UNIX File Permissions
Owner & Group

chown myuser myfile             Change the owner of myfile to myuser. Only root can give a file to another user; an unprivileged user can only change the group of a file they own, and only to a group they belong to.
chown myuser:mygroup myfile     Change the owner and group of myfile
chown myuser:mygroup mydir      Change the owner and group of mydir itself (its contents are untouched)
chown -R myuser:mygroup mydir   Change the owner and group of mydir and everything beneath it (symbolic links met during the descent are not followed by default)
chgrp mygroup myfile            Change the group of myfile

Note: on Linux, changing the owner or group of a regular file clears its setuid bit (and, for group-executable files, its setgid bit), so re-check the mode with ls -l after a chown or chgrp on a setuid binary.
Permissions

ls -l mode    octal        symbolic (exact)    umask whose complement is this mode
---x--x--x    chmod 111    chmod ugo=x         umask 666
--w--w--w-    chmod 222    chmod ugo=w         umask 555
--wx-wx-wx    chmod 333    chmod ugo=wx        umask 444
-r--r--r--    chmod 444    chmod ugo=r         umask 333
-r-xr-xr-x    chmod 555    chmod ugo=rx        umask 222
-rw-rw-rw-    chmod 666    chmod ugo=rw        umask 111
-rwxrwxrwx    chmod 777    chmod ugo=rwx       umask 000
-rw-r--r--    chmod 644    chmod u=rw,go=r     umask 022 (gives 644 to new files and 755 to new directories; the usual default)

Notes:
- The first character of the ls -l mode is the file type (- regular file, d directory, l symbolic link), not a permission bit. The remaining nine characters are owner (u), group (g) and others (o), each as rwx.
- The symbolic column uses "=" so that the mode is set exactly. "+" adds bits to whatever is already set: chmod ugo+x on a 644 file gives 755, not 111. chmod accepts the who letters in any order (uog, ugo) and "a" as shorthand for all three.
- The umask is removed (bitwise) from the mode a program asks for at creation time. Directories are requested with 777, so umask 022 yields 755; regular files are requested with 666, so the same umask yields 644, and no umask value can give a new regular file execute permission. The umask column therefore lists the umask that produces the row's mode for a new directory; the last row shows the common default 022 instead of the literal complement 133.
- A fourth, leading octal digit sets setuid (4), setgid (2) and sticky (1), e.g. chmod 4755 or chmod u+s. They appear in the mode string as s/S in the owner or group execute position and t/T in the others execute position (upper case when the underlying execute bit is not set).
- 666 and 777 make the file writable by every local user. Outside scratch directories they are almost always a mistake; for a shared directory, 1777 (world-writable with the sticky bit, as /tmp) at least stops users deleting each other's files.
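The table above compresses three things that are easy to confuse: the mode string, the chmod form that produces it, and the umask that yields it for a new directory. The following shell script is an added illustration, not part of the original cheat sheet: it creates files and directories under different umasks and reads back what they got with stat, compares that with the mode & ~umask arithmetic, and contrasts chmod ugo+x with chmod ugo=x. It assumes a Linux or BSD userland with mktemp, stat, chmod and umask; no path or user name in it comes from the page.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet): exercises the permission
# table on a scratch directory. Assumes GNU or BSD stat, chmod, umask and mktemp.
set -eu

# Print a file's permission bits as three octal digits (GNU stat first, BSD fallback).
# "0$m" makes printf parse the digits as octal, so a mode of 0 prints as 000.
mode() {
    m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    printf '%03o\n' "0$m"
}

# Pure arithmetic version of what the kernel does at create time: mode & ~umask.
# Usage: masked_mode REQUESTED_MODE UMASK   (both octal)
masked_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Create a regular file and a directory under the given umask and report both.
# Files are requested with 666 and directories with 777, so the same umask
# produces different results for the two.
umask_demo() {
    d=$(mktemp -d)
    ( umask "$1" && : > "$d/f" && mkdir "$d/sub" )
    printf 'file=%s dir=%s\n' "$(mode "$d/f")" "$(mode "$d/sub")"
    chmod -R u+rwx "$d" && rm -rf "$d"     # make the 000/111 entries removable again
}

# Why "+" and "=" are not interchangeable: start from 644, then add x vs set x.
plus_vs_equals() {
    d=$(mktemp -d)
    : > "$d/f" && chmod 644 "$d/f"
    chmod ugo+x "$d/f"; added=$(mode "$d/f")   # + keeps the existing rw/r bits -> 755
    chmod ugo=x "$d/f"; exact=$(mode "$d/f")   # = replaces every bit          -> 111
    chmod -R u+rwx "$d" && rm -rf "$d"
    printf '%s %s\n' "$added" "$exact"
}

main() {
    for u in 022 077 666; do
        printf 'umask %s: %s (arithmetic: file=%s dir=%s)\n' "$u" "$(umask_demo "$u")" \
            "$(masked_mode 666 "$u")" "$(masked_mode 777 "$u")"
    done
    printf 'chmod ugo+x then ugo=x on a 644 file: %s\n' "$(plus_vs_equals)"
}
main
```

Running it shows that umask 666 leaves a new file with no permissions at all while the directory created next to it still gets 111, and that a file created under umask 666 can still be opened by its creator's open() call (creation is checked against the directory, not the new file's bits), which is why the script must chmod before it can clean up.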
ACL (Access Control Lists)

AIX

aclput -i myacl myfile        Apply the ACLs contained in the file myacl to myfile
aclget myfile                 Show the ACLs applied to myfile
aclget -v myfile              Show the ACLs applied to myfile with extra comments
acledit -t NFS4 -v myacl      Edit the ACL file myacl in $EDITOR. Type can be NFS4 (default) or AIXC (the classic AIX ACL). "-v" = verbose (adds comments)

To use acledit, the EDITOR environment variable must be set to the full pathname of an editor, e.g.:

export EDITOR=/usr/bin/vi
Example NFS4 ACL file

Each non-comment line of the file is one ACE (Access Control Entry) and has 4 "columns": IDENTITY, ACE_TYPE, ACE_MASK and, optionally, ACE_FLAGS.

IDENTITY has the form IDENTITY_type:(IDENTITY_name or IDENTITY_ID or IDENTITY_who): where:
    IDENTITY_type   u : user
                    g : group
                    s : special who string (IDENTITY_who must be a special who)
    IDENTITY_name   user/group name
    IDENTITY_ID     user/group ID
    IDENTITY_who    special who string (e.g. OWNER@, GROUP@, EVERYONE@)

ACE_TYPE is one of:
    a : allow
    d : deny
    l : alarm
    u : audit

ACE_MASK is one or more of the following keys, written together without separators:
    r : READ_DATA or LIST_DIRECTORY
    w : WRITE_DATA or ADD_FILE
    p : APPEND_DATA or ADD_SUBDIRECTORY
    R : READ_NAMED_ATTRS
    W : WRITE_NAMED_ATTRS
    x : EXECUTE or SEARCH_DIRECTORY
    D : DELETE_CHILD
    a : READ_ATTRIBUTES
    A : WRITE_ATTRIBUTES
    d : DELETE
    c : READ_ACL
    C : WRITE_ACL
    o : WRITE_OWNER
    s : SYNCHRONIZE

ACE_FLAGS (optional) is one or more of the following keys, written together without separators:
    fi : FILE_INHERIT
    di : DIRECTORY_INHERIT
    oi : INHERIT_ONLY
    ni : NO_PROPAGATE_INHERIT
    sf : SUCCESSFUL_ACCESS_ACE_FLAG
    ff : FAILED_ACCESS_ACE_FLAG

Order matters: entries are evaluated top to bottom, and each requested permission is settled by the first allow or deny entry that matches the requester and lists that permission, so a deny must come before the allow it is meant to override. The mask keys are also case sensitive (w is WRITE_DATA but W is WRITE_NAMED_ATTRS; c is READ_ACL but C is WRITE_ACL; o is WRITE_OWNER), so a slip of case grants or withholds a different right.
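Because an NFS4 ACL is evaluated in order, reading one by hand is error-prone. The script below is an added example, not from the page or from IBM's tooling: it applies the NFSv4 evaluation rule to an ACL file laid out in the four columns described above. Each requested permission letter is settled by the first matching allow or deny entry that lists it, and anything never allowed is denied. The sample ACL, the users alice and bob and the group auditors are constructed for the example; the identities a requester matches (which u:, g: and s: entries apply to them) are passed in by the caller rather than resolved, since that lookup is the server's job.

```shell
#!/bin/sh
# Added example (not from the original page): evaluate an NFS4 ACL file in the
# IDENTITY / ACE_TYPE / ACE_MASK / ACE_FLAGS layout described above.
set -eu

# Write a constructed sample ACL (hypothetical users alice, bob and group auditors).
write_sample_acl() {
    cat > "$1" <<'EOF'
*
* ACL_type   NFS4
*
* Owner: alice
* Group: staff
*
s:(OWNER@):     a    rwpRWxDaAdcCos
g:(auditors):   d    wpd
g:(auditors):   a    rRacs
s:(GROUP@):     a    rRadcs
s:(EVERYONE@):  d    wpxDAdCo
s:(EVERYONE@):  a    rRacs
u:(bob):        a    rwpRWxDaAdcCos
EOF
}

# nfs4_check ACLFILE IDENTITIES MASK
#   IDENTITIES  comma-separated identities the requester matches,
#               e.g. "u:(bob),s:(EVERYONE@)"
#   MASK        requested permission letters, e.g. "rw"
# Prints "ALLOW line N", "DENY <letter> line N" or "DENY unresolved <letters>"
# and exits 0 only when every requested letter was allowed.
nfs4_check() {
    awk -v ids="$2" -v want="$3" '
    BEGIN {
        n = split(ids, a, ",")
        for (i = 1; i <= n; i++) mine[a[i]] = 1
        left = length(want)
        for (i = 1; i <= left; i++) pending[substr(want, i, 1)] = 1
        rc = 1
    }
    /^[ \t]*\*/ || NF < 3 { next }              # comment or blank line
    {
        id = $1; sub(/:$/, "", id)              # "s:(OWNER@):" -> "s:(OWNER@)"
        if (!(id in mine)) next                 # entry is for somebody else
        if ($2 != "a" && $2 != "d") next        # alarm/audit entries neither grant nor deny
        for (i = 1; i <= length($3); i++) {
            c = substr($3, i, 1)
            if (!(c in pending)) continue       # not requested, or already allowed earlier
            if ($2 == "d") { print "DENY " c " line " NR; decided = 1; exit }
            delete pending[c]
            if (--left == 0) { print "ALLOW line " NR; decided = 1; rc = 0; exit }
        }
    }
    END {
        if (!decided) {                         # default deny for anything never allowed
            out = ""
            for (c in pending) out = out c
            print "DENY unresolved " out
        }
        exit rc
    }' "$1"
}

main() {
    acl=$(mktemp)
    write_sample_acl "$acl"
    for spec in "s:(OWNER@),s:(EVERYONE@) rw" "u:(bob),s:(EVERYONE@) w" \
                "g:(auditors),s:(EVERYONE@) rw" "s:(EVERYONE@) W"; do
        set -- $spec
        printf '%-28s %-3s -> %s\n' "$1" "$2" "$(nfs4_check "$acl" "$1" "$2")"
    done
    rm -f "$acl"
}
main
```

The bob case is the one worth noticing: the last line grants bob full rights, yet his write request is refused, because the EVERYONE@ deny above it already settled the w bit. Moving the u:(bob) entry above the deny changes the answer.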
acledit Errors

3002-100 acledit: EDITOR environment variable not set                   export EDITOR=/usr/bin/vi
3002-104 acledit: EDITOR environment variable must be full pathname     export EDITOR=/usr/bin/vi (a bare "vi" is rejected)
3002-107 ACL type ANY is not supported                                  name the ACL type explicitly with -t, e.g. acledit -t NFS4 -v myacl
Linux

If a file has an ACL, ls -l shows a "+" immediately after the permission bits (e.g. -rw-rw-r--+).

getfacl myfile                                  Show the ACLs applied to myfile
setfacl -m u:myuser:rw myfile                   Modify the ACL to give myuser read/write access to myfile
setfacl -m g:mygroup:rw myfile                  Modify the ACL to give mygroup read/write access to myfile
setfacl -m u:myuser:rw,g:mygroup:rw myfile      Perform the above two modifications with a single command
setfacl -m default:u:myuser:rw mydir            Set a default ACL on mydir; files and subdirectories created inside it inherit it. Default entries exist only on directories, and "d:" is accepted as shorthand for "default:"
setfacl -x u:myuser myfile                      Remove the ACL entry for myuser from myfile
setfacl -b myfile                               Remove all extended ACL entries (and any default ACL) from myfile; the base owner/group/other entries, i.e. the mode bits, remain

Notes:
- Once a file has an extended ACL, the group bits shown by ls -l are the mask entry, not the owning group's rights. setfacl -m recalculates the mask to cover the entries it adds, but a later chmod rewrites it: chmod 644 on a file carrying u:myuser:rw silently cuts myuser to r--. getfacl marks this with "#effective:" next to the affected entry; check for it after any chmod on ACL-bearing files.
- setfacl -m u:... and g:... accept numeric IDs as well as names; getfacl -n prints IDs instead of names.
ACL Backup & Restore

If your regular backup software does not preserve ACLs through a restore, you can dump and reload them separately with getfacl and setfacl:

cd mydir
getfacl -R . > /somewhere/outside/mydir_facl
setfacl --restore=/somewhere/outside/mydir_facl

Notes:
- Use "." rather than "*": the shell does not expand "*" to dot-files and dot-directories, so their ACLs would be missing from the dump.
- The dump records paths relative to the directory it was taken in, so run the restore from that same directory, and keep the dump file outside the tree so it is not swept up by -R.
- setfacl --restore also reapplies the mode recorded for each file, and when run as root the owner and group recorded in the "# owner:" and "# group:" comments; a dump taken on one host therefore restores ownership too if the names resolve there.
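The following shell script is an added walkthrough, not from the original page, of the Linux commands above and of this backup and restore procedure: it sets an entry and shows the "+" in ls -l, shows how a later chmod trims the mask, lets a child inherit a default ACL, then dumps the tree with getfacl -R . and reloads it with setfacl --restore, checking that a dot-file's ACL survives. It assumes the acl package (getfacl/setfacl) and a filesystem with POSIX ACL support; the numeric UID 4242 is made up so that no account needs to exist, and the script prints "skipped" where ACLs cannot be used.

```shell
#!/bin/sh
# Added example (not from the original page): Linux POSIX ACL walkthrough on a
# scratch directory. Assumes getfacl/setfacl and ACL support on the filesystem
# behind mktemp. UID 4242 is a hypothetical user referenced by number only.
set -eu

UID_DEMO=4242

# Succeeds only if setfacl exists and the filesystem under $1 accepts an ACL.
acl_available() {
    command -v setfacl >/dev/null 2>&1 || return 1
    t="$1/.probe"; : > "$t"
    rc=0; setfacl -m "u:$UID_DEMO:r" "$t" >/dev/null 2>&1 || rc=$?
    rm -f "$t"; return $rc
}

# Prints "ok" when every step behaves as documented, "skipped" when ACLs are
# unavailable here, and a diagnostic (with a non-zero return) otherwise.
acl_walkthrough() {
    d=$(mktemp -d)
    if ! acl_available "$d"; then rm -rf "$d"; echo skipped; return 0; fi
    f="$d/myfile"; : > "$f"; chmod 644 "$f"

    # 1. ls -l shows "+" once an extended entry exists.
    setfacl -m "u:$UID_DEMO:rw" "$f"
    [ "$(ls -l "$f" | cut -c11)" = "+" ] || { echo "no + flag in ls -l"; return 1; }

    # 2. The mask caps named entries. chmod 644 rewrites the group bits, which are
    #    the mask once an ACL exists, so the rw entry is cut to r-- (getfacl says so).
    chmod 644 "$f"
    getfacl -n "$f" 2>/dev/null | grep -q "^user:$UID_DEMO:rw-.*#effective:r--" \
        || { echo "expected #effective:r-- after chmod 644"; return 1; }
    setfacl -m "m::rw" "$f"        # raise the mask again; ls -l now shows rw- for group

    # 3. A default ACL on a directory is inherited by files created below it.
    mkdir "$d/mydir"
    setfacl -m "d:u:$UID_DEMO:rw" "$d/mydir"
    : > "$d/mydir/child"
    getfacl -n "$d/mydir/child" 2>/dev/null | grep -q "^user:$UID_DEMO:rw-" \
        || { echo "default ACL not inherited"; return 1; }

    # 4. Dump with "getfacl -R ." (not "*", which skips dot-files), wipe with -b,
    #    then restore from the same directory the dump was taken in.
    : > "$d/mydir/.hidden"; setfacl -m "u:$UID_DEMO:r" "$d/mydir/.hidden"
    dump=$(mktemp)                 # kept outside the tree being dumped
    ( cd "$d" && getfacl -R . > "$dump" )
    setfacl -R -b "$d"
    [ "$(ls -ld "$d/mydir" | cut -c11)" != "+" ] || { echo "setfacl -b left an ACL"; return 1; }
    ( cd "$d" && setfacl --restore="$dump" )
    getfacl -n "$d/mydir/.hidden" 2>/dev/null | grep -q "^user:$UID_DEMO:r--" \
        || { echo "restore did not bring back the dot-file ACL"; return 1; }
    [ "$(ls -l "$f" | cut -c11)" = "+" ] || { echo "restore did not bring back myfile's ACL"; return 1; }

    rm -f "$dump"; rm -rf "$d"; echo ok
}

acl_walkthrough
```

Step 2 is the one that bites in practice: a configuration-management run that enforces "mode 0644" on a file someone granted a named user rw on will leave the entry in place but neuter it, and nothing but getfacl's #effective column says so.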
Bibliography

acl
    https://www.ibm.com/docs/en/aix/7.2?topic=aclput-command
    https://www.ibm.com/docs/en/aix/7.2?topic=aclget-command
    https://www.ibm.com/docs/en/aix/7.2?topic=acledit-command
    https://www.ibm.com/docs/en/aix/7.2?topic=system-aixc-access-control-list
    https://www.ibm.com/docs/en/aix/7.2?topic=system-nfs4-access-control-list
    https://www.thegeekdiary.com/unix-linux-access-control-lists-acls-basics/
ls
    https://detailed.wordpress.com/2017/10/28/understanding-ls-command-output/
chmod
    https://www.howtogeek.com/437958/how-to-use-the-chmod-command-on-linux/