LINFO

Permissions Definition



A major feature of Linux and other Unix-like operating systems is the system of mandatory access permissions for every object (i.e., file, directory and link). This system plays a key role in providing the very high level of security and stability that characterizes such operating systems.

Each object has three types of permissions: read, write (i.e., modify) and execute (i.e., run as a program). And each of these is defined for three types of users: the owner of the object, the group (i.e., a set of users that share the same access rights) that the owner belongs to and all others. The owner is by default the user that created the object.

The root (i.e., administrative) user differs from ordinary users in that it has all three types of permissions for every object on the system. The root user can also change permissions for any object on the system for any user and can transfer ownership of objects among users.

Group permissions were designed to facilitate cooperative work. They allow the owner of an object to associate users with a group rather than having to grant access rights independently to a number of users. This can be particularly convenient when a number of objects require access by the same set of users.

The meanings of these three types of permissions are slightly different for directories than they are for files. That is, read permission for a directory provides the ability to see the names and other information about objects contained in it, write permission provides the ability to create and delete objects in it, and execute permission allows entering the directory to open objects within it.

Because there are three types of permissions for each of three types of users for each object, there are thus nine bits of permission information associated with each object. Each of these bits can have either of two values: permitted or denied.

Permissions for an object can be represented in several ways. One is textual, which appears when examining the contents of a directory using the ls (i.e., list) command with its -l (i.e., long) option.

This representation consists of a ten-character string (i.e., sequence of characters). The first character shows the file type (e.g., a hyphen for a regular file or a d for a directory). The remaining nine characters consist of three groups of three characters each, representing read (designated by r if allowed), write (designated by w if allowed) and execute (designated by x if allowed) for the owner, group and all others. Any of the three permissions for any of the three users that is not allowed is designated by a hyphen instead of a letter.

Thus, for example, if the string -rwxrw-r-- were returned by ls -l for an object, it would indicate that the object is a regular file, that the owner has read, write and execute permissions, that the group has read and write permission, and that all others have only read permission. Likewise, the string drwxr-xr-x would indicate that the object is a directory for which the owner has read, write and execute permissions while everyone else has only read and execute permissions.

Permissions can also be expressed more compactly as a set of three octal (i.e., base eight) digits. The first digit represents the owner, the second digit the group and the third digit everyone else. For each of these three digits there are eight possible values, with 0 standing for no access, 1 for execute only, 2 for write only, 3 for write and execute, 4 for read only, 5 for read and execute, 6 for read and write, and 7 for read, write and execute (i.e., everything is allowed).

To combine the permissions for any of the three types of users, all that is necessary is to add numbers to get the needed combination. For example, read and write permission (i.e., 6) can be obtained by adding 4 and 2. Likewise, all permissions (i.e., 7) can be obtained by adding the corresponding numbers for read, write and execute.

There are several ways that permissions can be changed. They include use of the chmod command (which can change permissions using either the string or octal notation), the chown command (which changes the owner) and the chgrp command (which changes the group ownership).
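The following POSIX shell functions are an added example (not part of the LINFO article) that carries the two representations described above through in working code: they convert a nine-character rwx string to its three octal digits and back, apply an octal mode with chmod to a temporary file and read the result back from ls -l, and flag the case a defender most often looks for, write permission granted to all others. The function names and the temporary file are constructed for this example; they handle only the nine read/write/execute bits the article describes.

```shell
#!/bin/sh
# Added example: converting between the ls -l string form and the octal form
# of Unix permissions, and applying a mode with chmod.

# sym_to_octal: "rwxrw-r--" -> "764"
# Each triple is scored by adding 4 (r), 2 (w) and 1 (x), as the article explains.
sym_to_octal() {
    s=$1
    result=""
    for start in 1 4 7; do
        triple=$(printf '%s' "$s" | cut -c"$start-$((start + 2))")
        n=0
        case $triple in r??) n=$((n + 4));; esac
        case $triple in ?w?) n=$((n + 2));; esac
        case $triple in ??x) n=$((n + 1));; esac
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# octal_to_sym: "764" -> "rwxrw-r--"
# Each digit is tested bit by bit: 4 = read, 2 = write, 1 = execute.
octal_to_sym() {
    o=$1
    result=""
    for pos in 1 2 3; do
        d=$(printf '%s' "$o" | cut -c"$pos")
        bits=""
        if [ $((d & 4)) -ne 0 ]; then bits="${bits}r"; else bits="${bits}-"; fi
        if [ $((d & 2)) -ne 0 ]; then bits="${bits}w"; else bits="${bits}-"; fi
        if [ $((d & 1)) -ne 0 ]; then bits="${bits}x"; else bits="${bits}-"; fi
        result="$result$bits"
    done
    printf '%s\n' "$result"
}

# mode_of: the nine permission characters of an object, taken from ls -ld.
# Character 1 of the ls string is the file type, so characters 2-10 are kept.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# demo_chmod: create a temporary file (constructed for this example), set mode
# 764 with chmod, and return what ls reports, which should be "rwxrw-r--".
demo_chmod() {
    tmp=$(mktemp) || return 1
    chmod 764 "$tmp"
    got=$(mode_of "$tmp")
    rm -f "$tmp"
    printf '%s\n' "$got"
}

# others_writable: succeed (exit 0) when the third triple grants write, i.e.
# any user on the system may modify the object. A quick check for the
# over-permissive modes (e.g. 666, 777) worth reviewing on a shared system.
others_writable() {
    case $1 in ???????w?) return 0;; *) return 1;; esac
}

# Worked values from the article:
printf 'rwxrw-r-- -> %s\n' "$(sym_to_octal rwxrw-r--)"   # 764
printf 'rwxr-xr-x -> %s\n' "$(sym_to_octal rwxr-xr-x)"   # 755
printf '764 -> %s\n' "$(octal_to_sym 764)"               # rwxrw-r--
```

The functions work on the nine-character string that follows the file-type character, so a full ls -l entry such as -rwxrw-r-- must be passed through mode_of (or cut -c2-10) first. Because case patterns and arithmetic expansion are all POSIX, the script runs under dash, bash and the BSD sh without change.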






Created June 9, 2006.
Copyright © 2006 The Linux Information Project. All Rights Reserved.