Next: Superuser
Up: The Unix Security Model
Previous: User categories
Unix defines four categories of permissions for access to files. The precise meanings of these categories differ somewhat according to whether the file in question is a regular file or a directory.
- read -- For a plain file, this grants permission to read
and copy the file. For a directory, it grants permission to list
the contents of the directory (e.g. by the ls command).
- write -- For a plain file, this grants permission to
write to the file, i.e. to modify it by truncating it and/or
appending to it. For a directory, it grants permission to create
or delete files in the directory.
- execute -- For a plain file, this grants permission to
run the file as a program. (The file should be a script or a
compiled program.) For a directory, it grants permission to access
the files in the directory (e.g. by the cd command). Note
that it is possible to grant read permission but not execute
permission on a directory, so that one can list the files in a
directory but not access them. It is also possible to grant execute
permission but not read permission on a directory, so that one can
access the files in it (for instance reading them) but not list
them.
- set-id -- The meaning of this permission depends on the category of user to which it applies.
  - For the user or owner of the file: the file is called set-user-id or simply suid. In this case, the permission is meaningful only if the file is executable. It causes the program to be run with the identity of the owner of the file, even if it is executed by some other user. This permission is commonly used to grant ordinary users extra privileges in order to perform some legitimate but sensitive administrative function such as changing their own password.
  - For the group to which the file belongs: the file is called set-group-id or simply sgid. Like the suid case, the permission is meaningful only if the file is executable. It causes the program to be run with the group identity of the group to which the file belongs. This permission is commonly used as a way of granting a program access to sensitive system files for a specific purpose, without granting as much privilege as suid confers. For instance, it can be used to grant the sendmail program permission to create or update the user's mail file in the system mail spool directory.
  - For the category others: this permission is meaningful only for directories. It implies that a file in the directory can be deleted only by the file's owner. This permission is commonly used for world-writable directories like /tmp to prevent users from tampering with one another's files.
In practice, access to a file is always performed by a running process. Each process on the system belongs to a specific user and group. (Normally, a process inherits its user and group identification from the parent process, e.g. the shell, but in some cases such as suid programs or processes that are started as root, the user or group can be different.) When the process attempts to access a file, its user id is compared to that of the file. If it matches, then the process gets the permissions granted for the user category. Failing that, its group id is compared to that of the file, and if it matches, then the process gets the permissions granted for the group category. Otherwise it gets the permissions for the other category.
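The decision just described, modelled in Python as an added example that is not part of the original page: a file's mode is given in the symbolic form printed by `ls -l`, the process is matched to exactly one category in the order user, group, other, and the suid, sgid and others set-id bits are applied as the text states. The `Inode` class and the function names are this example's own; only the owner uid and a single gid are compared, as in the text, so supplementary groups are ignored, and `can_delete` follows the page's statement that only the file's owner may delete from such a directory.

```python
from dataclasses import dataclass

@dataclass
class Inode:
    mode: str   # ls -l style: type char, then rwx triples for user, group, other
    uid: int    # owner
    gid: int    # owning group

def _triple_perms(mode: str, start: int) -> set:
    """Permissions granted by one rwx triple; 's'/'t' in the x slot also grant x."""
    r, w, x = mode[start:start + 3]
    return {p for p, ok in (('r', r == 'r'), ('w', w == 'w'), ('x', x in 'xst')) if ok}

def permission_class(f: Inode, uid: int, gid: int) -> str:
    """The single category applied to a process: user, else group, else other."""
    if uid == f.uid:
        return 'user'
    if gid == f.gid:
        return 'group'
    return 'other'

def check(f: Inode, uid: int, gid: int, want: str) -> bool:
    """Is access 'r', 'w' or 'x' granted to a process with this uid/gid?
    Note that the first matching category is used even if another would grant more."""
    start = {'user': 1, 'group': 4, 'other': 7}[permission_class(f, uid, gid)]
    return want in _triple_perms(f.mode, start)

def exec_identity(f: Inode, uid: int, gid: int):
    """Identity a process runs with after executing f, or None if it cannot.
    The suid bit ('s' in the user x slot) swaps in the owner, sgid the group."""
    if f.mode[0] != '-' or not check(f, uid, gid, 'x'):
        return None
    new_uid = f.uid if f.mode[3] in 'sS' else uid
    new_gid = f.gid if f.mode[6] in 'sS' else gid
    return new_uid, new_gid

def can_delete(directory: Inode, entry: Inode, uid: int, gid: int) -> bool:
    """Deleting needs write on the directory; if the directory carries the
    others set-id bit ('t' in its last slot) only the entry's owner may delete."""
    if directory.mode[0] != 'd' or not check(directory, uid, gid, 'w'):
        return False
    if directory.mode[9] in 'tT' and uid != entry.uid:
        return False
    return True
```

A mode such as `----rwxrwx` shows the ordering rule at work: the owner is denied read even though every other process is allowed it.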
Robert Moniot
2000-09-13