What is the difference between UNIX permissions and ACLs, and when should I use each?

UNIX permissions (user/group/other) cover broad access. ACLs extend this model, letting you grant per-user or per-group rights beyond the basic trio. Use UNIX permissions as the baseline, and apply ACLs when you need fine-grained access on specific files or directories without changing ownership or creating numerous groups.

How do I ensure ACLs work on my filesystem?

Ensure your filesystem supports ACLs (ext4, xfs, etc.) and that ACLs are enabled in mount options (mount | grep acl or check /etc/fstab). Use getfacl to view and setfacl to modify. If ACLs aren’t taking effect, verify that the filesystem was mounted with ACL support and that recursive changes use -R when updating directories.

What should I consider before granting passwordless sudo (NOPASSWD)?

Only grant NOPASSWD to highly trusted automation or CI tasks, and limit it to specific commands. Prefer password prompts for interactive admin tasks to reduce risk, and document each NOPASSWD entry in /etc/sudoers.d with a clear rationale and expiration or review cadence.

How can I audit permission changes effectively?

Maintain a changelog of user/group additions, sudoers edits, and ACL modifications. Regularly review /etc/sudoers.d entries, verify that group memberships align with roles, and use getfacl to validate that ACLs still reflect intended access. Periodically test login and command execution paths to confirm permissions behave as expected.

user-permissions

Use Caution

linux user group sudo acl permissions

npx machina-cli add skill chaterm/terminal-skills/user-permissions --openclaw

Files (1)

SKILL.md

4.5 KB

User and Permission Management

Overview

Linux user management, group management, sudo configuration, ACL permissions and other skills.

User Management

View Users

# Current user
whoami
id

# User information
id username
finger username

# All users
cat /etc/passwd
getent passwd

# Logged in users
who
w
last                                # Login history

User Operations

# Create user
useradd username
useradd -m -s /bin/bash username    # Create home directory, specify shell
useradd -G group1,group2 username   # Specify supplementary groups

# Modify user
usermod -aG groupname username      # Add to group
usermod -s /bin/zsh username        # Change shell
usermod -L username                 # Lock user
usermod -U username                 # Unlock user

# Delete user
userdel username
userdel -r username                 # Also delete home directory

# Change password
passwd username
passwd -l username                  # Lock password
passwd -u username                  # Unlock password
chage -l username                   # View password policy

Group Management

View Groups

# User's groups
groups username
id -Gn username

# All groups
cat /etc/group
getent group

# Group members
getent group groupname

Group Operations

# Create group
groupadd groupname
groupadd -g 1001 groupname          # Specify GID

# Modify group
groupmod -n newname oldname         # Rename

# Delete group
groupdel groupname

# Manage group members
gpasswd -a username groupname       # Add user
gpasswd -d username groupname       # Remove user
gpasswd -M user1,user2 groupname    # Set member list

sudo Configuration

Basic Usage

# Execute as root
sudo command
sudo -i                             # Switch to root shell
sudo -u username command            # Execute as another user

# View permissions
sudo -l

sudoers Configuration

# Edit sudoers (recommended method)
visudo

# Or edit files under /etc/sudoers.d/
visudo -f /etc/sudoers.d/username

Common Configuration Examples

# /etc/sudoers.d/username

# Full privileges
username ALL=(ALL:ALL) ALL

# No password required
username ALL=(ALL) NOPASSWD: ALL

# Specific commands
username ALL=(ALL) /usr/bin/systemctl restart nginx

# Specific commands without password
username ALL=(ALL) NOPASSWD: /usr/bin/docker

# Group privileges
%groupname ALL=(ALL) ALL

ACL Permissions

View ACL

getfacl file
getfacl -R dir                      # Recursive view

Set ACL

# Set user permissions
setfacl -m u:username:rwx file
setfacl -m u:username:rx dir

# Set group permissions
setfacl -m g:groupname:rx file

# Set default ACL (new files inherit)
setfacl -d -m u:username:rwx dir

# Recursive set
setfacl -R -m u:username:rx dir

# Remove ACL
setfacl -x u:username file          # Remove specific
setfacl -b file                     # Remove all

Special Permissions

SUID/SGID/Sticky

# SUID (4) - Execute as file owner
chmod u+s file
chmod 4755 file

# SGID (2) - Execute as file group/directory inherits group
chmod g+s file
chmod 2755 dir

# Sticky (1) - Only owner can delete
chmod +t dir
chmod 1777 dir

# View
ls -la
# -rwsr-xr-x  SUID
# -rwxr-sr-x  SGID
# drwxrwxrwt  Sticky

Common Scenarios

Scenario 1: Create Developer User

# Create user and group
groupadd developers
useradd -m -s /bin/bash -G developers devuser

# Set password
passwd devuser

# Configure sudo
echo "devuser ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/systemctl" > /etc/sudoers.d/devuser
chmod 440 /etc/sudoers.d/devuser

