Assigning File Permissions to Specific Users with chmod and setfacl

The Linux operating system allows users to assign granular permissions to all files and directories. Ordinarily, it is sufficient to hand out read, write, and/or execute permissions to individual user accounts or groups of users by utilizing the chmod command. But it is also possible to set granular permissions on a per-user basis by configuring access control lists.

Access control lists allow us to grant permissions to specific users on our files. This works differently than chmod, which can only assign permissions to the owner of the file, the user group, or all other users that are neither the owner nor in the group. Although chmod is generally the go-to method for assigning file permissions on Linux, configuring access control lists can prove to be a more viable and simple solution to implement on systems with many different users.

In this tutorial, you will see how to assign file permissions to specific users with the chmod and setfacl Linux commands. We will illustrate the difference between the two methods, which will help you make a decision on which one is best to use on your own file system. Many administrators choose to use a good mixture of both general file permissions and access control lists, ensuring that files are kept secure and that users are only granted the minimum access they need in order to complete their file viewing, editing, or executing tasks. Let’s see how below.

In this tutorial you will learn:

  • How to configure file permissions for users with chmod
  • How to take ownership of files with the chown command
  • How to use setfacl to configure file permissions for users
  • How to view access control list information with the getfacl command
  • How to get file permission settings with the ls and stat commands
Software Requirements and Linux Command Line Conventions

Category     Requirements, Conventions or Software Version Used
System       Any Linux distro
Software     chmod, chown, setfacl, getfacl, ls, stat
Other        Privileged access to your Linux system as root or via the sudo command.
Conventions  # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
             $ – requires given linux commands to be executed as a regular non-privileged user

How to View Current Permissions of a File




Let’s start by viewing the currently configured permissions of a given file. Then, we can move on to editing the permissions and access control lists to grant the intended permissions that we need.

  1. One of the simplest ways to view the permissions for a file, or even a whole directory of files at the same time, is with the ls command and the -l option. Just specify the path to the file you want to view permissions for, or the directory where all your files reside.
    $ ls -l example.txt
    -rw-rw-r-- 1 linuxconfig linuxconfig 0 Oct  12 12:15 example.txt
    

    The output above shows permissions -rw-rw-r-- and indicates that the owner and group for the file is linuxconfig. This user and group have rw- permissions, meaning read and write permissions, but no execute permissions. Meanwhile, all other users (those that are neither the owner nor in the group) have r-- or read permissions only.

  2. The stat command is another way to view permissions for a file. This is useful for viewing the permissions in both absolute mode and symbolic mode, which may help some users make more sense of the permissions for a file.
    $ stat example.txt 
      File: example.txt
      Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
    Device: 803h/2051d	Inode: 921746      Links: 1
    Access: (0664/-rw-rw-r--)  Uid: ( 1000/linuxconfig)   Gid: ( 1000/linuxconfig)
    

    Just like the output for ls, we are shown the owner, group, and permissions for the file.

    Viewing the file permissions with the ls and stat Linux commands



  3. In addition to basic file permissions, Linux also features access control lists. These work independently of the file permissions shown above. Most files ordinarily only have file permissions configured, rather than access control list settings. You can determine whether a file has an access control list configured by examining the output of ls -l:
    $ ls -l example.txt 
    -rw-rwxr--+ 1 linuxconfig linuxconfig 0 Oct 10 12:24 example.txt
    

    Notice the + symbol in the permissions listed: -rw-rwxr--+. The plus sign indicates that, in addition to the traditional file permissions, an access control list is also applied to the file.

  4. Now that we know our example.txt has access control list settings applied to it, let’s view these permissions with the getfacl command.
    $ getfacl example.txt
    user:linuxconfig:rwx
    

    We have included the most relevant output in the snippet above. This particular line indicates that our user linuxconfig has read, write, and execute permissions on the file.

    Viewing access control list settings with the getfacl command on Linux

    Notice that in the screenshot above, the owner linuxconfig of the file example.txt is not shown to have execute permissions when viewing the ordinary file permissions with the ls -l command. However, upon viewing the access control list with the getfacl command, we learn that user linuxconfig has explicitly been given full permissions (read, write, and execute) on the file. These settings will then override those given or restricted by the regular file permissions, if they had been set before the setfacl command.

Assign File Permissions With chmod and setfacl

Now that we know how to view file permissions and access control lists for our files, let’s see how we can modify the file permissions and access control lists in order to grant permissions to specific users.

NOTE
In the majority of situations, using a combination of chown and chmod will yield the results you need for granting file permissions for a user or group of users. Access control lists with setfacl are only necessary to override some functionality with basic file permissions and grant abilities to specific users irrespective of their permissions granted with chmod.


  1. Broad file permissions can be set with the chown and chmod commands, so let’s start with them. The access control list can be configured afterwards, to grant specific users additional permissions. Start by giving your file an owner and group owner with chown:
    $ sudo chown user:group file.txt
    

    This is the general syntax for the chown command. Replace user with the intended owner of the file, and group with the user group that should have permissions on the file.

  2. Now that we have configured an owner and group for our file, let’s assign permissions for the owner, group, and other users by executing the chmod command. For an example, we will grant read, write, and execute permissions to the owner; read and write permissions to the group; and just read permissions for all other users. This boils down to 764 permissions in absolute mode, or rwxrw-r-- in symbolic mode:
    $ chmod 764 file.txt
    

    In the screenshot below, we can see that our file permissions are now assigned. By using a combination of chown and chmod commands, we were able to assign the desired permissions which will affect the owner, all users within the group, and all other users on the system.

    Assigning file permissions with chown and chmod, then viewing them with stat and ls
  3. Now let’s picture a tricky scenario in which you have another user (we will call the account otheruser) on the system that needs to have full permissions of the file. Let’s say that this other user is not the owner of the file, and they are also not in the group which has permissions on the file. In that case, the other user currently only has read permissions. We can bypass these permissions and give the other user read, write, and execute abilities by setting up an access control list for the file.
    $ setfacl -m u:otheruser:rwx file.txt
    

    In the command above, we passed the -m option (short for --modify) which allows us to change the ACLs of a file, then the permission descriptions u:otheruser:rwx. We have three sections divided by colons: in the first one, the u stands for user, specifying that we want to set the ACLs for a specific user. It could have been a g for group, or an o for others. In the second section we have the name of the user whom we want to set the permissions for, and in the third, the permissions to assign.

  4. We can now view the access control list with the getfacl command and see that otheruser indeed has read, write, and execute permissions on the file, despite not having these abilities through the traditional file permissions we previously configured by using chown and chmod.
    $ getfacl file.txt
    user:otheruser:rwx
    
    Viewing the access control list settings for the file, confirming otheruser to have full permissions
  5. For further confirmation, we can view the output of ls -l:
    $ ls -l file.txt 
    -rwxrwxr--+ 1 linuxconfig mygroup 0 Oct 10 12:52 file.txt
    

    Indeed, from this output, user otheruser should only have read permissions. However, as mentioned before, the + sign indicates the presence of ACL settings, which can override the other file permissions. Upon viewing the output of getfacl, we can be sure that otheruser has specific file permissions not granted by the chmod command.
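
Added example, not part of the original tutorial: a shell helper that works out the access decision for file.txt from getfacl text, showing that a named-user entry such as user:otheruser:rwx is limited by the ACL mask, which is what ls -l displays in the group position once the + appears. The getfacl text is a constructed sample, acl_check is a hypothetical helper name, and the later chmod 744 is an assumed follow-up step.

```sh
# Constructed sample (not captured output): getfacl text for file.txt after
# chown linuxconfig:mygroup, chmod 764 and setfacl -m u:otheruser:rwx.
SAMPLE_ACL='# file: file.txt
# owner: linuxconfig
# group: mygroup
user::rwx
user:otheruser:rwx
group::rw-
mask::rwx
other::r--'
# Assumed follow-up: chmod 744. With an ACL, the mode group bits are the mask.
AFTER_CHMOD=$(printf '%s\n' "$SAMPLE_ACL" | sed 's/^mask::rwx/mask::r--/')
# acl_check USER "GROUPS" WANT: getfacl text on stdin, prints allow/deny and why.
acl_check() {
    awk -v user="$1" -v groups="$2" -v want="$3" '
    function masked(p,   i, r) {      # named and group entries are ANDed with mask
        for (i = 1; i <= 3; i++)
            r = r ((substr(p, i, 1) != "-" && substr(mask, i, 1) != "-") ? substr(p, i, 1) : "-")
        return r
    }
    function verdict(p, via,   i) {   # allow only if p holds every bit in want
        for (i = 1; i <= 3; i++)
            if (substr(want, i, 1) != "-" && substr(p, i, 1) == "-") return "deny " via
        return "allow " via
    }
    BEGIN { mask = "rwx" }            # no mask entry: nothing is masked
    /^# owner: / { owner = $3; next }
    /^# group: / { ogroup = $3; next }
    /^#/ || NF == 0 { next }
    {
        split($1, f, ":"); perms = substr(f[3], 1, 3)
        if (f[1] == "mask") mask = perms
        else if (f[1] == "other") other = perms
        else if (f[1] == "user") { if (f[2] == "") uobj = perms; else nuser[f[2]] = perms }
        else if (f[1] == "group") { if (f[2] == "") gobj = perms; else ngroup[f[2]] = perms }
    }
    END {   # first matching class decides: owner, named user, groups, other
        if (user == owner) { print verdict(uobj, "owner"); exit }
        if (user in nuser) { print verdict(masked(nuser[user]), "named-user"); exit }
        n = split(groups, g, " ")
        for (i = 1; i <= n; i++) {
            if (g[i] == ogroup) { hit = 1; if (verdict(masked(gobj), "") ~ /^allow/) ok = 1 }
            if (g[i] in ngroup) { hit = 1; if (verdict(masked(ngroup[g[i]]), "") ~ /^allow/) ok = 1 }
        }
        if (hit) { res = ok ? "allow group" : "deny group"; print res } else print verdict(other, "other")
    }'
}
printf '%s\n' "$SAMPLE_ACL"  | acl_check otheruser "" rw-
printf '%s\n' "$AFTER_CHMOD" | acl_check otheruser "" rw-
```

The two calls at the end print "allow named-user" and then "deny named-user": the ACL entry for otheruser is unchanged, but the reduced mask removes its write and execute bits. On a live system the same helper can read real output, as in getfacl file.txt | acl_check otheruser "" rw-.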



Closing Thoughts

In this tutorial, we saw how to assign file permissions to specific users by using the chmod and setfacl commands on a Linux system. Although traditional file permissions that are assigned through chown and chmod will usually suffice for the vast majority of situations, configuring an access control list allows for more flexibility when we need to assign specific permissions to individual users. This proves much simpler and more straightforward on systems that have many different users and lots of files that they need permissions on.


