UNIX FILE PERMISSIONS
This document provides information about file permissions within the UNIX environment. It is written for those users who are not familiar with these permissions.

Access to a UNIX file or directory is controlled by three key permission attributes:

  1. The owner's UNIX login user id (referred to in most UNIX documentation as the "uid").
  2. The owner's UNIX group id (referred to as the "gid"), which ties access to the user's membership in a group of users.
  3. A set of general "access permissions" that apply to users who match neither the "uid" nor the "gid".
UNIX login user ids belong to one or more groups, one of which is defined as the "default group". When a user creates a file or directory, that file or directory is "owned by" the user's uid and default gid (System V), or by the gid of the containing directory (BSD). The owner can modify the file or directory, and may also reassign it to any other group to which the owner belongs.
    Note: Only the "superuser" (usually "root") has the authority to change the owner uid and gid of files or directories, even for the user who owns them.

UNIX Commands
There are three different UNIX commands that manipulate file access permissions.

  1. The owner uid of a file or directory can only be changed by a superuser, using the "chown" command, in the format: chown <username> <filename>.
      Example: chown mary thisfile (gives the user "mary" ownership of "thisfile")

  2. The gid of a file or directory can be changed by a superuser using the "chgrp" command, in the format: chgrp <groupname> <filename>. The owner may also change the assignment to any other group to which they belong.
      Example: chgrp engineers partsdir (assigns the directory "partsdir" to the group "engineers", so its group access permissions apply to the members of "engineers")

  3. The specific access permissions themselves are changed with the "chmod" command, in the format: chmod <permissions> <filename or directory name>.

Primary Access Permissions
Each file or directory has three primary access permissions: owner, group, and other. Each of the three is some combination of read, write, and execute permission.
  • For a directory, execute permission is required to create new files within that directory.
  • Users whose UNIX login matches the owner uid of a file or directory are given access to that file or directory based on its owner access permissions.
  • Users belonging to any group whose gid matches the gid of a file or directory are given access to that file or directory based on its group access permissions.
  • Users who match neither the uid nor the gid are given access to files or directories based on the assigned "other" access permissions.
Actual file access permissions are usually represented as a 3-digit number, where
    • the first digit is the owner permissions,
    • the second digit is the group permissions, and
    • the third digit is the "other" permissions.
Each digit is calculated by adding any or all of the following values, each of which represents a specific permission: 4 (read), 2 (write), and 1 (execute).
  • A permission set of "644" represents read/write access (6) for the owner and read-only access (4) for group and other users.
  • A permission set of "755" represents read/write/execute access (7) for the owner and read/execute access (5) for group and other users.
Any user who "owns" a file (UNIX login id matches owner uid) can use the chmod command to change the permissions on files or directories they own, but only a superuser can arbitrarily change permissions for any file or directory. 
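The digit arithmetic above, worked both ways in a small POSIX sh script. This is an added example, not part of the original document; the function names are my own, and each digit is treated as the sum of 4 (read), 2 (write) and 1 (execute) exactly as the text describes.

```shell
#!/bin/sh
# Added example (not from the original document): convert between the
# three-digit chmod number and the "rwx" letters that "ls -l" prints.

# Turn one digit 0-7 into three letters, e.g. 6 -> "rw-", 5 -> "r-x".
digit_to_rwx() {
    d=$1
    s=""
    if [ $((d & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $((d & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $((d & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s' "$s"
}

# "644" -> "rw-r--r--" (owner, group, other).
octal_to_symbolic() {
    m=$1
    case $m in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got '$m'" >&2; return 1 ;;
    esac
    o=${m%??}; rest=${m#?}; g=${rest%?}; t=${rest#?}
    printf '%s%s%s\n' "$(digit_to_rwx "$o")" "$(digit_to_rwx "$g")" \
        "$(digit_to_rwx "$t")"
}

# "rwxr-xr-x" -> "755": score each group of three letters.
symbolic_to_octal() {
    s=$1
    [ ${#s} -eq 9 ] || { echo "expected nine letters, got '$s'" >&2; return 1; }
    out=""
    while [ -n "$s" ]; do
        triple=${s%"${s#???}"}   # first three characters
        s=${s#???}
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac
        case $triple in ?w?) n=$((n + 2)) ;; esac
        case $triple in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# Usage: the two permission sets from the text, shown in both forms.
for m in 644 755; do
    sym=$(octal_to_symbolic "$m")
    printf '%s = %s = %s\n' "$m" "$sym" "$(symbolic_to_octal "$sym")"
done
```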

Executable programs, which become UNIX processes once started, are usually given access permissions based on the login uid of the person who started the process. That user's identity is therefore passed on through the process to the file system. If uid "mary" executes "updateprog" and the program accesses or updates a file, the file system uses the "mary" uid to determine whether that access or update is allowed. This can hinder setting up strict security and privacy on servers with large, diverse user communities that want to share only specific applications.

Special UNIX Permissions
In addition to the standard read, write, and execute permissions, UNIX provides two special permissions that can only be added by a superuser: setuid and setgid.  Because they both work the same way (one applies to uids, the other to gids), the remainder of this discussion will refer to them both as "setuid." 

The setuid (and setgid) permission only applies to executable programs. When a program has the setuid permission set, the login uid of the person who started the UNIX process is NOT inherited by the process, nor is it passed through to the file system for determining access permissions. Instead, the program's owner uid is used, thereby hiding the actual login identity of the user from the file system whenever the executing process requests file access.

Using the setuid capability allows a process to operate with a different uid than the UNIX login uid of the user who started the process. This becomes very important when a process is started by another process, like a web server starting an application. Please remember, only a superuser is able to grant the setuid permission and only a superuser can change the ownership of a program to a different uid. 

The setuid/setgid permissions are granted by placing a special 4th digit before the standard three permission digits in the chmod command. Setuid and setgid permissions can be assigned independently, so a program can have neither, either, or both. As with the other digit values, the value of the prefix is determined by which of the login user's ownership attributes you want to ignore (uid, gid, or both). In calculating the prefix digit's value, the setuid override permission has a value of 4 and the setgid a value of 2. Therefore, giving a program file setuid/setgid permissions as well as owner read/write/execute and group and other read/execute permissions would require the command: "chmod 6755 <filename>".
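Because a setuid or setgid program runs with its owner's identity rather than the caller's, an administrator will want to know which programs on a system carry these bits and who owns them. The following audit script is an added example, not part of the original document: it lists such files under a directory, shows the owner, and recovers the 4th chmod digit (4 for setuid, 2 for setgid) from the "s" letters that "ls -l" prints in the execute positions. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original document): audit a directory tree
# for programs carrying the setuid/setgid prefix bits.

# From the nine "ls -l" letters such as "rwsr-sr-x", compute the 4th chmod
# digit: 4 if the owner execute slot shows s/S, plus 2 if the group execute
# slot shows s/S. "rwsr-sr-x" -> 6, "rwxr-sr-x" -> 2, "rwxr-xr-x" -> 0.
# (Lowercase s means execute is also set; uppercase S means it is not.)
special_prefix() {
    bits=$1
    n=0
    case $bits in ??[sS]??????) n=$((n + 4)) ;; esac
    case $bits in ?????[sS]???) n=$((n + 2)) ;; esac
    printf '%s\n' "$n"
}

# Print "prefix letters owner path" for every regular file beneath $1 that
# has setuid or setgid set. "-perm -4000" matches when the setuid bit is
# set whatever the other bits are; "-perm -2000" does the same for setgid.
# Paths containing whitespace are not handled by this simple field split.
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
    while read -r mode links owner group rest; do
        letters=$(printf '%s' "$mode" | cut -c2-10)   # drop the type char
        path=${rest##* }                              # last field is the path
        printf '%s %s %s %s\n' "$(special_prefix "$letters")" \
            "$letters" "$owner" "$path"
    done
}

# Usage: a constructed scratch directory with one program given the
# "chmod 6755" permissions from the text and one ordinary program.
# Only "tool" is reported, with prefix 6 and letters rwsr-sr-x.
demo=$(mktemp -d)
: > "$demo/tool"; : > "$demo/plain"
chmod 6755 "$demo/tool"; chmod 755 "$demo/plain"
find_setuid_files "$demo"
rm -rf "$demo"
```

Run it as a normal user to review the setuid programs you own; run it as the superuser over system directories to see every program that will execute with an identity other than the caller's.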

Copyright 2000-2003 CyberTeams, Inc., http://www.cyberteams.com All rights reserved
CyberTeams and WebSite Director are registered trademarks of CyberTeams, Inc. All other marks are the property of their respective owners.