Monday, June 7, 2010

Using system ACL's on Linux

I wrote this ages ago for a coworker who had never administered a Linux box, and thought I would share it again here since ACLs have come up half a dozen times in the last month. While it was written as a fairly basic Linux how-to with user management and file manipulation included, it is primarily an ACL how-to; so I hope you enjoy it :)

Administrator's Guide to Users, Groups, and ACL Permissions

Note For All Unix Operating Systems
Section 0. Quick Start Command Reference
    Scenario
    Required Commands
Section I Prerequisites
    Enabling ACL's
    Creating Groups and Users
        Creating Groups
        Creating Users
            Example
        Setting a user's passwd
            Example
Section II Using ACL
    Using ACLs
        More setfacl Details and Examples
            Remove Specific Entries from an ACL
            Remove Entire ACL
            Using the --set Option
            Using setfacl Recursively
            Using ACL Entries from a File
            Note on UID, GID, and Permissions
Appendix
    mkdir
        Options
        Examples
    rm
        Options
    useradd
        Options
    userdel
        Option
    usermod
        Options
    chpasswd
        Option
    passwd
    sudo
        Options
    users
        Options
    ls
        Options

Note For All Unix Operating Systems:

Please remember EVERYTHING in Linux is case sensitive. For example, /home/YourFolder is not the same as /home/yourFolder or /home/youRfoldeR; as such it is recommended you keep all folder names lowercase and advise users that their IDs AND passwords are case sensitive. In addition, I will indicate key commands by bolding them, and will refer to the enter/return key as [ret].

Section 0. Quick Start Command Reference

Scenario:

A user who logs into the projects server as ‘even’ wants to create a group called scan and create two users (ted and tod) in that group whose home folder is DevelopmentTeam.

Required Commands:

[even@projects DevelopmentTeam]# groupadd scan [ret]

[even@projects DevelopmentTeam]# useradd -c Ted_is_our_engineering_consultant -d /home/DevelopmentTeam -e 12/31/2005 -g scan ted [ret]

[even@projects DevelopmentTeam]# useradd -c Tod_is_the_citys_plan_reviewr -d /home/DevelopmentTeam -e 12/31/2005 -g scan tod [ret]

[even@projects DevelopmentTeam]# passwd tod [ret]

Changing password for user tod

New UNIX password: ********

BAD PASSWORD: it is based on a dictionary word

Retype new UNIX password: ********

passwd: all authentication tokens updated successfully.

[even@projects DevelopmentTeam]# passwd ted

Changing password for user ted

New UNIX password: ********

BAD PASSWORD: it is based on a dictionary word

Retype new UNIX password: ********

passwd: all authentication tokens updated successfully.

[even@projects DevelopmentTeam]#


Section I Prerequisites

Enabling ACL’s

ACLs, or Access Control Lists, enable you to provide a more robust set of file permissions. The core benefits come from being able to associate more than one group with a file, and from being able to give a user or group tight or non-existent upstream permissions while giving them total control of the downstream directories and files. The other great advantage is integration of a file server into the Active Directory of your Windows domain. With ACLs you get a much closer approximation to NTFS-style permissions (still limited to just RWX permissions, but with more flexibility in who has those permissions), and your Samba server can translate everything for you so that those permissions can be easily, albeit slowly, controlled by your end users on the Windows box.

Technically ACL is not supported in the official kernel by default. You can add it as a module, or use a distribution that compiles it as part of the kernel. Most Red Hat based distributions come with support. However, the volume must also be mounted with ACL support. To do this in the short term you can just remount (“mount / -o remount,acl”), or you can edit /etc/fstab and append acl to your partition's mount options (“defaults,acl”, “rw,acl”, etc.):

/dev/VolGroup00/LogVol00 / ext3 defaults,acl 1 1
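A small check for the fstab step above, written for this post as an added example (not the post's own code): it parses a constructed fstab-style table, finds the entry that holds a given path, and reports whether that mount lists the acl option. The table contents and the paths are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): find the fstab entry that holds
# a path and report whether that mount carries the "acl" option.  The table
# below is constructed for the example; on a real box feed it /etc/fstab.
SAMPLE_FSTAB='
# <device>                 <mount> <type> <options> <dump> <pass>
/dev/VolGroup00/LogVol00   /       ext3   defaults  1 1
/dev/sdb1                  /srv    ext3   rw,acl    0 2
tmpfs                      /tmp    tmpfs  defaults  0 0
'

# Read an fstab-style table on stdin and print the mount point that holds
# PATH (longest matching prefix), or nothing if no entry covers it.
mount_for_path() {
    awk -v p="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        {
            mp = $2
            # "/" covers everything; otherwise the path must equal the mount
            # point or continue below it with a "/" separator
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { if (best != "") print best }'
}

# Print "acl" if the mount holding PATH lists acl in its options, "noacl"
# otherwise.  Returns 1 when no entry in TABLE covers PATH.
acl_state_for_path() {
    path=$1
    table=$2
    mp=$(printf '%s\n' "$table" | mount_for_path "$path")
    [ -n "$mp" ] || return 1
    printf '%s\n' "$table" | awk -v mp="$mp" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "acl") { print "acl"; exit }
            print "noacl"; exit
        }'
}

# "/" is mounted with only "defaults" in the sample table, so /home/tristan
# reports noacl while /srv/projects reports acl.
acl_state_for_path /home/tristan "$SAMPLE_FSTAB"
acl_state_for_path /srv/projects "$SAMPLE_FSTAB"
```

Newer ext4 and xfs kernels usually enable ACLs without the fstab option, so treat a noacl result as a prompt to confirm on the live mount rather than as proof that ACLs are off.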

Creating Groups and Users

Since we already had a lesson on creating groups and users I will keep this brief. What you need to keep in mind is that any user can belong to any group, and indeed any number of groups. As such, with a little planning you can make managing your users and groups very easy. However, without this prior planning, the difficulty of management grows proportionally to the product of the number of users, groups, and project folders/files.

For example, let us say we have three projects; for the most part each project has the same users, and each user will be either a contributor, an editor, or a reviewer, or some combination thereof. Now, let us say that a contributor is anyone who will be posting original material, an editor is anyone who can change original material, and a reviewer is anyone who can read the material. This way you can assign the same group-level permissions (write, modify, and read respectively) to each file in the project, and then simply add users to the groups, knowing they will then have the appropriate level of permissions to the files.

By the same token, it could be that 98% of all your users will require access to read, write, and modify files, in which case you would create a single ‘power user’ group. In this way you have cut your work down by 66%, simply by knowing the nature of your users and how they will interact with the files. To further simplify your permission settings: since users will very rarely, if ever, actually modify a file on the server, your real concern is simply whether they have the proper permissions to add and remove files and modify folders. This is because, from the file server's point of view, the process of modifying the file happens entirely on a different system. As such, if someone is to download a file they need read access. If they are to upload a different file they need permission to add to the folder, and to upload and replace the same file (in essence modifying it) they need permission to remove the old file and add the new one.

If this seems a bit complicated, don’t worry; it is really very simple once you start to play with the permissions a bit. And while there are a few caveats about how certain permission settings interact with other permission settings, the system will display all effective permissions and I can help track down any conflicts. On that note, let us start with the commands needed to add groups and users.

Creating Groups

Creating groups could not be easier; all you need do is issue the command groupadd groupName. For example, if the name of your group was planReviewers, then you would issue the command:

groupadd planReviewers [ret]

Creating Users

useradd [options] [user]

  • where the [options] you will use are
    • -c For user comment. For example -c iPlan’s_employee_account_to_download_and_print_plans.
    • -d For the user's home directory. This will always be your root folder, which will also be the highest level of access your users will ever get (at least once the chroot fences are constructed). Please remember everything is relative to YOUR root, so you will need to put /home/ in front of your folder's name. Much as, if you wanted to give access to the Projects folder in the Shared Documents folder on the C:\ drive of a Windows system, you would have to address it as C:\Shared Documents\Projects. Linux, however, makes no reference to drives in its file system, so it would just be /Shared\ Documents/Projects. Note the \: a space is used to separate command arguments, so the \ tells the shell to take the space as a literal character. If this is confusing, just avoid spaces in your folder names.
    • -e The date you want the account to expire; it is always good to have the account go inactive after a certain time. You can use any date you wish in MM/DD/YYYY format. I would recommend it be no more than two years out. Really, you should just think of what the useful life of this account will be and ensure it expires sometime after that.
    • -g For group. Please assign your users to the group that you created and feel best fits their role, for example -g landscapeArchitects. This will be their primary group. Other role-based groups can be assigned as well.
    • -G For supplementary groups. These secondary groups are given by name or number in a comma-separated list with no white space, such as reviewer,contributor,supervisor.
  • [user] is just the name/ID of the user, but please avoid uppercase characters, white space, and punctuation marks. That is to say, Evan, evan Schube, evanSchube, or evan.schube would all be bad usernames, but evan, eschube, evan_schube, or evan-schube would be good usernames. Personally I would stick with the first letter of their first name followed by their last name, like boneal or eschube.

Example:

[yourUserID@fc4 projectBox]# useradd -c Association_with_CompanyX -d /home/WhatEverYourRootFolderIs -e 12/31/2005 -g groupName userName [ret]

Or, say you were using the server projects.companyx.com and wanted to create a group called scan and create two users (ted and tod) in that group whose home folder is DevelopmentTeam; then you would issue the following commands.

[even@projects DevelopmentTeam]# groupadd scan [ret]

[even@projects DevelopmentTeam]# useradd -c Ted.Smith_is_our_engineering_consultant -d /home/DevelopmentTeam -e 12/31/2005 -g scan ted [ret]

[even@projects DevelopmentTeam]# useradd -c Tod.Jones_is_the_citys_plan_reviewr -d /home/DevelopmentTeam -e 12/31/2005 -g scan tod [ret]

Setting a user's passwd

passwd [user]

The passwd command is simple and must be used in order to set an initial password. This way users can log in and change their own password. Please note, as the users' administrator you are the only one who will ever use the [user] option; when changing your own password, specifying yourself as the user is redundant.

Example:

[even@projects DevelopmentTeam]# groupadd scan [ret]

[even@projects DevelopmentTeam]# useradd -c Ted.Smith_is_our_engineering_consultant -d /home/DevelopmentTeam -e 12/31/2005 -g scan ted [ret]

[even@projects DevelopmentTeam]# useradd -c Tod.Jones_is_the_citys_plan_reviewr -d /home/DevelopmentTeam -e 12/31/2005 -g scan tod [ret]

[even@projects DevelopmentTeam]# passwd tod [ret]

Changing password for user tod

New UNIX password: ********

BAD PASSWORD: it is based on a dictionary word

Retype new UNIX password: ********

passwd: all authentication tokens updated successfully.

[even@projects DevelopmentTeam]# passwd ted

Changing password for user ted

New UNIX password: ********

BAD PASSWORD: it is based on a dictionary word

Retype new UNIX password: ********

passwd: all authentication tokens updated successfully.

NOTE: the warning that whatever password you type is a bad password is quite common. Unless you speak a language that was not loaded onto the system, or you use a password that is neither a name, phrase, nor dictionary word, and your password contains upper- and lowercase characters and numbers or special characters, and it is rather long, it will give you a warning… which most of us promptly ignore. Although, this is an excellent time to learn Gaelic, or memorize Shakespearean plays backwards, or know every digit of pi from the 29th decimal place all the way up, or even the name of every angel in the choir… also backwards. Then again, you could also just ignore the warning and trust your own judgment on what is a secure enough password.


Section II Using ACL

Using ACLs

Now, we can actually start using ACLs. The basic commands that we are interested in are:

  • getfacl
  • setfacl

We will first look at the getfacl command. The owner of the directory we will be working with is "tristan", and the guest user will be "axel" and the guest group will be "lensmen". First, create a test file, then look at the permissions and the ACL:

[yourUserID@fc4 projectBox]#cd /home/tristan

[yourUserID@fc4 projectBox]#cp /etc/services pizza

Note the use of the command ls (lowercase LS). This stands for list, and is similar to the DOS command dir, in that it gives you a list of all files and folders in a directory.

[yourUserID@fc4 projectBox]#ls -l pizza

-rw-r--r-- 1 tristan tristan 19936 May 28 16:59 pizza

[yourUserID@fc4 projectBox]#getfacl pizza

# file: pizza

# owner: tristan

# group: tristan

user::rw-

group::r--

other::r--

So far, there is nothing very exciting to see. Now, let's change the ACL so that user "axel" can read and write to the file:

[yourUserID@fc4 projectBox]#setfacl -m u:axel:rw- pizza

[yourUserID@fc4 projectBox]#getfacl pizza

# file: pizza

# owner: tristan

# group: tristan

user::rw-

user:axel:rw-

group::r--

mask::rw-

other::r--

[yourUserID@fc4 projectBox]#ls -l pizza

-rw-rw-r--+ 1 tristan tristan 19936 May 28 16:59 pizza

You will notice that there is now an extra user entry in the ACL, and there is a "+" next to the file in the output from the ls command. The "+" indicates that an ACL has been applied to the file or directory. Now, let's add a group ("lensmen") and another user ("tippy") to the ACL for pizza:

[root@fc2 tristan]# setfacl -m u:tippy:r--,g:lensmen:r-- pizza

[root@fc2 tristan]# getfacl pizza

# file: pizza

# owner: tristan

# group: tristan

user::rw-

user:axel:rw-

user:tippy:r--

group::r--

group:lensmen:r--

mask::rw-

other::r--

Hmmm...what's the mask entry? This is the effective rights mask. This entry limits the effective rights granted to all ACL groups and ACL users. The traditional Unix User, Group, and Other entries are not affected. If the mask is more restrictive than the ACL permissions that you grant, then the mask takes precedence. For example, let's change the mask to "r--" and give user "tippy" and group "lensmen" the permissions rwx, and see what happens:

[yourUserID@fc4 projectBox]#setfacl -m u:tippy:rwx,g:lensmen:rwx pizza

[yourUserID@fc4 projectBox]#setfacl -m mask::r-- pizza

[yourUserID@fc4 projectBox]#getfacl --omit-header pizza

user::rw-

user:axel:rw- #effective:r--

user:tippy:rwx #effective:r--

group::r--

group:lensmen:rwx #effective:r--

mask::r--

other::r--

The ACL now shows an "effective" rights mask. Even though "tippy" has been given rwx permissions, he actually only has r-- permissions because of the mask.

In most cases, I want the effective mask to allow whatever permissions I granted to named users and groups, so my mask will be rw- or rwx. I will reset it like this:

[yourUserID@fc4 projectBox]#setfacl -m m::rw- pizza

[yourUserID@fc4 projectBox]#getfacl --omit pizza

user::rw-

user:axel:rw-

user:tippy:rw-

group::r--

group:lensmen:rwx #effective:rw-

mask::rw-

other::r--

What about using the setfacl command to change normal User, Group, and Other permissions? No problem! This can be used instead of chmod:

[yourUserID@fc4 projectBox]#setfacl -m u::rwx,g::rwx,o:rwx pizza

[yourUserID@fc4 projectBox]#ls -l pizza

-rwxrwxrwx+ 1 tristan tristan 19965 May 29 09:31 pizza

[yourUserID@fc4 projectBox]#getfacl --omit pizza

user::rwx

user:axel:rw-

user:tippy:rw-

group::rwx

group:lensmen:rwx

mask::rwx

other::rwx

Note that the mask changed! Whenever you change the permissions of a user or a group with setfacl, the mask is changed to match. Therefore, if you want a restrictive mask, it must be applied after the user and group permissions are modified.

Another thing to keep in mind is that the chmod command does not alter the file's ACL...the ACL information will remain intact, except that the mask entry can change as described above.
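To make the two mask rules above concrete, here is an added example (not from the original post) that models in shell and awk how the mask clips named users, named groups and the owning group into the #effective value, and how setfacl -m (without -n) recalculates the mask as the union of those same entries. The SAMPLE_ACL text is constructed to match the pizza file after the setfacl -m u:tippy:rwx,g:lensmen:rwx and setfacl -m mask::r-- commands above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original post).  effective_acl prints what
# getfacl reports as "#effective" (each named user, named group and the owning
# group ANDed with the mask); recompute_mask derives the mask that "setfacl -m"
# without -n sets (the union of those same entries); set_entry applies one
# change and shows the mask moving with it.  Input is long-form getfacl text
# on stdin.  SAMPLE_ACL is constructed to match the pizza walkthrough.
SAMPLE_ACL='user::rw-
user:axel:rw-
user:tippy:rwx
group::r--
group:lensmen:rwx
mask::r--
other::r--'

# awk helpers shared by the functions below: bitwise AND / OR of two rwx strings
AWK_PERM='
function andp(a, b,   i, r, ca, cb) {
    r = ""
    for (i = 1; i <= 3; i++) {
        ca = substr(a, i, 1); cb = substr(b, i, 1)
        r = r ((ca != "-" && ca == cb) ? ca : "-")
    }
    return r
}
function orp(a, b,   i, r, ca, cb) {
    r = ""
    for (i = 1; i <= 3; i++) {
        ca = substr(a, i, 1); cb = substr(b, i, 1)
        r = r (ca != "-" ? ca : cb)
    }
    return r
}
'

# Annotate the entries the mask restricts, the way getfacl does.  The owner
# (user::) and other:: entries are never subject to the mask.
effective_acl() {
    awk -F: "$AWK_PERM"'
        { lines[NR] = $0; if ($1 == "mask") mask = $3 }
        END {
            for (i = 1; i <= NR; i++) {
                split(lines[i], f, ":")
                named_user = (f[1] == "user" && f[2] != "")
                if (mask != "" && (named_user || f[1] == "group")) {
                    eff = andp(f[3], mask)
                    if (eff != f[3]) { print lines[i] " #effective:" eff; continue }
                }
                print lines[i]
            }
        }'
}

# Mask that setfacl -m (without -n) recalculates: union of the owning group
# and every named user and named group entry.
recompute_mask() {
    awk -F: "$AWK_PERM"'
        BEGIN { m = "---" }
        ($1 == "user" && $2 != "") || $1 == "group" { m = orp(m, $3) }
        END { print "mask::" m }'
}

# Replace or append one long-form entry (user:tippy:rw-, group:lensmen:r-x,
# mask::r--) and then recompute the mask unless the entry itself is the mask.
# A new entry is appended at the end; order is not normalised like getfacl.
set_entry() {
    entry=$1
    key=${entry%:*}                 # "user:tippy" or "mask:"
    updated=$(awk -F: -v key="$key" -v entry="$entry" '
        ($1 ":" $2) == key { print entry; found = 1; next }
        { print }
        END { if (!found) print entry }')
    if [ "${entry%%:*}" = mask ]; then
        printf '%s\n' "$updated"    # an explicit mask is taken as given
        return 0
    fi
    newmask=$(printf '%s\n' "$updated" | recompute_mask)
    printf '%s\n' "$updated" | awk -F: -v m="$newmask" '$1 == "mask" { print m; next } { print }'
}

# Reproduce the walkthrough: the r-- mask clips axel, tippy and lensmen.
printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

The script only works on getfacl-style text and never touches the filesystem, so it can be used to predict what a planned setfacl change will do to the mask before running it.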

More setfacl Details and Examples

The setfacl command has many options. In this section, we will look at some of the more useful ones.

Remove Specific Entries from an ACL

You can remove specific ACL entries with the -x option. In this example, we will remove the entry for user "tippy" and user "axel" but leave the other entries alone:

[yourUserID@fc4 projectBox]#getfacl --omit pizza

user::rwx

user:axel:rw-

user:tippy:rw-

group::rwx

group:lensmen:rwx

mask::rwx

other::rwx

[yourUserID@fc4 projectBox]#setfacl -x u:tippy,u:axel pizza

[yourUserID@fc4 projectBox]#getfacl --omit pizza

user::rwx

group::rwx

group:lensmen:rwx

mask::rwx

other::rwx

Remove Entire ACL

To completely remove an ACL from a file or directory:

[yourUserID@fc4 projectBox]#setfacl -b pizza

You can also use:

[yourUserID@fc4 projectBox]#setfacl --remove-all pizza

Using the --set Option

If you want to explicitly set all of the file permissions on a file or a group of files, you must use the --set option. This is different from the -m option, which only modifies the existing ACL. The --set option replaces all permissions and ACLs with the new values. When you use the --set option, all of the User, Group, and Other permissions must be defined. Here is an example:

[yourUserID@fc4 projectBox]#setfacl --set u::rw,g::rw,o::-,u:tippy:r pizza

[yourUserID@fc4 projectBox]#getfacl --omit pizza

user::rw-

user:tippy:r--

group::rw-

mask::rw-

other::---

Using setfacl Recursively

If you want to apply ACLs to an entire directory and all of its subdirectories, use the -R option. Given the directory hierarchy /home/tristan/Level1/Level2/Level3/Level4, the following command will add an ACL entry for group "lensmen" to all of the Level* directories and their contents:

[yourUserID@fc4 projectBox]#setfacl -R -m g:lensmen:r-x /home/tristan/Level1

Using ACL Entries from a File:

What if you have a lengthy ACL that needs to be used frequently? Rather than typing it over and over again on the command line, you can save the ACL as a text file and use it to apply ACLs to other files. For example, we will create the ACL config file /home/tristan/myacl:

user:axel:rw-

user:tippy:rw-

group:lensmen:r--

group:marty:r--

group:fafnir:r--

mask::rw-

other::---

Now, we can easily apply these ACL modifications to files:

[yourUserID@fc4 projectBox]#setfacl -M myacl test*

[yourUserID@fc4 projectBox]#ls -l test*

-rw-rw----+ 1 tristan tristan 168 May 30 09:41 test1

-rw-rw----+ 1 tristan tristan 168 May 30 09:42 test2

-rw-rw----+ 1 tristan tristan 168 May 30 09:42 test3

[yourUserID@fc4 projectBox]#getfacl test1

# file: test1

# owner: tristan

# group: tristan

user::rw-

user:axel:rw-

user:tippy:rw-

group::rw-

group:marty:r--

group:lensmen:r--

group:fafnir:r--

mask::rw-

other::---

Note on UID, GID, and Permissions

When you are using setfacl, you can use numeric UIDs and GIDs instead of the actual names. The UIDs and GIDs do not have to exist yet. If you use names, then they must exist or you will get an error. You can use the

getfacl --numeric filename

command to view the numeric values.

Also, when you are specifying permissions, you can use octal permissions (0-7) instead of (r,w,x,-).


Appendix

http://www.linuxdevcenter.com/linux/cmd/cmd.csp?path=g/groupadd

http://gnumonks.org/ftp/pub/doc/chroot-howto.html

http://www.vanemery.com/Linux/linux.html

mkdir

mkdir [options] directories

Create one or more directories. You must have write permission in the parent directory in order to create a directory. See also rmdir. The default mode of the new directory is 0777, modified by the system or user's umask.

Options

-m, --mode mode

Set the access mode for new directories. See chmod for an explanation of acceptable formats for mode.

-p, --parents

Create intervening parent directories if they don't exist.

--verbose

Print a message for each directory created.

--help

Print help message and then exit.

--version

Print version number and then exit.

Examples

Create a read-only directory named personal:

mkdir -m 444 personal

The following sequence:

mkdir work; cd work; mkdir junk; cd junk; mkdir questions; cd ../..

can be accomplished by typing this:

mkdir -p work/junk/questions

rm

rm [options] files

Delete one or more files. To remove a file, you must have write permission in the directory that contains the file, but you need not have permission on the file itself. If you do not have write permission on the file, you will be prompted (y or n) to override.

Options

-d, --directory

Remove directories, even if they are not empty. Available only to a privileged user.

-f, --force

Remove write-protected files without prompting.

--help

Print a help message and then exit.

-i, --interactive

Prompt for y (remove the file) or n (do not remove the file).

-r, -R, --recursive

If file is a directory, remove the entire directory and all its contents, including subdirectories. Be forewarned: use of this option can be dangerous.

-v, --verbose

Verbose mode (print the name of each file before removing it).

--version

Print version information and then exit.

--

Mark the end of options. Use this when you need to supply a filename beginning with -.

useradd

useradd [options] [user]

System administration command. Create new user accounts or update default account information. Unless invoked with the -D option, user must be given. useradd will create new entries in system files. Home directories and initial files may also be created as needed.

Options

-c comment

Comment field.

-d dir

Home directory. The default is to use user as the directory name under the home directory specified with the -D option.

-e date

Account expiration date. date is in the format MM/DD/YYYY. Two-digit year fields are also accepted. The value is stored as the number of days since January 1, 1970. This option requires the use of shadow passwords.

-f days

Permanently disable account this many days after the password has expired. A value of -1 disables this feature. This option requires the use of shadow passwords.

-g group

Initial group name or ID number. If a different default group has not been specified using the -D option, the default group is 1.

-G groups

Supplementary groups given by name or number in a comma-separated list with no whitespace.

-k [dir]

Copy default files to the user's home directory. Meaningful only when used with the -m option. Default files are copied from /etc/skel/ unless an alternate dir is specified.

-m

Make user's home directory if it does not exist. The default is not to make the home directory.

-M

Do not create a home directory for the user, even if the system default in /etc/login.defs is to create one.

-n

Red Hat-specific option. Turn off the Red Hat default that creates a group with the same name as the username and puts the user in that group.

-o

Override. Accept a nonunique uid with the -u option. (Probably a bad idea.)

-p passwd

The encrypted password, as returned by crypt(3).

-r

Red Hat-specific option. Create a system account with a non-expiring password and a UID lower than the minimum defined in /etc/login.defs. Do not create a home directory for the account unless -m is also specified.

-s shell

Login shell.

-u uid

Numerical user ID. The value must be unique unless the -o option is used. The default value is the smallest ID value greater than 99 and greater than every other uid.

-D [options]

Set or display defaults. If options are specified, set them. If no options are specified, display current defaults. The options are:

-b dir

Home directory prefix to be used in creating home directories. If the -d option is not used when creating an account, the user name will be appended to dir.

-e date

Expire date. Requires the use of shadow passwords.

-f days

Number of days after a password expires to disable an account. Requires the use of shadow passwords.

-g group

Initial group name or ID number.

-s shell

Default login shell.

userdel

userdel [option] user

System administration command. Delete all entries for user in system account files.

Option

-r

Remove the home directory of user and any files contained in it.

Since all users are using the same home directory, you should NEVER use the -r option. And unless you never plan to have that user on this system again, I would not remove users, but instead disable them.

usermod

usermod [options] user

System administration command. Modify user account information.

Options

-c comment

Comment field.

-d dir

Home directory.

-e date

Account expiration date. date is in the format MM/DD/YYYY; two-digit year fields are also accepted. The value is stored as the number of days since January 1, 1970. This option requires the use of shadow passwords.

-f days

Permanently disable account this many days after the password has expired. A value of -1 disables this feature. This option requires the use of shadow passwords.

-g group

Initial group name or number.

-G groups

Supplementary groups given by name or number in a comma-separated list with no whitespace. user will be removed from any groups to which it currently belongs that are not included in groups.

-l name

Login name. This cannot be changed while the user is logged in.

-L

Lock user's password by putting a ! in front of it. This option cannot be used with -p or -U.

-o

Override. Accept a nonunique uid with the -u option.

-p pw

Encrypted password, as returned from crypt(3).

-s shell

Login shell.

-u uid

Numerical user ID. The value must be unique unless the -o option is used. Any files owned by user in the user's home directory will have their user ID changed automatically. Files outside of the home directory will not be changed. user should not be executing any processes while this is changed.

-U

Unlock the user's password by removing the ! that -L put in front of it. This option cannot be used with -p or -L.

chpasswd

chpasswd [option]

System administration command. Change user passwords in a batch. chpasswd accepts input in the form of one username:password pair per line. If the -e option is not specified, password is encrypted before being stored.

Option

-e

Passwords given are already encrypted

passwd

passwd [user]

Create or change a password associated with a user name. Only the owner or a privileged user may change a password. Owners need not specify their user name

sudo

sudo [options] [command]

If you are allowed, execute command as the superuser. Authorized users of sudo and the commands they are permitted to execute are listed in the sudo configuration file, /etc/sudoers. If an unauthorized user attempts to run a command, sudo will inform an administrator via email. By default, it will send the message to the root account. Users attempting to run commands are prompted for their password. Once authenticated, sudo sets a timestamp for the user. For five minutes from the timestamp, the user may execute further commands without being prompted for their password. This grace period may be overridden by settings in the /etc/sudoers file.

Options

-b

Execute command in the background.

-h

Print help message, then exit.

-k

Revoke user's sudo permissions. Similar to -K, but changes user's timestamp to the Epoch instead of revoking it.

-l

List all allowed and forbidden commands for the user on the current host, then exit.

-p promptstring

Use the specified promptstring to prompt for a password. The string may contain escape codes %u and %h, which will be replaced with the current user's login name and local hostname.

-s

Run the shell specified in the SHELL environment variable, or the default shell specified in /etc/passwd. If a command is given, it should be a shell script and not a binary file.

-u user

Run command as the specified user instead of the root user. This may also be specified as a user ID number using #uid.

-v

Update timestamp for user. Prompt for password if necessary.

-H

Set the HOME environment variable to the home directory of the target user.

-K

Remove user's timestamp.

-L

List parameters that may be set as defaults for a user in the /etc/sudoers file.

-P

Preserve initial user's group membership.

-S

Read password from standard input instead of from the console.

-V

Print version number, then exit. When run by the root user, print sudo's defaults and the local network address as well.

--

Stop reading command-line arguments.

users

users [file]

users option

Print a space-separated list of each login session on the host. Note that this may include the same user multiple times. Consult file or, by default, /var/log/utmp or /var/log/wtmp.

Options

--help

Print usage information and exit.

--version

Print version information and exit.

ls

ls [options] [names]

List contents of directories. If no names are given, list the files in the current directory. With one or more names, list files contained in a directory name or that match a file name. names can include filename metacharacters. The options let you display a variety of information in different formats. The most useful options include -F, -R, -l, and -s. Some options don't make sense together (e.g., -u and -c).

Options

-1, --format=single-column

Print one entry per line of output.

-a, --all

List all files, including the normally hidden files whose names begin with a period.

-b, --escape

Display nonprinting characters in octal and alphabetic format.

-c, --time-ctime, --time=status

List files by status change time (not creation/modification time).

--color =when

Colorize the names of files depending on the type of file. Accepted values for when are never, always, or auto.

-d, --directory

Report only on the directory, not its contents.

-f

Print directory contents in exactly the order in which they are stored, without attempting to sort them.

--full-time

List times in full, rather than use the standard abbreviations.

-g

Long listing like -l, but don't show file owners.

-h

Print sizes in kilobytes and megabytes.

--help

Print a help message and then exit.

-i, --inode

List the inode for each file.

--indicator-style=none

Display filenames without the flags assigned by -p or -f (default).

-k, --kilobytes

If file sizes are being listed, print them in kilobytes. This option overrides the environment variable POSIXLY_CORRECT.

-l, --format=long, --format=verbose

Long format listing (includes permissions, owner, size, modification time, etc.).

-m, --format=commas

Merge the list into a comma-separated series of names.

-n, --numeric-uid-gid

Like -l, but use group ID and user ID numbers instead of owner and group names.

-o

Long listing like -l, but don't show group information.

-p, --filetype, --indicator-style=file-type

Mark directories by appending / to them.

-q, --hide-control-chars

Show nonprinting characters as ? (default for display to a terminal).

-r, --reverse

List files in reverse order (by name or by time).

-s, --size

Print file size in blocks.

--show-control-chars

Show nonprinting characters verbatim (default for printing to a file).

--si

Similar to -h, but uses powers of 1000 instead of 1024.

-t, --sort=time

Sort files according to modification time (newest first).

-u, --time=atime, --time=access, --time=use

Sort files according to file access time.

--version

Print version information on standard output, then exit.

-x, --format=across, --format=horizontal

List files in rows going across the screen.

-v, --sort=version

Interpret the digits in names such as file.6 and file.6.1 as versions, and order filenames by version.

-w, --width=n

Format output to fit n columns.

-A, --almost-all

List all files, including the normally hidden files whose names begin with a period. Does not include the . and .. directories.

-B, --ignore-backups

Do not list files ending in ~ unless given as arguments.

-C, --format=vertical

List files in columns (the default format).

-D, --dired

List in a format suitable for Emacs dired mode.

-F, --classify, --indicator-style=classify

Flag filenames by appending / to directories, * to executable files, @ to symbolic links, | to FIFOs, and = to sockets.

-G, --no-group

In long format, do not display group name.

-H, --dereference-command-line

When symbolic links are given on the command line, follow the link and list information from the actual file.

-I, --ignore pattern

Do not list files whose names match the shell pattern pattern unless they are given on the command line.

-L, --dereference

List the file or directory referenced by a symbolic link rather than the link itself.

-N, --literal

Display special graphic characters that appear in filenames.

-Q, --quote-name

Quote filenames with "; quote nongraphic characters.

-R, --recursive

List directories and their contents recursively.

-S, --sort=size

Sort by file size, largest to smallest.

-Rfile, --reload-state file

Load state from file before starting execution.

-U, --sort=none

Do not sort files.

-X, --sort=extension

Sort by file extension, then by filename.