File system permissions

Most modern file systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the users affected to view or make changes to the contents of the file system.

Differences between operating systems

Unix-like and otherwise POSIX-compliant systems, including Linux-based systems and all Mac OS X versions, have a simple system for managing individual file permissions, which in this article are called "traditional Unix permissions". Most of these systems also support some kind of access control lists, either proprietary (old HP-UX ACLs, for example), or POSIX.1e ACLs, based on early POSIX draft that was abandoned, or NFSv4 ACLs, which are the part of NFSv4 standard.

DOS variants (including the Microsoft products MS-DOS, Windows 95, Windows 98, and Windows Me) do not have permissions. There is a "read-only" attribute that can be set or unset on a file by any user or program.

Windows 2000 and Windows XP have better access control list [] .

VMS and OpenVMS as well as Microsoft Windows NT and its derivatives (including Windows 2000 and Windows XP), use access control lists (ACLs) to administer a more complex and varied set of permissions.

Classic Mac OSes are similar to DOS variants and DOS based Windows: they do not support permissions, but only a "Protected" file attribute.

Mac OS X, beginning with version 10.4 ("Tiger"), supports the use of NFSv4 ACLs. It also supports "traditional Unix permissions" as used in previous versions of Mac OS X, and the "Apple Mac OS X Server version 10.4+ File Services Administration Manual" recommends using only traditional Unix permissions if possible. It also still supports the Mac OS Classic's "Protected" attribute.

Traditional Unix permissions

Permissions on Unix-like systems are managed in three distinct "classes". These classes are known as "user", "group", and "others". In effect, Unix permissions are a simplified form of access control lists (ACLs).

When a new file is created on a Unix-like system, its permissions are determined from the umask of the process that created it.


On Unix file systems, every file and directory is "owned" by a specific user. The owner of an object comprises its "user class". Permissions assigned to the user class only apply to that specific user.

A file or directory is also assigned a group, which comprises its "group class." Permissions assigned to the group class only apply to members of that group (other than the owner). It is not necessary that the owner be a member of the file's group.While a particular file can be assigned to only one group, a particular user can be a member of any number of groups, and a group can include any number of users. The "groups" command lists all the groups that include a user; the "members" command lists all the users that are the member of a particular group (Stutz 2004).The system administrator uses "addgroup" to add a user to a group.

Users who are not otherwise represented by the other two classes comprise a file's "others class".

The "effective permissions" that have applied to a specific user in relation to a file are determined in logical precedence. For example, the user who owns the file will have the effective permissions given to the user class regardless of those assigned to the group or others class.

Basic Permissions

There are three specific permissions on Unix-like systems that apply to each class:
*The "read" permission, which grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory (but not to find out any further information about them, including file type, size, ownership, permissions, etc.)
*The "write" permission, which grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.
*The "execute" permission, which grants the ability to execute a file. This permission must be set for executable binaries in order to allow the operating system to run them. When set for a directory, this permission grants the ability to traverse its tree in order to access files or subdirectories, but not see files inside the directory (unless "read" is set).

The effect of setting the permissions on a directory (rather than a file) is "one of the most frequently misunderstood file permission issues" (Hatch 2003).

When a permission is not set, the rights it would grant are denied. Unlike ACL-based systems, permissions on a Unix-like system are not "inherited". Files created within a directory will not necessarily have the same permissions as that directory. The permissions to be assigned are determined using umasks.

Additional Permissions

Unix-like systems typically employ three additional permissions or modes. These special permissions are set for a file or directory overall, not by a class.
*The "set user ID", "setuid", or SUID permission. When a file for which this permission has been set is executed, the resulting process will assume the effective user ID given to the user class.
*The "set group ID", "setgid", or SGID permission. When a file for which this permission has been set is executed, the resulting process will assume the group ID given to the group class. When setgid is applied to a directory, new files and directories created under that directory will inherit the group from that directory. (Default behaviour is to use the primary group of the effective user when setting the group of new files and directories.)
*The "sticky" permission. The typical behaviour of the sticky bit on executable files encourages the kernel to retain the resulting process image beyond termination. On a directory, the sticky permission prevents users from renaming, moving or deleting contained files owned by users other than themselves, even if they have write permission to the directory. Only the directory owner and superuser are exempt from this.

These additional permissions are also referred to as "setuid bit", "setgid bit", and "sticky bit" respectively, due to the fact that they each occupy only one bit.

Notation of traditional Unix permissions

ymbolic notation

There are many ways by which Unix permission schemes are represented. The most common form is symbolic notation. This scheme represents permissions as a series of 10 characters.

The first character indicates the file type:
*- denotes a regular file
*d denotes a directory
*b denotes a block special file
*c denotes a character special file
*l denotes a symbolic link
*p denotes a named pipe
*s denotes a domain socket

Each class of permissions is represented by three characters. The first set of characters represents the user class. The second set represents the group class. The third and final set of three characters represents the others class.

Each of the three characters represent the read, write, and execute permissions respectively:

*r if the read bit is set, - if it is not.
*w if the write bit is set, - if it is not.
*x if the execute bit is set, - if it is not.
* The x will be an s if the setuid or setgid bit is also set, and in the third, it will be a t if the sticky bit is set. If these are set but the execute bit is not, the letter will be in uppercase.

The following are some examples of symbolic notation:
*-rwxr-xr-x for a regular file whose user class has full permissions and whose group and others classes have only the read and execute permissions.
*crw-rw-r-- for a character special file whose user and group classes have the read and write permissions and whose others class has only the read permission.
*dr-x------ for a directory whose user class has read and execute permissions and whose group and others classes have no permissions.

ymbolic notation and additional permission

The three additional permissions are indicated by changing one of the three "execute" characters as shown in the following table:

  1. The character that will be used to indicate that the execute bit is also set.
  2. The character that will be used when the execute bit is not set.

