How to check if a user can access a given file?

Question

*nix user permissions are really simple, but things can get messy when you have to take in account all the parent directory access before reaching a given file. How can I check if the user has enough privileges? If not, then which directory is denying access?

For example, suppose a user joe, and the file /long/path/to/file.txt. Even if file.txt was chmoded to 777, joe still has to be able to access /long/, and then /long/path/ and then /long/path/to/ before. What I need is a way to automatically check this. If joe does not have access, I would also like to know where he has been denied. Maybe he can access /long/, but not /long/path/.

So you're question is more "how to determine why a user cannot access a file"? :) — rogerdpack
– rogerdpack, Commented Nov 14, 2019 at 23:34

Kevin Burke · Accepted Answer · 2020-06-23 00:56:09Z

111

To verify access visually, you can use

namei -m /path/to/really/long/directory/with/file/in

which will output all of the permissions in the path in a vertical list.

or

namei -l /path/to/really/long/directory/with/file/in

to list all owners and the permissions. Other answers explain how to verify this programmatically.

edited Jun 23, 2020 at 0:56

Kevin Burke

2,0914 gold badges24 silver badges30 bronze badges

answered Sep 26, 2014 at 8:48

exussum

4,1535 gold badges21 silver badges21 bronze badges

2

This should be the right answer. In fact using namei <path> || exit 1 allows you to detect a permission problem much easily in a script.

lorenzog
– lorenzog

2016-06-02 10:01:18 +00:00
Commented Jun 2, 2016 at 10:01
30

it doesn't answer directly whether joe has access to the file.

jfs
– jfs

2017-11-06 20:03:22 +00:00
Commented Nov 6, 2017 at 20:03
1

This also does not elucidate how access control lists might influence things.

Andrew M
– Andrew M

2021-09-15 00:41:50 +00:00
Commented Sep 15, 2021 at 0:41

Add a comment |

Jesse Nickles · Accepted Answer · 2022-08-15 14:13:21Z

30

If you have root access, impersonate the user, then run test -r (read), test -w (write), or test -x (execute) to check whether the user can read/write/execute the given file.

sudo -u otheruser test -w /file/to/test || {
   echo "otheruser cannot write the file"
}

edited Aug 15, 2022 at 14:13

Jesse Nickles

2193 silver badges11 bronze badges

answered Nov 14, 2019 at 22:41

Kevin Burke

2,0914 gold badges24 silver badges30 bronze badges

3

This is exact answer what I was searching for. Title of this question could be misleading.

Mojtaba Rezaeian
– Mojtaba Rezaeian

2020-04-29 05:01:25 +00:00
Commented Apr 29, 2020 at 5:01
3

a slight embellishment to check if a process running as "USER:GROUP" can access a given file would be the following command: sudo su - USER -g GROUP -s /bin/bash -c "test -r /path/to/file"

MNB
– MNB

2021-01-23 14:53:11 +00:00
Commented Jan 23, 2021 at 14:53

Add a comment |

score 21 · Accepted Answer · 2013-07-10 19:40:01Z

21

You can use bash to do this.

$ cat check-permissions.sh
#!/bin/bash
file=$1
# Handle non-absolute paths
if ! [[ "$file" == /* ]] ; then
    path=.
fi
dirname "$file" | tr '/' $'\n' | while read part ; do
    path="$path/$part"
    # Check for execute permissions
    if ! [[ -x "$path" ]] ; then
        echo "'$path' is blocking access."
    fi
done
if ! [[ -r "$file" ]] ; then
    echo "'$file' is not readable."
fi
$ ./check-permissions.sh /long/path/to/file.txt

To check this for a specific user, you can use sudo.

sudo -u joe ./check-permissions.sh /long/path/to/file.txt

edited Jul 10, 2013 at 19:40

answered Jul 9, 2013 at 14:19

user26112

sudo -u joe script . Here script is the name of the script file right? so your telling sudo to act like joe was calling the script?

tgkprog
– tgkprog

2013-07-09 14:24:07 +00:00
Commented Jul 9, 2013 at 14:24
Precisely. I have modified my answer to clarify that.

user26112
– user26112

2013-07-09 14:31:31 +00:00
Commented Jul 9, 2013 at 14:31
I made a slight modification to my script to handle non-absolute paths.

user26112
– user26112

2013-07-09 14:47:46 +00:00
Commented Jul 9, 2013 at 14:47
@EvanTeitelman With an absolute path, did you mean to initialize path to be empty? or /?

