Day 6 Task: File Permissions and Access Control Lists


#90Days of DevOps challenge

#day6 task of the #90daysdevops challenge.


File Ownership

File and directory ownership falls into three basic categories:

  • user — The owner of the file or application.

    A user is the owner of the file. By default, the person who created a file becomes its owner. Hence, a user is also sometimes called an owner.

  • group — The group that owns the file or application.

    A user group can contain multiple users. Members of the group share whatever permissions the group has been granted.

  • others — All users with access to the system.

    Any user who is neither the owner of the file nor a member of its group falls into others.

Linux File Permissions

File permissions come in three kinds:

  • write (w): the permission that lets the user modify the file.

  • read (r): the permission that lets the user view the content of the file.

  • execute (x): the permission that lets the user run the file (or, for a directory, enter it).

Create a simple file and do ls -ltr to see the details of the files

We created a new file 'file.txt' and a new directory 'data', and view their permissions with the command

ls -ltr or ls -l

In this output, the first character '-' marks a regular file and 'd' marks a directory.

Splitting the permission string of file.txt (rw-r--r--) into its three parts gives:

  • rw-: file owner permission

  • r--: file group permission

  • r--: other user permission

Change file permissions

To modify ownership and permissions, we use the following commands:

  • "chown" changes the owner (user) of a file or directory.

  • "chgrp" changes the group of a file or directory.

  • "chmod" changes the permission bits (for user, group and others) of a file or directory.

Let's create a user named Shawn and a group named DevOps:

sudo useradd Shawn

sudo groupadd DevOps

Now change the ownership of the file and directory created above using the chown and chgrp commands.

sudo chown Shawn file.txt

sudo chown Shawn:DevOps data

sudo chgrp DevOps data

We can confirm the new owner and group of the directory with the ls -ltr command:

drwxr-xr-x 1 Shawn DevOps 4096 Jan 7 10:34 data

We can change the permission bits with the chmod command.

There are two modes of the chmod command that we can use:

  1. Symbolic Method

  2. Numeric Method

Symbolic Method:

In this method, the owner classes are represented as

    u  : user/owner
    g  : group
    o  : other
    a  : all

and the operators are

    +    : Adds a permission to a file or directory
    -    : Removes the permission
    =    : Sets the permission and overrides the permissions set earlier.

Some examples of this method:

chmod u+x file.txt

chmod o-w file.txt

Numeric method:

It is also referred to as the absolute method. In this mode, file permissions are not represented as characters but as a three-digit octal number, one digit each for user, group and others.

4=> Read; 2=> Write; 1=> Execute

    Table showing the numbers for all permission combinations:
    Number    Permission                 Symbol
    0         No Permission              ---
    1         Execute                    --x
    2         Write                      -w-
    3         Write + Execute            -wx
    4         Read                       r--
    5         Read + Execute             r-x
    6         Read + Write               rw-
    7         Read + Write + Execute     rwx

Some examples of this method:

chmod 750 file.txt

chmod 777 data
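As an added example (not code from the original post), the POSIX sh functions below model the two chmod methods described above: they convert a nine-character ls -l permission string into its octal form, apply one symbolic clause such as u+x or o-w to an octal mode, and flag a mode that leaves "others" able to write, which is what chmod 777 data does. The function names are my own.

```sh
# Map any string of r, w, x characters (rw-, r-x, wx) to its octal digit: r=4, w=2, x=1.
bits_of() {
    n=0
    case $1 in *r*) n=$((n + 4)) ;; esac
    case $1 in *w*) n=$((n + 2)) ;; esac
    case $1 in *x*) n=$((n + 1)) ;; esac
    printf '%s' "$n"
}

# Convert the nine permission characters shown by ls -l (type character removed),
# e.g. rwxr-xr-x, into the three-digit octal mode chmod accepts, e.g. 755.
perm_to_octal() {
    printf '%s%s%s' \
        "$(bits_of "$(printf '%s' "$1" | cut -c1-3)")" \
        "$(bits_of "$(printf '%s' "$1" | cut -c4-6)")" \
        "$(bits_of "$(printf '%s' "$1" | cut -c7-9)")"
}

# Apply one operator to one octal digit: + adds bits, - clears them, = replaces them.
apply_op() {
    case $2 in
        +) printf '%s' $(($1 | $3)) ;;
        -) printf '%s' $(($1 & ~$3 & 7)) ;;
        =) printf '%s' "$3" ;;
    esac
}

# Apply a symbolic clause such as u+x, o-w, g=r or a+x to a three-digit octal mode.
# Simplification: an omitted "who" (e.g. +x) is treated as "a"; real chmod also applies umask there.
apply_symbolic() {
    who=${2%%[+=-]*}
    rest=${2#"$who"}
    op=$(printf '%s' "$rest" | cut -c1)
    bits=$(bits_of "${rest#?}")
    [ -n "$who" ] || who=a
    u=$(printf '%s' "$1" | cut -c1)
    g=$(printf '%s' "$1" | cut -c2)
    o=$(printf '%s' "$1" | cut -c3)
    case $who in *u*|*a*) u=$(apply_op "$u" "$op" "$bits") ;; esac
    case $who in *g*|*a*) g=$(apply_op "$g" "$op" "$bits") ;; esac
    case $who in *o*|*a*) o=$(apply_op "$o" "$op" "$bits") ;; esac
    printf '%s%s%s' "$u" "$g" "$o"
}

# True (exit 0) when the "others" digit carries the write bit: the state chmod 777 leaves a directory in.
world_writable() {
    [ $(($(printf '%s' "$1" | cut -c3) & 2)) -ne 0 ]
}

printf '%s\n' "$(apply_symbolic "$(perm_to_octal rw-r--r--)" u+x)"   # prints 744
```

Running world_writable on a mode before applying it with chmod is a cheap check to keep a shared directory from being opened to every user on the system.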

Read about ACL and try out the commands getfacl and setfacl

Access Control List (ACL)

An ACL assigns specific permissions to additional users or groups beyond the file's owner and owning group.

What is setfacl? It sets ACL entries for a user or a group on a file or directory.

And getfacl? It displays the ACL entries that setfacl has set.

Syntax :

setfacl -m u:<user>:<permission> <file/dir>

setfacl -m g:<group>:<permission> <file/dir>

where -m modifies (adds or changes) an ACL entry

setfacl -x u:<user> <file/dir>

setfacl -x g:<group> <file/dir>

where -x removes the ACL entry for that user or group

setfacl -b <file/dir>

where -b removes all ACL entries, leaving only the base permissions

getfacl <file/dir>

Some examples:

setfacl -m u:Shawn:rwx data

getfacl data