⚠ INFORMATION
This page was translated by an AI (LLM) with a cursory human check and is awaiting full review.

Managing file access rights

Unix rights

Unix rights allow you to give different access rights in reading, writing and/or execution to the following categories:

  • to the file owner (user),
  • to users belonging to the same Unix group as the file owner (group),
  • to all other users (other).

Simply use the chmod command to modify Unix rights (for more information, see man chmod).

note

Most of the time, Unix rights will be sufficient. If you need to control access to your data more finely, for example to open a directory to a single other user (regardless of their Unix group), you will need to use an ACL (Access Control List).

Access Control List (ACL)

It is possible to create an Access Control List (ACL) on a directory or file to open access in reading, writing and/or execution to any other user or group.

Conversely, an ACL can also be used to impose access restrictions on certain files or directories using masks specifying "maximum rights" that can be assigned (see section Dependencies between ACL and Unix rights (for advanced users)).

Viewing ACLs

The getfacl command (for more information, see man getfacl) gives a detailed display of the ACLs set on a given file or directory:

getfacl <file|directory>

$ getfacl myfile
# file: myfile
# owner: user1
# group: group1
user::rw-
group::r--
other::---
important

The rights rwx have the same meanings as the classic Unix rights rwx.

The goal is to open access to a file or directory beyond the current owner and owner group by enriching the associated ACLs. We explain how to do this in the Managing ACLs section.


$ getfacl myfile
# file: myfile
# owner: user1
# group: group1
user::rw-
user:user2:rw-
user:user3:r--
user:user4:r--
group::r--
group:group2:r--
group:group3:r--
mask::rw-
other::r--
note

The -l option of the ls command allows you to display the classic Unix rights but also to see if ACLs are set. In this case, a sign + appears just after the Unix rights.

$ ls -ld repertoire_avec_acl repertoire_sans_acl
drwxr-x---+ 2 user1 group1 8192 2014-03-29 11:00 repertoire_avec_acl
drwxr-x--- 2 user1 group1 8192 2014-03-29 11:00 repertoire_sans_acl

$ ls -l fichier_avec_acl fichier_sans_acl
-rwx------+ 2 user1 group1 8192 2014-03-29 11:00 fichier_avec_acl
-rwx------ 2 user1 group1 8192 2014-03-29 11:00 fichier_sans_acl

Managing ACLs

If you wish to give access rights to a specific user and/or group, you can define an ACL (Access Control List) via the setfacl command on the desired file or directory.

A presentation of this command is provided below. For more details, you can type the command man setfacl.

The general syntax is as follows:

setfacl <ACL_options> <file|directory>

where <ACL_options> can have one of the following forms:

  • to create or replace an existing ACL:

    --set=<arguments>
  • to modify an existing ACL:

    -m <arguments>
  • to delete an existing ACL:

    -b

The list of possible <arguments> fields is as follows:

  • u (as user) WITHOUT mention of the user corresponds to the rights given to the owner of the file or directory: u::[r|-][w|-][x|-] ;
    note

    For a directory (or an executable), we advise you to set u::rwx and for a file u::rw-.

    danger

    Without these rights, the owner can no longer access the file or directory. The u:: entry is nothing other than the owner's Unix permission bits: setting u::--- has the same effect as chmod u-rwx, so the owner is locked out even though the rest of the ACL is correct.

  • g (as group) WITHOUT mention of group corresponds to the rights given to the owner group of the file: g::[r|-][w|-][x|-] ;
  • o (as other) WITHOUT any mention corresponds to the rights given to users who are not mentioned in the u and g fields: o::[r|-][w|-][x|-] ;
  • u (as user) WITH mention of the user corresponds to the rights given to a particular user (here userX) : u:userX:[r|-][w|-][x|-] ;
  • g (as group) WITH mention of the group corresponds to the rights assigned to all users of the specified Unix group (here groupX) : g:groupX:[r|-][w|-][x|-] ;
  • m (as mask) defines the maximum rights that can be obtained through the u:userX:... and g:groupX:... fields (and also through g::...): the effective rights of each of these entries are the entry ANDed with the mask. The owner (u::...) and other users (o::...) are never subject to the mask.
    important

    It is advisable to:

    • fill in this field yourself each time you modify an ACL to avoid a default value being defined that is not consistent with your needs;
    • give the mask the highest rights (m::rwx) to not restrict the rights given to a user and/or a group.
    warning

    If the mask field is empty (m::---), the access rights opened thanks to the u fields with mention of the user or g fields with mention of the group are inoperative. See the Dependencies between ACL and Unix rights (for advanced users) section for more details.

To set a new ACL with the setfacl --set=<argument> command, the first three fields u without mention of the user, g without mention of the group and o are mandatory.

For example, the following command gives all rights to the owner (u::rwx) on the directory mon_repertoire, allows members of the owner group to consult the contents of the directory in read-only mode (g::r-x), and closes access to other users (o::---) :

setfacl --set=u::rwx,g::r-x,o::--- mon_repertoire
important

Access to subdirectories and files contained in mon_repertoire remains controlled by Unix rights. See the Tips on using ACLs section for more details on this.

warning

When you set ACL rights on a directory (for example $WORK/sub_dir/shared_dir/) or a file (for example $WORK/sub_dir/shared_file.h5), you must also make sure that the user can traverse (x right) each of the directories that make up the access path to this directory or file (for this example $WORK/ and sub_dir/), either through an ACL entry or through the Unix rights. Without this, access will be denied even though the ACL on the target is correct.

Using the setfacl command with these three fields only gives the same permissions as the chmod command and is therefore of little interest. To broaden access rights, you need to add the u fields with mention of the user, g fields with mention of the group and/or the m field.
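The rules above (mandatory u::, g:: and o:: entries, a mask that should be given explicitly and should not be empty, an owner entry that must not lock the owner out) are easy to get wrong when typing a long --set= argument. The following checker is an added example, not a tool from the original page or from the acl package: it parses the compact syntax and reports the problems a practitioner would want flagged before running setfacl. Entry names and messages are this example's own.

```python
"""Pre-flight check of the <arguments> string of 'setfacl --set=' against the
rules listed above (mandatory u::, g::, o:: entries, the role of the mask, the
owner locking themselves out). Added illustration, not code from the page."""


def parse_acl(text):
    """'u::rwx,u:user2:rwx,g::r-x,o::---,m::rwx' -> {'u::': 'rwx', 'u:user2:': 'rwx', ...}"""
    acl = {}
    for field in text.split(","):
        tag, qualifier, perms = field.split(":")
        if tag not in ("u", "g", "o", "m") or len(perms) != 3 or any(c not in "rwx-" for c in perms):
            raise ValueError(f"malformed ACL field: {field!r}")
        acl[f"{tag}:{qualifier}:"] = perms
    return acl


def masked(entry, mask):
    """Effective rights of an entry subject to the mask (bitwise AND, kept in rwx order)."""
    return "".join(b if b in entry and b in mask else "-" for b in "rwx")


def lint_set_argument(text):
    """Problems a practitioner wants flagged before running 'setfacl --set=TEXT'.
    An empty list means the string is complete and the mask restricts nothing."""
    acl = parse_acl(text)
    problems = [f"missing mandatory entry {k}" for k in ("u::", "g::", "o::") if k not in acl]
    # named user/group entries: everything starting with u: or g: except u:: and g::
    named = [k for k in acl if k[0] in "ug" and k not in ("u::", "g::")]
    mask = acl.get("m::")
    if named and mask is None:
        problems.append("named user/group entries but no m:: entry: setfacl will choose a mask for you")
    elif named and mask == "---":
        problems.append("mask is ---: every named user/group entry is inoperative")
    elif mask is not None:
        # the mask also bounds the owning group entry g::, not only the named entries
        for key in named + (["g::"] if "g::" in acl else []):
            eff = masked(acl[key], mask)
            if eff != acl[key]:
                problems.append(f"{key}{acl[key]} is cut down to {eff} by the mask m::{mask}")
    if "r" not in acl.get("u::", "r--"):
        problems.append("u:: grants no read right: the owner locks themselves out")
    return problems


if __name__ == "__main__":
    for arg in ("u::rwx,u:user2:rwx,g::r-x,o::---,m::rwx",
                "u::rwx,u:user3:rwx,g::rwx,g:group2:rwx,o::---,m::r-x",
                "u::---,u:user2:rwx,g::r-x,o::---,m::---"):
        print(arg, "->", lint_set_argument(arg) or "OK")
```

Run it on the string you are about to pass to --set=; the second sample in the main block reproduces the situation of the advanced section, where a mask of r-x silently cuts three rwx entries down to r-x.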

Adding a user

For example, if user1 wants to give the user user2 read, write and traverse rights (rwx) on their directory DIR_user1, they must use the following setfacl command:

[user1@hostname:~]$ cd $DIR_user1
[user1@hostname:~]$ setfacl --set=u::rwx,u:user2:rwx,g::r-x,o::---,m::rwx .

They can then check the ACLs set with the getfacl command:

[user1@hostname:~]$ cd $DIR_user1
[user1@hostname:~]$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::---

Reading the output:

  • with the u::rwx field, the owner user1 has the rights rwx on their directory DIR_user1;
  • with the g::r-x field, users belonging to the owner group (group1) have the rights r-x: they can therefore traverse the directory and read its contents but not write to it;
  • with the o::--- field, no other user has any rights on this directory;
  • with the u:user2:rwx field, user1 adds the rights rwx only for the user user2: they can therefore read and write in the directory DIR_user1;
  • with the m::rwx field: the mask bounds the effective rights of the u:user2:rwx entry and of the owner group entry g::r-x; set to rwx, it restricts nothing (the owner and other users are never subject to the mask).

Adding a group

For example, if user1 wants to give specific access rights to the group group3 on their directory DIR_user1, they must use the following setfacl command:

[user1@hostname:~]$ cd $DIR_user1
[user1@hostname:~]$ setfacl --set=u::rwx,g::r-x,g:group3:r-x,o::---,m::rwx .

They can then check the ACLs set with the getfacl command:

[user1@hostname:~]$ cd $DIR_user1
[user1@hostname:~]$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group3:r-x
mask::rwx
other::---

Reading the output:

  • with the u::rwx field, the owner user1 has the rights rwx on their directory DIR_user1;
  • with the g::r-x field, users belonging to the owner group (group1) have the rights r-x: they can therefore traverse the directory and read its contents but not write to it;
  • with the o::--- field, no other user has any rights on this directory;
  • with the g:group3:r-x field, user1 adds the rights r-x for users belonging to the group group3: they can therefore traverse the directory and see its contents but not write to it;
  • with the m::rwx field: the mask bounds the effective rights of the g:group3:r-x entry and of the owner group entry g::r-x; set to rwx, it restricts nothing.

Updating an ACL

To modify the ACLs, you can use the setfacl command with either:

  • the --set=... option: the existing ACLs are then overwritten. In this case, you must always specify the u::..., g::... and o::... fields again, and the mask m::rwx, to be sure that the ACL rights set for the specified user(s) and/or group(s) will really be effective.
  • the -m ... option: the existing ACLs are then modified.

For example, first set ACLs on the directory MY_DIR for the Unix group group3 via the option --set= which requires us to specify everything:

$ cd MY_DIR
$ setfacl --set=u::rwx,g::r-x,g:group3:r-x,o::---,m::rwx .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group3:r-x
mask::rwx
other::---

Then modify the ACLs by replacing the Unix group group3 with group4 via the option --set= which still requires us to specify everything:

$ cd MY_DIR
$ setfacl --set=u::rwx,g::r-x,g:group4:r-x,o::---,m::rwx .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group4:r-x
mask::rwx
other::---

Finally, modify the ACLs by adding a second group group2 but via the option -m which avoids having to specify everything:

$ cd MY_DIR
$ setfacl -m g:group2:r-x .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group2:r-x
group:group4:r-x
mask::rwx
other::---

Deleting an ACL

To delete the ACLs, you can use the setfacl command with the -b option. For example:

$ cd MY_DIR
$ ls -ld .
drwxr-x---+ 2 user1 group1 8192 2014-03-29 11:00 .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group3:r-x
mask::rwx
other::---

$ setfacl -b .
$ ls -ld .
drwxr-x--- 2 user1 group1 8192 2014-03-29 11:00 .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
other::---

Tips on using ACLs

We advise you to place an ACL only on the root directory of the directory tree to be shared to filter access, and then set the Unix rights on the files and subdirectories it contains using the chmod command.

For example, if the account user1 wishes to share a directory tree contained in ROOT_TREE with the account user3 and the Unix group group2:

[user1@hostname:~]$ cd ROOT_TREE
[user1@hostname:~]$ setfacl --set=u::rwx,u:user3:rwx,g::r-x,g:group2:r-x,o::---,m::rwx .
[user1@hostname:~]$ ls -l .
drwxrwx---+ 0 user1 group1 4096 2014-03-30 11:46 .
-rwxr-xrwx 0 user1 group1 1001 2014-03-30 11:46 file1
drwxrwxrwx 0 user1 group1 4096 2014-03-30 11:46 SUB_DIR

[user1@hostname:~]$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
user:user3:rwx
group::r-x
group:group2:r-x
mask::rwx
other::---

If we analyse these access rights, we see that:

                 ACL rights on ROOT_TREE           Unix rights on file1           Unix rights on SUB_DIR
  user3          rwx                               rwx                            rwx
                 (line user:user3: of getfacl)     (field other of ls for file1)  (field other of ls for SUB_DIR)
  group1         r-x                               r-x                            rwx
                 (line group:: of getfacl)         (field group of ls for file1)  (field group of ls for SUB_DIR)
  group2         r-x                               rwx                            rwx
                 (line group:group2: of getfacl)   (field other of ls for file1)  (field other of ls for SUB_DIR)

  • The user user3 has the ACL rwx on the directory ROOT_TREE and the Unix rights rwx (field other) on the file file1. They can thus access the file file1 contained in the ROOT_TREE of user1 in read and write mode. Note that they can also create new files and directories under ROOT_TREE of user1 thanks to the ACL rwx. Moreover, they can also see and modify the contents of the subdirectories such as SUB_DIR for which the Unix rights (field other) allow them to do so.
  • The owner group (group1) has the ACL r-x on ROOT_TREE and the Unix rights r-x (field group) on the file file1. The members of the group group1 can therefore traverse ROOT_TREE and read file1 but not write to it (therefore not modify it). Moreover, they cannot create anything directly in ROOT_TREE of user1 (ACL r-x). But they can see and modify the contents of the subdirectories such as SUB_DIR for which the Unix rights (field group) allow them to do so.
  • By contrast, the group group2 has the ACL r-x on ROOT_TREE but the Unix rights rwx (field other) on the file file1. The members of the group group2 can therefore traverse ROOT_TREE and read or write (therefore modify or overwrite) file1, which may not be desired. Like group1, they cannot create anything directly in the ROOT_TREE of user1 (ACL r-x), but they can see and modify the contents of the subdirectories such as SUB_DIR for which the Unix rights (field other) allow them to do so.

To prevent the group group2 from being able to overwrite file1, you may be tempted to remove the Unix write right in the other field with the chmod 755 file1 command. But this would then also prevent user3 from modifying the file. In this case, you must also set an ACL on file1:

$ setfacl --set=u::rwx,u:user3:rwx,g::r-x,g:group2:r-x,o::---,m::rwx file1
$ getfacl file1
# file: file1
# owner: user1
# group: group1
user::rwx
user:user3:rwx
group::r-x
group:group2:r-x
mask::rwx
other::---
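The analysis above combines three things: the access-check algorithm of POSIX ACLs (owner first, then a named user entry, then the owning group and named groups under the mask, and only otherwise the other:: entry), the traversal (x) right needed on every directory of the path, and the fact that a directory ACL says nothing about the files below it. The following model is an added example, not code from the original page: it replays the ROOT_TREE tree with the three candidate rights on file1 (as listed, after chmod 755, and after the setfacl above). The principals user5, user6 and user7 and their group memberships are made up for the example; plain Unix modes are written as minimal ACLs without a mask entry.

```python
"""POSIX ACL access check (the algorithm of acl(5)) replayed on the ROOT_TREE
example above. Added illustration, not code from the original page."""


def parse_acl(text):
    """'u::rwx,u:user3:rwx,g::r-x,o::---,m::rwx' -> {'u::': {'r','w','x'}, ...}"""
    acl = {}
    for field in text.split(","):
        tag, qualifier, perms = field.split(":")
        acl[f"{tag}:{qualifier}:"] = set(perms) - {"-"}
    return acl


def effective(acl, key):
    """Rights an entry really grants: owner and other ignore the mask; the
    owning group, named users and named groups are ANDed with it (if any)."""
    if key in ("u::", "o::") or "m::" not in acl:
        return acl[key]
    return acl[key] & acl["m::"]


def allowed(obj, user, groups, want):
    """One object, one principal. The first matching class decides; all matching
    group entries are tried, and a group match that grants too little denies
    access without falling through to other::."""
    acl, want = obj["acl"], set(want)
    if user == obj["owner"]:
        return want <= effective(acl, "u::")
    if f"u:{user}:" in acl:
        return want <= effective(acl, f"u:{user}:")
    matched = False
    for key in acl:
        if not key.startswith("g:"):
            continue
        group = obj["group"] if key == "g::" else key[2:-1]
        if group in groups:
            matched = True
            if want <= effective(acl, key):
                return True
    if matched:
        return False
    return want <= effective(acl, "o::")


def can_access(fs, user, groups, path, want):
    """Every directory on the way must be traversable (x); the target needs 'want'."""
    parts = path.split("/")
    for depth in range(1, len(parts)):
        if not allowed(fs["/".join(parts[:depth])], user, groups, "x"):
            return False
    return allowed(fs[path], user, groups, want)


def tree(file1_acl):
    """The page's tree with a configurable ACL on file1 (constructed sample data)."""
    owned = {"owner": "user1", "group": "group1"}
    return {
        "ROOT_TREE": dict(owned, acl=parse_acl("u::rwx,u:user3:rwx,g::r-x,g:group2:r-x,o::---,m::rwx")),
        "ROOT_TREE/file1": dict(owned, acl=parse_acl(file1_acl)),
        "ROOT_TREE/SUB_DIR": dict(owned, acl=parse_acl("u::rwx,g::rwx,o::rwx")),  # drwxrwxrwx
    }


# made-up principals standing for the categories discussed in the text
PRINCIPALS = {
    "user3": ("user3", {"group3"}),
    "group1 member": ("user5", {"group1"}),
    "group2 member": ("user6", {"group2"}),
    "outsider": ("user7", {"group9"}),
}

FILE1_AS_LISTED = "u::rwx,g::r-x,o::rwx"                                  # -rwxr-xrwx
FILE1_CHMOD_755 = "u::rwx,g::r-x,o::r-x"                                  # after chmod 755 file1
FILE1_WITH_ACL = "u::rwx,u:user3:rwx,g::r-x,g:group2:r-x,o::---,m::rwx"   # the setfacl above


def who_can_write_file1(file1_acl):
    """Which of the sample principals can open ROOT_TREE/file1 for writing."""
    fs = tree(file1_acl)
    return {name: can_access(fs, user, groups, "ROOT_TREE/file1", "w")
            for name, (user, groups) in PRINCIPALS.items()}


if __name__ == "__main__":
    for label, acl in (("as listed", FILE1_AS_LISTED), ("chmod 755", FILE1_CHMOD_755), ("with ACL", FILE1_WITH_ACL)):
        print(f"{label:10}", who_can_write_file1(acl))
```

The first call shows the unwanted situation (group2 writes file1 through the other field), the second shows that chmod 755 also shuts user3 out, and the third shows that only the ACL on file1 itself gives the intended split: user3 writes, group2 reads, group1 reads, and anyone else is stopped at ROOT_TREE by the missing traversal right.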
Attention

Do not apply setfacl recursively (option -R) to the full path of your $HOME: the ACL would then be set not only on $HOME itself but on every directory and file it contains. Without -R, setfacl acts only on the path named, so set the ACL on $HOME itself and on nothing else. Avoid this type of command:

$ setfacl -R --set=u::rwx,u:user2:rwx,g::r-x,o::---,m::rwx /full/path/to/home
attention

Setting an ACL on your $HOME directory that gives another person write rights makes the SSH key authentication mechanism inoperative (an SSH connection will then ask for the password): the mask becomes rwx, which shows up as a group write bit in the Unix rights, and sshd refuses a home directory that is writable by anyone other than its owner. For SSH keys to work, you must check that the Unix rights on $HOME are at most the following (no write right except for the owner):

$ ls -ld ~
drwxr-xr-x+ 9 user1 group1 4096 Apr 13 09:42 /full/path/to/home

If necessary, the procedure consists of first setting the ACL, then reducing the Unix rights on your $HOME with the chmod 750 ~ command, which removes the write right for everyone but the owner. Since chmod on the group field acts on the ACL mask, the effective rights of user2 on $HOME drop to r-x: enough to traverse $HOME and reach the subdirectories you share, but not to write in $HOME itself.

$ cd $HOME
$ setfacl --set=u::rwx,u:user2:rwx,g::r-x,o::---,m::rwx .
$ chmod 750 ~

Dependencies between ACL and Unix rights (for advanced users)

Classic Unix rights and ACL rights are interdependent. The setfacl command modifies the ACLs but also the Unix rights. However, the Unix chmod command modifies only certain fields of the ACLs.

To understand this interdependence, we need to detail how the ACL mask (field mask::...) works: the effective rights of the entries user:userX:..., group::... and group:groupX:... are restricted by the rights present in the mask (bitwise AND), whereas user::... and other::... are not affected by it.

Action of ACLs on Unix rights

For example, if you set ACLs on the current directory (the one you are in) as indicated below:

$ setfacl --set=u::rwx,u:user3:rwx,g::rwx,g:group2:rwx,o::---,m::r-x .

$ ls -ld .
drwxr-x---+ 0 user1 group1 4096 2014-03-30 16:28 .

$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx          # independent of the ACL mask
user:user3:rwx     # but effective rights r-x because of the ACL mask
group::rwx         # but effective rights r-x because of the ACL mask
group:group2:rwx   # but effective rights r-x because of the ACL mask
mask::r-x          # ACL mask
other::---         # independent of the ACL mask

(The comments are ours; getfacl itself flags the entries reduced by the mask with an #effective:r-x annotation at the end of the line.)

Remarks concerning the ACL rights:

  • The user user3, the members of the owner group group1 and those of the group group2 have r-x as effective rights and not the rwx requested, because of the requested ACL mask m::r-x. The entries themselves keep the rwx that was asked for (getfacl displays them unchanged); at each access, the kernel computes the effective rights as a bitwise AND of the entry (u:user3:rwx, g::rwx, g:group2:rwx) and the mask (m::r-x).
  • The ACL mask does not apply to the rights user::rwx of the owner nor to the rights other::--- of the users who are not concerned by the user:user3:rwx, group::rwx and group:group2:rwx fields. For them, the ACL rights requested via setfacl apply as they are (u::rwx and o::---).

Remarks concerning the Unix rights:

  • The owner user1 of the directory has the rights rwx which corresponds to the ACL field user::rwx.
  • The owner group group1 has the rights r-x which corresponds to the ACL mask mask::r-x which defines the maximum rights of the users concerned by the user:user3:rwx, group::rwx or group:group2:rwx fields.
  • Users not belonging to the previous categories have no rights --- which corresponds to the ACL field other::---.

Action of Unix rights on ACLs

Conversely, to better understand the action of the chmod command on the current directory (the one you are in) whose access is supposed to be controlled by ACL, we start from the following situation:

$ setfacl --set=u::r-x,u:user3:rwx,g::---,g:group2:r-x,o::---,m::--- .

$ ls -ld .
dr-x------+ 15 user1 group1 4096 2014-03-30 16:28 .

$ getfacl .
# file: .
# owner: user1
# group: group1
user::r-x          # independent of the ACL mask
user:user3:rwx     # but effective rights --- because of the ACL mask
group::---         # effective rights --- because requested via setfacl (g::---)
group:group2:r-x   # but effective rights --- because of the ACL mask
mask::---          # empty ACL mask
other::---         # independent of the ACL mask

Remarks:

  • You will notice that the effective rights are empty (because the ACL mask is empty): the user user3 and the group group2 therefore have no rights on the directory despite the requested ACL fields u:user3:rwx and g:group2:r-x.
  • The Unix rights indicated by the ls -ld . command show that only the owner can access the directory.

Then, we note that the Unix chmod command modifies the ACLs according to the options used:

  • chmod u+... modifies the user::... field of the ACL (here chmod u+w):

    $ chmod u+w .

    $ ls -ld .
    drwx------+ 15 user1 group1 4096 2014-03-30 16:28 .

    $ getfacl .
    # file: .
    # owner: user1
    # group: group1
    user::rwx          # independent of the ACL mask but modified by chmod u+...
    user:user3:rwx     # but effective rights --- because of the ACL mask
    group::---         # effective rights --- because requested initially via setfacl (g::---)
    group:group2:r-x   # but effective rights --- because of the ACL mask
    mask::---          # empty ACL mask
    other::---
  • chmod g+... modifies the ACL mask (mask::...) but not the ACL field group::.... As the mask bounds the effective rights of the group::..., group:group2:r-x and user:user3:rwx entries, the user user3 and the group group2 regain the rights initially requested in the setfacl command (fields u:user3:rwx and g:group2:r-x):

    $ chmod g+rwx .

    $ ls -ld .
    drwxrwx---+ 15 user1 group1 4096 2014-03-30 16:28 .

    $ getfacl .
    # file: .
    # owner: user1
    # group: group1
    user::rwx
    user:user3:rwx     # and effective rights rwx because of the modified ACL mask
    group::---         # not modified by chmod g+... !
    group:group2:r-x   # and effective rights r-x because of the modified ACL mask
    mask::rwx          # ACL mask modified by chmod g+...
    other::---
    note

    The rights concerning the group::... field of the ACLs can only be modified by the setfacl command:

    $ setfacl -m g::r-x .

    $ ls -ld .
    drwxrwx---+ 15 user1 group1 4096 2014-03-30 16:29 .

    $ getfacl .
    # file: .
    # owner: user1
    # group: group1
    user::rwx
    user:user3:rwx
    group::r-x         # can only be modified by setfacl!
    group:group2:r-x
    mask::rwx
    other::---
  • The chmod o+rx command modifies the other::... field of the ACLs:

    $ chmod o+rx .

    $ ls -ld .
    drwxrwxr-x+ 15 user1 group1 4096 2014-03-30 16:29 .

    $ getfacl .
    # file: .
    # owner: user1
    # group: group1
    user::rwx
    user:user3:rwx
    group::r-x
    group:group2:r-x
    mask::rwx
    other::r-x # modified by o+...
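The mapping just shown (chmod u acts on user::, chmod g on the mask whenever a mask entry exists, chmod o on other::, and group:: reachable only through setfacl) is what makes the $HOME recipe earlier on this page work. The following model is an added example, not code from the original page: it replays the sequence above step by step, rebuilds the nine permission characters that ls -l prints (owner bits from user::, group bits from the mask when there is one), and then applies chmod 750 to the $HOME ACL to show what user2 is left with. The replacement of the group:: entry is done by direct assignment as a stand-in for setfacl -m g::r-x; the behaviour of setfacl itself is not modelled.

```python
"""Replay of the chmod / setfacl interplay described above on a model ACL.
Added illustration, not code from the original page."""

PERM_ORDER = "rwx"


def parse_acl(text):
    """'u::rwx,u:user3:rwx,g::---,...' -> {'u::': 'rwx', 'u:user3:': 'rwx', ...}"""
    acl = {}
    for field in text.split(","):
        tag, qualifier, perms = field.split(":")
        acl[f"{tag}:{qualifier}:"] = perms
    return acl


def _fmt(bits):
    """Set of letters -> 'rwx'-ordered string with '-' for absent bits."""
    return "".join(b if b in bits else "-" for b in PERM_ORDER)


def effective(acl, key):
    """Rights really granted by an entry: owner and other ignore the mask; the
    owning group, named users and named groups are ANDed with it."""
    if key in ("u::", "o::") or "m::" not in acl:
        return acl[key]
    return _fmt(set(acl[key]) & set(acl["m::"]))


def mode_string(acl):
    """The nine permission characters 'ls -l' prints: user::, then the mask
    (or group:: when there is no mask entry), then other::."""
    return acl["u::"] + acl.get("m::", acl["g::"]) + acl["o::"]


def chmod(acl, spec):
    """Symbolic ('u+w', 'g-w', 'o=rx') or numeric ('750') chmod on the model.
    The 'g' letter/digit targets the mask when the ACL has one, so group:: is
    never changed by chmod on an object that carries an extended ACL."""
    targets = {"u": "u::", "g": "m::" if "m::" in acl else "g::", "o": "o::"}
    acl = dict(acl)
    if spec.isdigit():
        for who, digit in zip("ugo", spec):
            d = int(digit)
            acl[targets[who]] = _fmt({b for b, v in zip(PERM_ORDER, (4, 2, 1)) if d & v})
        return acl
    who, op, bits = spec[0], spec[1], set(spec[2:])
    current = set(acl[targets[who]]) - {"-"}
    new = {"+": current | bits, "-": current - bits, "=": bits}[op]
    acl[targets[who]] = _fmt(new)
    return acl


def replay_directory_sequence():
    """The steps of the section above; returns (step, ls bits, effective rights
    of user3, effective rights of group2) after each one."""
    acl = parse_acl("u::r-x,u:user3:rwx,g::---,g:group2:r-x,o::---,m::---")
    states = [("setfacl --set", acl)]
    acl = chmod(acl, "u+w")
    states.append(("chmod u+w", acl))
    acl = chmod(acl, "g+rwx")
    states.append(("chmod g+rwx", acl))
    acl = {**acl, "g::": "r-x"}  # stand-in for 'setfacl -m g::r-x': only setfacl reaches group::
    states.append(("setfacl -m g::r-x", acl))
    acl = chmod(acl, "o+rx")
    states.append(("chmod o+rx", acl))
    return [(name, mode_string(a), effective(a, "u:user3:"), effective(a, "g:group2:"))
            for name, a in states]


def home_after_chmod_750():
    """The $HOME recipe: grant user2 rwx by ACL, then 'chmod 750 ~'. The chmod
    lowers the mask to r-x, so no group write bit is visible to sshd and user2
    keeps just enough (r-x) to traverse the directory."""
    acl = chmod(parse_acl("u::rwx,u:user2:rwx,g::r-x,o::---,m::rwx"), "750")
    return mode_string(acl), acl["u:user2:"], effective(acl, "u:user2:")


if __name__ == "__main__":
    for step, bits, user3, group2 in replay_directory_sequence():
        print(f"{step:20} ls: d{bits}+   user3 effective: {user3}   group2 effective: {group2}")
    print("HOME after chmod 750:", home_after_chmod_750())
```

Reading the replay against the getfacl listings above: the ls bits go from dr-x------ to drwx------, drwxrwx--- and drwxrwxr-x, user3 and group2 only become effective at the chmod g+rwx step, and the setfacl -m g::r-x step changes nothing visible in ls because the group field shows the mask, not group::. The last line is the reason chmod 750 ~ is safe after granting a user rwx on $HOME.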
