Permissions Based on Lowest Level

My user account, samjaques, belongs to a group sams. I have two folders, both in the sams group. Folder 1 is owned by root, Folder 2 by samjaques. Both have permissions set as ---rwx---. From the terminal (running as samjaques and sams), I can only open Folder 1 but not Folder 2 (Folder 2 gives Permission denied).



My guess is that the system is checking permissions of the user, then the group, then other, and denies permission if the user is denied without checking the group. Is this the expected behaviour, and is there a reason for it?



In general, is it pointless/bad practice to have group permissions higher than user permissions?
















      asked 2 days ago









      Sam Jaques





















1 Answer










Yes, if the EUID of the accessing process matches the owning user, only the user permissions are checked. If not, but the process's GIDs match the owning group, then the group permissions are checked. Otherwise the "other" permissions are used. The ball stops at the first identity that matches.

It doesn't make much sense for the user to have less access than the group, since usually the owning user could just change the permissions and give themselves whatever access they like (barring stuff like SELinux etc.).

But in the case of group vs others, it can sort of make sense: you can deny access to a particular group, while allowing it to everyone else. E.g. for a file owned by someuser:somegroup, with permissions rw----r--, members of somegroup can't access it, but anyone not a member of somegroup can read the file.

















                answered 2 days ago









                ilkkachu
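
The check order described in the answer above, modelled as an added example (not part of the original post). The numeric UIDs and GIDs are constructed, and the model assumes plain mode bits only: root or capability bypass, ACLs and SELinux are not modelled.

```python
import os
import tempfile

def applicable_class(owner_uid, owner_gid, euid, gids):
    """Pick the single permission triplet that is consulted: first match wins."""
    if euid == owner_uid:
        return "user"
    if owner_gid in gids:  # gids = effective GID plus supplementary groups
        return "group"
    return "other"

def allowed(mode, owner_uid, owner_gid, euid, gids, want):
    """want is a subset of 'rwx'; only the matching class's bits are checked."""
    cls = applicable_class(owner_uid, owner_gid, euid, gids)
    bits = (mode >> {"user": 6, "group": 3, "other": 0}[cls]) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need

# Constructed IDs standing in for root, samjaques and the sams group.
ROOT, SAMJAQUES, SAMS = 0, 1000, 1001

def question_scenario():
    """Both folders are ---rwx--- (0070) with group sams; only the owner differs."""
    mode = 0o070
    folder1 = allowed(mode, ROOT, SAMS, SAMJAQUES, {SAMS}, "rx")       # group bits apply
    folder2 = allowed(mode, SAMJAQUES, SAMS, SAMJAQUES, {SAMS}, "rx")  # user bits apply
    return folder1, folder2

def real_check():
    """Reproduce Folder 2 on a real directory owned by the caller.

    Returns False when listing is denied, None when run as root (root bypasses
    the mode bits, so the result would say nothing about the check order).
    """
    if os.geteuid() == 0:
        return None
    with tempfile.TemporaryDirectory() as parent:
        d = os.path.join(parent, "folder2")
        os.mkdir(d)
        os.chmod(d, 0o070)
        try:
            os.listdir(d)
            return True
        except PermissionError:
            return False
        finally:
            os.chmod(d, 0o700)  # restore access so cleanup can remove it
```

When auditing a tree, a mode whose group or other bits exceed the owner bits is worth flagging, since the owner is denied by the mode but can still `chmod` the file.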
