This page was translated by an AI (LLM) with a cursory human check and is awaiting full review.
Managing file access rights
Unix rights
Unix rights allow you to give different access rights in reading, writing and/or execution to the following categories:
- to the file owner (
user), - to users belonging to the same Unix group as the file owner (
group), - to all other users (
other).
Simply use the chmod command to modify Unix rights (for more information, see man chmod).
Most of the time, Unix rights will be sufficient. If you need to control access to your data more finely, for example to open access to a directory to only one other user (regardless of their Unix group), you will need to use anACL (Access Control List).
Access Control List (ACL)
It is possible to create an Access Control List (ACL) on a directory or file to open access in reading, writing and/or execution to any other user or group.
Conversely, an ACL can also be used to impose access restrictions on certain files or directories using masks specifying "maximum rights" that can be assigned (see section Dependencies between ACL and Unix rights (for advanced users)).
Viewing ACLs
The getfacl command (for more information, see man getfacl)
gives a detailed display of the ACLs set on a given file or
directory:
getfacl <file|directory>
- Default ACL set on a file
- Default ACL set on a directory
$ getfacl myfile
# file: myfile
# owner: user1
# group: group1
user::rw-
group::r--
other::---
$ getfacl mydirectory
# file: mydirectory
# owner: user1
# group: group1
user::rwx
group::r-x
other::---
The rights rwx have the same meanings as the classic Unix rights rwx.
The goal is to open access to a file or directory beyond the current owner and owner group by enriching the associated ACLs. We explain how to do this in the Managing ACLs section.
- Example of enriched ACL set on a file
- Example of enriched ACL set on a directory
$ getfacl myfile
# file: myfile
# owner: user1
# group: group1
user::rw-
user:user2:rw-
user:user3:r--
user:user4:r--
group::r--
group:group2:r--
group:group3:r--
mask::rw-
other::r--
$ getfacl mydirectory
# file: mydirectory
# owner: user1
# group: group1
user::rwx
user:user2:r-x
user:user3:r-x
user:user4:r-x
group::r-x
group:group2:rwx
group:group3:r-x
mask::rwx
other::r-x
The -l option of the ls command allows you to display the classic Unix rights but also to see if ACLs are set. In this case, a
sign + appears just after the Unix rights.
$ ls -ld repertoire_avec_acl repertoire_sans_acl
drwxr-x---+ 2 user1 group1 8192 2014-03-29 11:00 repertoire_avec_acl
drwxr-x--- 2 user1 group1 8192 2014-03-29 11:00 repertoire_sans_acl
$ ls -l fichier_avec_acl fichier_sans_acl
-rwx------+ 2 user1 group1 8192 2014-03-29 11:00 fichier_avec_acl
-rwx------ 2 user1 group1 8192 2014-03-29 11:00 fichier_sans_acl
Managing ACLs
If you wish to give access rights to a specific user and/or group, you can define an ACL (Access Control List)
via the setfacl command on the desired file or directory.
A presentation of this command is provided below. For more details, you can type the command man setfacl.
The general syntax is as follows:
setfacl <ACL_options> <file|directory>
where <ACL_options> can have one of the following forms:
-
to create or replace an existing ACL:
--set=<arguments> -
to modify an existing ACL:
-m <arguments> -
to delete an existing ACL:
-b
The list of possible <arguments> fields is as follows:
u(as user) WITHOUT mention of the user corresponds to the rights given to the owner of the file or directory:u::[r|-][w|-][x|-];noteFor a directory (or an executable), we advise you to set
u::rwxand for a fileu::rw-.dangerWithout these rights, the owner can no longer access the file or directory. They will then be blocked by the ACLs even if the Unix rights are well set.
