Hubbry Logo
File-system permissionsFile-system permissionsMain
Open search
File-system permissions
Community hub
File-system permissions
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
File-system permissions
File-system permissions
File-system permissions
View on Wikipedia
from Wikipedia

Typically, a file system maintains permission settings for each stored item – commonly files and directories – that either grant or deny the ability to manipulate file system items. Often the settings allow controlling access based on function such as read, change, navigate, and execute and to different users and groups of users.

One well-established technology was developed for Unix and later codified by POSIX. Another common technology is an access-control list (ACL) with multiple variants implemented in file systems and one codified by POSIX. Since POSIX defines both the older Unix-based technology as well as ACLs, the former is called traditional POSIX permissions for clarity even though it is not a well-known term.

A permission-driven user interface tailors the functionality available to the user based on file system item permissions. For example, the interface might hide menu options that are not allowed based on the permissions stored for an item.

History

[edit]

CTSS

[edit]

An early time-sharing system, the Compatible Time-Sharing System (CTSS), supported multiple users; each user's account had a "problem number" and "programmer number".[1]

The first version of the CTSS file system supported only two "read-only" file modes, one of which can be unset by the user and the other of which can only be unset with edit cards submitted to the computer center.[1]: 45–46  Files can be shared between users in the same project; shared files are assigned to programmer number zero.[1]: 24  There is no protection other than that provided by the read-only bits.

The second version of the file system has separate permission bits for "read-only" and "write-only"; the latter allows only appending to the file. It also has a "private" bit, allowing only the author of the file to access it, and a "protected" bit, allowing only the author of the file to change the file's permissions.[2]

Multics

[edit]

Users on the Multics time-sharing system have a "Person_id", and projects have a "Project_id"; a user logs on to the system with their Person_id and a Project_id. A file has an access control list (ACL), with entries containing a Person_id or a "*", a Project_id or a "*", and an "instance tag" or a "*". An instance tag represents a type of process; an "a", for example, represents a process from a regular interactive session. The entries in an ACL are matched against the process's Person_id, Project_id, and instance tag; an "*" is a wildcard that matches all Person_ids, Project_Ids, or instance tags. The ACL entry that matches with the fewest wildcards is the one that is used.[3]: 6–2, 6-4­6-8 

An ACL for a file has access permissions of "read", "write", and "execute"; an ACL for a directory has access permissions of "status" (allows reading attributes of files and directories in the directory), "modify" (allows modification of attributes of files and directories in the directory and removing items from the directory), and "append" (allows adding new items to the directory).[3]: 6-3 

TENEX

[edit]

A user in TENEX belongs to a set of groups.[4]: 44 

A file or directory has a set of permission bits, with six bits for permissions for the file or directory's owner, six bits for permissions for other users in the file's or directory's group, and six bits for other users. For a file, the permission bits are "read", "write", "execute", "append", and "each page of the file has its own permissions", with the sixth bit not being used. For a directory, the permission bits are "access allowed" (if not set, no access to the directory is allowed), "files in the directory may be opened" (subject to the file's permission bits), "owner-like functions may be performed without the file's password", and "files may be added to the directory", with the fifth and sixth bits not being used.[4]: 42–44 

TOPS-10

[edit]

A user account in TOPS-10 has a programmer number and a project number.

A file has a set of permission bits, with three bits for permissions for the file's owner, three bits for permissions for other users with the same project number as the owner, and three bits for all other users. The operating system may be configured to treat any account with a programmer number that is the same as the programmer number of the containing directory as the owner or to treat only an account with the same programmer number and project number as those of the containing directory as the owner. The values for the permission bits are:

  • 7 - no access privileges, except that the owner may look up the file in order to change its permissions;
  • 6 - execute-only;
  • 5 - read and execute;
  • 4 - append, read, and execute;
  • 3 - update, append, read, and execute;
  • 2 - write, update, append, read, and execute;
  • 1 - rename, write, update, append, read, and execute;
  • 0 - change permissions, rename, write, update, append, read, and execute.

The owner is always allowed to change the permissions.[5]

UNIX and Unix-like systems

[edit]

Files in the first edition of Unix (v1) had five bits of permission:

  • write, non-owner;
  • read, non-owner;
  • write, owner;
  • read, owner;
  • executable;

and a set-UID bit.[6] It had no notion of groups. This continued until the third edition (v3);[7] the fourth edition (v4) introduced groups, and files in v4 had nine bits of permission:

  • read, owner;
  • write, owner;
  • execute, owner;
  • read, group;
  • write, group;
  • execute, group;
  • read, other;
  • write, other;
  • execute, other;

as well as a set-UID and set-GID bit;[8] This is the same set of permissions that are specified in POSIX and that are provided by current Unix and Unix-like systems.


Examples

[edit]

File system permissions have been implemented many ways. Some notable examples are described here.

NTFS which is in many versions of Windows including the current, uses ACLs to provide permission-based access control; NTFS ACLs are considered powerful yet complex.[9]

Linux file systems such as ext2, ext3, ext4, Btrfs support both POSIX permissions and POSIX.1e ACLs. There is experimental support for NFSv4 ACLs for ext3[10] and ext4 filesystems.

