| melchman's guide to: | UNIX Permissions |
|---|---|
| Prerequisites: | Binary Numbers |
| Sources: | Experience with HP-UX 10.20 and 11.0, 2000-2002 |
Basic Permission Structure
Unix associates permissions with every file, and because nearly everything in Unix (directories, devices, pipes) is presented as a file, permissions are important to understand. ls -l displays them as a block of 10 characters:
drwxrwxrwx
Notice the repeating sets of 3 letters, rwx. Logically this string can be seen as four components: (d)(rwx)(rwx)(rwx). The last three sets control access to the file for different sets of users. The first set controls access for the owner of the file, the second set for users in the owning group, and the last set for everybody else. This last set is sometimes called world permissions. The sets are checked in that order and the first match wins: if you own the file, only the owner set applies to you, even when the group or world set is more generous.
Access is controlled by enabling Read, Write and eXecute privileges for each user set. Read access means the user can read the contents of the file. Write access means they can change it. Execute (the x of rwx) means they can run the file as a program. On a directory the letters mean something slightly different: r lists the names in it, w creates, deletes or renames entries in it (regardless of who owns those entries, unless the sticky bit is set), and x allows the directory to be entered and the files in it to be reached by name.
File Type
The first character is the file type indicator. A "-" means a regular file. If this position is a "d" then the file is actually a directory. If it holds an "l" the file is a symbolic link to another file or directory. Other letters appear for special files, for example "c" and "b" for character and block devices and "p" for a named pipe.
Set-UID, Set-GID and Sticky Bits
Three extra bits sit alongside the rwx sets, and ls shows them by replacing an x. The set-UID bit turns the owner's x into an s. Anyone who is allowed to execute the file then runs it with the owner's identity, effectively doing an su to the owner without a password. (Security klaxons begin sounding here.) The set-GID bit turns the group's x into an s and makes the program run with the owning group's identity instead. Only the file's owner or root can set either bit, and many systems clear them when an unprivileged user writes to the file. The sticky bit is the third one and lives in the world set, where ls shows it as a t. On a directory such as /tmp it means only the owner of an entry (or the directory's owner, or root) may delete or rename that entry, which is why /tmp is mode 1777; on an executable it was originally a hint to keep the program's text in swap after it exited, which is where the name comes from, and it grants no privilege at all. (Security klaxons subside now.) A lowercase s or t means the ordinary execute permission is also granted. A capital "S" (as in rwS) or "T" means the special bit is set but execute is not; the bit does nothing useful in that state and usually indicates a chmod mistake.
Understanding the Numbers
Permissions can also be expressed as numbers, and that is the form the chmod (CHange MODe) command takes. Using a binary interpretation of each letter's position within its rwx set, reading from the right, gives the numbering scheme:
Since x is in the first binary position it is equal to 1.
Since w is in the second binary position it is equal to 2.
Since r is in the third binary position it is equal to 4.
Add the values of the letters that are present to get the digit for that set, so r-x is 4 + 1 = 5 and rwx is 7.
This is repeated for each permission set and the file type is excluded.
-421421421
-rwxrwxrwx
The special bits use the same scheme in an optional fourth digit placed in front of the other three: 4 sets set-UID, 2 sets set-GID and 1 sets the sticky bit, and they add, so 6 sets both set-UID and set-GID and 7 sets all three. Omitting the leading digit is the same as giving 0, so chmod 751 and chmod 0751 mean the same thing. Leading digits with a 1 in them (1, 3, 5, 7) are not useless: they set the sticky bit, which shows up as a t in the world set of the ls -l output.
| Command | Yields |
|---|---|
| chmod 777 | -rwxrwxrwx |
| chmod 1777 | -rwxrwxrwt |
| chmod 2777 | -rwxrwsrwx |
| chmod 3777 | -rwxrwsrwt |
| chmod 4777 | -rwsrwxrwx |
| chmod 5777 | -rwsrwxrwt |
| chmod 6777 | -rwsrwsrwx |
| chmod 7777 | -rwsrwsrwt |
| chmod 6660 | -rwSrwS--- |
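To check the table above without touching a real file, here is an added example in POSIX sh (my own code, not part of melchman's guide) that converts an ls -l mode string into the four-digit chmod value and back, including the s/S and t/T cases. The function names are my own, and the loop at the end reproduces the rows of the table.

```shell
#!/bin/sh
# Added example, not part of melchman's guide: pure POSIX sh conversion between
# the 10-character ls -l mode string and the 4-digit chmod value. Nothing on
# disk is touched; the function names are my own.

# One rwx triple -> its digit. A lowercase s or t in the x slot still means
# execute is granted; an uppercase S or T means it is not.
triple_to_digit() {
  d=0
  case "$1" in r??) d=$((d + 4)) ;; esac
  case "$1" in ?w?) d=$((d + 2)) ;; esac
  case "$1" in ??[xst]) d=$((d + 1)) ;; esac
  echo "$d"
}

# ls -l mode string (type char + 3 triples) -> 4-digit octal, e.g. -rwsr-s--x -> 6751
mode_to_octal() {
  m=$1
  [ "${#m}" -eq 10 ] || { echo "bad mode string: $m" >&2; return 1; }
  sp=0
  case "$m" in ???[sS]??????) sp=$((sp + 4)) ;; esac    # set-UID in the owner x slot
  case "$m" in ??????[sS]???) sp=$((sp + 2)) ;; esac    # set-GID in the group x slot
  case "$m" in ?????????[tT]) sp=$((sp + 1)) ;; esac    # sticky in the world x slot
  u=$(triple_to_digit "$(printf %s "$m" | cut -c2-4)")
  g=$(triple_to_digit "$(printf %s "$m" | cut -c5-7)")
  o=$(triple_to_digit "$(printf %s "$m" | cut -c8-10)")
  echo "$sp$u$g$o"
}

# One digit -> its rwx triple (the seven combinations from the table, plus 0).
digit_to_triple() {
  case "$1" in
    0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
    4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
    *) echo "bad digit: $1" >&2; return 1 ;;
  esac
}

# Overlay a special bit on a triple: x becomes the lowercase letter ($2 = s or t),
# a missing x becomes the uppercase letter, exactly as ls shows it.
apply_special() {
  case "$1" in
    *x) echo "${1%x}$2" ;;
    *)  echo "${1%?}$(printf %s "$2" | tr st ST)" ;;
  esac
}

# 3- or 4-digit octal -> ls -l mode string for a regular file, e.g. 6660 -> -rwSrwS---
octal_to_mode() {
  n=$1
  case "$n" in
    [0-7][0-7][0-7]) n="0$n" ;;               # chmod 751 is the same as chmod 0751
    [0-7][0-7][0-7][0-7]) ;;
    *) echo "bad octal mode: $n" >&2; return 1 ;;
  esac
  sp=$(printf %s "$n" | cut -c1)
  u=$(digit_to_triple "$(printf %s "$n" | cut -c2)")
  g=$(digit_to_triple "$(printf %s "$n" | cut -c3)")
  o=$(digit_to_triple "$(printf %s "$n" | cut -c4)")
  [ $((sp & 4)) -ne 0 ] && u=$(apply_special "$u" s)
  [ $((sp & 2)) -ne 0 ] && g=$(apply_special "$g" s)
  [ $((sp & 1)) -ne 0 ] && o=$(apply_special "$o" t)
  echo "-$u$g$o"
}

# Reproduce the rows of the chmod table and show that the conversion round-trips.
for n in 777 1777 2777 3777 4777 5777 6777 7777 6660; do
  m=$(octal_to_mode "$n")
  printf 'chmod %-4s  %s  back to %s\n' "$n" "$m" "$(mode_to_octal "$m")"
done
```

Feed mode_to_octal the first field of any ls -l line to get the number you would need to recreate that file's mode; the uppercase S/T cases are the ones worth grepping for on a real system, since they are almost always mistakes.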
Since each permission set follows the same value system, understanding one means understanding all three. Only the following combinations are possible in each permission set:
| Value | Code | Description |
|---|---|---|
| 0 | --- | no access |
| 1 | --x | can execute, but cannot read or change the content |
| 2 | -w- | can only write to the file |
| 3 | -wx | can write and execute the file |
| 4 | r-- | read only |
| 5 | r-x | read and execute, write protected |
| 6 | rw- | read and write, not an executable file |
| 7 | rwx | full permission |
For example, this file is owned by a developer (melchman)
and the development group (devgroup). The developer needs
to read and edit (write) the file and execute it in
testing. He wants the other developers to read and test
(execute) his code, but does not want them to make changes
without consulting him. The world needs to execute the
file. The world should not be able to change (write) the
file, and does not need to read it: it is a binary executable,
so reading it would only send gibberish and noise to the
terminal session. That is owner 7, group 5, world 1, so chmod 751 gives:
-rwxr-x--x melchman devgroup 1024 codefile
If the program needs access to something only the developer has, say a library or data file that only melchman can read, he can set the set-UID and set-GID bits so that whoever starts it, it runs with his identity and his group:
chmod 6751 codefile
this yields...
-rwsr-s--x melchman devgroup 1024 codefile
(A leading 7 would also set the sticky bit, and ls would show -rwsr-s--t.) The price is that every bug in codefile can now be exploited, by anyone in devgroup and by anyone in the world, to act as melchman, so files like this are exactly what an administrator should be finding and reviewing.
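The codefile example carried out on a scratch file, as an added example in POSIX sh that is not part of the original page: it applies chmod 751 and then 6751, reads the mode back from ls -l, sets the /tmp-style sticky bit on a directory, and runs the audit an administrator would (find with -perm -4000 and -perm -2000) to locate set-UID and set-GID files. The scratch directory, the file contents and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of melchman's guide: apply the codefile permissions to a
# scratch file, read them back from ls -l, and audit for set-UID/set-GID files.
# The scratch directory, file contents and function names are constructed here.

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# First 10 characters of ls -l for one path, e.g. -rwsr-s--x (works for directories too).
show_mode() { ls -ld "$1" | cut -c1-10; }

# Apply a numeric mode and return what ls reports afterwards.
set_and_show() { chmod "$2" "$1" && show_mode "$1"; }

# The audit: regular files under $1 with set-UID (4000) or set-GID (2000) set.
# -perm -4000 matches when at least those bits are set, whatever the rest is.
find_setid() { find "$1" -type f \( -perm -4000 -o -perm -2000 \); }

printf '#!/bin/sh\necho running as "$(id -un)"\n' > "$work/codefile"
mkdir "$work/shared"

echo "chmod 751:  $(set_and_show "$work/codefile" 751)"      # -rwxr-x--x
echo "chmod 6751: $(set_and_show "$work/codefile" 6751)"     # -rwsr-s--x
echo "chmod 1777: $(set_and_show "$work/shared" 1777)"       # drwxrwxrwt, the /tmp pattern
echo "set-id files under $work:"
find_setid "$work"                                           # lists only codefile
```

Point find_setid at / (as root, with -xdev to stay on one filesystem) and compare the list against the last run to catch new set-UID programs. Note that the scratch file here is a shell script only so the example needs no compiler: Linux ignores the set-UID bit on interpreted scripts, so the bit is displayed and found by the audit but would not actually change the identity the script runs as.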