Here is an example:
*"-rwsr-Sr-x" for a file whose user class has read, write and execute permissions; whose group class has read permission; whose others class has read and execute permissions; and which has "setuid" and "setgid" permissions set.

Octal notation

Another common method for representing Unix permissions is "octal notation". Octal notation consists of a three- or four-digit base-8 value.

With three-digit octal notation, each numeral represents a different component of the permission set: user class, group class, and "others" class respectively.

Each of these digits is the sum of its component bits (see also Binary numeral system). As a result, specific bits add to the sum as it is represented by a numeral:
*The read bit adds 4 to its total (in binary 100),
*The write bit adds 2 to its total (in binary 010), and
*The execute bit adds 1 to its total (in binary 001).These values never produce ambiguous combinations; each sum represents a specific set of permissions.

These are the examples from the Symbolic notation section given in octal notation:
*"-rwxr-xr-x" would be represented as 755 in three-digit octal.
*"-rw-rw-r--" would be represented as 664 in three-digit octal.
*"-r-x------" would be represented as 500 in three-digit octal.

Here is a summary of the meanings for individual octal digit values:

1 --x execute 2 -w- write 3 -wx write and execute 4 r-- read 5 r-x read and execute 6 rw- read and write 7 rwx read, write and execute

Octal digit values can be added together to make Symbolic Notations:
(4=r)+(1=x) = (5=r-x)
(4=r)+(2=w) = (6=rw-)
(4=r)+(2=w)+(1=x) = (7=rwx)

Here is a summary showing which octal digits affect permissions for user, group, and other:
*UGO = User, Group, Other
*777 = "-rwxrwxrwx" = rwx for all
*754 = "-rwxr-xr--" = rwx for owner, r-x for group, r-- for other
*124 = "---x-w-r--" = x for owner, w for group, r for other

Octal notation and additional permissions

There is also a "four-digit" form of octal notation. In this scheme, the standard three digits described above become the last three digits. The first digit represents the additional permissions. On some systems, this first digit cannot be omitted; it is therefore common to use all four digits (where the first digit is zero).

This first digit is also the sum of component bits:
*The setuid bit adds 4 to the total,
*The setgid bit adds 2 to the total, and
*The sticky bit adds 1 to the total.

The example from the "Symbolic notation and additional permissions" section, "-rwsr-Sr-x" would be represented as 6745 in four-digit octal. In addition, the examples in the previous section (755, 664, and 500) would be represented as 0755, 0664, and 0500 respectively in four-digit octal notation.

User private group

Some system administrators create a new group -- a "user private group" -- for each new user.The "user private group" scheme makes it easier [ [ Using User Private Groups - O'Reilly ONLamp Blog ] ] [ [ User Private Groups ] ] [ [ 32.5. User Private Groups ] ] to set up a directory dedicated to each project of that group.Only members of that group can create new files in that directory, and everyone in a group (and only the people in that group) can edit files in that directory.

ee also

*chmod, the command used to set permissions on Unix-like systems
*Access control list
*File system
*User identifier (Unix)
*Group identifier (Unix)


External links

* [ Apple Mac OS X Server version 10.4+ "File Services Administration" Manual (see pages 16-26)]
* [ "Linux File Permission Confusion"] by Brian Hatch 2003.
* [ "Linux File Permission Confusion pt 2"] by Brian Hatch 2003.
* [ The Linux Cookbook: Groups and How to Work in Them] by Michael Stutz 2004

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • File system — For library and office filing systems, see Library classification. Further information: Filing cabinet A file system (or filesystem) is a means to organize data expected to be retained after a program terminates by providing procedures to store,… …   Wikipedia

  • OneFS distributed file system — OneFS Developer Isilon Systems Full name OneFS Introduced 2003 (OneFS 1.0 based on FreeBSD) Structures Directory contents B+ trees File allocation …   Wikipedia

  • Veritas File System — For other uses, see Veritas (disambiguation). VERITAS File System Full name VERITAS File System Introduced 1991 Structures Directory contents extensible hash Limits Max file size 8 EB ( …   Wikipedia

  • Be File System — BFS Developer Be Inc. Full name Be File System Introduced May 10, 1997 (BeOS Advanced Access Preview Release[1]) Partition identifier Be BFS (Apple Partition Map) 0xEB (MBR) …   Wikipedia

  • MINIX file system — Developer Open Source Community Full name MINIX file system version 3 Introduced 1987 (MINIX 1.0) Partition identifier 0x81 (MBR) Features Dates recorded …   Wikipedia

  • Global File System — Traduction à relire Global File System → …   Wikipédia en Français

  • Andrew File System — The Andrew File System (AFS) is a distributed networked file system which uses a set of trusted servers to present a homogeneous, location transparent file name space to all the client workstations. It was developed by Carnegie Mellon University… …   Wikipedia

  • Lustre (file system) — Infobox software name = Lustre developer = Sun Microsystems latest release version = latest release date = release date|2008|07|10 operating system = Linux genre = Shared disk file system license = GPL website =,… …   Wikipedia

  • Encrypting File System — The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS[1] that provides filesystem level encryption. The technology enables files to be transparently encrypted to protect confidential data from… …   Wikipedia

  • Moose File System — Developer(s) Gemius SA Stable release 1.6.20 / January 17, 2011; 9 months ago (2011 01 17) …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”