Unix: Beyond owner, group, and everyone else

open lock rupert ganzer flickr / Ruprt Ganzer

The standard way of assigning file permissions on Unix systems is so tied into how people think of Unix that many of us seem to forget that this scheme was expanded many years ago to accomodate more than just file owners, groups, and everyone else. The setfacl (set file access control lists) and getfacl (get file access control list) commands were designed to allow more than the traditional limited assignment of privileges. While not disturing the customary owner-group-other permissions, you could, for example, give another account holder the same permissions as the owner or allow more than one group to have special access while not giving that access to just everyone. Everything comes at some cost, however, and to use the setfacl and getfacl commands, a file system has to be mounted with a special option that allows these commands and the underlying expansion of priviledges to be used. After all, there is overhead associated with keeping track of the extra permissions, so you have to opt in by adding an option to the file system in the /etc/fstab file -- the acl option. If you don't, anyone trying to use these commands will likely be confronted with an "operation not supported" error. You may also have to check whether your kernel provides support for this feature. To mount a file system with the acl option, you will need to use a command like this:

# mount -t ext4 -o acl /dev/hdb3 /data

In the /etc/fstab, this same operation might look like this:

/dev/hdb3    /data    ext4  defaults,acl     0    1

Indications that the extended permissions are in use are rather subtle. You'll just see a + sign at the end of the normal permissions field. For example:

-rw-r-----+ 1 smitten   admins 22088 Oct 26 recipe

That little + at the end of -rw-r-----+ tells you that there are more permissions than the rw-r----- permissions string is letting on. And, if you want to know more, you just have to use the getfacl command to display the complete permissions for the file. For a file with only standard permissions, you will see something like this:

$ getfacl beerlist
# file: beerlist
# owner: smitten
# group: admins

This shows us what we normally see in a long listing, but in a different format. For a file with the extended permissions, on the other hand, the getfacl command might show you any additional permissions that have been set -- like this:

$ getfacl beerlist
# file: beerlist
# owner: smitten
# group: admins

Notice that we now see another user (tsmiley) with read and write permissions and a new field -- the "mask" field that sets default permissions for the file. You can set extended permissions using the setfacl command. Here are some examples where we give a user read, write and execute or add write permission.

setfacl -m u:tsmiley:rwx /data/example
setfacl -m u:tsmiley:+w /data/example

The -m stands for modify. The "u" in u: stands for user. You can assign permissions to groups as well as to individuals. You would assign a group permissions with a "g" as in the examples shown below.

setfacl -m g:devt:rwx /data/testcase
setfacl -R -m g:devt:+x testcases/
setfacl -m d:g:admins:rwx /data/scripts

In the third line in this example, the d: before the g: makes the new settings (rwx) the default for this directory. When files or direcxtories are created under the /data/scripts directory, the admins group will have rwx permission to them as well. After setting a default, you can expect to see these values when you use the getfacl command in the form of an additional line that looks like this:


One of the other complexities that you are likely to run into is the idea of the effective mask setting. If the mask is more restrictive than the permissions that you grant, the mask will take precedence. In the example below, the mask is r-- and reduces the privileges given to the groups to r--.

$ getfacl /data/jumping.jar 
# file: /data/jumping.jar 
# owner: dbender
# group: users
group::rwx          #effective:r--
group:devt:rwx      #effective:r--

To remove extended permissions for a file or folder, you can use one of these commands. Remove all ACLs from a file:

setfacl -b /data/example

Remove the default ACL:

setfacl -k testcases

The mask setting is interesting. It will be set up whenever permissions beyond those of owner, group, and other are used. As you'd read in the man page for the setfacl command, the mask is the union of all permissions from the owning group, named user and group settings. It can limit the permissions that are available but you can change the mask with a command like this:

$ setfacl -m mask:rw- /data/example

Note that mask can be spelled (mask:) out or abbreviated to m (m:). Generally, it will be set to whatever permissions are intended for the expected collections of users and groups. You can also override this setting when you assign permissions by requesting that no mask be used with the -n or --no-mask setting. The traditional Unix permissions are easy to think about, but can be seriously confining when you need more flexibility in defining what various users or groups on your servers should be able to do. The newer ACL commands give you a lot more leeway in determining who gets what permissions. You just have to work a little harder to be sure they're right.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT