Introduction to Operating System Permission

December 5, 2015 | Article | 3 Comments

UNIX is by default a multiuser and multitasking operating system. Several users can log in at the same time on a single machine. Thus, UNIX has rules to manage users. One of these rules is permission, which constrains what a user can do. A user can only do the things they are privileged for.

In this article we will discuss permissions in the UNIX operating system; it can also be used as a reference for Linux and FreeBSD.

The Read, Write, & Execute Access Permission

In the UNIX world, everything is a file, whether you access a real file such as a text document, a web page, an image, a song or a video, or something such as a socket or a device. Everything is a file.

UNIX then assigns privileges that determine who can access which resources (files) on the system. Access is divided into three types: read (r), write (w), and execute (x).

As the names suggest, each permission limits what a user can do. If a user has read access to a certain file, they can read the file. To write to a file, a user must have write permission. Execute permission allows a user to run a file as an executable; files such as scripts and applications are treated this way.

A permission given to a user is a set of the three access types mentioned before. Thus a user can have a combination of them, such as read & write, read & execute, read only, write only, etc. To denote which privileges a user has, there is a common method: an octal number.

In the octal representation,

  1. read access (r) is represented by 4
  2. write access (w) is represented by 2
  3. execute access (x) is represented by 1

Thus, the general formula to obtain a user's privileges is read + write + execute. For example,

  1. a user has no read access, has write access, and has execute access = 0 + 2 + 1 = 3
  2. a user has read, write, and execute access = 4 + 2 + 1 = 7

On UNIX, there is also a common method to denote privileges using a combination of characters. UNIX uses three fields filled with r, w, and x for read, write, and execute access respectively. If the user doesn’t have the corresponding access, it is denoted by the ‘-’ character. Thus, for the examples above we have:

  1. a user has no read access, has write access, and has execute access = -wx
  2. a user has read, write, and execute access = rwx

User, Groups, and Other

Furthermore, a user of a UNIX machine belongs to certain groups of users. A group is a class of users who share the same interest, and can only be decided by the root account. UNIX then divides permissions into three categories: user (the one who owns the file, not always the one who created the file), group (users who share the same group), and other (users who do not share a group with the owner).

Thus, in UNIX every file has ownership. The ownership is identified by two values: the user owner and the group owner. The user owner determines the permission set for the user, while the group owner determines the permission set for the group. The access is denoted by the same method as mentioned above.

For example: a file “System Blueprint.odt” is created by user xathrya. The ownership of this file is xathrya (user), engineer (group). The file can be read and written by xathrya (as owner); each user in group engineer can read but cannot write; a user who is not in the engineer group cannot read, write, or execute this file. Thus user alice, who is in the engineer group, can read it, while user bob, who is not in the engineer group, is not allowed to access it.

Let’s invoke this:

ls -l

You will then see a list of the files and directories in the current path. In the first segment of each entry, there is a string consisting of d, r, w, and x. This denotes the permissions according to the user, group, and other classification we discussed above (except for d, which denotes that the entry is a directory).

The 2nd to 4th characters denote the permission for user. The 5th to 7th characters denote the permission for group. The 8th to 10th characters denote the permission for other. In short, if an entry has a permission like drw-rw-r--, then the directory (d) can be read and written by its user and group, while other users can only read / see it.

Changing the Permission

As discussed above, a file has access permissions. These privileges can be changed at any time using chmod. Here is an example:

chmod 444 foo

The 444 means user, group, and other can only read foo (remember how we denote access using octal numbers).

Besides the numerical method above, we can use chmod with symbols such as r, w, and x. First see this table:

Option          Character   Representing
(who)           u           User
(who)           g           Group owner
(who)           o           Other
(who)           a           All (“world”)
(action)        +           Add permission
(action)        -           Remove permission
(action)        =           Assign permission
(permissions)   r           Read
(permissions)   w           Write
(permissions)   x           Execute
(permissions)   t           Sticky bit
(permissions)   s           Set UID or GID

Now, let’s see some examples:

chmod a+rwx foo

This example sets permissions on foo. The symbol a means all users are affected, and the permission is set for read, write, and execute. Thus any user has total access to foo.

If you target a, you can also omit it and write the command as:

chmod +rwx foo

Another example:

chmod g-x foobar

This command removes execute permission from users who are in the same group as the group owner. Thus this command only affects the group owner.

FreeBSD File Flags

Exclusive to FreeBSD, there are some additional “file flags”. These flags add to the control and security of files. With them, even root can be prevented from changing or removing files.

The flags can be assigned with:

chflags

Some flags are described here:

  • arch: archived flag
  • nodump: nodump flag
  • sappnd: system append-only flag
  • schg: system immutable flag
  • sunlnk: system undeletable flag
  • uappnd: user append-only flag
  • uchg: user immutable flag
  • uunlnk: user undeletable flag

For example, if we want to create a file and ensure the file cannot be written, we use the immutable flag, such as:

chflags schg foo

To check flags status, we can use:

ls -ol

Now try using root privileges to remove a file with the immutable flag 😀

setuid, setgid, and sticky

Along with the permission system discussed before, another permission system is introduced: setuid, setgid, and sticky. These settings are important for some systems, as they provide functionality which is not given to normal users.

Setuid will set user ID upon execution. Setgid will set group ID upon execution. These

Before we proceed, let’s discuss the real-user ID and the effective-user ID.

The real-user ID is the UID which owns or starts a process.

The effective-user ID is the UID which is used at the process’s runtime.

For example: a user who runs passwd will have passwd run under their UID, but to update the password database, passwd will set its UID to root. This prevents the user from getting an error message such as “Permission Denied”.

The setuid permission can be set by prefixing the permission set with 4, as shown here:

chmod 4755 foo

Then list the files in the current directory. You will see an s symbol in the file permission: the permission will be rwsr-xr-x instead of rwxr-xr-x.

The setgid permission is similar to setuid, except that it changes the group access. To set the effective group ID, add 2 instead of 4 to the previous example, such as:

chmod 2755 foo

Of course, using setuid and setgid creates a threat. If an attacker can exploit a setuid- or setgid-enabled binary, he can gain root-level access. To prevent this, make sure a normal user doesn’t have access to setuid, especially for users other than themselves.

For example: if a text editor like vi has setuid active, it can open any file which can only be opened by a certain user. This is because the system will assume vi is run by root even when the one who ran it is a normal user. Then, what if the user accesses sensitive files such as initialization scripts? Or password files?
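To keep track of which programs carry this risk, the files with setuid or setgid set can be listed. The following is an added example, not part of the original article; the function names and the temporary sample files foo and bar are assumptions of the example.

```python
import os
import stat
import tempfile

def find_special_bit_files(root):
    """Return (path, mode string, owner uid, labels) for setuid/setgid regular files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # entry vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            labels = []
            if st.st_mode & stat.S_ISUID:
                labels.append("setuid")
            if st.st_mode & stat.S_ISGID:
                labels.append("setgid")
            if labels and st.st_mode & stat.S_IWOTH:
                labels.append("world-writable")   # anyone could replace the program
            if labels:
                findings.append((path, stat.filemode(st.st_mode), st.st_uid, labels))
    return sorted(findings)

def demo():
    """Constructed sample: 'foo' gets chmod 4755 as in the article, 'bar' stays 755."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("foo", 0o4755), ("bar", 0o755)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [(os.path.basename(p), m, labels)
                for p, m, _uid, labels in find_special_bit_files(root)]

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Pointing find_special_bit_files at a directory such as /usr/bin gives the list to review; entries with owner uid 0 are the ones that run as root.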

Last, the sticky permission. If this permission is set, then the only one who can remove the file is the file owner. To add the sticky permission, we add 1 when setting the permission with chmod, such as:

chmod 1755 foo

When set, this permission appears as the character t in the permission flags, such as rwxr-xr-t instead of rwxr-xr-x.
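The octal and character notations used throughout this article can be converted into each other mechanically. The following added example (not from the original article; the function name is an assumption) turns a permission string as printed by ls -l into the number given to chmod. It goes slightly beyond the text by also accepting the uppercase S and T that ls prints when a special bit is set but execute is not.

```python
def mode_string_to_octal(text):
    """Turn 'drw-rw-r--' or 'rwsr-xr-x' into the four-digit octal form, e.g. '4755'."""
    if len(text) == 10:
        text = text[1:]                      # drop the type character (d, -, l, ...)
    if len(text) != 9:
        raise ValueError("expected 9 permission characters, got %r" % text)

    special_weights = (4, 2, 1)              # setuid, setgid, sticky
    special_letters = ("s", "s", "t")        # shown in the x field of user, group, other
    special = 0
    digits = []
    for i in range(3):                       # user, group, other
        r, w, x = text[3 * i: 3 * i + 3]
        if r not in "r-" or w not in "w-":
            raise ValueError("bad read/write field in %r" % text)
        digit = (4 if r == "r" else 0) + (2 if w == "w" else 0)
        letter = special_letters[i]
        if x == "x":
            digit += 1
        elif x == letter:                    # lowercase: special bit and execute
            digit += 1
            special += special_weights[i]
        elif x == letter.upper():            # uppercase: special bit without execute
            special += special_weights[i]
        elif x != "-":
            raise ValueError("bad execute field in %r" % text)
        digits.append(digit)
    return "%d%d%d%d" % (special, *digits)


if __name__ == "__main__":
    for sample in ("drw-rw-r--", "rwsr-xr-x", "rwxr-sr-x", "rwxr-xr-t", "-wx------"):
        print(sample, "->", mode_string_to_octal(sample))
```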

About Author

xathrya

A man who is obsessed with low level technology.
