Access Permissions
Lesson 4 Basic access permissions
Objective: Describe the three levels of access control and the three types of access.

Describe Three Levels of Access Control

In the Unix operating system, access to a file or other resource is based on permissions that are given or removed at the owner, group, and other levels. Every file and directory (and, as usual, every other resource managed through the file mechanism) has a basic set of 9 access permission bits, each of which can be true or false. For each level of access control (user, group, other), the 3 bits correspond to three permission types. For regular files, these 3 bits control read access, write access, and execute permission. For directories and other file types, the 3 bits have slightly different interpretations.

Unix Access Permission Bits: Read, Write, Execute

Permission bits are a crucial part of access control on a Unix system, since they determine who may read, change, and run files and directories. Unix keeps three sets of three permission bits for every file or directory: one set each for the owner, the group, and all other users. These bits are central to the security, integrity, and privacy of data on Unix systems. The following points describe what each of the three bits grants:
  1. Read (r): The read permission bit determines whether a user or group can read the contents of a file or list the contents of a directory. Granting the read permission is necessary to allow users to view and open files, while restricting read access can protect sensitive data from unauthorized access.
  2. Write (w): The write permission bit controls the ability to modify a file's content or create, rename, or delete files within a directory. Write permissions are essential for enabling users to create, edit, and delete files, but should be carefully managed to prevent unauthorized modification or deletion of critical data.
  3. Execute (x): The execute permission bit governs the ability to execute a file as a program or script or access the contents of a directory. For executable files, this permission is necessary to allow users to run programs or scripts. In the case of directories, the execute permission allows users to traverse the directory structure and access subdirectories, even if they cannot list the directory contents.

Permission bits are typically represented using a combination of the letters 'r', 'w', and 'x' for each category of user (owner, group, and others). For example, a file with the permission string '-rwxr-xr--' indicates that the owner has read, write, and execute permissions, the group has read and execute permissions, and others have only read permission. The importance of permission bits in access control primitives on a Unix system can be summarized as follows:
  1. Security: Permission bits are vital for maintaining the security of a Unix system by restricting unauthorized access to sensitive data and preventing accidental or malicious modification of critical files.
  2. Data Integrity: By controlling write access, permission bits help maintain data integrity by preventing unauthorized users from modifying files, which could result in data corruption or loss.
  3. Privacy: Read permissions enable administrators to protect the privacy of users' personal data by restricting access to specific files and directories.
  4. System Stability: Execute permissions allow administrators to control which users can run executable files or scripts, ensuring that only authorized users can execute programs and preventing potential system instability caused by unauthorized execution.

In conclusion, permission bits are an essential aspect of access control primitives on a Unix system, serving to maintain security, data integrity, privacy, and system stability by granting or restricting access to files and directories based on user and group permissions.

Meaning of Access Permission bits

The permission bits have the following significance for files:
  1. Read (r) permission means that the file contents may be read.
  2. Write (w) permission means that the file contents may be altered (so that, for example, the file may be appended to, overwritten, or truncated). Note that deleting a file involves write permission on the directory, not the file itself.
  3. Execute (x) permission means that the file may be loaded and executed (assuming that it is a program file).

The permission bits have the following significance for directories:
  1. Read (r) permission means that the directory contents may be read from the disk. Therefore, the filenames in the directory can be listed.
  2. Write (w) permission means that the directory may be altered. In particular, you can create files in the directory, delete files from it, or rename files in it. Deleting or renaming requires write (together with execute) permission on the directory; the permission bits of the file being removed play no part.
  3. Execute (x) permission means you can make this directory your current directory. More important, execute permission means that you can search the directory, that is, look up a name in it to reach the file or subdirectory behind that name. You cannot access a directory at all unless you have execute permission for every directory higher in its path. With read permission but without execute permission on a directory, you can list only the filenames in it; you cannot open those files or read their attributes.


Octal digit and its meaning for one permission class (owner, group, or other) of a file

Octal   r w x   Meaning
0       0 0 0   No permission
1       0 0 1   Execute permission only, no read and write permissions
2       0 1 0   Write permission only, no read and execute permissions
3       0 1 1   Write and execute permissions, no read permission
4       1 0 0   Read permission only, no write and execute permissions
5       1 0 1   Read and execute permissions, no write permission
6       1 1 0   Read and write permissions, no execute permission
7       1 1 1   Read, write and execute permissions

A full mode is written as three such digits for the user, group, and other classes in that order, so the access mode -rwxr-xr-- corresponds to the octal mode 754.

The ls –l command output shows the state of the permission bits for files and directories. The permission bits are listed as a file type, followed by three blocks of three letters. The first block represents the user permission bits, the second block represents the group permission bits, and the last block represents the other permission bits. These 9 characters are collectively referred to as the access mode.
  1. file type: The file type is the first character in the access mode column of the ls -l listing. The most common file types are - for a regular file and d for a directory.
  2. user permission: User permissions are the first set of read/write/execute permissions in an access mode. User permissions apply to the file owner.
  3. group permission: Group permissions are the second set of read/write/execute permissions in an access mode. Group permissions apply to users that are members of the file's group.
  4. other permission: Other permissions are the third set of read/write/execute permissions in an access mode. Other permissions apply to everyone besides the file owner and the group members.
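The relationship between the nine-character access mode that ls -l prints and the three-digit octal mode, as an added example that is not part of the original lesson. The parser and formatter below are written here for illustration; the cross-check against a real file uses the standard library's os.stat and stat.filemode, and the temporary file and its contents are constructed for the example. Only the nine basic rwx bits are handled; the s and t characters for set-user-ID, set-group-ID and sticky bits are rejected on purpose because this lesson does not cover them.

```python
"""Added example: convert between the ls -l access mode string and the
octal mode used by chmod, then cross-check against a real file."""
import os
import stat
import tempfile

CLASSES = ("user", "group", "other")
BITS = (("r", 4), ("w", 2), ("x", 1))


def parse_mode_string(mode: str) -> dict:
    """Parse a 10-character ls -l mode such as '-rwxr-xr--'.

    Returns the file type character, per-class rwx flags, and the
    equivalent octal number (e.g. 0o754 for '-rwxr-xr--').
    """
    if len(mode) != 10:
        raise ValueError("expected 10 characters, e.g. '-rwxr-xr--'")
    ftype, perms = mode[0], mode[1:]
    result = {"type": ftype, "octal": 0}
    for i, cls in enumerate(CLASSES):
        triple = perms[3 * i:3 * i + 3]
        value, flags = 0, {}
        for ch, (letter, weight) in zip(triple, BITS):
            if ch == letter:
                flags[letter] = True
                value |= weight
            elif ch == "-":
                flags[letter] = False
            else:
                # s/S/t/T (setuid, setgid, sticky) are outside this lesson.
                raise ValueError(f"unsupported character {ch!r} in {mode!r}")
        result[cls] = flags
        result["octal"] = (result["octal"] << 3) | value
    return result


def format_mode(octal: int, is_dir: bool = False) -> str:
    """Inverse of parse_mode_string for the nine basic bits."""
    out = "d" if is_dir else "-"
    for shift in (6, 3, 0):           # user, group, other
        value = (octal >> shift) & 0o7
        out += "".join(letter if value & weight else "-" for letter, weight in BITS)
    return out


def mode_of_path(path: str) -> str:
    """Read a real path's mode bits; same text ls -l prints in column one."""
    return stat.filemode(os.stat(path).st_mode)


def round_trip_on_real_file() -> bool:
    """Create a constructed temp file with mode 0640 and confirm that the
    kernel's view, the parser and the formatter all agree."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample file\n")
        os.chmod(path, 0o640)
        shown = mode_of_path(path)    # expected '-rw-r-----'
        return (parse_mode_string(shown)["octal"] == 0o640
                and format_mode(0o640) == shown)


if __name__ == "__main__":
    print(parse_mode_string("-rwxr-xr--"))
    print(format_mode(0o711, is_dir=True))
    print("round trip ok:", round_trip_on_real_file())
```

parse_mode_string rejects anything other than r, w, x and -, so a mode such as -rwsr-xr-x (set-user-ID) raises rather than being silently misread as plain execute; that is the safer failure for a checker that later feeds octal values into chmod.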

Permission Components

The following is an examination of the access mode displayed when the
ls -l
command is executed.
[Figure: Examination of the access mode displayed when the ls -l command is executed.]
  1. The file type - means this file is not a directory.
  2. The file has the read permission and write permission bits set for the owner. The execute bit is not set for the owner.
  3. The group has the read permission bit set, but not the write or execute bits.
  4. The other permission bits are set so that read is set for everyone else (excluding the owner and the group), but write and execute are not. Taken together, points 1 to 4 describe the access mode -rw-r--r--.
  5. This file (-rw-------) has read and write permissions set for the owner, and no other permissions set.
  6. This file (-rw-rw-r--) has read and write permissions set for the user and the group, but only read permission for everyone else.
  7. This file (drwx--x--x) is a directory, as indicated by the d in the first slot. It has read, write, and execute permissions set for the owner, and execute-only permission set for the group and everyone else.

chmod [options] mode files

Question: How can you change the access mode of one or more files?
Only the owner of a file or a privileged user may change its mode. A symbolic mode is built by concatenating characters from who, opcode, and permission: who is one or more of u (user, the file owner), g (group), o (other), or a (all three); opcode is + (add the permissions), - (remove them), or = (set the class to exactly these permissions); permission is some combination of r, w, and x. who is optional (if omitted, the default is a); choose only one opcode per clause. Several clauses may be joined with commas, for example u+x,g-w,o=r. The mode may instead be given as an octal number such as 754.
Common Options
  1. -f, --quiet, --silent
    Do not print error messages about files that cannot be changed.
  2. -R, --recursive
    Recursively change the mode of the named directories and of every file and subdirectory beneath them. On BSD systems, -H, -L, and -P control whether symbolic links are followed during that descent; when more than one is given, the last one takes effect. How symbolic links met during recursion are treated differs between implementations, so check the local chmod manual page before running a recursive change on a tree that contains links.
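The who/opcode/permission grammar described above, as an added example that is not the chmod program's own code. apply_symbolic is a small reimplementation of the symbolic-mode rules for the nine basic bits, and chmod_and_check validates it by running the system's real chmod command on a constructed temporary file and reading the result back with os.stat. Both function names, the sample file, and the starting modes are assumptions made for this example; real chmod additionally supports s, t, X and the u/g/o permission copies, which are left out here.

```python
"""Added example: apply chmod-style symbolic modes (who + opcode +
permission) to an octal mode and check the result against real chmod."""
import os
import stat
import subprocess
import tempfile

WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a comma-separated spec such as 'u+x,g-w,o=r' to mode.

    Only the nine basic rwx bits are handled. Note that real chmod, when
    who is omitted, also leaves bits set in the umask untouched for + and -;
    that refinement is deliberately not modelled here.
    """
    for clause in spec.split(","):
        i, who = 0, 0
        while i < len(clause) and clause[i] in WHO_MASK:
            who |= WHO_MASK[clause[i]]
            i += 1
        if who == 0:                    # who omitted: default is 'a'
            who = WHO_MASK["a"]
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"missing opcode in clause {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        bits = 0
        for letter in perms:
            if letter not in PERM_BITS:
                raise ValueError(f"unsupported permission {letter!r}")
            bits |= PERM_BITS[letter]
        bits &= who                     # restrict to the selected classes
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                           # '=': replace the class's bits exactly
            mode = (mode & ~who) | bits
    return mode & 0o777


def chmod_and_check(spec: str, start: int = 0o644) -> tuple:
    """Create a constructed temp file with mode start, run the real chmod
    command with spec, and return (our_prediction, kernel_result)."""
    predicted = apply_symbolic(start, spec)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "script.sh")   # assumed sample file name
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho constructed sample\n")
        os.chmod(path, start)
        subprocess.run(["chmod", spec, path], check=True)
        actual = stat.S_IMODE(os.stat(path).st_mode)
    return predicted, actual


if __name__ == "__main__":
    print(oct(apply_symbolic(0o644, "u+x,g-w,o=r")))
    print(tuple(map(oct, chmod_and_check("u+x,g-w,o=r", 0o664))))
```

The value of the round trip is the disagreement case: if apply_symbolic and the kernel ever differ, the reimplementation is wrong, not the kernel, which is the right default attitude when a deployment script computes modes itself rather than handing symbolic specs to chmod.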

When Permission is granted or denied

The permission bits are used in granting or denying access to the file or other resource. Requests for access come from processes[1], which we will discuss in a later module. As you will see, each process carries a user ID and a group ID (and, on modern systems, a list of supplementary groups). When the process requests access to a file, the operating system:
  1. Compares the owner of the file with the user ID of the process; if they agree, it checks that the desired permission is available at the user level. If the permission is not available, the system denies access.
  2. Only if the owners differ, checks whether the file's group matches the group ID of the process or one of its supplementary groups. If it does, it checks that the desired permission is available at the group level. If it is not, access is denied.
  3. Only if neither the owner nor the group matched, checks whether the desired permission is available at the other level. If it is not, the system denies access.
Exactly one of the three classes is consulted, and the decision made there is final: a file with mode 077 cannot be read by its own owner even though every other user on the system can read it. The superuser bypasses these checks (for execute permission, Linux still requires at least one execute bit to be set). For the balance of this module, you may assume that the permissions for file access are checked against your login ID and your default group, because commands you run from a shell execute under your user ID (set-user-ID programs, which run under another user's ID, are the exception).
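The three-step decision above, written out as a function and exercised on constructed files and processes; this is an added example, not code from the original lesson or from any kernel. The File and Process classes, the numeric IDs and the file modes are all assumptions made for the example, and the superuser branch is a simplified model of the Linux rule (read and write always allowed, execute only when some execute bit is set).

```python
"""Added example: the owner / group / other permission check, with the
case that surprises people: the owner is judged only by the owner bits."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1


@dataclass
class File:
    owner: int
    group: int
    mode: int                    # nine basic permission bits, e.g. 0o640


@dataclass
class Process:
    uid: int
    gid: int
    groups: frozenset = field(default_factory=frozenset)   # supplementary groups


def permitted(proc: Process, f: File, want: int) -> bool:
    """Return True if every bit in want (a combination of R, W, X) is granted.

    Exactly one class is consulted, chosen in the order owner, group, other,
    and a denial at that class is final even when a later class would have
    allowed the access.
    """
    if proc.uid == 0:
        # Assumed simplified root rule: everything but execute is always
        # allowed; execute needs at least one x bit somewhere in the mode.
        return (want & X) == 0 or (f.mode & 0o111) != 0
    if proc.uid == f.owner:
        shift = 6                                   # owner bits
    elif proc.gid == f.group or f.group in proc.groups:
        shift = 3                                   # group bits
    else:
        shift = 0                                   # other bits
    granted = (f.mode >> shift) & 0o7
    return (granted & want) == want


def demo() -> dict:
    """Constructed scenarios; every entry is expected to be True."""
    locked_out = File(owner=1000, group=1000, mode=0o077)  # owner has no bits
    shared = File(owner=1000, group=2000, mode=0o640)
    alice = Process(uid=1000, gid=1000)                    # owns both files
    bob = Process(uid=1001, gid=2000)                      # primary group 2000
    carol = Process(uid=1002, gid=3000, groups=frozenset({2000}))
    dave = Process(uid=1003, gid=3000)                     # matches nothing
    root = Process(uid=0, gid=0)
    return {
        "owner_denied_despite_other_bits": not permitted(alice, locked_out, R),
        "stranger_can_read_locked_out_file": permitted(dave, locked_out, R),
        "group_member_can_read": permitted(bob, shared, R),
        "supplementary_group_counts": permitted(carol, shared, R),
        "group_member_cannot_write": not permitted(bob, shared, W),
        "other_denied": not permitted(dave, shared, R),
        "root_reads_anything": permitted(root, shared, R | W),
        "root_execute_needs_some_x_bit": not permitted(root, shared, X),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:36s} {ok}")
```

The "owner_denied_despite_other_bits" entry is the one worth remembering when auditing: a mode such as 077 or 066 is not a harmless oddity, it locks the owner out while leaving the data exposed to everyone else, and no later class is consulted to rescue the owner.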

Basic Directory Access - Quiz

Click the Quiz link below to take a short multiple-choice quiz on access permissions.
Basic Directory Access - Quiz

[1]process: A UNIX process is a running program.
