How do I grant different permissions for each user?

Traditional Unix permissions only allow user, group, other permissions as you've found. These can result in some awkward combination of groups needing to be created...

So a new form of ACL (Access Control Lists) was tacked on. This allows you to specify multiple users and multiple groups with different permissions. These are set with the setfacl command and read with getfacl.

$ setfacl -m u:root:r-- file.txt
$ setfacl -m u:bin:-wx file.txt
$ setfacl -m u:lp:--x file.txt
$ getfacl file.txt
# file: file.txt
# owner: sweh
# group: sweh
user::rw-
user:root:r--
user:bin:-wx
user:lp:--x
group::r--
mask::rwx
other::r--

You can easily tell if a file has an ACL by looking at the ls output:

$ ls -l file.txt
-rw-rwxr--+ 1 sweh sweh 0 Jul 26 10:33 file.txt

The + at the end of the permissions indicates an ACL.


Yes, ACLs allow freely setting different rights to different users or groups. IIRC the usual group permissions limit the set of permissions that groups and users can have through ACLs (shown as mask in getfacl), but setfacl should deal with that if you add permissions.

But in some cases you need to ask if the set of permissions makes any sense.

I have 3 users with these desired permissions....
- user1 rwx
- user2 rw_
- user3 r__

You could implement this with ACLs, or (approximately) with the usual Unix permissions by making user1 the owner of the file, user2 a member of the group, and letting others, including user3, have read access. Though then everyone (with access to the directory) would also have read access.

Let's consider the meaning of those permissions. You have one user that can read, and another that can read and write. That's completely usual. Neither of these have access to execute the file, but then a third user is supposed to be able to do that, too.

That doesn't make much sense in my mind. Any user who can read the file, can make a copy(*), mark it executable, and run it, without access to execute the original file. The only situation it makes sense to have execute access for some users but not for others, is when the executable has elevated privileges through suid. But if that were the case, you shouldn't have other users with write access to the file, either.

In the same sense, user4 with -wx and user5 with --x don't make sense to me. Write-only access might make sense if there was a possibility of only allowing appends, but the permission system isn't that fine-grained.

(* unless they can't write anywhere)


Though, if we remove the weird requirement for the x bit, we're left with a file where user1 and user2 should have write access, and user3 should have read access. One writer and multiple readers would be easy with the traditional model, but this case would need tricks to combine the file permissions with the permissions of the containing directory. Luckily, in many cases one user with more permissions is sufficient.

Without the requirement on the execute bit, this looks like a case to use ACLs. But with it, this particular example seems rather convoluted to me.
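To make the mask point from the second answer concrete, here is an added example (not from either answer) that parses the getfacl output shown in the first answer and computes each entry's effective rights the way the kernel does: the mask limits named users, the owning group and named groups, but not the owner or "other". The second sample is constructed to show what a plain chmod 644 does to the same file, since on an ACL-bearing file the group bits are the mask. It also lists entries that can write but not read, which the second answer flags as rarely meaningful.

```python
"""Parse getfacl(1) output and compute effective permissions under the mask."""

# Constructed sample: the getfacl output quoted in the first answer.
SAMPLE = """\
# file: file.txt
# owner: sweh
# group: sweh
user::rw-
user:root:r--
user:bin:-wx
user:lp:--x
group::r--
mask::rwx
other::r--
"""

# Constructed: the same file after "chmod 644", which rewrites the mask to the group bits.
SAMPLE_AFTER_CHMOD = SAMPLE.replace("mask::rwx", "mask::r--")


def parse_getfacl(text):
    """Return [(key, perms)] in file order; key is 'user:bin', 'user:' (owner), 'mask:', ..."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip the header comments
            continue
        key, perms = line.rsplit(":", 1)
        entries.append((key, perms))
    return entries


def apply_mask(perms, mask):
    """AND two rwx strings position by position, as the kernel does for masked entries."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))


def effective_permissions(text):
    """Map each entry key to its effective rights (what 'getfacl -e' prints as #effective)."""
    entries = parse_getfacl(text)
    mask = dict(entries).get("mask:", "rwx")  # no mask entry means nothing is limited
    result = {}
    for key, perms in entries:
        tag, qualifier = key.split(":", 1)
        # Named users, the owning group and named groups are masked; owner and other are not.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        result[key] = apply_mask(perms, mask) if masked else perms
    return result


def write_without_read(text):
    """Entries whose effective rights allow write but not read (excluding the mask itself)."""
    eff = effective_permissions(text)
    return [k for k, p in eff.items() if k != "mask:" and p[0] == "-" and p[1] == "w"]
```

Running `effective_permissions(SAMPLE_AFTER_CHMOD)` shows user:bin and user:lp dropping to "---" after the chmod, which is why auditing ACL-bearing files with `getfacl -e` rather than `ls -l` matters.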