Linux File Permissions & Access Control Query

Let's say I am user bob in group users. There's this file:

-rw----r--  1 root users     4 May  8 22:34 testfile

First question:
Why can't bob read the file as it's readable by others? Is it simply that if you are denied by group, then you are auto-blacklisted for others? I always assumed that the final 3 bits took precedence over user/group permission bits, guess I was wrong...

Second question:
How is this implemented? I suppose it's linked to the first query, but how does this work in relation to Access Control, is it related to how ACLs work / are queried? Just trying to understand how these 9 permission bits are actually implemented/used in Linux.

Thanks a lot.


The answer is that the most specific permission which applies to a user takes precedence.

  • User bits govern if they apply to the user requesting access.
  • Group bits apply if the user is not the owner but is in the group.
  • Other bits apply only if the first two sets do not.

So it's not the union of the permissions but rather a precedence from specific to generic.


Quite simply we have to break up the permissions into 3 chunks.

  1. Owner: rw-

  2. Group (users): ---

  3. Everyone: r--

To the owner we grant read and write access. To the group we explicitly provide no access. To everyone we provide read access.

The problem here is that you have explicitly denied the users of the group the file belongs to (group: users) access in any form to the file. In Linux these permissions aren't part of a hierarchy; it is a flat structure here. You need to change your permissions to rw-r--r-- for everybody including your "users" group to read the file.
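The owner/group/other selection that both answers describe, as an added example (not code from either answer): a small Python emulation of the classic mode-bit check, run against the `-rw----r--` file from the question. The uids and gids (root=0, group users=100, bob=1000, alice=1001) are constructed values, and the emulation ignores ACLs and capabilities such as root's override.

```python
import stat

# Map each position of the 9-character rwx string to its mode bit.
_SYMBOLIC = "rwxrwxrwx"
_WANT = {"r": 4, "w": 2, "x": 1}


def parse_symbolic(perm: str) -> int:
    """Convert an ls -l style string (type char optional) to numeric mode bits.

    Only '-', 'r', 'w', 'x' are handled; setuid/setgid/sticky markers are rejected.
    """
    s = perm[-9:]
    if len(s) != 9:
        raise ValueError("need 9 permission characters")
    mode = 0
    for i, ch in enumerate(s):
        if ch == _SYMBOLIC[i]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unsupported permission char {ch!r}")
    return mode


def check_access(mode: int, owner_uid: int, owner_gid: int,
                 uid: int, gids: set, want: str) -> bool:
    """Emulate the kernel's mode-bit decision: pick exactly ONE triplet.

    The triplet is chosen by identity (owner, then group member, then other)
    and the other two triplets are never consulted, so there is no union.
    """
    if uid == owner_uid:
        shift = 6          # owner bits, even if they are more restrictive
    elif owner_gid in gids:
        shift = 3          # group bits, even if 'other' would allow more
    else:
        shift = 0          # other bits
    triplet = (mode & 0o777) >> shift & 0o7
    need = 0
    for c in want:
        need |= _WANT[c]
    return triplet & need == need


if __name__ == "__main__":
    mode = parse_symbolic("-rw----r--")       # file from the question, 0o604
    print(f"mode {stat.filemode(mode)} = {oct(mode)}")
    print("bob   (in users) read:", check_access(mode, 0, 100, 1000, {100}, "r"))
    print("alice (not in users) read:", check_access(mode, 0, 100, 1001, {1001}, "r"))
    fixed = parse_symbolic("rw-r--r--")       # the chmod suggested in the second answer
    print("bob after chmod 644 read:", check_access(fixed, 0, 100, 1000, {100}, "r"))
```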