Linux-Ubuntu | chmod -- change file ACLs (Access Control Lists)
  1. Notes
  2. Examples
  3. Command Help (man chmod)

  1. Notes
    chmod ACL file ...

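    The chmod command can be used to modify the Access Control Lists (ACLs) associated with files and directories.
    The ACL options shown on this page ("+a", "-a", "=a#", "-N") and the "ls -le" listing are those of the BSD/macOS versions of chmod and ls. GNU coreutils chmod, the default on Ubuntu, does not accept them; POSIX ACLs there are managed with setfacl and getfacl.

    The chmod command can also be used to modify the file mode of files and directories: chmod -- change file modes.

    If a file/directory has an ACL, a "+" is appended to the mode string in the output of "ls -l"; "ls -le" also prints the ACL entries.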

    Each file/directory has one ACL, containing an ordered list of entries.
    Each entry refers to a user or group, and grants ("allow") or denies ("deny") a set of permissions.
    In cases where a user and a group exist with the same name, the user or the group name can be prefixed with "user:" or "group:".
    If the user or group name contains spaces you can use ':' as the delimiter between name and permission.
  2. Examples
    • Add a new ACL entry that grants the permissions "read", "write", "append", and "execute" to "user1" on the file "file1".
      $ ls -le file1
      -rwx------  1 mtitek  mtitek  5  7 Feb 07:45 file1
      
      #change ACL permissions
      $ chmod +a "user:user1 allow read,write,append,execute" file1
      
      $ ls -le file1
      -rwx------+ 1 mtitek  mtitek  5  7 Feb 07:45 file1
       0: user:user1 allow read,write,execute,append

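    • Add a new ACL entry that denies the permissions "write", "append", and "execute" to "user2" on the file "file1". Note that the new deny entry is placed at index 0, ahead of the existing allow entry: by default chmod adds entries in canonical order, with deny entries before allow entries.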
      #change ACL permissions
      $ chmod +a "user:user2 deny write,append,execute" file1
      
      $ ls -le
      -rwx------+ 1 mtitek  mtitek  5  7 Feb 07:45 file1
       0: user:user2 deny write,execute,append
       1: user:user1 allow read,write,execute,append

    • Add a new ACL entry, in a specific location, that grants the permission "read" to "user3" on the file "file1".
      #change ACL permissions
      $ chmod +a# 2 "user:user3 allow read" file1
      
      $ ls -le
      -rwx------+ 1 mtitek  mtitek  5  7 Feb 07:45 file1
       0: user:user2 deny write,execute,append
       1: user:user1 allow read,write,execute,append
       2: user:user3 allow read

    • Delete an ACL entry on the file "file1".

      • Delete deny write permission for "user2" on the file "file1":
        #change ACL permissions
        $ chmod -a "user:user2 deny write" file1
        
        #Note that only the "deny write" permission is deleted for "user2"
        $ ls -le
        -rwx------+ 1 mtitek  mtitek  4  7 Feb 07:45 file1
         0: user:user2 deny execute,append
         1: user:user1 allow read,write,execute,append
         2: user:user3 allow read

      • Delete deny execute and append permissions for "user2" on the file "file1":
        $ chmod -a "user:user2 deny execute,append" file1
        
        #Note that "user2" now has no ACL entry
        $ ls -le
        -rwx------+ 1 mtitek  mtitek  4  7 Feb 07:45 file1
         0: user:user1 allow read,write,execute,append
         1: user:user3 allow read

      • Delete an ACL entry by its index:
        $ chmod -a# 0 file1
        
        #Note that "user1" now has no ACL entry
        $ ls -le
        -rwx------+ 1 mtitek  mtitek  4  7 Feb 07:45 file1
         0: user:user3 allow read

    • Modify an ACL entry by its index.
      #change ACL permissions
      $ chmod =a# 0 "group:group1 deny write,execute,append" file1
      
      $ ls -le
      -rwx------+ 1 mtitek  mtitek  5  7 Feb 07:45 file1
       0: group:group1 deny write,execute,append

    • Grant the permissions "list", "search", "add_file", "add_subdirectory", and "delete_child" to "user1" on the directory "folder1".
      $ mkdir folder1
      
      $ ls -le
      drwxr-xr-x  2 mtitek  mtitek  68  7 Feb 07:52 folder1
      
      #change ACL permissions
      $ chmod +a "user:user1 allow list,search,add_file,add_subdirectory,delete_child" folder1
      
      $ ls -le
      drwxr-xr-x+ 2 mtitek  mtitek  68  7 Feb 07:52 folder1
       0: user:user1 allow list,add_file,search,add_subdirectory,delete_child
  3. Command Help (man chmod)
    • The following options can be used:
      +a
      |Add an ACL entry.
      |If the ACL entry refers to an identity already listed, the new entry will be combined with the existing one.
      
      -a
      |Delete an ACL entry.
      |All entries exactly matching the supplied entry will be deleted.
      |If the entry lists a subset of permissions granted by an entry, only the listed permissions are removed.
      
      +a#
      |Add an ACL entry using an index to specify the location of the entry.
      
      -a#
      |Delete an ACL entry by its index.
      
      =a#
      |Update an ACL entry by its index.
      
      -N
      |Removes the ACL entries from the named file(s).

    • The following permissions are applicable to files:
      read
      |The permission to read the file.
      
      write
      |The permission to write to a file.
      |You may need the "append" permission in order to append data to the file.
      
      append
      |The permission to append data to a file (does not allow changing previously written data).
      
      execute
      |The permission to execute the file.

    • The following permissions are applicable to directories:
      list
      |The permission to list files and directories.
      
      search
      |The permission to search files by name.
      
      add_file
      |The permission to add a file.
      
      add_subdirectory
      |The permission to add a sub-directory.
      
      delete_child
      |The permission to delete the content of the directory.
      |You may also need the "search" permission.

    • The following permissions are applicable to files and directories:
      chown
      |The permission to change the ownership of the file or directory.
      
      delete
      |The permission to delete the file or directory.
      
      readattr
      |The permission to read basic attributes of the file or directory.
      |This is implicitly granted if the file or directory can be looked up.
      
      writeattr
      |The permission to write basic attributes of the file or directory.
      
      readextattr
      |The permission to read extended attributes of the file or directory.
      
      writeextattr
      |The permission to write extended attributes of the file or directory.
      
      readsecurity
      |The permission to read extended security information (ACL) of the file or directory.
      
      writesecurity
      |The permission to write security information (mode, ACL) of the file or directory.

    • ACL inheritance is controlled with the following permissions:
      file_inherit
      |Allow newly created files to inherit ACL permissions.
      
      directory_inherit
      |Allow newly created directories to inherit ACL permissions.
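
    One way to review ACLs built from the permissions listed above, as an added example that is not part of the original page: a shell function that parses "ls -le" output in the format shown in the examples and reports "allow" entries granting chown, writesecurity, delete or delete_child. The function names, the RISKY list and the file2 entry in the sample are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the ACL entries printed by `ls -le` (format shown above).
# Reports "allow" entries granting rights that let the grantee change the
# object's protection or remove it. The RISKY list is this example's assumption.
RISKY="${RISKY:-chown writesecurity delete delete_child}"

# audit_acl: reads `ls -le` output on stdin and prints one tab-separated line
# per finding: file, entry index, principal, matching permissions.
audit_acl() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[-dlbcps][-rwxsStT]+/ {              # file line: name starts at field 9
        file = $9; for (i = 10; i <= NF; i++) file = file " " $i
        next
    }
    /^ *[0-9]+: / {                        # ACL entry: " 0: user:user1 allow read"
        idx = $1; sub(/:$/, "", idx)
        who = ""; v = 0
        for (i = 2; i <= NF; i++) {        # principal may contain spaces
            if ($i == "allow" || $i == "deny") { v = i; break }
            who = (who == "" ? $i : who " " $i)
        }
        if (v == 0 || $v != "allow") next  # deny entries only restrict access
        m = split($(v + 1), p, ","); hits = ""
        for (i = 1; i <= m; i++)
            if (p[i] in bad) hits = (hits == "" ? p[i] : hits "," p[i])
        if (hits != "") print file "\t" idx "\t" who "\t" hits
    }'
}

# Sample listing: file1 and folder1 as in the examples above; file2 is constructed.
sample_listing() {
    cat <<'EOF'
-rwx------+ 1 mtitek  mtitek  5  7 Feb 07:45 file1
 0: user:user2 deny write,execute,append
 1: user:user1 allow read,write,execute,append
 2: user:user3 allow read
drwxr-xr-x+ 2 mtitek  mtitek  68  7 Feb 07:52 folder1
 0: user:user1 allow list,add_file,search,add_subdirectory,delete_child
-rw-r--r--+ 1 mtitek  mtitek  12  7 Feb 08:10 file2
 0: group:group1 allow read,writesecurity
EOF
}

sample_listing | audit_acl
```

    On a real tree, feed it the output of "ls -le" for the paths under review; set RISKY to a different space-separated list to audit other permissions.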
© 2025  mtitek