What are the different ways to set file permissions etc on gnu/linux

chmod: change file mode bits

Usage (octal mode):

    chmod <octal-mode> files...

Usage (symbolic mode):

    chmod <references><operator><modes> files...

references is a combination of the letters ugoa, which specify which user's access to the files will be modified:

  • u the user who owns it
  • g other users in the file's group
  • o other users not in the file's group
  • a all users

If omitted, it defaults to all users, but only permissions allowed by the umask are modified.

operator is one of the characters +-=:

  • + add the specified file mode bits to the existing file mode bits of each file
  • - removes the specified file mode bits from the existing file mode bits of each file
  • = adds the specified bits and removes unspecified bits, except the setuid and setgid bits set for directories, unless explicitly specified.

mode consists of a combination of the letters rwxXst, which specify which permission bit is to be modified:

  • r read
  • w write
  • x execute (or search for directories)
  • X execute/search only if the file is a directory or already has execute bit set for some user
  • s setuid or setgid (depending on the specified references)
  • t restricted deletion flag or sticky bit

Alternatively, the mode can consist of one of the letters ugo, in which case the mode corresponds to the permissions currently granted to the owner (u), members of the file's group (g) or permissions of users in neither of the preceding categories (o).

The various bits of chmod explained:

  • Access control (see also setfacl)
    • rwx — read (r), write (w), and execute/cross (x) permissions.
      • Read (r) affects if a file can be read, or if a directory can be listed.
      • Write (w) affects if a file can be written to, or if a directory can be edited (files added, deleted, renamed).
      • Execute (x) affects if a file can be run, used for scripts (see #!), and other executable files.
      • Cross (x) affects if a directory can be traversed.
    • s and t — sticky bit (t), and setgid (s) on directories
      • The sticky bit only affects directories. It prevents anyone except the file owner and root from deleting files in the directory.
      • The setgid bit on directories will cause new files and directories to have the group set to the same group, and new directories to have their setgid bit set (see also defaults in setfacl).
    • s — setuid, setgid, on executable files.
      • This can affect security in a bad way, if you don't know what you are doing.
      • When an executable is run, if one of these bits is set, then the effective user/group of the executable will become that of the file. Thus the program runs as that user. See setcap for a more modern way to do this.

chown chgrp:


chattr: change file attributes

Usage:

    chattr <operator><attribute> files...

operator is one of the characters +-=:

  • + adds the selected attributes to the existing attributes of the files
  • - removes the selected attributes
  • = overwrites the current set of attributes the files have with the specified attributes.

attribute is a combination of the letters acdeijstuADST, which correspond to the attributes:

  • a append only
  • c compressed
  • d no dump
  • e extent format
  • i immutable
  • j data journalling
  • s secure deletion
  • t no tail-merging
  • u undeletable
  • A no atime updates
  • D synchronous directory updates
  • S synchronous updates
  • T top of directory hierarchy

setfattr: change extended file attributes

Usage (set attribute):

    setfattr -n <name> -v <value> files...

Usage (remove):

    setfattr -x <name> files...

name is the name of the extended attribute to set or remove

value is the new value of the extended attribute


setfacl: change file access control lists

Usage:

    setfacl <option> [default:][<target>:][<param>][:<perms>] files...

option must include one of the following:

  • --set set the ACL of a file or a directory, replacing the previous ACL
  • -m|--modify modify the ACL of a file or directory
  • -x|--remove remove ACL entries of a file or directory

target is one of the letters ugmo (or the longer form shown below):

  • u, users permission of a named user identified by param, defaults to file owner uid if omitted
  • g, group permission of a named group identified by param, defaults to owning group uid if omitted
  • m, mask effective rights mask
  • o, other permissions of others

perms is a combination of the letters rwxX, which correspond to the permissions:

  • r read
  • w write
  • x execute
  • X execute only if the file is a directory or already has execute permission for some user

Alternatively, perms may be an octal digit (0-7) indicating the set of permissions.


setcap: change file capabilities

Usage:

    setcap <capability-clause> file 

A capability-clause consists of a comma-separated list of capability names followed by a list of operator-flag pairs.

The available operators are =, + and -. The available flags are e, i and p which correspond to the Effective, Inheritable and Permitted capability sets.

The = operator will raise the specified capability sets and reset the others. If no flags are given in conjunction with the = operator all the capability sets will be reset. The + and - operators will raise or lower the one or more specified capability sets respectively.


chcon: change file SELinux security context

Usage:

    chcon [-u <user>] [-r <role>] [-t <type>] files...

user is the SELinux user, such as user_u, system_u or root.

role is the SELinux role (always object_r for files)

type is the SELinux subject type


chsmack: change SMACK extended attributes

Usage:

    chsmack -a <value> file

value is the SMACK label to be set for the SMACK64 extended file attribute


setrichacl: change rich access control list.

richacls are a feature that will add more advanced ACLs.

Currently a work in progress, so I can not tell you much about them. I have not used them.

See also the question "Are there more advanced filesystem ACLs beyond traditional 'rwx' and POSIX ACL?" and the man page.
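
The chmod rules described above (umask filtering when no reference is given, X, copying bits with g=u, setgid surviving = on a directory) can be checked directly, together with a search for setuid/setgid files. The script below is an added example, not part of the original answer; it assumes GNU coreutils and GNU find, and the function and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example. Constructed files only: everything lives under a mktemp directory.
# Assumes GNU coreutils (chmod, stat -c) and GNU find (-perm /MODE).

mode() { stat -c '%a' "$1"; }            # octal mode, e.g. 640

# List regular files under DIR that carry setuid or setgid (audit helper).
find_setid() { find "$1" -xdev -type f -perm /6000; }

# Print "label=mode" lines, one per chmod rule being demonstrated.
demo_chmod() {
    d=$(mktemp -d) || return 1
    old_umask=$(umask); umask 027
    : > "$d/f"; chmod 600 "$d/f"

    chmod +r "$d/f"                      # no references: umask 027 withholds o+r
    echo "umask_limited=$(mode "$d/f")"
    chmod a+r "$d/f"                     # explicit 'a' is not filtered by the umask
    echo "explicit_all=$(mode "$d/f")"
    chmod g=u,o= "$d/f"                  # copy the owner's bits to group, clear other
    echo "copy_owner=$(mode "$d/f")"

    mkdir "$d/tree"; : > "$d/tree/data"; : > "$d/tree/tool"
    chmod 700 "$d/tree" "$d/tree/tool"; chmod 600 "$d/tree/data"
    chmod -R go+rX "$d/tree"             # X: dirs and already-executable files only
    echo "X_dir=$(mode "$d/tree")"
    echo "X_data=$(mode "$d/tree/data")"
    echo "X_tool=$(mode "$d/tree/tool")"

    mkdir "$d/shared"; chmod 770 "$d/shared"
    chmod g+s,o+t "$d/shared"            # setgid + sticky on a shared directory
    echo "shared=$(mode "$d/shared")"
    chmod g=rx "$d/shared"               # '=' leaves a directory's setgid in place
    echo "shared_after_eq=$(mode "$d/shared")"

    chmod u+s "$d/tree/tool"             # setuid executable: what an audit looks for
    echo "tool_setuid=$(mode "$d/tree/tool")"
    echo "setid_files=$(find_setid "$d" | wc -l | tr -d ' ')"

    umask "$old_umask"; rm -rf "$d"
}

demo_chmod
```

Running `find_setid` over a real tree (for example `/usr`) gives the list of setuid/setgid programs to review against what the distribution ships.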