POSIX file permissions are the basis of most Linux access control mechanisms. Over time they've been extended to make it possible to represent more complex business logic.
Traditional POSIX file permissions
POSIX file permissions give us three levels of access control:
- Users allow the file's owning user specific rights;
- Groups allow the file's owning group specific rights; and
- Other users have fallback permissions.
Each of these can have any combination of the following permissions:
- Read file contents or see the existence of a directory;
- Write file contents or create files within a directory; and
- eXecute on files, or list the contents of directories.
In an applied example:
$ ls -hal file
-rw-r--r-- 1 lukecarrier lukecarrier 0 Sep 26 15:02 file
- lukecarrier is the file's owner (user) and has read and write permissions;
- lukecarrier is the file's group and has read permissions; and
- Everyone else has read permissions.
We could represent these permissions as follows:
sudo chown lukecarrier file
sudo chgrp lukecarrier file
sudo chmod u=rw,go=r file
Or more concisely:
sudo chown lukecarrier:lukecarrier file
sudo chmod 644 file
How ACLs extend POSIX permissions
ACLs are an extension of POSIX permissions; they don't replace them. The same permissions we set above can be viewed in the ACL tools:
$ touch file
$ getfacl file
# file: file
# owner: lukecarrier
# group: lukecarrier
user::rw-
group::r--
other::r--
Now we might want to grant another user read access to our file:
$ setfacl -m user:www-data:r file
$ getfacl file
# file: file
# owner: lukecarrier
# group: lukecarrier
user::rw-
user:www-data:r--
group::r--
mask::r--
other::r--
Directories have one additional type of ACL: default ACLs. These set the ACLs that files created within the directory receive. We can use them to avoid having to constantly reapply ACLs to catch newly created files:
$ mkdir dir
$ setfacl -Rm default:user:www-data:r dir
$ touch dir/file
$ getfacl dir/file
# file: dir/file
# owner: lukecarrier
# group: lukecarrier
user::rw-
user:www-data:r--
group::r-x                      #effective:r--
mask::r--
other::r--
Note the mask entry: it caps the permissions of named users, named groups and the owning group, which is why group::r-x is reported with an effective value of r--. It's usually good practice to keep a directory's default ACLs in line with the access ACLs you want on the files inside it.
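As an added example (not code from the original post), this Python script parses getfacl output like the listing above and applies the mask the way the kernel does, reproducing the `#effective:` annotation and listing who can really read the file; the getfacl text it uses is constructed, not captured from a real system.

```python
# Constructed getfacl output modelled on the dir/file listing above (not captured from a real system).
SAMPLE_GETFACL = """\
# file: dir/file
# owner: lukecarrier
# group: lukecarrier
user::rw-
user:www-data:r--
group::r-x                      #effective:r--
mask::r--
other::r--
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> 'rwx'-style string."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            owner = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            group = raw.split(":", 1)[1].strip()
        elif raw.startswith("#") or not raw.strip():
            continue  # "# file:" header, flag lines, blank separators
        else:
            entry = raw.split("#", 1)[0].strip()  # drop getfacl's "#effective:" annotation
            tag, qualifier, perms = entry.split(":")
            entries[(tag, qualifier)] = perms
    return owner, group, entries

def effective_perms(entries):
    """Apply the mask: it caps named users, named groups and the owning group,
    but never the owner (user::) or other::, which is how the kernel evaluates the ACL."""
    mask = entries.get(("mask", ""))
    effective = {}
    for (tag, qualifier), perms in entries.items():
        if tag == "mask":
            continue
        if mask is not None and (tag == "group" or qualifier != ""):
            perms = "".join(p if m != "-" else "-" for p, m in zip(perms, mask))
        effective[(tag, qualifier)] = perms
    return effective

def readers(text):
    """Principals that can actually read the file once the mask has been applied."""
    owner, group, entries = parse_getfacl(text)
    names = {("user", ""): f"user {owner}", ("group", ""): f"group {group}", ("other", ""): "other"}
    return sorted(names.get(k, f"{k[0]} {k[1]}") for k, p in effective_perms(entries).items() if p[0] == "r")

if __name__ == "__main__":
    print(readers(SAMPLE_GETFACL))
```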