FreeBSD supports POSIX.1e ACLs on UFS, and NFSv4 ACLs on UFS and ZFS.[11][12]

HFS, and its successor HFS+, as implemented in the Classic Mac OS operating systems, do not support permissions.

macOS supports POSIX-compliant permissions, and supports them in both HFS+ and APFS. Beginning with version 10.4 ("Tiger"), it also supports the use of NFSv4 ACLs in addition to POSIX-compliant permissions. The Apple Mac OS X Server version 10.4+ File Services Administration Manual recommends using only traditional Unix permissions if possible. macOS also still supports the Classic Mac OS's "Protected"/"Locked" attribute as the "user immutable" flag in the 4.4BSD flags field.[13]

File Allocation Table (original version) has a per-file read-only attribute that applies to all users.

OpenVMS defines four access functions: read, write, execute and delete and user selections: system, owner, group, and world where world includes group which in turn includes owner and system selects system users. This design is similar to that of Unix with notable extensions: additional function: delete and additional user selection: system.[14] ACLs are supported in VMS 4.0 and later.[15]

Solaris ACL support depends on the filesystem being used; the older UFS filesystem supports POSIX.1e ACLs, while ZFS supports only NFSv4 ACLs.[16]

IBM z/OS implements file security using RACF (Resource Access Control Facility)[17]

The AmigaOS Filesystem, AmigaDOS supports a permissions system relatively advanced for a single-user OS. In AmigaOS 1.x, files had Archive, Read, Write, Execute and Delete (collectively known as ARWED) permissions/flags. In AmigaOS 2.x and higher, additional Hold, Script, and Pure permissions/flags were added.

OpenHarmony operating system alongside its client side ecosystem in Oniro OS and HarmonyOS with HarmonyOS NEXT versions and also Linux-based openEuler server OS natively uses its Harmony Distributed File System (HMDFS) that supports access token manager (role-based access control) and Core File Kit API capability-based with granular permission management with exception to openEuler that is fine grained.[18][failed verification]

Traditional POSIX permissions

[edit]

Traditionally, file permissions on a Unix-based file system are defined by POSIX.1.[19] It specifies three classes (user, group and others) that allow for mapping permissions to users and three operations (read, write, execute) that can be granted or denied for each class. When a file is created, its permissions default to that as accessible via the umask command.

In a Unix-based file system, everything is a file, even directories and other special files.

Classes

[edit]

The classes determine how permissions map to a user. The user class permissions apply to the user who owns the file. The group class permissions apply to users of the file's owning group. The others class applies to other users.

The effective permissions are the permissions of the class in which the user falls first given the order: user, group then others. For example, the owning user has effective permissions of the user class even if they are in the owning group.

Permissions

[edit]

The following permissions grant the corresponding operations on files and directories:

Read (r)

[edit]
  • For files: grants the ability to read the file’s contents (not its name or metadata, which are determined by the permissions of its parent directory).
  • For directories: grants the ability to read the directory entry names of its contained files and directories, but not to access their metadata (inode) and therefore their content, which is determined by the directory execute permission.

Write (w)

[edit]
  • For files: grants the ability to modify the file contents.
  • For directories: grants the ability to modify entries in the directory, which allows creating, deleting, and renaming its files or directories.
    • Doing so also requires the execute permission in order to access the metadata (inode) of all its containing files and directories. Therefore, without execute permission the write permission is effectively meaningless.

Execute (x)

[edit]
  • For files: grants the ability to execute a file. This permission must be set for executable programs to allow running them.
    • Doing so also requires the read permission.
  • For directories: grants the ability to read the metadata of its containing files and directories if their names are known, but not to read their names. A directory without execute permission effectively blocks reading and writing the content of its contained files and directories.
    • A directory with execute permission but without read permission effectively makes it a name guessing game to access the contents of its files and directories.

General access requirement inside directories

[edit]

Accessing the content of file or directory inside a directory requires:

  1. Knowing its name which is discoverable if the parent directory read permission is set (or by guessing its name).
  2. The parent directory execute permission to access the file or directory inode.
  3. Its corresponding read, write or execute permissions.

Permission requirement summary for file operations

[edit]

To read from a file you need:

  • The file read permission.
  • Execute permission on its parent directory .

To write to a file you need:

  • The file write permission.
  • Execute permission on its parent directory .

To execute a file you need:

  • The file read and execute permission.
  • Execute permission on its parent directory .

To know the name of the file you need:

  • Read permission of its parent directory .

To add, remove, or rename a file you need:

  • write, and execute permission on its parent directory.

Notes

[edit]

Metadata of a file or directory typically includes inode id, file type, size, ownership (GUI and UID), and permission bits.

The effect of setting the permissions on a directory, rather than a file, is "one of the most frequently misunderstood file permission issues".[20]

Unlike ACL-based systems, these permissions are not inherited. Files created within a directory do not necessarily have the same permissions as its containing directory.

Changing permission behavior with setuid, setgid, and sticky bits

[edit]

Three additional single-bit attributes apply to each file that are related to permissions and stored in the file mode along with permissions.

  • The set user ID, setuid, or SUID mode. Executing a file with this bit set results in a process with user ID set to the file's owning user. This enables users to be treated temporarily as root (or another user).
  • The set group ID, setgid, or SGID permission. Executing a file with this bit set results in a process with group ID set to the file's owning group. When applied to a directory, new files and directories created under that directory inherit their group from that directory. (Default behavior is to use the primary group of the effective user when setting the group of new files and directories, except on BSD-derived systems which behave as though the setgid bit is always set on all directories (see Setuid).)
  • The sticky mode (also known as the Text mode). The classical behavior of the sticky bit on executable files has been to encourage the kernel to retain the resulting process image in memory beyond termination; however, such use of the sticky bit is now restricted to only a minority of Unix-like operating systems (HP-UX and UnixWare). On a directory, the sticky permission prevents users from renaming, moving or deleting contained files owned by users other than themselves, even if they have write permission to the directory. Only the directory owner and superuser are exempt from this.

