UNIX Permissions
Website http://en.wikipedia.org/wiki/File_system_permissions
- When a file is created, its permissions are restricted by the umask of the process that created it: the mode the process asks for (typically 666 for a file and 777 for a directory) is ANDed with the complement of the umask.
- umask only strips permissions; it never adds any. For example,
umask 0077
strips all permissions for group and other (a new file becomes 600, a new directory 700), while
umask 0022
strips only write from group and other, so a new file is 644 and a new directory 755, i.e. read-only for non-owners.
- umask applies only at creation time. A later chmod is not affected by it.
- Unlike ACLs, UNIX mode bits are not inherited from the parent directory (the one exception is the setgid bit on directories, described below).
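As an added example (not part of the original page), the following Python script shows the two points above on a real filesystem: the bits a new file or directory ends up with are exactly `requested & ~umask`, and a later chmod is not affected by the umask at all. It assumes a POSIX system and a writable temporary directory; the function names are the example's own.

```python
import os
import stat
import tempfile
from contextlib import contextmanager


@contextmanager
def umask_set_to(mask):
    """Temporarily set the process umask, restoring the previous value afterwards."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)


def mode_of(path):
    """Permission bits of path (setuid/setgid/sticky included) as an int."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def create_under_umask(mask, requested=0o666, kind="file"):
    """Create a file (or directory when kind == "dir") while the umask is `mask`,
    asking the kernel for the `requested` bits. Returns (actual, expected) where
    `actual` is what the new object really got and `expected` = requested & ~mask."""
    with tempfile.TemporaryDirectory() as tmp, umask_set_to(mask):
        path = os.path.join(tmp, "new")
        if kind == "dir":
            os.mkdir(path, requested)
        else:
            # O_CREAT takes the requested mode; the umask is applied by the kernel
            fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested)
            os.close(fd)
        actual = mode_of(path)
    return actual, requested & ~mask & 0o7777


def chmod_ignores_umask(mask, new_mode=0o777):
    """chmod happens after creation, so the umask has no say in it: create a file
    with umask `mask`, chmod it to `new_mode`, and return the resulting bits."""
    with tempfile.TemporaryDirectory() as tmp, umask_set_to(mask):
        path = os.path.join(tmp, "f")
        open(path, "w").close()
        os.chmod(path, new_mode)
        return mode_of(path)


if __name__ == "__main__":
    for mask in (0o077, 0o022, 0o000):
        f, _ = create_under_umask(mask, 0o666, "file")
        d, _ = create_under_umask(mask, 0o777, "dir")
        print(f"umask {mask:04o}: new file {f:04o}, new directory {d:04o}")
    print(f"chmod 777 under umask 0077 -> {chmod_ignores_umask(0o077):04o}")
```

Run it as a normal user; the umask is restored on exit, so it does not leave the shell's umask changed. The subtlety worth noticing is that the 0077 case removes the read bit for group and other even though the process asked for 666, whereas chmod 777 succeeds under the same umask because nothing restricts a chmod except ownership.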
Permissions (Modes) for Classes
Classes are user/owner (u), group (g), and other (o).
| | File | Directory |
|---|---|---|
| Read (r) | Read the file | Read the names of the entries (but not their metadata) |
| Write (w) | Modify the file | Create, delete, or rename entries (also requires x on the directory) |
| Execute (x) | Execute the file | Traverse the directory: access the content and metadata of an entry whose name is known |
Attribute Bits
These bits do not belong to any class; they are properties of the file / directory.
| | File | Directory |
|---|---|---|
| set user ID (setuid) (s / S) | When executed, the resulting process gets its effective user ID from the file's owner. This lets whoever runs the file act as the owner (e.g. root, which of course is a security risk). Linux honours it only on binaries, not on scripts, and not on filesystems mounted nosuid | - (no standard meaning; Linux ignores it) |
| set group ID (setgid) (s / S) | When executed, the resulting process gets its effective group ID from the file's group | Newly created files / directories inherit the group of the directory (instead of the default, the primary group of the creating process); new subdirectories also inherit the setgid bit |
| sticky (t / T) | - | Only a file's owner, the directory's owner, or the superuser may rename, move, or delete it (the usual setting for /tmp) |
- s and t mean the bit is set and the corresponding execute bit is set too; S and T mean the bit is set but the execute bit is not.
- To set the bits individually, use chmod with the numeric code as a leading fourth octal digit (setuid = 4000, setgid = 2000, sticky = 1000), e.g. chmod 2755, or the symbolic forms u+s, g+s, and +t.
Symbolic Notation
drwxr-xr-x 26 root root 4096 Sep 22 09:29 /
- First character: file type
  - - = regular file
  - d = directory
  - l = symlink
  - p = named pipe
  - s = socket
  - c = character device (stream only / no random access)
  - b = block device (allows random access)
- Then come nine characters, uuugggooo, where each class has its rwx bits.
- In the x position, the user and group classes can show s or S (setuid / setgid) instead of x, and the other class can show t or T (sticky). Lowercase means the execute bit is set as well; uppercase means it is not.
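As an added example (not part of the original page), here is a small Python parser that turns the ten-character string from ls -l back into the numeric mode, enforcing the rule above that s / S may only appear in the user and group x positions and t / T only in the other x position. The function names are the example's own; the sample lines fed to it in the demo are constructed.

```python
import stat

# Bit for each of the nine permission characters, in ls -l order
_PERM_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
# Attribute bit that may replace the x in a given position
_SPECIAL = {2: ("s", stat.S_ISUID), 5: ("s", stat.S_ISGID), 8: ("t", stat.S_ISVTX)}

_FILE_TYPES = {
    "-": "regular file", "d": "directory", "l": "symlink", "p": "named pipe",
    "s": "socket", "c": "character device", "b": "block device",
}


def parse_mode(text):
    """Parse 'drwxr-xr-x' (10 chars) or 'rwxr-xr-x' (9 chars) into
    (file type name or None, numeric mode including 4000/2000/1000).
    Raises ValueError for a malformed string or a special letter in the wrong column."""
    if len(text) == 10:
        ftype, perms = text[0], text[1:]
        if ftype not in _FILE_TYPES:
            raise ValueError(f"unknown file type {ftype!r} in {text!r}")
    elif len(text) == 9:
        ftype, perms = None, text
    else:
        raise ValueError(f"mode string must be 9 or 10 characters: {text!r}")

    mode = 0
    for i, ch in enumerate(perms):
        expected = "rwx"[i % 3]
        if ch == "-":
            continue
        if ch == expected:
            mode |= _PERM_BITS[i]
            continue
        if i in _SPECIAL and ch.lower() == _SPECIAL[i][0]:
            mode |= _SPECIAL[i][1]
            if ch.islower():            # lowercase: the execute bit is set too
                mode |= _PERM_BITS[i]
            continue
        raise ValueError(f"unexpected {ch!r} at position {i + 1} of {text!r}")
    return (_FILE_TYPES[ftype] if ftype else None), mode


def is_valid_mode_string(text):
    """True if parse_mode accepts the string."""
    try:
        parse_mode(text)
        return True
    except ValueError:
        return False


def parse_ls_line(line):
    """Take the mode field of an ls -l line and return (type, mode, name)."""
    fields = line.split()
    ftype, mode = parse_mode(fields[0])
    return ftype, mode, fields[-1]


if __name__ == "__main__":
    # Constructed sample of ls -l output (the first line is the one on this page)
    sample = [
        "drwxr-xr-x 26 root root 4096 Sep 22 09:29 /",
        "-rwsr-xr-x  1 root root 59976 Sep 22 09:29 /usr/bin/passwd",
        "drwxrwxrwt 12 root root 4096 Sep 22 09:29 /tmp",
    ]
    for line in sample:
        ftype, mode, name = parse_ls_line(line)
        print(f"{name}: {ftype}, mode {mode:04o}")
```

The reverse direction is already in the standard library: `stat.filemode(st_mode)` renders a raw st_mode as the same ten-character string, so the two can be used to round-trip a mode when checking, for example, that a find -perm expression matches what ls shows.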
AFS Permissions
Website https://sipb.mit.edu/doc/afs-and-you/#ControllingWhocanAccessFiles
- AFS uses ACLs (access control lists), which assign permissions per directory (not per file) and ignore the UNIX permission bits. (Exception: the UNIX execute bit is still used, so a file must be marked executable to run it.)
- When a directory is created, it inherits the ACL of its parent directory. Changing the parent's ACL later does not propagate to existing subdirectories, which is why the recursive find command below is needed.
| Name | Code | Right |
|---|---|---|
| read | r | See the contents of files in the directory |
| list | l | List file names and see the directory's ACL |
| insert | i | Create files or subdirectories in the directory |
| delete | d | Delete files or subdirectories from the directory |
| write | w | Change the contents of files in the directory |
| lock | k | Lock files (rarely useful) |
| admin | a | Change the ACL of the directory (but not of its subdirectories) |
| read | | Shorthand for rl |
| write | | Shorthand for rlidwk |
| all | | Shorthand for rlidwka |
| none | | Shorthand for the empty string (removes the user or group from the ACL) |
Commands
fs sa <directory> [<user|group> <permissions>]+
(set ACL entries on a single directory; several user/group and permission pairs can be given in one call)
find <maindirectory> -type d -exec fs sa {} <user|group> <permissions> \;
(apply the same ACL entry to every directory under <maindirectory>, since ACLs are per directory and existing subdirectories do not pick up changes to their parent)