7

How can I get a list of which users are authorized to a folder and which permissions they have?

I already tried the most common ones, like 'ls', 'namei' or 'getfacl'.

LStrike
  • 1
    ls only shows basic Unix permissions; if there are more, it shows a +. What do you get with getfacl? What do you expect? – ctrl-alt-delor Jan 17 '17 at 10:44
  • This may be of use: http://unix.stackexchange.com/questions/101263/what-are-the-different-ways-to-set-file-permissions-etc-on-gnu-linux – ctrl-alt-delor Jan 17 '17 at 10:48

3 Answers

5

When you

ls -ld */

you get a list (-l) of your directories (-d) in the current path. You may see the access rights of owner, group and others.
For more details regarding the access rights you may check:
This link

When you check the output from the ls command you can see the owner of the file or directory and next to it the group owner of the file or directory. If for example the group is called "logistics" you can view the members of this group with the following command:

grep 'logistics' /etc/group

3

There is no way to do this in full generality. For example, if the file is exported over a network filesystem such as NFS or Samba, then you'd need to know about accounts on the authorized clients. If the file is visible via a web or FTP server then potentially the whole world might be able to access it.

Even without involving other machines (real or virtual), a file could be hard linked in another directory. A directory tree could be accessible somewhere else due to a bind mount. A file could be located on a disk image to which some users also have direct access. And so on.

In the nominal case, where a file can only be accessed through one path, a file is only accessible to processes that can traverse the whole directory tree from the root to that file. Or from their current directory to that file (it's unusual but possible to arrange for a process to have a current directory that it wouldn't be able to chdir into, by either changing the directory permissions or lowering the process's privileges after the chdir operation) — but we're getting away from the nominal case. So, in the nominal case, take the users who have the desired permissions on the file, and remove the users who don't have x permission on any of the directories in the chain leading from the root to that file. For example, to write to /one/two/three, a user must have x permission on /, /one and /one/two and must have write permission on /one/two/three.

To determine who has what permissions on a file, most Unix variants provide a command called getfacl. This command is available on Linux but not always part of the default installation. It lists permissions by users and groups; a user's permissions on the file are determined by the user list if the user is listed explicitly, and if not then the user has all the permissions granted by any group that the user is in, and if the user is in none of the listed groups then the user has the “other” set of permissions.

Note that a user's processes don't always have the exact set of groups conferred by the entries in /etc/group or similar network databases, but we're again getting into edge case territories. One thing that isn't so much of an edge case is that security frameworks such as SELinux and AppArmor can add further restrictions. You can tell whether such restrictions might be in effect by looking at the output of ls -ld /path/to/file: if there's a punctuation character after the permissions, it indicates that the permissions don't tell the whole story (+ indicates ACL entries, . indicates an SELinux context that you can display with ls -Z, etc.).

I don't know of a tool that would collect all this information for you.
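The nominal-case procedure from the answer above, as an added example that is not part of the original answer: keep the users whose permissions on the target include the wanted access, then drop anyone lacking x on a directory in the chain from the root. It assumes classic owner/group/other mode bits only (no ACL entries, SELinux or AppArmor rules, or alternate paths such as bind mounts), and the names `St`, `granted`, `chain`, `who_can` and `system_users` are hypothetical.

```python
#!/usr/bin/env python3
"""List users whose classic mode bits allow an access to a path (nominal case only)."""
import grp, os, pwd, stat, sys
from collections import namedtuple

St = namedtuple("St", "st_mode st_uid st_gid")  # minimal stat record for constructed input
BITS = {"r": 4, "w": 2, "x": 1}

def granted(st, uid, gids):
    """Return the rwx bits (0-7) that st's mode bits grant to uid with groups gids."""
    if uid == 0:  # root bypasses mode bits, except x on a file with no x bit at all
        return 7 if stat.S_ISDIR(st.st_mode) or st.st_mode & 0o111 else 6
    if uid == st.st_uid:      # owner class wins even if it grants less than group
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def chain(path):
    """Return [/, /one, /one/two, ...] ending with the normalized absolute path."""
    out = [os.path.normpath(path)]
    while os.path.dirname(out[-1]) != out[-1]:
        out.append(os.path.dirname(out[-1]))
    return out[::-1]

def who_can(path, want, users, stat_fn=os.stat):
    """Names from users [(name, uid, gids)] that can reach path and have all of want."""
    need = sum(BITS[c] for c in want)
    *parents, target = [stat_fn(p) for p in chain(path)]
    return sorted(
        name for name, uid, gids in users
        if all(granted(d, uid, gids) & 1 for d in parents)  # x on every parent
        and granted(target, uid, gids) & need == need
    )

def system_users():
    """Yield (name, uid, gids) from the passwd and group databases."""
    groups = grp.getgrall()
    for pw in pwd.getpwall():
        extra = {g.gr_gid for g in groups if pw.pw_name in g.gr_mem}
        yield pw.pw_name, pw.pw_uid, {pw.pw_gid} | extra

if __name__ == "__main__":
    path, want = os.path.realpath(sys.argv[1]), sys.argv[2]  # e.g. /one/two/three w
    for name in who_can(path, want, list(system_users())):
        print(name)
```

A `+` or `.` after the mode string in `ls -ld` on any path component means this result is incomplete for that path.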

0

Use ls with the -d option for a directory:

ls -ld yourDirectory
  • Well, seems OK, but my result is strange. There should be at least 2 users with permissions on my folder, but I only get the user displayed with which I am logged in... – LStrike Jan 17 '17 at 10:27
  • 2
    @LStrike The result will give you the owner and the group, and will give you the permissions for the owner, for the group, and for other users who don't belong to the group. Look here for understanding the permissions in Linux: https://www.linux.com/learn/understanding-linux-file-permissions – Wissam Roujoulah Jan 17 '17 at 10:43
  • 2
    The result is not to do with the logged-in user. It is from the file's point of view: owner, group and other. But not ACLs; it just shows a + if there are ACLs. – ctrl-alt-delor Jan 17 '17 at 10:46