Representation

[edit]

Permissions are commonly represented in symbolic or octal notation.

Symbolic notation

[edit]

Symbolic notation is used in the long output format of command ls -l.

The first character of the output indicates the Unix file type which is not a permission even though its next to the permissions information. The remaining nine characters represent the grants for the user, group and others classes as groups of operation grants for read, write and execute. An operation is denied when shown as a dash or granted when shown as r for read, w for write or x for execute.

Examples:

  • -rwxr-xr-x: initial - indicates a regular file, next three rwx indicate that user class has all permissions and group and others classes (both r-x) have only read and execute
  • crw-rw-r--: initial c indicates a character special file, user and group classes (both rw-) have read and write permissions and others class (r--) has only read permission
  • dr-x------: initial d indicates a directory, user class (r-x) has read and execute permissions and group and others classes (both ---) have no permissions

To represent the setuid, setgid and sticky/text attributes, the character in the third position for a class is modified, even though this position is otherwise only for execute and even though these attributes affect the file without concern for class. The setuid attribute modifies the execute character for the user class, the setgid attribute modifies the execute character for the group class, and the sticky or text attribute modifies the execute character for the others class. For setuid or setgid, x becomes s and - becomes S. For the sticky or text attribute x becomes t and - becomes T. For example -rwsr-Sr-t indicates a regular file, user class has read, write and execute permissions; group class has read permission; others class has read and execute permissions; and which has setuid, setgid and sticky attributes set.

Some systems show additional permission features:

  • + suffix indicates an access control list that can control additional permissions
  • . suffix indicates an SELinux context is present. Details may be listed with the command ls -Z
  • @ suffix indicates extended file attributes are present

Octal notation

[edit]

Permissions are often shown in octal notation, for example via the command stat -c %a. The notation consists of at least three digits. The last three digits represent the permission by class: user, group, and others. If a fourth digit is present, the leftmost represents the three special attributes: setuid, setgid and sticky.

Each operation grant is assigned a bit position that for an octal digit is:

  • Read: left, binary 100, octal 4
  • Write: middle, binary 010, octal 2
  • Execute: right, binary 001, octal 1

A class permission value is the sum or alternatively the logic OR of the grants.

Examples:

Symbolic Octal Description
---------- 0000 no permissions
-rwx------ 0700 read, write, & execute only for owner
-rwxrwx--- 0770 read, write, & execute for owner and group
-rwxrwxrwx 0777 read, write, & execute for owner, group and others
-rwxr----- 0740 owner can read, write, & execute; group can only read; others have no permissions

User private group

[edit]

Some systems diverge from the traditional POSIX model of users and groups by creating a new group – a "user private group" – for each user. Assuming that each user is the only member of its user private group, this scheme allows an umask of 002 to be used without allowing other users to write to newly created files in normal directories because such files are assigned to the creating user's private group. However, when sharing files is desirable, the administrator can create a group containing the desired users, create a group-writable directory assigned to the new group, and, most importantly, make the directory setgid. Making it setgid will cause files created in it to be assigned to the same group as the directory and the 002 umask (enabled by using user private groups) will ensure that other members of the group will be able to write to those files.[21][22]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

File-system permissions

View on Grokipedia
from Grokipedia
File-system permissions are access control mechanisms in operating systems that regulate the operations—such as reading, writing, or executing—users or processes can perform on files and directories within a file system, ensuring data security and integrity by restricting unauthorized access. These permissions form a core component of the operating system's security model, applying to all file-like objects including devices and sockets, and are enforced at the kernel level to prevent abuse or unintended modifications. In systems adhering to the standard, permissions are traditionally structured around three categories—owner (user), group, and others—each with three possible rights: read (r), write (w), and execute (x), often represented in symbolic notation (e.g., rw-r--r--) or values (e.g., 644). Ownership is managed via user ID (UID) and group ID (GID) attributes on each file, with commands like [chmod](/page/Chmod) for altering permissions and [chown](/page/Chown) for changing ownership, while directory permissions differ slightly: read allows listing contents, write enables creation or deletion, and execute permits traversal. This model, originating from early Unix implementations, provides a simple yet effective (DAC) framework but can be extended with access control lists (ACLs) for finer-grained control in modern file systems like or NFS. In contrast, Windows file systems such as employ a more flexible model based on descriptors containing lists (DACLs) and system lists (SACLs), where permissions are defined through entries (ACEs) specifying rights like read, write, delete, or full control for individual users, groups, or principals. These descriptors support inheritance from parent directories, allowing permissions to propagate to child objects unless explicitly blocked, and are managed via APIs like SetNamedSecurityInfo or tools such as icacls, integrating with for domain-wide enforcement. Both and Windows approaches underscore the role of file-system permissions in mitigating risks like , though misconfigurations remain a common vulnerability in multi-user environments.

Core Concepts

Definition and Purpose

File-system permissions are mechanisms in operating systems that govern access to files and directories, specifying which entities are authorized to interact with resources to ensure controlled usage in multi-user environments. These permissions originated in early multi-user systems during the 1970s, particularly with the development of Unix at , which drew inspiration from the more complex access controls in the operating system to enable secure without excessive administrative overhead. The primary purposes of file-system permissions include enforcing by restricting unauthorized reading of sensitive data, maintaining through limitations on modifications, and supporting by regulating execution and deletion to prevent disruptions. They also mitigate risks such as , where limited access prevents low-privilege users or processes from gaining elevated control over system resources. At their core, file-system permissions adhere to fundamental principles like least privilege, which mandates granting only the minimal access necessary for tasks, and , which distributes control across entities to avoid single points of failure or abuse. These principles apply across user classes, such as individual owners and groups, to balance with robust protection.

