...

Every file in Unix has the following attributes −

  • Owner permissions − The owner's permissions determine what actions the owner of the file can perform on the file.

  • Group permissions − The group's permissions determine what actions a user who is a member of the file's group (but is not the owner) can perform on the file.

  • Other (world) permissions − The permissions for others indicate what action all other users can perform on the file.

The Permission Indicators

Code Block
<g2dfigat@s53 /pfs/work/g2dfigat>ls -l log.txt
-rwxr-xr-- 1 g2dfigat g2itmdev 0 Mar 18 12:00 log.txt

The first character is the file type ('-' for a regular file, 'd' for a directory, 'l' for a symbolic link). The remaining nine characters are broken into groups of three, and each position in a group denotes a specific permission, in this order: read (r), write (w), execute (x) −

  • The first three characters (2-4) represent the permissions for the file's owner. For example, -rwxr-xr-- represents that the owner has read (r), write (w) and execute (x) permission.

  • The second group of three characters (5-7) consists of the permissions for the group to which the file belongs. For example, -rwxr-xr-- represents that the group has read (r) and execute (x) permission, but no write permission.

  • The last group of three characters (8-10) represents the permissions for everyone else. For example, -rwxr-xr-- represents that everyone else has read (r) permission only.

File Access Modes

The permissions of a file are the first line of defense in the security of a Unix system. The basic building blocks of Unix permissions are the read, write, and execute permissions, which have been described below −

  • Read - Grants the capability to read, i.e., view the contents of the file.
  • Write - Grants the capability to modify or truncate the content of the file. Deleting or renaming the file itself is governed by write permission on the directory that contains it, not by the file's own mode.
  • Execute - A user with execute permission can run the file as a program. A script additionally needs read permission, because the interpreter has to open it.

Directory Access Modes

Directory access modes are listed and organized in the same manner as any other file. There are a few differences that need to be mentioned −

...

To change the file or the directory permissions, you use the chmod (change mode) command. There are two ways to use chmod — the symbolic mode and the absolute mode.

Using chmod in Symbolic Mode

The easiest way for a beginner to modify file or directory permissions is to use the symbolic mode. With symbolic permissions you can add, delete, or specify the permission set you want by using the operators in the following table.

Number  Chmod operator  Description
1       +               Adds the designated permission(s) to a file or directory, leaving the others as they are.
2       -               Removes the designated permission(s) from a file or directory, leaving the others as they are.
3       =               Sets the designated permission(s) exactly, replacing whatever that set (u, g or o) had before.

Using chmod with Absolute Permissions

The second way to modify permissions with the chmod command is absolute (octal) mode: one digit for each set of permissions (owner, group, others), in that order.

Each permission is assigned a value, as the following table shows, and the sum of the values within a set is the digit for that set. For example, -rwxr-xr-- is 7 (owner), 5 (group), 4 (others), i.e. chmod 754.

Number  Octal permission representation                            Ref
0       No permission                                              ---
1       Execute permission                                         --x
2       Write permission                                           -w-
3       Execute and write permission: 1 (execute) + 2 (write) = 3  -wx
4       Read permission                                            r--
5       Read and execute permission: 4 (read) + 1 (execute) = 5    r-x
6       Read and write permission: 4 (read) + 2 (write) = 6        rw-
7       All permissions: 4 (read) + 2 (write) + 1 (execute) = 7    rwx
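The following shell functions are an added example (not part of the original page) that ties the ls -l permission string, the octal table and the two chmod modes together. mode_to_octal converts a string such as -rwxr-xr-- to 754; it also understands the setuid/setgid/sticky letters (s/S in the owner and group execute columns, t/T in the others column), which goes beyond the table above. chmod_demo applies the same permissions once in symbolic and once in absolute mode on a scratch file and reads the result back through ls -l. The file name log.txt and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: the mapping between the ls -l
# permission string and the octal value chmod accepts, as shell functions.

# mode_to_octal MODESTRING
# Converts "-rwxr-xr--" (with or without the leading file-type column) to
# "754". Special bits become a leading digit, e.g. "-rwsr-xr-x" -> 4755.
mode_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}        # drop the file-type column ('-', 'd', 'l', ...)
    if [ ${#s} -ne 9 ]; then
        printf 'bad mode string: %s\n' "$1" >&2
        return 1
    fi
    special=0 out="" acc=0 pos=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}       # pop the first character
        pos=$((pos + 1))
        bit=0
        case $c in
            r) bit=4 ;;
            w) bit=2 ;;
            x) bit=1 ;;
            -) bit=0 ;;
            s|S|t|T)
                # lower case means the execute bit is set as well as the special bit
                case $c in s|t) bit=1 ;; esac
                case $pos in
                    3) special=$((special | 4)) ;;   # setuid lives in the owner x column
                    6) special=$((special | 2)) ;;   # setgid in the group x column
                    9) special=$((special | 1)) ;;   # sticky in the others x column
                    *) printf 'bad mode string: %s\n' "$1" >&2; return 1 ;;
                esac ;;
            *) printf 'bad mode string: %s\n' "$1" >&2; return 1 ;;
        esac
        acc=$((acc + bit))
        case $pos in 3|6|9) out="$out$acc"; acc=0 ;; esac   # close a triplet
    done
    if [ "$special" -eq 0 ]; then
        printf '%s\n' "$out"
    else
        printf '%s%s\n' "$special" "$out"
    fi
}

# current_mode FILE
# Reads the mode back through ls -l rather than stat, so it works on any Unix.
current_mode() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# chmod_demo
# Shows that symbolic and absolute mode reach the same result, then that a
# symbolic "-" touches only the named set. Prints the three modes observed.
chmod_demo() {
    tmp=$(mktemp -d) || return 1        # scratch directory (assumed writable)
    f=$tmp/log.txt
    : > "$f"
    chmod u=rwx,g=rx,o=r "$f"           # symbolic mode: "=" sets each set exactly
    sym=$(current_mode "$f")
    chmod 644 "$f"                      # disturb it so the next call is a real change
    chmod 754 "$f"                      # absolute mode: same permissions as above
    abs=$(current_mode "$f")
    chmod o-r "$f"                      # symbolic "-": remove read from others only
    rem=$(current_mode "$f")
    rm -rf "$tmp"
    printf '%s %s %s\n' "$sym" "$abs" "$rem"
}

# Stand-alone usage with constructed input:
mode_to_octal -rwxr-xr--
chmod_demo
```

chmod_demo prints "754 754 750": the first two values are identical because u=rwx,g=rx,o=r and 754 describe the same mode, and the third shows that o-r changed the others digit alone.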

ACLs

ACL at /pfs

ACLs (Access Control Lists) are a second level of discretionary permissions that extend the standard rwx ones: in addition to the owner, group and other entries, a file or directory can carry entries for named users and named groups. Used correctly they give finer granularity, for example granting access to a specific user who is neither the file owner nor a member of the owning group, or explicitly giving such a user no rights (---). Two points matter in practice: every named-user, named-group and owning-group entry is limited by the mask entry, and chmod rewrites the mask whenever it changes the group bits, so a chmod g-w can silently reduce a named user's rwx to r-x. getfacl shows this as an "#effective:" comment next to the affected entry, and ls -l marks a file with extended ACL entries with a "+" after the mode string.

Show ACL

To show permissions, use the getfacl command:

...

The ACL can be modified using the setfacl command.


Tip

You can list file/directory permission changes without modifying the permissions (i.e. dry-run) by appending the --test flag.


To set permissions for a user (user is either the user name or ID):

Code Block
# setfacl -m "u:<user>:<permissions>" <file/dir>

To set permissions for a group (group is either the group name or ID):

Code Block
# setfacl -m "g:<group>:<permissions>" <file/dir>

To set permissions for others:

Code Block
# setfacl -m "o::<permissions>" <file/dir>

To make all newly created files or directories inherit entries from the parent directory, set a default ACL. It applies only to objects created in the directory afterwards (including files created there by cp); existing contents and files moved in with mv keep the ACLs they already have:

Code Block
# setfacl -dm "entry" <dir>

To remove a specific entry:

Code Block
# setfacl -x "entry" <file/dir>

To remove the default entries:

Code Block
# setfacl -k <file/dir>

To remove all extended entries, including the default ACL (the base entries for the owner, group and others are retained):

Code Block
# setfacl -b <file/dir>
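An added example, not from the original page, that demonstrates the mask caveat behind the setfacl commands above. acl_effective recomputes the "#effective:" rights that getfacl prints for a listing given on stdin, and acl_demo reproduces the problem on a real scratch file: a named rwx entry is added, then a plain chmod g-w lowers the mask. The sample getfacl listing, the user names alice and devs, and the scratch file name are constructed for the example; acl_demo prints "skipped" when setfacl/getfacl are not installed or the temporary filesystem does not support ACLs.

```shell
#!/bin/sh
# Added example, not from the original page: the POSIX ACL mask caveat.

# and_perms ENTRY MASK -> effective rights, e.g. and_perms rwx r-x -> r-x
# Both strings are three characters in r w x order, so a position is kept
# only when both have the same letter there.
and_perms() {
    a=$1 m=$2 out=""
    while [ -n "$a" ]; do
        ca=${a%"${a#?}"}; a=${a#?}
        cm=${m%"${m#?}"}; m=${m#?}
        if [ "$ca" = "$cm" ]; then out="$out$ca"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# acl_effective
# Reads getfacl text (long form, one entry per line) on stdin and echoes it,
# appending "#effective:" to named-user, named-group and owning-group entries
# whose rights are reduced by the mask. Owner and other entries are never masked.
acl_effective() {
    text=$(cat)
    mask=$(printf '%s\n' "$text" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$text" | while IFS= read -r line; do
        case $line in
            user:?*:???|group:?*:???|group::???)
                perms=${line##*:}
                eff=$perms
                [ -n "$mask" ] && eff=$(and_perms "$perms" "$mask")
                if [ "$eff" != "$perms" ]; then
                    printf '%s\t#effective:%s\n' "$line" "$eff"
                else
                    printf '%s\n' "$line"
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed getfacl listing (not captured from a real system): alice was
# given rwx and devs rw-, but the mask is r-x.
SAMPLE_ACL='user::rwx
user:alice:rwx
group::r-x
group:devs:rw-
mask::r-x
other::---'

# acl_demo
# Grants the current user a named rwx entry on a scratch file, then runs the
# chmod that silently lowers the mask, and shows the resulting effective rights.
acl_demo() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 \
        || { printf 'skipped\n'; return 0; }
    tmp=$(mktemp -d) || return 1
    f=$tmp/log.txt
    : > "$f"
    chmod 640 "$f"
    # numeric uid, so the entry is a named-user entry even for a uid without a name
    if ! setfacl -m "u:$(id -u):rwx" "$f" 2>/dev/null; then
        rm -rf "$tmp"; printf 'skipped\n'; return 0
    fi
    # setfacl recalculated the mask to rwx. The group column of ls -l now shows
    # the mask, so this chmod drops the w bit of the mask, not of the group:
    chmod g-w "$f"
    # -E suppresses getfacl's own "#effective:" comments so acl_effective's are visible
    getfacl -E --omit-header "$f" 2>/dev/null | acl_effective
    rm -rf "$tmp"
}

# Stand-alone usage:
printf '%s\n' "$SAMPLE_ACL" | acl_effective
acl_demo
```

On the sample listing, user:alice:rwx and group:devs:rw- come back with "#effective:r-x" and "#effective:r--" respectively, while user::rwx and other::--- are printed unchanged. The fix for the real-file case is setfacl -m m::rwx to raise the mask again, or passing -n to setfacl when the mask should be left alone.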

...

Tip

To apply operations to all files and directories recursively, append the -R argument.

ACL at /afs

Show ACL

To show permissions, use the fs la (fs listacl) command:

Code Block
<g2dfigat@s53 ~>fs la ~/public/
Access list for public/ is
Normal rights:
  system:anyuser rl
  g2dfigat rlidwka

Permissions and Shortcuts

There are seven standard AFS permissions, each referred to by one of the letters r, l, i, d, w, k and a. AFS ACLs are set on directories, not on individual files: the l, i, d and a permissions govern what can be done to the directory itself, and the r, w and k permissions govern what can be done to the files inside it.

DIRECTORY PERMISSIONS

ACL             Permissions
l (lookup)      Allows one to list the contents of a directory. It does not allow the reading of files.
i (insert)      Allows one to create new files in a directory or copy new files into a directory.
d (delete)      Allows one to remove files and sub-directories from a directory.
a (administer)  Allows one to change a directory's ACL. The owner of a directory can always change the ACL of that directory and of any subdirectory in it.

FILE PERMISSIONS

ACL        Permissions
r (read)   Allows one to read the contents of files in the directory.
w (write)  Allows one to modify the contents of files in the directory and use chmod on them.
k (lock)   Allows programs to lock files in the directory.

Shortcuts

When specifying directory rights using fs, the following shortcuts may be used:

Shortcut  Permissions
all       rlidwka
read      rl
write     rlidwk
none      removes the entry for that user or group

Set ACL

The ACL can be modified using the fs setacl command. It changes only the directory named; existing subdirectories keep their own ACLs (a newly created subdirectory starts with a copy of its parent's ACL).

To add a user or group to an ACL with read permission (the read shortcut expands to rl):

Code Block
fs setacl -dir /afs/<dir> -acl <user> read

To add a user or group with write permission (rlidwk, the same letters the write shortcut expands to; it deliberately leaves out a, so the user cannot change the ACL):

Code Block
fs setacl -dir /afs/<dir> -acl <user> rlidwk

To remove a user or group from an ACL:

Code Block
fs setacl -dir /afs/<dir> -acl <user> none
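An added example, not part of the original page, for the shortcut and listing formats described above. afs_expand turns the argument one would give to fs setacl (a shortcut or raw letters) into the letters AFS stores, and afs_audit reads fs la output and flags entries in the "Normal rights" section that give the built-in groups system:anyuser (everyone, authenticated or not) and system:authuser (any authenticated user in the cell) more than lookup and read. The listing fed to it is constructed for the example; only the fs la format from the page is assumed.

```shell
#!/bin/sh
# Added example, not from the original page: fs shortcut expansion and a
# small audit of an `fs la` listing.

# afs_expand RIGHTS
# Expands the read/write/all/none shortcuts; raw letters are validated against
# the seven standard rights and passed through.
afs_expand() {
    case $1 in
        all)   printf 'rlidwka\n' ;;
        read)  printf 'rl\n' ;;
        write) printf 'rlidwk\n' ;;
        none)  printf '\n' ;;
        "")    printf 'empty rights\n' >&2; return 1 ;;
        *)
            case $1 in
                *[!rlidwka]*) printf 'invalid rights: %s\n' "$1" >&2; return 1 ;;
            esac
            printf '%s\n' "$1" ;;
    esac
}

# afs_audit
# Reads `fs la` output on stdin. For each entry under "Normal rights:" it prints
#   WORLD-READABLE <group> <rights>  when system:anyuser has r
#   BROAD <group> <rights>           when system:anyuser or system:authuser has
#                                    any of i, d, w, k or a
# Entries for ordinary users and groups, and the "Negative rights:" section,
# are ignored.
afs_audit() {
    section=""
    while IFS= read -r line; do
        case $line in
            "Normal rights:")   section=normal;   continue ;;
            "Negative rights:") section=negative; continue ;;
            "Access list for"*) continue ;;
        esac
        [ "$section" = normal ] || continue
        set -- $line                     # split into principal and rights
        [ $# -eq 2 ] || continue
        case $1 in
            system:anyuser|system:authuser)
                case $2 in
                    *[idwka]*) printf 'BROAD %s %s\n' "$1" "$2" ;;
                esac
                case $1:$2 in
                    system:anyuser:*r*) printf 'WORLD-READABLE %s %s\n' "$1" "$2" ;;
                esac ;;
        esac
    done
}

# Constructed listing in the format fs la prints (not captured from a real cell):
# a public directory that was also opened to every authenticated user for writing.
SAMPLE_FS_LA='Access list for public/ is
Normal rights:
  system:anyuser rl
  system:authuser rlidwk
  g2dfigat rlidwka'

# Stand-alone usage:
afs_expand write
printf '%s\n' "$SAMPLE_FS_LA" | afs_audit
```

For the sample listing the audit prints "WORLD-READABLE system:anyuser rl" (expected for a directory named public) and "BROAD system:authuser rlidwk", which is the entry a reviewer would want explained. Real listings can be produced with fs la on each directory of interest, since AFS ACLs are per directory.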


Tip

To copy the ACL of one directory onto another (the target's existing entries are replaced):

Code Block
fs copyacl -fromdir <dir1> -todir <dir2>