Access to a file or other resource is based on permissions that are given or removed at the owner, group, and other levels.
Every file and directory (and, as usual, every other resource managed through the file mechanism) has a basic set of 9 access permission bits
, each of which can be true or false. For each level of access control (user, group, other), the 3 bits correspond to three permission types
For regular files, these 3 bits control read access, write access, and execute permission.
For directories and other file types, the 3 bits have slightly different interpretations
The ls l command output shows the state of the permission bits for files and directories.
The permission bits are listed as a file type
, followed by three blocks of three letters.
The first block represents the user permission
bits, the second block represents the group permission
bits, and the last block represents the other permission
bits. These 9 characters are collectively referred to as the access mode
- file type: The file type is the first character in the access mode column of the ls -l listing.
The most common file types are - for a regular file and d for a directory.
- user permission: User permissions are the first set of read/write/execute permissions in an access mode. User permissions apply to the file owner.
- group permission: Group permissions are the second set of read/write/execute permissions in an access mode. Group permissions apply to users that are members of the file's group.
- other permission: Other permissions are the third set of read/write/execute permissions in an access mode. Other permissions apply to everyone besides the file owner and the group members.
The permission bits are used in granting or denying access to the file or other resource. Requests for access come from processes
, which we will discuss in a later module. As you will see, each process has a group and an owner.
When the process requests access to a file, the operating system:
- Compares the owner of the file with the owner of the process; if they agree, it checks that the desired permission is available at the user level. If the permission is not available, the system denies access.
- Checks the groups of the process and the file if the owners are different. If they agree, it checks that the desired permission is available at the group level. If it is not, access is denied.
- Checks to see if the desired permission is available at the other level if neither the group nor the owner of the file and
process is the same. If it is not, the system denies access.
For the balance of this module, you may assume that the permissions for file access are checked against your login ID and your default group because you own all commands that you run from a shell.