Permissions

From Alteeve Wiki

NOTE: Currently, this document covers only UNIX-style permissions.

Permissions are used to restrict access to data. In POSIX systems, the most common form of permissions (sometimes called a file's 'mode') works by specifying the owning user and group, and then defining what access the owning user, the owning group and "other" have. This is specified in a 9-byte string, which can also be described using a 3-digit number.

Note that this string will appear to be 10 bytes long, but the first byte describes the file type ('-' for a file, 'd' for a directory, 's' for a symlink, etc). The 3-digit number may also be expressed with four or five digits, which describe certain special characteristics of the file. For now though, we'll keep it simple.

So, using this as an example (simplified string):

 <permission>  <user>   <group>    <file name>
 -rw-rw-r--    www-data digimer    README
  • This shows a file owned by the user 'www-data' and group 'digimer'.
  • The file name is 'README'
  • This file's permission string is '-rw-rw-r--'.

The permission string is made up of four parts:

* 1) The first byte is the file type (as mentioned above); we will ignore this for now.
* 2) 3 bytes showing the 'read', 'write' and 'execute' rights of the owning user.
* 3) 3 bytes showing the 'read', 'write' and 'execute' rights of the owning group.
* 4) 3 bytes showing the 'read', 'write' and 'execute' rights of everyone else.

When a value is not present (not allowed), it is shown as a hyphen (-). So then:

 -rw-rw-r--
 |\_/\_/\_/
 | |  |  \--- 'Other' (everyone else) can 'read' the file, but not 'write' to the file or
 | |  |       'execute' the file (which means to run it, if it was a program).
 | |  \------ 'Group', users who are members of this group are allowed to 'read' and 'write' the file.
 | \--------- 'User', the owning user is allowed to 'read' and 'write' to this file.
 \----------- File type; being a hyphen indicates that this is a normal file. Ignore for now.

Because writing out that string is tedious for humans, a short form was developed to describe the permissions. Following the example of binary, each byte within a section of three was assigned a value, from right to left.

 rwx
 ||\- 1
 |\-- 2
 \--- 4

By adding up the values of the "true" or set bytes in each section, the permissions can be described. So to use our example above, the permission could have been listed as:

 664

Where:

 Note: A 'hyphen' indicates that the permission is not granted (not 'true' or 'set'), so it is not added.
 
 rw-rw-r-- = (rwx)(rwx)(rwx) = (4+2+0)(4+2+0)(4+0+0) = (6)(6)(4) = 664
 ||||||||\- 0 \
 |||||||\-- 0  |-> Permissions for "everyone else".
 ||||||\--- 4 /
 |||||\---- 0 \
 ||||\----- 2  |-> Permissions for people in the owning group.
 |||\------ 4 /
 ||\------- 0 \
 |\-------- 2  |-> Permissions for the owner directly.
 \--------- 4 /
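
The conversion described above, written out as an added Python example (not part of the original wiki page). It parses the 9- or 10-byte string into the 3-digit short form and back, and includes a check for whether 'other' holds the write bit. The function names are hypothetical, and special flags from the four-digit form are rejected rather than interpreted.

```python
import stat

# Values from the page: read = 4, write = 2, execute = 1.
BIT_VALUES = {"r": 4, "w": 2, "x": 1}
CLASSES = ("user", "group", "other")

def parse_mode(perm):
    """Turn '-rw-rw-r--' (or 'rw-rw-r--') into per-class digits."""
    if len(perm) == 10:          # drop the leading file-type byte
        perm = perm[1:]
    if len(perm) != 9:
        raise ValueError(f"expected 9 or 10 characters, got {len(perm)}")
    digits = {}
    for idx, cls in enumerate(CLASSES):
        total = 0
        for flag, ch in zip("rwx", perm[idx * 3: idx * 3 + 3]):
            if ch == flag:
                total += BIT_VALUES[flag]
            elif ch != "-":
                # Special flags are outside the simple 3-digit form.
                raise ValueError(f"unsupported character {ch!r} for {cls}")
        digits[cls] = total
    return digits

def to_octal(perm):
    """Return the 3-digit short form as a string, e.g. '664'."""
    d = parse_mode(perm)
    return "".join(str(d[c]) for c in CLASSES)

def to_string(octal):
    """Inverse of to_octal: '664' -> 'rw-rw-r--'."""
    if len(octal) != 3 or any(ch not in "01234567" for ch in octal):
        raise ValueError("expected three digits, each 0-7")
    return "".join(
        "".join(flag if int(ch) & BIT_VALUES[flag] else "-" for flag in "rwx")
        for ch in octal
    )

def writable_by_other(perm):
    """True when 'everyone else' holds the write bit (value 2)."""
    return bool(parse_mode(perm)["other"] & BIT_VALUES["w"])

if __name__ == "__main__":
    sample = "-rw-rw-r--"  # the README example from the page
    print(sample, "=", to_octal(sample))
    # Cross-check against the standard library's own renderer.
    print(stat.filemode(stat.S_IFREG | int(to_octal(sample), 8)))
```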

 
