This document provides information about file permissions within the UNIX
environment. It is written for those users who are not familiar with these
permissions.
The following are the three key UNIX file permission attributes.
- Owner permissions, based on the owner's UNIX login user id (referred to
in most UNIX documentation as the "uid").
- Group permissions, associated with membership in a group of users, based
on the file's UNIX group id (referred to as the "gid").
- A set of general "other" access permissions that apply to users who match
neither the "uid" nor the "gid".
A UNIX login user id belongs to one or more groups. One of these groups is
defined as the user's "default group" (also called the primary group).
When a user creates a file or directory, it is "owned by" the user's uid.
Its gid is the user's default gid (System V), or the gid of the directory
in which it is created (BSD).
The owner may change the permissions of the file or directory, and may
also change its group to any other group to which the owner belongs.
Note: Only the "superuser" (login name "root", uid 0) has the authority to
change the owner uid of any file or directory, or to set its gid to a group
the owner does not belong to. Ordinary users cannot give away files they
own.
UNIX Commands
There are three different UNIX commands that manipulate file ownership and
access permissions.
- The file or directory owner's uid assignment can only be changed by a
superuser, using the "chown" command, in the format:
chown <username> <filename>.
Example: chown mary thisfile (gives the user "mary" ownership of
"thisfile")
- The file or directory group's gid assignment can be changed by a
superuser using the "chgrp" command, in the format:
chgrp <groupname> <filename>. The owner may also change the assignment to
any other group to which they belong.
Example: chgrp engineers partsdir (assigns the directory "partsdir" to the
group "engineers"; what members of "engineers" may then do with it is
decided by the directory's group permissions, which are set with chmod)
- The specific access permissions themselves are changed with the "chmod"
command, in the format:
chmod <permissions> <filename or directory name>.
Primary Access Permissions
Each file or directory has three primary access permissions: owner, group,
and other. Each access permission includes a combination of Read, Write,
and Execute permissions.
- For a file, Read allows its contents to be read, Write allows them to be
changed, and Execute allows it to be run as a program.
- For a directory, the three permissions mean something different. Read
allows the names in the directory to be listed. Execute (also called
"search") allows a name in the directory to be looked up, which is needed
to open any file in it or to cd into it. Write, together with Execute,
allows files to be created, renamed, or deleted in the directory; Write
alone is not enough, and deleting a file does not require any permission
on the file itself.
- Users whose UNIX login matches the owner uid of a file or directory are
given access based on the owner access permissions of that file or
directory.
- Users belonging to any group whose gid matches the gid of a file or
directory are given access based on the group access permissions of that
file or directory.
- Users who meet neither the uid nor the gid comparison are given access
based on the assigned "other" access permissions.
Only one of the three sets is consulted for a given user: if the uid
matches, the owner permissions decide, even when the group or other
permissions would have granted more.
Actual file access permissions are usually represented as a 3-digit octal
number, where
- the first digit is the owner permissions,
- the second digit is the group permissions, and
- the third digit is the "other" permissions.
Each digit is calculated by adding any or all of the following values,
each of which represents a specific permission: 4 (read), 2 (write), and
1 (execute).
- A permissions set of "644" represents read/write access (4+2=6) for the
owner and read-only access (4) for group and other users.
- A permissions set of "755" represents read/write/execute access
(4+2+1=7) for the owner and read/execute access (4+1=5) for group and
other users.
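The directory rules above can be checked directly. The following script is an added example and is not part of the original page: it creates a throwaway directory under $TMPDIR (or /tmp), gives the owner one combination of r, w and x at a time, and probes whether the directory can be listed, whether a file inside it can be read, and whether a new file can be created. It assumes a POSIX shell and a non-root user; the superuser bypasses the mode bits entirely, so the probe simply reports "root" in that case. The function name dir_probe is my own.

```shell
#!/bin/sh
# Added example (not from the original page): probe what r, w and x permit
# on a directory.  Assumes a POSIX shell, a writable $TMPDIR or /tmp, and a
# non-root user (root bypasses the mode bits, so the probe reports "root").

# dir_probe MODE
#   MODE is a three-digit octal mode to apply to a throwaway directory that
#   contains one constructed file, "note".  Prints one line:
#   "list=yes|no read=yes|no create=yes|no", or "root" when run as uid 0.
dir_probe() {
    mode=$1
    if [ "$(id -u)" -eq 0 ]; then
        echo root
        return 0
    fi
    d=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX") || return 1
    echo "constructed sample" > "$d/note"
    chmod "$mode" "$d"

    can_list=no     # listing the names needs r on the directory
    ls "$d" >/dev/null 2>&1 && can_list=yes
    can_read=no     # looking a name up in order to open it needs x (search)
    cat "$d/note" >/dev/null 2>&1 && can_read=yes
    can_create=no   # adding a new entry needs w AND x
    touch "$d/new" 2>/dev/null && can_create=yes

    chmod 700 "$d" && rm -rf "$d"   # restore the mode so cleanup can remove it
    echo "list=$can_list read=$can_read create=$can_create"
}

# Owner-only modes, one or two bits at a time; group and other get nothing.
for m in 400 100 200 300 500; do
    printf '%s -> %s\n' "$m" "$(dir_probe "$m")"
done
```

Mode 400 (r only) lists the names but cannot open "note"; 100 (x only) opens "note" by name but cannot list; 200 (w only) can do nothing at all, because creating an entry still requires search permission; 300 (wx) is the minimum for creating files; 500 (rx) is the usual "browse but don't change" setting.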
Any user who "owns" a file (UNIX login id matches owner uid) can use the
chmod command to change the permissions on files or directories they own,
but only a superuser can change the permissions of files or directories
owned by someone else.
Executable programs, which become UNIX processes after being started,
normally run with the uid (and gids) of the person who started the
process. Thus that user's identity is passed on through the process to the
file system. If uid "mary" executes "updateprog" and the program
accesses/updates a file, the file system uses the "mary" user id to
determine whether access and/or updating is allowed. This can hinder
setting up strict security and privacy on servers with large, diverse user
communities that want to share only specific applications: any file that
"updateprog" must be able to write has to be writable by "mary" herself,
and she can then modify it with any other program as well.
Special UNIX Permissions
In addition to the standard read, write, and execute permissions, UNIX
provides two special permissions: setuid and setgid. Because they both
work the same way (one applies to uids, the other to gids), the remainder
of this discussion will refer to them both as "setuid."
The setuid (and setgid) permission as discussed here applies only to
executable programs. (Setgid on a directory has a different meaning,
making new files inherit the directory's group, and is not covered here.)
When a program has the setuid permission set, the process created when it
is run does not use the login uid of the person who started it for file
access decisions. Instead, the process's "effective" uid is set to the
program's owner uid, and the file system checks that effective uid whenever
the process requests file access. The login uid is still recorded as the
process's "real" uid, so it is not hidden from the program itself, only
from the access checks.
Using the setuid capability allows a process to operate with a different
uid than the UNIX login uid of the user who started the process. This
becomes very important when a process is started by another process, like
a web server starting an application. The owner of a program may set the
setuid permission on it with chmod, but that only lets the program run
with the owner's own identity; making a program run as another user, such
as root, requires a superuser, because only a superuser can change the
ownership of a program to a different uid. Setuid programs therefore
deserve careful review: any bug in one hands the owner's privileges to
whoever is allowed to run it.
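The access rules from the previous section and the setuid behaviour described here, as a worked example. The script below is added here and is not from the original page: it spells out, in POSIX sh arithmetic, which of the three permission sets the file system consults for a given process and file, and the effective-uid change that a setuid program produces, then replays the "mary runs updateprog" scenario both without and with the setuid bit. The uids (1001 for mary, 2000 for an application account), gids, modes and the function names exec_euid and unix_access are constructed for illustration; nothing on the real file system is touched.

```shell
#!/bin/sh
# Added example (not from the original page): the access decision the file
# system makes for a process, and the effective-uid change a setuid program
# causes, in POSIX sh arithmetic.  All uids, gids and modes below are
# constructed values; no real file is touched.

# exec_euid FILE_UID MODE CALLER_EUID
#   Prints the effective uid a process has after executing a program whose
#   owner is FILE_UID and whose (up to 4-digit) octal mode is MODE.
exec_euid() {
    if [ $((0$2 & 04000)) -ne 0 ]; then echo "$1"; else echo "$3"; fi
}

# unix_access FILE_UID FILE_GID MODE EUID "GIDS" WANT
#   MODE  three-digit octal mode of the file, e.g. 640
#   GIDS  the process's group list, space separated
#   WANT  r, w or x
#   Prints the class consulted and the verdict, e.g. "group denied".
unix_access() {
    f_uid=$1 f_gid=$2 mode=$((0$3)) e_uid=$4 gids=$5
    case $6 in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac

    # The superuser bypasses read and write checks; execute still needs an
    # x bit somewhere in the mode, so plain data files cannot be run.
    if [ "$e_uid" -eq 0 ]; then
        if [ "$bit" -ne 1 ] || [ $((mode & 0111)) -ne 0 ]; then
            echo "root allowed"
        else
            echo "root denied"
        fi
        return 0
    fi

    # Exactly one class is consulted, chosen in this order with no fallback:
    # an owner match means only the owner digit counts, even when the group
    # or other digit would have granted more.
    class=other digit=$((mode & 7))
    if [ "$e_uid" -eq "$f_uid" ]; then
        class=owner digit=$(((mode >> 6) & 7))
    else
        for g in $gids; do
            if [ "$g" -eq "$f_gid" ]; then
                class=group digit=$(((mode >> 3) & 7))
                break
            fi
        done
    fi
    if [ $((digit & bit)) -ne 0 ]; then
        echo "$class allowed"
    else
        echo "$class denied"
    fi
}

# Scenario from the text: mary (uid 1001, groups 1001 and 100) runs
# updateprog, owned by the application account (uid 2000), and the program
# opens datafile (owner 2000, group 2000, mode 600) for writing.
MARY=1001 APP=2000
for prog_mode in 0755 4755; do
    euid=$(exec_euid "$APP" "$prog_mode" "$MARY")
    printf 'updateprog %s: runs as uid %s, write to datafile -> %s\n' \
        "$prog_mode" "$euid" "$(unix_access "$APP" 2000 600 "$euid" '1001 100' w)"
done
```

Without setuid the process keeps uid 1001, falls into the "other" class and is denied; with mode 4755 it runs as uid 2000, matches the owner and is allowed, while datafile stays unreadable to mary through any other program. The owner-first rule is visible in a mode such as 460: the owner is denied write even though the group digit would allow it.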
The setuid/setgid permissions are granted by placing a 4th digit in front
of the standard three permission digits in the chmod command. Setuid and
setgid can be assigned independently, so a program can have neither,
either, or both. As with the other digits, the value of this prefix digit
is the sum of the permissions wanted: setuid has a value of 4 and setgid a
value of 2 (the value 1 is the "sticky" bit, which is not covered here).
Therefore, giving a program file setuid and setgid permissions as well as
owner read/write/execute and group and other read/execute permissions
would require the command: "chmod 6755 <filename>". In the output of
"ls -l" the setuid and setgid bits appear as an "s" in place of the owner
and group "x", so that file is shown as -rwsr-sr-x.
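The 4-digit mode and the way ls -l displays it, as an added example that is not from the original page: two POSIX sh functions that convert between the numeric mode given to chmod, including the special-bit prefix, and the nine-character permission string. It also covers the upper-case S/T display for a special bit set without the matching x, and the sticky bit value 1, which go beyond the 6755 case in the text. The function names mode_to_string and string_to_mode are my own; no file is examined.

```shell
#!/bin/sh
# Added example (not from the original page): convert between the numeric
# mode given to chmod, including the leading special-bit digit, and the
# nine-character permission string shown by ls -l.  Pure POSIX sh string
# and arithmetic work; no file is examined.

# mode_to_string MODE   e.g. 6755 -> rwsr-sr-x
#   The special bits are displayed in the x column of their class: s for
#   setuid (owner) and setgid (group), t for the sticky bit (other).  Upper
#   case (S or T) means the special bit is set but x is not.
mode_to_string() {
    m=$((0$1))
    out=""
    i=0
    while [ "$i" -lt 3 ]; do
        digit=$(((m >> ((2 - i) * 3)) & 7))
        r=-; w=-; x=-
        [ $((digit & 4)) -ne 0 ] && r=r
        [ $((digit & 2)) -ne 0 ] && w=w
        [ $((digit & 1)) -ne 0 ] && x=x
        case $i in
            0) special=$((m & 04000)); on=s; off=S ;;   # setuid
            1) special=$((m & 02000)); on=s; off=S ;;   # setgid
            2) special=$((m & 01000)); on=t; off=T ;;   # sticky
        esac
        if [ "$special" -ne 0 ]; then
            if [ "$x" = x ]; then x=$on; else x=$off; fi
        fi
        out="$out$r$w$x"
        i=$((i + 1))
    done
    echo "$out"
}

# string_to_mode STRING   e.g. rwsr-sr-x -> 6755
#   A leading file-type column (the "-" or "d" of ls -l) may be included.
string_to_mode() {
    s=$1
    case $s in ??????????) s=${s#?} ;; esac
    [ ${#s} -eq 9 ] || return 2
    special=0 bits=0 pos=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}   # first character
        s=${s#?}          # the rest
        bits=$((bits << 1))
        case $c in
            r|w|x) bits=$((bits | 1)) ;;
            s|S|t|T)
                case $pos in
                    2) special=$((special | 4)) ;;   # owner x column: setuid
                    5) special=$((special | 2)) ;;   # group x column: setgid
                    8) special=$((special | 1)) ;;   # other x column: sticky
                    *) return 2 ;;
                esac
                case $c in s|t) bits=$((bits | 1)) ;; esac ;;
            -) ;;
            *) return 2 ;;
        esac
        pos=$((pos + 1))
    done
    if [ "$special" -eq 0 ]; then
        printf '%03o\n' "$bits"
    else
        printf '%o%03o\n' "$special" "$bits"
    fi
}

mode_to_string 6755          # prints rwsr-sr-x
string_to_mode -rwsr-sr-x    # prints 6755
```

A quick way to audit a system for setuid programs is to look for exactly these strings: anything ls -l shows with an "s" in the owner column runs as its owner no matter who starts it, and a capital "S" marks a setuid bit on a file nobody can execute, which is almost always a mistake.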