Most modern file systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the affected users to view or change the contents of the file system.
Differences between operating systems
Unix-like and otherwise POSIX-compliant systems, including Linux-based systems and Mac OS X (through version 10.3), have a simple system for managing individual file permissions. POSIX also specifies a system of access control lists, but it is implemented only by certain file systems and operating systems.
DOS variants (including the Microsoft products MS-DOS, Windows 95, Windows 98, and Windows Me) do not have permissions. There is only a "read-only" attribute, which any user or program can set or clear on a file; it is a safeguard against accidental changes, not an access control.
Microsoft Windows NT and its derivatives (including Windows 2000 and Windows XP), as well as VMS and OpenVMS, use access control lists (ACLs) to administer a more complex and varied set of permissions.
Classic Mac OS is similar to the DOS variants and DOS-based Windows: it does not support permissions, only a "Protected" file attribute.
Mac OS X, beginning with version 10.4 ("Tiger"), supports both complex access control lists (ACLs) and the traditional POSIX-compliant Unix-like simple system for managing individual file permissions. It also still supports the Classic Mac OS "Protected" attribute.
Traditional Unix permissions
Permissions on Unix-like systems are managed in three distinct classes, known as user, group, and others. In effect, Unix permissions are a simplified form of access control list (ACL): a fixed three-entry list in which each entry carries the same three permission bits.
Classes
On Unix file systems, every file and directory is owned by a specific user. The owner of an object comprises its user class; permissions assigned to the user class apply only to that specific user.
A file or directory is also assigned a group, which comprises its group class. Permissions assigned to the group class apply only to members of that group other than the owner. Users who are not represented by the other two classes comprise the file's others class. Exactly one class applies to any given user, chosen in a fixed order of precedence: the owner is governed by the user class, a non-owner who is a member of the file's group by the group class, and everyone else by the others class. The classes do not accumulate, so the owner receives the user-class permissions regardless of what the group or others class grants; a file whose user class has no bits set but whose group class is readable is still unreadable by its own owner (although ownership still lets the owner change the mode).
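The precedence rule above, worked through in code. This is an added example, not part of the original article; all uids, gids and modes in it are constructed for the demonstration, and the superuser handling in can() models the Linux rule (read and write always granted, execute only when some class has an execute bit).

```python
# Added example (not from the original article): which permission class
# governs a caller, using the owner > group > others precedence. Every
# uid, gid and mode below is constructed for the demonstration.

READ, WRITE, EXEC = 4, 2, 1


def permission_class(file_uid, file_gid, uid, groups):
    """Return the single class that applies to the caller.

    The owner always gets the user class, even when the group or others
    class would grant more; a non-owner who is in the file's group gets
    the group class; everyone else falls through to others.
    """
    if uid == file_uid:
        return "user"
    if file_gid in groups:
        return "group"
    return "others"


def effective_bits(mode, file_uid, file_gid, uid, groups):
    """rwx bits (0..7) the caller effectively holds on a file with this mode.

    Only the low nine permission bits of mode are consulted; setuid, setgid
    and the sticky bit do not change which class applies.
    """
    shift = {"user": 6, "group": 3, "others": 0}[
        permission_class(file_uid, file_gid, uid, groups)
    ]
    return (mode >> shift) & 0o7


def can(mode, file_uid, file_gid, uid, groups, wanted):
    """True if the caller holds every bit in wanted (READ | WRITE | EXEC).

    uid 0 follows the Linux superuser rule (assumed here): read and write
    are always granted, execute only if at least one class has execute set.
    """
    if uid == 0:
        if wanted & EXEC and not (mode & 0o111):
            return False
        return True
    return effective_bits(mode, file_uid, file_gid, uid, groups) & wanted == wanted


if __name__ == "__main__":
    # Constructed identities: alice (uid 1000) owns the file; bob (uid 1001)
    # is in its group (gid 100); carol (uid 1002) is in neither.
    owner, group = 1000, 100
    for mode in (0o640, 0o077):
        for name, uid, groups in (("alice", 1000, {100}),
                                  ("bob", 1001, {100}),
                                  ("carol", 1002, {500})):
            cls = permission_class(owner, group, uid, groups)
            bits = effective_bits(mode, owner, group, uid, groups)
            print(f"mode {mode:04o}: {name:6} -> {cls:6} class, bits {bits:o}")
```

The 0o077 case is the one worth remembering: alice is in the group too, but because she owns the file the user class is the only one consulted, and it grants nothing.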
Basic Permissions
There are three specific permissions on Unix-like systems that apply to each class:
- The read permission, which grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory (but not to find out any further information about them, including file type, size, ownership, permissions, etc.)
- The write permission, which grants the ability to modify a file. When set for a directory, this permission grants the ability to modify the directory's entries: creating files, deleting files, and renaming files. Note that deleting or renaming an entry requires write permission on the directory, not on the file itself, and that the directory's execute permission is also needed for these operations to succeed. Changing a file's permissions is not governed by the directory's write bit; it is reserved to the file's owner and the superuser.
- The execute permission, which grants the ability to execute a file. This permission must be set for executable binaries in order to allow the operating system to run them. When set for a directory, this permission grants the ability to traverse its tree in order to access files or subdirectories, but not see files inside the directory (unless read is set).
When a permission is not set, the rights it would grant are denied. Unlike ACL-based systems, permissions on a Unix-like system are not inherited: files created within a directory will not necessarily have the same permissions as that directory. The permissions of a new file are determined by the mode requested by the creating program combined with the process's umask (user file creation mode mask), which clears bits from the requested mode. A umask can only remove permissions, never add them.
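How the umask shapes newly created files and directories, as an added example that is not part of the original article. The requested modes 0o666 (file) and 0o777 (directory) are the conventional defaults that creating programs pass; the temporary directory and file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added example (not from the original article): umask applied to new
# files and directories. The requested modes 0o666 and 0o777 are the
# conventional defaults a creating program passes to open(2)/mkdir(2).


def apply_umask(requested, umask):
    """Mode the kernel actually stores: the requested bits minus the mask.

    umask can only clear bits; it never adds any.
    """
    return requested & ~umask & 0o7777


def create_with_umask(umask):
    """Create a file (requested 0o666) and a directory (requested 0o777)
    under a throwaway parent with the given umask, and return the modes the
    file system reports as (file_mode, dir_mode)."""
    previous = os.umask(umask)          # umask is per process: save and restore
    try:
        with tempfile.TemporaryDirectory() as parent:
            file_path = os.path.join(parent, "newfile")
            dir_path = os.path.join(parent, "newdir")
            fd = os.open(file_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
            os.close(fd)
            os.mkdir(dir_path, 0o777)
            return (stat.S_IMODE(os.stat(file_path).st_mode),
                    stat.S_IMODE(os.stat(dir_path).st_mode))
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o077):
        predicted = (apply_umask(0o666, mask), apply_umask(0o777, mask))
        observed = create_with_umask(mask)
        print(f"umask {mask:03o}: predicted file {predicted[0]:04o} dir {predicted[1]:04o}, "
              f"observed file {observed[0]:04o} dir {observed[1]:04o}")
```

A service that must not leak its files to other local users should set a umask of 0o077 (or 0o027 for a shared group) itself rather than trust the shell's default of 0o022.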
Additional Permissions
Unix-like systems typically employ three additional permissions or modes. These special permissions are set for a file or directory overall, not per class.
- The set user ID, setuid, or SUID permission. When a file with this permission set is executed, the resulting process assumes the effective user ID of the file's owner rather than that of the user who ran it. A setuid file owned by the superuser therefore runs with superuser privileges for anyone allowed to execute it, which is why such files are among the first things checked when auditing a system.
- The set group ID, setgid, or SGID permission. When a file with this permission set is executed, the resulting process assumes the effective group ID of the file's group. When setgid is applied to a directory, new files and directories created under that directory inherit the group of that directory rather than the primary group of the creating process (the default), and on most systems new subdirectories also inherit the setgid bit itself.
- The sticky permission. On executable files the sticky bit historically asked the kernel to keep the program's image in swap after termination; modern systems ignore it on files. On a directory, the sticky permission prevents users from renaming, moving or deleting contained files owned by users other than themselves, even if they have write permission to the directory. Only the directory owner and the superuser are exempt from this. This is why world-writable shared directories such as /tmp carry the sticky bit.
These additional permissions are also referred to as the setuid bit, setgid bit, and sticky bit respectively, because each occupies a single bit of the mode.
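The check a practitioner runs for the three special bits, as an added example that is not part of the original article: classify() decides what a single mode value implies, audit_tree() applies it to a directory tree, and build_sample_tree() lays out a constructed tree (a setuid file, a sticky shared directory, a world-writable directory without the sticky bit, an ordinary file) so the audit can be run without privileges. An owner may set setuid and sticky on their own files, so the sample "setuid binary" is just an empty file carrying the bit.

```python
import os
import stat
import tempfile

# Added example (not from the original article): auditing a tree for the
# special bits. The sample layout is constructed for the demonstration.

FINDINGS = ("setuid_file", "setgid_file", "setgid_dir",
            "sticky_dir", "world_writable_dir_no_sticky")


def classify(mode):
    """Return the set of finding names that apply to one st_mode value."""
    found = set()
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            found.add("setuid_file")
        if mode & stat.S_ISGID:
            found.add("setgid_file")
    elif stat.S_ISDIR(mode):
        if mode & stat.S_ISGID:
            found.add("setgid_dir")
        if mode & stat.S_ISVTX:
            found.add("sticky_dir")
        elif mode & stat.S_IWOTH:
            # Writable by everyone and no sticky bit: any user can delete or
            # rename any other user's entries here.
            found.add("world_writable_dir_no_sticky")
    return found


def audit_tree(root):
    """Walk root without following symlinks; return {finding: [relpaths]}."""
    report = {name: [] for name in FINDINGS}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            mode = os.lstat(path).st_mode      # lstat: look at links themselves
            for finding in classify(mode):
                report[finding].append(os.path.relpath(path, root))
    for paths in report.values():
        paths.sort()
    return report


def build_sample_tree(parent):
    """Constructed layout: a setuid file, a sticky shared dir, a
    world-writable dir without sticky, and an ordinary file. Modes are set
    explicitly so the caller's umask cannot change the outcome."""
    bin_dir = os.path.join(parent, "bin")
    os.mkdir(bin_dir)
    os.chmod(bin_dir, 0o755)
    helper = os.path.join(bin_dir, "helper")
    with open(helper, "w"):
        pass
    os.chmod(helper, 0o4755)                       # setuid, executable
    os.mkdir(os.path.join(parent, "shared"))
    os.chmod(os.path.join(parent, "shared"), 0o1777)   # sticky, like /tmp
    os.mkdir(os.path.join(parent, "dropbox"))
    os.chmod(os.path.join(parent, "dropbox"), 0o777)   # world-writable, no sticky
    notes = os.path.join(parent, "notes.txt")
    with open(notes, "w"):
        pass
    os.chmod(notes, 0o644)


def audit_sample():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as parent:
        build_sample_tree(parent)
        return audit_tree(parent)


if __name__ == "__main__":
    for finding, paths in audit_sample().items():
        print(f"{finding:30} {paths}")
```

On a real system the interesting input is the whole root file system; running it as an unprivileged user will skip directories it cannot traverse, so an audit meant to be complete runs as the superuser.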
Permission notation
Symbolic notation
There are many ways by which Unix permission schemes are represented. The most common form is symbolic notation, the form printed by ls -l. This scheme represents permissions as a series of 10 characters: a file type character followed by three groups of three.

| Position | Meaning |
| --- | --- |
| First character | file type |
| Second to fourth | what the owner (user class) can do |
| Fifth to seventh | what the group members can do |
| Eighth to tenth | what other users can do |

Within each group of three the characters stand for, in order, r (readable), w (writable) and x (executable); the x position shows s or t instead when a setuid, setgid or sticky bit is set (see below).

The first character indicates the file type:

- "-" for a regular file
- "d" for a directory
- "l" for a symbolic link
- "c" for a character device node
- "b" for a block device node
- "p" for a named pipe (FIFO)
- "s" for a Unix domain socket

Each class of permissions is represented by three characters. The first set of characters represents the user class. The second set represents the group class. The third and final set of three characters represents the others class.
Each of the three characters represents the read, write, and execute permissions respectively:

- r if the read bit is set, - if it is not.
- w if the write bit is set, - if it is not.
- x if the execute bit is set, - if it is not.
- In the user and group triplets the x position shows s instead when the setuid or setgid bit (respectively) is also set; in the others triplet it shows t when the sticky bit is set. If the special bit is set but the execute bit is not, the letter is shown in uppercase (S or T).
The following are some examples of symbolic notation:
- "-rwxr-xr-x" for a regular file whose user class has full permissions and whose group and others classes have only the read and execute permissions.
- "crw-rw-r--" for a character special file whose user and group classes have the read and write permissions and whose others class has only the read permission.
- "dr-x------" for a directory whose user class has read and execute permissions and whose group and others classes have no permissions.
Symbolic notation and additional permissions
The three additional permissions are indicated by changing one of the three "execute" characters as shown in the following table:

| Permission | Class | Executable (1) | Non-executable (2) |
| --- | --- | --- | --- |
| Set User ID (setuid) | User | s | S |
| Set Group ID (setgid) | Group | s | S |
| Sticky | Others | t | T |

1. The character used when the execute bit is also set.
2. The character used when the execute bit is not set.
Here is an example: - "-rwsr-Sr-x" for a file whose user class has read, write and execute permissions; whose group class has read permission; whose others class has read and execute permissions; and which has setuid and setgid permissions set.
Octal notation
Another common method for representing Unix permissions is octal notation. Octal notation consists of a three- or four-digit base-8 value, each digit being between 0 and 7.
With three-digit octal notation, each numeral represents a different component of the permission set: user class, group class, and others class respectively. Each digit is the sum of its component bits (each bit being a binary digit with its own place value), so specific bits contribute to the digit as follows:
- The read bit adds 4 to its total,
- The write bit adds 2 to its total, and
- The execute bit adds 1 to its total.
These values never produce ambiguous combinations; each sum represents a specific set of permissions. The permission parts of the examples from the Symbolic notation section (the file type character has no octal equivalent) are:
- "-rwxr-xr-x" would be represented as 755 in three-digit octal.
- "-rw-rw-r--" would be represented as 664 in three-digit octal.
- "-r-x------" would be represented as 500 in three-digit octal.
Octal notation and additional permissions
There is also a four-digit form of octal notation. In this scheme, the standard three digits described above become the last three digits, and the first digit represents the additional permissions. On some systems this first digit cannot be omitted, so it is common to write all four digits (with a leading zero when no additional permission is set). This first digit is also the sum of component bits:
- The setuid bit adds 4 to the total,
- The setgid bit adds 2 to the total, and
- The sticky bit adds 1 to the total.
The example from the Symbolic notation and additional permissions section, "-rwsr-Sr-x" would be represented as 6745 in four-digit octal. In addition, the examples in the previous section would be represented as 0755, 0664, and 0500 respectively in four-digit octal notation.
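Converting between the symbolic string, the mode integer and four-digit octal, as an added example that is not part of the original article and that serves both the symbolic-notation tables and this octal section. The standard library's stat.filemode() renders the same string; the hand-written version here makes the r/w/x and s/S/t/T rules explicit, and parse_symbolic() goes the other way. All sample strings are constructed.

```python
import stat

# Added example (not from the original article): symbolic <-> octal
# conversion including the s/S/t/T rules. Inputs are constructed.

TYPE_CHARS = {
    stat.S_IFREG: "-", stat.S_IFDIR: "d", stat.S_IFLNK: "l",
    stat.S_IFCHR: "c", stat.S_IFBLK: "b", stat.S_IFIFO: "p",
    stat.S_IFSOCK: "s",
}
# (bit shift of the rwx triplet, special bit shown in its x slot, its letter)
CLASSES = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))


def to_symbolic(mode):
    """Render a full st_mode as the 10-character symbolic string."""
    out = [TYPE_CHARS.get(stat.S_IFMT(mode), "?")]
    for shift, special, letter in CLASSES:
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            # lowercase: special bit plus execute; uppercase: special bit alone
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def parse_symbolic(text):
    """Parse a 10-character symbolic string into its permission bits (an int
    covering the low twelve bits). The file-type character is validated but
    not encoded in the result. Raises ValueError on malformed input."""
    if len(text) != 10 or text[0] not in TYPE_CHARS.values():
        raise ValueError(f"not a symbolic mode string: {text!r}")
    mode = 0
    for index, (shift, special, letter) in enumerate(CLASSES):
        r, w, x = text[1 + 3 * index: 4 + 3 * index]
        if r not in "r-" or w not in "w-":
            raise ValueError(f"bad read/write character in {text!r}")
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x == "x":
            bits |= 1
        elif x.lower() == letter:       # s/S only valid in user and group, t/T in others
            mode |= special
            if x == letter:             # lowercase also means executable
                bits |= 1
        elif x != "-":
            raise ValueError(f"bad execute character {x!r} in {text!r}")
        mode |= bits << shift
    return mode


def to_octal(mode):
    """Four-digit octal text for the permission bits of a mode."""
    return f"{stat.S_IMODE(mode):04o}"


def matches_stdlib(mode):
    """Cross-check to_symbolic() against the standard library's renderer."""
    return to_symbolic(mode) == stat.filemode(mode)


if __name__ == "__main__":
    type_bits = {char: fmt for fmt, char in TYPE_CHARS.items()}
    for sample in ("-rwxr-xr-x", "crw-rw-r--", "dr-x------", "-rwsr-Sr-x", "drwxrwxrwt"):
        bits = parse_symbolic(sample)
        full = type_bits[sample[0]] | bits
        print(f"{sample}  octal {to_octal(bits)}  round trip {to_symbolic(full)}  "
              f"stdlib agrees: {matches_stdlib(full)}")
```

The parser rejects a t in the user or group slot and an s in the others slot, which is how one catches a hand-typed mode string that looks plausible but does not correspond to any real mode.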
See also
- chmod (change mode), the shell command used to set these permissions in Unix and Unix-like environments
- Access control list
- POSIX
- File system
- User identifier (UID)
- Group (Unix)
External links - Apple Mac OS X Server version 10.4+ File Services Administration Manual (see pages 16-26)
- Permissions Definition - by The Linux Information Project (LINFO)