Maintaining system security

Discretionary access control (DAC): permission bits

In the first field of the ls -l output, the first character indicates the type of file:

The next nine characters are interpreted as three sets of three bits each.

Within each set, the three characters show, respectively, permission

For a directory, ``execute'' permission is interpreted to mean permission to search the directory for a specified file.

One additional character may appear at the end of the permission bit characters. A plus sign (+) is displayed to show that additional access permissions, beyond those shown by the three sets of three bits, have been granted or denied through the ACL mechanism. ACLs and their relation to permission bits are discussed in ``Discretionary access control (DAC): access control lists''.

The permissions are displayed by ls as follows:

Symbol   Meaning
r        file is readable
w        file is writable
x        file is executable
--       no permission
l        mandatory locking will occur during access (setgid bit is on and the group execution bit off)
s        setuid or setgid bit is on and the corresponding user or group execution bit is also on
S        setuid bit is on and the user execution bit is off
t        sticky and execution bits for other are on
T        sticky bit is turned on, and the execution bit for other is off

File access permissions

Symbol   Meaning
r        directory is readable
w        directory is writable
x        directory is searchable
t        file removal from a writable directory is limited to the owner of the directory or file unless the file is writable

Directory access permissions
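
The symbol tables above can be applied mechanically when reviewing a file listing. The following Python code is an added example, not part of the SCO documentation: it decodes the permission field into mode bits using only the symbols listed on this page and reports the settings an audit would look at. The function names decode_mode and review are hypothetical, and the sample fields are constructed.

```python
# Added example (not from the SCO documentation): decode the permission field
# of an `ls -l` line with the symbol tables above. Names are hypothetical.
SPECIAL = (0o4000, 0o2000, 0o1000)      # setuid, setgid, sticky
ALLOWED = ("-xsS", "-xsl", "-xtT")      # third character allowed in user, group, other
# Third character of a set -> (execute bit on, special bit on)
THIRD = {"-": (0, 0), "x": (1, 0), "s": (1, 1), "S": (0, 1),
         "l": (0, 1), "t": (1, 1), "T": (0, 1)}


def decode_mode(field):
    """Return (type_char, mode_bits, has_acl) for a field such as '-rwsr-xr-x+'."""
    has_acl = field.endswith("+")        # trailing + : ACL entries also apply
    body = field[:-1] if has_acl else field
    if len(body) != 10:
        raise ValueError("expected a type character and nine permission characters")
    mode = 0
    for i in range(3):                   # 0 = user, 1 = group, 2 = other
        r, w, x = body[1 + 3 * i:4 + 3 * i]
        if r not in "r-" or w not in "w-" or x not in ALLOWED[i]:
            raise ValueError(f"unexpected symbols {r}{w}{x} in set {i}")
        exec_on, special_on = THIRD[x]
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0) | exec_on
        mode |= bits << (6 - 3 * i)
        if special_on:
            mode |= SPECIAL[i]
    return body[0], mode, has_acl


def review(field):
    """List the properties of a mode field that deserve a second look in an audit."""
    ftype, mode, has_acl = decode_mode(field)
    notes = []
    if mode & 0o4000:
        notes.append("setuid")
    if mode & 0o2000:
        notes.append("mandatory locking" if field[6] == "l" else "setgid")
    if mode & 0o002 and not mode & 0o1000:
        notes.append("writable by other without sticky bit")
    if has_acl:
        notes.append("ACL present: permission bits are not the whole picture")
    return notes


if __name__ == "__main__":
    for sample in ("-rwsr-xr-x", "drwxrwxrwt", "-rw-r-lr--", "drwxrwxrwx+"):  # constructed
        print(sample, oct(decode_mode(sample)[1]), review(sample))
```

The decoder rejects any symbol that the tables do not list for that position, so a field it cannot explain raises an error instead of being silently misread.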

For more information, refer to ls(C), chmod(C), getacl(C), setacl(C), and ``Discretionary access control (DAC): access control lists''.


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005