
Update: for my general purposes, what I figured out here is good enough: https://raspberrypi.stackexchange.com/questions/13401/locking-down-raspbian-to-only-allow-limited-features/58778#58778


So it seems to me that Linux permissions function as a white-list (forcefully allow a single, specified user or single, specified group something) rather than a black-list (forcefully deny a single, specified user or single, specified group something). Is this correct? If so, how can I blacklist someone from being able to read, write, or execute in a particular directory or on a set of files?

Ex: ls -l showing the permissions on a directory as drwxr-xr-x means that it's a directory, Users have read, write, execute (rwx) permissions, Groups have r-x permissions, and Others have r-x permissions. Let's say the user is "user0" and the group is "user0".

How do I explicitly allow "user1" and "user2" the ability to have all permissions on this "user0" directory, "user3" and "user4" get no permissions, and "user5" and "user6" get partial permissions?

It seems to me I'd need to black-list user3 and user4, white-list user1 and user2, and partially white-list or partially black-list user5 and user6.

Since (I think) Linux's permissions are white-list only, what's the best way to achieve this?

Note that part of my confusion lies in the facts that:

  1. A directory or file can belong to only one user or group at a time (rather than, per se, giving permissions to multiple groups to access a particular directory or file)
  2. A user can belong to multiple groups

I think I just need some good examples of this stuff.


One partial solution, which helps demonstrate the problem I am having, is as follows:

Let's assume the user0 directory I want to set these permissions on is "/home/user0"

First, make the directory user "user0", and group "user0" (already done by default just by using sudo adduser user0 in the first place). Next, set permissions to "drwxrwx---" (user and group both rwx, but Others nothing)

Allow user1 and user2 all permissions to the directory by adding them each to the user0 group

Give user3 and user4 no permissions: already done since Others have "---" access, and user3 and user4 are NOT part of the user0 group.

Give user5 and user6 partial permissions (ex: "r-x"): can't be done???? Because if I make the Other permissions "r-x" then it gives that to user3 and user4 too, but I want them to be black-listed (by having "---" permissions).


Background reading I've already done includes:


2 Answers


Yes, if you like to phrase it that way, the standard unix permissions are "whitelist".

The usual way to deal with permissions is to create a new group that abstracts over all files that should behave similarly, give those files the corresponding group id, and make all users that should get those permissions part of the group. That's why users can be members of many groups.

Permissions to use devices are handled in the same way, that's why you have groups like input, disk etc. in many distributions.

So in that sense, you could think of a group as a particular "rule" of your "permission ruleset". The restriction is that each file only can have a single rule with a single rwx combination of permissions, beyond the "user" and "other" permissions.

So your scenario where one group of users needs to have one set of permissions and another group needs to have a different set of permissions for the same file or directory can't be implemented with standard unix permissions.

However, there's an extension to the standard unix permissions called access control lists (ACLs). See man acl for details. For many file systems, you must specify an option to activate ACLs when mounting them.


For this type of granularity you'll want to use ACLs. With ACLs you can assign different permissions to multiple users or groups. To accomplish what you're asking you would run the following commands (assuming your directory is called dir):

setfacl -m u:user1:rwx dir
setfacl -m u:user2:rwx dir
setfacl -m u:user3:- dir
setfacl -m u:user4:- dir
setfacl -m u:user5:rx dir
setfacl -m u:user6:rx dir

This will give full access to user1 and 2, no access to user3 and 4, and read/execute permissions to user5 and 6. If you do a ls -ld on the directory you will notice it now has a + appended to the permission bits.

$ ls -ld dir
drwxrwxr-x+ 2 user0 users 40 Dec  7 11:42 dir

The + means it has one or more ACLs associated with it. You can see the ACLs with the getfacl command:

$ getfacl dir
# file: dir
# owner: user0
# group: users
user::rwx
user:user1:rwx
user:user2:rwx
user:user3:---
user:user4:---
user:user5:r-x
user:user6:r-x
group::r-x
mask::rwx
other::r-x

Also worth noticing is that the ls command seems to show that the directory is group writable, but the getfacl command shows that it's not. The ACL is correct here, meaning if a user in the users group, but not otherwise named in the ACL or the file ownership tries to create a file in the directory, it will fail.
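To see why the answer's getfacl listing gives each user what it does (and why the "users" group member cannot write even though ls shows rwx in the group slot), here is an added example, not from either answer, that models the POSIX ACL access-check algorithm from acl(5) and evaluates it over that listing. It assumes a shortened copy of the listing (user2, user4 and user6 mirror user1, user3 and user5) and does not call setfacl or getfacl.

```python
# Added example (not from the answers above): a model of the POSIX ACL access
# check from acl(5), evaluated over the getfacl listing quoted in the answer.
# It does not call setfacl/getfacl; it only predicts what the kernel would do.

def parse_acl(text):
    """Parse getfacl-style lines into a dict; '#' comment lines are skipped."""
    acl = {"user_obj": set(), "group_obj": set(), "other": set(),
           "mask": None, "user": {}, "group": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qualifier, perms = line.split(":")
        perms = set(perms) - {"-"}              # "r-x" -> {"r", "x"}
        if qualifier:                           # named user / named group entry
            acl[tag][qualifier] = perms
        else:                                   # user::, group::, mask::, other::
            acl[{"user": "user_obj", "group": "group_obj"}.get(tag, tag)] = perms
    return acl

def check_access(acl, owner, file_group, uid, groups, want):
    """True if `uid` (member of `groups`) may do every bit in `want`, e.g. 'rw'."""
    want = set(want)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if uid == owner:                        # 1. owner: user:: entry, never masked
        return want <= acl["user_obj"]
    if uid in acl["user"]:                  # 2. named user entry, capped by mask
        return want <= acl["user"][uid] & mask
    matching = [acl["group_obj"]] if file_group in groups else []
    matching += [p for g, p in acl["group"].items() if g in groups]
    if matching:                            # 3. owning/named groups, capped by mask
        return any(want <= p & mask for p in matching)
    return want <= acl["other"]             # 4. everyone else: other:: entry

def effective_perms(acl, owner, file_group, uid, groups=()):
    """Per-bit view of check_access: the r/w/x letters the user ends up with."""
    return "".join(p for p in "rwx"
                   if check_access(acl, owner, file_group, uid, groups, p))

# Constructed input: shortened copy of the answer's listing (user2/4/6 omitted).
GETFACL = """\
# owner: user0
user::rwx
user:user1:rwx
user:user3:---
user:user5:r-x
group::r-x
mask::rwx
other::r-x
"""
```

Changing mask::rwx to mask::r-x in the listing caps user1 at r-x while leaving the owner untouched, which is the effect a bare chmod g-w on an ACL-bearing directory has, since chmod's group bits rewrite the mask rather than the group:: entry.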
