File Permissions Basics and ACL
This is an overview of how file permissions and Access-control Lists (ACL) work on POSIX-based file systems. This forms a primer to understanding how exactly the actions in Setting Default File Permissions work and how to debug them.
In short, ACL helps to control which users can read, write, or execute certain file objects, which are defined as anything in the file system (regular files, directories, symlinks, etc.). Note that ACL does not have complete authority on creating permissions for new file objects.
Contents
Basics of Unix/POSIX File Permissions
What are they?
- All files and directories have permissions assigned to them via ACL entries
- There are three different "levels" of file permissions in a standard POSIX file system: read (
r
), write (w
), and execute (x
).- Read allows viewing the contents of the file/directory, and copying the files
- Write allows rewriting and deleting files. For a directory with write permissions, it also allows creation of subdirectories and creation of new files
- Execute allows files to be executed directly.
- Note that for script files (such as
bash
orpython
), they can still be run by passing the file to it's interpreter if the file is readable (ie.bash non_executableScript.sh
is still possible ifnon_executableScript.sh
hasrw-
permissions).
- Note that for script files (such as
- ACL entries apply the three different "levels" of file permission onto 6 possible tags. From the ACL manpage, they are:
ACL_USER_OBJ The ACL_USER_OBJ entry denotes access rights for the file owner. ACL_USER ACL_USER entries denote access rights for users identified by the entry's qualifier. ACL_GROUP_OBJ The ACL_GROUP_OBJ entry denotes access rights for the file group. ACL_GROUP ACL_GROUP entries denote access rights for groups identified by the entry's qualifier. ACL_MASK The ACL_MASK entry denotes the maximum access rights that can be granted by entries of type ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP. ACL_OTHER The ACL_OTHER entry denotes access rights for processes that do not match any other entry in the ACL.
ACL_USER_OBJ
, ACL_GROUP_OBJ
, and ACL_OTHER
correspond to the standard three user categories: file owner, file group, and "other". These three categories are the ones listed by ls -l
.
The file owner and file group are set to the user that originally created the file and their respective user group (though this can be changed using chown
).
"Others" simply refers to all other users that are not the file owner and are not members of the file group.
The other three tags, ACL_MASK
, ACL_GROUP
, and ACL_USER
, are only used for custom ACL entries that are set by a user.
- The file permissions for
ACL_USER_OBJ
,ACL_GROUP_OBJ
, andACL_OTHER
together form the filemode
parameter- This parameter is used by programs to set the permissions of files they create. This is discussed further in the Custom Permissions section.
Viewing them
As an example, if you run ls -l
on a directory, you might see:
drwxr-x---+ 2 jrwrigh7 a1983 4.0K 2020-07-04 08:09 test2 -rw-r-x---+ 1 jrwrigh7 a1983 38 2020-07-02 12:38 test2file lrwxrwxrwx 1 jrwrigh7 a1983 9 2020-07-04 08:40 test2fileLink -> test2file
The first block (-rw-r-x---+
) shows the permissions for the file (described below). The user owner is shown as jrwrigh7
and the group owner is a1983
.
Permissions Block:
- First character displays what kind of file it is, be it a link (
l
), directory (d
), regular file (-
), etc. - The next 9 characters show the permissions for the file owner, file group, and "others".
- So for
test2file
in the above output:- File Owner:
rw-
- File Group:
r-x
- Others:
---
- File Owner:
- So for
- The last character is optional. A
+
means that there are other permission rules not displayed. This is where ACL rules come into play.
See the ls coreutils manual for more information on the 'long' format for ls
.
Octal numbers
The file mode
is often conveyed in the form of three octal numbers (ie. base 8 numbers). It is very similar to how PHASTA handles specifying boundary conditions using bitwise logic.
The first bit handles read, the second bit handles write, and the third handles execute.
