
Unix And Windows File Permission Systems

Xah Lee, 2009-06-11

This document is a basic tutorial on the file permission systems of unix and Windows.

Unix File Permission System

On unixes, a file has owner and group attributes. The owner is a login account name. A set of arbitrarily chosen login accounts forms a group. Groups can be created arbitrarily by sys admins (e.g. sales, programmers, managers, etc.).

A file also has a permission attribute. Basically, the possible permissions are: read or no read, write or no write, execute or no execute. Together, these make a permission set. One such set is associated with the file's owner, one with the group, and one with a special name called “other”, which means all those who are neither the owner nor in the group.

So, typically, when you do “ls -l” in unix, you will see lines like:

  drwxrw-rw-  1 xah xah  6608 06-08 06:48 Documents
  -rw-rw-rw-  1 xah xah  6608 06-08 06:48 my_notes.txt

The “d” means it's a directory. You'll see 3 sets of “rwx”. The r means read, the w means write, and the x means execute. When a permission bit is not on, it shows as “-”. The first set of rwx is associated with the file's owner, the second set with the group, and the third set with “other”, which applies to all who are not the owner and not in the group. Notice that the directory Documents also has the execute bit (the “x”) on for the owner. That is because, in order to list a directory's content, the directory not only needs the read permission on, but due to unix idiosyncrasy, it must also have the execute bit on. (The technical details of the unix permission system are quite convoluted and fucked up.)
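As an added example (not from the original page), here is a small parser for the 10-character permission field of an “ls -l” line, such as “drwxrw-rw-” above, that also answers the question just raised: which class can actually list the directory? It goes slightly beyond the text by handling the s/t characters (setuid, setgid, sticky) that appear in the second listing further down; all function names are mine.

```python
import stat

# Parse an "ls -l" permission field into a numeric mode and check, per class,
# whether a directory can be listed (needs BOTH r and x, as the text explains).

TYPE_CHARS = {"-": "file", "d": "directory", "l": "symlink", "c": "char device",
              "b": "block device", "p": "fifo", "s": "socket"}
SPECIAL_BIT = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)   # one per rwx triple
SPECIAL_CHARS = ("sS", "sS", "tT")                         # s/S owner+group, t/T other
SHIFT = {"owner": 6, "group": 3, "other": 0}


def parse_mode(perm):
    """Return (file_type, mode) for a field like 'drwxr-xr-t'."""
    if len(perm) != 10 or perm[0] not in TYPE_CHARS:
        raise ValueError(f"not an ls -l permission field: {perm!r}")
    mode = 0
    for i, (r, w, x) in enumerate((perm[1:4], perm[4:7], perm[7:10])):
        shift = 6 - 3 * i                          # owner bits are the highest
        if r not in "r-" or w not in "w-" or x not in "x-" + SPECIAL_CHARS[i]:
            raise ValueError(f"bad permission triple {r + w + x!r} in {perm!r}")
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in "xst":                             # lower-case means x is set
            mode |= 1 << shift
        if x in "sStT":                            # upper-case: special bit without x
            mode |= SPECIAL_BIT[i]
    return TYPE_CHARS[perm[0]], mode


def bits_for(mode, who):
    """Return (read, write, execute) booleans for 'owner', 'group' or 'other'."""
    s = SHIFT[who]
    return bool(mode & (4 << s)), bool(mode & (2 << s)), bool(mode & (1 << s))


def can_list_directory(perm, who):
    """Listing needs r (to read the entries) AND x (to search the directory)."""
    kind, mode = parse_mode(perm)
    if kind != "directory":
        raise ValueError(f"{perm!r} is not a directory")
    r, _, x = bits_for(mode, who)
    return r and x


def octal(perm):
    """Octal text of the mode, e.g. 'drwxrwxrwt' -> '1777'."""
    return format(parse_mode(perm)[1], "04o")
```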

The “xah xah” there are the owner and group attributes. On Mac OS X, a group with the same name as your login name is created by default. Here's another example showing different users and groups.

  /:
  total used in directory 14611 available 21849492
  drwxrwxr-t   38 root  admin     1394 Jun 10 11:07 .
  drwxrwxr-t   38 root  admin     1394 Jun 10 11:07 ..
  -rw-rw-r--    1 root  admin    21508 Jun 10 11:56 .DS_Store
  drw-------    9 root  admin      306 Nov  9  2005 .Spotlight-V100
  d-wx-wx-wt    2 root  admin       68 Oct  8  2005 .Trashes
  -rw-------    1 root  wheel  1048576 Nov  9  2005 .hotfiles.btree
  dr-xr-xr-x    2 root  wheel      128 Jun 10 11:07 .vol
  drwxrwxr-x   71 root  admin     2414 Jun 10 11:56 Applications
  drwxrwxr-x   17 root  admin      578 Oct 13  2007 Applications (Mac OS 9)
  -rw-rw-r--    1 root  admin   196608 Jun  7 18:26 Desktop DB
  -rw-rw-r--    1 root  admin  1223010 Mar  1 14:55 Desktop DF
  drwxrwxr-x    2 root  admin       68 Sep 26  2003 Desktop Folder
  drwxrwxr-x   17 root  admin      578 Mar 14  2008 Developer
  drwxrwxr-t   49 root  admin     1666 Jul 17  2006 Library
  drwxr-xr-x    1 root  wheel      512 Jun 10 11:09 Network
  drwxr-xr-x    4 root  wheel      136 Jun 10 11:08 System
  drwxrwxr-x   35 root  admin     1190 Dec  1  2005 System Folder
  drwxr-xr-x    2 o     admin       68 Nov 18  2005 TheVolumeSettingsFolder
  lrwxr-xr-x    1 root  admin       60 Nov  9  2005 User Guides And Information -> /Library/Documentation/User Guides and Information.localized
  drwxrwxr-t    9 root  admin      306 Jan 10 17:12 Users
  drwxrwxrwt    5 root  admin      170 Jun 10 11:10 Volumes
  drwxr-xr-x    4 root  admin      136 Nov  9  2005 automount
  drwxr-xr-x   40 root  wheel     1360 May 13 08:50 bin
  drwxrwxr-t    3 root  admin      102 Mar 25  2006 cores
  dr-xr-xr-x    2 root  wheel      512 Jun 10 11:07 dev
  lrwxr-xr-x    1 root  admin       11 Oct  8  2005 etc -> private/etc
  lrwxr-xr-x    1 root  admin        9 Jun 10 11:07 mach -> /mach.sym
  -r--r--r--    1 root  admin   604360 Jun 10 11:07 mach.sym
  -rw-r--r--    1 root  wheel  4352200 Oct 17  2007 mach_kernel
  drwxr-xr-x    3 root  wheel      102 Apr 14  2006 opt
  drwxr-xr-x    7 root  wheel      238 Jun 10 11:07 private
  drwxr-xr-x   63 root  wheel     2142 May 13 08:50 sbin
  -rw-r--r--    1 xah   admin        0 Jul 23  2008 siplog.txt
  drwxr-xr-x   12 root  admin      408 Jul  9  2008 sw
  lrwxr-xr-x    1 root  admin       11 Oct  8  2005 tmp -> private/tmp
  -rw-r--r--    1 xah   admin       23 Feb 27 22:09 url_history.xml
  drwxr-xr-x   11 root  wheel      374 Nov 10  2005 usr
  lrwxr-xr-x    1 root  admin       11 Oct  8  2005 var -> private/var

You can use tools like chmod, chown, chgrp, umask, etc. to set or change a file's permissions. Their syntax, interfaces, complexity and flexibility are a complete motherfuck.

The problem of which process can run or access what file is also a complete motherfuck.

For some detail and further readings, see: File system permissions.

Windows Permission System

Windows's permission system for file access is called the Access Control List (ACL). It is simpler and more powerful. Here are the basics.

Basically, a file has an owner, typically the person who created the file.

A file (or in general, a process, or “object”) has a list of access properties. This list specifies who can access the object, and what type of access. For example, a file will have a list of group or user names. Each element in the list is either a login account or a group (similar to unix's notion of group, but not a hard-coded per-machine system; the group can include users in a network). For each user or group, there is a set of permissions. This set includes: Full control, Modify, Read & execute, List folder contents, Read, Write, Special permissions.

In contrast to unix, the Windows system is not just one single owner and one single group for a file. A file can have several users and/or several groups attached to it, and each of these gets not simple rwx bits but richer permissions. Also, the permissions can be inherited; e.g. a newly created subfolder typically inherits its parent's ACL. On unix, there's no concept of permission inheritance. When a file is created, its permissions are determined by a hard-coded so-called bitmask (the umask), fuck.
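The unix side of that contrast, as an added example that is not part of the original page: a new file's mode is not inherited from its folder. The creating program asks for a mode (0666 for a regular file, 0777 for a directory) and the process's umask clears bits from that request. The function names are mine; the second function creates a scratch directory and file to show the kernel really does this.

```python
import os
import stat
import tempfile


def creation_mode(is_directory, umask):
    """Mode the kernel assigns for the usual requested defaults under umask:
    a plain file asks for 0666, a directory for 0777, and umask bits are cleared."""
    requested = 0o777 if is_directory else 0o666
    return requested & ~umask & 0o777


def observe_creation_modes(umask):
    """Create a directory and a file under umask in a scratch folder and
    return (dir_mode, file_mode) as the kernel actually set them."""
    old = os.umask(umask)                  # umask is process-wide, so restore it
    try:
        with tempfile.TemporaryDirectory() as base:
            folder = os.path.join(base, "Documents")
            os.mkdir(folder)               # requests 0777
            notes = os.path.join(base, "my_notes.txt")
            # os.open with 0o666 is what open() does underneath: requests 0666
            os.close(os.open(notes, os.O_CREAT | os.O_WRONLY, 0o666))
            return (stat.S_IMODE(os.stat(folder).st_mode),
                    stat.S_IMODE(os.stat(notes).st_mode))
    finally:
        os.umask(old)
```

With the common umask 022 this yields 755 for the directory and 644 for the file; a stricter 077 gives 700 and 600.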

For detail and reference, see: Access control list, AGDLP, User Account Control, MSDN Access Control Model: Source.

Tools

In unixes, you use chown, chgrp, chmod, together with “find”, to set the permissions of files or folders recursively to any possible bits.
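As an added example (not from the original page), the usual find-based idiom for that, `find DIR -type d -exec chmod 755 {} +` followed by `find DIR -type f -exec chmod 644 {} +`, written out in Python so the directory/file distinction the text relies on is explicit: directories get the x bit so they can be entered, plain files do not. Symlinks are skipped because chmod follows them and would change the target instead (compare “etc -> private/etc” in the listing above). The function names and the sample tree are mine.

```python
import os
import stat
import tempfile


def normalize_tree(root, dir_mode=0o755, file_mode=0o644):
    """Apply dir_mode to every directory and file_mode to every regular file
    under root (root included). Returns how many of each were touched."""
    counts = {"dirs": 0, "files": 0, "symlinks_skipped": 0}
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow symlinks
        os.chmod(dirpath, dir_mode)
        counts["dirs"] += 1
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):                     # leave the link alone
                counts["symlinks_skipped"] += 1
            elif stat.S_ISREG(os.lstat(path).st_mode):   # regular files only
                os.chmod(path, file_mode)
                counts["files"] += 1
    return counts


def mode_of(path):
    """Permission bits of path itself (not of a symlink's target)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Build a small constructed tree with sloppy modes, fix it, and report
    the modes afterwards."""
    with tempfile.TemporaryDirectory() as base:
        docs = os.path.join(base, "Documents")
        os.mkdir(docs, 0o700)                    # owner-only directory
        notes = os.path.join(docs, "my_notes.txt")
        with open(notes, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(notes, 0o777)                   # world-writable and executable text file
        os.symlink(docs, os.path.join(base, "etc"))   # a link, like etc -> private/etc
        counts = normalize_tree(base)
        return {"dir": mode_of(docs), "file": mode_of(notes), "counts": counts}
```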

I'm surprised that in Windows, this is usually not done. For tools to do this, see: Cacls and SetACL.

2009-06
© 2009 by Xah Lee.