The Unix file system uses owner, group, and permission metadata to enforce file-system access control. Every file has an owner and a group, and its basic permissions are stored as three triads: one for the owner, one for the group, and one for all other users.
Permission triads
Unix file permissions are represented by three ordered triads:
owner permissions apply if the accessing user is the file owner;
group permissions apply if the accessing user belongs to the file group and is not the owner;
other permissions apply to all other users.
Each triad contains the rights read (r), write (w), and execute (x). Missing rights are written as -.
Only the file owner and the superuser can change file permissions.
Superuser
Root
The superuser is the special account with full system privileges. It is usually called root and has user identifier 0.
The superuser can perform file-system operations regardless of ordinary file permissions.
Many systems disallow direct login as root. Authorised users instead run selected commands with root privileges using sudo. The file /etc/sudoers lists these users and can restrict which commands each user may run.
Notation
Symbolic notation
Symbolic notation writes each permission triad as three characters. For example:
rwx r-x ---
This means:
owner: read, write, execute;
group: read, execute;
others: no rights.
This is the notation shown by commands such as ls -l.
Octal notation
Octal notation represents each triad by one digit. Each allowed right contributes a value:
read: 4;
write: 2;
execute: 1.
For example, 750 means:
owner: 7 = 4 + 2 + 1, so read, write, execute;
group: 5 = 4 + 1, so read and execute;
others: 0, so no rights.
Octal notation is commonly used with chmod.
Resolution
Permission resolution
Unix decides which triad applies in this order:
if the user is the file owner, use owner permissions;
otherwise, if the user belongs to the file group, use group permissions;
otherwise, use other permissions.
If the user is both the owner and a member of the file group, owner permissions apply, even when group permissions would be less restrictive.
Processes also have real, effective, and saved group IDs, used analogously for group-based checks.
The RUID is normally inherited from the parent process. The EUID is also inherited unless the executed program has the setuid bit set.
Setuid and setgid
Delegation bits
The setuid and setgid bits implement controlled delegation for executable binary files.
If setuid is set, executing the file sets the process’s effective user ID to the file owner. If setgid is set, executing the file sets the process’s effective group ID to the file group.
On traditional Unix systems these bits have no effect on scripts, because old implementations that honoured them for scripts had race-condition problems.
In symbolic notation:
s in the owner execute position means setuid is set and the file is executable;
S in the owner execute position means setuid is set but the file is not executable;
s or S in the group execute position has the analogous meaning for setgid.
passwd
The file /etc/shadow can be read and modified only by root:
Ordinary users still need to change their own passwords. The program /usr/bin/passwd is owned by root and has the setuid bit set:
-rwsr-xr-x 1 root root 45604 May 10 15:24 /usr/bin/passwd
When a user executes passwd, the program runs with root privileges. The program is designed to allow ordinary users to change only their own password, while root can change any user’s password.
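Pulling the symbolic and octal notation, the setuid/setgid/sticky characters, and the owner-group-other resolution order together, here is an added example (not part of the original notes). It parses the nine permission characters of an ls -l line into a mode and decides which triad applies to a given caller; the listing line and the user/group IDs in it are constructed sample values.

```python
import stat

def parse_symbolic(perms):
    """Turn the nine permission characters of an ls -l listing (e.g. 'rwsr-xr-x')
    into a numeric mode, including the setuid, setgid and sticky bits."""
    if len(perms) != 9:
        raise ValueError("expected nine permission characters, got %r" % perms)
    mode = 0
    for triad in range(3):                       # 0 = owner, 1 = group, 2 = other
        r, w, x = perms[3 * triad:3 * triad + 3]
        shift = 6 - 3 * triad
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in "xst":                           # lowercase: the execute bit itself is set
            mode |= 1 << shift
        if x in "sS" and triad == 0:             # s/S in the owner position: setuid
            mode |= stat.S_ISUID
        if x in "sS" and triad == 1:             # s/S in the group position: setgid
            mode |= stat.S_ISGID
        if x in "tT" and triad == 2:             # t/T in the other position: sticky bit
            mode |= stat.S_ISVTX
    return mode

def to_octal(mode):
    """Format a mode the way chmod accepts it, e.g. 0o4755 -> '4755'."""
    return format(mode & 0o7777, "o")

def effective_rights(mode, owner_uid, owner_gid, uid, gids):
    """Resolve the triad in the order given in the text: owner if uid matches, else group
    if the file group is among the caller's groups, else other. The owner triad wins
    even when the group triad would grant more."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    triad = (mode >> shift) & 0o7
    return {name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if triad & bit}

def parse_ls_line(line):
    """Split one ls -l line into (mode, owner, group, name)."""
    fields = line.split(None, 8)                 # the name is everything after 8 fields
    return parse_symbolic(fields[0][1:10]), fields[2], fields[3], fields[8]

# Constructed sample in the style of the passwd listing above.
SAMPLE = "-rwsr-xr-x 1 root root 45604 May 10 15:24 /usr/bin/passwd"
```

Running `to_octal(parse_ls_line(SAMPLE)[0])` gives "4755", the chmod form of -rwsr-xr-x.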
Changing user IDs
Processes can inspect their user IDs with system calls such as getuid, geteuid, and getresuid.
They can also change user IDs:
seteuid(newId) changes the effective user ID;
for privileged processes, newId may be any user ID;
for unprivileged processes, newId must be the current RUID, EUID, or SUID;
setuid(newId) is similar, but for privileged processes it also changes the real and saved user IDs.
Once a privileged process drops root privileges with setuid, it cannot reacquire them through the saved ID. Similar calls exist for group IDs, such as getgid, setgid, and setegid.
Directory permissions
Files and directories
The meaning of a permission bit depends on whether it is applied to a file or a directory.
Bit      File meaning                                   Directory meaning
r        file can be read                               directory contents can be listed
w        file can be modified                           entries can be created, deleted, or renamed if x is also set
x        file can be executed                           directory can be traversed
s or S   binary executes with owner or group privileges on the group triad, new entries inherit the directory group
t        ignored on ordinary files                      sticky bit: entries may be deleted or renamed only by root, the directory owner, or the file owner
Examples
ls -l
Consider this output:
-rwxr-x--- 1 mauro sp 43416 Sep 5 2019 foo
The file foo is owned by user mauro and group sp. Its permissions are rwxr-x---.
Therefore:
mauro has read, write, and execute rights;
a user in group sp, but not mauro, has read and execute rights;