More info on Unix permissions.

(This used to be commit f8762d3308e142dbd5462be876df5a3e400c763d)

1 files changed, 99 insertions, 1 deletions

diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml
index f7445bdb4a..16057411e2 100644
--- a/docs/docbook/projdoc/AccessControls.xml
+++ b/docs/docbook/projdoc/AccessControls.xml
@@ -261,7 +261,105 @@ at how Samba helps to bridge the differences.
 	<title>File and Directory Access Control</title>
 
 	<para>
-	Explain the anatomy of a directory listing, permissions and what they mean.
+	The network administrator is strongly advised to read foundational training manuals and reference materials
+	regarding file and directory permissions maintenance. Much can be achieved with the basic Unix permissions
+	without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended
+	Attributes (EAs).
+	</para>
+
+	<para>
+	Unix/Linux file and directory access permissions invloves setting three (3) primary sets of data and one (1) control set.
+	A Unix file listing looks as follows:-
+
+	<programlisting>
+	jht@frodo:~/stuff> ls -la
+	total 632
+	drwxr-xr-x   13 jht   users      816 2003-05-12 22:56 .
+	drwxr-xr-x   37 jht   users     3800 2003-05-12 22:29 ..
+	d---------    2 jht   users       48 2003-05-12 22:29 muchado00
+	d--x--x--x    2 jht   users       48 2003-05-12 22:29 muchado01
+	dr-xr-xr-x    2 jht   users       48 2003-05-12 22:29 muchado02
+	drwxrwxrwx    2 jht   users       48 2003-05-12 22:29 muchado03
+	drw-rw-rw-    2 jht   users       48 2003-05-12 22:29 muchado04
+	d-w--w--w-    2 jht   users       48 2003-05-12 22:29 muchado05
+	dr--r--r--    2 jht   users       48 2003-05-12 22:29 muchado06
+	drwxrwxrwt    2 jht   users       48 2003-05-12 22:29 muchado07
+	drwsrwsrwx    2 jht   users       48 2003-05-12 22:29 muchado08
+	----------    1 jht   users     1242 2003-05-12 22:31 mydata00.lst
+	---x--x--x    1 jht   users     1674 2003-05-12 22:33 mydata01.lst
+	--w--w--w-    1 jht   users     7754 2003-05-12 22:33 mydata02.lst
+	--wx-wx-wx    1 jht   users   260179 2003-05-12 22:33 mydata03.lst
+	-r--r--r--    1 jht   users    21017 2003-05-12 22:32 mydata04.lst
+	-r-xr-xr-x    1 jht   users   206339 2003-05-12 22:32 mydata05.lst
+	-rw-rw-rw-    1 jht   users    41105 2003-05-12 22:32 mydata06.lst
+	-rwxrwxrwx    1 jht   users    19312 2003-05-12 22:32 mydata07.lst
+	jht@frodo:~/stuff>
+	</programlisting>
+	</para>
+
+	<para>
+	The columns above represent (from left to right): permissions, no blocks used, owner, group, size (bytes), access date, access time, file name.
+	</para>
+
+	<para>
+	The permissions field is made up of:
+
+	<programlisting>
+	[ type  ] [ users ] [ group ] [ others ]   [File, Directory Permissions]
+	[ d | l ] [ r w x ] [ r w x ] [ r w x  ]
+	  |   |     | | |     | | |     | | |
+	  |   |     | | |     | | |     | | |-----> Can Execute, List files
+	  |   |     | | |     | | |     | |-------> Can Write,   Create files
+	  |   |     | | |     | | |     |---------> Can Read,    Read files
+	  |   |     | | |     | | |---------------> Can Execute, List files
+	  |   |     | | |     | |-----------------> Can Write,   Create files
+	  |   |     | | |     |-------------------> Can Read,    Read files
+	  |   |     | | |-------------------------> Can Execute, List files
+	  |   |     | |---------------------------> Can Write,   Create files
+	  |   |     |-----------------------------> Can Read,    Read files
+	  |   |-----------------------------------> Is a symbolic Link
+	  |---------------------------------------> Is a directory
+	</programlisting>
+	</para>
+
+	<para>
+	Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
+	<programlisting>
+	<title>Example File</title>
+		-rwxr-x---   Means: The owner (user) can read, write, execute
+		                    the group can read and execute
+		                    everyone else can NOT do anything with it
+	</programlisting>
+	</para>
+
+	<para>
+	Additional posibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
+	</para>
+
+	<para>
+	The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r
+	execute  only  if  the  file  is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
+	sticky (t).
+	</para>
+
+	<para>
+	When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner. 
+	Without the sticky  bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
+	directories, such as /tmp, that are world-writable.
+	</para>
+
+	<para>
+	When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or
+	group whose 'set user or group' bit is set. This can be very helpful in setting up directories that for which it is desired that
+	all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file
+	to be exclusively owned by a user who's primary group is not the group that all such users belong to.
+	</para>
+
+	<para>
+	When a directory is set <command>drw-r-----</command> this means that the owner can read and create (write) files in it, but because
+	the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the
+	directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
+	group members will be able to write to (or delete) them.
 	</para>
 
 	</sect2>