Most modern file systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the users affected to view or make changes to the contents of the file system.

Differences between operating systems

Unix-like and otherwise POSIX-compliant systems, including Linux-based systems and all Mac OS X versions, have a simple system for managing individual file permissions, which in this article are called "traditional Unix permissions". Most of these systems also support some kind of access control lists, either proprietary (old HP-UX ACLs, for example), or POSIX.1e ACLs, based on early POSIX draft that was abandoned, or NFSv4 ACLs, which are the part of NFSv4 standard.

DOS variants (including the Microsoft products MS-DOS, Windows 95, Windows 98, and Windows Me) do not have permissions. There is a "read-only" attribute that can be set or unset on a file by any user or program.

Windows 2000 and Windows XP have better access control list.

VMS and OpenVMS as well as Microsoft Windows NT and its derivatives (including Windows 2000 and Windows XP), use access control lists (ACLs) to administer a more complex and varied set of permissions.

Mac OS X, beginning with version 10.4 ("Tiger"), supports the use of NFSv4 ACLs. It also supports "traditional Unix permissions" as used in previous versions of Mac OS X, and the Apple Mac OS X Server version 10.4+ File Services Administration Manual recommends using only traditional Unix permissions if possible. It also still supports the Mac OS Classic's "Protected" attribute.

Traditional Unix permissions

Permissions on Unix-like systems are managed in three distinct classes. These classes are known as user, group, and others. In effect, Unix permissions are a simplified form of access control lists (ACLs).

When a new file is created on a Unix-like system, its permissions are determined from the umask of the process that created it.

Classes

On Unix file systems, every file and directory is owned by a specific user. The owner of an object comprises its user class. Permissions assigned to the user class only apply to that specific user.

A file or directory is also assigned a group, which comprises its group class. Permissions assigned to the group class only apply to members of that group (other than the owner). It is not necessary that the owner be a member of the file's group. While a particular file can be assigned to only one group, a particular user can be a member of any number of groups, and a group can include any number of users. The "groups" command lists all the groups that include a user; the "members" command lists all the users that are the member of a particular group (Stutz 2004). The system administrator uses "addgroup" to add a user to a group.