Home Directory Permissions

By default, a user's home directory is effectively 700 (owner only), with one exception: an ACL entry gives our environment's web server (the apache group) just enough access to reach a user's public_html directory. All web-server content should be stored within public_html.

When creating new files or directories within your home directory, make sure their permissions restrict or allow access as you intend. Users are responsible for ensuring permissions are set correctly whenever they make alterations.

Home directory permissions should look like the following:

// home directory
[student@portal ~]$ getfacl -p /u/student
# file: /u/student
# owner: student
# group: ugrad
user::rwx
group::---
group:apache:--x
mask::--x
other::---
default:user::rwx
default:group::---
default:other::---

// public_html directory
[student@portal ~]$ getfacl -p /u/student/public_html
# file: /u/student/public_html
# owner: student
# group: ugrad
user::rwx
group::---
group:apache:r-x
mask::r-x
other::---

Permissions Table

In POSIX environments, file and directory permissions are written as three octal digits representing the permissions of the owning user, the owning group, and everyone else (other), in that order. Each digit is the sum of the values below, so 0 is no access and 7 is full access.

The table below shows the numeric values associated with permissions.

read write execute
4 2 1

Thus, a file with mode 700 gives its owner read, write, and execute permission, while the group and everyone else (other) have no access. On a directory, read means permission to list its contents and execute means permission to traverse it, i.e. to open a file inside it by name.

Viewing Permissions

There are multiple ways of displaying permissions for a given file. Three common commands are ls -l <file/directory>, getfacl <file/directory>, and ls -al, which lists every entry in the current directory (hidden files included) with its permissions. Note that ls -l shows only the base permission bits; a + after them (for example drwx--x---+) means an ACL is present, and getfacl is needed to see it.

[student@portal ~]$ ls -l myfile
-rwx------ 1 student ugrad 0 Feb  8 14:23 myfile

[student@portal ~]$ getfacl myfile
# file: myfile
# owner: student
# group: ugrad
user::rwx
group::---
other::---

[student@portal ~]$ ls -al
total 103
... output omitted ...
-rwx------   1 student ugrad     0 Feb  8 14:23 myfile
... output omitted ...

Changing Permissions

The two most common commands for changing permissions on a file or directory are chmod <octal values> <file/directory> and setfacl -m <permissions> <file/directory>. For your home and public_html directories, however, you must use setfacl: once a directory carries an ACL, the group digit given to chmod rewrites the ACL mask rather than the group entry, so chmod 700 on your home directory would set the mask to --- and silently cut off the web server's access to public_html.

If you need to reset your home and public_html directory permissions, the following commands will accomplish this. Replace <uid> with your username. No explicit mask entry is needed: setfacl recalculates the mask from the entries it is given.

setfacl -m u::rwx,g::---,o::---,g:apache:x  /u/<uid>
setfacl -m u::rwx,g::---,o::---,g:apache:rx /u/<uid>/public_html

If you want to share a file in your home directory with another user, adjusting the file's own permissions is not enough: the other user also needs execute (traverse) permission on your home directory, because every directory on the path to a file must be searchable. See below for an example.

Note that setfacl accepts either an octal digit or {r, w, x, -} characters for the permissions field.

In this example, there is a user "Bob" (username bob) to whom we want to give read access to a file named "myfile" in your home directory.

// create a backup of your home directory permissions (-p keeps the absolute path, so --restore works from any directory)
[<uid>@portal ~]$ getfacl -p /u/<uid> > permissions_backup

// restore a backup if needed
[<uid>@portal ~]$ setfacl --restore=permissions_backup

// alter your home directory permissions: Bob needs only execute (traverse) on the directory, not read (which would let him list it)
[<uid>@portal ~]$ setfacl -m u:bob:--x /u/<uid>

// be sure that the file within your home directory is readable by Bob with one of the options below
// option 0: Bob belongs to the same group as <uid> (note this grants read to everyone in that group)
[<uid>@portal ~]$ chmod 740 myfile

// option 1: Bob does not belong to the same group as <uid> (note this grants read to every user on the system)
[<uid>@portal ~]$ chmod 704 myfile

// option 2 (preferred, least privilege): grant Bob alone with an ACL
[<uid>@portal ~]$ setfacl -m u:bob:r-- myfile

// remove Bob's access to your home directory when done (repeat with myfile if you used option 2)
[<uid>@portal ~]$ setfacl -x u:bob /u/<uid>
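The following is an added example, not code from the original page: a small Python model of the POSIX.1e access check described in acl(5), applied to the listings above. It shows why chmod must not be used on an ACL-bearing directory (the middle digit rewrites the mask, cutting off apache), why Bob needs x rather than r on the home directory to read myfile, and includes an audit of the "owner plus web server only" invariant this page expects. The getfacl text is constructed from the page's own output; the users bob, mallory and eve are hypothetical.

```python
# Added example (not part of the original page): a model of the POSIX.1e access
# check described in acl(5), so the effect of chmod and setfacl on the listings
# above can be reasoned about offline. The ACL text is constructed from the
# page's own getfacl output; the users bob, mallory and eve are hypothetical.
import copy
PERMS = "rwx"
HOME_ACL = """\
# file: /u/student
# owner: student
# group: ugrad
user::rwx
group::---
group:apache:--x
mask::--x
other::---
default:user::rwx
"""

# Constructed: myfile after `chmod 704 myfile` (option 1 above).
MYFILE_704_ACL = """\
# owner: student
# group: ugrad
user::rwx
group::---
other::r--
"""

def _perms(text):
    """'r-x' or an octal digit such as '5' -> frozenset of permission letters."""
    if text.isdigit():
        text = "".join(c for c, b in zip(PERMS, (4, 2, 1)) if int(text, 8) & b)
    return frozenset(c for c in text if c in PERMS)

def parse_getfacl(text):
    """Parse getfacl output into owner, owning group, base entries and named entries."""
    acl = {"owner": None, "group": None, "base": {}, "named": {"user": {}, "group": {}}}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop getfacl's masked-entry note
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):  # default: shapes children only
            tag, qual, perms = line.split(":")
            target = acl["named"][tag] if qual else acl["base"]  # base: user:: group:: other:: mask::
            target[qual or tag] = _perms(perms)
    return acl

def allowed(acl, user, groups, want):
    """acl(5) check: the first matching class decides; the mask applies to all but owner and other."""
    want, base, named = _perms(want), acl["base"], acl["named"]
    mask = base.get("mask", frozenset(PERMS))  # no mask entry: nothing is masked
    if user == acl["owner"]:
        return want <= base["user"]
    if user in named["user"]:
        return want <= named["user"][user] & mask
    matches = [base["group"]] if acl["group"] in groups else []
    matches += [p for g, p in named["group"].items() if g in groups]
    if matches:  # any matching group entry that grants the whole request wins
        return any(want <= p & mask for p in matches)
    return want <= base["other"]

def effective(acl, user, groups=()):
    """Effective permissions for one principal, rendered like getfacl (e.g. --x)."""
    return "".join(c if allowed(acl, user, groups, c) else "-" for c in PERMS)

def can_read_file(dir_acl, file_acl, user, groups=()):
    """Reading dir/file needs x (traverse) on the directory AND r on the file itself."""
    return allowed(dir_acl, user, groups, "x") and allowed(file_acl, user, groups, "r")

def chmod(acl, mode):
    """Model chmod on an ACL-bearing object: the middle digit rewrites mask::, not group::."""
    new = copy.deepcopy(acl)
    middle = "mask" if "mask" in new["base"] else "group"
    for tag, digit in zip(("user", middle, "other"), f"{mode:03o}"):
        new["base"][tag] = _perms(digit)
    return new

def setfacl_m(acl, entry):
    """Model `setfacl -m tag:qual:perms`, including setfacl's default mask recalculation."""
    new = copy.deepcopy(acl)
    tag, qual, perms = entry.split(":")
    target = new["named"][tag] if qual else new["base"]
    target[qual or tag] = _perms(perms)
    if tag != "mask" and (new["named"]["user"] or new["named"]["group"]):
        union = set(new["base"]["group"])  # recomputed unless setfacl -n is used
        for bucket in new["named"].values():
            union.update(*bucket.values())
        new["base"]["mask"] = frozenset(union)
    return new

def audit(acl, web_group="apache", web_perms="x"):
    """Check this page's invariant: nobody but the owner and the web-server group gets in."""
    problems = [f"named user {u} has access" for u in acl["named"]["user"]]
    if acl["base"].get("other"):
        problems.append("other:: grants " + effective(acl, "nobody"))
    for g, p in acl["named"]["group"].items():
        if g != web_group or not p <= _perms(web_perms):
            problems.append(f"group {g} has {''.join(sorted(p))}, expected at most {web_perms}")
    return problems
```

With the home directory ACL from this page, effective(home, "apache", ["apache"]) is --x, but after chmod(home, 0o700) it becomes ---, which is the reason the reset commands use setfacl. Granting Bob r-- on the home directory leaves can_read_file(...) false even though myfile is 704, because the r entry does not include traverse; granting --x makes it true while keeping Bob unable to list the directory. audit(home) returns an empty list for the expected layout and names the stray entry once Bob's ACL entry is added, so remember to remove it when you are done.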
  • permissions.txt
  • Last modified: 2022/04/18 13:01