How Permissions Are Represented

Solaris™ Operating Environment Boot Camp
By David Rhodes, Dominic Butler
Chapter 4.  Permissions and All That


When users log in to a Solaris system, they enter a user name and a password. This mechanism establishes the user's identity and results in the user being awarded a specific user ID (UID) and a group ID (GID) as part of his or her credentials.

When we run the ls -l command in a directory containing files, we see that each file (or directory) also has a UID (the third column) and a GID (the fourth column):

    hydrogen# ls -l
    total 476
    drwxrwxr-x   5 adm    adm        512 Jul  7 17:47 acct
    -rw-------   1 uucp   bin          0 Jul  7 15:39 aculog
    -r--r--r--   1 root   root        28 Aug 22 21:52 lastlog
    drwxr-xr-x   2 adm    adm        512 Jul  7 15:38 log
    -rw-r--r--   1 root   root    101744 Aug 22 21:52 messages
    drwxr-xrwx   2 adm    adm        512 Jul  7 15:38 passwd
    drwxrwxr-x   2 adm    sys        512 Jul  7 17:47 sa
    drwxr-xr-x   2 root   sys        512 Jul  7 16:35 sm.bin
    drwxr-xr-x   2 root   sys        512 Jul  7 15:38 streams
    -rw-------   1 root   root       139 Aug 14 23:15 sulog
    -rw-r--r--   1 root   bin       3348 Aug 22 22:56 utmpx
    -rw-r--r--   1 adm    adm     103788 Aug 22 21:52 wtmpx
    hydrogen#

The left-most column of the above output shows the file's permissions. These permissions, along with both the file's and the user's credentials, specify what the user may do with that file.

The permissions themselves consist of a 10-character string; the first character actually represents the file type, so only the remaining nine are used to protect the file. This split is shown in Table 4.1.

Table 4.1. Permission Grouping

    File Type   Owner   Group   Other
    d           rwx     rwx     r-x
                rw-     ---     ---
                rwx     r-x     r--

The different file types are described in Chapter 6, "The Filesystem and Its Contents." The remaining nine characters are split into three columns of three characters each. Each column represents a class of user, and its three characters dictate what users belonging to that class may do with or to the file (or directory). The three classes are owner, group, and other. Within each class the three characters will normally be any of "r," "w," "x," or "-." The first position is for reading the file, the second for writing to it, and the third for executing the file. If any position contains a dash, that class of user may not perform that action.

The owner class, obviously, can only contain one user. The group class contains any user who belongs to the same group as the file, and the other class contains all users who do not belong to either of the first two classes.

If the file is a directory, it may also have the "x" permission set, but in this case it means that the users belonging to that class are able to change into that directory (using the cd command). It also means they may run other programs that could try to change into the directory (e.g., find).

The user root has permission to do anything to any file regardless of the actual permissions, apart from being able to execute files that do not have execute permissions. This is to prevent a text file that happens to contain the names of Solaris commands accidentally being interpreted by the shell as if it were a shell script.
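The rules above can be applied mechanically. The following is an added example, not code from the book: it splits a permission string into file type and the three classes, decides which class a user falls into, applies the root exception, and flags entries that the other class may write to. The user "alice" and group "staff" are hypothetical; the sample lines are copied from the listing earlier on this page, and only the characters "r," "w," "x," and "-" are accepted.

```python
from typing import NamedTuple

ACTIONS = "rwx"  # position 0 = read, 1 = write, 2 = execute (cd for a directory)

class Entry(NamedTuple):
    ftype: str  # first character of the string, e.g. "d"
    owner: str  # three characters per class
    group: str
    other: str
    uid: str    # third column of ls -l
    gid: str    # fourth column of ls -l
    name: str

def parse(line: str) -> Entry:
    """Split one ls -l line into file type, the three classes, UID, GID and name."""
    f = line.split()
    mode = f[0]
    # Accept only the characters the text describes, each in its own position.
    if len(mode) != 10 or any(c not in (a, "-") for c, a in zip(mode[1:], ACTIONS * 3)):
        raise ValueError(f"unexpected permission string: {mode!r}")
    return Entry(mode[0], mode[1:4], mode[4:7], mode[7:], f[2], f[3], f[-1])

def may(e: Entry, user: str, groups: set, action: str) -> bool:
    """True if user (a member of groups) may perform action "r", "w" or "x"."""
    if user == "root":
        # root skips the check, except for executing a file that has no "x"
        # (assumption: "no execute permissions" means no "x" in any class).
        if action == "x" and e.ftype != "d":
            return "x" in e.owner + e.group + e.other
        return True
    # Exactly one class applies: owner first, then group, otherwise other.
    bits = e.owner if user == e.uid else e.group if e.gid in groups else e.other
    return bits[ACTIONS.index(action)] != "-"

def writable_by_other(lines) -> list:
    """Names of entries whose "other" class has write permission."""
    return [e.name for e in map(parse, lines) if e.other[1] == "w"]

# Four lines copied from the listing on this page.
LISTING = [
    "drwxrwxr-x   5 adm    adm        512 Jul  7 17:47 acct",
    "-rw-------   1 uucp   bin          0 Jul  7 15:39 aculog",
    "drwxr-xrwx   2 adm    adm        512 Jul  7 15:38 passwd",
    "-rw-------   1 root   root       139 Aug 14 23:15 sulog",
]

if __name__ == "__main__":
    print(writable_by_other(LISTING))
    acct = parse(LISTING[0])
    print(may(acct, "alice", {"staff"}, "w"), may(acct, "alice", {"adm"}, "w"))
```

In the page's listing, only the passwd directory grants write permission to the other class, which is the kind of entry an administrator would want to review.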


    Solaris Operating Environment Boot Camp
    ISBN: 0130342874
    EAN: 2147483647
    Year: 2002
    Pages: 301
