Linux file permissions can be confusing for those new to them. The traditional model revolves around an owner and a group: with the "chmod" command you can set rights for the file's owner, for the file's group, and for everyone else. But what if those three slots are not granular enough? What if you need to give specific file permissions to one particular user, and nobody else? What then?
The Traditional Linux Approach
The regular and traditional way to manage individual user rights to a file is to either:
- Create a new and separate group for that one user only;
- Make that user the owner of the file and manage permissions separately.
However, both of these solutions can be overkill. The second one in particular can undermine what you are trying to achieve: once that user owns the file, they can chmod it themselves and hand access to anyone they like. The first solution works, but it is cumbersome: if you do this regularly, the one-member groups pile up and become hard to keep track of. So what do we do?
Luckily we have a handy little tool called "setfacl" that gets the job done.
Creating an Owned File and Denying Permissions to Others
Let's first set up the test environment. In this example, I create a file called "ownedbyroot" as root and then deny permissions to everyone else using the command:
chmod og-rwx ownedbyroot
As you can see in the screenshot below, this strips read, write and execute from the group and from everyone else while leaving the owner's bits as they were, reserving access for the owner of the file - in this case, root:
You can see that when I try and view the file as another user, I'm denied permissions as expected:
Now what if I want to give this user access? And this user alone? Instead of creating a separate group or changing the owner, I use "setfacl" instead.
Using Setfacl to Change User Specific File Permissions
To accomplish this, I run the following command as root:
setfacl -m u:bhagwad:rw ownedbyroot
The "-m" option tells setfacl to modify the file's Access Control List (ACL); what follows it is the entry to add or update. Here, I want to change permissions for a specific user, so I type "u" followed by a colon (:), the name of the user, another colon, and then the permissions I want to assign to that particular user.
In this case, I've given the user "bhagwad" read and write (rw) permissions on the file called "ownedbyroot". The complete documentation is in the setfacl(1) man page. If instead of a user you want to control access for a specific group, use "g" instead of "u", followed by the group name as above. One thing to keep in mind: as soon as a file carries a named-user or named-group entry, the ACL also gets a "mask" entry that caps what those entries can grant, and the group bits that "ls -l" displays now show that mask rather than the owning group's rights, with a "+" after the mode string. A later "chmod" on the group bits therefore rewrites the mask and can silently reduce what "bhagwad" can actually do; getfacl flags such entries with an "#effective:" comment.
Once the command executes, you can list the permissions that apply to the file with the "getfacl" command:
You can see in the screenshot above, that the user "bhagwad" has been assigned "rw" rights as expected.
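As an added example (not code from the original article), the Python below parses getfacl output and answers "can this user do this?" by following the access-check order in acl(5), including the mask entry. The two getfacl dumps are constructed by hand to match the "ownedbyroot" file above: the first is the state right after the setfacl command, the second is the same file after a later "chmod g-w", which rewrites the mask. The user "alice" is an assumed third user; nothing here needs setfacl or an ACL-enabled filesystem.

```python
# Added example, not code from the original article: evaluate who can do what
# on a file from getfacl(1) output, following the access-check order in acl(5),
# including the mask entry that caps named users and named groups.
# The getfacl dumps below are constructed by hand for the article's
# "ownedbyroot" file; the user "alice" is an assumed third user.
# Nothing here needs setfacl or an ACL-enabled filesystem.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_bits(perms):
    """'rw-' -> 6, 'r--' -> 4, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def parse_getfacl(text):
    """Parse one getfacl dump into owner, owning group and (tag, qualifier, bits).

    getfacl appends '#effective:...' to entries the mask restricts; that
    comment is dropped here because can_access() recomputes it from the mask.
    """
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # '# file:' header or a flags line
        else:
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            acl["entries"].append((tag, qualifier, perm_bits(perms)))
    return acl


def can_access(acl, user, groups, requested):
    """True if `user`, a member of `groups`, is granted every bit in `requested`.

    Order from acl(5): owner (user::, never masked) -> named user (masked)
    -> owning group / named groups (one matching entry, after masking, must
    grant all requested bits; rights are not unioned across groups)
    -> other:: (never masked).
    """
    want = perm_bits(requested)
    entries = acl["entries"]
    masks = [bits for tag, _, bits in entries if tag == "mask"]
    mask = masks[0] if masks else 7  # no mask entry means nothing is capped

    def lookup(tag, qualifier=""):
        for t, q, bits in entries:
            if t == tag and q == qualifier:
                return bits
        return None

    if user == acl["owner"]:
        return (lookup("user") & want) == want
    named = lookup("user", user)
    if named is not None:
        return (named & mask & want) == want
    candidates = []
    if acl["group"] in groups:
        candidates.append(lookup("group"))
    candidates += [bits for tag, q, bits in entries
                   if tag == "group" and q and q in groups]
    if candidates:
        return any((bits & mask & want) == want for bits in candidates)
    return (lookup("other") & want) == want


# Constructed: getfacl ownedbyroot right after
#   chmod og-rwx ownedbyroot; setfacl -m u:bhagwad:rw ownedbyroot
AFTER_SETFACL = """\
# file: ownedbyroot
# owner: root
# group: root
user::rw-
user:bhagwad:rw-
group::---
mask::rw-
other::---
"""

# Constructed: the same file after a later `chmod g-w ownedbyroot`.
# With an extended ACL the group bits of the mode are the mask, so chmod
# shrinks the mask and getfacl flags the capped entry with #effective.
AFTER_CHMOD = """\
# file: ownedbyroot
# owner: root
# group: root
user::rw-
user:bhagwad:rw-\t\t#effective:r--
group::---
mask::r--
other::---
"""

if __name__ == "__main__":
    for label, dump in (("after setfacl", AFTER_SETFACL), ("after chmod g-w", AFTER_CHMOD)):
        acl = parse_getfacl(dump)
        for who, grps in (("root", ["root"]), ("bhagwad", ["bhagwad"]), ("alice", ["alice"])):
            r = can_access(acl, who, grps, "r")
            w = can_access(acl, who, grps, "w")
            print(f"{label:16} {who:8} read={r!s:5} write={w}")
```

Running it prints that bhagwad has read and write after the setfacl command but only read after the chmod, while root keeps both and alice gets nothing in either state; that is exactly the drift a "getfacl -R" audit of a sensitive directory is meant to catch.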
Testing out Access
So let's test setfacl and see if it's indeed done its job. In the screenshot below, I first "su" into another user and try to access the file. As you can see, I get a "Permission denied" message - which is to be expected, since my first chmod command removed access rights for all users other than the owner (root):
However, I then "su" into the user "bhagwad", and this time when I run the same command, I succeed because of the "setfacl" command. This time, there is no "Permission denied" message.
You can use setfacl to add any number of such entries for individual users and groups, without creating new groups or changing owners. It's a flexible and powerful tool built around Access Control Lists (ACLs). The filesystem must support ACLs and be mounted with them enabled: on ext4 this is the "acl" mount option, which current distributions and kernels turn on by default, and XFS and Btrfs enable it by default as well, so you shouldn't have any problems using it. Two things worth remembering: "ls -l" only hints at an ACL with the trailing "+", so use "getfacl" (or "getfacl -R" on a directory tree) when you audit who can reach a sensitive file; and "setfacl -x u:bhagwad ownedbyroot" removes a single entry while "setfacl -b ownedbyroot" strips the whole extended ACL and returns the file to plain owner/group/other permissions.