File system permissions
Most current file systems have methods of assigning permissions or access rights to specific users and groups of users. These systems control the ability of the users to view or make changes to the contents of the filesystem.
- 1 Operating system variations
- 2 Traditional Unix permissions
- 3 Notation of traditional Unix permissions
- 4 User private group
- 5 See also
- 6 References
- 7 External links
Operating system variations
Unix-like and otherwise POSIX-compliant systems, including Linux-based systems and all Mac OS X versions, have a simple system for managing individual file permissions, which in this article are called "traditional Unix permissions". Most of these systems also support some kind of access control lists, either proprietary (old HP-UX ACLs, for example), or POSIX.1e ACLs, based on an early POSIX draft that was abandoned, or NFSv4 ACLs, which are part of the NFSv4 standard.
Microsoft and IBM DOS variants including MS-DOS, PC DOS, Windows 95, Windows 98, Windows 98 SE, and Windows Me) do not have permissions, only file attributes. There is a read-only attribute (R), which can be set or unset on a file by any user or program, and therefore does not prevent him/her from changing/deleting the file. There is no permission in these systems which would prevent a user from reading a file.
Other MS-DOS/PC DOS-compatible operating systems such as DR DOS 3.31 and higher, PalmDOS, Novell DOS, and OpenDOS, FlexOS, 4680 OS, 4690 OS, Concurrent DOS, Multiuser DOS, Datapac System Manager and IMS REAL/32 support read/write/execute/delete file/directory access permissions on FAT volumes. With the exception of FlexOS, 4680 OS, and 4690 OS all these operating systems also support individual file/directory passwords. All operating systems except for DR DOS, PalmDOS, Novell DOS and OpenDOS also support three independent file/directory ownership classes world/group/owner, whereas the single-user operating systems DR DOS 6.0 and higher, PalmDOS, Novell DOS and OpenDOS only support them with an optional multi-user security module loaded.
OpenVMS (a.k.a. VMS), as well as Microsoft Windows NT and its derivatives (including Windows 2000 and Windows XP), use access control lists (ACLs) to administer a more complex and varied set of permissions. OpenVMS also uses a permission scheme similar to that of Unix, but more complex. There are four categories (System, Owner, Group, and World) and three types of access permissions (Read, Write, and Execute). The categories are not mutually disjoint: World includes Group which in turn includes Owner. The System category independently includes system users (similar to superusers in Unix).
Classic Mac Operating Systems are similar to DOS variants and DOS-based Windows: they do not support permissions, but only a "Protected" file attribute.
The AmigaOS Filesystem, AmigaDOS supports a relatively advanced permissions system, for a single-user OS. In AmigaOS 1.x, files had Archive, Read, Write, Execute and Delete (collectively known as ARWED) permissions/flags. In AmigaOS 2.x and higher, additional Hold, Script, and Pure permissions/flags were added.
Mac OS X versions 10.3 ("Panther") and prior use POSIX-compliant permissions. Mac OS X, beginning with version 10.4 ("Tiger"), also support the use of NFSv4 ACLs. They still support "traditional Unix permissions" as used in previous versions of Mac OS X, and the Apple Mac OS X Server version 10.4+ File Services Administration Manual recommends using only traditional Unix permissions if possible. It also still supports the Mac OS Classic's "Protected" attribute.
Traditional Unix permissions
Permissions on Unix-like systems are managed in three distinct classes. These classes are known as user, group, and others.
When a file is created on a Unix-like system, its permissions are restricted by the umask of the process that created it.
Files and directories are assigned a group, which define the file's group class. Distinct permissions apply to members of the file's group. The owner may be a member of the file's group.
Users who are not the owner, nor a member of the group, comprise a file's others class. Distinct permissions apply to others.
The effective permissions are determined based on the user's class. For example, the user who is the owner of the file will have the permissions given to the owner class regardless of the permissions assigned to the group class or others class.
There are three specific permissions on Unix-like systems that apply to each class:
- The read permission grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory (but not to find out any further information about them such as contents, file type, size, ownership, permissions, etc.)
- The write permission grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.
- The execute permission grants the ability to execute a file. This permission must be set for executable binaries (for example, a compiled C++ program) or shell scripts (for example, a Perl program) in order to allow the operating system to run them. When set for a directory, this permission grants the ability to access file contents and metainfo if its name is known, but not list files inside the directory (unless read is set).
The effect of setting the permissions on a directory (rather than a file) is "one of the most frequently misunderstood file permission issues".
When a permission is not set, the rights it would grant are denied. Unlike ACL-based systems, permissions on a Unix-like system are not inherited. Files created within a directory will not necessarily have the same permissions as that directory.
