What You Need To Know To Set Linux Permissions and Access Control Lists

Set standard Linux permissions and access control lists to manage file and directory access by using the chmod and setfacl commands.

Linux permissions are fairly straightforward to manage. There are three levels of access and three identities to assign access to. This article summarizes the necessary commands and syntax to manage both standard Linux permissions and access control lists (ACLs).

The three access levels are:

  • Read (r)
  • Write (w)
  • Execute (x)

The three identities are:

  • User/owner (u)
  • Group (g)
  • All others (o)

Note that access levels mean different things on a file and on a directory. On a file, execute lets the file run (a script or a binary). On a directory, read lists the entries, write creates or deletes entries, and execute allows traversal: entering the directory with cd, or reaching anything inside it by path.

Use the chmod Command

The chmod command manipulates standard permissions. The syntax varies depending on whether you're using absolute or symbolic mode, but the general format is:

chmod {access-level} {resource}

Only the owner of a file (or root) can change its permissions, so you may need to use sudo to set file permissions, depending on who owns the resource and how your system is configured.

In the following example, 764 is the {access-level} and /opt/projects is the {resource}:

$ chmod 764 /opt/projects

The chmod command accepts two different types of input: Absolute mode and symbolic mode. As a Linux user, it's important to understand both types.

Use Absolute Mode

Absolute mode relies on numeric values for each access level. Three digits are used to define standard permissions, and the position of the digits relates to each of the three identities. It sounds far more confusing than it actually is.

Here are the values for each access level:

  • Read = 4
  • Write = 2
  • Execute = 1

The numbers are summed together to result in a final access level. For example, to grant read (4) and write (2) access, add 4+2 for a result of 6. If an identity has 6, it has read and write access. An identity with read (4) and execute (1) has an access level of 5 (4+1).

Each identity has a position in the permissions syntax. The leftmost position applies to the user/owner (u), and the middle digit applies to the group (g). The rightmost position is for others (o).

Here are the positions for each digit:

ugo

So how is this applied? Absolute mode requires the administrator to define the desired permissions. It does not pay attention to the existing permissions; rather, the absolute or final settings are applied, regardless of what access levels existed before.

For example, an administrator wants the user to have rwx, the group to have r-x, and others to have no access. The rwx access is 4+2+1, or 7. The group's r-x access is 4+1, or 5. Finally, the others have no access, or 0. So the absolute setting is 750. To configure this access for the /opt/projects directory, type:

$ chmod 750 /opt/projects

Similarly, to grant the user read and write, the group read, and others read to the test.txt file, type:

$ chmod 644 test.txt

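As an added example (not part of the original article), the following POSIX shell script converts between the rwx strings that ls -l prints and the absolute modes chmod takes, applies a mode to a throwaway file, and reads the result back to confirm it. The function names are the example's own; it assumes a Unix-like system with ls, chmod and mktemp, and it deliberately rejects the setuid, setgid and sticky characters (s, S, t, T), which need a fourth leading digit that this article does not cover.

```shell
#!/bin/sh
# Added example (not from the original article): convert between the rwx
# strings printed by ls -l and the absolute (octal) modes chmod takes, then
# apply a mode and confirm the result by reading it back with ls -ld.
set -eu

# rwx_to_octal "rwxr-x---" -> 750 ; accepts only r, w, x and -
# (s/S/t/T would need a leading setuid/setgid/sticky digit, so they are refused)
rwx_to_octal() {
    s=$1
    out=""
    n=0
    i=0
    [ "${#s}" -eq 9 ] || { echo "rwx_to_octal: need 9 characters, got '$s'" >&2; return 1; }
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}            # first character of what is left
        s=${s#?}                   # drop it
        case $c in
            r) n=$((n + 4)) ;;
            w) n=$((n + 2)) ;;
            x) n=$((n + 1)) ;;
            -) ;;
            *) echo "rwx_to_octal: unexpected character '$c'" >&2; return 1 ;;
        esac
        i=$((i + 1))
        if [ $((i % 3)) -eq 0 ]; then out="$out$n"; n=0; fi   # one digit per identity
    done
    printf '%s\n' "$out"
}

# octal_to_rwx 640 -> rw-r-----
octal_to_rwx() {
    m=$1
    out=""
    [ "${#m}" -eq 3 ] || { echo "octal_to_rwx: need 3 digits, got '$m'" >&2; return 1; }
    while [ -n "$m" ]; do
        d=${m%"${m#?}"}
        m=${m#?}
        case $d in [0-7]) ;; *) echo "octal_to_rwx: bad digit '$d'" >&2; return 1 ;; esac
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# current_rwx <path>: the 9-character permission string taken from ls -ld
# (column 1 is the file type, so we start at column 2)
current_rwx() {
    ls -ld "$1" | cut -c2-10
}

# apply_rwx <path> <rwx-string>: chmod the equivalent absolute mode, then
# verify by reading the permissions back. Returns non-zero on mismatch.
apply_rwx() {
    mode=$(rwx_to_octal "$2") || return 1
    chmod "$mode" "$1"
    [ "$(current_rwx "$1")" = "$2" ]
}

# Demo on a throwaway file (no privileges needed: you own what mktemp creates).
f=$(mktemp)
if apply_rwx "$f" "rw-r-----"; then
    echo "$f is now $(current_rwx "$f"), i.e. mode $(rwx_to_octal "$(current_rwx "$f")")"
fi
rm -f "$f"
```

Run it with sh. The two conversion functions are the useful part: pipe the string you see in ls -l through rwx_to_octal before you type a chmod, and you will not mix up the digit positions.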
Can You Do It?

Q1: What is the absolute mode value to grant the user read and write, the group read, and all others no access?

The answer is at the end of the article.

Use Symbolic Mode

Some people don't enjoy working with numbers and find absolute mode confusing. Others may only need to modify one access level and don't wish to specify permissions for all three identities every time. In these situations, symbolic mode may be preferred. The challenge with symbolic mode is accounting for the existing permissions that you don't want to manipulate.

Symbolic mode relies on the same three identities (user, group, others) and the same three access levels (read, write, execute). It uses letters to represent the identities and access levels, and it uses the operators +, - and = to add, remove or set permissions. Permissions can be adjusted on a per-identity basis. The chmod command recognizes these abbreviations.

To add the execute (x) permission to the test.txt file for others (o), type the following:

$ chmod o+x test.txt

The access levels for the user and group are not changed, and any permission others already had remains. The execute permission is simply added to whatever is already there.

Symbolic mode allows for adjusting multiple access levels at a time for multiple identities. To grant the group (g) and others (o) both read (r) and execute (x) to test.txt, type:

$ chmod go+rx test.txt

Remember, you are adding or subtracting permissions for the existing access levels. If the user already has read (r) and you also want to grant them write (w), you add write (+w). Therefore, to calculate the desired outcome, you must first figure out the existing levels and whether you need to add or subtract access (or both).

Assume you enter the ls -l command and see the following existing permissions:

-rwxrw---- test.txt

The first character is the file type (- for a regular file, d for a directory). It is followed by three groups of three characters. The first group represents the user/owner's access (rwx in this example). The middle group represents the group (in this example, rw-). The final group applies to all others (in this case, --- or no access).

To grant the others (o) read, you must add read (+r). However, to remove execute for the user (u), you must subtract the x permission (-x).

The adjustment might look like this (there are a few different ways to do this):

$ chmod o+r test.txt

$ chmod u-x test.txt

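An added example (not from the article) that makes the relative nature of symbolic mode visible: the same o+x is applied to two files that start with different modes, the Q2 change is done in one = clause, and a recursive chmod is run once with +x and once with X. The X flag (execute only for directories, and for files that already have an execute bit for someone) is not mentioned in the article but is the standard way to avoid making every file in a tree executable with chmod -R. Function names and the temporary tree are the example's own; it assumes a Unix-like system with chmod, ls and mktemp.

```shell
#!/bin/sh
# Added example (not from the original article): symbolic mode edits the
# bits that are already there, "=" replaces them, and the "X" flag avoids
# the classic mistake of making every regular file executable with chmod -R.
set -eu

perms() { ls -ld "$1" | cut -c2-10; }   # 9-character rwx string of a path

# after_symbolic <start-octal> <symbolic-spec>: create a throwaway file with
# the given absolute mode, apply the symbolic change, print the result.
after_symbolic() {
    f=$(mktemp)
    chmod "$1" "$f"
    chmod "$2" "$f"
    perms "$f"
    rm -f "$f"
}

# after_recursive <symbolic-spec>: build a small constructed tree (sub/ is
# 755, sub/data.txt is 644, created under a fixed umask), chmod -R it, and
# print "<subdir perms> <file perms>" so the two can be compared.
after_recursive() {
    d=$(mktemp -d)
    (umask 022; mkdir "$d/sub"; touch "$d/sub/data.txt")
    chmod -R "$1" "$d"
    printf '%s %s\n' "$(perms "$d/sub")" "$(perms "$d/sub/data.txt")"
    rm -rf "$d"
}

# Same relative change, different results, because +x only adds the x bit:
echo "640 then o+x          : $(after_symbolic 640 o+x)"     # rw-r----x
echo "600 then o+x          : $(after_symbolic 600 o+x)"     # rw------x

# Q2 from the article in one command: "=" sets exactly the listed bits, and
# "o=" with nothing after it clears all of others' bits. Commas separate clauses.
echo "766 then u=rw,g=r,o=  : $(after_symbolic 766 u=rw,g=r,o=)"   # rw-r-----

# Recursive caveat: go+x on a tree makes data.txt executable too; X grants
# execute only to directories (and to files that already have it for someone).
echo "tree after go+x       : $(after_recursive go+x)"          # rwxr-xr-x rw-r-xr-x
echo "tree after u=rwX,go=rX: $(after_recursive u=rwX,go=rX)"   # rwxr-xr-x rw-r--r--
```

Because + and - depend on what is already set, a script that must produce a known result should use = clauses (or absolute mode); the relative operators are for interactive one-off changes where you have just looked at ls -l.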
Can You Do It?

Q2: The test.txt file's permissions are currently rwxrw-rw-. What are the symbolic mode commands to grant the user read and write, the group read, and all others no access?

The answer is at the end of the article.

Configure ACLs

One of the challenges with standard Linux permissions is that only one user and one group are associated with the resource. Using standard permissions, you cannot assign user1 rwx and user2 r--. Likewise, you cannot assign group1 rw- and group2 r--.

However, access control lists (ACLs) are a filesystem feature that allows multiple identities to be assigned multiple levels of access. ACLs are not configured via the chmod command. Instead, use the setfacl command to configure access control lists and the getfacl command to display current ACLs. ACLs build on standard permissions: the owner, group and other bits remain the base entries, named users and groups are added on top, and a mask entry caps what any named entry can grant. A file that carries an ACL shows a + after its mode in ls -l output.

Before editing the access control list, use the getfacl command (for example, getfacl test.txt) to display the current settings, including the mask entry and the effective rights of each named entry.

The syntax to set an ACL is a little more complex than chmod:

setfacl -option {identity:name:access} {resource}

Assuming group1 already has access via standard permissions, to grant group2 rw to test.txt, enter:

$ setfacl -m g:group2:rw test.txt

To grant user2 r-- to test.txt (assuming user1 has access based on standard permissions), run:

$ setfacl -m u:user2:r test.txt

Note: The -m option stands for modify.

Remove entries by using the -x option. To remove the group2 ACL setting for the test.txt file, enter:

$ setfacl -x g:group2 test.txt

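An added example (not from the article) on the one piece of ACL behaviour that catches most administrators: the mask entry. Every named user or group entry is filtered through the mask, setfacl -m recalculates the mask for you, and once a file has an ACL the group bits shown by ls -l are the mask rather than the owning group's entry, so a later chmod g-w silently reduces what group2 can do. The script uses a numeric gid (12345, assumed not to exist on the host) in place of group2 so that it runs on any system with the acl package installed; setfacl accepts IDs as well as names. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): the ACL mask entry caps
# every named user/group entry, and a plain chmod on the group bits rewrites
# that mask, so an ACL grant can shrink without anyone touching setfacl.
# A numeric gid is used so the example does not depend on group2 existing.
set -eu

ACL_GID=12345            # constructed; assumed not to be a real group here

# True when setfacl is installed and the temp filesystem accepts ACLs.
acl_available() {
    command -v setfacl >/dev/null 2>&1 || return 1
    f=$(mktemp) || return 1
    if setfacl -m "g:$ACL_GID:r" "$f" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

mask_of() {              # the mask entry (e.g. rw-) from getfacl, header omitted
    getfacl -c "$1" | sed -n 's/^mask::\(...\).*/\1/p'
}

effective_of_group() {   # what the named group can actually do once the mask applies
    getfacl -c -e "$1" | sed -n "s/^group:$ACL_GID:...[[:space:]]*#effective:\(...\).*/\1/p"
}

has_acl_marker() {       # ls -l flags files with an ACL by a "+" after the mode
    [ "$(ls -ld "$1" | cut -c11)" = "+" ]
}

# Walk a file through the gotcha; print "<mask> <mask after chmod> <effective>".
mask_demo() {
    f=$(mktemp)
    chmod 640 "$f"                        # rw-r-----: group class is r--
    setfacl -m "g:$ACL_GID:rw" "$f"       # -m also recalculates the mask -> rw-
    m1=$(mask_of "$f")
    chmod g-w "$f"                        # once an ACL exists, the group bits in
    m2=$(mask_of "$f")                    # ls -l ARE the mask; g-w sets it to r--
    eff=$(effective_of_group "$f")        # entry still reads rw-, effective is r--
    printf '%s %s %s\n' "$m1" "$m2" "$eff"
    rm -f "$f"
}

# Restoring access means fixing the mask, not re-adding the group entry.
mask_after_repair() {
    f=$(mktemp)
    chmod 640 "$f"
    setfacl -m "g:$ACL_GID:rw" "$f"
    chmod g-w "$f"
    setfacl -m "m::rw" "$f"               # explicit mask entry (m::perms)
    mask_of "$f"
    rm -f "$f"
}

if acl_available; then
    echo "mask, mask after chmod g-w, effective group perms: $(mask_demo)"   # rw- r-- r--
    echo "mask after setfacl -m m::rw: $(mask_after_repair)"                 # rw-
    t=$(mktemp); setfacl -m "g:$ACL_GID:r" "$t"
    has_acl_marker "$t" && echo "ls -l marks the ACL: $(ls -ld "$t" | cut -c1-11)"
    rm -f "$t"
else
    echo "setfacl not available or ACLs unsupported on this filesystem; nothing to show" >&2
fi
```

getfacl -e prints the effective rights next to every entry, which is the quickest way to spot a mask problem after a chmod. setfacl -b strips the whole ACL if you want to start over, and setfacl -d -m on a directory sets default entries that new files created inside it inherit (not shown here).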
Can You Do It?

Q3: What is the ACL command to grant user2 read and write to file test.txt?

The answer is at the end of the article.

Learn the Skills You Need With CompTIA Linux+

The importance of basic permissions cannot be overstated. When used with SELinux, proper updating habits and other hardening techniques, permissions help mitigate access threats. Linux standard permissions apply to three identities and offer three levels of access. Standard permissions can be supplemented with access control lists. The commands are straightforward (mainly chmod and setfacl) but you must be familiar with absolute and symbolic modes to manage permissions efficiently.

Learn these skills (and more) with CompTIA Linux+. CompTIA Linux+ is an intermediate-level IT certification and is the only job-focused Linux certification covering the latest foundational skills demanded by hiring managers. CompTIA Linux+ validates the competencies required of an early career supporting Linux systems.

Check Your Answers

Q1: To grant the user read and write, the group read, and all others no access, use a value of 640.

Q2: If the test.txt file's permissions are currently rwxrw-rw-, then to set the user read and write, the group read, and all others no access, type:

$ chmod u-x test.txt

$ chmod g-w test.txt

$ chmod o-rw test.txt

Again, there are faster ways (chmod 640 test.txt, or chmod u=rw,g=r,o= test.txt, which sets all three identities in one command), but this example shows the logic.

Q3: The ACL command to grant user2 read and write to file test.txt is:

$ setfacl -m u:user2:rw test.txt

Ready to get started? Download the CompTIA Linux+ exam objectives for free to see what's covered.