g(as group) WITHOUT mention of group corresponds to the rights given to the owner group of the file:g::[r|-][w|-][x|-];o(as other) WITHOUT any mention corresponds to the rights given to users who are not mentioned in theuandgfields:o::[r|-][w|-][x|-];u(as user) WITH mention of the user corresponds to the rights given to a particular user (hereuserX) :u:userX:[r|-][w|-][x|-];g(as group) WITH mention of the group corresponds to the rights assigned to all users of the specified Unix group (heregroupX) :g:groupX:[r|-][w|-][x|-];m(as mask) defines the maximum (or effective) rights of the users concerned by theu:userX:...and/org:groupX:...fields.importantIt is advisable to:
- fill in this field yourself each time you modify an ACL to avoid a default value being defined that is not consistent with your needs;
- give the mask the highest rights (
m::rwx) to not restrict the rights given to a user and/or a group.
warningIf the mask field is empty (
m::---), the access rights opened thanks to theufields with mention of the user orgfields with mention of the group are inoperative. See the Dependencies between ACL and Unix rights (for advanced users) section for more details.
To set a new ACL with the setfacl --set=<argument> command, the first three fields u without mention of the user, g without mention of the group and o are mandatory.
For example, the following command gives all rights to the owner (u::rwx) on the directory mon_repertoire, allows members of the owner group to consult the contents of the directory in read-only mode (g::r-x), and closes access to other users (o::---) :
setfacl --set=u::rwx,g::r-x,o::--- mon_repertoire
Access to subdirectories and files contained in mon_repertoire remains controlled by Unix rights. See the Tips on using ACLs section for more details on this.
When you set ACL rights on a directory (for example $WORK/sub_dir/shared_dir/) or a file (for example $WORK/sub_dir/shared_file.h5), you must also set the ACL rights allowing you to traverse each of the directories that make up the access path to this directory or file (for this example $WORK/ and sub_dir/). Without this, access will be denied.
Using the setfacl command with these three fields only gives the same permissions as the chmod command and is therefore of little interest. To broaden access rights, you need to add the u fields with mention of the user, g fields with mention of the group and/or the m field.
Adding a user
For example, if user1 wants to give read and write access rights to the user user2 on their directory DIR_user1, they must use the following setfacl command:
[user1@hostname:~]$ cd $DIR_user1
[user1@hostname:~]$ setfacl --set=u::rwx,u:user2:rwx,g::r-x,o::---,m::rwx .
They can then check the ACLs set with the
getfacl command:
[user1@hostname:~]$ cd $DIR_user1
[user1@hostname:~]$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::---
Reading the output:
- with the
u::rwxfield, the owneruser1has the rightsrwxon their directoryDIR_user1; - with the
g::r-xfield, users belonging to the owner group (group1) have the rightsr-x: they can therefore traverse the directory and read its contents but not write to it; - with the
o::---field, no other user has any rights on this directory; - with the
u:user2:rwxfield,user1adds the rightsrwxonly for the useruser2: they can therefore read and write in the directoryDIR_user1; - with the
m::rwxfield: the maximum rights allowed for users outside the owner group arerwx.
Adding a group
For example, if user1 wants to give specific access rights to
the group group3 on their directory DIR_user1, they must use the
following setfacl command:
[user1@hostname:~]$ cd $DIR_user1
[user1@hostname:~]$ setfacl --set=u::rwx,g::r-x,g:group3:r-x,o::---,m::rwx .
They can then check the ACLs set with the
getfacl command:
[user1@hostname:~]$ cd $DIR_user1
[user1@hostname:~]$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group3:r-x
mask::rwx
other::---
Reading the output:
- with the
u::rwxfield, the owneruser1has the rightsrwxon their directoryDIR_user1; - with the
g::r-xfield, users belonging to the owner group (group1) have the rights'' r-x'' : they can therefore traverse the directory and read its contents but not write to it; - with the
o::---field, no other user has any rights on this directory; - with the
g:group3:r-xfield,user1adds the rightsr-xfor users belonging to the groupgroup3: they can therefore traverse the directory and see its contents but not write to it; - with the
m::rwxfield: the maximum rights allowed for users outside the owner group arerwx.
