Next: About this document ... Up: Access Control Previous: Attribute-based access control (ABAC)
An Inode contains control structires with key informatin needed for a particular file.
Directories are structured in a hierarchical tree, each may contain file / subdirectories, and pointers to associated inodes.
Each object has 12 protection bits attached to it, the first three for a single user designated as the owner, the second set for the group, and the third for others. The remaining 3 bits are for other flags, which are often not used and as such most commonly set to 0. The owner, group ID, and protection bits are part of the file's inode.
SetUID, and SetGID, these flags allow the system to temporarily use the rights of the file owner / group in addition to the real user's rightrs. This enables privilged programs to access files / resources which are not generally accessible.
The sticky bit is applied to a directory, it specifies that only the owner of any file in the directory can rename, move, or delete that file.
The superuser however is exempt from access control restrictions and has system-wide access.
An Access Control List assigns a list of user IDs and groups to a file, each with their own set of protection bits. A file does not necessarily need to have an ACL, and an additional protection bit must be included to indicate whether the file has an extended ACL.