
UNIX Protection

In the document apollo BSD (pages 174-178)

Protection of Files and Directories

5.1 UNIX Protection

The UNIX protection scheme is based on owner and group IDs. Every file system object has associated with it an owner ID and a group ID. Every process has four IDs: a real

5.1.1 Protection Modes

Each file and directory has permissions for three categories of users: owner, group, and others. These permissions are represented as a UNIX mode, an octal number constructed from the logical OR of the following bits:

4000    set user ID on execution
2000    set group ID on execution
1000    sticky bit

0400    read by owner
0200    write by owner
0100    execute by owner
0040    read by group
0020    write by group
0010    execute by group
0004    read by others
0002    write by others
0001    execute by others

For example, mode 640 allows the owner to read and write, the group to read only, and others no access at all.

The UNIX command ls, when given the -l option, reports an object's mode in symbolic form as

-rwxrwxrwx

where each rwx sequence stands for the set of permissions available to the owner, the group, and others, respectively. (The initial hyphen indicates that the object is an ordinary file. For a directory, the initial character is the letter "d"; for a symbolic link, it is the letter "l".) Mode 640, for example, appears as

-rw-r-----

Table 5-1 shows these rights and their meanings for files and directories.

Table 5-1. UNIX Permissions

        File        Directory
r       Read        List entries
w       Write       Add, delete, or change entries
x       Execute     Search


5.1.2 The setuid and setgid Bits

The 4000, 2000, and 1000 bits in a protection mode have meaning only for executable files. They affect the behavior of a file when a user executes it.

The 4000 bit is the setuid bit. If you execute a file that has this bit on, the operating system sets the effective user ID of the process to the owner ID of the file. Similarly, the 2000 bit is the setgid bit. It sets the effective group ID to the group ID of the file.

The ls command reports the setuid (or setgid) bit with the letter "s" in place of the "x" for execution by owner (or group). Though ls displays them in place of the "x," these bits do not affect permission to execute the file. The operating system always checks the "x" bit.

For example, if a program has the protection mode 6711, the owner ID pooh, and the group ID bears, ls -l reports its protection as

-rws--s--x

The program always executes as though it were invoked by user pooh and group bears.

The 1000 bit is the sticky bit. On Domain systems, this bit has no effect.
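The mapping between the octal mode and the field ls -l prints, worked both ways as an added example (this code is not from the Apollo manual). It renders 6711 as -rws--s--x and parses that string back to 06711. One assumption beyond what the manual states: as standard BSD ls does, a set-ID or sticky bit whose execute bit is off is shown in upper case ('S'/'T'), which makes visible that the "x" bit the operating system actually checks is absent.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the manual: render a protection mode the way
 * ls -l does, and parse that symbolic form back into an octal mode. */

/* Render `mode` as the 10-character field ls -l prints, e.g. 06711 -> "-rws--s--x".
 * is_dir selects the leading 'd'; ordinary files get '-'.
 * Assumption (standard BSD ls behaviour, not stated in the manual): a set-ID or
 * sticky bit whose execute bit is off is shown in upper case ('S'/'T'). */
void mode_to_string(unsigned mode, int is_dir, char out[11])
{
    static const unsigned rbit[3] = { 0400, 0040, 0004 };
    static const unsigned wbit[3] = { 0200, 0020, 0002 };
    static const unsigned xbit[3] = { 0100, 0010, 0001 };
    static const unsigned sbit[3] = { 04000, 02000, 01000 }; /* setuid, setgid, sticky */
    static const char with_x[3]    = { 's', 's', 't' };
    static const char without_x[3] = { 'S', 'S', 'T' };

    out[0] = is_dir ? 'd' : '-';
    for (int c = 0; c < 3; c++) {          /* c: 0 owner, 1 group, 2 others */
        char *p = out + 1 + 3 * c;
        p[0] = (mode & rbit[c]) ? 'r' : '-';
        p[1] = (mode & wbit[c]) ? 'w' : '-';
        if (mode & sbit[c])
            p[2] = (mode & xbit[c]) ? with_x[c] : without_x[c];
        else
            p[2] = (mode & xbit[c]) ? 'x' : '-';
    }
    out[10] = '\0';
}

/* Parse an ls -l permission field back into an octal mode; -1 if malformed
 * (wrong length, unknown letter, or a special-bit letter in the wrong class). */
long string_to_mode(const char *s)
{
    if (strlen(s) != 10) return -1;
    unsigned mode = 0;
    for (int c = 0; c < 3; c++) {
        const char *p = s + 1 + 3 * c;
        unsigned shift = 6 - 3 * c;        /* owner bits sit highest */
        unsigned special = (c == 0) ? 04000 : (c == 1) ? 02000 : 01000;
        if (p[0] == 'r') mode |= 4u << shift; else if (p[0] != '-') return -1;
        if (p[1] == 'w') mode |= 2u << shift; else if (p[1] != '-') return -1;
        switch (p[2]) {
        case 'x': mode |= 1u << shift; break;
        case '-': break;
        case 's': if (c == 2) return -1; mode |= special | (1u << shift); break;
        case 'S': if (c == 2) return -1; mode |= special; break;
        case 't': if (c != 2) return -1; mode |= special | 1u; break;
        case 'T': if (c != 2) return -1; mode |= special; break;
        default:  return -1;
        }
    }
    return (long)mode;
}

int main(void)
{
    /* Constructed sample modes, including the manual's 640 and 6711. */
    const unsigned samples[] = { 0640, 06711, 0755, 04644 };
    char buf[11];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        mode_to_string(samples[i], 0, buf);
        printf("%05o  %s  -> parses back to %05lo\n",
               samples[i], buf, string_to_mode(buf));
    }
    return 0;
}
```

The parser rejects "t" in the owner or group position and "s" in the others position, since the sticky bit only ever overlays the others' execute slot and the set-ID bits only the owner's and group's.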

5.1.3 Checking Permissions

When a process attempts to access a file system object, the operating system checks permissions in order: first owner, then group, and finally others. The first matching permissions apply. Permissions for the owner apply to any process whose effective user ID matches the object's owner ID. Group permissions apply to any process whose effective group ID matches the object's group ID and whose effective user ID does not match the object's owner ID. Permissions for others apply to all other processes.

For example, suppose the file tarts has the owner ID jack, the group ID hearts, and the protection mode 640. With the -l and -g options, ls will show complete protection information for tarts:

% ls -lg tarts

-rw-r-----  1 jack  hearts  3474 Feb 29 10:54 tarts

Processes with an effective user ID of jack will have both read and write permissions for tarts. Other processes will have read permission if their effective group ID is hearts and otherwise will have no access at all.

The /etc/passwd file specifies a default group for each user. Additional groups can be specified in the /etc/group file. Under SysV, users can invoke the newgrp command to

In Domain/OS, the PROJLIST environment variable determines which scheme for group membership applies. PROJLIST is set by default in the BSD operating environment. In other operating environments you can set it optionally. ( See Chapter 4, Subsection 4.2.4 for details.)

Because the operating system always applies the first matching permissions, it is possible for the owner of a file to have fewer permissions than other users on the system. Mode 477, for instance, gives the owner read rights only, but gives everyone else all rights.
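The first-match rule of this subsection, as an added example (not code from the manual) run against constructed sample objects and processes, including the tarts file and the mode 477 case. IDs are assumed for illustration (jack = 100, hearts = 20). It also accepts a supplementary group list and treats membership as a group match, the BSD scheme; the manual says PROJLIST (Subsection 4.2.4) selects which scheme actually applies on Domain/OS, so that part is an assumption.

```c
#include <stdio.h>

/* Added example, not from the manual: the first-match permission check of
 * Subsection 5.1.3, run against constructed sample objects and processes. */

#define PERM_READ  4u
#define PERM_WRITE 2u
#define PERM_EXEC  1u

struct object  { int owner_uid; int group_gid; unsigned mode; };
struct process {
    int euid, egid;
    const int *groups; int ngroups;   /* supplementary group list, may be empty */
};

/* Assumption: the supplementary group list counts as group membership, as
 * under BSD; the manual says PROJLIST (4.2.4) selects which scheme applies. */
static int in_group(const struct process *p, int gid)
{
    if (p->egid == gid) return 1;
    for (int i = 0; i < p->ngroups; i++)
        if (p->groups[i] == gid) return 1;
    return 0;
}

/* Select the one permission class that applies: owner if the effective UID
 * matches, otherwise group if the process belongs to the object's group,
 * otherwise others. Later classes are never consulted, which is why mode 477
 * leaves the owner with less than everyone else. */
unsigned class_bits(const struct object *o, const struct process *p)
{
    if (p->euid == o->owner_uid) return (o->mode >> 6) & 7;
    if (in_group(p, o->group_gid)) return (o->mode >> 3) & 7;
    return o->mode & 7;
}

/* 1 if the process holds every permission in `want` (bitwise OR of PERM_*).
 * The super-user override of Subsection 5.4.1 is deliberately not modelled. */
int access_allowed(const struct object *o, const struct process *p, unsigned want)
{
    return (class_bits(o, p) & want) == want;
}

int main(void)
{
    /* Constructed IDs: jack = 100, hearts = 20, as in the tarts example. */
    struct object tarts = { 100, 20, 0640 };
    struct object odd   = { 100, 20, 0477 };
    struct process jack     = { 100, 20, NULL, 0 };
    struct process hearts   = { 200, 20, NULL, 0 };
    struct process stranger = { 300, 30, NULL, 0 };

    printf("tarts: jack rw=%d  hearts member r=%d w=%d  stranger r=%d\n",
           access_allowed(&tarts, &jack, PERM_READ | PERM_WRITE),
           access_allowed(&tarts, &hearts, PERM_READ),
           access_allowed(&tarts, &hearts, PERM_WRITE),
           access_allowed(&tarts, &stranger, PERM_READ));
    printf("mode 477: owner w=%d  stranger rwx=%d\n",
           access_allowed(&odd, &jack, PERM_WRITE),
           access_allowed(&odd, &stranger, PERM_READ | PERM_WRITE | PERM_EXEC));
    return 0;
}
```

Note that an owner who is also a member of the object's group still gets only the owner class: with mode 470, jack cannot write even though the group bits would allow it.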

5.1.4 Assigning and Changing Permissions

A newly created object inherits its owner and group IDs from the process that creates it. (Except that under 4.3BSD, an object inherits the group ID from the parent directory, the directory where the object is created.)

The permissions for a newly created object can be specified by the creating process, through the mode argument to system calls such as mkdir or open. System calls that do not take a mode argument create objects with mode 777. In both cases, the permissions specified by the creating call are then filtered through the umask of the process. The umask is a bitmask that specifies permissions to be disallowed for any objects created by the process: every bit set in the umask is cleared from the requested mode. For example, if a process with a umask of 022 creates an object via an open call with a mode of 770, the object will have a permissions mode of 750.
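The umask filter, as an added example that is not part of the manual: first as the arithmetic (requested mode with the umask bits cleared), then confirmed against the kernel by creating a file with umask(2) and open(2) and reading the stored bits back with fstat(2). The scratch file name under $TMPDIR (or /tmp) is an assumption of this example; the file is removed again before the function returns.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not from the manual: how a requested creation mode is
 * filtered through the process umask (Subsection 5.1.4). */

/* The filter itself: every bit set in the umask is cleared from the
 * requested mode. Only the 12 permission bits take part. */
mode_t effective_mode(mode_t requested, mode_t mask)
{
    return (requested & ~mask) & 07777;
}

/* Create `path` with open(2) under the given umask and return the permission
 * bits the kernel actually stored (from fstat), or -1 on error. The previous
 * umask is restored and the file removed, so nothing is left behind. */
long create_with_umask(const char *path, mode_t requested, mode_t mask)
{
    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);
    if (fd < 0) return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    if (rc < 0) return -1;
    return (long)(st.st_mode & 07777);
}

/* Build a scratch path in $TMPDIR (or /tmp) unique to this process.
 * Returns 1 on success, 0 if the buffer is too small. */
int scratch_path(char *buf, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (!dir || !*dir) dir = "/tmp";
    int n = snprintf(buf, len, "%s/umask-demo-%ld", dir, (long)getpid());
    return n > 0 && (size_t)n < len;
}

int main(void)
{
    char path[256];
    if (!scratch_path(path, sizeof path)) return 1;
    /* Constructed cases: the manual's 770/022, touch's 666 under 0 and 022,
     * and a private-only umask of 077. */
    const mode_t cases[][2] = { {0770, 022}, {0666, 0}, {0666, 022}, {0777, 077} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        mode_t want = effective_mode(cases[i][0], cases[i][1]);
        long got = create_with_umask(path, cases[i][0], cases[i][1]);
        printf("open mode %04o, umask %03o -> computed %04o, kernel stored %04lo\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1], (unsigned)want, got);
    }
    return 0;
}
```

The 666/0 and 666/022 cases reproduce the magritte and dali lines of Figure 5-1, since touch creates with mode 666.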

Only an object's owner or the super-user can change the IDs and permissions associated with the object. (The super-user, which we discuss in Subsection 5.4.1, has rights outside the normal protection model.) On vanilla 4.3BSD systems, only the super-user can change the owner ID of an object. However, Domain/OS BSD does not implement this restriction.

5.1.5 Utilities

This subsection surveys the UNIX utilities for inspecting and modifying protection. See the BSD Command Reference and the SysV Command Reference for detailed descriptions.

The umask command (built in to the Aegis shell as well as the UNIX shells) sets or displays the value of the umask. The chmod command changes the permissions mode of a file or directory; chown changes the owner ID, and chgrp changes the group ID. To display the protection of an object, you can use ls with the -l and -g options.

Figure 5-1 illustrates the use of these utilities. In this example, files are created via the touch command, which uses the creat system call with a mode of 666.


% umask
0
% touch magritte
% ls -lg magritte
-rw-rw-rw-  1 mk  none  0 Feb  5 14:48 magritte
% umask 022
% touch dali
% ls -lg dali
-rw-r--r--  1 mk  none  0 Feb  5 14:49 dali
% chmod 664 dali
% chgrp dds dali
% ls -lg dali
-rw-rw-r--  1 mk  dds   0 Feb  5 14:49 dali

Figure 5-1. UNIX Protection Utilities

The BSD Programmer's Reference and the SysV Programmer's Reference describe system calls pertaining to protection, including stat, chmod, chown, and umask.
