This page is a basic tutorial on the file permission systems of unix and Windows.
Here's an example of a file's permissions as shown by ls -al.
drwxr-xr-x 40 root wheel 1360 May 13 08:50 bin
↑             ↑    ↑                       ↑
perm          owner group                  file name
On unixes, a file has an “owner” attribute. The owner is a login account name, and each file has exactly one owner. (A directory is also considered a file here.) In the above example, the owner of the file “bin” is the login named “root”.
A file also has a “group” attribute.
A group is a set of login names, and can be set up by sys admins.
For example, if the machine has logins {jone, mary, david, joe}, a sys admin can create a group named “engineers” whose members are {joe, david}, and another group named “sales” whose members are {jone, david, mary}. There can be any number of groups, and each login name can be in multiple groups.
The “wheel” group is created by the OS by default as the group for “root”. (Typically, this group is for sys admins.)
Summary:
You can read more about owner and group with man chown, man chgrp, man id, man group.
A file also has a permission attribute. Basically, the possible permissions are: read or no read, write or no write, execute or no execute. Together, these make a permission set. There is one such set for the file's owner, one for the file's group, and one for a special name called “other”, meaning everyone who is neither the owner nor in the group.
So, typically, when you do ls -al in unix, you will see lines like:
drwxrw-rw- 1 xah xah 6608 06-08 06:48 Documents
-rw-rw-rw- 1 xah xah 6608 06-08 06:48 my_notes.txt
The “d” means it's a directory. After it you'll see 3 sets of “rwx”.
r → read perm bit set
w → write perm bit set
x → execute perm bit set
- → bit not set
The first set of rwx is associated with the file's owner. The second set is associated with the group. The third set is the “other”, which applies to all who are neither the owner nor in the group. Notice that the directory Documents also has the execute bit on (the “x”) for the owner. That is because, in order to list a directory's content and reach the files inside it, the directory needs not only the read permission but, due to a unix idiosyncrasy, also the execute bit (on a directory, “execute” means permission to enter and traverse it). (The technical detail of the unix perm system is quite a convoluted mess.)
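To make the rwx notation concrete, here is an added example in POSIX sh (not part of the original page) that turns the mode column of ls -l into the octal number that chmod takes. It goes a little beyond the text above: it also handles the s and t letters that show up in the execute position of some entries in the root-directory listing further down (setuid, setgid and the sticky bit), which land in a fourth, leading digit. The function name and the sample lines fed to it are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: convert the mode column printed
# by `ls -l` (e.g. "drwxr-xr-x") into the octal number chmod accepts ("0755").
# The owner, group and other triples become the last three digits; the first
# digit collects setuid (4), setgid (2) and sticky (1), which ls shows as an
# s/S (owner, group) or t/T (other) in the execute slot. Upper case means the
# special bit is set but the execute bit itself is not.

mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;   # drop the type character: d (dir), - (file), l (symlink), ...
        9)  ;;
        *)  echo "mode_to_octal: expected 9 or 10 characters, got '$1'" >&2; return 1 ;;
    esac
    special=0
    digits=
    i=0
    while [ "$i" -lt 3 ]; do
        # which special bit this triple can carry: owner=4, group=2, other=1
        case $i in 0) sbit=4 ;; 1) sbit=2 ;; *) sbit=1 ;; esac
        triple=$(printf '%s\n' "$m" | cut -c "$((i * 3 + 1))-$((i * 3 + 3))")
        # validate: s/S only in owner and group, t/T only in other
        case "$i$triple" in
            [01][r-][w-][xsS-]) ;;
            2[r-][w-][xtT-]) ;;
            *) echo "mode_to_octal: bad triple '$triple' in '$1'" >&2; return 1 ;;
        esac
        v=0
        case $triple in r??) v=$((v + 4)) ;; esac
        case $triple in ?w?) v=$((v + 2)) ;; esac
        case $triple in ??[xst]) v=$((v + 1)) ;; esac
        case $triple in ??[sStT]) special=$((special + sbit)) ;; esac
        digits="$digits$v"
        i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Run it over the first column of a few listing lines copied from this page
# (constructed sample input for the demo).
demo_modes() {
    printf '%s\n' \
        'drwxr-xr-x 40 root wheel 1360 May 13 08:50 bin' \
        '-rw-rw-rw- 1 xah xah 6608 06-08 06:48 my_notes.txt' \
        'drwxrwxrwt 5 root admin 170 Jun 10 11:10 Volumes' \
        'd-wx-wx-wt 2 root admin 68 Oct 8 2005 .Trashes' |
    while read -r mode rest; do
        printf '%s -> %s\n' "$mode" "$(mode_to_octal "$mode")"
    done
}

demo_modes
```

The leading digit is what makes /Volumes and .Trashes in the listing come out as 1777 and 1333 rather than 0777 and 0333: the sticky bit on a world-writable directory is what stops one user from deleting another user's files in it, which is why it matters when auditing a listing like that.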
The “xah xah” there are the owner and group attributes. Mac OS X by default creates a group with the same name as your login name. Here's another example showing different users and groups.
/:
total used in directory 14611 available 21849492
drwxrwxr-t 38 root admin 1394 Jun 10 11:07 .
drwxrwxr-t 38 root admin 1394 Jun 10 11:07 ..
-rw-rw-r-- 1 root admin 21508 Jun 10 11:56 .DS_Store
drw------- 9 root admin 306 Nov 9 2005 .Spotlight-V100
d-wx-wx-wt 2 root admin 68 Oct 8 2005 .Trashes
-rw------- 1 root wheel 1048576 Nov 9 2005 .hotfiles.btree
dr-xr-xr-x 2 root wheel 128 Jun 10 11:07 .vol
drwxrwxr-x 71 root admin 2414 Jun 10 11:56 Applications
drwxrwxr-x 17 root admin 578 Oct 13 2007 Applications (Mac OS 9)
-rw-rw-r-- 1 root admin 196608 Jun 7 18:26 Desktop DB
-rw-rw-r-- 1 root admin 1223010 Mar 1 14:55 Desktop DF
drwxrwxr-x 2 root admin 68 Sep 26 2003 Desktop Folder
drwxrwxr-x 17 root admin 578 Mar 14 2008 Developer
drwxrwxr-t 49 root admin 1666 Jul 17 2006 Library
drwxr-xr-x 1 root wheel 512 Jun 10 11:09 Network
drwxr-xr-x 4 root wheel 136 Jun 10 11:08 System
drwxrwxr-x 35 root admin 1190 Dec 1 2005 System Folder
drwxr-xr-x 2 o admin 68 Nov 18 2005 TheVolumeSettingsFolder
lrwxr-xr-x 1 root admin 60 Nov 9 2005 User Guides And Information -> /Library/Documentation/User Guides and Information.localized
drwxrwxr-t 9 root admin 306 Jan 10 17:12 Users
drwxrwxrwt 5 root admin 170 Jun 10 11:10 Volumes
drwxr-xr-x 4 root admin 136 Nov 9 2005 automount
drwxr-xr-x 40 root wheel 1360 May 13 08:50 bin
drwxrwxr-t 3 root admin 102 Mar 25 2006 cores
dr-xr-xr-x 2 root wheel 512 Jun 10 11:07 dev
lrwxr-xr-x 1 root admin 11 Oct 8 2005 etc -> private/etc
lrwxr-xr-x 1 root admin 9 Jun 10 11:07 mach -> /mach.sym
-r--r--r-- 1 root admin 604360 Jun 10 11:07 mach.sym
-rw-r--r-- 1 root wheel 4352200 Oct 17 2007 mach_kernel
drwxr-xr-x 3 root wheel 102 Apr 14 2006 opt
drwxr-xr-x 7 root wheel 238 Jun 10 11:07 private
drwxr-xr-x 63 root wheel 2142 May 13 08:50 sbin
-rw-r--r-- 1 xah admin 0 Jul 23 2008 siplog.txt
drwxr-xr-x 12 root admin 408 Jul 9 2008 sw
lrwxr-xr-x 1 root admin 11 Oct 8 2005 tmp -> private/tmp
-rw-r--r-- 1 xah admin 23 Feb 27 22:09 url_history.xml
drwxr-xr-x 11 root wheel 374 Nov 10 2005 usr
lrwxr-xr-x 1 root admin 11 Oct 8 2005 var -> private/var
You can use the following commands to change permission:
chmod → change permission on a file
chown → change owner
chgrp → change group
umask → set the default permission bits for newly created files
For detail, see: File system permissions.
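The umask entry above is the one that tends to confuse people, because it is a mask of bits to clear rather than the bits to set. The following added example (not from the original page) in POSIX sh shows the arithmetic: a program asks for 666 when creating a file and 777 when creating a directory, the kernel clears whatever bits the umask has set, and the result is what ls then prints as rwx letters. The function names and the three umask values in the table are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page: what umask does to the mode of a
# newly created file or directory, plus the octal -> rwx conversion needed to
# read the result the way ls prints it.

# Expand a 3- or 4-digit octal mode (644, 0755) into the nine rwx characters.
octal_to_symbolic() {
    bits=$(( 0$1 & 0777 ))     # leading 0 makes the shell read it as octal
    out=
    for pos in 6 3 0; do       # bit offsets of the owner, group and other triples
        t=$(( (bits >> pos) & 7 ))
        if [ $((t & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((t & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((t & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# Mode a new object gets under a given umask ($1), for kind $2 = file or dir.
# Programs request 666 for files and 777 for directories; the kernel then
# clears every bit that is set in the umask: result = requested & ~umask.
umask_result() {
    case $2 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "umask_result: kind must be 'file' or 'dir'" >&2; return 1 ;;
    esac
    printf '%03o\n' $(( base & ~0$1 ))
}

# Table for three common umasks (constructed input, not taken from a real system):
# 022 is the usual default, 002 is used on systems with per-user groups,
# 077 keeps everything private to the owner.
umask_table() {
    for u in 022 002 077; do
        f=$(umask_result "$u" file)
        d=$(umask_result "$u" dir)
        printf 'umask %s: file %s (%s)  dir %s (%s)\n' \
            "$u" "$f" "$(octal_to_symbolic "$f")" "$d" "$(octal_to_symbolic "$d")"
    done
}

umask_table
```

Note that umask can only remove bits, never add them: no umask will give a newly created plain file the execute bit, because 666 does not have it to begin with. That is also why a too-permissive umask (000 or 002 on a shared group) is worth checking in shell startup files and service definitions; the files a daemon writes inherit it silently.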
Windows's permission system for file access is called the Access Control List (ACL). It is simpler and more powerful. Here are the basics.
Basically, a file has an owner, typically the person who created the file.
A file (or in general, a process, or “object”) has a list of access entries. This list specifies who can access the object, and what type of access. For example, a file will have a list of user or group names. Each element in the list is either a login account or a group (similar to unix's notion of group, but not a hard-coded per-machine system; the group can include users across a network). For each user or group there is a set of permissions. This set includes: Full control, Modify, Read & execute, List folder contents, Read, Write, Special permissions.
In contrast to unix, the Windows system is not just one single owner and one single group per file. A file can have several users and/or several groups attached to it, and each of these gets not a simple set of rwx bits but richer permissions. Also, permissions can be inherited. ⁖ a subfolder, when created, typically inherits its parent's ACL. On unix, there's no concept of perm inheritance: when a file is created, its perm is determined by the hardcoded so-called bitmask (the umask).
For detail and reference, see: Access control list, AGDLP, User Account Control, MSDN Access Control Model: Source.
Mac OS X 10.4 or later uses the unix perm system but also allows Windows-style ACLs. See: Source arstechnica.com
In unixes, you use {chown, chgrp, chmod}, together with “find”, to set the perm bits of files or folders recursively.
In Windows, you can use the GUI (right click to get the folder's 〖Properties〗, then the 〖Security〗 tab). In “cmd.exe”, use “cacls” or “icacls”. See: Cacls and SetACL.
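Here is an added example (not from the original page) of that find + chmod pattern in POSIX sh. It builds a throwaway tree under mktemp with constructed, deliberately sloppy modes, normalizes it to the usual “directories 755, regular files 644”, and uses find -perm to verify the result; the tree layout, file names and function names are made up for the demo. chown and chgrp plug into the same find pattern, but changing ownership needs root, so the example only mentions them in a comment.

```shell
#!/bin/sh
# Added example, not from the original page: the common "directories 755,
# regular files 644" fix-up done with find + chmod, tried on a throwaway tree
# under mktemp so nothing outside it is touched. chown and chgrp follow the
# same shape (e.g. find DIR -exec chgrp engineers {} +) but need root, so they
# are not run here.

# Build a small tree with deliberately wrong modes (constructed test data).
make_sample_tree() {
    d=$(mktemp -d)                       # mktemp creates the directory as 700
    mkdir -p "$d/src/lib" "$d/docs"
    : > "$d/src/main.c"
    : > "$d/src/lib/util.c"
    : > "$d/docs/notes.txt"
    chmod 777 "$d/src" "$d/src/lib"      # world-writable directories
    chmod 700 "$d/docs"                  # group and others cannot read it
    chmod 777 "$d/src/main.c"            # world-writable, executable source file
    chmod 600 "$d/src/lib/util.c"        # readable by the owner only
    chmod 000 "$d/docs/notes.txt"        # nobody can read it
    printf '%s\n' "$d"
}

# Recursively set directories to 755 and regular files to 644. Two passes,
# because a single chmod 644 on everything would strip the x bit directories
# need to be traversable. -type f never matches a symlink (its own type is l),
# so chmod is not applied through a link to some target outside the tree.
normalize_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Count what still has the wrong mode; prints "<bad dirs> <bad files>".
# -perm MODE with no leading - matches the permission bits exactly.
count_wrong() {
    bad_d=$(find "$1" -type d ! -perm 755 | wc -l)
    bad_f=$(find "$1" -type f ! -perm 644 | wc -l)
    printf '%s %s\n' "$((bad_d))" "$((bad_f))"
}

# Count before, fix, count after, clean up. Returns the two counts as one line.
demo_recursive_chmod() {
    d=$(make_sample_tree)
    before=$(count_wrong "$d")
    normalize_tree "$d"
    after=$(count_wrong "$d")
    rm -rf "$d"
    printf 'before: %s, after: %s\n' "$before" "$after"
}

demo_recursive_chmod
```

The same ! -perm check is a cheap way to audit a tree without changing anything: run only the count_wrong part first, and find -type d -perm -002 (any world-writable directory) is the variant worth running on a web root or a shared upload area.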