Linux File Permissions & Access Control Query

2

1

Let's say I am user bob in group users. There's this file:

-rw----r--  1 root users     4 May  8 22:34 testfile

First question:
Why can't bob read the file as it's readable by others? Is it simply that if you are denied by group, then you are auto-blacklisted for others? I always assumed that the final 3 bits took precedence over user/group permission bits, guess I was wrong...

Second question:
How is this implemented? I suppose it's linked to the first query, but how does this work in relation to Access Control, is it related to how ACLs work / are queried? Just trying to understand how these 9 permission bits are actually implemented/used in Linux.

Thanks a lot.

Jason

Posted 2010-05-08T21:53:45.573

Reputation:

If bob is in the users group and the users group has no read permission, then bob has no read permission, even if bob has permission and others have permission; it's a real gotcha! To make bob read it, either remove bob from the group users or chmod g+r the file! – None – 2010-05-08T23:44:30.110

Answers

3

The answer is that the most specific permissions which apply to a user take precedence.

  • User bits govern if they apply to the user requesting access.
  • Group bits apply if the user is not the owner but is in the group.
  • Other bits apply only if the first two sets do not.

So it's not the union of the permissions but rather a precedence from specific to generic.

T.Rob

Posted 2010-05-08T21:53:45.573

Reputation: 176
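To make the precedence rule concrete, here is an added Python model of the classic Unix mode check (my own illustration, not code from the question or this answer). It parses the `ls -l` mode field from the question, picks exactly one of the three triplets the way the kernel's discretionary check does, and then shows both remedies from the comment above (`chmod g+r`, or taking bob out of `users`). The uid/gid numbers are assumptions; only the names `root`, `users` and `bob` appear on the page. Root's override capability and POSIX ACLs are deliberately outside this model.

```python
import os
import stat

# Constructed scenario from the question: "-rw----r--  1 root users ... testfile",
# with bob a member of group users. Numeric ids are assumptions for the demo.
ROOT_UID, USERS_GID, BOB_UID, CAROL_UID = 0, 100, 1000, 1001

PERM_CHARS = "rwxrwxrwx"


def parse_ls_mode(field):
    """Turn an ls -l mode field such as '-rw----r--' into a numeric mode.

    Only the nine permission bits are produced. In an x position, 's'/'t'
    mean the x bit is set and 'S'/'T' mean it is clear; the setuid/setgid/
    sticky bits themselves are not represented in the result.
    """
    perms = field[1:10]          # drop the file-type character
    if len(perms) != 9:
        raise ValueError("need a 10-character ls -l mode field")
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)
        expected = PERM_CHARS[i]
        if ch == expected or (expected == "x" and ch in "st"):
            mode |= bit
        elif ch == "-" or (expected == "x" and ch in "ST"):
            continue
        else:
            raise ValueError(f"unexpected character {ch!r} in {field!r}")
    return mode


def which_class(file_uid, file_gid, uid, gids):
    """Pick the single triplet that applies: owner, then group, then other."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"


def may_access(mode, file_uid, file_gid, uid, gids, want):
    """Return True if a process (uid, gids) gets `want` ('r','w','x' subset).

    Exactly one triplet is consulted, chosen by ownership first, group
    membership second, and 'other' only when neither matched. The three
    triplets are never OR-ed together, which is why a group triplet of ---
    blocks bob even though 'other' has r--.
    """
    cls = which_class(file_uid, file_gid, uid, gids)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    triplet = (mode >> shift) & 0o7
    need = 0
    for c in want:
        need |= {"r": 4, "w": 2, "x": 1}[c]
    return (triplet & need) == need


def may_access_path(path, want):
    """Apply the same rule to a real file, for comparison with os.access()."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    return may_access(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                      os.geteuid(), gids, want)


def demo():
    """Run the question's scenario plus the two fixes from the comment."""
    mode = parse_ls_mode("-rw----r--")                 # 0o604
    bob = (BOB_UID, {USERS_GID})                        # bob is in users
    carol = (CAROL_UID, {CAROL_UID})                    # constructed outsider
    return {
        "bob_reads_original": may_access(mode, ROOT_UID, USERS_GID, *bob, "r"),
        "carol_reads_original": may_access(mode, ROOT_UID, USERS_GID, *carol, "r"),
        # fix 1: chmod g+r testfile
        "bob_reads_after_g+r": may_access(mode | stat.S_IRGRP, ROOT_UID, USERS_GID, *bob, "r"),
        # fix 2: remove bob from group users
        "bob_reads_after_leaving_group": may_access(mode, ROOT_UID, USERS_GID, BOB_UID, set(), "r"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Note that `carol`, who is in neither the owner nor the group class, is the only one of the two who reaches the `other` triplet and can read the file; bob never gets there because the group class already matched him.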

1

Quite simply we have to break up the permissions into 3 chunks.

  1. Owner: rw-

  2. Group (users): ---

  3. Everyone: r--

To the owner we grant read and write access. To the group we explicitly provide no access. To everyone we provide read access.

The problem here is that you have explicitly denied the users of the group the file belongs to (group: users) access in any form to the file. In Linux these permissions aren't part of a hierarchy, it is a flat structure here. You need to change your permissions to rw-r--r-- for everybody including your "users" group to read the file.

Daisetsu

Posted 2010-05-08T21:53:45.573

Reputation: 5 195

1

The third set of permissions does not apply to "everyone". It applies to "everyone else" that is not the owner and not in the group. http://superuser.com/questions/547699/difference-between-chmod-777-and-chmod-007

– sawdust – 2013-02-16T01:30:54.750