
1. Permissions

Every file in Unix has the following attributes −

  • Owner permissions − The owner's permissions determine what actions the owner of the file can perform on the file.

  • Group permissions − The group's permissions determine what actions a user, who is a member of the group that a file belongs to, can perform on the file.

  • Other (world) permissions − The permissions for others indicate what actions all other users can perform on the file.

1.1. The Permission Indicators

<g2dfigat@s53 /pfs/work/g2dfigat>ls -l log.txt
-rwxr-xr-- 1 g2dfigat g2itmdev 0 Mar 18 12:00 log.txt

The permissions are broken into groups of threes, and each position in the group denotes a specific permission, in this order: read (r), write (w), execute (x) −

  • The first three characters (2-4) represent the permissions for the file's owner. For example, -rwxr-xr-- represents that the owner has read (r), write (w) and execute (x) permission.

  • The second group of three characters (5-7) consists of the permissions for the group to which the file belongs. For example, -rwxr-xr-- represents that the group has read (r) and execute (x) permission, but no write permission.

  • The last group of three characters (8-10) represents the permissions for everyone else. For example, -rwxr-xr-- represents that everyone else has read (r) permission only.

1.2. File Access Modes

The permissions of a file are the first line of defense in the security of a Unix system. The basic building blocks of Unix permissions are the read, write, and execute permissions, which have been described below −

  • Read - Grants the capability to read, i.e., view the contents of the file.
  • Write - Grants the capability to modify, or remove the content of the file.
  • Execute - User with execute permissions can run a file as a program.

1.3. Directory Access Modes

Directory access modes are listed and organized in the same manner as any other file. There are a few differences that need to be mentioned −

  • Read - Access to a directory means that the user can read the contents. The user can look at the filenames inside the directory.
  • Write - Access means that the user can add or delete files from the directory.
  • Execute - Executing a directory doesn't really make sense, so think of this as a traverse permission.

A user must have execute access to the bin directory in order to execute the ls or the cd command.

2. Changing Permissions

To change the file or the directory permissions, you use the chmod (change mode) command. There are two ways to use chmod — the symbolic mode and the absolute mode.

2.1. Using chmod in Symbolic Mode

The easiest way for a beginner to modify file or directory permissions is to use the symbolic mode. With symbolic permissions you can add, delete, or specify the permission set you want by using the operators in the following table.

Number  Chmod operator  Description
1       +               Adds the designated permission(s) to a file or directory.
2       -               Removes the designated permission(s) from a file or directory.
3       =               Sets the designated permission(s).

2.2. Using chmod with Absolute Permissions

The second way to modify permissions with the chmod command is to use a number to specify each set of permissions for the file.

Each permission is assigned a value, as the following table shows, and the total of each set of permissions provides a number for that set.

Number  Octal Permission Representation                            Ref
0       No permission                                              ---
1       Execute permission                                         --x
2       Write permission                                           -w-
3       Execute and write permission: 1 (execute) + 2 (write) = 3  -wx
4       Read permission                                            r--
5       Read and execute permission: 4 (read) + 1 (execute) = 5    r-x
6       Read and write permission: 4 (read) + 2 (write) = 6        rw-
7       All permissions: 4 (read) + 2 (write) + 1 (execute) = 7    rwx
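As an added example that is not part of the original page, the following POSIX-sh helpers convert the ten-character mode string printed by ls -l (section 1.1) into the octal digits chmod accepts (section 2.2), and use that to spot files whose "others" triad carries the write bit. The function names and the scratch files created by demo are constructed for this example.

```shell
# Added example, not code from the original page: mode-string <-> octal helpers
# for the permission strings and tables of sections 1 and 2 (POSIX sh).

triad_to_digit() {           # "rwx" -> 7, "r-x" -> 5, "r--" -> 4, "---" -> 0
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??x|??s|??t) n=$((n + 1)) ;; esac   # s/t still include the execute bit
    echo "$n"
}

mode_to_octal() {            # "-rwxr-xr--" -> 754 (character 1 is the file type)
    p=${1#?}                 # characters 2-10
    u=${p%??????}            # 2-4: owner
    g=${p#???}; g=${g%???}   # 5-7: group
    o=${p#??????}            # 8-10: others
    echo "$(triad_to_digit "$u")$(triad_to_digit "$g")$(triad_to_digit "$o")"
}

file_octal() {               # octal mode of an existing path, taken from ls -ld
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

world_writable() {           # yes if character 9 (the write bit of "others") is set, else no
    case "$1" in ????????w?) echo yes ;; *) echo no ;; esac
}

demo() {                     # constructed scratch files; prints their modes before and after chmod
    d=$(mktemp -d) || return 1
    : > "$d/log.txt"; : > "$d/notes.txt"
    chmod 754 "$d/log.txt"           # absolute mode: rwxr-xr--, the file from section 1.1
    chmod a=rw "$d/notes.txt"        # symbolic mode: rw-rw-rw-, writable by everyone
    for f in "$d"/*; do
        m=$(ls -ld "$f" | cut -c1-10)
        printf '%s %s world-writable=%s\n' "$m" "$(mode_to_octal "$m")" "$(world_writable "$m")"
    done
    chmod o-w "$d/notes.txt"         # symbolic mode: take write away from others -> 664
    printf 'after chmod o-w: %s\n' "$(file_octal "$d/notes.txt")"
    rm -rf "$d"
}
```

Call demo to see both modes applied to the two scratch files.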

3. ACL at /pfs

Access Control Lists (ACLs) are a second level of discretionary permissions that may override the standard rwx ones. Used correctly, they give you finer granularity in setting access to a file or a directory, for example by granting or denying access to a specific user who is neither the file owner nor a member of the file's group.

3.1. Show ACL

To show permissions, use the getfacl command:

<g2dfigat@s53 /pfs/work/g2dfigat>getfacl $ITMWORK
getfacl: Removing leading '/' from absolute path names
# file: pfs/work/g2dfigat
# owner: g2dfigat
# group: g2itmdev
user::rwx
group::r-x
other::r-x

3.2. Set ACL

The ACL can be modified using the setfacl command.

You can preview the permission changes setfacl would make to a file or directory without applying them (a dry run) by appending the --test flag.

To set permissions for a user (user is either the user name or ID):

# setfacl -m "u:<user>:<permissions>" <file/dir>

To set permissions for a group (group is either the group name or ID):

# setfacl -m "g:<group>:<permissions>" <file/dir>

To set permissions for others:

# setfacl -m "o::<permissions>" <file/dir>

To make all newly created files or directories inherit entries from the parent directory (this does not affect files that are later copied into the directory):

# setfacl -dm "entry" <dir>

To remove a specific entry:

# setfacl -x "entry" <file/dir>

To remove the default entries:

# setfacl -k <file/dir>

To remove all extended entries (the base entries of the owner, group and others are retained):

# setfacl -b <file/dir>

To apply operations to all files and directories recursively, append the -R argument.

3.3. $ITMWORK

To make $ITMWORK visible (read access) to everyone:

setfacl -R -m o::rx $ITMWORK

Available for the selected group (for example g2itmuse):

setfacl -R -m g:g2itmuse:rx $ITMWORK
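The getfacl listing in section 3.1 shows only the base entries, but as soon as a named user or group entry is added, a mask entry appears and limits what the named entries and the owning group actually get. As an added example that is not part of the original page, these POSIX-sh helpers parse a constructed getfacl listing, apply the mask, and report which entries other than the owner can write; the sample listing, the user alice and the function names are assumptions for this example.

```shell
# Added example, not code from the original page: compute the effective rights
# of a POSIX ACL from getfacl output (section 3). Constructed sample listing:
SAMPLE_ACL='# file: pfs/work/g2dfigat
# owner: g2dfigat
# group: g2itmdev
user::rwx
user:alice:rw-
group::r-x
group:g2itmuse:rwx
mask::rw-
other::r-x
default:user::rwx'

and_rights() {        # AND of two rwx triads: "rwx" "rw-" -> "rw-"
    r=-; w=-; x=-
    case "$1$2" in r??r??) r=r ;; esac
    case "$1$2" in ?w??w?) w=w ;; esac
    case "$1$2" in ??x??x) x=x ;; esac
    echo "$r$w$x"
}

effective_acl() {     # stdin: getfacl output; stdout: "tag:qualifier:effective" per access entry
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    printf '%s\n' "$acl" | while IFS=: read -r tag qual perms; do
        case "$tag" in ''|'#'*|default|mask) continue ;; esac  # comments, blanks, default entries, the mask line
        perms=${perms%%[!rwx-]*}                               # strip any "#effective:" note getfacl appends
        eff=$perms
        if [ -n "$mask" ]; then
            case "$tag:$qual" in
                user:?*|group:*) eff=$(and_rights "$perms" "$mask") ;;  # named users, owning group, named groups
            esac                                               # the owner (user::) and other:: are never masked
        fi
        printf '%s:%s:%s\n' "$tag" "$qual" "$eff"
    done
}

acl_writers() {       # stdin: getfacl output; stdout: entries other than the owner whose effective rights include w
    effective_acl | while IFS=: read -r tag qual eff; do
        case "$tag:$qual:$eff" in
            user::*) ;;                                   # the file owner is expected to write
            *:?w?) printf '%s:%s\n' "$tag" "$qual" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_ACL" | acl_writers    # -> user:alice and group:g2itmuse
```

Note that group:g2itmuse loses its x and the owning group loses its x through the mask, while other::r-x is untouched; getfacl shows the same reduction as an "#effective:" annotation.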

4. ACL at /afs

4.1. Show ACL

To show permissions, use the fs la command:

<g2dfigat@s53 ~>fs la ~/public/
Access list for public/ is
Normal rights:
  system:anyuser rl
  g2dfigat rlidwka

4.2. Permissions and Shortcuts

There are seven standard AFS permissions, each referred to by one of the letters r, l, i, d, w, k and a. The lida permissions apply to directories and the rwk permissions apply to files.

4.2.1. DIRECTORY PERMISSIONS

ACL             Permissions
l (lookup)      Allows one to list the contents of a directory. It does not allow the reading of files.
i (insert)      Allows one to create new files in a directory or copy new files to a directory.
d (delete)      Allows one to remove files and sub-directories from a directory.
a (administer)  Allows one to change a directory's ACL. The owner of a directory can always change the ACL of the directory and of any subdirectories in it.

4.2.2. FILE PERMISSIONS

ACL        Permissions
r (read)   Allows one to read the contents of files in the directory.
w (write)  Allows one to modify the contents of files in a directory and use chmod on them.
k (lock)   Allows programs to lock files in a directory.

4.2.3. Shortcuts

When specifying directory rights using fs, the following shortcuts may be used:

Shortcut  Permissions
all       rlidwka
read      rl
write     rlidwk
none      removes all entries

4.3. Set ACL

The ACL can be modified using the fs setacl command.

To add a user or group to an ACL with read permission:

fs setacl -dir /afs/<dir> -acl <user> read

As a shortcut, you can abbreviate "setacl" to "sa" and/or leave out "-dir" and "-acl", as long as you keep the arguments in the order given:

fs sa /afs/<dir> <user> read

To add a user or group to an ACL with write permission:

fs setacl -dir /afs/<dir> -acl <user> rlidwk

To remove a user or group from an ACL:

fs setacl -dir /afs/<dir> -acl <user> none


To copy an ACL from one directory to another:

fs copyacl -fromdir <dir1> -todir <dir2>

4.4. $HOME/public

To give read access to ~/public for everyone:

fs setacl -dir ~/public -acl system:anyuser rl

To give read access recursively to all directories in ~/public:

find ~/public -type d -exec fs setacl -dir {} -acl system:anyuser rl \;
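As an added example that is not part of the original page, the following POSIX-sh helpers implement the rights letters and shortcuts of section 4.2 and run over a constructed "fs la" listing of the kind shown in section 4.1, reporting system:* entries (everyone, or every authenticated user) that hold more than read rights. The sample listing and the function names are assumptions for this example; no AFS client is needed to run it.

```shell
# Added example, not code from the original page: helpers for the AFS rights
# letters and shortcuts of section 4.2, run over a constructed "fs la" listing.
SAMPLE_FS_LA='Access list for public/ is
Normal rights:
  system:anyuser rlidwk
  system:authuser rl
  g2dfigat rlidwka
Negative rights:
  system:anyuser d'

afs_expand() {        # shortcut or letter string -> letters in canonical rlidwka order
    case "$1" in
        all) set -- rlidwka ;; read) set -- rl ;; write) set -- rlidwk ;; none) set -- '' ;;
    esac
    case "$1" in *[!rlidwka]*) echo "afs_expand: unknown right in '$1'" >&2; return 1 ;; esac
    out=''
    for letter in r l i d w k a; do              # canonical order, duplicates dropped
        case "$1" in *"$letter"*) out="$out$letter" ;; esac
    done
    echo "$out"
}

afs_modifies() {      # yes if the rights allow changing files or the directory (i, d, w, k, a), else no
    case "$(afs_expand "$1")" in *[idwka]*) echo yes ;; *) echo no ;; esac
}

afs_public_excess() { # stdin: "fs la" output; stdout: system:* entries granting more than read (rl)
    in_normal=0
    while read -r name rights rest; do
        case "$name" in
            Normal)   in_normal=1; continue ;;    # "Normal rights:" header
            Negative) in_normal=0; continue ;;    # "Negative rights:" are denials, not grants
        esac
        [ "$in_normal" -eq 1 ] || continue
        case "$name" in system:*) ;; *) continue ;; esac
        if [ "$(afs_modifies "$rights")" = yes ]; then
            printf '%s %s\n' "$name" "$rights"
        fi
    done
    return 0
}

printf '%s\n' "$SAMPLE_FS_LA" | afs_public_excess    # -> system:anyuser rlidwk
```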