LinuxQuestions.org


AGazzaz 10-25-2009 05:53 PM

Explain Linux folder permission
 
Hello,
I have been using Linux for years now, but I have never thought about this until now.

What if I want to deny a specific user from accessing a specific folder, how can this be done?

This command is after a quick search
Quote:

Set the permissions for the user and the group to read and execute only (no write permission) on mydir.

$ chmod ug=rx mydir
$ ls -ld mydir
dr-xr-x--- 2 unixguy uguys 96 Dec 8 12:53 mydir

Where did this command specify the user or the group?
And as a modern Linux user, how can this be done through the GUI? (You may not answer that.)

In the permissions tab in any file's properties, under "Advanced permissions", you will find three check boxes: "Set UID", "Set GID" and "Sticky". What are these?

Thank you.

chrism01 10-25-2009 06:33 PM

Last qns sound like homework, so I'll just say: http://linux.die.net/man/1/chmod

pixellany 10-25-2009 08:31 PM

Hmmmm---starts like a real question and ends sounding like homework.....

I'm not up on the "sticky" part, so I'll stick to basics....pun unintentional....;)

For any file or directory, you have 3 entities: the owner, the group, and everyone else. To control access to ONE item, simply assign it to a unique group, and then manage who gets assigned to that group....

To the best of my knowledge, there is no simple way to deny just one user---you have to just make sure that he or she is the only one not assigned to the unique group.

rich_c 10-25-2009 09:49 PM

There was a very good article about just this in the most recent Linux Format #125.

lwasserm 10-25-2009 10:05 PM

Quote:

Originally Posted by pixellany (Post 3732375)
.....

...there is no simple way to deny just one user---you have to just make sure that he or she is the only one not assigned to the unique group.

Actually IIRC, there is a fairly simple approach that goes something like this:

Code:

$ chown other-user:excluded-user file
$ chmod 707 file


jschiwal 10-25-2009 10:39 PM

Also look at the manpage for setfacl. I will sometimes have to resort to the manpage to remember the exact syntax, so I'm not really RTFM'ing you. The manpage has examples, which are clearer than using the --help option.

If there is already a group assigned, and you need more granular control, setfacl can help. Especially in a case such as when the group has read-only access but you want a particular user to have read-write control.

Of course, you should create your own users and learn by experimentation, using chmod, chgrp and setfacl on a directory and gain first hand experience using permissions.

AGazzaz 10-26-2009 05:14 AM

Thank you all,

First, I finished my education a very long time ago, so this is not homework.
Second, I am Microsoft Certified and administering a Windows 2003 server and of course a Windows network. Linux OS is on my personal laptop only, so there is no one using it but me. I had never thought about securing a folder in Linux until I read this article yesterday about Windows 7 security.

In Windows you can explicitly deny a user from accessing a folder in a couple of simple steps, but it seems to be more than that in Linux. And your replies just made me think I have to go back to the very beginning to understand how to do such a simple task. For example, in all those years I have not heard of or used chown, setfacl, getfacl, acl or umask. Only chmod 777, and sometimes done with kdesudo dolphin so I do not have to open a konsole.

I do not know where to start, but I need a source that will sum all things up, not a man page explaining a single command or a command for a single task. If you know such a source, please let me know.

Thank you.

merchtemeagle 10-26-2009 08:41 AM

Linux Files and File Permission

thorkelljarl 10-26-2009 09:31 AM

There is also, for example...

http://tldp.org/HOWTO/DOS-Win-to-Linux-HOWTO-4.html

If that HOWTO wasn't helpful, there are many others; tldp has collected many sources of information in one place.

http://tldp.org/

pixellany 10-26-2009 09:43 AM

Quote:

Originally Posted by lwasserm (Post 3732411)
Actually IIRC, there is a fairly simple approach that goes something like this:

Code:

$ chown other-user:excluded-user file
$ chmod 707 file


Does not that syntax change the owner and the group attributes for the file? i.e. you would still have to assign your restricted user to the "excluded-user" group.

chrism01 10-26-2009 06:47 PM

Fundamentally, Linux perms are built around the concept of restricting positive access, not specifying negative access.
IOW, get the correct ownerships (user:group) and give the minimum reqd access perms (of rwx) to each of ugo (user,group,other).
For finer tuning, you may add acls.

AGazzaz 10-26-2009 06:53 PM

Quote:

Originally Posted by chrism01 (Post 3733454)
Fundamentally, Linux perms are built around the concept of restricting positive access, not specifying negative access.
IOW, get the correct ownerships (user:group) and give the minimum reqd access perms (of rwx) to each of ugo (user,group,other).
For finer tuning, you may add acls.

I think you mean that the computer is restricted to the root account only and whoever I want to access a folder I give them a permission for that specific folder; other than that the user is already restricted.

Am I correct?

chrism01 10-26-2009 07:02 PM

Not exactly. That link in post #8 is good. Have a read first, then come back with any qns.
Just point out that for a file rwx = read,write,execute; for a dir it's read,write,x=search(!).
See also http://en.wikipedia.org/wiki/File_system_permissions

lwasserm 10-27-2009 03:51 PM

Quote:

Originally Posted by pixellany (Post 3732902)
Does not that syntax change the owner and the group attributes for the file? i.e. you would still have to assign your restricted user to the "excluded-user" group.

On the systems I am familiar with every user has a default group that is the same as their username. What I meant was, assign ownership of the file to some arbitrary user, and assign the group to that default self-named group of the user to be excluded, not to some larger group that includes the user. While I think that approach would work, after thinking about it some more, I believe my memory may have been in error. See what you think about this example:

The username to be excluded is "excluded-guy"
The file is named FILE
We want everyone else to be able to read or write to the file.
Then root could do:

# chown excluded-guy:root FILE
# chmod 077 FILE

If FILE was in a directory owned by root, then anyone except excluded-guy could read or write, but not delete FILE, and excluded-guy could do neither, but would be able to see it in a directory listing. Imagine the frustration of being the owner of a file, yet you can't read, write, or delete it!

chrism01 10-27-2009 05:48 PM

Give it a try on a test file/dir. I suspect that the owner could (should be able to) change the perms.
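
The evaluation order behind lwasserm's chown/chmod approaches, jschiwal's setfacl suggestion and chrism01's point about the owner, as an added example that is not part of any post: a simplified Python model of the access check described in acl(5), in which the first matching entry decides. The alice account, the private group named after excluded-guy, and the Inode, allowed and may_chmod names are constructed for illustration.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1

@dataclass
class Inode:
    owner: str
    group: str
    mode: int                       # base entries user::/group::/other::, e.g. 0o077
    acl_users: dict = field(default_factory=dict)  # named-user entries (setfacl -m u:NAME:perms)
    acl_mask: int = 7               # ACL mask, caps named-user and group entries

def allowed(user, groups, inode, want):
    """Model of the check in acl(5): the first matching entry decides,
    and a more permissive entry further down is never consulted."""
    if user == "root":
        return True                 # simplification: root bypasses read/write checks
    if user == inode.owner:
        perms = (inode.mode >> 6) & 7
    elif user in inode.acl_users:
        perms = inode.acl_users[user] & inode.acl_mask
    elif inode.group in groups:
        perms = (inode.mode >> 3) & 7 & inode.acl_mask
    else:
        perms = inode.mode & 7
    return (perms & want) == want

def may_chmod(user, inode):
    """Only the owner (or root) may change the mode bits or the ACL."""
    return user in ("root", inode.owner)

def demo():
    # Constructed users: alice is an ordinary user, excluded-guy is the one to lock out.
    alice, bad = ("alice", {"alice"}), ("excluded-guy", {"excluded-guy"})
    cases = {
        "chown other-user:excluded-guy; chmod 707":
            Inode("other-user", "excluded-guy", 0o707),
        "chown excluded-guy:root; chmod 077":
            Inode("excluded-guy", "root", 0o077),
        "setfacl -m u:excluded-guy:---":
            Inode("root", "root", 0o755, acl_users={"excluded-guy": 0}),
    }
    return {name: {"alice_reads": allowed(*alice, f, R),
                   "excluded_reads": allowed(*bad, f, R),
                   "excluded_can_undo": may_chmod(bad[0], f)}
            for name, f in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:45} {result}")
```

In all three cases excluded-guy is denied while alice can read; only the chmod 077 variant leaves excluded-guy as owner and therefore able to change the mode back.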


All times are GMT -5.