What are the different ways to set file permissions etc on gnu/linux
chmod: change file mode bits
Usage (octal mode):
chmod <octal-mode> files...
Usage (symbolic mode):
chmod <references><operator><modes> files..
references is a combination of the letters ugoa, which specify which user's access to the files will be modified:
uthe user who owns itgother users in thefile's groupoother users not in the file's groupaall usersIf the omitted, it defaults to all users, but only permissions allowed by the
umaskare modified.operatoris one of the characters+-=:+add the specified file mode bits to the existing file mode bits of eachfile-removes the specified file mode bits to the existing file mode bits of eachfile=adds the specified bits and removes unspecified bits, except thesetuidandsetgidbits set for directories, unless explicitly specified.
modeconsists of a combination of the lettersrwxXst, which specify which permission bit is to be modified:rreadwwritexexecute (or search for directories)Xexecute/search only if the file is a directory or already has execute bit set for some userssetuid or setgid (depending on the specifiedreferences)trestricted deletion flag or sticky bit
Alternatively, the
modecan consist of one of the lettersugo, in which case case the mode corresponds to the permissions currently granted to the owner (u), member's of thefile's group (g) or permissions of users in neither of the preceding categories (o).
The various bits of chmod explained:
- Access control (see also
setfacl)rwx— read (r), write (w), and execute/cross (x) permissions.- Read (r) affects if a file can be read, or if a directory can be listed.
- Write (w) affects if a file can be written to, or if a directory can be edited (files added, deleted, renamed).
- Execute (x) affects if a file can be run, use for scripts (see
#!), and other executable files. - Cross (x) affects if a directory can be traversed.
sandt— sticky bit (t), and setgid (s) on directories- The sticky bit only affects directories. Will prevent any one except file owner, and root, from deleting files in the directory.
- the setgid bit on directories, will cause new files and directories to have the group set to the same group, and new directories to have there setgid bit set (see also defaults in setfacl).
s— setuid, setgid, on executable files.- This can affect security in a bad way, if you don't know what you are doing.
- When an executable is run, if one of these bits is set, then the effective user/group of the executable will become that of the file. Thus the program runs as that user. see
setcapfor a more modern way to do this.
chown chgrp:
chattr: change file attributes
Usage:
chattr <operator><attribute> files...
operator is one of the characters +-=:
* + adds the selected attributes to be to the existing attributes of the files
* - removes the selected attributes
* = overwrites the current set of attributes the files have with the specified attributes.
attribute is a combination of the letters acdeijstuADST, which correspond the attributes:
aappend onlyccompresseddno dumpeextent formatiimmutablejdata journallingssecure deletiontno tail-merginguundeletableAnoatimeupdatesDsynchronous directory updatesSsynchronous updatesTtop of directory hierarchy
setfattr: change extended file attributes
Usage (set attribute):
setfattr -n <name> -v <value> files...
Usage (remove):
setfattr -x <name> files...
name is the name of the extended attribute to set or remove
value is the new value of the extended attribute
setfacl: change file access control lists
Usage:
setfacl <option> [default:][<target>:][<param>][:<perms>] files...
option must include one of the following:
--setset the ACL of a file or a directory, replacing the previous ACL-m|--modifymodify the ACL of a file or directory-x|--removeremove ACL entries of a file or directorytargetis one of the lettersugmo(or the longer form shown below):u,userspermission of a named user identified byparam, defaults to file owneruidif omittedg,grouppermission of a named group identified byparam, default to owning groupuidif omittedm,maskeffective rights masko,otherpermissions of otherspermsis a combination of the lettersrwxX, which correspond to the permissions:rreadwwritexexecuteXexecute only if the file is a directory or already has execute permission for some userAlternatively,
permsmay be an octal digit (0-7) indicating the set of permissions.
setcap: change file capabilities
Usage:
setcap <capability-clause> file
A capability-clause consists of a comma-separated list of capability names followed by a list of operator-flag pairs.
The available operators are =, + and -. The available flags are e, i and p which correspond to the Effective, Inheritable and Permitted capability sets.
The = operator will raise the specified capability sets and reset the others. If no flags are given in conjunction with the = operator all the capability sets will be reset. The + and - operators will raise or lower the one or more specified capability sets respectively.
chcon: change file SELinux security context
Usage:
chcon [-u <user>] [-r <role>] [-t <type>] files...
user is the SELinux user, such as user_u, system_u or root.
role is the SELinux role (always object_r for files)
type is the SELinux subject type
chsmack: change SMACK extended attributes
Usage:
chsmack -a <value> file
value is the SMACK label to be set for the SMACK64 extended file attribute
setrichacl: change rich access control list.
richacls are a feature that will add more advanced ACLs.
Currently a work in progress, so I can not tell you much about them. I have not used them.
See also this question Are there more advanced filesystem ACLs beyond traditional 'rwx' and POSIX ACL? and man page