Understanding file protection

Discretionary access control (DAC): permission bits

In the first field of the ls -l output, the first character indicates the type of file:

- for a regular file
d for a directory file
b for a block special device file
c for a character special device file
l for a symbolic link

The next nine characters are interpreted as three sets of three bits each.

The first set refers to the owner's permissions.
The second set refers to permissions of the file's group class (this will consist only of the owning group, unless additional ACL entries are present).
The third set refers to the permissions for everyone else.

Within each set, the three characters show, respectively, permission

to read
to write
to execute the file as a program

For a directory, ``execute'' permission is interpreted to mean permission to search the directory for a specified file.

One additional character may appear at the end of the permission bit characters. A plus sign ( +) is displayed to show that additional access permissions, beyond those shown by the three sets of three bits, have been granted or denied through the ACL mechanism. ACLs and their relation to permission bits are discussed in ``Discretionary access control (DAC): access control lists''.

The permissions are displayed by ls as follows:

Symbol Meaning

r file is readable

w file is writable

x file is executable

-- no permission

l mandatory locking will occur during access (setgid bit is on and the group execution bit off)

s setuid or setgid bit is on and the corresponding user or group execution bit is also on

S setuid bit is on and the user execution bit is off

t sticky and execution bits for other are on

T sticky bit is turned on, and the execution bit for other is off

Symbol	Meaning
r	file is readable
w	file is writable
x	file is executable
--	no permission
l	mandatory locking will occur during access (setgid bit is on and the group execution bit off)
s	setuid or setgid bit is on and the corresponding user or group execution bit is also on
S	setuid bit is on and the user execution bit is off

t	sticky and execution bits for other are on
T	sticky bit is turned on, and the execution bit for other is off

File access permissions

Symbol Meaning

r directory is readable

w directory is writable

x directory is serachable

t file removal from a writable directory is limited to the owner of the directory or file unless the file is writable

Symbol	Meaning
r	directory is readable
w	directory is writable
x	directory is serachable
t	file removal from a writable directory is limited to the owner of the directory or file unless the file is writable

Directory access permissions

For more information, refer to ls(1), getacl(1), chmod(1), setacl(1), and ``Discretionary access control (DAC): access control lists''.