Access protection for files and directories is implemented with the following protection mechanisms in POSIX:
User IDs
Passwords for user IDs
Combining user IDs for groups
Permission bits for files and directories
These protection mechanisms prevent a user from reading and modifying the files and directories of another user without authorization.
Access protection by user ID, password and group number
Anyone who wishes to use POSIX must have a user ID created by the BS2000 system administrator on the corresponding BS2000 computer. Users themselves can define or change a password in order to protect their user IDs against unauthorized access.
See also section “Access protection for access via remote computer”.
Users can be combined to form groups. Consequently, files and directories can be made accessible to all members of a given group. For this purpose, the system administrator must allocate a group number to every user. Users with the same group number belong to the same group (see section “Administering BS2000 and POSIX groups”).
Access protection with permission bits
Each file and directory is automatically assigned permission bits and the user and group number of the generating process when it is created. These permission bits are preset as a default for specific accesses. Permission bits are available for the following three user classes:
owner of the file
group to which the owner belongs
other
Each of these user classes has one permission bit for read permission (read), write permission (write) and execute permission (execute).
Example
Owner: |
|
Group: |
|
Other: |
|
The permission bits apply exclusively to their user class. If, for example, only the owner has access permission for a file, neither the user class group nor the user class others may work with this file.
Access permissions have different meanings for files and directories:
Access permission | File | Directory |
read | read | Read entries |
write | write | Delete/create entries (files) |
execute | execute | Execute/scan |
Before the first permission bit for the owner, there is an identifier, which is assigned automatically. It has the following meaning:
- | file |
b | block-oriented device |
c | character-oriented device |
d | directory |
| symbolic link |
The permission bits can be modified by means of the POSIX command chmod. A user with the user number 0 can modify the permission bits of all files and directories, whereas the owner can only modify his/her own files and directories. Even if someone from the user class group or other has full access rights to a file or directory, he/she cannot change the permission bits.
The permission bits for the user class group are assigned in accordance with the group membership of the owner. When creating a new file, the group number and thus the group membership of the current directory is accepted.
The currently valid permission bit mask can be output or modified by means of the POSIX command umask. This permission bit mask determines which access rights the files and directories which you can now create in the current shell or in one of your subshells are to receive.
If you modify the permission bit mask using umask, this modification is valid either until you define a new value with umask or until you terminate the shell in which you called umask.
POSIX administrators can define the value of the permission bit mask by means of umask in the /etc/profile file. Since the /etc/profile file is executed by every login shell, the defined access rights are valid for every user logged onto the system.
For further information on the POSIX commands chmod and umask, please refer to the "POSIX Commands" [1] manual.