Updating an ACL
To modify the ACLs, you can use the setfacl command with
either:
- the
--set=...option: the existing ACLs are then overwritten. In this case, you must always specify at least theu::rwx,g::...,o::---fields and the maskm::rwxto be sure that the ACL rights set for the specified user(s) and/or group(s) will be really effective. - the
-m ...option: the existing ACLs are then modified.
For example, first set ACLs on the directory MY_DIR for the Unix group group3 via the option --set=
$ cd MY_DIR
$ setfacl --set=u::rwx,g::r-x,g:group3:r-x,o::---,m::rwx .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group3:r-x
mask::rwx
other::---
Then modify the ACLs by replacing the Unix group group3 with group4 via the option --set=
$ cd MY_DIR
$ setfacl --set=u::rwx,g::r-x,g:group4:r-x,o::---,m::rwx .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group4:r-x
mask::rwx
other::---
Finally, modify the ACLs by adding a second group group2 but via the option -m which avoids having to specify everything:
$ cd MY_DIR
$ setfacl -m g:group2:r-x .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group2:r-x
group:group4:r-x
mask::rwx
other::---
Deleting an ACL
To delete the ACLs, you can use the setfacl command with
the -b option. For example:
$ cd MY_DIR
$ ls -ld .
drwxr-x---+ 2 user1 group1 8192 2014-03-29 11:00 .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
group:group3:r-x
mask::rwx
other::---
$ setfacl -b .
$ ls -ld .
drwxr-x--- 2 user1 group1 8192 2014-03-29 11:00 .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
group::r-x
other::---
Tips on using ACLs
We advise you to place an ACL only on the root directory of the directory tree to be shared to filter access, and then set the Unix rights on the files and subdirectories it contains using the chmod command.
For example, if the account user1 wishes to share a directory tree contained in ROOT_TREE with the account user3 and the Unix group group2:
[user1@hostname:~]$ cd ROOT_TREE
[user1@hostname:~]$ setfacl --set=u::rwx,u:user3:rwx,g::r-x,g:group2:r-x,o::---,m::rwx .
[user1@hostname:~]$ ls -l .
drwxrwx---+ 0 user1 group1 4096 2014-03-30 11:46 .
-rwxr-xrwx 0 user1 group1 1001 2014-03-30 11:46 file1
drwxrwxrwx 0 user1 group1 4096 2014-03-30 11:46 SUB_DIR
[user1@hostname:~]$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx
user:user3:rwx
group::r-x
group:group2:r-x
mask::rwx
other::---
If we analyse these access rights, we see that:
ACL rights on ROOT_TREE | Unix rights on file1 | Unix rights on SUB_DIR | |
|---|---|---|---|
user3 | rwx(line user:user3: of the output of getfacl) | rwx(field other of the output of ls for file1) | rwx(field other of the output of ls for SUB_DIR) |
group1 | r-x(line group:: of the output of getfacl) | r-x(field group of the output of ls for file1) | rwx(field group of the output of ls for SUB_DIR) |
group2 | r-x(line group:group2: of the output of getfacl) | rwx(field other of the output of ls for file1) | rwx(field other of the output of ls for SUB_DIR) |
- The user
user3has the ACLrwxon the directoryROOT_TREEand the Unix rightsrwx(field other) on the filefile1. They can thus access the filefile1contained in theROOT_TREEofuser1in read and write mode. Note that they can also create new files and directories underROOT_TREEofuser1thanks to the ACLrwx. Moreover, they can also see and modify the contents of the subdirectories such asSUB_DIRfor which the Unix rights (field other) allow them to do so. - The owner group (
group1) has the ACLr-xonROOT_TREEand the Unix rightsr-x(field group) on the filefile1. The members of the groupgroup1can therefore traverseROOT_TREEand readfile1but not write to it (therefore not modify it). Moreover, they cannot create anything directly inROOT_TREEofuser1(ACLr-x). But they can see and modify the contents of the subdirectories such asSUB_DIRfor which the Unix rights (field group) allow them to do so. - However, the group
group2has the ACLr-xonROOT_TREEand the Unix rightsrwx(field other) on the filefile1. The members of the groupgroup2can therefore traverseROOT_TREEand read or write (therefore modify or overwrite)file1, which may not be desired. But, likegroup1, they cannot create anything directly in theROOT_TREEofuser1(ACLr-x). But they can see and modify the contents of the subdirectories such asSUB_DIRfor which the Unix rights (field other) allow them to do so.
To prevent the group group2 from being able to overwrite file1, you may be tempted to remove the Unix write right in the other field with the chmod 755 file1 command. But this would then also prevent user3 from modifying the file. In this case, you must also set an ACL on file1:
$ setfacl --set=u::rwx,u:user3:rwx,g::r-x,g:group2:r-x,o::---,m::rwx file1
$ getfacl file1
# file: file1
# owner: user1
# group: group1
user::rwx
user:user3:rwx
group::r-x
group:group2:r-x
mask::rwx
other::---
Do not use the full path of your $HOME, as you would set the ACLs not only on your $HOME itself, but also on all the directories and files it contains. Therefore, avoid this type of command:
$ setfacl --set=u::rwx,u:user2:rwx,g::r-x,o::---,m::rwx /full/path/to/home
Setting an ACL on your directory $HOME involving write rights for another person makes the SSH key authentication mechanism inoperative (an SSH connection will then ask for the password).
For SSH keys to work, you must check that you have the following "maximum" Unix rights on the $HOME (no write rights except for the owner):
$ ls -ld ~
drwxr-xr-x+ 9 user1 group1 4096 Apr 13 09:42 /chemin/complet/vers/home
If necessary, the procedure consists of first activating the ACLs, then changing the Unix rights on your HOME with the chmod 750 ~ command which avoids giving write access to everyone:
$ cd $HOME
$ setfacl --set=u::rwx,u:user2:rwx,g::r-x,o::---,m::rwx .
$ chmod 750 ~
Dependencies between ACL and Unix rights (for advanced users)
Classic Unix rights and ACL rights are interdependent. The setfacl command modifies the ACLs but also the Unix rights. However, the Unix chmod command modifies only certain fields of the ACLs.
To understand this interdependence, we need to detail the functionality of the ACL mask (field mask::...). Indeed, the effective rights of the users concerned by the user:user:..., group::... and group:group:... fields can be restricted by the rights present in the mask.
Action of ACLs on Unix rights
For example, if you set ACLs on the current directory (the one you are in) as indicated below:
$ setfacl --set=u::rwx,u:user3:rwx,g::rwx,g:group2:rwx,o::---,m::r-x .
$ ls -ld .
drwxr-x---+ 0 user1 group1 4096 2014-03-30 16:28 .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::rwx # indépendant du masque ACL
user:user3:rwx # mais droits effectifs r-x en raison du masque ACL
group::rwx # mais droits effectifs r-x en raison du masque ACL
group:group2:rwx # mais droits effectifs r-x en raison du masque ACL
mask::r-x # masque ACL
other::--- # indépendant du masque ACL
Remarks concerning the ACL rights:
- The user
user3, the members of the owner groupgroup1as well as those of the groupgroup2have as effective rightsr-xand notrwxas expected due to the requested ACL maskm::r-x. Thesetfaclcommand performs a logical AND bit by bit between their respective requested ACL rightsu:user3:rwx,g::rwx,g:group2:rwxand the requested ACL maskm::r-x. - However, the ACL mask does not apply to determine the rights
user::rwxof the owner and the rightsother::---of the users who are not concerned by theuser:user3:rwx,group::rwxandgroup:group2:rwxfields. These are the ACL rights requested viasetfaclthat apply (u::rwxando::---).
