Access Permissions
Lesson 4 Basic access permissions
Objective: Describe the three levels of access control and the three types of access.

Describe Three Levels of Access Control and Three Types of Access

Access to a file or other resource is based on permissions that are given or removed at the owner, group, and other levels.
Every file and directory (and, as usual, every other resource managed through the file mechanism) has a basic set of 9 access permission bits, each of which can be true or false. For each level of access control (user, group, other), the 3 bits correspond to three permission types.
For regular files, these 3 bits control read access, write access, and execute permission.
For directories and other file types, the 3 bits have slightly different interpretations.
The ls -l command output shows the state of the permission bits for files and directories. The permission bits are listed as a file type, followed by three blocks of three letters.
The first block represents the user permission bits, the second block represents the group permission bits, and the last block represents the other permission bits. These 9 characters are collectively referred to as the access mode.
  1. file type: The file type is the first character in the access mode column of the ls -l listing. The most common file types are - for a regular file and d for a directory.
  2. user permission: User permissions are the first set of read/write/execute permissions in an access mode. User permissions apply to the file owner.
  3. group permission: Group permissions are the second set of read/write/execute permissions in an access mode. Group permissions apply to users that are members of the file's group.
  4. other permission: Other permissions are the third set of read/write/execute permissions in an access mode. Other permissions apply to everyone besides the file owner and the group members.

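The notes below describe the access permission bits in a sample ls -l listing. Items 1 through 4 describe the first entry; items 5 through 7 each describe a separate entry.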
  1. The file type - means this file is not a directory
  2. The file has the read permission and write permission bits set for the owner. The execute bit is not set for the owner.
  3. The group has the read permission bit set, but not the write or execute bits.
  4. The other permission bits are set so that read is set for everyone else (excluding the owner and the group), but write and execute are not.
  5. This file has read and write permissions set for the owner, and no other permissions set.
  6. This file has read and write permissions set for the user and the group, but only read permissions for everyone else.
  7. This file is a directory, as indicated by the d in the first slot. This file has read, write, and execute permissions set for the owner, and execute-only permission set for the group and everyone else.

Unix Permission Components

When permission is granted or denied

The permission bits are used in granting or denying access to the file or other resource. Requests for access come from processes[1], which we will discuss in a later module. As you will see, each process has a group and an owner.
When the process requests access to a file, the operating system:
  1. Compares the owner of the file with the owner of the process; if they agree, it checks that the desired permission is available at the user level. If the permission is not available, the system denies access.
  2. Checks the groups of the process and the file if the owners are different. If they agree, it checks that the desired permission is available at the group level. If it is not, access is denied.
  3. Checks the other level if neither the owner nor the group of the file matches that of the process. If the desired permission is not available at the other level, the system denies access.
For the balance of this module, you may assume that the permissions for file access are checked against your login ID and your default group because you own all commands that you run from a shell.
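The three-step check above can be traced in code. The following Python sketch is an added example, not part of the original lesson: it parses an ls -l access mode and applies only the steps listed here, with one group per process. The function names and the numeric owner and group IDs are constructed for illustration.

```python
PERM_BIT = {"r": 4, "w": 2, "x": 1}  # bit value of each permission type within one block

def parse_mode(text):
    """Split an ls -l access mode such as '-rw-r--r--' into (file type, 9 permission bits)."""
    if len(text) != 10:
        raise ValueError("expected a file type character plus 9 permission characters")
    bits = 0
    for i, ch in enumerate(text[1:]):
        if ch == "rwx"[i % 3]:          # letter present in its own slot: bit is set
            bits |= 1 << (8 - i)
        elif ch != "-":                 # only the basic 9 bits are modelled here
            raise ValueError(f"unsupported character {ch!r} in access mode")
    return text[0], bits

def check_access(mode_text, file_uid, file_gid, proc_uid, proc_gid, want):
    """Return (level consulted, granted?) for a request of type 'r', 'w' or 'x'.

    Exactly one level is consulted: once the owner matches, the group and
    other blocks are never examined, even if they would grant the request.
    """
    _, bits = parse_mode(mode_text)
    if proc_uid == file_uid:            # step 1: owners agree -> user block decides
        level, shift = "user", 6
    elif proc_gid == file_gid:          # step 2: groups agree -> group block decides
        level, shift = "group", 3
    else:                               # step 3: neither agrees -> other block decides
        level, shift = "other", 0
    return level, bool((bits >> shift) & PERM_BIT[want])

if __name__ == "__main__":
    # Constructed sample: file owned by uid 1000, group 100.
    requests = [
        ("-rw-r--r--", 1000, 100, "w"),   # owner writes
        ("-rw-r--r--", 1001, 100, "w"),   # group member writes
        ("----rw-rw-", 1000, 100, "r"),   # owner locked out although others may read
        ("----rw-rw-", 1002, 200, "r"),   # unrelated process reads
    ]
    for mode, uid, gid, want in requests:
        level, ok = check_access(mode, 1000, 100, uid, gid, want)
        print(f"{mode} uid={uid} gid={gid} wants {want}: {level} level, "
              f"{'granted' if ok else 'denied'}")
```

The third request shows why an access mode should be read block by block: a mode that looks permissive for group and other still denies the owner when the user block lacks the bit.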


[1] process: A UNIX process is a running program.