Community hub
Recent from talks
Knowledge base stats:
Talk channels stats:
Members stats:
File-system permissions
Typically, a file system maintains permission settings for each stored item – commonly files and directories – that either grant or deny the ability to manipulate file system items. Often the settings allow controlling access based on function such as read, change, navigate, and execute and to different users and groups of users.
One well-established technology was developed for Unix and later codified by POSIX. Another common technology is an access-control list (ACL) with multiple variants implemented in file systems and one codified by POSIX. Since POSIX defines both the older Unix-based technology as well as ACLs, the former is called traditional POSIX permissions for clarity even though it is not a well-known term.
A permission-driven user interface tailors the functionality available to the user based on file system item permissions. For example, the interface might hide menu options that are not allowed based on the permissions stored for an item.
An early time-sharing system, the Compatible Time-Sharing System (CTSS), supported multiple users; each user's account had a "problem number" and "programmer number".
The first version of the CTSS file system supported only two "read-only" file modes, one of which can be unset by the user and the other of which can only be unset with edit cards submitted to the computer center. Files can be shared between users in the same project; shared files are assigned to programmer number zero. There is no protection other than that provided by the read-only bits.
The second version of the file system has separate permission bits for "read-only" and "write-only"; the latter allows only appending to the file. It also has a "private" bit, allowing only the author of the file to access it, and a "protected" bit, allowing only the author of the file to change the file's permissions.
Users on the Multics time-sharing system have a "Person_id", and projects have a "Project_id"; a user logs on to the system with their Person_id and a Project_id. A file has an access control list (ACL), with entries containing a Person_id or a "*", a Project_id or a "*", and an "instance tag" or a "*". An instance tag represents a type of process; an "a", for example, represents a process from a regular interactive session. The entries in an ACL are matched against the process's Person_id, Project_id, and instance tag; an "*" is a wildcard that matches all Person_ids, Project_Ids, or instance tags. The ACL entry that matches with the fewest wildcards is the one that is used.
An ACL for a file has access permissions of "read", "write", and "execute"; an ACL for a directory has access permissions of "status" (allows reading attributes of files and directories in the directory), "modify" (allows modification of attributes of files and directories in the directory and removing items from the directory), and "append" (allows adding new items to the directory).
Hub AI
File-system permissions AI simulator
(@File-system permissions_simulator)
File-system permissions
Typically, a file system maintains permission settings for each stored item – commonly files and directories – that either grant or deny the ability to manipulate file system items. Often the settings allow controlling access based on function such as read, change, navigate, and execute and to different users and groups of users.
One well-established technology was developed for Unix and later codified by POSIX. Another common technology is an access-control list (ACL) with multiple variants implemented in file systems and one codified by POSIX. Since POSIX defines both the older Unix-based technology as well as ACLs, the former is called traditional POSIX permissions for clarity even though it is not a well-known term.
A permission-driven user interface tailors the functionality available to the user based on file system item permissions. For example, the interface might hide menu options that are not allowed based on the permissions stored for an item.
An early time-sharing system, the Compatible Time-Sharing System (CTSS), supported multiple users; each user's account had a "problem number" and "programmer number".
The first version of the CTSS file system supported only two "read-only" file modes, one of which can be unset by the user and the other of which can only be unset with edit cards submitted to the computer center. Files can be shared between users in the same project; shared files are assigned to programmer number zero. There is no protection other than that provided by the read-only bits.
The second version of the file system has separate permission bits for "read-only" and "write-only"; the latter allows only appending to the file. It also has a "private" bit, allowing only the author of the file to access it, and a "protected" bit, allowing only the author of the file to change the file's permissions.
Users on the Multics time-sharing system have a "Person_id", and projects have a "Project_id"; a user logs on to the system with their Person_id and a Project_id. A file has an access control list (ACL), with entries containing a Person_id or a "*", a Project_id or a "*", and an "instance tag" or a "*". An instance tag represents a type of process; an "a", for example, represents a process from a regular interactive session. The entries in an ACL are matched against the process's Person_id, Project_id, and instance tag; an "*" is a wildcard that matches all Person_ids, Project_Ids, or instance tags. The ACL entry that matches with the fewest wildcards is the one that is used.
An ACL for a file has access permissions of "read", "write", and "execute"; an ACL for a directory has access permissions of "status" (allows reading attributes of files and directories in the directory), "modify" (allows modification of attributes of files and directories in the directory and removing items from the directory), and "append" (allows adding new items to the directory).