How to know if a given user has read and/or write permissions for a given path


I should start by saying I consider myself a proficient user. But today I had the need to automate this and was stumped.

Let's suppose I am root, and as such I'm able to traverse the whole filesystem but I can't run "sudo" nor "su".

I have a given user and a given path.

How can I check, over the CLI, whether the user will be able to read and/or write to the path?

I know this sounds easy, but keep in mind that:

  • We're not, nor can we become, the user.
  • We can't just rely on the final directory permissions, as permissions higher up the path may be blocking access to the final directory.
  • We can't just rely on the directory group permissions either, in this age of inherited groups.

I'm assuming this can't be done through any command, and I'd need to first gather all user groups, then traverse the whole hierarchy of the path, check read permissions all along the path and then read & write for the final directory. Sounds awfully expensive, though.

4
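The walk the question sketches (collect the user's primary and supplementary groups, require search permission on every ancestor directory, then check the requested bits on the final entry) as an added Python example; it is not from the question or any of the answers. It applies the plain POSIX owner/group/other rule, including the root bypass, and assumes nothing beyond mode bits: ACLs, capabilities and mount options are not consulted, so it can only over-approximate on file systems that use them.

```python
import grp
import os
import pwd
import sys
from stat import S_ISREG

R, W, X = 4, 2, 1  # bits of one rwx triplet

def user_ids(username):
    """uid plus primary and supplementary gids of username."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids

def mode_allows(st_mode, st_uid, st_gid, uid, gids, want):
    """POSIX DAC rule: exactly one class applies. Owner bits if uid owns the
    entry, else group bits if any gid matches, else other bits. want is a
    mask of R, W, X and every requested bit must be present."""
    if uid == 0:
        # root bypasses read/write and directory search; executing a regular
        # file still needs at least one x bit
        return not (want & X and S_ISREG(st_mode) and not st_mode & 0o111)
    if uid == st_uid:
        bits = (st_mode >> 6) & 7
    elif st_gid in gids:
        bits = (st_mode >> 3) & 7
    else:
        bits = st_mode & 7
    return bits & want == want

def user_can(username, path, want):
    """Every ancestor directory needs X (search), the final entry needs want.
    Mode bits only: ACLs, capabilities and ro/noexec mounts are not consulted."""
    uid, gids = user_ids(username)
    path = os.path.realpath(path)            # absolute, symlinks resolved
    parts = path.split(os.sep)[1:]           # '/home/a/f' -> ['home', 'a', 'f']
    current = os.sep
    for part in parts[:-1]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if not mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, X):
            return False
    st = os.stat(path)
    return mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, want)

if __name__ == "__main__":  # usage: script.py USER PATH
    user, target = sys.argv[1], sys.argv[2]
    print("read:", user_can(user, target, R), "write:", user_can(user, target, W))
```

Because only one permission class applies, a file with mode 0044 owned by the user is correctly reported as unreadable by that user, which a check that ORs the three classes together would get wrong.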

There are 4 answers

0
kworr On BEST ANSWER

Tag me a scripting guru!

check_access() {
  checked_file=$(realpath "$1")   # absolute path, so the walk up ends at /
  target_user=$2
  result=PASS

  # Build a find expression matching any of the user's groups, e.g.
  #   ( -group 1000 -o -group 4 )
  # $groups is deliberately left unquoted below so the shell splits it into words.
  groups=$(id -G "$target_user" | sed -e 's| | -o -group |g' -e 's|^|( -group |' -e 's|$| )|')

  # Walk from the path up to /. Each component must be readable (files) or
  # searchable (directories) for the user via owner, group or other bits.
  # Note this accepts a match in any class, which over-approximates the POSIX
  # rule where only the first matching class counts.
  # find exits 0 whether or not anything matched, so test its output rather
  # than its exit status; -perm -MODE means "these bits are set", whereas
  # -perm MODE would require the mode to be exactly MODE.
  while [ "$checked_file" != / ]; do
    find "$checked_file" -maxdepth 0 \
      -type f \( \
        \( -user "$target_user" -perm -0400 \) \
        -o \( $groups -perm -0040 \) \
        -o -perm -0004 \
      \) -o -type d \( \
        \( -user "$target_user" -perm -0100 \) \
        -o \( $groups -perm -0010 \) \
        -o -perm -0001 \
      \) -print 2>/dev/null | grep -q . || result=FAIL
    checked_file=$(dirname "$checked_file")
  done
  echo "$result"
}
0
stakx - no longer contributing On

I cannot actually provide a full answer, and I can't add anything substantial to your own ideas, except perhaps this:

I suspect that a general approach to checking effective access rights does not exist, simply because access rights depend heavily on the underlying file system(s). For example, checking access rights works quite differently on file systems that use the standard Unix rwx flags (e.g. Linux' ext2, ext3) than with file systems that support ACLs (such as XFS or NTFS).

There might be several specific command-line tools that do what you want to do for specific file system types. (Analogy: tools such as fsck, mkfs may exist per file system type.)

Especially with UNIX-like operating systems, where all kinds of file systems can be mounted in one big directory structure, assuming only one specific permissions mechanism might lead to problems.

If you build your own solution for this problem, think about this fact first, then decide exactly which access right mechanism(s) you want to support. (I'm not sure, but I could imagine that Unix / the POSIX specification prescribes the rwx access rights flags as a minimum that every Unix should support.)

2
Deepak Pandey On

ls -l <file-name or dir-name>

Suppose you want to check the permissions for the uploads directory. Enter ls -l uploads. This will result like this:

total 20
drwxrwxr-x 2 tomcat ec2-user 4096 Nov  5 04:21 deals
drwxrwxr-x 2 tomcat ec2-user 4096 Nov  5 04:25 gallery-images
drwxrwxr-x 3 tomcat ec2-user 4096 Nov  5 04:25 hotels
drwxrwxr-x 3 tomcat ec2-user 4096 Nov  5 04:28 rooms
drwxrwxr-x 3 tomcat ec2-user 4096 Nov  5 04:32 temp
0
mpapis On

The best way is to validate via the user himself:

# test(1) is used instead of [[ ]] because su runs the user's login shell,
# which need not be bash; the path is quoted so spaces survive.
if sudo su - "$user_to_check" -c "test -r '$path_to_check'"
then echo "$user_to_check can read $path_to_check"
else echo "$user_to_check can not read $path_to_check"
fi
if sudo su - "$user_to_check" -c "test -w '$path_to_check'"
then echo "$user_to_check can write $path_to_check"
else echo "$user_to_check can not write $path_to_check"
fi