Advanced file permissions in Linux
A lot of Linux/openSUSE users aren’t aware that there is more to file system permissions than the obvious Owner, Group, Other / Read, Write, Execute setup.
All major Linux file systems (ext3, reiserfs, etc.) support access control lists (ACLs), and they are very easy to use.
To see if a file or directory has an ACL set on it, you can use ls:
inspidell:~ # ls -ld /home/sontek
You’ll get output similar to this:
drwxr-xr-x+ 55 sontek users 4096 Jul  4 13:42 /home/sontek
The + at the end of the permissions means that we are using extended permissions (ACLs). To get the list of ACLs on the file/directory, run the getfacl <file> command.
inspidell:~ # getfacl /home/sontek
getfacl: Removing leading '/' from absolute path names
# file: home/sontek
# owner: sontek
# group: users
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group:users:---
default:mask::r-x
default:other::r-x
This shows both the ACLs and the basic Linux permissions.
To modify or set ACLs you use the setfacl command. Here are a few examples of how to use it:
Grant a single user read access to a directory in your home directory.
setfacl -m u:mom:r /home/sontek/photos
Remove a group’s entry from a file’s ACL (the group’s members then fall back to the file’s "other" permissions)
setfacl -x g:developers payroll.xml
You can also copy a set of permissions from one file to another
getfacl file1 | setfacl --set-file=- file2
Remove the default ACLs from a directory (the -b option removes all extended ACL entries instead)
setfacl -k /home/sontek
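As an added example (not from the original post), the shell function below reads getfacl output and lists only the named user and group entries, together with the rights each one actually gets once the mask entry is applied. The function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report the getfacl entries that go beyond owner/group/other,
# with the rights each one really gets once the mask entry is applied.

# Reads getfacl output on stdin, prints: file<TAB>entry<TAB>effective rights.
acl_named_entries() {
  awk '
    # Print the buffered entries of one file, each limited by its mask.
    function flush(   i, k, m, c, eff) {
      for (i = 1; i <= n; i++) {
        m = (scope[i] in mask) ? mask[scope[i]] : "rwx"
        eff = ""
        for (k = 1; k <= 3; k++) {
          c = substr(perm[i], k, 1)
          if (substr(m, k, 1) == "-") c = "-"
          eff = eff c
        }
        printf "%s\t%s\t%s\n", file, entry[i], eff
      }
      n = 0; split("", mask)
    }
    /^# file: /  { flush(); file = substr($0, 9); next }
    /^#/ || /^$/ { next }
    {
      line = $0; sub(/[ \t]*#.*/, "", line)   # drop "#effective:" notes
      s = "access"
      if (line ~ /^default:/) { s = "default"; sub(/^default:/, "", line) }
      split(line, f, ":")                     # tag:qualifier:permissions
      if (f[1] == "mask") { mask[s] = f[3]; next }
      if (f[2] == "") next                    # base entry, same as ls -l shows
      n++; scope[n] = s; perm[n] = f[3]
      entry[n] = (s == "default" ? "default:" : "") f[1] ":" f[2]
    }
    END { flush() }
  '
}

# Constructed sample, modelled on the getfacl output above (not real data).
sample_getfacl() {
  printf '%s\n' '# file: home/sontek/photos' '# owner: sontek' '# group: users' \
    'user::rwx' 'user:mom:r--' 'group::r-x' 'group:developers:rwx' 'mask::r-x' \
    'other::---' 'default:user::rwx' 'default:group::r-x' \
    'default:group:users:---' 'default:mask::r-x' 'default:other::r-x'
}

sample_getfacl | acl_named_entries
# Real use: getfacl -R /home/sontek 2>/dev/null | acl_named_entries
```

In the sample, the developers group is listed with rwx but ends up with r-x, because mask::r-x caps every named entry.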
For those of you who are not console jockeys, you’ll realize quickly that the default nautilus setup doesn’t have a way to view, modify, or add any ACLs. To get this support you’ll need to install two packages; on openSUSE you do this with zypper:
inspidell:~ # zypper in eiciel nautilus-eiciel
Before the ACL permissions show up in nautilus, you’ll have to restart it:
inspidell:~ # pkill nautilus
After this, you’ll be greeted with a very easy to use dialog for modifying ACLs:

Another great nautilus permissions tip I learned from Christer Edwards is to enable advanced permissions in nautilus. This is a much better UI for managing permissions and should probably be the default.
gconftool-2 --type bool --set /apps/nautilus/preferences/show_advanced_permissions True
A screenshot of this in action:

I hope this helps you better secure and manage your computer with the more advanced features of your Linux file systems, both from the console and inside GNOME.








OpenSUSE comes with YAST. Why do I need to use the command line to do all this?
I install software with YAST, I set up my nfs server and client with YAST, and I do everything through the GUI interface. I rather think this is the way most users install stuff, especially new ones.
I appreciate your desire to help us understand what’s going on, and how to change it, but why do you want us to use the command line instead of the interface we’re already used to?
I don’t mind using the command line - my first computer came with the optional 4K memory and all we had for years was the command line but I doubt most newcomers are used to it.
I appreciate the subject, though. Setting up working nfs networks can be really confusing, especially trying to figure out why you can’t write to the damned file on the network!
Thanks, Bob.
Comment by Bob Smits — July 11, 2008 @ 7:01 pm
I’ve never used yast or a gui. I’m teaching you how to do it the way I know how; sorry if it’s not the way you want to do it.
And these commands are generic and can be run on any Linux distribution.
Comment by sontek — July 11, 2008 @ 8:46 pm
I’ve found ACLs really useful. I learnt them by reading up SuSE documentation (9.x IIRC).
Comment by Mrugesh Karnik — July 12, 2008 @ 12:42 pm