Changing permission behavior with setuid, setgid, and sticky bits
Unix-like systems typically employ three additional modes. These are actually attributes but are referred to as permissions or modes. These special modes are for a file or directory overall, not by a class.
- The set user ID, setuid, or SUID mode. When a file with setuid is executed, the resulting process will assume the effective user ID given to the owner class. This enables users to be treated temporarily as root (or another user).
- The set group ID, setgid, or SGID permission. When a file with setgid is executed, the resulting process will assume the group ID given to the group class. When setgid is applied to a directory, new files and directories created under that directory will inherit the group from that directory. (Default behaviour is to use the primary group of the effective user when setting the group of new files and directories.)
- The sticky mode. (Also known as the Text mode.) The classical behaviour of the sticky bit on executable files has been to encourage the kernel to retain the resulting process image in memory beyond termination; however such use of the sticky bit is now restricted to only a minority of unix-like operating systems (HP-UX and UnixWare). On a directory, the sticky permission prevents users from renaming, moving or deleting contained files owned by users other than themselves, even if they have write permission to the directory. Only the directory owner and superuser are exempt from this.
These additional modes are also referred to as setuid bit, setgid bit, and sticky bit, due to the fact that they each occupy only one bit.
Notation of traditional Unix permissions
There are several ways by which Unix permissions are represented.
The most common form is symbolic notation as shown by ls -l.
|Three permission triads|
|first triad||what the owner can do|
|second triad||what the group members can do|
|third triad||what other users can do|
|first character||r: readable|
|second character||w: writable|
|third character||x: executable
s or t: executable and setuid/setgid/sticky
S or T: setuid/setgid or sticky, but not executable
The first character indicates the file type and is not related to permissions. The remaining nine characters are in three sets, each representing a class of permissions as three characters. The first set represents the user class. The second set represents the group class. The third set represents the others class.
Each of the three characters represent the read, write, and execute permissions:
- r if reading is permitted, - if it is not.
- w if writing is permitted, - if it is not.
- x if execution is permitted, - if it is not.
The following are some examples of symbolic notation:
-rwxr-xr-xa regular file whose user class has full permissions and whose group and others classes have only the read and execute permissions.
crw-rw-r--a character special file whose user and group classes have the read and write permissions and whose others class has only the read permission.
dr-x------a directory whose user class has read and execute permissions and whose group and others classes have no permissions.
Note that in some Unix like systems in a display of permissions:
- + (plus) suffix indicates an Access Control List which can grant additional permissions. See details with man getfacl.
- . (dot) suffix indicates an SELinux context is present. See details with ls -Z.
- @ suffix indicates extended attributes are set
Another method for representing Unix permissions is an octal (base-8) notation as shown by stat -c %a. This notation consists of at least three digits. Each of the three rightmost digits represents a different component of the permissions: owner, group, and others.
Each of these digits is the sum of its component bits (see also Binary numeral system). As a result, specific bits add to the sum as it is represented by a numeral:
- The read bit adds 4 to its total (in binary 100),
- The write bit adds 2 to its total (in binary 010), and
- The execute bit adds 1 to its total (in binary 001).
These values never produce ambiguous combinations; each sum represents a specific set of permissions. More technically, this is an octal representation of a bit field – each bit references a separate permission, and grouping 3 bits at a time in octal corresponds to grouping these permissions by user, group, and others.
These are the examples from the Symbolic notation section given in octal notation:
|Symbolic Notation||Octal Notation||English|
||0333||write & execute|
||0555||read & execute|
||0666||read & write|
||0777||read, write, & execute|
User private group
Some systems diverge from the traditional POSIX-model of users and groups, by creating a new group – a "user private group" – for each user. The "user private group" scheme can be preferred for a variety of reasons including using a umask of 002 and not having every "user" able to write to newly created files. In this case however, no other users must be added to the "user private group" or they will have write-permission on all files.
- Access control list
- chattr or chflags which set attributes or flags including "immutable" flags which lock files, overriding and restricting their permissions
- chmod, the command used to set permissions on Unix-like systems
- File system
- Group identifier (Unix)
- User identifier (Unix)
- Hatch, Brian. "Linux File Permission Confusion pt 2", "Hacking Linux Exposed", April 24, 2003, accessed July 6, 2011.
- O'Reilly ONLamp Blog, Using User Private Groups
- Red Hat 9 Manual, User Private Groups
- Red Hat Enterprise Linux 5 Manual, 32.5. User Private Groups
- Apple Mac OS X Server version 10.4+ File Services Administration Manual (see pages 16-26)
- "Linux File Permission Confusion" by Brian Hatch 2003.
- "Linux File Permission Confusion pt 2" by Brian Hatch 2003.
- The Linux Cookbook: Groups and How to Work in Them by Michael Stutz 2004