DevopsWithUday

File Permissions and Access Control Lists

File Permissions and Access Control Lists

Uday Sharma's photo
Uday Sharma
·

5 min read

Table of contents

Linux File System Permissions: Theory, Examples, and Types

Introduction:

Linux file system permissions are a crucial aspect of system security, providing control over who can access, modify, or execute files and directories. This system relies on a permission system that assigns specific rights to three categories of users: the file owner (user), the group associated with the file, and other users who fall into neither of the first two categories. This article will explore the theory behind Linux file system permissions, provide practical examples, and discuss different types of permissions.

Understanding File System Permissions:

In Linux, each file and directory is associated with a set of permission bits, represented by the letters r (read), w (write), and x (execute). These permissions are organized into three classes: user, group, and others. The permission settings are viewed using commands like ls -l, which displays a long listing with detailed information about files, including ownership and permissions.

A typical output of ls -l might look like this:

-rw-r--r-- 1 user1 users 1024 Feb 10 10:30 example.txt

In this example:

  • rw- indicates read and write permissions for the user (owner).

  • r-- indicates read-only permissions for the group.

  • r-- indicates read-only permissions for others.

The first character in the permission string (- in this case) represents the file type. For regular files, it is -; for directories, it is d.

Numeric (Octal) Notation:

Numeric notation is an alternative way to represent permissions using octal numbers. Each permission is assigned a numerical value: read (4), write (2), and execute (1). The sum of these values represents the permission set for each class (user, group, others).

For example, chmod 764 filename sets read+write+execute for the user, read+write for the group, and read-only for others.

Examples of Setting Permissions:

  1. Symbolic Notation:

    • Use chmod with symbolic notation to modify permissions. For instance:

        chmod u+x filename

      This adds execute permission for the user.

  2. Numeric Notation:

    • Use chmod with numeric notation to set permissions. For example:

        chmod 755 filename

      This grants read+write+execute for the user, and read+execute for group and others.

Special Permissions:

Apart from the standard permissions, Linux supports special permissions:

  1. Set User ID (SUID):

    • When set on an executable file, the process runs with the privileges of the file owner.

    • Example: chmod u+s executable_file

  2. Set Group ID (SGID):

    • When set on an executable file, the process runs with the privileges of the file's group.

    • Example: chmod g+s executable_file

  3. Sticky Bit:

    • Primarily used on directories to restrict deletion of files within the directory to only the file owner.

    • Example: chmod +t directory

Best Practices:

  1. Limit Permissions:

    • Grant the minimum necessary permissions to users and groups.

  2. Regular Audits:

    • Regularly audit and review permissions to ensure security.

  3. Use Groups Effectively:

    • Leverage group permissions to streamline access control.

  4. Secure Sensitive Files:

    • For sensitive files, restrict access to the file owner and grant read-only access to others.

Conclusion:

Linux file system permissions are a fundamental component of system security, providing control over access to files and directories. Understanding how to set and manage permissions is crucial for maintaining a secure and well-organized system. Whether using symbolic or numeric notation, administrators can tailor permissions to meet specific security and operational requirements. Special permissions, such as SUID, SGID, and the sticky bit, offer additional control mechanisms for fine-tuning access. Regular audits and adherence to best practices contribute to a robust security posture, ensuring that only authorized users can access and modify critical system files.

Access Control Lists (ACL): Theory and Explanation for Non-IT Persons

Access Control Lists (ACLs) are a security feature used to define and manage permissions on files and directories. ACLs provide a more granular level of control than traditional Unix file permissions, allowing users to specify access rights for specific individuals or groups. This article aims to explain the concept of ACLs in a simple, non-technical manner with examples.

Understanding Access Control Lists (ACLs):

In everyday terms, think of ACLs as a set of rules that determine who can do what with a particular file or folder. While traditional permissions in Unix systems are somewhat limited (e.g., read, write, execute for the owner, group, and others), ACLs provide a more sophisticated way to manage access.

Key Concepts:

  1. Users and Groups:

    • ACLs allow you to assign specific permissions to individual users or groups.

  2. Permissions:

    • Permissions include read, write, execute, and other custom permissions.

  3. Multiple Entries:

    • Unlike standard Unix permissions, ACLs allow multiple entries for different users and groups.

Example Scenario:

Imagine you have a shared folder named "ProjectDocs" where multiple users collaborate. You want to control access to files within this folder using ACLs.

  1. List of Users:

    • Alice (alice)

    • Bob (bob)

    • Charlie (charlie)

  2. List of Groups:

    • Developers (dev)

    • Designers (design)

    • Managers (managers)

Traditional Unix Permissions:

Initially, the folder has standard Unix permissions:

bashCopy code$ ls -l ProjectDocs
drwxr-xr-x 2 alice dev 4096 Feb 20 10:00 ProjectDocs

In this example, Alice is the owner, the group is set to "dev," and others have read and execute permissions.

Applying ACLs:

Now, let's enhance access control using ACLs:

bashCopy code$ setfacl -m u:bob:rw- ProjectDocs
$ setfacl -m g:design:r-- ProjectDocs
$ setfacl -m u:charlie:rwx ProjectDocs

Explanation:

  • setfacl is the command to set ACLs.

  • -m specifies modification.

  • u:bob:rw- grants read and write permissions to Bob.

  • g:design:r-- grants read-only access to the Designers group.

  • u:charlie:rwx grants full read, write, and execute permissions to Charlie.

Checking ACLs:

After applying ACLs, the listing may look like this:

bashCopy code$ getfacl ProjectDocs
# file: ProjectDocs
# owner: alice
# group: dev
user::rwx
user:bob:rw-
user:charlie:rwx
group::r-x
group:design:r--
mask::rwx
other::r-x

This output shows the ACL entries, indicating the specific permissions granted to users and groups.

Practical Implications:

  1. Flexibility:

    • ACLs provide flexibility in granting permissions to specific users or groups without affecting others.

  2. Collaboration:

    • Allows for more controlled collaboration by defining who can modify, read, or execute specific files.

  3. Fine-Tuning Access:

    • Enables fine-tuning of access rights for different individuals or teams based on their roles.

Conclusion:

In essence, ACLs offer a more refined approach to access control, allowing users to tailor permissions to specific needs. While Unix permissions provide a basic level of control, ACLs enhance this by enabling users to define access rules for individual users and groups. Understanding ACLs can empower users to manage access in shared environments, fostering collaboration while maintaining security.

DevopsLinuxfilesfilesystem#90daysofdevops