[kwlug-disc] Access rights to file/folder

John Van Ostrand john at netdirect.ca
Thu Jul 29 14:27:19 EDT 2010


----- Original Message -----
> At 10:19 2010-07-29, John Van Ostrand wrote:
> >I'm not sure of the proper terms, but I would use "traditional unix
> >permissions" or posix permissions to describe the "-rw-rw-rw user
> >group" permissions that you see when you run "ls -l" and posix ACLs
> >for the access control lists that you see when you run "getfacl *"
> >
> >Traditional permissions allow for only three classifications of
> >people: user, group and others whereas ACLs allow a more complex
> >list.
> 
> IIRC The descriptions of the traditional permissions "-rw-rw-rw" are
> world(others), group, and user - in that order - reading from left to
> right. For executables and if the "-" is replaced with an "x", the
> file can be executed.

You have it backwards. From left to right it is officially 'u' for user, 'g' for group and 'o' for other. These letters are important when using symbolic permissions with chmod, e.g;

    chmod u=rw,g=rw,o=r filename

The first char of it is the file type and can be one of:

d - directory
c - character device
b - block device
s - socket
p - pipe
l - link
- - regular file

The next three are 'rwx' permissions for the user,

The next three are 'rwx' permissions for the group,

The next three are 'rwx' permissions for others,

If a permission is absent an '-' is displayed. The characters are positional so 'r' will only show up in one of those three spots, and 'w' only within it's three spots, etc.

The 'rwx' triplet of bits can be expressed as octal quite nicely. So you can express 'rwx' as 7, 'rw-' as 6, 'r--' as 4 and '---' as 0. This is how octal permissions work. So a permission of 'rw-rw-r--' is the same as 664. Additionally the setuid, setgid and sticky bits can be the first digit:  0664 for none set and 7664 for setuid, setgid and sticky bits set. It is common to use octal with chmod. e.g.:

    chmod 0664 filename
 
> Again IIRC, for directories(folders) and if the "-" is replaced with
> an "x", the directory can be traversed, i.e. can be an intermediate
> directory in a path to another directory which has both "x" and "r"
> attributes.

'x' on a directory means that it can be "searched". I think that's a bad term, your term traversed is better. Without 'x' you cannot access any of the children of a directory.

'r' on a directory means you can read the file names. So if you want to allow a user to see the file names in a directory but not access the files put 'r' permissions but not 'x' permissions.
 
> As I am unfamiliar with the sticky bit, the setgid bit and with ACL,
> I am following this thread closely.

Setuid (u+s) and setgid (g+s) bits set whether an executable assumes the rights of that user or group. This is why a lowly user can run /usr/bin/passwd to change their password in the /etc/shadow file when the user doesn't have rights to file directly. The passwd command is given the rights of 'root' because passwd is owned by root and the setuid bit is set. The same applies to setgid, except the group is changed.

For directories the setgid bit works by forcing new children to have the same group as the directory. I don't think the setuid bit has any effect on directories.


-- 
John Van Ostrand 
CTO, co-CEO 
Net Direct Inc. 
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6 
Ph: 866-883-1172 x5102 
Fx: 519-883-8533 

Linux Solutions / IBM Hardware 




More information about the kwlug-disc_kwlug.org mailing list