Remarks concerning the Unix rights:
- The owner
user1of the directory has the rightsrwxwhich corresponds to the ACL fielduser::rwx. - The owner group
group1has the rightsr-xwhich corresponds to the ACL maskmask::r-xwhich defines the maximum rights of the users concerned by theuser:user3:rwx,group::rwxorgroup:group2:rwxfields. - Users not belonging to the previous categories have no rights
---which corresponds to the ACL fieldother::---.
Action of Unix rights on ACLs
Conversely, to better understand the action of the chmod command on the current directory (the one you are in) whose access is supposed to be controlled by ACL, we start from the following situation:
$ setfacl --set=u::r-x,u:user3:rwx,g::---,g:group2:r-x,o::---,m::--- .
$ ls -ld .
dr-x------+ 15 user1 group1 4096 2014-03-30 16:28 .
$ getfacl .
# file: .
# owner: user1
# group: group1
user::r-x # indépendant du masque ACL
user:user3:rwx # mais droits effectifs --- en raison du masque ACL
group::--- # droits effectifs --- car demandés via setfacl (g::---)
group:group2:r-x # mais droits effectifs --- en raison du masque ACL
mask::--- # masque ACL vide
other::--- # indépendant du masque ACL
Remarks:
- You will notice that the effective rights are empty (because the ACL mask is empty): the user
user3and the groupgroup2therefore have no rights on the directory despite the requested ACL fieldsu:user3:rwxandg:group2:r-x. - The Unix rights indicated by the
ls -ld .command show that only the owner can access the directory.
Then, we note that the Unix chmod command modifies the ACLs according to the options used:
-
chmod u+rwxmodifies theuser::...field of the ACL:$ chmod u+w .$ ls -ld .drwx------+ 15 user1 group1 4096 2014-03-30 16:28 .$ getfacl .# file: .# owner: user1# group: group1user::rwx # indépendant du masque ACL mais modifié par chmod u+...user:user3:rwx # mais droits effectifs --- en raison du masque ACLgroup::--- # droits effectifs --- car demandés initialement via setfacl (g::---)group:group2:r-x # mais droits effectifs --- en raison du masque ACLmask::--- # masque ACL videother::--- -
chmod g+rwxmodifies the ACL mask (mask::...) but not the ACL fieldgroup::.... But as the mask influences the effective rights of the ACL fieldsgroup::...,group:group2:rwxanduser:user3:rwxof the ACLs, the useruser3and the groupgroup2regain their respective rights initially requested in the commandsetfacl(fieldsu:user3:rwxandg:group2:r-x) :$ chmod g+rwx .$ ls -ld .drwxrwx---+ 15 user1 group1 4096 2014-03-30 16:28 .$ getfacl .# file: .# owner: user1# group: group1user::rwxuser:user3:rwx # et droits effectifs rwx en raison du masque ACL modifiégroup::--- # pas modifié par chmod g+... !group:group2:r-x # et droits effectifs r-x en raison du masque ACL modifiémask::rwx # masque ACL modifié par chmod g+...other::---noteThe rights concerning the
group::...field of the ACLs can only be modified by thesetfaclcommand:$ setfacl -m g::r-x .$ ls -ld .drwxrwx---+ 15 user1 group1 4096 2014-03-30 16:29 .$ getfacl .# file: .# owner: user1# group: group1user::rwxuser:user3:rwxgroup::r-x # modifiable uniquement par setfacl !group:group2:r-xmask::rwxother::--- -
The
chmod o+rxcommand modifies theother::...field of the ACLs:$ chmod o+rx .$ ls -ld .drwxrwxr-x+ 15 user1 group1 4096 2014-03-30 16:29 .$ getfacl .# file: .# owner: user1# group: group1user::rwxuser:user3:rwxgroup::r-xgroup:group2:r-xmask::rwxother::r-x # modified by o+...