unix filesystem access controls in a nutshell
August 22, 2007

  1. unix filesystem objects (files, directories, links, devices etc) have three types of access controls:

    1. file permissions (changed with chmod)
    2. user owner - the owner of the object (changed with chown)
    3. group owner - the group the object is a member of (changed with chgrp)

  2. File permissions allow access to be controlled in terms of read (r), write (w), and execute (x).

  3. Permission for read, write, and execute may be defined for the user-owner, for the group-owner, and for the world (any users who are not the owner of, or in the same group as, the object). Thus there are nine individual permissions (rwxrwxrwx) per object.

  4. All users are members of at least one group, possibly more.

  5. A new filesystem object inherits the user ownership of its creator, and the group ownership of its parent directory. Consequently, all objects have a user-owner, a group-owner, and a set of permissions.

  6. The user-owner of an object can interact with that object based on the file permissions for the user-owner (eg. rwx------).

  7. Any user who is a member of the same group as a particular filesystem object (ie. a group-owner) can interact with that object based on the file permissions for the group-owner (eg. ---rwx---).

  8. Any user who is not the owner of, AND is not in the same group as, a particular filesystem object (ie. neither user-owner or group-owner) can interact with that object based on the file permissions for the world (eg. ------rwx).

  9. File permissions (eg. rwxrwxrwx) may be represented numerically (eg. 777). These are equivalent and interchangable. The conversion is done by assigning a value to r (4), w (2) and x (1), then adding them together. This is done for the owner, for the group, and for the world, then these numbers are placed in a single string. Example:

    original permissions:

      rwxrw-r--
    

    English translation:

      OWNER: read, write, execute allowed
      GROUP: read, write allowed
      WORLD: read allowed
    

    conversion of English translation to numbers:

      OWNER: 4 + 2 + 1 = 7
      GROUP: 4 + 2 = 6
      WORLD: 4 = 4
    

    final numerical representation of original permissions:

      764
    

  10. More: