Revoke folder permissions for a user command help

Hi, can I have some help removing permissions for a user to a folder and its sub-folders…

I have been looking at chmod -rwx /folder1/folder2/folder3

…but where do I put the user?

Thanks, Lee

You use the chown command to change ownership/user and the chmod to change permissions on a Linux filesystem. You can do it recursively (use -R) to change ownership of sub-directories. The link below gives some basic information on the command and you can get the same and more detailed information from the man pages. Open a terminal and type man chown (hit enter key) or man chmod (hit enter key).

https://www.ibm.com/docs/en/aix/7.1?topic=c-chown-command

1 Like

I think we need to know some basic information first.

A user on the same machine? Separate login?

Where do you want to remove permissions from, system or user folders?

It’s a user folder and I don’t want to change ownership. Just remove xrw from a folder for a user who is not logged on and on the same machine. The logged on user is Root.

I was finding things difficult because the examples I kept finding were about changing ownership and not specifying a user.

This is actually pretty easy with ACLs. Let me give you a surprising example:

$ touch /tmp/foo
$ ls -l /tmp/foo | awk '{print $1}'
-rw-rw-r--
$ setfacl -m u:root:--- /tmp/foo
$ ls -l /tmp/foo | awk '{print $1}'
-rw-rw-r--+
$ sudo su
# echo foo > /tmp/foo
bash: /tmp/foo: Permission denied

Let me explain what’s going on here:

  1. First we create a file with a user (not root)
  2. We print only the file permissions of the file and everything looks normal
  3. We change the ACL on the file so that root has no access
  4. We repeat step 2 and see a plus sign at the end, indicating a custom ACL
  5. We login as root
  6. We attempt to write to the file, which is denied

…and we thought root had access to everything!

You can get the details of the ACLs with setfacl. Check the manpage for getfacl but tl;dr the -m option adds, while the -x option removes and the u:xxxx indicates user xxxx while the --- indicates the read, write, and execute bits, in that order.

3 Likes

Did you create a user “Root”? Because Ubuntu by default has the “root” user disabled, and to make changes of this sort outside a user /home directory almost always requires the use of sudo. If you remove execute permissions on a directory your user will not be able to access sub-directories but should be able to do so as root user, using sudo.

This seems thoroughly confusing. Please explain a bit more clearly.
Does this mean the username is “Root?”
Or does it mean the “user” is really an admin, and is logged in as (real) root?
Are you trying to deny access to admin?

I didn’t use “Root” but “root.” See above. The case was intentional. The user is disabled but it certainly exists. You can log into it with sudo (that’s what sudo su does).

Are you really sure about that? On my XUbuntu 22.04 in my $HOME on an ext4 partition doing what you showed results in root still having read and write access to the file - which is what I expected.

As far as normal users are concerned ACLs are indeed able to revoke access - which surprised me, since I always assumed they could only grant additional access, not revoke permissions granted through ‘normal’ permissions.

Well it worked here on 24.10. Either way, it certainly should work on normal users. ACLs in the kernel have been around for over twenty years.

Thanks everyone for your suggestions.

Same here both on Arch and Xubuntu, they sure have been around a beat. (A length of time)

1 Like

/usr/lib/tmpfiles.d
/usr/lib/sysusers.d
and similar says otherwise.

And if there are some additions to /etc/apparmor.d,
alias lsverify='dpkg --verify' in .bashrc is not in situation that it stands its duty…

If you want to remove permissions for a specific user on a folder and its sub-folders, you can use setfacl instead of chmod, since chmod isn’t as flexible for individual user permissions. Here’s an example:

setfacl -R -x u:username /folder1/folder2/folder3

This will remove the permissions for the user username on the folder and all its sub-folders.

1 Like
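
Added example, not written by any poster in this thread: a simplified Python model of the check order documented in acl(5), showing what an explicit `u:name:---` entry does to a user who otherwise gets access through the "other" bits, compared with having no entry for that user at all. The user names and ACL values are constructed, and the `cap_dac_override` flag models only the read/write bypass described in capabilities(7).

```python
# Added example: simplified model of the acl(5) access check order. Names and
# ACL values are constructed; privileged execute checks are not modelled.
from dataclasses import dataclass, field, replace

R, W, X = 4, 2, 1  # permission bits, as in rwx

@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                                # user::
    group_obj: int                               # group::
    other: int                                   # other::
    users: dict = field(default_factory=dict)    # u:name:perms entries
    groups: dict = field(default_factory=dict)   # g:name:perms entries
    mask: int = R | W | X                        # mask::

def allowed(acl, user, user_groups, want, cap_dac_override=False):
    # capabilities(7): CAP_DAC_OVERRIDE bypasses read and write checks.
    if cap_dac_override and not (want & X):
        return True
    if user == acl.owner:
        return (acl.user_obj & want) == want
    if user in acl.users:
        # A named-user entry is final; group and other are never consulted.
        return (acl.users[user] & acl.mask & want) == want
    matching = [acl.group_obj] if acl.group in user_groups else []
    matching += [p for g, p in acl.groups.items() if g in user_groups]
    if matching:
        return any((p & acl.mask & want) == want for p in matching)
    return (acl.other & want) == want

def demo():
    # Constructed sample: file owned by alice:alice with mode rw-rw-r--.
    plain = Acl("alice", "alice", R | W, R | W, R)
    # Effect of: setfacl -m u:bob:--- FILE (mask recalculated to rw-)
    denied = replace(plain, users={"bob": 0}, mask=R | W)
    # Effect of: setfacl -x u:bob FILE (the entry is removed again)
    removed = replace(denied, users={})
    return {
        "no entry": allowed(plain, "bob", {"bob"}, R),
        "u:bob:---": allowed(denied, "bob", {"bob"}, R),
        "after -x": allowed(removed, "bob", {"bob"}, R),
        "u:bob:--- with CAP_DAC_OVERRIDE": allowed(denied, "bob", {"bob"}, R, True),
    }

if __name__ == "__main__":
    print(demo())
```

On a real system, `getfacl` on the folder shows which of these entries are actually present.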