To better understand the benefits of sudo(8), consider how Linux provides access security to the system resources. Linux is a multiuser system, which involves more than simply having a login(1) program. Every time a user attempts to access system resources, the system must ensure that the user is permitted to do so.
For this reason, Linux assigns each login user a set of credentials. Each user has a unique user-id, or UID, and also a group-id, or GID, which need not be unique. This UID:GID pair forms an important component of that user's credentials.
To gain access to a Linux system, you must prove your identity. While the system administrator decides the security policy for the machine, usually one or more password challenges must be answered. A credentialed user should know the answer to a question that only that user would know: What is the password?
This process of proving your identity to the system is known as authentication. Many schemes are available to the system administrator for performing authentication. Once the system authenticates your login request, the kernel has enough information to determine what programs you can run and what files you can access[2].
After a successful authentication the system uses your uid and gid to control your access to system resources.
Every system resource, whether an application program, directory, or file, has a unique filename. A filename (including the directory path) is a unique identifier for that system resource. The part of Linux that manages these named system resources is known as the file system.
In addition to the file content itself, the file system keeps extra information about every file. This metadata includes the file's size, disk block locations, and modification and access timestamps. You can see most of this metadata using the ls(1) program:
ls -l /bin/mail
-rwxr-xr-x 1 root mail 73588 Apr 4 07:03 /bin/mail
Example 1. Using ls(1) to examine file permissions
Consider two pieces of metadata for a file, its ownership and its access permissions. When a user creates a file, the user credentials are attached to the file, giving that user ownership of that file[3]. In our example, /bin/mail is owned by user root and group mail.
The created file also gets a set of file access permissions that describe who may access that file and what kind of access they can get. There are exactly three types of access: read, write, or execute. These are usually abbreviated as rwx. Permissions for a file which could be read, but neither written nor executed, would be written as r--. Remember, the notation is positional and order matters.
Files actually have three sets of permissions. One set is for the file owner, one set is for members of the owner's group, and one set is for everyone else, in that order.
Before a user accesses any file, including running an application program, the kernel must validate the attempt against the file system. It uses a simple but very powerful method to determine whether access should be granted or denied. This algorithm is shown below:
/* Select exactly one of the three permission sets for this user. */
if( u.uid == f.uid ) {
    rwx = perms.owner;          /* the user owns the file */
} else if( u.gid == f.gid ) {
    rwx = perms.group;          /* not the owner, but in the file's group */
} else {
    rwx = perms.world;          /* everyone else */
}
/* The chosen set alone decides; the other two are never consulted. */
if( !accessok( access_wanted, rwx ) ) {
    errno = EPERM;
    return( -1 );
}
do_access();
Example 2. Determining File Access
Assuming the following definitions:
u
    Represents the user credentials containing both the uid and gid.
f
    Represents the file ownership credentials, as shown by the ls -l command. Contains both the uid and gid values identifying the owner of the file.
perms
    The file access permissions for the file, including all three sets of permissions: owner, group and world.
The key point here is that, although there are three sets of file access permissions associated with the file, exactly one set is used to arbitrate the file access. Emphatically, the sets are not tried in sequence until the access is granted or we run out of sets: you get one and only one try at accessing the file.
If you are the owner of the file, the system uses the file owner permissions. If you are not the owner, but a member of the same group as the file, the system uses the group permissions. If you are neither of these, the system checks against the world permissions.
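The following C program is an added example, not code from the original article: it parses the 10-character mode field shown by ls(1) in Example 1 and then applies the Example 2 rule, selecting exactly one permission set and testing the wanted access against it. The uid/gid numbers (root=0, group mail=8, alice=1000/1000, and so on), the struct layout and the check_mode wrapper are constructed for illustration. The second file in main shows the "one and only one try" point: an owner holding r-- is refused write access even though group and world both hold rw-.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: the Example 2 arbitration rule applied to an ls -l mode
 * string. Names, uid/gid numbers and the struct layout are constructed
 * for illustration, not taken from any real system. */

enum { PERM_READ = 4, PERM_WRITE = 2, PERM_EXEC = 1 };

struct cred  { int uid; int gid; };              /* a user's or a file's credentials */
struct perms { int owner; int group; int world; };

/* Parse one positional triple such as "r-x" into a 3-bit mask.
 * Returns -1 for anything other than r/w/x in its own column or '-'
 * (the setuid/setgid/sticky letters are deliberately out of scope). */
static int parse_triple(const char *s)
{
    int bits = 0;
    if (s[0] == 'r') bits |= PERM_READ;  else if (s[0] != '-') return -1;
    if (s[1] == 'w') bits |= PERM_WRITE; else if (s[1] != '-') return -1;
    if (s[2] == 'x') bits |= PERM_EXEC;  else if (s[2] != '-') return -1;
    return bits;
}

/* Parse the 10-character mode field of an ls -l line, e.g. "-rwxr-xr-x":
 * one file-type character followed by the owner, group and world triples. */
static bool parse_mode(const char *mode, struct perms *p)
{
    if (strlen(mode) != 10) return false;
    p->owner = parse_triple(mode + 1);
    p->group = parse_triple(mode + 4);
    p->world = parse_triple(mode + 7);
    return p->owner >= 0 && p->group >= 0 && p->world >= 0;
}

/* Exactly one set is chosen; the other two are never consulted. */
static int select_set(const struct cred *u, const struct cred *f, const struct perms *p)
{
    if (u->uid == f->uid) return p->owner;
    if (u->gid == f->gid) return p->group;
    return p->world;
}

/* Every wanted bit must be present in the selected set. */
static bool access_ok(int wanted, int rwx)
{
    return (wanted & ~rwx) == 0;
}

/* Wrapper for callers: 1 = granted, 0 = denied, -1 = malformed mode string. */
int check_mode(const char *mode, int f_uid, int f_gid, int u_uid, int u_gid, int wanted)
{
    struct perms p;
    if (!parse_mode(mode, &p)) return -1;
    struct cred f = { f_uid, f_gid };
    struct cred u = { u_uid, u_gid };
    return access_ok(wanted, select_set(&u, &f, &p)) ? 1 : 0;
}

int main(void)
{
    /* Constructed ids: root=0, group mail=8, alice=1000/1000, a mail-group user=1001/8. */
    const char *mail = "-rwxr-xr-x";   /* the /bin/mail mode from Example 1 */
    printf("alice reads+execs /bin/mail:  %d\n", check_mode(mail, 0, 8, 1000, 1000, PERM_READ | PERM_EXEC));
    printf("alice writes /bin/mail:       %d\n", check_mode(mail, 0, 8, 1000, 1000, PERM_WRITE));
    printf("mail-group user writes it:    %d\n", check_mode(mail, 0, 8, 1001, 8, PERM_WRITE));

    /* The "one try only" rule: the owner holds r-- even though group and world hold rw-. */
    const char *odd = "-r--rw-rw-";
    printf("owner writes own r-- file:    %d\n", check_mode(odd, 1000, 1000, 1000, 1000, PERM_WRITE));
    printf("stranger writes same file:    %d\n", check_mode(odd, 1000, 1000, 1002, 2000, PERM_WRITE));
    return 0;
}
```

Two caveats when comparing this with a real kernel: the article's rule compares a single gid, whereas Linux also consults the process's supplementary groups when deciding whether the group set applies, and a process holding root's override capability bypasses these mode bits entirely. Neither changes the central point, that one set is selected and then tested on its own.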
[2] Actually, there is more to the authentication process than just a password challenge. The sysadmin can impose additional restrictions such as limiting the time of day when a given user may log in, or limiting logins to specific locations.
[3] The chown(1) program allows the ownership credentials to be changed.