Principal Entities and Access Rights

In file-system permissions, principal entities refer to the subjects that interact with files and directories, primarily consisting of users and groups. Users are individual accounts identified by unique user IDs (UIDs), representing human operators or processes acting on their behalf. Groups are collections of users sharing a group ID (GID), enabling collective access management for collaborative environments. In systems, every file or directory is associated with an owner—typically the user who created it—and a primary group. Permissions are then categorized into three classes: owner (applying solely to the file's owner), group (applying to members of the file's group), and others (encompassing all remaining users not covered by the prior classes). Other operating systems use different models, such as access control lists in Windows, as described in later sections. This structure allows fine-grained control by assigning distinct rights to each class, balancing security and usability. The core access rights granted to these entities are read, write, and execute. Read permission allows viewing the contents of a file or listing the names of files and subdirectories within a directory. Write permission enables modifying, renaming, or deleting the file's contents, or adding/removing entries in a directory. Execute permission permits running a file as a program or script; for directories, it specifically allows traversal—entering the directory to access its contents—though listing requires read permission in addition. These differ in behavior between files and directories to support hierarchical without unintended disclosure. In systems, to enforce permissions, the operating system follows a sequential evaluation using the requesting process's effective user ID and group IDs. First, if the 's effective UID matches the file's owner UID, the owner-class permissions are applied. If not, the system checks whether the 's effective GID or any supplementary GIDs match the file's group GID; if a match occurs, group-class permissions are used. Otherwise, others-class permissions apply, ensuring access is denied if the relevant class lacks the required right (e.g., read for viewing). This priority order—owner, then group, then others—prevents broader access when stricter controls are intended. For instance, in a system, consider a file owned by user Alice with read permission granted only to the owner class and no permissions for group or others. If user Bob, who is neither Alice nor in the file's group, attempts to read the file, the system evaluates Bob under the others class, resulting in access denial to protect the file's confidentiality.

Unix-like Permission Systems

POSIX Classes and Operations

In POSIX-compliant systems, file-system permissions are organized into three distinct user classes to determine access rights: the owner class, which applies to the user who owns the file; the group class, which applies to users belonging to the file's assigned group; and the other class, which applies to all remaining users not covered by the owner or group classes. These classes ensure a hierarchical and portable model, allowing fine-grained control over who can perform specific operations on files and directories. The core operations defined in are read (r), write (w), and execute (x), with meanings that vary slightly between regular files and directories. For regular files, the read permission allows a user to view the file's contents; the write permission enables modification of the contents; and the execute permission permits the file to be run as a program or script, provided the process has the necessary privileges. Note that deleting a file requires write permission on its parent directory, regardless of the file's own permissions. For directories, the read permission allows listing the directory's contents (e.g., via ls); the write permission enables creating, renaming, or deleting files and subdirectories within it; and the execute permission (also called search) allows traversing the directory to access its contents or subdirectories, which is essential for path resolution in operations like opening a file. Access is determined by mapping these operations to the relevant user class in a permission matrix, where each class independently grants or denies the three operations via 9 bits (3 per class) in the file's mode. By default, the owner class often receives full permissions (read, write, execute), enabling the owner to modify the file and its permissions, while group and other classes start with more restricted defaults like read-only, adjustable via tools such as chmod. This matrix provides a straightforward, bitmask-based structure for checking access during system calls like open() or stat(). These classes and operations were first standardized in POSIX.1 (IEEE Std 1003.1-1988), published in 1988 to promote portability across systems. Subsequent revisions, such as IEEE Std 1003.1-1990 and later editions up to IEEE Std 1003.1-2024, have refined the model for enhanced compatibility and integration with extended access controls, while preserving the core semantics.
User ClassRead (r)Write (w)Execute (x)
OwnerView contents (files); list contents (dirs)Modify contents (files); create/rename/delete entries (dirs)Run as program (files); traverse/access subdirs (dirs)
GroupView contents (files); list contents (dirs)Modify contents (files); create/rename/delete entries (dirs)Run as program (files); traverse/access subdirs (dirs)
OtherView contents (files); list contents (dirs)Modify contents (files); create/rename/delete entries (dirs)Run as program (files); traverse/access subdirs (dirs)
Note: Permissions are independently set for each class and operation; access is granted if the effective user matches a class with the required bit set.

