0

Might be a duplicate of (Are file permissions set in Unix/Linux effective in Windows or Any other OS?) but...

Let's assume we have a file (preferably in Linux/Unix OS but I believe this applies to Windows as well).

I understand that file permissions are kept within the file itself, written ultimately on some of its bits.

Now let's assume I have set a file read-only (chmod 744). When another user connected on my "host" OS opens it and tries to write to it, does the OS check the file's permission info (the actual bits in it) and decide what to do next?

If so, would a "customized" OS prevented from doing these checks be able to actually access it?

0

3 Answers

1

I understand that file permissions are kept within the file itself, written ultimately on some of its bits.

They are not. File permissions, like ownership and permissions to read, write or execute for owner, group and others, are not part of the file but of the file system. This is also true for the name of the file. The permissions are not implicitly transferred if the file is transferred; instead, the application doing these operations must make specific efforts to transfer this meta information too.

This meta information about the file is interpreted by the file system layer in the OS and is only enforced by the OS. Thus it can be bypassed by using a modified OS or sometimes even by mounting the file system with special options.

If you really want to protect the contents of a file then you need to encrypt it.

2
  • This isn't technically correct either. A file can only truly be "moved" on the same file system. That does not require special effort to preserve permissions. If a program wishes to move a file outside of the file system, it has to copy and delete the original. Commented Feb 18, 2019 at 10:14
  • @PhilipCouling: you are technically correct if you see "move" as rename or link within the same file system and not as copy to new system and delete from old one. I've changed the answer to talk only about "transfer" then, to make it clearer that the contents of the file actually get moved to some other place. Commented Feb 18, 2019 at 10:17
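As an added example (not part of the original answers), this Python sketch shows the answer's point on a POSIX system: the mode bits live in the inode metadata returned by `stat`, changing them leaves the file's bytes untouched, and a content-only copy does not carry them along. The file names, the sample content and the fixed umask of 022 are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Permission bits as stored in the inode (file system metadata)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def digest(path):
    """SHA-256 of the file's content bytes only."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def demo():
    old_umask = os.umask(0o022)  # assumed umask, so new files default to 0o644
    try:
        with tempfile.TemporaryDirectory() as tmp:
            src = os.path.join(tmp, "report.txt")  # constructed sample file
            with open(src, "w") as fh:
                fh.write("constructed sample content\n")
            content_before, inode_before = digest(src), os.stat(src).st_ino

            os.chmod(src, 0o744)  # the mode from the question
            result = {
                "content_unchanged": digest(src) == content_before,
                "same_inode": os.stat(src).st_ino == inode_before,
                "src_mode": oct(mode_of(src)),
            }

            # copyfile() transfers bytes only: the new inode gets default bits.
            bare = shutil.copyfile(src, os.path.join(tmp, "bytes_only.txt"))
            # copy2() makes the extra effort of copying mode and timestamps.
            kept = shutil.copy2(src, os.path.join(tmp, "with_metadata.txt"))
            result["bytes_only_mode"] = oct(mode_of(bare))
            result["with_metadata_mode"] = oct(mode_of(kept))
            result["copies_identical"] = digest(bare) == digest(kept) == content_before
            return result
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both copies hold identical bytes, yet only the one made with `copy2()` ends up with mode 744, because the permissions were never in the content to begin with.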
0

Yes, it is only the operating system enforcing file permissions.

Remember that the physical disk drive just gives the operating system one big block of memory to read and write to. It's the job of the operating system to break this big block into separate files. Logically, any permissions on a file are then only enforced by the operating system.

If you unplug a disk and put it in another machine, it can do anything it likes with it. It can completely ignore all file permissions. Actually it's pretty easy to mount a disk in Linux so that the actual permissions are ignored.

That is why the only way to secure a disk is to encrypt it. With encryption you can prevent another machine understanding what is written on the disk entirely and therefore prevent another machine from changing the contents (except wiping it and starting again).


I understand that file permissions are kept within the file itself, written ultimately on some of its bits.

This isn't technically true. They are stored in the metadata for a file, not its content. But you have the right idea: permissions are packaged with a file on the same file system, not controlled elsewhere.

0

The OS ultimately decides whether access controls are enforced. For network file systems, the server typically enforces permissions.

If the file system is on a local disk the OS has full access to, the running OS can do whatever it wants regarding permissions. In the extreme case, by writing directly to the raw device instead of accessing the file via the file system.

If the file is on a remote file system, the server usually enforces access controls. Even if the client decided to ignore known permissions (for example by trying to write to a read-only file), the server can decide not to perform that operation and return an error instead.
