
Users with Unix experience will be familiar with chmod, which controls the level of access for yourself (the file's owner), for members of your Unix group (typically others in your department), and for all other users of the system. This is a simple but limited form of access control, and at NYU it is now deprecated for access control in favor of Access Control Lists (chmod is still used to set execute permissions).

An access control list (or ACL) gives per-file, per-directory and per-user control over who can read, write and execute files. You can see the ACL for a file or directory with the getfacl command:

$ getfacl myfile.txt

To modify permissions for files or directories, use setfacl. For a detailed description, see 'man setfacl'. In the example below, I give read permission on myfile.txt to user bob123:

$ setfacl -m u:bob123:r myfile.txt

For setting execute permission on files (useful for scripts, and for allowing directories to be entered), chmod is still used.

When running getfacl you will notice, in most cases, that the ACL is just like the chmod-based permissions: in the example below I have read and write permission and nobody else has any permissions at all.

After using setfacl as above to give permissions to a specific user, you see an extra line in the getfacl output:

You can see it with 'ls -l' too: the '+' in the last column of the permissions field indicates that this file has detailed access permissions via ACLs:
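To make the getfacl output above concrete, here is an added example (not part of the original page) that parses getfacl's text format and works out what a given user can actually do with the file. The sample outputs are constructed to look like what getfacl prints; the owner name alice and group name users are assumptions. It also handles the mask entry, which is the detail most often missed: a later chmod on the file rewrites the mask, and getfacl then shows the narrowed result as an "#effective:" note.

```python
"""Parse getfacl(1) output and work out a user's effective permissions.

Added example, not part of the original page. The sample outputs below are
constructed to look like what getfacl prints; the owner name (alice) and
group name (users) are assumptions.
"""
import re

# Constructed: `getfacl myfile.txt` after `setfacl -m u:bob123:r myfile.txt`.
# The extra "user:bob123:r--" line is the named-user entry; getfacl also
# shows the mask entry, which caps what named users and groups can get.
SAMPLE_AFTER_SETFACL = """\
# file: myfile.txt
# owner: alice
# group: users
user::rw-
user:bob123:r--
group::---
mask::r--
other::---
"""

# Constructed: bob123 was granted rw, then a chmod cleared the group write
# bit. Once an ACL exists the group bits *are* the mask, so the mask became
# r-- and getfacl flags the narrowed entry with an "#effective:" comment.
SAMPLE_MASKED = """\
# file: myfile.txt
# owner: alice
# group: users
user::rw-
user:bob123:rw-        #effective:r--
group::---
mask::r--
other::---
"""


def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) to an rwx string."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                if m.group(1) == "owner":
                    owner = m.group(2)
                else:
                    group = m.group(2)
            continue
        if line.startswith("default:"):
            # Default entries only apply to files created later in a directory.
            continue
        tag, qualifier, rest = line.split(":", 2)
        perms = rest.split("#", 1)[0].strip()   # drop any "#effective:" note
        entries[(tag, qualifier)] = perms
    return owner, group, entries


def _apply_mask(perms, mask):
    """Keep a bit only if both the entry and the mask grant it."""
    return "".join(p if (p != "-" and m != "-") else "-" for p, m in zip(perms, mask))


def effective_permissions(text, user, groups=()):
    """Permissions `user` (a member of `groups`) gets on the file described by `text`.

    Follows the POSIX ACL check order: owner entry, then a named user entry,
    then the owning-group and named-group entries (any matching entry that
    grants a bit wins), then other. Named-user and all group entries are
    limited by the mask; the owner and other entries are not.
    """
    owner, group, entries = parse_getfacl(text)
    mask = entries.get(("mask", ""), "rwx")
    if user == owner:
        return entries[("user", "")]
    if ("user", user) in entries:
        return _apply_mask(entries[("user", user)], mask)
    matching = [p for (tag, q), p in entries.items()
                if tag == "group" and (q if q else group) in groups]
    if matching:
        union = "".join(ch if any(p[i] != "-" for p in matching) else "-"
                        for i, ch in enumerate("rwx"))
        return _apply_mask(union, mask)
    return entries[("other", "")]


if __name__ == "__main__":
    for who in ("alice", "bob123", "carol"):
        print(who, effective_permissions(SAMPLE_AFTER_SETFACL, who))
    print("bob123 after chmod g-w:", effective_permissions(SAMPLE_MASKED, "bob123"))
```

The second sample is the case to remember when sharing on a cluster: granting rw to a user and then running chmod on the file can silently cut the grant back to r, and only getfacl (via the "#effective:" note) or a check like this one will show it.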

As well as setting permissions on the specific file you want to share, you must also set permissions "r" and "x" on the directory it is in and on its parent directories, all the way back to your $SCRATCH (or $HOME, etc.) directory; otherwise the other user cannot reach the file even though its own ACL grants access.
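The chain of directories is easy to get wrong by hand, so here is an added example (not part of the original page) that, given the top of your tree and the file to share, lists every directory on the way and builds the corresponding setfacl commands for review before anything is run. The paths, the $SCRATCH location and the user name bob123 are constructed for illustration.

```python
"""Work out which directories must be opened so a shared file is reachable.

Added example, not part of the original page. The paths, the user name
bob123 and the $SCRATCH location are constructed for illustration.
"""
import shlex
from pathlib import PurePosixPath


def directories_to_open(top, target):
    """Return every directory from `top` down to the parent of `target`.

    `top` is the directory you own at the root of the tree (your $SCRATCH or
    $HOME). Each directory on the way from there to the file needs "r" and
    "x" for the other user, or the file cannot be reached.
    """
    top = PurePosixPath(top)
    target = PurePosixPath(target)
    try:
        relative = target.relative_to(top)
    except ValueError:
        raise ValueError(f"{target} is not under {top}") from None
    dirs = [top]
    for part in relative.parts[:-1]:      # every component except the file itself
        dirs.append(dirs[-1] / part)
    return dirs


def sharing_commands(top, target, user, file_perms="r", dir_perms="rx"):
    """Build the setfacl commands that share `target` with `user`.

    Directories get `dir_perms` (r to list, x to enter); the file itself gets
    `file_perms`. Commands are returned as strings rather than executed so the
    list can be reviewed first. Paths are shell-quoted in case they contain
    spaces.
    """
    cmds = [f"setfacl -m u:{user}:{dir_perms} {shlex.quote(str(d))}"
            for d in directories_to_open(top, target)]
    cmds.append(f"setfacl -m u:{user}:{file_perms} {shlex.quote(str(target))}")
    return cmds


if __name__ == "__main__":
    # Constructed paths: a results file three levels below $SCRATCH.
    for cmd in sharing_commands("/scratch/alice",
                                "/scratch/alice/proj/data/results.csv", "bob123"):
        print(cmd)
```

If you would rather not let the other user list the contents of each directory, "x" alone is enough for them to pass through it to the named file; pass dir_perms="x" to get that tighter variant.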

The -m switch means "modify". Its opposite is -x, "remove", which deletes that user's ACL entry and with it all the permissions the entry granted:

$ setfacl -x u:bob123 myfile.txt