The Linux operating system allows users to assign granular permissions to all files and directories. Ordinarily, it is sufficient to hand out read, write, and/or execute permissions to individual user accounts or groups of users by utilizing the chmod command. But it is also possible to set granular permissions on a per user basis by configuring access control lists.
Access control lists allow us to grant permissions to specific users on our files. This works differently than chmod, which can only assign permissions to the owner of the file, the user group, or all other users that are neither the owner nor in the group. Although chmod is generally the go-to method for assigning file permissions on Linux, configuring access control lists can prove to be a more viable and simple solution to implement on systems with many different users.
In this tutorial, you will see how to assign file permissions to specific users with the chmod and setfacl Linux commands. We will illustrate the difference between the two methods, which will help you make a decision on which one is best to use on your own file system. Many administrators choose to use a good mixture of both general file permissions and access control lists, ensuring that files are kept secure and that users are only granted the minimum access they need in order to complete their file viewing, editing, or executing tasks. Let’s see how below.
In this tutorial you will learn:
- How to configure file permissions for users with chmod
- How to take ownership of files with the chown command
- How to use setfacl to configure file permissions for users
- How to view access control list information with getfacl
- How to get file permission settings with the ls and stat commands
|Category||Requirements, Conventions or Software Version Used|
|System||Any Linux distro|
|Software||chmod, chown, setfacl, getfacl, ls, stat|
|Other||Privileged access to your Linux system as root or via the sudo command.|
|Conventions||# – requires given Linux commands to be executed with root privileges either directly as a root user or by use of the sudo command; $ – requires given Linux commands to be executed as a regular non-privileged user|
How to View Current Permissions of a File
Let’s start by viewing the currently configured permissions of a given file. Then, we can move on to editing the permissions and access control lists to grant the intended permissions that we need.
- One of the simplest ways to view the permissions for a file, or even a whole directory of files at the same time, is with the ls command and the -l option. Just specify the path to the file you want to view permissions for, or the directory where all your files reside.
$ ls -l example.txt
-rw-rw-r-- 1 linuxconfig linuxconfig 0 Oct 12 12:15 example.txt
The output above shows permissions -rw-rw-r-- and indicates that the owner and group for the file are both linuxconfig. This user and group have read and write permissions, but no execute permissions. Meanwhile, all other users (those that are neither the owner nor in the group) have only read permissions.
- The stat command is another way to view permissions for a file. This is useful for viewing the permissions in both absolute mode and symbolic mode, which may help some users make more sense of the permissions for a file.
$ stat example.txt
  File: example.txt
  Size: 0          Blocks: 0          IO Block: 4096   regular empty file
Device: 803h/2051d   Inode: 921746   Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/linuxconfig)   Gid: ( 1000/linuxconfig)
Just like the output for ls, we are shown the owner, group, and permissions for the file.
- In addition to basic file permissions, Linux also features access control lists. These work independently of the file permissions shown above. Most files ordinarily only have file permissions configured, rather than access control list settings. You can determine whether a file has an access control list configured by examining the output of ls -l:
$ ls -l example.txt
-rw-rwxr--+ 1 linuxconfig linuxconfig 0 Oct 10 12:24 example.txt
Note the + symbol in the permissions listed: -rw-rwxr--+. The plus sign indicates that, in addition to the traditional file permissions, an access control list is also applied to the file.
- Now that we know our example.txt has access control list settings applied to it, let’s view these permissions with the getfacl command:
$ getfacl example.txt
user:linuxconfig:rwx
We have included the most relevant output in the snippet above. This particular line indicates that our user linuxconfig has read, write, and execute permissions on the file.
Notice that in the output above, the owner linuxconfig of the file example.txt is not shown to have execute permissions when viewing the ordinary file permissions with the ls -l command. However, upon viewing the access control list with the getfacl command, we learn that user linuxconfig has explicitly been given full permissions (read, write, and execute) on the file. These settings will then override those given or restricted by the regular file permissions, if they had been set previous to the
Assign File Permissions With chmod and setfacl
Now that we know how to view file permissions and access control lists for our files, let’s see how we can modify the file permissions and access control lists in order to grant permissions to specific users.
In the majority of situations, using a combination of chown and chmod will yield the results you need for granting file permissions for a user or group of users. Access control lists with setfacl are only necessary to override some functionality with basic file permissions and grant abilities to specific users irrespective of their permissions granted with chmod.
- Broad file permissions can be set with the chown and chmod commands, so let’s start with them. The access control list can be configured afterwards, to grant specific users additional permissions. Start by giving your file an owner and group owner with chown:
$ sudo chown user:group file.txt
This is the general syntax for the chown command. Replace user with the intended owner of the file, and group with the user group that should have permissions on the file.
- Now that we have configured an owner and group for our file, let’s assign permissions for the owner, group, and other users by executing the chmod command. As an example, we will grant read, write, and execute permissions to the owner; read and write permissions to the group; and just read permissions for all other users. This boils down to 764 permissions in absolute mode, or rwxrw-r-- in symbolic mode:
$ chmod 764 file.txt
Our file permissions are now assigned. By using a combination of chown and chmod commands, we were able to assign the desired permissions which will affect the owner, all users within the group, and all other users on the system.
- Now let’s picture a tricky scenario in which you have another user (we will call the account otheruser) on the system that needs to have full permissions of the file. Let’s say that this other user is not the owner of the file, and they are also not in the group which has permissions on the file. In that case, the other user currently only has read permissions. We can bypass these permissions and give the other user read, write, and execute abilities by setting up an access control list for the file.
$ setfacl -m u:otheruser:rwx file.txt
In the command above, we passed the -m option (short for --modify) which allows us to change the ACLs of a file, then the permission descriptions u:otheruser:rwx. We have three sections divided by colons: in the first one, the u stands for user, specifying that we want to set the ACLs for a specific user. It could have been a g for group, or an o for others. In the second section we have the name of the user whom we want to set the permissions for, and in the third, the permissions to assign.
- We can now view the access control list with the getfacl command and see that otheruser indeed has read, write, and execute permissions on the file, despite not having these abilities through the traditional file permissions we previously configured by using chmod:
$ getfacl file.txt
user:otheruser:rwx
- For further confirmation, we can view the output of ls -l:
$ ls -l file.txt
-rwxrwxr--+ 1 linuxconfig mygroup 0 Oct 10 12:52 file.txt
Indeed, from this output, user otheruser should only have read permissions. However, as mentioned before, the + plus sign indicates the presence of ACL settings, which can override the other file permissions. Upon viewing the output of getfacl, we can be sure that otheruser has specific file permissions not granted by the chmod command.
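The ls -l output above shows rwx in the group slot even though chmod 764 set rw- for the group. The following added example (not code from the original tutorial) evaluates a getfacl listing in the order POSIX ACL entries are checked and shows where that middle triplet comes from. The listing is a constructed sample, and the function names parse_getfacl, allowed and ls_mode are illustrative.

```python
# Added example (constructed data): file.txt after chmod 764 + setfacl -m u:otheruser:rwx
SAMPLE = """\
# file: file.txt
# owner: linuxconfig
# group: mygroup
user::rwx
user:otheruser:rwx
group::rw-
mask::rwx
other::r--
"""

def parse_getfacl(text):
    """Return (owner, group, acl); acl maps (tag, qualifier) -> set of 'rwx' chars."""
    meta, acl = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        elif line and not line.startswith("default:"):
            # getfacl may append "#effective:r--" after a masked entry; drop it.
            tag, qualifier, perms = line.split("#")[0].strip().split(":")
            acl[(tag, qualifier)] = set(perms) - {"-"}
    return meta["owner"], meta["group"], acl

def allowed(text, user, groups, want):
    """True if `user`, a member of the set `groups`, gets every permission in `want`."""
    owner, group, acl = parse_getfacl(text)
    want = set(want)
    mask = acl.get(("mask", ""), set("rwx"))  # no mask entry: nothing is masked
    if user == owner:                          # 1. owner entry, never masked
        return want <= acl[("user", "")]
    if ("user", user) in acl:                  # 2. named user entry, capped by mask
        return want <= acl[("user", user)] & mask
    # 3. owning group and named groups: one matching entry must grant everything
    hits = [p for (tag, q), p in acl.items()
            if tag == "group" and (q or group) in groups]
    if hits:
        return any(want <= p & mask for p in hits)
    return want <= acl[("other", "")]          # 4. everyone else

def ls_mode(text):
    """Mode string `ls -l` would show; the group slot holds the mask if present."""
    _, _, acl = parse_getfacl(text)
    middle = acl.get(("mask", ""), acl[("group", "")])
    triplets = (acl[("user", "")], middle, acl[("other", "")])
    bits = "".join(c if c in p else "-" for p in triplets for c in "rwx")
    return "-" + bits + ("+" if ("mask", "") in acl else "")
```

On a file with an ACL, chmod on the group bits rewrites the mask entry, so a later chmod g-wx file.txt (mask::r--) silently reduces otheruser to read-only even though the user:otheruser:rwx entry is still listed.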
In this tutorial, we saw how to assign file permissions to specific users by using the chmod and setfacl commands on a Linux system. Although traditional file permissions that are assigned through chmod will usually suffice for the vast majority of situations, configuring an access control list allows for more flexibility when we need to assign specific permissions to individual users. This proves much simpler and more straightforward on systems that have many different users and lots of files that they need permissions on.