
I understand that with Unix file permissions, there's "user", "group", and "world" octets. For the sake of this discussion, let's assume that setuid/sticky bits don't exist.

Consider the following example:

$ echo "Hello World" > strange
$ chmod 604 strange
$ ls -l strange
-rw----r-- 1 mrllama foo 12 Apr 13 15:59 strange

Let's assume that there's another user, john, who is a member of my group, foo.

  • What permissions does John have regarding this file?
  • Does the system go with the most specific permission match (i.e. John isn't owner, but he's in the foo group, so use the permissions for the "group" octet)?
  • ...or does it go by the most permissive of the octets that apply to him (i.e. John meets the criteria for "group" and "world", so it goes with the more permissive of the two)?

Bonus questions:

  • What if the permissions were instead 642? Can John only read, only write, or both?
  • Are there any reasons to have strange permissions like 604?
Mr. Llama
  • Looks like you could quickly recreate this permissions configuration, what have you tried so far? – steve Apr 13 '16 at 21:13
  • I've managed to test same groups, but not different groups. In the case of same groups, it seems to go with the group octet, regardless of the world octet. I'm not at liberty to change user groups on the servers I have access to, so I can't test how "world" octets apply. – Mr. Llama Apr 13 '16 at 21:20
  • (cont.) I'm assuming that world permissions work similarly, even if they're more lax than user or group. However, my final question regarding when it might be useful still stands. – Mr. Llama Apr 13 '16 at 21:24

2 Answers


When determining access permissions using Unix-style permissions, the current user is compared with the file's owner, then the group, and the permissions applied are those of the first component which matches. Thus the file's owner has the owner's permissions (and only those), members of the file's group have the group's permissions (and only those), everyone else has the "other users'" permissions.

Thus:

  • John has no permissions for this file.
  • The most specific permission match wins, not the most permissive (access rights aren't cumulative).
  • With permissions 642, John could read the file.
  • There are reasons to give permissions such as 604: this allows the group to be excluded, which can be handy in some situations — I've seen it on academic systems with a students group, where staff could create files accessible to anyone but students.

root has access to everything, regardless of the permissions defined on the file.

For more complex access control you should look into SELinux and POSIX ACLs. (SELinux in particular can even limit what root has access to.)

Stephen Kitt
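The first-match rule described in the answer above, as an added example that is not part of the original post or its author's text: a small Python model of the classic Unix mode-bit check (owner class, else group class, else other; uid 0 bypasses the bits), run against the question's 604 and 642 cases. The uids and gids for mrllama, john, the group foo, and a third user alice who is not in foo are constructed values.

```python
import stat

R, W, X = 4, 2, 1  # bit values inside one rwx triad


def effective_perms(mode, file_uid, file_gid, uid, groups):
    """Return the set of {'r', 'w', 'x'} a process with (uid, groups) gets on a
    file with the given mode bits and ownership. Only one class is consulted:
    the first that matches, so rights are not combined across classes.
    Models plain mode bits only (no POSIX ACLs, no SELinux)."""
    if uid == 0:
        # The superuser bypasses the bits, except that executing a regular
        # file still requires at least one x bit to be set somewhere.
        return {"r", "w"} | ({"x"} if mode & 0o111 else set())
    if uid == file_uid:
        shift = 6   # owner triad
    elif file_gid in groups:
        shift = 3   # group triad (membership checked against all groups)
    else:
        shift = 0   # "other" triad
    triad = (mode >> shift) & 0o7
    return {name for name, bit in (("r", R), ("w", W), ("x", X)) if triad & bit}


# Constructed ids for the question's scenario.
MRLLAMA, JOHN, ALICE = 1000, 1001, 1002   # uids
FOO = 1000                                # gid of group "foo"


def scenario(mode):
    """Permissions each constructed user gets on a file owned by mrllama:foo."""
    return {
        "mrllama": effective_perms(mode, MRLLAMA, FOO, MRLLAMA, {FOO}),
        "john": effective_perms(mode, MRLLAMA, FOO, JOHN, {FOO}),      # in foo
        "alice": effective_perms(mode, MRLLAMA, FOO, ALICE, {ALICE}),  # not in foo
        "root": effective_perms(mode, MRLLAMA, FOO, 0, {0}),
    }


if __name__ == "__main__":
    for mode in (0o604, 0o642):
        print(oct(mode), stat.filemode(stat.S_IFREG | mode))  # e.g. -rw----r--
        for user, perms in scenario(mode).items():
            print(f"  {user:8s} {''.join(sorted(perms)) or '-'}")
```

Note that alice, who is outside the group, reads the 604 file while john, the group member, cannot: that is the "exclude the group" effect the answer mentions.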

Assuming john does not bear uid 0, john would have no permissions, as john is a member of the group, and the permission check would not consider the world bits because of the group match (source: "Advanced Programming in the Unix Environment", chapter 4, section 5, p. 80 in the first edition.) 642 would result in the 4 bits being applied for the same reason. 604 is quite uncommon, but might suit something someone did not want other members of their group to see.

thrig