Monday, June 7, 2010
Using system ACL's on Linux
I wrote this ages ago for a coworker who had never administered a Linux box, and thought I would share it again here since ACLs have come up a half dozen times in the last month. While it was written as a fairly basic Linux how-to, with user management and file manipulation included, it is primarily an ACL how-to; so I hope you enjoy :)
Administrators Guide
to
Users, Groups, and ACL Permissions
Note For All Unix Operating Systems
Section 0. Quick Start Command Reference
.....Scenario
.....Required Commands
.....Creating Groups and Users
..........Creating Groups
..........Creating Users
...............Example
..........Setting a user's password
...............Example
.....Using ACLs
..........More setfacl Details and Examples
...............Remove Specific Entries from an ACL
...............Remove Entire ACL
...............Using the --set Option
...............Using setfacl Recursively
...............Using ACL Entries from a File
...............Note on UID, GID, and Permissions
.....mkdir
..........Options
..........Examples
.....rm
..........Options
.....useradd
..........Options
.....userdel
..........Option
.....usermod
..........Options
.....chpasswd
..........Option
.....passwd
.....sudo
..........Options
.....users
..........Options
.....ls
..........Options
Note For All Unix Operating Systems:
Please remember EVERYTHING in Linux is case sensitive. For example, /home/YourFolder is not the same as /home/yourFolder or /home/youRfoldeR; as such it is recommended you keep all folder names lowercase and advise users that their IDs AND passwords are case sensitive. In addition, I will be indicating key commands by bolding them, and will refer to the enter/return key as [ret].
Section 0. Quick Start Command Reference
Scenario:
A user who logs into the projects server as 'even' wants to create a group called scan and create two users (ted and tod) in that group whose home folder is DevelopmentTeam.
Required Commands:
[even@projects DevelopmentTeam]# groupadd scan
[even@projects DevelopmentTeam]# useradd -c Ted_is_our_engineering_consultant -d /home/DevelopmentTeam -e 12/31/2005 -g scan ted [ret]
[even@projects DevelopmentTeam]# useradd -c Tod_is_the_citys_plan_reviewr -d /home/DevelopmentTeam -e 12/31/2005 -g scan tod [ret]
[even@projects DevelopmentTeam]# passwd tod [ret]
Changing password for user tod
New UNIX password: ********
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.
[even@projects DevelopmentTeam]# passwd ted
Changing password for user ted
New UNIX password: ********
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.
[even@projects DevelopmentTeam]#
Section I Prerequisites
ACLs, or Access Control Lists, let you set a more expressive set of file permissions than the classic owner/group/other bits. The core benefits come from being able to associate more than one group with a file, and from being able to give a user or group tight or non-existent permissions on the upstream directories while giving them full control of the downstream directories and files. The other great advantage is integration of a file server into the Active Directory of your Windows domain. With ACLs you get a much closer approximation to NTFS-style permissions (still limited to just R, W and X, but with far more flexibility over who holds them), and your Samba server can translate everything for you so that those permissions can be controlled, if slowly, by your end users from a Windows box.
Enabling ACLs
POSIX ACL support is a per-filesystem kernel option (CONFIG_EXT3_FS_POSIX_ACL and friends for the other filesystems) that every mainstream distribution, Red Hat based ones included, builds in; the getfacl and setfacl commands come from the userspace acl package. What you may still need to do is mount the volume with ACL support. In the short term you can just remount (mount -o remount,acl /), or you can edit /etc/fstab and append acl to your partition's mount options: "defaults,acl", "rw,acl" and so on. On current ext4 filesystems acl is already a default mount option (tune2fs -l lists it under Default mount options), so the fstab entry is only needed on older filesystems or where it was switched off; an "Operation not supported" error from setfacl is the sign that it is missing.
/dev/VolGroup00/LogVol00 / ext3 defaults,acl 1 1
Creating Groups and Users
Since we already had a lesson on creating groups and users I will keep this brief. What you need to keep in mind is that any user can belong to any group, and indeed to any number of groups. As such, with a little planning you can make managing your users and groups very easy. Without that prior planning, the difficulty of management grows with the product of the number of users, groups, and project folders/files.
For example, let us say we have three projects; for the most part each project has the same users, and each user will be a contributor, an editor, or a reviewer, or some combination thereof. Now, let us say that a contributor is anyone who will be posting original material, an editor is anyone who can change original material, and a reviewer is anyone who can read the material. This way you can assign the same group-level permissions (write, modify, and read respectively) to each file in the project, and then simply add users to the groups, knowing they will then have the appropriate level of permissions to the files.
By the same token, it could be that 98% of all your users will require access to read, write, and modify files, in which case you would create a single 'power user' group. In this way you have cut your work down by 66%, simply by knowing the nature of your users and how they will interact with the files. To further simplify your permission settings: since users will very rarely, if ever, actually modify a file in place on the server, your real concern is simply whether they have the proper permissions to add and remove files and modify folders. This is because, to the file server, the process of modifying the file happens entirely on a different system. So if someone is to download a file they need read access to it. If they are to upload a different file they need write access to the folder, and to upload and replace the same file (in essence modifying it) they need permission to remove the old file and add the new one, which is again write (plus execute) permission on the folder rather than on the file, unless the client rewrites the existing file in place, which needs write permission on the file itself.
If this seems a bit complicated don't worry; it is really very simple once you start to play with the permissions a bit. And while there are a few caveats about how certain permission settings interact with others, the system will display all effective permissions (getfacl flags any entry that is clipped by the mask with #effective) and I can help track down any conflicts. On that note, let us start with the commands needed to add groups and users.
Creating Groups
Creating groups could not be easier; all you need do is issue the command groupadd groupName. For example, if the name of your group was planReviewers then you would issue the command:
groupadd planReviewers [ret]
Creating Users
useradd [options] [user]
- where the [options] you will use are
- -c For user comment. For example -c iPlan's_employee_account_for_plans. Spaces in the comment must be quoted or replaced with underscores, as in the examples below, or the shell will treat the rest of the comment as separate arguments.
- -d For the user's home directory. This will always be your root folder, which will also be the highest level of access your users will ever get (at least once the chroot fences are constructed). Please remember everything is relative to YOUR root, so you will need to put /home/ in front of your folder's name. Much like, if you wanted to give access to the Projects folder in the Shared Documents folder on the C:\ drive of a Windows system, you would have to address it as C:\Shared Documents\Projects. Linux, however, makes no reference to drives in its file system and separates path components with forward slashes, so it would be /home/Shared\ Documents/Projects. Note the \ before the space: a space separates arguments on the command line, so the backslash tells the shell to take the space as a literal character. If this is confusing, just avoid spaces in your folder names. One security caveat about sharing a home directory: all accounts that share it also share its dotfiles (.bashrc, .profile, .ssh/authorized_keys, shell history), so one of those users can plant a startup file or SSH key that another will execute or trust. That is only acceptable for accounts that never get an interactive shell, which is exactly what the chroot fences are for.
- -e is the date you want the account to expire; it is always good to have the account go inactive after a certain time. This guide's examples use the MM/DD/YYYY form that the useradd of the time accepted; current shadow-utils require YYYY-MM-DD (2005-12-31), so check man useradd on your system. I would recommend it be no more than two years out. Really, you should just think of what the useful life of this account will be and ensure it expires sometime after that.
- -g For group. Please assign your users to the group that you created and feel best fits their role, for example -g landscapeArchitects. This will be their primary group. Other role-based groups can be assigned as well.
- -G For supplementary groups. These secondary groups are given by name or number in a comma-separated list with no white space, such as reviewer,contributor,supervisor.
- [user] is just the name/ID of the user, but please avoid uppercase characters, white space, and punctuation marks. That is to say Evan, evan Schube, evanSchube or evan.schube would all be bad usernames, but evan, eschube, evan_schube or evan-schube would be good usernames. Personally I would stick with the first letter of their first name and their last name, like boneal or eschube.
Example (userName and the other capitalised words are placeholders for your own values):
[yourUserID@fc4 projectBox]# useradd -c Association_with_CompanyX -d /home/WhatEverYourRootFolderIs -e 12/31/2005 -g groupName userName [ret]
Or, if say you were using the server projects.companyx.com and wanted to create a group called scan and create two users (ted and tod) in that group whose home folder is DevelopmentTeam, then you would issue the following commands.
[even@projects DevelopmentTeam]# groupadd scan
[even@projects DevelopmentTeam]# useradd -c Ted.Smith_is_our_engineering_consultant -d /home/DevelopmentTeam -e 12/31/2005 -g scan ted [ret]
[even@projects DevelopmentTeam]# useradd -c Tod.Jones_is_the_citys_plan_reviewr -d /home/DevelopmentTeam -e 12/31/2005 -g scan tod [ret]
Setting a users passwd
passwd [user]
The passwd command is simple and must be used in order to set an initial password; this way users can log in and change their own password. Please note that, as the users' administrator, you are the only one who will ever use the [user] argument: to change your own password, naming yourself as the user is redundant.
Example:
[even@projects DevelopmentTeam]# groupadd scan
[even@projects DevelopmentTeam]# useradd -c Ted.Smith_is_our_engineering_consultant -d /home/DevelopmentTeam -e 12/31/2005 -g scan ted [ret]
[even@projects DevelopmentTeam]# useradd -c Tod.Jones_is_the_citys_plan_reviewr -d /home/DevelopmentTeam -e 12/31/2005 -g scan tod [ret]
[even@projects DevelopmentTeam]# passwd tod [ret]
Changing password for user tod
New UNIX password: ********
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.
[even@projects DevelopmentTeam]# passwd ted
Changing password for user ted
New UNIX password: ********
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.
NOTE: the BAD PASSWORD warning is quite common. It comes from the PAM password-quality module (pam_cracklib on systems of this vintage, pam_pwquality on newer ones), which rejects anything that is a name, a phrase, or a word in any dictionary installed on the system, and anything short that does not mix upper and lowercase letters with digits or special characters. Although this is an excellent time to learn Gaelic, or memorise Shakespeare backwards, or learn pi from the 29th decimal place onward, the practical point is this: when root sets a password with passwd the warning is only a warning and the password is accepted anyway, but an ordinary user changing their own password will be refused outright. Do not treat the warning as noise. Set a strong temporary password, then expire it with chage so the user is forced to pick their own at first login; otherwise the password you handed over in person or by email quietly becomes the permanent one.
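To pull the steps of Section I together, here is an added example script that is not part of the original guide. It provisions the scan scenario (group scan, users ted and tod sharing /home/DevelopmentTeam, expiring at the end of 2005) with the checks an administrator would want before each command: the username rule is the naming advice from the useradd notes above, groups and users are looked up with getent so an existing name is not re-created, the expiry date is written in the YYYY-MM-DD form current shadow-utils require, -M assumes the shared home already exists, and chage -d 0 is the advice on initial passwords made concrete (the password set by passwd is expired on the spot, so the user must choose their own at first login). The comment strings are placeholders. With DRY_RUN=1, the default here, the script only prints what it would do; set DRY_RUN=0 and run it as root to actually create the accounts.

```shell
#!/bin/sh
# Added example (not from the original guide): provision the "scan" scenario
# with sanity checks. DRY_RUN=1 prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}

run() {                       # execute a command, or print it under DRY_RUN
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would run:'; printf ' %s' "$@"; printf '\n'
  else
    "$@"
  fi
}

valid_username() {            # lowercase letter first, then lowercase/digits/_/- only
  case $1 in
    ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
  esac
  return 0
}

ensure_group() {              # groupadd fails on an existing group, so check first
  if getent group "$1" >/dev/null 2>&1; then
    printf 'group %s already exists\n' "$1"
  else
    run groupadd "$1"
  fi
}

# add_user <login> <primary group> <home> <expiry YYYY-MM-DD> <comment>
add_user() {
  login=$1; group=$2; home=$3; expire=$4; comment=$5
  if ! valid_username "$login"; then
    printf 'refusing bad username: %s\n' "$login"
    return 1
  fi
  if getent passwd "$login" >/dev/null 2>&1; then
    printf 'user %s already exists, skipping\n' "$login"
    return 0
  fi
  # -M: the shared home exists already; do not create it or copy /etc/skel into it
  run useradd -M -c "$comment" -d "$home" -e "$expire" -g "$group" "$login"
  run passwd "$login"         # interactive, exactly as in the guide
  run chage -d 0 "$login"     # expire that password: the user must change it at first login
}

ensure_group scan
add_user ted scan /home/DevelopmentTeam 2005-12-31 "Ted is our engineering consultant (placeholder)"
add_user tod scan /home/DevelopmentTeam 2005-12-31 "Tod is the city's plan reviewer (placeholder)"
```

The dry-run output shows the comment unquoted, which is fine for reading but means you should copy the useradd line with quotes around the comment if you paste it into a shell by hand.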
Section II Using ACL
Using ACLs
Now, we can actually start using ACLs. The basic commands that we are interested in are:
- getfacl
- setfacl
We will first look at the getfacl command. The owner of the directory we will be working with is "tristan", and the guest user will be "axel" and the guest group will be "lensmen". First, create a test file, then look at the permissions and the ACL:
[yourUserID@fc4 projectBox]#cd /home/tristan
[yourUserID@fc4 projectBox]#cp /etc/services pizza
Note the use of the command ls (lowercase LS). It stands for list and is similar to the DOS command dir, in that it gives you a list of all files and folders in a directory; the -l option gives the long listing with the permission bits, owner, group and size.
[yourUserID@fc4 projectBox]#ls -l pizza
-rw-r--r-- 1 tristan tristan 19936 May 28 16:59 pizza
[yourUserID@fc4 projectBox]#getfacl pizza
# file: pizza
# owner: tristan
# group: tristan
user::rw-
group::r--
other::r--
So far, there is nothing very exciting to see. Now, let's change the ACL so that user "axel" can read and write to the file:
[yourUserID@fc4 projectBox]#setfacl -m u:axel:rw- pizza
[yourUserID@fc4 projectBox]#getfacl pizza
# file: pizza
# owner: tristan
# group: tristan
user::rw-
user:axel:rw-
group::r--
mask::rw-
other::r--
[yourUserID@fc4 projectBox]#ls -l pizza
-rw-rw-r--+ 1 tristan tristan 19936 May 28 16:59 pizza
You will notice that there is now an extra user entry in the ACL, and there is a "+" next to the file in the output from the ls command. The "+" indicates that an ACL has been applied to the file or directory. Now, let's add a group ("lensmen") and another user ("tippy") to the ACL for pizza:
[yourUserID@fc4 projectBox]#setfacl -m u:tippy:r--,g:lensmen:r-- pizza
[yourUserID@fc4 projectBox]#getfacl pizza
# file: pizza
# owner: tristan
# group: tristan
user::rw-
user:axel:rw-
user:tippy:r--
group::r--
group:lensmen:r--
mask::rw-
other::r--
Hmmm...what's the mask entry? This is the effective rights mask. It caps the permissions that named users, named groups, and the owning group (the group:: entry) can actually exercise; the owner's user:: entry and the other:: entry are not affected by it. If the mask is more restrictive than the permissions you granted in one of those entries, the mask wins, and getfacl shows the clipped result as #effective next to the entry. For example, let's change the mask to "r--" and give user "tippy" and group "lensmen" the permissions rwx, and see what happens:
[yourUserID@fc4 projectBox]#setfacl -m u:tippy:rwx,g:lensmen:rwx pizza
[yourUserID@fc4 projectBox]#setfacl -m mask::r-- pizza
[yourUserID@fc4 projectBox]#getfacl --omit-header pizza
user::rw-
user:axel:rw- #effective:r--
user:tippy:rwx #effective:r--
group::r--
group:lensmen:rwx #effective:r--
mask::r--
other::r--
The ACL now shows an "effective" rights mask. Even though "tippy" has been given rwx permissions, he actually only has r-- permissions because of the mask.
In most cases, I want the effective mask to allow whatever permissions I granted to named users and groups, so my mask will be rw- or rwx. I will reset it like this:
[yourUserID@fc4 projectBox]#setfacl -m m::rw- pizza
[yourUserID@fc4 projectBox]#getfacl --omit pizza
user::rw-
user:axel:rw-
user:tippy:rw-
group::r--
group:lensmen:rwx #effective:rw-
mask::rw-
other::r--
What about using the setfacl command to change normal User, Group, and Other permissions? No problem! This can be used instead of chmod:
[yourUserID@fc4 projectBox]#setfacl -m u::rwx,g::rwx,o:rwx pizza
[yourUserID@fc4 projectBox]#ls -l pizza
-rwxrwxrwx+ 1 tristan tristan 19965 May 29 09:31 pizza
[yourUserID@fc4 projectBox]#getfacl --omit pizza
user::rwx
user:axel:rw-
user:tippy:rw-
group::rwx
group:lensmen:rwx
mask::rwx
other::rwx
Note that the mask changed! Whenever you change a named user, named group, or owning-group entry with setfacl -m, the mask is recalculated to the union of all those entries, unless you pass -n (--no-mask) or give a mask entry explicitly in the same command. Therefore, if you want a restrictive mask, it must be applied after the user and group permissions are modified, or in the same -m list.
Another thing to keep in mind is that the chmod command does not alter the file's ACL entries; they remain intact. But on a file that has a mask entry, the group bits that chmod sets (and that ls -l shows in the middle of the permission string) are the mask, not the owning group's group:: entry. So a chmod g-w on such a file tightens the mask and silently clips every named user and group entry, which is the most common way an ACL stops working without anyone touching setfacl.
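The mask rules above are easy to get wrong, so here is an added example, not from the original guide, that models them: a POSIX.1e access check written as a shell function around awk. It reads getfacl output on standard input, applies the mask to the named-user, named-group and owning-group entries the way the kernel does, and answers whether a requester with a given login and group list may perform a requested access (r, w, x, or a combination). A second function recalculates the mask the way setfacl -m does when you do not pass -n. The ACL text is constructed to match the pizza example after the mask was set to r--; it is not captured from a real system, and the requesters bob and nobody are invented.

```shell
#!/bin/sh
# Added example (not from the original guide): POSIX ACL access check and mask
# recalculation over getfacl text, so the mask rules can be tried without root.

# Constructed getfacl output for the pizza example after "setfacl -m mask::r--".
SAMPLE_ACL='# file: pizza
# owner: tristan
# group: tristan
user::rw-
user:axel:rw-              #effective:r--
user:tippy:rwx             #effective:r--
group::r--
group:lensmen:rwx          #effective:r--
mask::r--
other::r--'

# acl_check <login> <groups, comma-separated> <wanted perms, e.g. rw>  (ACL on stdin)
# Prints allow/deny plus the entry class that decided; exit status 0 means allow.
acl_check() {
  awk -v who="$1" -v groups="$2" -v want="$3" '
    function has(p, w,   i) {          # does perm string p contain every bit of w?
      for (i = 1; i <= length(w); i++)
        if (index(p, substr(w, i, 1)) == 0) return 0
      return 1
    }
    function masked(p,   i, c, out) {   # clip p to the mask entry
      out = ""
      for (i = 1; i <= 3; i++) {
        c = substr(p, i, 1)
        out = out ((c != "-" && index(mask, c)) ? c : "-")
      }
      return out
    }
    /^# owner:/ { owner = $3; next }
    /^# group:/ { ogroup = $3; next }
    /^#/ || NF == 0 { next }
    {
      sub(/[ \t]+#effective:.*$/, "")   # getfacl annotations are informational only
      split($0, f, ":")
      if      (f[1] == "user"  && f[2] == "") uperm = f[3]
      else if (f[1] == "user")                named_u[f[2]] = f[3]
      else if (f[1] == "group" && f[2] == "") gperm = f[3]
      else if (f[1] == "group")               named_g[f[2]] = f[3]
      else if (f[1] == "mask")                mask = f[3]
      else if (f[1] == "other")               operm = f[3]
    }
    END {
      if (mask == "") mask = "rwx"      # no mask entry: nothing is clipped
      n = split(groups, g, ",")
      if (who == owner) {               # owner: user:: entry, never masked
        ok = has(uperm, want); why = "owner"
      } else if (who in named_u) {      # named user: masked, and group entries are NOT consulted
        ok = has(masked(named_u[who]), want); why = "named user"
      } else {
        ingroup = 0; ok = 0
        for (i = 1; i <= n; i++) {      # one matching group entry granting everything suffices
          if (g[i] == ogroup)  { ingroup = 1; if (has(masked(gperm), want)) ok = 1 }
          if (g[i] in named_g) { ingroup = 1; if (has(masked(named_g[g[i]]), want)) ok = 1 }
        }
        if (ingroup) why = "group"
        else { ok = has(operm, want); why = "other" }   # other:: entry, never masked
      }
      res = (ok ? "allow" : "deny") " (" why ")"
      print res
      exit (ok ? 0 : 1)
    }'
}

# acl_recalc_mask: the mask setfacl -m computes (union of the owning group and all
# named entries) unless -n/--no-mask or an explicit mask:: is given.  (ACL on stdin)
acl_recalc_mask() {
  awk '
    /^#/ || NF == 0 { next }
    {
      sub(/[ \t]+#effective:.*$/, "")
      split($0, f, ":")
      if (f[1] == "group" || (f[1] == "user" && f[2] != "")) {
        if (index(f[3], "r")) r = "r"
        if (index(f[3], "w")) w = "w"
        if (index(f[3], "x")) x = "x"
      }
    }
    END { printf "%s%s%s\n", (r ? r : "-"), (w ? w : "-"), (x ? x : "-") }'
}

for q in "tristan tristan w" "tippy tippy w" "axel axel,lensmen w" \
         "bob bob,lensmen r" "bob bob,lensmen w" "nobody nobody r"; do
  set -- $q
  printf '%-8s groups=%-13s %-3s -> %s\n' "$1" "$2" "$3" \
    "$(printf '%s\n' "$SAMPLE_ACL" | acl_check "$1" "$2" "$3")"
done
printf 'mask setfacl -m would recalculate: %s\n' "$(printf '%s\n' "$SAMPLE_ACL" | acl_recalc_mask)"
```

Two things the output makes visible that the getfacl listing alone does not: axel is denied write even though he is also in lensmen, because a matching named-user entry is final and the group entries are never consulted for him; and the mask setfacl would recalculate is rwx, which is why a restrictive mask has to be the last thing you set.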
More setfacl Details and Examples
The setfacl command has many options. In this section, we will look at some of the more useful ones.
Remove Specific Entries from an ACL
You can remove specific ACL entries with the -x option. In this example, we will remove the entry for user "tippy" and user "axel" but leave the other entries alone:
[yourUserID@fc4 projectBox]#getfacl --omit pizza
user::rwx
user:axel:rw-
user:tippy:rw-
group::rwx
group:lensmen:rwx
mask::rwx
other::rwx
[yourUserID@fc4 projectBox]#setfacl -x u:tippy,u:axel pizza
[yourUserID@fc4 projectBox]#getfacl --omit pizza
user::rwx
group::rwx
group:lensmen:rwx
mask::rwx
other::rwx
Remove Entire ACL
To completely remove an ACL from a file or directory:
[yourUserID@fc4 projectBox]#setfacl -b pizza
You can also use:
[yourUserID@fc4 projectBox]#setfacl --remove-all pizza
Using the --set Option
If you want to explicitly set all of the file permissions on a file or a group of files, you must use the --set option. This is different from the -m option, which only modifies the existing ACL. The --set option replaces all permissions and ACLs with the new values. When you use the --set option, all of the User, Group, and Other permissions must be defined. Here is an example:
[yourUserID@fc4 projectBox]#setfacl --set u::rw,g::rw,o::-,u:tippy:r pizza
[yourUserID@fc4 projectBox]#getfacl --omit pizza
user::rw-
user:tippy:r--
group::rw-
mask::rw-
other::---
Using setfacl Recursively
If you want to apply ACLs to an entire directory and all of its subdirectories, use the -R option. Given the directory hierarchy /home/tristan/Level1/Level2/Level3/Level4, the following command will add an ACL entry for group "lensmen" to all of the Level* directories and their contents. Two caveats: a lowercase x is applied to regular files too, making every file executable for the group, so prefer the capital X, which grants execute only on directories and on files that are already executable for someone; and -R only touches what exists now. Files created later inherit from the directory's default ACL (entries written with the d: prefix), not from this command, so a recursive access ACL without a matching default ACL will drift out of date as soon as users start adding files.
[yourUserID@fc4 projectBox]#setfacl -R -m g:lensmen:r-x /home/tristan/Level1
Using ACL Entries from a File:
What if you have a lengthy ACL that needs to be used frequently? Rather than typing it over and over again on the command line, you can save the ACL as a text file and use it to apply ACLs to other files. For example, we will create the ACL config file /home/tristan/myacl:
user:axel:rw-
user:tippy:rw-
group:lensmen:r--
group:marty:r--
group:fafnir:r--
mask::rw-
other::---
Now, we can easily apply these ACL modifications to files:
[yourUserID@fc4 projectBox]#setfacl -M myacl test*
[yourUserID@fc4 projectBox]#ls -l test*
-rw-rw----+ 1 tristan tristan 168 May 30 09:41 test1
-rw-rw----+ 1 tristan tristan 168 May 30 09:42 test2
-rw-rw----+ 1 tristan tristan 168 May 30 09:42 test3
[yourUserID@fc4 projectBox]#getfacl test1
# file: test1
# owner: tristan
# group: tristan
user::rw-
user:axel:rw-
user:tippy:rw-
group::rw-
group:marty:r--
group:lensmen:r--
group:fafnir:r--
mask::rw-
other::---
Note on UID, GID, and Permissions
When you are using setfacl, you can use numeric UIDs and GIDs instead of the actual names. The UIDs and GIDs do not have to exist yet. If you use names, then they must exist or you will get an error. You can use the
getfacl --numeric filename
command to view the numeric values.
Also, when you are specifying permissions, you can use octal permissions (0-7) instead of (r,w,x,-).
Appendix
http://www.linuxdevcenter.com/linux/cmd/cmd.csp?path=g/groupadd
http://gnumonks.org/ftp/pub/doc/chroot-howto.html
http://www.vanemery.com/Linux/linux.html
mkdir
mkdir [options] directories
Create one or more directories. You must have write permission in the parent directory in order to create a directory. See also rmdir. The default mode of the new directory is 0777, modified by the system or user's umask.
Options
-m, --mode mode
Set the access mode for new directories. See chmod for an explanation of acceptable formats for mode.
-p, --parents
Create intervening parent directories if they don't exist.
--verbose
Print a message for each directory created.
--help
Print help message and then exit.
--version
Print version number and then exit.
Examples
Create a directory named personal with mode 444. Note that without the execute bit a directory's names can be listed but nothing in it can be opened or entered, so a read-only directory you can actually work in is 555:
mkdir -m 444 personal
The following sequence:
mkdir work; cd work; mkdir junk; cd junk; mkdir questions; cd ../..
can be accomplished by typing this:
mkdir -p work/junk/questions
rm
rm [options] files
Delete one or more files. To remove a file, you must have write permission in the directory that contains the file, but you need not have permission on the file itself. If you do not have write permission on the file, you will be prompted (y or n) to override.
Options
-d, --dir
Remove empty directories (current GNU rm). Very old versions spelled this -d, --directory and used it to unlink a directory entry even if the directory was not empty, which only a privileged user could do.
-f, --force
Remove write-protected files without prompting.
--help
Print a help message and then exit.
-i, --interactive
Prompt for y (remove the file) or n (do not remove the file).
-r, -R, --recursive
If file is a directory, remove the entire directory and all its contents, including subdirectories. Be forewarned: use of this option can be dangerous.
-v, --verbose
Verbose mode (print the name of each file before removing it).
--version
Print version information and then exit.
--
Mark the end of options. Use this when you need to supply a filename beginning with -.
useradd
useradd [options] [user]
System administration command. Create new user accounts or update default account information. Unless invoked with the -D option, user must be given. useradd will create new entries in system files. Home directories and initial files may also be created as needed.
Options
-c comment
Comment field.
-d dir
Home directory. The default is to use user as the directory name under the home directory specified with the -D option.
-e date
Account expiration date. Current shadow-utils require date in the format YYYY-MM-DD; older versions, which this guide's examples were written against, accepted MM/DD/YYYY and two-digit years. The value is stored as the number of days since January 1, 1970. This option requires the use of shadow passwords.
-f days
Permanently disable account this many days after the password has expired. A value of -1 disables this feature. This option requires the use of shadow passwords.
-g group
Initial group name or ID number. If a different default group has not been specified using the -D option, the default group is 1.
-G groups
Supplementary groups given by name or number in a comma-separated list with no whitespace.
-k [dir]
Copy default files to the user's home directory. Meaningful only when used with the -m option. Default files are copied from /etc/skel/ unless an alternate dir is specified.
-m
Make user's home directory if it does not exist. The default is not to make the home directory.
-M
Do not create a home directory for the user, even if the system default in /etc/login.defs is to create one.
-n
Red Hat-specific option on older releases, now standardized as -N, --no-user-group. Turn off the default that creates a group with the same name as the username and puts the user in that group.
-o
Override. Accept a nonunique uid with the -u option. (Probably a bad idea.)
-p passwd
The encrypted password, as returned by crypt(3).
-r
Red Hat-specific option. Create a system account with a non-expiring password and a UID lower than the minimum defined in /etc/login.defs. Do not create a home directory for the account unless -m is also specified.
-s shell
Login shell.
-u uid
Numerical user ID. The value must be unique unless the -o option is used. The default value is the smallest unused ID at or above UID_MIN from /etc/login.defs (historically 100, 500 or 1000 on most current systems) and greater than every other uid.
-D [options]
Set or display defaults. If options are specified, set them. If no options are specified, display current defaults. The options are:
-b dir
Home directory prefix to be used in creating home directories. If the -d option is not used when creating an account, the user name will be appended to dir.
-e date
Expire date. Requires the use of shadow passwords.
-f days
Number of days after a password expires to disable an account. Requires the use of shadow passwords.
-g group
Initial group name or ID number.
-s shell
Default login shell.
userdel
userdel [option] user
System administration command. Delete all entries for user in system account files.
Option
-r
Remove the home directory of user and any files contained in it.
Since all users are using the same home directory, you should NEVER use the -r option: it would delete every other user's files along with the account you are removing. And unless you never plan to have that user on this system again, I would not remove users, but instead disable them: lock the password with usermod -L and expire the account with usermod -e. This also keeps the UID reserved, so files the user still owns on the server are not silently inherited by a future account that happens to be assigned the same number.
usermod
usermod [options] user
System administration command. Modify user account information.
Options
-c comment
Comment field.
-d dir
Home directory.
-e date
Account expiration date. Current shadow-utils require date in the format YYYY-MM-DD; older versions accepted MM/DD/YYYY and two-digit years. The value is stored as the number of days since January 1, 1970. This option requires the use of shadow passwords.
-f days
Permanently disable account this many days after the password has expired. A value of -1 disables this feature. This option requires the use of shadow passwords.
-g group
Initial group name or number.
-G groups
Supplementary groups given by name or number in a comma-separated list with no whitespace. user will be removed from any groups to which it currently belongs that are not included in groups.
-l name
Login name. This cannot be changed while the user is logged in.
-L
Lock user's password by putting a ! in front of it. This option cannot be used with -p or -U.
-o
Override. Accept a nonunique uid with the -u option.
-p pw
Encrypted password, as returned from crypt(3).
-s shell
Login shell.
-u uid
Numerical user ID. The value must be unique unless the -o option is used. Any files owned by user in the user's home directory will have their user ID changed automatically. Files outside of the home directory will not be changed. user should not be executing any processes while this is changed.
-U
Unlock the user's password by removing the ! that -L put in front of it. This option cannot be used with -p or -L.
chpasswd
chpasswd [option]
System administration command. Change user passwords in a batch. chpasswd accepts input in the form of one username:password pair per line. If the -e option is not specified, password is encrypted before being stored.
Option
-e
Passwords given are already encrypted
passwd
passwd [user]
Create or change a password associated with a user name. Only the owner or a privileged user may change a password. Owners need not specify their user name
sudo
sudo [options] [command]
If you are allowed, execute command as the superuser. Authorized users of sudo and the commands they are permitted to execute are listed in the sudo configuration file, /etc/sudoers. Edit that file only with visudo, which locks it and checks the syntax before saving; a syntax error in sudoers locks everyone out of sudo until it is repaired as root. If a user who is not listed in sudoers attempts to run a command, sudo will inform an administrator via email; by default it sends the message to the root account. Users attempting to run commands are prompted for their password. Once authenticated, sudo sets a timestamp for the user. For five minutes from the timestamp (the default timestamp_timeout), the user may execute further commands without being prompted for their password. This grace period may be overridden by settings in the /etc/sudoers file.
Options
-b
Execute command in the background.
-h
Print help message, then exit.
-k
Invalidate the user's timestamp so the next sudo command asks for a password again. Similar to -K, but sets the timestamp to the Epoch instead of removing it. It does not change what the user is allowed to run.
-l
List all allowed and forbidden commands for the user on the current host, then exit.
-p promptstring
Use the specified promptstring to prompt for a password. The string may contain escape codes %u and %h, which will be replaced with the current user's login name and local hostname.
-s
Run the shell specified in the SHELL environment variable, or the default shell specified in /etc/passwd. If a command is given, it should be a shell script and not a binary file.
-u user
Run command as the specified user instead of the root user. This may also be specified as a user ID number using #uid.
-v
Update timestamp for user. Prompt for password if necessary.
-H
Set the HOME environment variable to the home directory of the target user.
-K
Remove user's timestamp.
-L
List parameters that may be set as defaults for a user in the /etc/sudoers file.
-P
Preserve initial user's group membership.
-S
Read password from standard input instead of from the console.
-V
Print version number, then exit. When run by the root user, print sudo's defaults and the local network address as well.
--
Stop reading command-line arguments.
users
users [file]
Print a space-separated list of each login session on the host. Note that this may include the same user multiple times. Consult file or, by default, /var/run/utmp for current sessions; giving /var/log/wtmp as file lists past logins instead.
Options
--help
Print usage information and exit.
--version
Print version information and exit.
ls
ls [options] [names]
List contents of directories. If no names are given, list the files in the current directory. With one or more names, list files contained in a directory name or that match a file name. names can include filename metacharacters. The options let you display a variety of information in different formats. The most useful options include -F, -R, -l, and -s. Some options don't make sense together (e.g., -u and -c).
Options
-1, --format=single-column
Print one entry per line of output.
-a, --all
List all files, including the normally hidden files whose names begin with a period.
-b, --escape
Display nonprinting characters in octal and alphabetic format.
-c, --time-ctime, --time=status
List files by status change time (not creation/modification time).
--color =when
Colorize the names of files depending on the type of file. Accepted values for when are never, always, or auto.
-d, --directory
Report only on the directory, not its contents.
-f
Print directory contents in exactly the order in which they are stored, without attempting to sort them.
--full-time
List times in full, rather than use the standard abbreviations.
-g
Long listing like -l, but don't show file owners.
-h, --human-readable
Print sizes in human-readable units (K, M, G) instead of bytes.
--help
Print a help message and then exit.
-i, --inode
List the inode for each file.
--indicator-style=none
Display filenames without the flags assigned by -p or -F (default).
-k, --kilobytes
If file sizes are being listed, print them in kilobytes. This option overrides the environment variable POSIXLY_CORRECT.
-l, --format=long, --format=verbose
Long format listing (includes permissions, owner, size, modification time, etc.).
-m, --format=commas
Merge the list into a comma-separated series of names.
-n, --numeric-uid-gid
Like -l, but use group ID and user ID numbers instead of owner and group names.
-o
Long listing like -l, but don't show group information.
-p, --filetype, --indicator-style=file-type
Mark directories by appending / to them.
-q, --hide-control-chars
Show nonprinting characters as ? (default for display to a terminal).
-r, --reverse
List files in reverse order (by name or by time).
-s, --size
Print file size in blocks.
--show-control-chars
Show nonprinting characters verbatim (default for printing to a file).
--si
Similar to -h, but uses powers of 1000 instead of 1024.
-t, --sort=time
Sort files according to modification time (newest first).
-u, --time=atime, --time=access, --time=use
Sort files according to file access time.
--version
Print version information on standard output, then exit.
-x, --format=across, --format=horizontal
List files in rows going across the screen.
-v, --sort=version
Interpret the digits in names such as file.6 and file.6.1 as versions, and order filenames by version.
-w, --width=n
Format output to fit n columns.
-A, --almost-all
List all files, including the normally hidden files whose names begin with a period. Does not include the . and .. directories.
-B, --ignore-backups
Do not list files ending in ~ unless given as arguments.
-C, --format=vertical
List files in columns (the default format).
-D, --dired
List in a format suitable for Emacs dired mode.
-F, --classify, --indicator-style=classify
Flag filenames by appending / to directories, * to executable files, @ to symbolic links, | to FIFOs, and = to sockets.
-G, --no-group
In long format, do not display group name.
-H, --dereference-command-line
When symbolic links are given on the command line, follow the link and list information from the actual file.
-I, --ignore pattern
Do not list files whose names match the shell pattern pattern unless they are given on the command line.
-L, --dereference
List the file or directory referenced by a symbolic link rather than the link itself.
-N, --literal
Display special graphic characters that appear in filenames.
-Q, --quote-name
Quote filenames with "; quote nongraphic characters.
-R, --recursive
List directories and their contents recursively.
-S, --sort=size
Sort by file size, largest to smallest.
-U, --sort=none
Do not sort files.
-X, --sort=extension
Sort by file extension, then by filename.