Special Permission Bits

In operating systems, special permission bits extend the standard read, write, and execute permissions by providing mechanisms for elevated or restricted access during execution or file operations. These bits—, setgid, and sticky—modify the behavior of files and directories in ways that can facilitate secure privilege delegation or protect shared resources, but they also introduce potential vulnerabilities if misconfigured. The (set user ID) bit, when set on an file, causes the program to run with the effective user ID of the file's owner rather than the invoking user. This allows non-privileged users to perform tasks requiring elevated permissions without granting full administrative access. For instance, the /usr/bin/[passwd](/page/Passwd) utility, owned by , uses the setuid bit to enable ordinary users to update their password entries in system files like /etc/shadow, which are otherwise protected. However, this bit poses significant risks, such as if the contains vulnerabilities or is replaced by a malicious version, potentially allowing attackers to gain -level access. Administrators are advised to audit and minimize setuid binaries to mitigate these threats. The setgid (set group ID) bit functions similarly but applies to the group ID. On executable files, it causes the program to run with the effective group ID of the file's group, enabling group-specific access to resources. For directories, the setgid bit ensures that newly created files and subdirectories inherit the directory's group ownership, which is useful for collaborative environments where members of a shared group need consistent access. For example, in a project directory owned by a development group, setting the setgid bit prevents new files from defaulting to the creator's personal group, maintaining group cohesion. Like , setgid can lead to unintended privilege exposure if applied to insecure executables. The , also known as the restricted deletion flag, applies primarily to directories and prevents users from deleting or renaming files within them unless they are the file owner, the directory owner, or . This protects shared directories from unauthorized removal of others' files while allowing writing. A common example is the /tmp directory, where the sticky bit ensures temporary files created by different users coexist without interference. Historically, the sticky bit on executable files indicated that the program's image should remain in after execution to improve , but this usage has been deprecated in modern systems in favor of its directory protection role. These special bits are stored as part of the file's mode bits in the filesystem inode and can be set or unset using the chmod command in either or notation. For example, chmod u+s file sets the bit on a file, while chmod +t directory applies the to a directory; modes like 4755 (setuid with read/write/execute for owner, read/execute for group and others) provide precise control. Security best practices include avoiding or setgid on world-writable files to prevent tampering and regularly scanning for unnecessary special permissions.

Notation and Representation

In Unix-like systems, file permissions are commonly represented and manipulated using two primary notations: symbolic and octal. Symbolic notation employs letters to specify classes (user/owner u, group g, others o, or all a) combined with operators (+ to add, - to remove, or = to set exactly) and permission types (read r, write w, execute/search x). For instance, the command chmod u+rwx,g+rw,o-r file grants read, write, and execute permissions to the owner, adds read and write to the group, and removes read from others. This notation allows precise modifications without altering unspecified permissions. The ls -l command displays permissions in a compact symbolic format, prefixed by a file type indicator (e.g., d for directory, - for regular file) followed by nine characters representing the three classes, each with read (r), write (w), execute (x), or absent (-). An example output might show drwxr-xr-x for a directory where the owner has full access (rwx), the group has read and execute (r-x), and others have the same (r-x). Special permission bits, such as or setgid, replace the execute x with s or S in the owner or group execute position, with their effects detailed in the section on special permission bits. The stat command provides similar output, often in a more verbose or structured format for scripting purposes. Octal notation uses three base-8 digits to represent permissions for owner, group, and others, where each digit is the sum of values for read (4), write (2), and execute (1); for example, 7 equals rwx (4+2+1), 6 equals rw- (4+2), 5 equals r-x (4+1), 4 equals r-- (4), and 0 equals --- (0). A mode like 755 corresponds to rwxr-xr-x, granting full access to the owner and read/execute to group and others. Special permissions prepend a fourth digit: 4 for , 2 for setgid, and 1 for , so 4755 sets on an with 755 permissions. The [chmod](/page/Chmod) command applies modes absolutely, replacing all existing permissions. To parse an mode like 644, break it into owner (6 = rw-), group (4 = r--), and others (4 = r--), resulting in rw-r--r-- for a regular file. The chmod utility supports both notations, with octal preferred for absolute settings and symbolic for incremental changes; for example, chmod 644 file or chmod u=rw,go=r file. Default permissions for newly created files and directories are determined by the process's , which masks out bits from the system's base modes (0666 for files, 0777 for directories) using bitwise AND with the complement of the umask value. A common umask of 022 subtracts write permissions for group and others, yielding 644 for files (0666 & ~022) and 755 for directories (0777 & ~022). The [umask](/page/Umask) command sets or displays this value, typically configured in shell profiles for consistent defaults across sessions.

Permissions in Other Operating Systems

Windows NTFS Permissions

The Windows file system employs a discretionary access control model, where permissions are managed through (DACLs) associated with files and directories. A DACL consists of ordered access control entries (ACEs) that specify allow or deny permissions for security principals, such as users or groups, identified by unique Security Identifiers (SIDs). SIDs are binary values assigned to accounts and groups, enabling precise identification across domains and local systems. If a file or directory lacks a DACL, the system grants full access to all users by default. This model was introduced with in 1993, providing robust security for enterprise environments. NTFS supports a of standard permissions that can be assigned to trustees—users, groups, or computer accounts—via the DACL. The six primary standard permissions are Full Control (encompassing all actions, including changing permissions and ownership), Modify (allowing read, write, execute, delete, and attribute changes but not permission modifications), Read & Execute (permitting reading files, executing programs, and traversing directories), List Folder Contents (enabling viewing file names and subfolders without opening files), Read (allowing viewing file contents and attributes), and Write (supporting creation, modification, and deletion of files). These can be further refined through granular special permissions, such as Traverse Folder (to navigate directories without read access), Delete Subfolders and Files (to remove contents within a folder), and Read Permissions (to view the settings without altering them). Permissions are typically assigned to built-in groups like Administrators (with broad control) or Users (with limited access) to simplify management. File ownership in designates a responsible for the object, granting the owner the ability to view and modify the DACL, as well as take ownership if necessary. Owners can delegate permission changes to other trustees, but only administrators or those with explicit Take Ownership privileges can override ownership. Built-in groups such as Administrators and often hold default ownership for system files, while user-created files inherit the creator's ownership. Permission evaluation in is handled by the AccessCheck function within the Windows security subsystem, which examines the DACL from most specific to least specific entries to determine effective access for a requesting principal. The process resolves the user's SID against the DACL, applying the first matching and stopping at explicit denies. Permissions inherit from parent directories unless explicitly blocked or disabled, allowing efficient propagation of access rules across folder hierarchies while supporting overrides for subobjects. This mechanism, combined with deny precedence, ensures granular and secure access resolution.

