UNIX file permissions and ACLs

From Statgen Internal Wiki

Standard UNIX file permissions recognize three distinct classes of user:

  • Owner
  • Group
  • World

A series of three permission bits are defined for each of the three classes of user:

  • Read (r)
  • Write (w)
  • Execute (x)

When applied to a directory instead of a file, the execute bit represents directory traversal (also called search permission): the right to change into the directory and to reach the entries beneath it by name.

Let's see how file ownership, permissions and ACLs work in the context of a real directory listing from a project array, below.

drwxrwx---   3 topmed  topmed   29 Aug  5 17:56 backups
drwxrwx---   2 topmed  topmed    6 Oct 27 13:28 cp2ncbi
drwxrwx--x+ 19 topmed  topmed 4096 Nov 13 20:03 gt-release
drwxr-xr-x   3 hmkang  hmkang   25 Sep 28 07:34 hmkang
drwxr-xr-x   2 jzwlin  topmed    6 Sep 17 16:02 jzwlin
drwxr-xr-x  12 khlin   topmed 4096 Nov 19 11:03 khlin
drwxr-xr-x   3 schelcj  55671   28 Aug 15 01:25 schelcj
drwxrwx---   4 tblackw topmed   48 Aug 11 08:28 tblackw
lrwxrwxrwx   1 topmed  topmed   33 Nov  6 10:47 topmed-output -> /net/topmed/working/topmed-output

Of particular note:

  • The first field from the left shows file mode and permission bits
  • The third field from the left shows the owner of the file
  • The fourth field from the left shows the group of the file

The first character of the mode field gives the file type. If it is not set (-) the directory entry is a regular file (data or executable). Special types of files are indicated by their type character:

  • Block device (b)
  • Character device (c)
  • Directory (d)
  • Symbolic link (l)
  • Socket (s)

Let's look at the permission bits in further detail. Consider one of the directory entries, below:

drwxr-xr-x   2 jzwlin  topmed    6 Sep 17 16:02 jzwlin
 \ /\ /\ /
  O  G  W

The first set of three bits shows read, write and execute permissions for the owner. The second set of three bits shows read, write and execute permissions for the group. The third set of three bits shows read, write and execute permissions for "everyone else" or "world"; basically anyone who is not the listed owner, or a member of the listed group, on the file.

In the example above, the owner, jzwlin, has full (read, write, execute) permissions. The owning group, topmed, and other users who are neither jzwlin nor members of the topmed group have read and traverse permissions, but they are not permitted to write (create, modify or delete files).

File ownership is set with the "chown" and "chgrp" commands. For example:

chown <user> <file|directory>
chgrp <group> <file|directory>

The "chown" command can also take the user and group together as an argument:

chown <user>:<group> <file|directory>

Recursive mode can also be specified at the top of a directory hierarchy, to apply the change to all children:

chown -R <user>:<group> <file|directory>

File permissions are set with the "chmod" command. Basic syntax is:

chmod {u|g|o}{+|-|=}{r|w|x} <file|directory>

For example:

chmod u+rwx file
chmod o-rwx file
chmod g=rx file

Similar to other ownership and permission manipulation commands, "chmod" can be run in recursive mode at the top of a directory tree:

chmod -R {u|g|o}{+|-|=}{r|w|x} <file|directory>

Consider another example:

drwxrwx--x+ 19 topmed  topmed 4096 Nov 13 20:03 gt-release

Note here, there is a "+" after the nine traditional UNIX permission bits. This means that the directory also has an extended ACL set.
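A small POSIX shell helper, added here and not part of the original page, that reads the listing format shown above and flags the entries a reviewer should look at: directories anyone can write into, and entries whose "+" means getfacl is needed to see who really has access. The listing it runs over is constructed from the page's entries plus an invented world-writable "scratch" directory; all function names are the author's own.

```shell
#!/bin/sh
# Constructed sample listing in the page's "ls -l" layout (the "scratch" entry is
# invented to show a world-writable directory; the others mirror the page).
LISTING='drwxrwx---   3 topmed  topmed   29 Aug  5 17:56 backups
drwxrwx--x+ 19 topmed  topmed 4096 Nov 13 20:03 gt-release
drwxr-xr-x   2 jzwlin  topmed    6 Sep 17 16:02 jzwlin
drwxrwxrwx   2 tblackw topmed   48 Aug 11 08:28 scratch
lrwxrwxrwx   1 topmed  topmed   33 Nov  6 10:47 topmed-output -> /net/topmed/working/topmed-output'

# perms_for MODE CLASS: the rwx triplet for owner, group or other (chars 2-4, 5-7, 8-10)
perms_for() {
  case "$2" in
    owner) printf '%s\n' "$1" | cut -c2-4 ;;
    group) printf '%s\n' "$1" | cut -c5-7 ;;
    other) printf '%s\n' "$1" | cut -c8-10 ;;
    *) return 1 ;;
  esac
}

# has_acl MODE: true when the 11th character is the "+" that marks an extended ACL
has_acl() {
  [ "$(printf '%s\n' "$1" | cut -c11)" = "+" ]
}

# triplet_to_digit rwx: one octal digit (r=4, w=2, x=1; setuid/sticky letters ignored)
triplet_to_digit() {
  d=0
  case "$1" in r??) d=$((d + 4)) ;; esac
  case "$1" in ?w?) d=$((d + 2)) ;; esac
  case "$1" in ??x) d=$((d + 1)) ;; esac
  printf '%s\n' "$d"
}

# mode_to_octal MODE: the three-digit mode chmod would need, e.g. drwxr-xr-x -> 755
mode_to_octal() {
  printf '%s%s%s\n' "$(triplet_to_digit "$(perms_for "$1" owner)")" \
                    "$(triplet_to_digit "$(perms_for "$1" group)")" \
                    "$(triplet_to_digit "$(perms_for "$1" other)")"
}

# audit_listing: one "name: reason" line per entry worth a second look
audit_listing() {
  printf '%s\n' "$LISTING" | while read -r mode links owner group size mon day time name rest; do
    case "$mode" in l*) continue ;; esac   # symlinks always show lrwxrwxrwx
    case "$(perms_for "$mode" other)" in ?w?) printf '%s: world-writable\n' "$name" ;; esac
    if has_acl "$mode"; then printf '%s: extended ACL, review with getfacl\n' "$name"; fi
  done
}

audit_listing
```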

To view the extended ACL, use the "getfacl" command:

root@topmed2:/working# getfacl gt-release
# file: gt-release
# owner: topmed
# group: topmed
user::rwx
user:sftp-barnes:--x
user:sftp-blangero:--x
user:sftp-burchard:--x
user:sftp-correa:--x
user:sftp-ellinor:--x
user:sftp-mcgarvey:--x
user:sftp-mitchell:--x
user:sftp-ramachandran:--x
user:sftp-redline:--x
user:sftp-silverman:--x
user:sftp-weiss:--x
user:sftp-broad:--x
user:sftp-illumina:--x
user:sftp-nygc:--x
user:sftp-uw:--x
user:sftp-trio:--x
group::rwx
mask::rwx
other::--x

Note that in this case, the extended ACL is used simply to allow lesser-permissioned accounts to traverse this top-level directory.

To set an extended ACL, use the "setfacl" command. For example:

setfacl -m user:<username>:{r|w|x} <file|directory>
setfacl -m group:<group>:{r|w|x} <file|directory>

The "setfacl" command can also be run recursively at the top of a directory tree:

setfacl -R -m user:<username>:{r|w|x} <file|directory>
setfacl -R -m group:<group>:{r|w|x} <file|directory>

Note that the named user and group entries of an extended ACL are limited by the ACL mask, which is what the traditional group permission bits display (and what "chmod" on the group bits changes) once an extended ACL exists. For best results, these are therefore traditionally set to rwx when using extended ACLs, so that no ACL entry is silently reduced by the mask.