!ls -l /etc/passwd
-rw-r--r-- 1 root root 3434 Sep 27 06:12 /etc/passwd
!ls -l /etc/shadow
-rw-r----- 1 root shadow 1795 Sep 27 06:14 /etc/shadow
!man chmod
CHMOD(1)                         User Commands                        CHMOD(1)

NAME
       chmod - change file mode bits

SYNOPSIS
       chmod [OPTION]... MODE[,MODE]... FILE...
       chmod [OPTION]... OCTAL-MODE FILE...
       chmod [OPTION]... --reference=RFILE FILE...

DESCRIPTION
       This manual page documents the GNU version of chmod. chmod changes the
       file mode bits of each given file according to mode, which can be
       either a symbolic representation of changes to make, or an octal
       number representing the bit pattern for the new mode bits.

       The format of a symbolic mode is [ugoa...][[-+=][perms...]...], where
       perms is either zero or more letters from the set rwxXst, or a single
       letter from the set ugo. Multiple symbolic modes can be given,
       separated by commas.

       A combination of the letters ugoa controls which users' access to the
       file will be changed: the user who owns it (u), other users in the
       file's group (g), other users not in the file's group (o), or all
       users (a). If none of these are given, the effect is as if (a) were
       given, but bits that are set in the umask are not affected.

       The operator + causes the selected file mode bits to be added to the
       existing file mode bits of each file; - causes them to be removed; and
       = causes them to be added and causes unmentioned bits to be removed
       except that a directory's unmentioned set user and group ID bits are
       not affected.

       The letters rwxXst select file mode bits for the affected users: read
       (r), write (w), execute (or search for directories) (x),
       execute/search only if the file is a directory or already has execute
       permission for some user (X), set user or group ID on execution (s),
       restricted deletion flag or sticky bit (t). Instead of one or more of
       these letters, you can specify exactly one of the letters ugo: the
       permissions granted to the user who owns the file (u), the permissions
       granted to other users who are members of the file's group (g), and
       the permissions granted to users that are in neither of the two
       preceding categories (o).

       A numeric mode is from one to four octal digits (0-7), derived by
       adding up the bits with values 4, 2, and 1. Omitted digits are assumed
       to be leading zeros. The first digit selects the set user ID (4) and
       set group ID (2) and restricted deletion or sticky (1) attributes. The
       second digit selects permissions for the user who owns the file: read
       (4), write (2), and execute (1); the third selects permissions for
       other users in the file's group, with the same values; and the fourth
       for other users not in the file's group, with the same values.

       chmod never changes the permissions of symbolic links; the chmod
       system call cannot change their permissions. This is not a problem
       since the permissions of symbolic links are never used. However, for
       each symbolic link listed on the command line, chmod changes the
       permissions of the pointed-to file. In contrast, chmod ignores
       symbolic links encountered during recursive directory traversals.

SETUID AND SETGID BITS
       chmod clears the set-group-ID bit of a regular file if the file's
       group ID does not match the user's effective group ID or one of the
       user's supplementary group IDs, unless the user has appropriate
       privileges. Additional restrictions may cause the set-user-ID and
       set-group-ID bits of MODE or RFILE to be ignored. This behavior
       depends on the policy and functionality of the underlying chmod system
       call. When in doubt, check the underlying system behavior.

       For directories chmod preserves set-user-ID and set-group-ID bits
       unless you explicitly specify otherwise. You can set or clear the bits
       with symbolic modes like u+s and g-s. To clear these bits for
       directories with a numeric mode requires an additional leading zero
       like 00755, leading minus like -6000, or leading equals like =755.

RESTRICTED DELETION FLAG OR STICKY BIT
       The restricted deletion flag or sticky bit is a single bit, whose
       interpretation depends on the file type. For directories, it prevents
       unprivileged users from removing or renaming a file in the directory
       unless they own the file or the directory; this is called the
       restricted deletion flag for the directory, and is commonly found on
       world-writable directories like /tmp. For regular files on some older
       systems, the bit saves the program's text image on the swap device so
       it will load more quickly when run; this is called the sticky bit.

OPTIONS
       Change the mode of each FILE to MODE. With --reference, change the
       mode of each FILE to that of RFILE.

       -c, --changes
              like verbose but report only when a change is made

       -f, --silent, --quiet
              suppress most error messages

       -v, --verbose
              output a diagnostic for every file processed

       --no-preserve-root
              do not treat '/' specially (the default)

       --preserve-root
              fail to operate recursively on '/'

       --reference=RFILE
              use RFILE's mode instead of MODE values

       -R, --recursive
              change files and directories recursively

       --help display this help and exit

       --version
              output version information and exit

       Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.

AUTHOR
       Written by David MacKenzie and Jim Meyering.

REPORTING BUGS
       GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
       Report any translation bugs to <https://translationproject.org/team/>

COPYRIGHT
       Copyright © 2022 Free Software Foundation, Inc. License GPLv3+: GNU
       GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
       This is free software: you are free to change and redistribute it.
       There is NO WARRANTY, to the extent permitted by law.

SEE ALSO
       chmod(2)

       Full documentation <https://www.gnu.org/software/coreutils/chmod>
       or available locally via: info '(coreutils) chmod invocation'

GNU coreutils 9.1                September 2022                       CHMOD(1)
!man chown
CHOWN(1)                         User Commands                        CHOWN(1)

NAME
       chown - change file owner and group

SYNOPSIS
       chown [OPTION]... [OWNER][:[GROUP]] FILE...
       chown [OPTION]... --reference=RFILE FILE...

DESCRIPTION
       This manual page documents the GNU version of chown. chown changes the
       user and/or group ownership of each given file. If only an owner (a
       user name or numeric user ID) is given, that user is made the owner of
       each given file, and the files' group is not changed. If the owner is
       followed by a colon and a group name (or numeric group ID), with no
       spaces between them, the group ownership of the files is changed as
       well. If a colon but no group name follows the user name, that user is
       made the owner of the files and the group of the files is changed to
       that user's login group. If the colon and group are given, but the
       owner is omitted, only the group of the files is changed; in this
       case, chown performs the same function as chgrp. If only a colon is
       given, or if the entire operand is empty, neither the owner nor the
       group is changed.

OPTIONS
       Change the owner and/or group of each FILE to OWNER and/or GROUP. With
       --reference, change the owner and group of each FILE to those of
       RFILE.

       -c, --changes
              like verbose but report only when a change is made

       -f, --silent, --quiet
              suppress most error messages

       -v, --verbose
              output a diagnostic for every file processed

       --dereference
              affect the referent of each symbolic link (this is the
              default), rather than the symbolic link itself

       -h, --no-dereference
              affect symbolic links instead of any referenced file (useful
              only on systems that can change the ownership of a symlink)

       --from=CURRENT_OWNER:CURRENT_GROUP
              change the owner and/or group of each file only if its current
              owner and/or group match those specified here. Either may be
              omitted, in which case a match is not required for the omitted
              attribute

       --no-preserve-root
              do not treat '/' specially (the default)

       --preserve-root
              fail to operate recursively on '/'

       --reference=RFILE
              use RFILE's owner and group rather than specifying OWNER:GROUP
              values

       -R, --recursive
              operate on files and directories recursively

       The following options modify how a hierarchy is traversed when the -R
       option is also specified. If more than one is specified, only the
       final one takes effect.

       -H     if a command line argument is a symbolic link to a directory,
              traverse it

       -L     traverse every symbolic link to a directory encountered

       -P     do not traverse any symbolic links (default)

       --help display this help and exit

       --version
              output version information and exit

       Owner is unchanged if missing. Group is unchanged if missing, but
       changed to login group if implied by a ':' following a symbolic OWNER.
       OWNER and GROUP may be numeric as well as symbolic.

EXAMPLES
       chown root /u
              Change the owner of /u to "root".

       chown root:staff /u
              Likewise, but also change its group to "staff".

       chown -hR root /u
              Change the owner of /u and subfiles to "root".

AUTHOR
       Written by David MacKenzie and Jim Meyering.

REPORTING BUGS
       GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
       Report any translation bugs to <https://translationproject.org/team/>

COPYRIGHT
       Copyright © 2022 Free Software Foundation, Inc. License GPLv3+: GNU
       GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
       This is free software: you are free to change and redistribute it.
       There is NO WARRANTY, to the extent permitted by law.

SEE ALSO
       chown(2)

       Full documentation <https://www.gnu.org/software/coreutils/chown>
       or available locally via: info '(coreutils) chown invocation'

GNU coreutils 9.1                September 2022                       CHOWN(1)
!touch subor
!ls -l subor
-rw-r--r-- 1 kali kali 0 Oct 4 04:15 subor
!umask
022
!chmod +x subor
!ls -l subor
-rwxr-xr-x 1 kali kali 0 Oct 4 04:15 subor
!chmod u-x,g+w,o= subor
!ls -l subor
-rw-rwx--- 1 kali kali 0 Oct 4 04:15 subor
!chmod 420 subor
!ls -l subor
-r---w---- 1 kali kali 0 Oct 4 04:15 subor
ls -la /
total 1048656
drwxr-xr-x  18 root root       4096 Sep 27 02:40 ./
drwxr-xr-x  18 root root       4096 Sep 27 02:40 ../
lrwxrwxrwx   1 root root          7 Aug 21 14:50 bin -> usr/bin/
drwxr-xr-x   3 root root       4096 Sep 27 03:16 boot/
drwxr-xr-x  17 root root       3320 Oct  4 04:03 dev/
drwxr-xr-x 182 root root      12288 Oct  4 04:08 etc/
drwxr-xr-x   7 root root       4096 Sep 27 06:12 home/
lrwxrwxrwx   1 root root         33 Aug 21 16:02 initrd.img -> boot/initrd.img-6.3.0-kali1-amd64
lrwxrwxrwx   1 root root         33 Aug 21 16:02 initrd.img.old -> boot/initrd.img-6.3.0-kali1-amd64
lrwxrwxrwx   1 root root          7 Aug 21 14:50 lib -> usr/lib/
lrwxrwxrwx   1 root root          9 Aug 21 14:50 lib32 -> usr/lib32/
lrwxrwxrwx   1 root root          9 Aug 21 14:50 lib64 -> usr/lib64/
drwx------   2 root root      16384 Aug 21 16:01 lost+found/
drwxr-xr-x   2 root root       4096 Aug 21 14:51 media/
drwxr-xr-x   2 root root       4096 Aug 21 14:51 mnt/
drwxr-xr-x   3 root root       4096 Aug 21 14:56 opt/
dr-xr-xr-x 226 root root          0 Oct  4 04:02 proc/
drwx------   4 root root       4096 Oct  4 04:02 root/
drwxr-xr-x  32 root root        800 Oct  4 04:04 run/
lrwxrwxrwx   1 root root          8 Aug 21 14:50 sbin -> usr/sbin/
drwxr-xr-x   3 root root       4096 Aug 21 14:57 srv/
-rw-------   1 root root 1073741824 Aug 21 16:02 swapfile
dr-xr-xr-x  13 root root          0 Oct  4 04:02 sys/
drwxrwxrwt  14 root root       4096 Oct  4 04:12 tmp/
drwxr-xr-x  15 root root       4096 Sep 27 02:40 usr/
drwxr-xr-x  12 root root       4096 Aug 21 14:54 var/
lrwxrwxrwx   1 root root         30 Aug 21 16:02 vmlinuz -> boot/vmlinuz-6.3.0-kali1-amd64
lrwxrwxrwx   1 root root         30 Aug 21 16:02 vmlinuz.old -> boot/vmlinuz-6.3.0-kali1-amd64
ls -ld /dev/sda
brw-rw---- 1 root disk 8, 0 Oct 4 04:02 /dev/sda
ls -ld /dev/tty1
crw--w---- 1 root tty 4, 1 Oct 4 04:03 /dev/tty1
!ls -l $(which passwd)
-rwsr-xr-x 1 root root 68248 Mar 23 2023 /usr/bin/passwd
!ls -ld /tmp
drwxrwxrwt 14 root root 4096 Oct 4 04:12 /tmp
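The mode arithmetic from the chmod(1) page and the permission column that ls -l prints (including the s and t bits seen on /usr/bin/passwd and /tmp) can be replayed offline with the following model. This is an added example, not part of the lab session; apply_mode, ls_mode_string and the 022 umask default are this example's own names and assumptions.

```python
"""chmod(1) mode arithmetic and the ls -l permission column (added example).

Not part of the lab session: apply_mode() implements the MODE grammar quoted
from chmod(1) (ugoa, + - =, rwxXst, umask handling when no who-letter is given,
setuid/setgid preservation on directories); ls_mode_string() renders a mode the
way ls -l does. Names and the 022 umask default are this example's own.
"""
import stat

SHIFT = {"u": 6, "g": 3, "o": 0}                      # rwx triplet offset per class
SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}
MODE_BITS = 0o7777


def _perm_value(who, perms, mode, is_dir):
    """Bits one clause requests for a single who-letter (rwxXst or a ugo copy)."""
    if perms in SHIFT:                                # g=u copies the owner's rwx bits
        return ((mode >> SHIFT[perms]) & 7) << SHIFT[who]
    value = 0
    for p in perms:
        if p in "rwx":
            value |= {"r": 4, "w": 2, "x": 1}[p] << SHIFT[who]
        elif p == "X":                                # x only for dirs / already-x files
            if is_dir or mode & 0o111:
                value |= 1 << SHIFT[who]
        elif p == "s":                                # setuid/setgid belong to u and g
            if who in "ug":
                value |= SPECIAL[who]
        elif p == "t":                                # sticky bit sits in the o column
            if who == "o":
                value |= SPECIAL[who]
        else:
            raise ValueError(f"bad permission letter {p!r}")
    return value


def apply_mode(mode, spec, umask=0o022, is_dir=False):
    """Return mode after applying a chmod MODE string (octal or symbolic)."""
    op = spec[0] if spec[:1] in ("+", "-", "=") else ""
    digits = spec[len(op):]
    if digits.isdigit():                              # numeric: 420, 00755, -6000, =755
        value = int(digits, 8)
        if op == "+":
            return mode | value
        if op == "-":
            return mode & ~value
        keep = 0                                      # plain octal keeps a dir's s bits
        if not op and is_dir and len(digits) <= 4:
            keep = mode & (stat.S_ISUID | stat.S_ISGID)
        return (mode & ~MODE_BITS) | value | keep
    for clause in spec.split(","):                    # e.g. u-x,g+w,o=
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i].replace("a", "ugo")
        use_umask = not who                           # no who-letter: all, minus umask
        whos = "ugo" if use_umask else "".join(dict.fromkeys(who))
        rest = clause[i:]
        if not rest or rest[0] not in "+-=":
            raise ValueError(f"bad clause {clause!r}")
        j = 0
        while j < len(rest):                          # operators may chain: u+r-w=x
            k = j + 1
            while k < len(rest) and rest[k] not in "+-=":
                k += 1
            op, perms = rest[j], rest[j + 1:k]
            value = affected = 0
            for w in whos:
                value |= _perm_value(w, perms, mode, is_dir)
                affected |= (7 << SHIFT[w]) | SPECIAL[w]
            if use_umask:
                value &= ~umask
            if op == "+":
                mode |= value
            elif op == "-":
                mode &= ~value
            else:                                     # '=': clear unmentioned bits...
                keep = 0                              # ...but keep a dir's s bits
                if is_dir and "s" not in perms:
                    keep = mode & (stat.S_ISUID | stat.S_ISGID)
                mode = (mode & ~affected) | value | keep
            j = k
    return mode


def ls_mode_string(mode):
    """Render a mode as ls -l does: -rwsr-xr-x, drwxrwxrwt, brw-rw----."""
    kinds = {stat.S_IFDIR: "d", stat.S_IFLNK: "l", stat.S_IFBLK: "b",
             stat.S_IFCHR: "c", stat.S_IFIFO: "p", stat.S_IFSOCK: "s"}
    out = kinds.get(stat.S_IFMT(mode), "-")
    for who in "ugo":
        rwx = (mode >> SHIFT[who]) & 7
        last = "x" if rwx & 1 else "-"
        if mode & SPECIAL[who]:                       # s/t with x set, S/T without
            last = "st"[who == "o"] if rwx & 1 else "ST"[who == "o"]
        out += ("r" if rwx & 4 else "-") + ("w" if rwx & 2 else "-") + last
    return out
```

Feeding the session's sequence (0o644, then "+x", "u-x,g+w,o=", "420") through apply_mode and rendering each result reproduces the four ls -l lines shown for subor.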
!man lsattr
LSATTR(1)                    General Commands Manual                 LSATTR(1)

NAME
       lsattr - list file attributes on a Linux second extended file system

SYNOPSIS
       lsattr [ -RVadlpv ] [ files... ]

DESCRIPTION
       lsattr lists the file attributes on a second extended file system.
       See chattr(1) for a description of the attributes and what they mean.

OPTIONS
       -R     Recursively list attributes of directories and their contents.

       -V     Display the program version.

       -a     List all files in directories, including files that start with
              '.'.

       -d     List directories like other files, rather than listing their
              contents.

       -l     Print the options using long names instead of single character
              abbreviations.

       -p     List the file's project number.

       -v     List the file's version/generation number.

AUTHOR
       lsattr was written by Remy Card <Remy.Card@linux.org>. It is currently
       being maintained by Theodore Ts'o <tytso@alum.mit.edu>.

BUGS
       There are none :-).

AVAILABILITY
       lsattr is part of the e2fsprogs package and is available from
       http://e2fsprogs.sourceforge.net.

SEE ALSO
       chattr(1)

E2fsprogs version 1.47.0         February 2023                       LSATTR(1)
!lsattr -d /
--------------e------- /
!lsattr -d /etc/alternatives/
-----------I--e------- /etc/alternatives/
!man chattr
CHATTR(1)                    General Commands Manual                 CHATTR(1)

NAME
       chattr - change file attributes on a Linux file system

SYNOPSIS
       chattr [ -RVf ] [ -v version ] [ -p project ] [ mode ] files...

DESCRIPTION
       chattr changes the file attributes on a Linux file system.

       The format of a symbolic mode is +-=[aAcCdDeFijmPsStTux].

       The operator '+' causes the selected attributes to be added to the
       existing attributes of the files; '-' causes them to be removed; and
       '=' causes them to be the only attributes that the files have.

       The letters 'aAcCdDeFijmPsStTux' select the new attributes for the
       files: append only (a), no atime updates (A), compressed (c), no copy
       on write (C), no dump (d), synchronous directory updates (D), extent
       format (e), case-insensitive directory lookups (F), immutable (i),
       data journaling (j), don't compress (m), project hierarchy (P), secure
       deletion (s), synchronous updates (S), no tail-merging (t), top of
       directory hierarchy (T), undeletable (u), and direct access for files
       (x).

       The following attributes are read-only, and may be listed by
       lsattr(1) but not modified by chattr: encrypted (E), indexed directory
       (I), inline data (N), and verity (V).

       Not all flags are supported or utilized by all file systems; refer to
       file system-specific man pages such as btrfs(5), ext4(5), mkfs.f2fs(8),
       and xfs(5) for more file system-specific details.

OPTIONS
       -R     Recursively change attributes of directories and their
              contents.

       -V     Be verbose with chattr's output and print the program version.

       -f     Suppress most error messages.

       -v version
              Set the file's version/generation number.

       -p project
              Set the file's project number.

ATTRIBUTES
       a      A file with the 'a' attribute set can only be opened in append
              mode for writing. Only the superuser or a process possessing
              the CAP_LINUX_IMMUTABLE capability can set or clear this
              attribute.

       A      When a file with the 'A' attribute set is accessed, its atime
              record is not modified. This avoids a certain amount of disk
              I/O for laptop systems.

       c      A file with the 'c' attribute set is automatically compressed
              on the disk by the kernel. A read from this file returns
              uncompressed data. A write to this file compresses data before
              storing them on the disk. Note: please make sure to read the
              bugs and limitations section at the end of this document.
              (Note: For btrfs, If the 'c' flag is set, then the 'C' flag
              cannot be set. Also conflicts with btrfs mount option
              'nodatasum')

       C      A file with the 'C' attribute set will not be subject to
              copy-on-write updates. This flag is only supported on file
              systems which perform copy-on-write. (Note: For btrfs, the 'C'
              flag should be set on new or empty files. If it is set on a
              file which already has data blocks, it is undefined when the
              blocks assigned to the file will be fully stable. If the 'C'
              flag is set on a directory, it will have no effect on the
              directory, but new files created in that directory will have
              the No_COW attribute set. If the 'C' flag is set, then the 'c'
              flag cannot be set.)

       d      A file with the 'd' attribute set is not a candidate for backup
              when the dump(8) program is run.

       D      When a directory with the 'D' attribute set is modified, the
              changes are written synchronously to the disk; this is
              equivalent to the 'dirsync' mount option applied to a subset of
              the files.

       e      The 'e' attribute indicates that the file is using extents for
              mapping the blocks on disk. It may not be removed using
              chattr(1).

       E      A file, directory, or symlink with the 'E' attribute set is
              encrypted by the file system. This attribute may not be set or
              cleared using chattr(1), although it can be displayed by
              lsattr(1).

       F      A directory with the 'F' attribute set indicates that all the
              path lookups inside that directory are made in a
              case-insensitive fashion. This attribute can only be changed in
              empty directories on file systems with the casefold feature
              enabled.

       i      A file with the 'i' attribute cannot be modified: it cannot be
              deleted or renamed, no link can be created to this file, most
              of the file's metadata can not be modified, and the file can
              not be opened in write mode. Only the superuser or a process
              possessing the CAP_LINUX_IMMUTABLE capability can set or clear
              this attribute.

       I      The 'I' attribute is used by the htree code to indicate that a
              directory is being indexed using hashed trees. It may not be
              set or cleared using chattr(1), although it can be displayed by
              lsattr(1).

       j      A file with the 'j' attribute has all of its data written to
              the ext3 or ext4 journal before being written to the file
              itself, if the file system is mounted with the "data=ordered"
              or "data=writeback" options and the file system has a journal.
              When the file system is mounted with the "data=journal" option
              all file data is already journalled and this attribute has no
              effect. Only the superuser or a process possessing the
              CAP_SYS_RESOURCE capability can set or clear this attribute.

       m      A file with the 'm' attribute is excluded from compression on
              file systems that support per-file compression.

       N      A file with the 'N' attribute set indicates that the file has
              data stored inline, within the inode itself. It may not be set
              or cleared using chattr(1), although it can be displayed by
              lsattr(1).

       P      A directory with the 'P' attribute set will enforce a
              hierarchical structure for project id's. This means that files
              and directories created in the directory will inherit the
              project id of the directory, rename operations are constrained
              so when a file or directory is moved into another directory,
              that the project ids must match. In addition, a hard link to
              file can only be created when the project id for the file and
              the destination directory match.

       s      When a file with the 's' attribute set is deleted, its blocks
              are zeroed and written back to the disk. Note: please make sure
              to read the bugs and limitations section at the end of this
              document.

       S      When a file with the 'S' attribute set is modified, the changes
              are written synchronously to the disk; this is equivalent to
              the 'sync' mount option applied to a subset of the files.

       t      A file with the 't' attribute will not have a partial block
              fragment at the end of the file merged with other files (for
              those file systems which support tail-merging). This is
              necessary for applications such as LILO which read the file
              system directly, and which don't understand tail-merged files.
              Note: As of this writing, the ext2, ext3, and ext4 file systems
              do not support tail-merging.

       T      A directory with the 'T' attribute will be deemed to be the top
              of directory hierarchies for the purposes of the Orlov block
              allocator. This is a hint to the block allocator used by ext3
              and ext4 that the subdirectories under this directory are not
              related, and thus should be spread apart for allocation
              purposes. For example it is a very good idea to set the 'T'
              attribute on the /home directory, so that /home/john and
              /home/mary are placed into separate block groups. For
              directories where this attribute is not set, the Orlov block
              allocator will try to group subdirectories closer together
              where possible.

       u      When a file with the 'u' attribute set is deleted, its contents
              are saved. This allows the user to ask for its undeletion.
              Note: please make sure to read the bugs and limitations section
              at the end of this document.

       x      A file with the 'x' requests the use of direct access (dax)
              mode, if the kernel supports DAX. This can be overridden by the
              'dax=never' mount option. For more information see the kernel
              documentation for dax:
              <https://www.kernel.org/doc/html/latest/filesystems/dax.html>.

              If the attribute is set on an existing directory, it will be
              inherited by all files and subdirectories that are subsequently
              created in the directory. If an existing directory has
              contained some files and subdirectories, modifying the
              attribute on the parent directory doesn't change the attributes
              on these files and subdirectories.

       V      A file with the 'V' attribute set has fs-verity enabled. It
              cannot be written to, and the file system will automatically
              verify all data read from it against a cryptographic hash that
              covers the entire file's contents, e.g. via a Merkle tree. This
              makes it possible to efficiently authenticate the file. This
              attribute may not be set or cleared using chattr(1), although
              it can be displayed by lsattr(1).

AUTHOR
       chattr was written by Remy Card <Remy.Card@linux.org>. It is currently
       being maintained by Theodore Ts'o <tytso@alum.mit.edu>.

BUGS AND LIMITATIONS
       The 'c', 's', and 'u' attributes are not honored by the ext2, ext3,
       and ext4 file systems as implemented in the current mainline Linux
       kernels.

       Setting 'a' and 'i' attributes will not affect the ability to write
       to already existing file descriptors.

       The 'j' option is only useful for ext3 and ext4 file systems.

       The 'D' option is only useful on Linux kernel 2.5.19 and later.

AVAILABILITY
       chattr is part of the e2fsprogs package and is available from
       http://e2fsprogs.sourceforge.net.

SEE ALSO
       lsattr(1), btrfs(5), ext4(5), mkfs.f2fs(8), xfs(5).

E2fsprogs version 1.47.0         February 2023                       CHATTR(1)
!chmod 640 subor
!ls -l subor
-rw-r----- 1 kali kali 0 Oct 4 04:15 subor
!echo ahoj > subor
cat subor
ahoj
!sudo chattr +a subor
!lsattr subor
-----a--------e------- subor
!echo svet >subor
zsh:1: operation not permitted: subor
!echo svet >>subor
cat subor
ahoj
svet
!man getfacl
GETFACL(1)                    Access Control Lists                   GETFACL(1)

NAME
       getfacl - get file access control lists

SYNOPSIS
       getfacl [-aceEsRLPtpndvh] file ...

       getfacl [-aceEsRLPtpndvh] -

DESCRIPTION
       For each file, getfacl displays the file name, owner, the group, and
       the Access Control List (ACL). If a directory has a default ACL,
       getfacl also displays the default ACL. Non-directories cannot have
       default ACLs.

       If getfacl is used on a file system that does not support ACLs,
       getfacl displays the access permissions defined by the traditional
       file mode permission bits.

       The output format of getfacl is as follows:

            1:  # file: somedir/
            2:  # owner: lisa
            3:  # group: staff
            4:  # flags: -s-
            5:  user::rwx
            6:  user:joe:rwx               #effective:r-x
            7:  group::rwx                 #effective:r-x
            8:  group:cool:r-x
            9:  mask::r-x
           10:  other::r-x
           11:  default:user::rwx
           12:  default:user:joe:rwx       #effective:r-x
           13:  default:group::r-x
           14:  default:mask::r-x
           15:  default:other::---

       Lines 1--3 indicate the file name, owner, and owning group.

       Line 4 indicates the setuid (s), setgid (s), and sticky (t) bits:
       either the letter representing the bit, or else a dash (-). This line
       is included if any of those bits is set and left out otherwise, so it
       will not be shown for most files. (See CONFORMANCE TO POSIX 1003.1e
       DRAFT STANDARD 17 below.)

       Lines 5, 7 and 10 correspond to the user, group and other fields of
       the file mode permission bits. These three are called the base ACL
       entries. Lines 6 and 8 are named user and named group entries. Line 9
       is the effective rights mask. This entry limits the effective rights
       granted to all groups and to named users. (The file owner and others
       permissions are not affected by the effective rights mask; all other
       entries are.) Lines 11--15 display the default ACL associated with
       this directory. Directories may have a default ACL. Regular files
       never have a default ACL.

       The default behavior for getfacl is to display both the ACL and the
       default ACL, and to include an effective rights comment for lines
       where the rights of the entry differ from the effective rights.

       If output is to a terminal, the effective rights comment is aligned to
       column 40. Otherwise, a single tab character separates the ACL entry
       and the effective rights comment.

       The ACL listings of multiple files are separated by blank lines. The
       output of getfacl can also be used as input to setfacl.

PERMISSIONS
       Process with search access to a file (i.e., processes with read access
       to the containing directory of a file) are also granted read access to
       the file's ACLs. This is analogous to the permissions required for
       accessing the file mode.

OPTIONS
       -a, --access
           Display the file access control list.

       -d, --default
           Display the default access control list.

       -c, --omit-header
           Do not display the comment header (the first three lines of each
           file's output).

       -e, --all-effective
           Print all effective rights comments, even if identical to the
           rights defined by the ACL entry.

       -E, --no-effective
           Do not print effective rights comments.

       -s, --skip-base
           Skip files that only have the base ACL entries (owner, group,
           others).

       -R, --recursive
           List the ACLs of all files and directories recursively.

       -L, --logical
           Logical walk, follow symbolic links to directories. The default
           behavior is to follow symbolic link arguments, and skip symbolic
           links encountered in subdirectories. Only effective in combination
           with -R.

       -P, --physical
           Physical walk, do not follow symbolic links to directories. This
           also skips symbolic link arguments. Only effective in combination
           with -R.

       -t, --tabular
           Use an alternative tabular output format. The ACL and the default
           ACL are displayed side by side. Permissions that are ineffective
           due to the ACL mask entry are displayed capitalized. The entry tag
           names for the ACL_USER_OBJ and ACL_GROUP_OBJ entries are also
           displayed in capital letters, which helps in spotting those
           entries.

       -p, --absolute-names
           Do not strip leading slash characters ('/'). The default behavior
           is to strip leading slash characters.

       -n, --numeric
           List numeric user and group IDs

       -v, --version
           Print the version of getfacl and exit.

       -h, --help
           Print help explaining the command line options.

       --  End of command line options. All remaining parameters are
           interpreted as file names, even if they start with a dash
           character.

       -   If the file name parameter is a single dash character, getfacl
           reads a list of files from standard input.

CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17
       If the environment variable POSIXLY_CORRECT is defined, the default
       behavior of getfacl changes in the following ways: Unless otherwise
       specified, only the ACL is printed. The default ACL is only printed
       if the -d option is given. If no command line parameter is given,
       getfacl behaves as if it was invoked as ``getfacl -''. No flags
       comments indicating the setuid, setgid, and sticky bits are
       generated.

AUTHOR
       Andreas Gruenbacher, <andreas.gruenbacher@gmail.com>.

       Please send your bug reports and comments to the above address.

SEE ALSO
       setfacl(1), acl(5)

May 2000                        ACL File Utilities                   GETFACL(1)
!touch text
!getfacl text
# file: text
# owner: kali
# group: kali
user::rw-
group::r--
other::r--
!man setfacl
SETFACL(1)                    Access Control Lists                   SETFACL(1)

NAME
       setfacl - set file access control lists

SYNOPSIS
       setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...

       setfacl --restore={file|-}

DESCRIPTION
       This utility sets Access Control Lists (ACLs) of files and
       directories. On the command line, a sequence of commands is followed
       by a sequence of files (which in turn can be followed by another
       sequence of commands, ...).

       The -m and -x options expect an ACL on the command line. Multiple ACL
       entries are separated by comma characters (','). The -M and -X
       options read an ACL from a file or from standard input. The ACL entry
       format is described in Section ACL ENTRIES.

       The --set and --set-file options set the ACL of a file or a
       directory. The previous ACL is replaced. ACL entries for this
       operation must include permissions.

       The -m (--modify) and -M (--modify-file) options modify the ACL of a
       file or directory. ACL entries for this operation must include
       permissions.

       The -x (--remove) and -X (--remove-file) options remove ACL entries.
       It is not an error to remove an entry which does not exist. Only ACL
       entries without the perms field are accepted as parameters, unless
       POSIXLY_CORRECT is defined.

       When reading from files using the -M and -X options, setfacl accepts
       the output getfacl produces. There is at most one ACL entry per line.
       After a Pound sign ('#'), everything up to the end of the line is
       treated as a comment.

       If setfacl is used on a file system which does not support ACLs,
       setfacl operates on the file mode permission bits. If the ACL does not
       fit completely in the permission bits, setfacl modifies the file mode
       permission bits to reflect the ACL as closely as possible, writes an
       error message to standard error, and returns with an exit status
       greater than 0.

PERMISSIONS
       The file owner and processes capable of CAP_FOWNER are granted the
       right to modify ACLs of a file. This is analogous to the permissions
       required for accessing the file mode. (On current Linux systems, root
       is the only user with the CAP_FOWNER capability.)

OPTIONS
       -b, --remove-all
           Remove all extended ACL entries. The base ACL entries of the
           owner, group and others are retained.

       -k, --remove-default
           Remove the Default ACL. If no Default ACL exists, no warnings are
           issued.

       -n, --no-mask
           Do not recalculate the effective rights mask. The default behavior
           of setfacl is to recalculate the ACL mask entry, unless a mask
           entry was explicitly given. The mask entry is set to the union of
           all permissions of the owning group, and all named user and group
           entries. (These are exactly the entries affected by the mask
           entry).

       --mask
           Do recalculate the effective rights mask, even if an ACL mask
           entry was explicitly given. (See the -n option.)

       -d, --default
           All operations apply to the Default ACL. Regular ACL entries in
           the input set are promoted to Default ACL entries. Default ACL
           entries in the input set are discarded. (A warning is issued if
           that happens).

       --restore={file|-}
           Restore a permission backup created by 'getfacl -R' or similar.
           All permissions of a complete directory subtree are restored using
           this mechanism. If the input contains owner comments or group
           comments, setfacl attempts to restore the owner and owning group.
           If the input contains flags comments (which define the setuid,
           setgid, and sticky bits), setfacl sets those three bits
           accordingly; otherwise, it clears them. This option cannot be
           mixed with other options except '--test'. If the file specified
           is '-', then it will be read from standard input.

       --test
           Test mode. Instead of changing the ACLs of any files, the
           resulting ACLs are listed.

       -R, --recursive
           Apply operations to all files and directories recursively. This
           option cannot be mixed with '--restore'.

       -L, --logical
           Logical walk, follow symbolic links to directories. The default
           behavior is to follow symbolic link arguments, and skip symbolic
           links encountered in subdirectories. Only effective in combination
           with -R. This option cannot be mixed with '--restore'.

       -P, --physical
           Physical walk, do not follow symbolic links to directories. This
           also skips symbolic link arguments. Only effective in combination
           with -R. This option cannot be mixed with '--restore'.

       -v, --version
           Print the version of setfacl and exit.

       -h, --help
           Print help explaining the command line options.

       --  End of command line options. All remaining parameters are
           interpreted as file names, even if they start with a dash.

       -   If the file name parameter is a single dash, setfacl reads a list
           of files from standard input.

ACL ENTRIES
       The setfacl utility recognizes the following ACL entry formats
       (blanks inserted for clarity):

       [d[efault]:] [u[ser]:]uid [:perms]
              Permissions of a named user. Permissions of the file owner if
              uid is empty.

       [d[efault]:] g[roup]:gid [:perms]
              Permissions of a named group. Permissions of the owning group
              if gid is empty.

       [d[efault]:] m[ask][:] [:perms]
              Effective rights mask

       [d[efault]:] o[ther][:] [:perms]
              Permissions of others.

       Whitespace between delimiter characters and non-delimiter characters
       is ignored.

       Proper ACL entries including permissions are used in modify and set
       operations. (options -m, -M, --set and --set-file). Entries without
       the perms field are used for deletion of entries (options -x and -X).

       For uid and gid you can specify either a name or a number. Character
       literals may be specified with a backslash followed by the 3-digit
       octal digits corresponding to the ASCII code for the character (e.g.,
       \101 for 'A'). If the name contains a literal backslash followed by 3
       digits, the backslash must be escaped (i.e., \\).

       The perms field is a combination of characters that indicate the read
       (r), write (w), execute (x) permissions. Dash characters in the perms
       field (-) are ignored. The character X stands for the execute
       permission if the file is a directory or already has execute
       permission for some user. Alternatively, the perms field can define
       the permissions numerically, as a bit-wise combination of read (4),
       write (2), and execute (1). Zero perms fields or perms fields that
       only consist of dashes indicate no permissions.

AUTOMATICALLY CREATED ENTRIES
       Initially, files and directories contain only the three base ACL
       entries for the owner, the group, and others. There are some rules
       that need to be satisfied in order for an ACL to be valid:

       *   The three base entries cannot be removed. There must be exactly
           one entry of each of these base entry types.

       *   Whenever an ACL contains named user entries or named group
           objects, it must also contain an effective rights mask.

       *   Whenever an ACL contains any Default ACL entries, the three
           Default ACL base entries (default owner, default group, and
           default others) must also exist.

       *   Whenever a Default ACL contains named user entries or named group
           objects, it must also contain a default effective rights mask.

       To help the user ensure these rules, setfacl creates entries from
       existing entries under the following conditions:

       *   If an ACL contains named user or named group entries, and no mask
           entry exists, a mask entry containing the same permissions as the
           group entry is created. Unless the -n option is given, the
           permissions of the mask entry are further adjusted to include the
           union of all permissions affected by the mask entry. (See the -n
           option description).

       *   If a Default ACL entry is created, and the Default ACL contains no
           owner, owning group, or others entry, a copy of the ACL owner,
           owning group, or others entry is added to the Default ACL.

       *   If a Default ACL contains named user entries or named group
           entries, and no mask entry exists, a mask entry containing the
           same permissions as the default Default ACL's group entry is
           added. Unless the -n option is given, the permissions of the mask
           entry are further adjusted to include the union of all
           permissions affected by the mask entry. (See the -n option
           description).

EXAMPLES
       Granting an additional user read access
              setfacl -m u:lisa:r file

       Revoking write access from all groups and all named users (using the
       effective rights mask)
              setfacl -m m::rx file

       Removing a named group entry from a file's ACL
              setfacl -x g:staff file

       Copying the ACL of one file to another
              getfacl file1 | setfacl --set-file=- file2

       Copying the access ACL into the Default ACL
              getfacl --access dir | setfacl -d -M- dir

CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17
       If the environment variable POSIXLY_CORRECT is defined, the default
       behavior of setfacl changes as follows: All non-standard options are
       disabled. The ``default:'' prefix is disabled. The -x and -X options
       also accept permission fields (and ignore them).

AUTHOR
       Andreas Gruenbacher, <andreas.gruenbacher@gmail.com>.

       Please send your bug reports, suggested features and comments to the
       above address.

SEE ALSO
       getfacl(1), chmod(1), umask(1), acl(5)

May 2000                        ACL File Utilities                   SETFACL(1)
!setfacl -m u::rwx text
!getfacl text
# file: text
# owner: kali
# group: kali
user::rwx
group::r--
other::r--
!setfacl -m u:bpd01:rw text
!setfacl -m u:bpd02:r text
!getfacl text
# file: text
# owner: kali
# group: kali
user::rwx
user:bpd01:rw-
user:bpd02:r--
group::r--
mask::rw-
other::r--
ls -l text
-rwxrw-r--+ 1 kali kali 0 Oct 4 04:38 text*
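As an added example (it is not part of this notebook and is not code from the acl package), the following Python parses `getfacl` output such as the listing above, recomputes the mask the way the AUTOMATICALLY CREATED ENTRIES section describes (the union of the owning group and every named user and group entry), ANDs the mask into each governed entry to get its effective rights, and lists which entries can actually write. `PAGE_ACL` reproduces the `getfacl text` listing from the notebook; `MASKED_ACL` is a constructed variant of it after the man page's mask-based revocation (`setfacl -m m::r text`). The entry keys, helper names and the `AclEntry` class are my own, not getfacl's API.

```python
"""Added example (not from the notebook or the acl package): parse getfacl(1)
output and apply the effective-rights mask as setfacl(1) describes it."""
from __future__ import annotations

from dataclasses import dataclass

PERM_BITS = {"r": 4, "w": 2, "x": 1}   # setfacl's numeric perms encoding

# The `getfacl text` listing from the notebook above, one entry per line.
PAGE_ACL = """\
# file: text
# owner: kali
# group: kali
user::rwx
user:bpd01:rw-
user:bpd02:r--
group::r--
mask::rw-
other::r--
"""

# Constructed variant: the same file after `setfacl -m m::r text`, i.e. the
# man page's "revoke write access via the mask" example applied to it.
MASKED_ACL = PAGE_ACL.replace("mask::rw-", "mask::r--")


@dataclass(frozen=True)
class AclEntry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # user/group name; empty for the owner and owning group
    perms: int      # rwx as a 3-bit number

    @property
    def masked(self) -> bool:
        """Entries the mask governs: owning group, named users, named groups."""
        return self.tag == "group" or (self.tag == "user" and self.qualifier != "")


def perms_to_bits(perms: str) -> int:
    """'rw-' -> 6.  Dashes are ignored, as in setfacl's perms field."""
    bits = 0
    for ch in perms:
        if ch in PERM_BITS:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError(f"bad permission character {ch!r}")
    return bits


def bits_to_perms(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(ch if bits & b else "-" for ch, b in PERM_BITS.items())


def parse_getfacl(text: str) -> list[AclEntry]:
    """Parse getfacl's text format; '#' headers and '#effective:' notes are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append(AclEntry(tag, qualifier, perms_to_bits(perms)))
    return entries


def recalculated_mask(entries: list[AclEntry]) -> int:
    """The mask setfacl computes unless -n is given: the union of the owning
    group's permissions and those of every named user and named group entry."""
    bits = 0
    for e in entries:
        if e.masked:
            bits |= e.perms
    return bits


def effective_perms(entries: list[AclEntry]) -> dict[str, str]:
    """Effective rights per entry, keyed like getfacl tags ('user:bpd01:').
    The mask is ANDed into governed entries; owner and other are never masked."""
    mask = next((e.perms for e in entries if e.tag == "mask"), None)
    result = {}
    for e in entries:
        if e.tag == "mask":
            continue
        bits = e.perms & mask if (e.masked and mask is not None) else e.perms
        result[f"{e.tag}:{e.qualifier}:"] = bits_to_perms(bits)
    return result


def has_extended_acl(entries: list[AclEntry]) -> bool:
    """True when ls -l appends '+': any named user/group or mask entry exists."""
    return any(e.tag == "mask" or (e.masked and e.qualifier != "") for e in entries)


def writers(entries: list[AclEntry]) -> list[str]:
    """Entries whose effective rights include write: the question ls -l cannot
    answer on its own, since its group bits display the mask, not group::."""
    return [tag for tag, p in effective_perms(entries).items() if "w" in p]


if __name__ == "__main__":
    for label, text in (("page listing", PAGE_ACL), ("after setfacl -m m::r", MASKED_ACL)):
        entries = parse_getfacl(text)
        print(label, "| mask would recalc to", bits_to_perms(recalculated_mask(entries)))
        print("  effective:", effective_perms(entries))
        print("  can write:", writers(entries))
```

On the page's listing the recomputed mask comes out as `rw-`, matching the `mask::rw-` that setfacl created automatically, and `bpd01` keeps effective `rw-`. In the masked variant the same `user:bpd01:rw-` entry is still present but its effective rights drop to `r--`, which is why `getfacl` prints an `#effective:` note for it. Note also the `ls -l` line above: the group triplet `rw-` is the mask, not `group::r--`, and the trailing `+` is the only hint in the mode bits that named entries exist, so an audit of who can modify a file has to read the ACL rather than the mode.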