macOS and APFS Permissions

macOS utilizes a hybrid permission model that integrates the standard with proprietary extensions, providing both traditional and advanced access controls. At its core, the system adheres to permissions, featuring read (r), write (w), and execute (x) bits assigned to the file owner (u), group (g), and others (o), managed through user ID (UID) and group ID (GID) attributes. This foundation allows basic , where owners can modify permissions for their files. Complementing these are Access Control Lists (ACLs), introduced in macOS 10.4 (), which enable finer-grained permissions via access control entries (ACEs) that specify allow or deny rules for individual users, groups, or everyone, beyond the standard u/g/o categories. The (APFS), adopted as the default file system starting with (10.13) in 2017, fully supports this hybrid model while enhancing metadata handling. APFS maintains and ACL compatibility but introduces nanosecond-precision timestamps for creation, modification, access, and change times, represented as nanoseconds since January 1, 1970 UTC, which aids in precise auditing and for permissions. Additionally, APFS snapshots create read-only, point-in-time copies of volumes or directories, preserving the exact permissions and ACLs active at the snapshot's creation, thereby supporting without altering ongoing access controls. These features ensure that permission evaluations remain consistent across versions, even as files evolve. Apple extends this model with security mechanisms like System Integrity Protection (SIP), implemented since macOS 10.11 (El Capitan) in 2015, which enforces read-only restrictions on critical system directories such as /System, /usr, /bin, and /sbin, even for the root user, to prevent unauthorized modifications by malware or misconfigured software. App sandboxing further bolsters this by confining applications to predefined resources via entitlements, restricting file read/write/execute operations outside approved paths regardless of POSIX or ACL allowances. Permissions are inspected using the ls -le command to reveal ACL details alongside standard modes (indicated by a '+' suffix), while chmod and chown handle modifications—chmod +a adds ACL entries, and flags like com.apple.rootless denote SIP protections on system files. Inheritance in macOS permissions combines defaults—where new files inherit the parent's group and mode—with ACL propagation flags, such as File Inherit and Directory Inherit, allowing ACEs to automatically apply to child objects upon creation. Administrators can propagate existing ACLs to enclosed items using tools like Server.app or command-line options in chmod, ensuring consistent access across directory trees. complements these by mandating for executables; it verifies signatures and notarization before permitting execution, blocking unsigned or altered binaries to enforce secure run permissions at the system level.

Advanced Access Control Mechanisms

Access Control Lists (ACLs)

Access Control Lists (ACLs) provide a mechanism for fine-grained in file systems, extending beyond basic owner-group-others permissions by associating specific rules with individual users, groups, or entities on files and directories. ACLs support only allow rules, while Windows, NFSv4, and macOS ACLs also permit deny rules. An ACL consists of an ordered list of access control entries (ACEs), where each ACE defines a (user or group), a set of access rights, and flags controlling application or inheritance. ACLs, derived from the draft .1e standard, support this through minimum ACLs that map to traditional permissions and extended ACLs that add named entries with a mask for effective rights calculation. NFSv4 ACLs, specified in RFC 8881, further refine this model with detailed rights such as read_data, write_data, execute, and delete_child, enabling compatibility across networked environments. In Windows , ACLs are categorized into discretionary ACLs (DACLs), which owners or administrators set to control access, and system ACLs (SACLs), used for auditing access attempts without affecting permissions. In DACLs, ACEs explicitly allow or deny to trustees, with evaluation proceeding sequentially until a match is found—denies overriding allows. in ACEs vary by system but commonly include read, write, execute, and delete operations; for instance, ACLs use read, write, and execute bits, while NFSv4 ACLs specify atomic actions like append_data or list_directory. In ACLs, effective are the union of all applicable allow entries, intersected by the ACL mask, without explicit denies or short-circuiting. Inheritance flags in ACEs, such as file_inherit or directory_inherit, propagate permissions to child objects, with options to limit scope to containers or non-containers. Implementations of ACLs appear across major operating systems and file systems, requiring explicit enablement in some cases. In , ACLs are supported on (via the acl mount option), , and other kernels since version 2.5.46, with tools like getfacl for viewing and setfacl for modifying entries. Windows uses ACLs as the default mechanism, storing DACLs and SACLs in file metadata for granular trustee-based control. macOS, on APFS and HFS+, implements ACLs with extensions for inheritance and compatibility with SMB shares, managed via with +a or -a flags. These systems ensure ACL evaluation integrates with base permissions, applying the most restrictive effective rights. Compared to traditional permissions, ACLs offer superior flexibility by permitting per-user or per-group access without relying solely on group memberships, reducing administrative overhead in diverse environments. For example, in a shared directory with restrictive "others" permissions, an ACL can grant read access to a single additional user via a named , avoiding broad group changes. This supports scenarios like collaborative projects or cross-platform interoperability, such as integrating with Windows ACLs, while maintaining compatibility with base classes.

