Permissions Based on Lowest Level
My user account, samjaques, belongs to a group sams. I have two folders, both in the sams group. Folder 1 is owned by root, Folder 2 by samjaques. Both have permissions set as ---rwx---. From the terminal (running as samjaques and sams), I can only open Folder 1 but not Folder 2 (Folder 2 gives Permission denied).
My guess is that the system is checking permissions of the user, then the group, then other, and denies permission if the user is denied without checking the group. Is this the expected behaviour, and is there a reason for it?
In general, is it pointless/bad practice to have group permissions higher than user permissions?
permissions chmod
asked 2 days ago
Sam Jaques
1 Answer
accepted
Yes, if the EUID of the accessing process matches the owning user, only the user permissions are checked. If not, but the process's GIDs match the owning group, then the group permissions are checked. Otherwise the "other" permissions are used. The ball stops at the first identity that matches.
It doesn't make much sense for the user to have less access than the group, since usually the owning user could just change the permissions and give themselves whatever access they like. (barring stuff like SELinux etc.)
But in the case of group vs others, it can sort of make sense: you can deny access to a particular group, while allowing it to everyone else. E.g. for a file owned by someuser:somegroup, with permissions rw----r--, members of somegroup can't access it, but anyone not a member of somegroup can read the file.
answered 2 days ago
ilkkachu
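The first-match rule from the answer above, as an added example that is not part of the original question or answer: a small Python model of the check, applied to the two folders from the question. The numeric IDs are constructed stand-ins for root, samjaques and sams, and the model deliberately leaves out root's override, ACLs and security modules such as SELinux.

```python
import os
import stat

def parse_symbolic(perms):
    """Convert a 9-character string such as '---rwx---' into mode bits."""
    if len(perms) != 9:
        raise ValueError("expected 9 characters, e.g. 'rwxr-x---'")
    mode = 0
    for i, ch in enumerate(perms):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode

def applicable_class(mode, owner_uid, owner_gid, euid, gids):
    """Pick the one permission triplet that applies: first match wins."""
    if euid == owner_uid:
        return "user", (mode >> 6) & 7
    if owner_gid in gids:
        return "group", (mode >> 3) & 7
    return "other", mode & 7

def may_access(mode, owner_uid, owner_gid, euid, gids, want):
    """want is a mask of 4 (read), 2 (write), 1 (execute/search)."""
    _, bits = applicable_class(mode, owner_uid, owner_gid, euid, gids)
    return bits & want == want

def class_for_path(path):
    """Same decision for a real file and the current process's identity."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    return applicable_class(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            os.geteuid(), gids)

# Constructed IDs standing in for the question's accounts.
ROOT, SAMJAQUES, SAMS = 0, 1000, 1000
OPEN_DIR = 4 | 1  # listing and entering a directory needs r and x

if __name__ == "__main__":
    mode = parse_symbolic("---rwx---")
    for name, owner in (("Folder 1", ROOT), ("Folder 2", SAMJAQUES)):
        cls, bits = applicable_class(mode, owner, SAMS, SAMJAQUES, {SAMS})
        ok = may_access(mode, owner, SAMS, SAMJAQUES, {SAMS}, OPEN_DIR)
        print(f"{name}: class={cls} bits={bits:03b} open={ok}")
```

Running class_for_path on a real directory shows which triplet the current process falls under, which is the quickest way to spot an owner who is locked out by their own user bits.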