Permissions | Read bit | Write Bit | Execute Bit | Octal Number equivalent |
---|---|---|---|---|
---
|
0 | 0 | 0 | 0 |
r--
|
1 | 0 | 0 | 1 |
-w-
|
0 | 1 | 0 | 2 |
rw-
|
1 | 1 | 0 | 3 |
--x
|
0 | 0 | 1 | 4 |
r-x
|
1 | 0 | 1 | 5 |
-wx
|
0 | 1 | 1 | 6 |
rwx
|
1 | 1 | 1 | 7 |
Using test2file
as the example permissions block, it is stored as 110 101 000
. When translated into decimal, that equals 3 5 0
.
Another way to think about it is that the octal number equivalent of a permission set = 1*r + 2*w + 4*x, where r, w, and x equal 1 or 0 depending on whether they're set or not.
Custom Permissions
The other two tags, ACL_GROUP
and ACL_USER
, are for more custom permissions and are not set by default on a blank system.
The ACL_MASK
entry plays an important role in how new file permissions are set.
Note that the ACL_MASK
is only used when ACL_GROUP
or ACL_USER
are used for ACL entries.
What determines the permissions for a new file?
There are three sources that determine what file permissions will be set; umask
, the "mode" parameter used by the program creating the file, and ACL.
umask
umask
is a function that contains file permission settings for any file created by a user and it is unique to the user. The user can change it at anytime using the umask
command. To see what it is set to, simply run umask
with no arguments.
"Mode" Parameter
When a new file is created, the syscall
open()
(among others) is used and a file mode parameter must be chosen by that program. For example, `touch` will automatically apply the mode 666
to the file, which will make the file owner, file group, and "others" all have rw-
permissions
ACL Defaults
The Access-control List (ACL) has the ability to set more nuanced permissions for files (ie. permissions for specific users or groups that are not file owner or file group). They can be set for a specific file/directory, or as a default setting. This default setting is set for a directory and is used for files and subdirectories created inside that directory.
There are 6 different tags that ACL rules can apply to. From the acl
manpage:
ACL_USER_OBJ The ACL_USER_OBJ entry denotes access rights for the file owner. ACL_USER ACL_USER entries denote access rights for users identified by the entry's qualifier. ACL_GROUP_OBJ The ACL_GROUP_OBJ entry denotes access rights for the file group. ACL_GROUP ACL_GROUP entries denote access rights for groups identified by the entry's qualifier. ACL_MASK The ACL_MASK entry denotes the maximum access rights that can be granted by entries of type ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP. ACL_OTHER The ACL_OTHER entry denotes access rights for processes that do not match any other entry in the ACL.
ACL_USER_OBJ
, ACL_GROUP_OBJ
, and ACL_OTHER
correspond to the file owner, file group, and "other" permissions mentioned above and shown by ls -l
. The other two (ACL_GROUP
and ACL_USER
) are for custom permissions.
The ACL_MASK
entry plays an important role in how new file permissions are set.
How are new file permissions set?
The manpage for ACL is a great resource to answering this question. Most of the information below is simply paraphrasing what is written in the "Object Creation and Default ACLs" section.
When creating a file/subdirectory in a parent directory:
- If the parent directory does have default ACL rules, only the ACL default rules and "mode" parameter are used:
- The new file/subdirectory first inherits the default ACL rules of its parent directory
- The new file/subdirectory has its ACL entries adjusted such that no permissions exceed the "mode" parameter.
- The
ACL_USER_OBJ
andACL_OTHER
are changed directly - The
ACL_GROUP
,ACL_GROUP_OBJ
, andACL_USER
are changed through adjusting theACL_MASK
- The
- Additionally, if a new subdirectory is created, it will inherit its parents default ACL rules. Note that a file cannot have default ACL rules set.
- If the parent directory does not have default ACL rules, only
umask
and "mode" parameter are used:- The new file/subdirectory's
ACL_USER_OBJ
,ACL_GROUP_OBJ
, andACL_OTHER
are set based on the permissions set byumask
- The new file/subdirectory's are then adjusted to limit permissions to be no looser than the "mode" parameter
- The new file/subdirectory's
Note that this all means that if you have a default ACL rule that gives execute permissions to a group, the group will not have execute permissions by default unless the "mode" parameter also has execute permissions. Most compilers will use the execute permission bit for the "mode" parameter of it's executable, but other files will not.