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is a security model in which access to resources, such as files, is regulated by a central authority through predefined policies rather than by the resource owners or users themselves. These policies typically assign security labels to subjects (e.g., processes) and objects (e.g., files), enforcing rules based on attributes like sensitivity levels or categories to prevent unauthorized information flow. A foundational example is the Bell-LaPadula model, which prioritizes confidentiality with principles such as "no read up" (subjects cannot access data at higher sensitivity levels) and "no write down" (subjects cannot transfer data to lower levels). Prominent implementations of MAC in file systems include SELinux, which has been integrated into the since 2003 and employs Type Enforcement to restrict access based on types assigned to processes and files. , another Linux Security Module, uses path-based profiles to confine applications since its maintenance by began in 2009, allowing administrators to define granular access rules tied to executable paths. Smack (Simplified Mandatory Access Control Kernel), also in the , applies labels to subjects and objects for straightforward enforcement of access decisions. In macOS, the Framework, derived from TrustedBSD and included since macOS 10.5, enables kernel-level policy modules to control file operations beyond discretionary permissions. Enforcement in MAC systems occurs at the kernel level, where modules intercept operations like open, read, and write to verify compliance with label-based rules before granting access. Many implementations, such as SELinux, support modes like "enforcing" (where violations are blocked and logged) and "permissive" (where violations are logged but allowed for testing). Unlike (DAC), where resource owners can grant or revoke permissions at their discretion, MAC prohibits such overrides to ensure system-wide policy adherence, making it suitable for high-security environments like government and military systems. This centralized approach complements mechanisms like Lists by adding non-discretionary layers for stricter protection.

Practical Implementation

User Private Groups

In Unix-like operating systems, User Private Groups (UPGs) implement a scheme where each user account is automatically assigned a unique primary group bearing the same name as the username, with the user as its sole member. This design simplifies permission management by isolating individual user files while facilitating controlled collaboration through secondary group memberships. The concept originated in Solaris 2, released in 1992, where it became a common practice for enhancing security in multi-user environments. The primary benefit of UPGs lies in enabling safer default permissions for user home directories without risking exposure to other system users. By setting the default to 002, new directories created by the user receive 775 permissions (read/write/execute for owner and group, read/execute for others), and files get 664 (read/write for owner and group, read for others). Since the group contains only the user, these permissions remain private to the owner, avoiding the insecurities of world-writable homes (777 or 666 equivalents). This contrasts with traditional shared primary groups, where multiple users might inadvertently access each other's files; instead, UPGs reserve shared groups for explicit collaboration, such as project teams, where users are added as secondary members to enable group-write access on specific directories. Implementation occurs during user creation, typically via commands like useradd in Linux, which by default (or with the -g option) generates the private group. In the /etc/group file, this appears as an entry such as username:x:1001:username, where the GID is unique and the member list includes only the user. This setup integrates with POSIX group classes, allowing the primary group to govern default file ownership while secondary groups handle shared resources. UPGs have been widely adopted as a standard in major Linux distributions, including since early versions and (inheriting from Debian's implementation), where they are enabled by default to mitigate permission-related risks in shared systems. This practice avoids the vulnerabilities of broader group assignments, promoting a more secure baseline for file-system .

Permission Management Tools and Best Practices

In Unix-like systems, core permission management tools include chmod, which modifies file mode bits to set read, write, and execute permissions for owners, groups, and others using symbolic or notation. The chown command changes file ownership to a specified user and optionally group, while chgrp specifically alters the group ownership. These tools support recursive operations to apply changes across directories and files, essential for maintaining consistent access controls. In Windows, the icacls command displays or modifies discretionary access control lists (DACLs) on files and folders, supporting inheritance, denial, and propagation options for granular control. The older cacls tool performs similar functions but is deprecated in favor of icacls for enhanced features like backup and restore semantics. For macOS, the ditto utility copies files and directories while preserving ownership, permissions, resource forks, and metadata, making it suitable for backups or migrations without altering access rights. Auditing tools aid in monitoring permission changes. In Unix-like systems, getfacl retrieves and displays ACL entries for files, revealing effective rights and masks beyond basic permissions. The auditd daemon, part of the Linux Audit System, logs permission modifications, ownership changes, and access attempts via configurable rules, enabling forensic analysis of events. In Windows, records file system access audits through event logs, capturing events like permission changes (e.g., Event ID 4670) when auditing is enabled on objects. Best practices emphasize secure defaults and maintenance. Setting the umask to 022 ensures new files default to 644 (rw-r--r--) and directories to 755 (rwxr-xr-x), preventing overly permissive creation by subtracting from base modes of 666 and 777, respectively. Avoid assigning 777 or 666 permissions, as they grant universal read/write/execute access, exposing systems to unauthorized modifications; instead, use targeted grants like 755 for executables. Conduct regular audits using tools like auditd or to detect drifts, ensuring compliance and identifying misconfigurations. Be cautious with permission inheritance in directories: in Unix, altering a parent's or modes does not retroactively apply to existing children, potentially leaving inconsistent access; in Windows , disabling inheritance converts rules to explicit ones, which may inadvertently grant or deny access if not propagated correctly. Security tips center on minimizing exposure. Adhere to the principle of least privilege by granting only necessary read/write/execute , reducing attack surfaces as recommended in federal standards. Upon user departure, promptly revoke accounts, credentials, and privileges through coordinated termination processes to prevent lingering access. For cross-system environments, use to bridge Unix and Windows sharing, mapping permissions to ACLs while enforcing consistent controls during migrations. Common errors include misusing setuid bits, which elevate privileges and invite exploits; the 1988 Morris Worm, for instance, overflowed a buffer in the root-running fingerd daemon to spawn a root shell, infecting thousands of systems due to unchecked input in privileged code. To debug such issues, trace system calls with strace in Linux to inspect permission denials during file operations. In Windows, review Event Viewer logs for access failures to pinpoint inheritance or ACL mismatches.

