File System Permissions Article Index for
File 		Website Links For
File System 		 

Information About

File System Permissions
  CATEGORIES ABOUT FILE SYSTEM PERMISSIONS
   
computer file systems
   
APPAREL
BABY
BEAUTY
BOOKS
CAR TOYS
CELL PHONES
DVD'S
ELECTRONICS
GOURMET FOOD
GROCERIES
HEALTH & PERSONAL
HOME & GARDEN
JEWELRY
MUSIC
MUSIC INSTRUMENTS
OFFICE PRODUCTS
SOFTWARE
SPORTING GOODS
TOOLS & HARDWARE
TOYS
VIDEO GAMES
SHOPPING HOME
MORE SHOPPING...




DIFFERENCES BETWEEN OPERATING SYSTEMS

Unix-like and otherwise POSIX -compliant systems have a simple system for managing individual file permissions. POSIX also specifies a system of Access Control List s, but it is only implemented by certain file systems and operating systems.

DOS variants (including the Microsoft products MS-DOS , Windows 95 , Windows 98 , and Windows Me ) do not have permissions. There is a "read-only" attribute that can be set or unset on a file by any user or program.

Mac OS X , Microsoft Windows NT and its derivatives (including Windows 2000 and Windows XP ), as well as VMS and OpenVMS use Access Control List s (ACLs) to administer a more complex and varied set of permissions.


TRADITIONAL UNIX PERMISSIONS

Permissions on Unix-like systems are managed in three distinct ''classes''. These classes are known as ''user'', ''group'', and ''others''. In effect, Unix permissions are a simplified form of Access Control List s (ACLs).


Classes

On Unix File System s, every File and Directory is ''owned'' by a specific user. The owner of an object comprises its ''user class''. Permissions assigned to the user class only apply to that specific user.

A file or directory is also assigned a group, which comprises its ''group class.'' Permissions assigned to the group class only apply to members of that group.

Users who are not otherwise represented by the other two classes comprise a file's others class.

The ''effective permissions'' that have applied to a specific user in relation to a file are determined in logical precedence. For example, the user who owns the file will have the effective permissions given to the user class regardless of those assigned to the group or others class.


Basic Permissions

There are three specific permissions on Unix-like systems that apply to every class:
  • The ''read'' permission, which grants the ability to read a file or directory tree.

  • The ''write'' permission, which grants the ability to modify a file. When set for a directory, this permission grants the ability to modify its tree. This includes creating files, changing their permissions, and deleting files.

  • The ''execute'' permission, which grants the ability to execute a file. This permission must be set in order for any file—even an executable binary—to be executed or "run" on a system. When set for a directory, this permission grants the ability to traverse its tree.


When a permission is not set, the rights it would grant are denied. Unlike ACL -based systems, permissions on a Unix-like system are not ''inherited''. Files created within a directory will not necessarily have the same permissions as that directory. The permissions to be assigned are determined using Umask s.


Additional Permissions

Unix-like systems typically employ three additional permissions or modes. These special permissions are set for a file or directory overall, not by a class.
  • The '' Set User ID '', ''setuid'', or SUID permission. When a file for which this permission has been set is executed, the resulting process will assume the effective User ID given to the user class.

  • The '' Set Group ID '', ''setgid'', or SGID permission. When a file for which this permission has been set is executed, the resulting process will assume the Group ID given to the group class. When setgid is applied to a directory, all new files created under that directory will inherit the group owner from that directory. (Default behaviour is to use the primary group of the effective user when setting group owner of new files)

  • The '' Sticky '' permission. The typical behaviour of the sticky bit on executable files encourages the Kernel to retain the resulting process image beyond termination. Directories for which the sticky permission has been set restrict user modifications to ''append-only''. Users have full control over their own files and they may create new files. However, they can only append or add to the existing files of other users.


These additional permissions are also referred to as ''setuid bit'', ''setgid bit'', and ''sticky bit'' respectively, due to the fact that they each occupy only one bit.


PERMISSION NOTATION


Symbolic notation

There are many ways by which Unix permission schemes are represented. The most common form is symbolic notation. This scheme represents permissions as a series of 10 characters.

The first character indicates the file type:

Each class of permissions is represented by three characters. The first set of characters represents the user class. The second set represents the group class. The third and final set of three characters represents the others class.

Each of the three characters represent the read, write, and execute permissions respectively:

  • 'r' if the read bit is set, '-' if it is not.

  • 'w' if the write bit is set, '-' if it is not.

  • 'x' if the execute bit is set, '-' if it is not.


The following are some examples of symbolic notation:
#"-rwxr-xr-x" for a regular file whose user class has full permissions and whose group and others classes have only the read and execute permissions.
#"crw-rw-r--" for a character special file whose user and group classes have the read and write permissions and whose others class has only the read permission.
#"dr-x
--" for a directory whose user class has read and execute permissions and whose group and others classes have no permissions.


Symbolic notation and additional permissions

The additional permissions complicate the symbolic notation somewhat. Because they are not often set by unprivileged users, knowledge of their specific convention is not necessary for an understanding of symbolic notation in general.

  1. The character that will be used to indicate that the execute bit is also set.

  2. The character that will be used when the execute bit is not set.



Here is an example:
  • "-rwsr-Sr-x" for a file whose user class has read, write, execute, and setuid permissions; whose group class has read and setgid permissions; and whose others class has read and execute permissions.



Octal notation

Another common method for representing Unix permissions is '' Octal notation''. Octal notation consists of a three- or four-digit Base -8 value.

With three-digit octal notation, each numeral represents a different component of the permission set: user class, group class, and "others" class respectively.

Each of these digits is the sum of its component bits (see also Binary Numeral System ). As a result, specific bits add to the sum as it is represented by a numeral:
  • The read bit adds 4 to its total,

  • The write bit adds 2 to its total, and

  • The execute bit adds 1 to its total.

    • These values never produce ambiguous combinations; each sum represents a specific set of permissions.


These are the examples from the Symbolic Notation section given in octal notation:
  • "-rwxr-xr-x" would be represented as 755 in three-digit octal.

  • "-rw-rw-r--" would be represented as 664 in three-digit octal.

  • "-r-x
    --"     would be represented as 500 in three-digit octal.



Octal notation and additional permissions

There is also a ''four-digit'' form of octal notation. In this scheme, the standard three digits described above become the last three digits. The first digit represents the additional permissions. On some systems, this first digit cannot be omitted; it is therefore common to use all four digits (where the first digit is zero).

This first digit is also the sum of component bits:
  • The setuid bit adds 4 to the total,

  • The setgid bit adds 2 to the total, and

  • The sticky bit adds 1 to the total.


The example from the ''Symbolic notation and additional permissions'' section, "-rwsr-Sr-x" would be represented as 6745 in four-digit octal. In addition, the examples in the previous section would be represented as 0755, 0664, and 0500 respectively in four-digit octal notation.


SEE ALSO