questions about unix permissions

Hello! Here are some questions & answers. The goal isn't to get all the questions "right". Instead, the goal is to learn something! If you find a topic you're interested in learning more about, I'd encourage you to look it up and learn more.

how many bits are file permissions?

12 bits!

it's 4 groups of 3 bits. For example, "4755" corresponds to 100 111 101 101. Here's what each of those sections corresponds to:

100: setuid, setgid, sticky bits
111: user  r/w/x bits
101: group r/w/x bits
101: other r/w/x bits

when you run ls -l, it displays the permissions like this: -rwxr-xr-x. what do r, w, and x stand for?

read, write, execute

there are 3 sets of read/write/execute permissions: for the user who owns the file, the group that owns the file, and for others

if a file's permissions are 0644, does that mean the "group can write to this file" bit is set to 1?

nope!

0644 in binary is 000 110 100 100. Let's break down what that means:

000: no setuid/setgid/sticky bits
110: user can read/write
100: group can read
100: others can read

so anyone can read the file, but only the user who owns the file can write to it.

does the operating system kernel know/care what your username is?

nope!

the kernel does all permission checks based on user ID / group IDs -- usernames and group names only really exist to make it more usable by humans

what does it mean if the "read" bit is set to 1 on a directory?

it means you can list files in the directory!

for directories, here's what the read/write/execute bits mean:

  • read: you can list files
  • write: you can create files
  • execute: you can cd into the directory & access files beneath it

if the permissions are set to 0666 on a file, does that mean anyone can read it?

not necessarily!

the read bit is set to 1, so you'll usually be able to read it. But! If any of the parent directories of that file have their execute bit set to 0, that will prevent you from reading any file underneath that directory (try it!).

if a file's permissions are set to 0000, does that mean that nobody can read it?

nope!

root can still read/write files with 0000 permissions.

does every process have a user id (UID)?

yes!

when you're logged in as a user, almost all the processes you start will have their UID set to your UID.

technically Unix processes have like 4 different UIDs but most of the time they're all the same

can a process have multiple group ids (GIDs)?

yes!

processes have a main GID and also a list of supplementary group IDs. file permission checks will check to see if any of the process's group IDs match the file's group.
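Pulling several of the answers above together (the 4-group bit layout, the parent-directory execute rule, root's bypass, and the group check against the primary plus supplementary GIDs), here is an added Python example that is not part of the original page: it decodes a numeric mode into the string ls -l prints and mimics the kernel's permission check. All uid/gid values in it are constructed, and the root bypass is simplified to "uid 0" rather than the capability check Linux actually does.

```python
import stat

R, W, X = 4, 2, 1  # the three bits of one rwx group

def mode_to_string(mode: int, is_dir: bool = False) -> str:
    """Render a mode such as 0o4755 the way `ls -l` shows it ("-rwsr-xr-x")."""
    out = ["d" if is_dir else "-"]
    # (shift of the rwx group, special bit that shares its x slot, letter for it)
    for shift, special, letter in ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & R else "-")
        out.append("w" if bits & W else "-")
        if mode & special:
            # setuid/setgid/sticky replace the x slot: lowercase if x is also set, uppercase if not
            out.append(letter if bits & X else letter.upper())
        else:
            out.append("x" if bits & X else "-")
    return "".join(out)

def can_access(mode, file_uid, file_gid, uid, gids, want, is_dir=False):
    """Discretionary check for one file. `want` is a bitmask of R/W/X;
    `gids` holds the process's primary GID plus its supplementary GIDs."""
    if uid == 0:
        # constructed simplification: root skips read/write checks; to execute a
        # regular file at least one x bit must still be set (directories are always traversable)
        return not (want & X) or is_dir or (mode & 0o111) != 0
    # Only ONE class is consulted: owner if the UID matches, else group if any GID
    # matches, else other. An owner with mode 0o077 is denied even though "other" has rwx.
    if uid == file_uid:
        bits = (mode >> 6) & 0o7
    elif file_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & want == want

def can_open(parent_dirs, file_mode, file_uid, file_gid, uid, gids, want):
    """parent_dirs is a list of (mode, uid, gid) for each directory on the path.
    You need x on every one of them before the file's own bits even matter."""
    for dmode, duid, dgid in parent_dirs:
        if not can_access(dmode, duid, dgid, uid, gids, X, is_dir=True):
            return False
    return can_access(file_mode, file_uid, file_gid, uid, gids, want)

if __name__ == "__main__":
    print(mode_to_string(0o4755))                         # -rwsr-xr-x
    # constructed: a 0666 file under a 0700 directory owned by uid 1000
    print(can_open([(0o700, 1000, 1000)], 0o666, 1000, 1000, 1001, {1001}, R))  # False
```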

if you add a user to a group, do existing processes running as that user automatically get that GID added to their list of GIDs?

nope!

this is why, if you're running a shell and you add yourself to a group in the middle, you won't have the new group until you log out and log in again.

what does the setuid bit do?

on an executable, it means the process will run with the UID of the file's owner!

for example, passwd (which changes your password) usually has the setuid bit set, because it needs to run as root to be able to write to the file where passwords are stored.

I've never used the sticky bit or the setgid bit so I'm not going to ask any questions about those :)

is it possible for an unprivileged process to change its UID?

nope!

you have to have superuser privileges (or CAP_SETUID on Linux) to change your UID.

why is it possible for sudo to let you run commands as root?

it has the setuid bit set!

sudo always runs as root, so it will start programs for you as root if /etc/sudoers says you're allowed to.