References

  1. https://dl.acm.org/doi/fullHtml/10.5555/1017973.1017984
  2. https://www.redhat.com/en/blog/linux-file-permissions-explained
  3. https://docs.oracle.com/javase/8/docs/api/java/nio/file/attribute/PosixFilePermissions.html
  4. https://learn.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights
  5. https://dl.acm.org/doi/10.1145/3606020
  6. https://matrix.senecapolytechnic.ca/~john.sellens/ops102/pdfs/ops102_4_1.pdf
  7. https://people.cs.rutgers.edu/~pxk/articles/big-ideas-fs.html
  8. https://mirror.math.princeton.edu/pub/unixarchive/Documentation/OralHistory/finalhis.htm
  9. https://www.itprotoday.com/linux-os/mastering-file-permissions-in-linux
  10. https://wiki.sei.cmu.edu/confluence/display/c/POS02-C.%2BFollow%2Bthe%2Bprinciple%2Bof%2Bleast%2Bprivilege
  11. https://cseweb.ucsd.edu/~dstefan/cse127-winter19/slides/lecture9.pdf
  12. https://csf.tools/reference/nist-cybersecurity-framework/v1-1/pr/pr-ac/pr-ac-4/
  13. https://docs.nersc.gov/filesystems/unix-file-permissions/
  14. https://www.cs.purdue.edu/homes/ninghui/courses/Spring18/handouts/02_unixdac.pdf
  15. https://unix.stackexchange.com/questions/134332/precedence-of-user-and-group-owner-in-file-permissions
  16. https://pubs.opengroup.org/onlinepubs/9699919799.2013edition/basedefs/V1_chap04.html
  17. https://nvlpubs.nist.gov/nistpubs/Legacy/FIPS/fipspub151-1.pdf
  18. https://pubs.opengroup.org/onlinepubs/9699919799/utilities/unlink.html
  19. https://standards.ieee.org/ieee/1003.1/1388/
  20. http://www.opengroup.org/austin/papers/posix_faq.html
  21. https://pubs.opengroup.org/onlinepubs/9799919799/
  22. https://pubs.opengroup.org/onlinepubs/9699919799/utilities/chmod.html
  23. https://www.redhat.com/en/blog/suid-sgid-sticky-bit
  24. https://docs.oracle.com/cd/E19253-01/816-4557/secfile-64/index.html
  25. https://docs.oracle.com/cd/E19120-01/open.solaris/819-3321/secfile-69/index.html
  26. https://www.linuxfoundation.org/blog/blog/classic-sysadmin-understanding-linux-file-permissions
  27. https://www.thegeekstuff.com/2013/02/sticky-bit/
  28. https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/utilities/chmod.html
  29. https://pubs.opengroup.org/onlinepubs/9699919799/utilities/ls.html
  30. https://man7.org/linux/man-pages/man2/umask.2.html
  31. https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemDetails/FileSystemDetails.html
  32. https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html
  33. https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf
  34. https://support.apple.com/en-us/102149
  35. https://developer.apple.com/documentation/security/app_sandbox
  36. https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web
  37. https://simson.net/ref/1997/posix_1003.1e-990310.pdf
  38. https://man7.org/linux/man-pages/man5/acl.5.html
  39. https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
  40. https://www.kernel.org/doc/man-pages/online/pages/man5/acl.5.html
  41. https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-security-acls.html
  42. https://csf.tools/reference/nist-sp-800-53/r5/ac/ac-3/ac-3-3/
  43. https://www.cs.purdue.edu/homes/ninghui/courses/Spring18/handouts/05_blp.pdf
  44. https://www.nsa.gov/portals/75/documents/what-we-do/research/selinux/documentation/presentations/2005-flexible-support-for-security-policies-into-linux-os-presentation.pdf
  45. https://apparmor.net/
  46. https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Smack.html
  47. https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Permissions/Permissions.html
  48. https://www.cs.utexas.edu/~byoung/cs361/lecture11.pdf
  49. https://www.redhat.com/en/blog/selinux-and-rhel-technical-exploration-security-hardening
  50. https://delinea.com/blog/access-control-models-methods
  51. https://lists.debian.org/debian-user/1994/03/msg00111.html
  52. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s1-users-groups-private-groups
  53. https://unix.stackexchange.com/questions/153390/why-does-every-user-have-their-own-group
  54. https://wiki.debian.org/UserPrivateGroups
  55. https://man7.org/linux/man-pages/man1/chmod.1.html
  56. https://man7.org/linux/man-pages/man1/chown.1.html
  57. https://man7.org/linux/man-pages/man1/chgrp.1.html
  58. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
  59. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cacls
  60. https://ss64.com/mac/ditto.html
  61. https://man7.org/linux/man-pages/man1/getfacl.1.html
  62. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-red_hat_enterprise_linux-security_guide-using_the_audit_system
  63. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4670
  64. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/managing-file-system-permissions_configuring-basic-system-settings
  65. https://www.redhat.com/en/blog/introduction-chmod
  66. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf
  67. https://learn.microsoft.com/en-us/archive/msdn-magazine/2004/november/manage-access-to-windows-objects-with-acls-and-the-net-framework
  68. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/800-171r3/NIST.SP.800-171r3.html
  69. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
  70. https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
  71. https://spaf.cerias.purdue.edu/tech-reps/823.pdf
  72. https://www.redhat.com/en/blog/container-permission-denied-errors
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.