Unix file rights

from Wikipedia, the free encyclopedia

The Unix file rights are the file permissions of Unix and Unix derivatives such as Linux and macOS. The division of permissions into owner, group and others has existed since UNIX V4 (1974). Earlier UNIX versions had only 6 bits for file rights (read/write for owner and non-owner, execute and set-UID). The current UNIX file rights are characterized by a simple structure that can be used intuitively by people and at the same time places low demands on the computer. Nevertheless, even complex everyday problems in a multi-user environment can be solved with these file rights.

Basics

User classes

On Unix file systems, each inode, i.e. ultimately every file, carries a set of access rights. Rights are regulated for the following user classes:

owner
(English user), a particular user account on the computer
group
(English group), a particular Unix user group
others
(English others), anyone else who is neither the owner nor a member of the owner group.

The effective rights that a user has to a file are determined in the order given here: the first class that applies decides. For example, the owner of a file has exactly the rights given to him in the owner position, regardless of the rights he would have as a group member.

The owner (and, where rights are not fine-grained, root) is the only one able to change the file rights of his file or to change the file owner or group (chown, chgrp). With fine-grained rights, any user holding the PRIV_FILE_OWNER privilege may also do this for local files, and it may even be that root does not have this privilege.
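The class-precedence rule above (owner, then group, then others, first match wins) is easy to get wrong, so here is an added example, not from the article, that implements it over a 12-bit mode value. The sample uid/gid values are constructed; privilege overrides such as root or PRIV_FILE_OWNER are deliberately not modelled.

```python
# Added example (not part of the Wikipedia article): which user class applies to a
# process, and what that class grants. The classes are tested in the order
# owner, group, others; the first match decides, so group rights never "add" to
# an owner's rights. Privilege overrides (root, PRIV_FILE_OWNER) are not modelled.

CLASS_SHIFT = {"owner": 6, "group": 3, "others": 0}   # bit offset of each class
RIGHT_BITS = {"r": 4, "w": 2, "x": 1}                 # octal weight of each right


def applicable_class(file_uid, file_gid, uid, gids):
    """Return 'owner', 'group' or 'others' for a process with (uid, gids)."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "others"


def class_rights(mode, cls):
    """Three-bit rights value (0-7) of class 'cls' in a mode such as 0o755."""
    return (mode >> CLASS_SHIFT[cls]) & 0o7


def may(mode, file_uid, file_gid, uid, gids, right):
    """True if the process may perform 'right' ('r', 'w' or 'x') on the object."""
    cls = applicable_class(file_uid, file_gid, uid, gids)
    return bool(class_rights(mode, cls) & RIGHT_BITS[right])


if __name__ == "__main__":
    # Constructed sample: object owned by uid 1000 / gid 100 with mode 0o057
    # (owner: ---, group: r-x, others: rwx). The owner gets nothing even though
    # both group and others may read, because the owner class is matched first.
    print(may(0o057, 1000, 100, uid=1000, gids={100}, right="r"))  # False
    print(may(0o057, 1000, 100, uid=1001, gids={100}, right="r"))  # True
    print(may(0o057, 1000, 100, uid=1002, gids={200}, right="w"))  # True
```

The owner in the sample is also a member of the owning group, yet is denied reading: this is the "regardless of the rights he would have as a group member" case from the text.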

Fundamental rights

Each of the three user classes can be assigned one or more of the following rights:

Read
(English read) The user may read from the file or, in the case of a directory, list its contents; the listing alone grants no rights to the files themselves. This right is usually represented by the letter "r" (English read) and is therefore also called the R bit.
Write
(English write) The user may write to the file or, in the case of a directory, create, rename and delete files and subdirectories in it and change their file rights. This right is usually represented by the letter "w" (English write) and is therefore also called the W bit.
Execute
(English execute) The user may execute the file as a program or, in the case of a directory, change into it and access the files and subdirectories there. Without the read right, however, the directory contents cannot be listed. This right is usually represented by the letter "x" (English execute) and is therefore also called the X bit.

In contrast to Access Control Lists, rights are not inherited. Newly created files in a directory do not necessarily have the same rights as the directory; their rights are derived from the rights mask (umask) of the creating program. The group assignment of newly created directories and files initially corresponds either to the active group of the user (e.g. on Linux) or to the group of the directory (BSD Unix default), depending on the system settings.
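The umask rule above is simple but often misread as inheritance from the directory. The following added example, not from the article, shows the arithmetic (requested mode with the mask bits cleared) and then confirms it by creating a file under a chosen umask in a temporary directory; the masks and the requested mode 0666 are constructed sample values, and os.open is used so the requested mode is explicit.

```python
import os
import stat
import tempfile

# Added example (not part of the Wikipedia article): how the process umask turns
# the mode a program requests into the mode a new file actually receives.
# Nothing is copied from the parent directory's rights; the mask bits are
# simply cleared from the requested bits.


def effective_mode(requested, umask):
    """Permission bits a creat()/mkdir() with 'requested' ends up with under 'umask'."""
    return requested & ~umask & 0o7777


def create_under_umask(umask, requested=0o666):
    """Create a file with open(2)-style mode 'requested' under 'umask' and
    return the permission bits the filesystem recorded for it."""
    old = os.umask(umask)          # the umask is per process: set, create, restore
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "newfile")
            fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


if __name__ == "__main__":
    # Constructed sample masks: a permissive default, a group-friendly one,
    # and a private one.
    for mask in (0o022, 0o027, 0o077):
        print(f"umask {mask:04o}: file 0666 -> {effective_mode(0o666, mask):04o}, "
              f"dir 0777 -> {effective_mode(0o777, mask):04o}, "
              f"observed on disk {create_under_umask(mask):04o}")
```

A umask of 0027 is what you get when a program asks for 0666 but the administrator wants group read and no access for others; note that the mask can only remove bits, never add them, which is why a file created as 0666 is never executable regardless of the umask.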

Special rights / extended rights

Setuid
If a file with the setuid bit set is executed, the process runs with the effective user ID of the file owner.
The setuid bit on a directory is ignored on Unix and Linux systems. FreeBSD can be configured so that the owner (UID) is inherited by objects newly created in such a directory.
Setgid
If a file with the setgid bit set is executed, the resulting process runs with the effective group ID of the file's owner group.
Applied to a directory, the group (GID) is inherited by objects newly created in that directory.
Sticky bit
On directories, the bit means that users cannot delete other users' files. It used to be used on files, where the sticky bit meant that the program code stayed in working memory after the file had been executed (on swapping systems without paging).

Technical background

As a result, three pieces of information must be stored in each inode, from which all access rights can be derived: the owner (user ID), the group (group ID) and the rights mask.

In the rights mask, the basic and extended rights described above are stored as a 12-bit value.

Right notation

Octal notation

The notation of file rights in octal notation is very common. It consists of a three- or four-digit octal number. Each digit represents a user class, in the order owner, group, others. A digit is the sum of the three rights:

  • 1 for run
  • 2 for writing
  • 4 for reading

Each possible combination of rights results in a different digit. The special case 0 means that the user class has no rights to the object.

There is also a four-digit octal notation. For this, the three-digit octal number is preceded by a fourth digit that represents the extended file rights. Analogously to the basic rights, this digit is formed as the sum of the special rights that are set:

  • 1 for the sticky bit
  • 2 for setgid
  • 4 for setuid

Symbolic notation

In contrast to octal notation, symbolic notation is a more readable way of writing file rights. The rights of the three user classes are written in the same order as in octal notation, one after the other, with the rights of each class represented by a triplet of characters instead of a digit. The first character is r (read) if the read bit is set. The second is w (write) if writing is allowed. The third is x (execute) if execution is allowed. A right that is not set is shown as -.

                    owner   group   others
Right to read       r - -   r - -   r - -
Write permission    - w -   - w -   - w -
Right of execution  - - x   - - x   - - x

The result is a string of nine characters. The extended file rights are displayed in positions 3, 6 and 9, where the execution rights are otherwise marked with x. If an execution right is also set at that position, the extended file right is shown with a lower-case letter, otherwise with a capital letter. The SUID and SGID bits are shown with S/s, the sticky bit with T/t:

                 Execution bit not set   Execution bit set
SUID bit         --S------               --s------
SGID bit         -----S---               -----s---
Sticky bit       --------T               --------t

Examples

                    special rights       owner          group          others
                    SUID  SGID  Sticky   r    w    x    r    w    x    r    w    x
                    (S/s) (S/s) (T/t)    (r)  (w)  (x)  (r)  (w)  (x)  (r)  (w)  (x)
Value               4     2     1        4    2    1    4    2    1    4    2    1

Example 1 - file rights 755
Set bits            No    No    No       Yes  Yes  Yes  Yes  No   Yes  Yes  No   Yes
Octal value         0 + 0 + 0 = 0        4 + 2 + 1 = 7  4 + 0 + 1 = 5  4 + 0 + 1 = 5
Symbolic notation                        r    w    x    r    -    x    r    -    x
Explanation: Typical file rights for an executable file (a program or a script). Only the owner can change the file; everyone else can only read and execute it.

Example 2 - file rights 664
Set bits            No    No    No       Yes  Yes  No   Yes  Yes  No   Yes  No   No
Octal value         0 + 0 + 0 = 0        4 + 2 + 0 = 6  4 + 2 + 0 = 6  4 + 0 + 0 = 4
Symbolic notation                        r    w    -    r    w    -    r    -    -
Explanation: Possible file rights for a non-executable file (e.g. a text document) that can be edited by the owner and the group but only read by everyone else.

Example 3 - file rights 4755
Set bits            Yes   No    No       Yes  Yes  Yes  Yes  No   Yes  Yes  No   Yes
Octal value         4 + 0 + 0 = 4        4 + 2 + 1 = 7  4 + 0 + 1 = 5  4 + 0 + 1 = 5
Symbolic notation                        r    w    s    r    -    x    r    -    x
Explanation: The file can be executed with the rights of its owner. This can be necessary when a program requires root rights but is to be run by ordinary users, for example passwd (password change; owner: root). The lower-case letter s is shown because the owner's execute right is set as well.

Example 4 - file rights 1777 for a directory
Set bits            No    No    Yes      Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes
Octal value         0 + 0 + 1 = 1        4 + 2 + 1 = 7  4 + 2 + 1 = 7  4 + 2 + 1 = 7
Symbolic notation                        r    w    x    r    w    x    r    w    t
Explanation: Marks a directory for shared use by all users, in which the files and directories contained may nevertheless only be modified or deleted by their owners, as with the /tmp directory. The lower-case letter t is shown because the sticky bit is set in addition to the execute right for others.

Programs for changing the file rights

Editing Unix file rights with Konqueror

On the Unix command line, file rights are changed with the command chmod (short for change mode). Owner and group membership are changed with the commands chown and chgrp. Many file managers and FTP clients of modern graphical user interfaces also offer options for changing file permissions.

See also