Linux File and Directory Permissions

From KHicks

Linux-based file systems assign a 12-bit permission set to files and directories. These permissions determine what subjects (i.e., users) are allowed to do on and within files and directories. The most commonly seen permission sets consist of three triads of three bits each (total of 9 bits), with an additional 3 bits to assign special permissions and behaviors.

This table describes how each bit affects files and directories.

File
  read: The subject may read the contents of the file. The execute bit on the parent directory is required to view meta-information about the file.
  write: The subject may modify the contents of the file. The write bit on the parent directory is required to rename or delete the file.
  execute: The subject may run the file as executable code (e.g., a script or binary). Other programs (such as an interpreter) may still be able to read the file and execute its contents on the subject's behalf.
  setuid: When applied to a binary program (not a script), the program will be run as the user who owns it instead of the user who invoked it.
  setgid: When applied to a binary program (not a script), the program will be run with the same group permissions as its group owner.
  sticky: No effect.

Directory
  read: The subject may list the files within the directory. This is not necessarily needed to traverse the directory or operate on files within it. Without the execute bit, the subject may still list the names of files, but will not be able to see details about the files, read them, or write to them.
  write: The subject may create, rename, and delete files within the directory. Think of this as the subject being able to modify the list of files within the directory, but not necessarily the files' contents. The execute bit is required to use these write privileges.
  execute: The subject may traverse this directory. This permission is required to operate on any files or subdirectories within, with the exception of listing the contents of the directory. The subject may also access meta-information about files if their names are known.
  setuid: No effect.
  setgid: Files created inside the directory will be owned by the group of the directory instead of the primary group of the user that created them.
  sticky: Files within the directory can only be deleted or moved/renamed by their respective owners. The directory owner is exempt from this restriction. Other users may still read or write to files if the other permission bits allow.
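As an added example (not part of the original page), the following Python script decodes the 12 permission bits into the ls -l style string and summarizes the special bits according to the file/directory distinction in the table above. The paths /usr/bin/passwd and /tmp in the demo are assumed to be a typical setuid binary and sticky directory; adjust them for your system.

```python
import os
import stat

# The 12 permission bits described on this page: three rwx triads plus setuid, setgid and sticky.
PERM_MASK = 0o7777

# One (read, write, execute, special, ls letter) tuple per triad: owner, group, others.
_TRIADS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
)

def symbolic(mode: int) -> str:
    """Render the 12 permission bits as ls -l does, e.g. 0o4755 -> 'rwsr-xr-x'."""
    out = []
    for r, w, x, special, letter in _TRIADS:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            # ls prints the special bit in the execute slot: lowercase when execute is
            # also set, uppercase (S/T) when the special bit is set without execute.
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)

def special_bits(mode: int, is_dir: bool) -> list:
    """Explain setuid/setgid/sticky for a file or a directory, following the table above."""
    notes = []
    if mode & stat.S_ISUID:
        notes.append("setuid: no effect on a directory" if is_dir else
                     "setuid: a binary runs as its owner, not the invoking user")
    if mode & stat.S_ISGID:
        notes.append("setgid: new files take the directory's group" if is_dir else
                     "setgid: a binary runs with its group owner's permissions")
    if mode & stat.S_ISVTX:
        notes.append("sticky: only a file's owner (or the directory owner) may delete or rename it"
                     if is_dir else "sticky: no effect on a file")
    return notes

def describe_path(path: str) -> dict:
    """Read the on-disk mode with os.stat and summarize its permission bits."""
    st = os.stat(path)
    mode = st.st_mode & PERM_MASK
    is_dir = stat.S_ISDIR(st.st_mode)
    return {"octal": format(mode, "04o"), "symbolic": symbolic(mode),
            "special": special_bits(mode, is_dir)}

if __name__ == "__main__":
    for p in ("/usr/bin/passwd", "/tmp"):  # assumed example paths: setuid binary, sticky directory
        if os.path.exists(p):
            print(p, describe_path(p))
```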