Gilles 'SO- stop being evil'
– Gilles 'SO- stop being evil'

2013-07-09 20:31:40 +00:00
Commented Jul 9, 2013 at 20:31
@Gilles: I meant for it to be empty. In the example, path is set to /long the first time around the loop, which is correct. Should I set path to nothing explicitly (path=)? Also, thanks for simplifying out my use of tr.

user26112
– user26112

2013-07-09 20:58:43 +00:00
Commented Jul 9, 2013 at 20:58

| Show 6 more comments

rush · Accepted Answer · 2013-07-10 17:48:26Z

5

As I got from your question, you should check it for different users (not only joe), so in that case the easiest way is to recursivly check it via sudo like this:

FILE=$1 ; T_USER=$2 ;
if sudo -u $T_USER [ -r "$FILE" ] ; then
    echo "original file $1 is readable for $T_USER"
else
    while sudo -u $T_USER [ ! -x "$FILE" ] ; do FILE=$(dirname "$FILE") ; done
    echo "only $FILE is readable for $T_USER"
fi

usage:

./script.sh /long/path/to/file.txt joe

edited Jul 10, 2013 at 17:48

answered Jul 9, 2013 at 14:18

rush

28.1k9 gold badges92 silver badges115 bronze badges

Joe needs execute permissions on the directories, not read permissions.

user26112
– user26112

2013-07-09 14:20:23 +00:00
Commented Jul 9, 2013 at 14:20
@EvanTeitelman yes, you're right. Fixed.

rush
– rush

2013-07-09 14:29:52 +00:00
Commented Jul 9, 2013 at 14:29
@rush I tried to test it using the following file: /root/test/test.txt (permissions are 0755, 0700, and 0777). I issued ./script.sh /root/test/test.txt joe and it echoed original file /root/test/test.txt is readable for joe. Also, while trying this I misstyped the test dir: ./script.sh /root/tst/test.txt joe, and it echoed original file /root/tst/test.txt is readable for joe. Did I missed something?

Metalcoder
– Metalcoder

2013-07-10 17:46:31 +00:00
Commented Jul 10, 2013 at 17:46
@Metalcoder sorry, it's my fault. There was one extra exclamation. It's removed now, you can try it one more time, it should work fine now.

rush
– rush

2013-07-10 17:50:02 +00:00
Commented Jul 10, 2013 at 17:50
@rush it worked! That extra exclamation negates the result of -r $FILE, right?

Metalcoder
– Metalcoder

2013-07-10 18:10:27 +00:00
Commented Jul 10, 2013 at 18:10

| Show 1 more comment

slm · Accepted Answer · 2013-07-09 20:56:21Z

Here's my attempt at providing this functionality. I've opted to use stat, a while loop, and dirname.

I've created this script, walkdir.bash:

#/bin/bash

cwd="$1"
while [ "x$cwd" != x/ ]; do
  info=`stat "$cwd" |grep "Access: ("`
  printf "%s : %s\n" "$info" "$cwd"

  cwd=`dirname "$cwd"`;
done

You run it like so:

$ walkdir.bash "/home/saml/blog/vmware_networking_tutorial/url.txt"
Access: (0664/-rw-rw-r--)  Uid: (  500/    saml)   Gid: (  501/    saml) : /home/saml/blog/vmware_networking_tutorial/url.txt
Access: (0775/drwxrwxr-x)  Uid: (  500/    saml)   Gid: (  501/    saml) : /home/saml/blog/vmware_networking_tutorial
Access: (0775/drwxrwxr-x)  Uid: (  500/    saml)   Gid: (  501/    saml) : /home/saml/blog
Access: (0700/drwx------)  Uid: (  500/    saml)   Gid: (  501/    saml) : /home/saml
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root) : /home

rainu · Accepted Answer · 2024-07-07 03:20:31Z

0

To check for a specific user, you can try the below.

sudo -u username namei path /long/path/to/file.txt

It will give you output as below if the user has access to the file.

f: /long/path/to/file.txt
d /
d long
d path
d to
- file.txt

Taking reference from https://serverfault.com/a/1139094/1104571

answered Jul 7, 2024 at 3:20

rainu

1011 bronze badge

Add a comment |

Stack Exchange Network

How to check if a user can access a given file?

6 Answers 6

You must log in to answer this question.

Linked

Hot Network Questions

How to check if a user can access a given file?

6 Answers 6

You must log in to answer this question.

Linked

Related

Hot Network Questions