Scenario 2: Shared Directory Permissions

# Create shared directory
mkdir /shared
groupadd shared
chown root:shared /shared
chmod 2775 /shared                  # SGID ensures new files inherit group

# Add users to group
usermod -aG shared user1
usermod -aG shared user2

Scenario 3: Restrict User to Specific Commands

# /etc/sudoers.d/limited-user
limited ALL=(ALL) NOPASSWD: /usr/bin/systemctl status *, /usr/bin/journalctl

Troubleshooting

Problem	Solution
sudo permission denied	Check `/etc/sudoers.d/` configuration
User cannot login	Check shell, password lock status
Group permissions not working	Re-login or `newgrp groupname`
ACL not working	Check if filesystem supports ACL

Source

git clone https://github.com/chaterm/terminal-skills/blob/main/linux/user-permissions/SKILL.mdView on GitHub

Overview

You manage Linux user accounts, groups, sudo privileges, and access controls. This skill provides practical, step-by-step guidance for creating and modifying users and groups, configuring secure sudo access, applying ACLs for fine-grained permissions, and handling SUID/SGID/Sticky bits on files and directories.

How This Skill Works

You operate on core Linux primitives for identity and access: users (/etc/passwd, /etc/shadow), groups (/etc/group), and permissions. You create and modify accounts with useradd/usermod/userdel, manage groups with groupadd/groupmod/groupdel, and assign users to groups. For elevated privileges, you configure sudoers via visudo or /etc/sudoers.d to grant least-privilege access. For granular file permissions, you read and set ACLs with getfacl/setfacl in addition to traditional UNIX permissions, and you can enforce special behaviors with SUID/SGID/Sticky bits using chmod. Verification is done with commands like id, groups, getfacl, ls -la, and by inspecting /etc/sudoers.d entries.

When to Use It

When onboarding a new developer and granting controlled sudo capabilities (Scenario 1).
When you need a shared project directory that automatically inherits the group (SGID) and proper permissions (Scenario 2).
When you must restrict a user to specific commands via sudoers instead of giving full root access (Scenario 3).
When you require fine-grained access to individual files without changing ownership using ACLs (e.g., granting a read/write to a file for a specific user or group).
When auditing permissions and ensuring password policies, account locks, and default behaviors are consistently applied across the system.

Quick Start

Create a new user and assign to a group:
- groupadd developers
- useradd -m -s /bin/bash -G developers devuser
Set a password for the new user:
passwd devuser
Configure sudo privileges for the user via a dedicated sudoers file (recommended):
echo "devuser ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/systemctl" > /etc/sudoers.d/devuser
chmod 440 /etc/sudoers.d/devuser
Optionally prepare a shared directory with SGID so new files inherit the group:
mkdir /shared
groupadd shared
chown root:shared /shared
chmod 2775 /shared

Best Practices

Prefer group-based permissions and assign users to roles via groups rather than granting access to individual users.
Use the /etc/sudoers.d method for sudo privileges; avoid editing /etc/sudoers directly unless necessary to reduce conflicts during upgrades.
Limit sudo privileges to only the exact commands needed; avoid broad NOPASSWD where possible unless you have a controlled, auditable environment.
Use ACLs to grant fine-grained access in addition to standard UNIX permissions, and verify with getfacl after changes.
Apply SGID on shared directories to ensure new files inherit the correct group ownership, and document group ownership conventions for consistency.
Regularly audit sudoers entries, user memberships, and ACLs; disable or lock unused accounts with usermod -L and monitor for password policy compliance with chage.
When removing access, clean up associated ACLs, sudoers entries, and group memberships to prevent orphaned rights.

Example Use Cases

Onboarding a new developer: create a dev user, add to the developers group, set a password, and grant narrowly scoped sudo rights via /etc/sudoers.d to manage Docker and systemctl usage.
Shared project workspace: establish a /shared directory owned by root:shared with 2775 permissions; add developers to the shared group so new files inherit the group.
Restrict a user to specific commands: configure a sudoers entry that only allows running systemctl status and journalctl for a given user, reducing blast radius while maintaining needed visibility.
Fine-grained access with ACLs: grant read access to a confidential log file for a junior engineer without changing file ownership, using getfacl/setfacl to apply u:engineering:rx or r-x as needed.
Special permissions management: enable a SUID binary where execution should run with the file owner’s privileges, or apply STICKY on /tmp to restrict deletions to file owners.

Frequently Asked Questions

Add this skill to your agents

Related Skills

network-tools

chaterm/terminal-skills

Linux network tools and diagnostics

shell-scripting

chaterm/terminal-skills

Bash Shell 脚本编写

file-operations

chaterm/terminal-skills

Linux file and directory operations

process-management

chaterm/terminal-skills

Linux process management and control

systemd

chaterm/terminal-skills

Systemd 服务管理

system-admin

chaterm/terminal-skills

Linux system administration and monitoring