4.5 of Advanced Programming in the UNIX programming has a very clear explanation for file access permissions.
Here is an experiment to show the explanation.
#include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> int main(int argc, const char *argv[]) { int fd; if ((fd = open("data", O_RDONLY)) < 0) { printf("open error\n"); return 1; } else { printf("open ok\n"); return 0; } }
$ gcc code.c
$ echo abc > data
$ ls -l
-rwxr-xr-x 1 jing jing 7174 2010-10-09 17:27 a.out
-rw-r--r-- 1 jing jing 302 2010-10-09 17:19 code.c
-rw-r--r-- 1 jing jing 4 2010-10-09 17:26 data
$ /a.out
open ok
$ chmod u-r data
$ /a.out
open error
$ id
uid=1000(jing) gid=1000(jing) groups=4(adm),20(dialout),24(cdrom),46(plugdev),104(lpadmin),115(admin),120(sambashare),121(vboxusers),125(kvm),126(libvirtd),1000(jing)
Here is the tricky part. If the effective user id is equal to the file owner id and it does not have the read permission, the permission is denied even the effective group id is equal to the file group id and does has the read permission.
$ sudo chown test data
$ ./a.out
open ok
$ sudo chown :kvm data
$ ./a.out
open ok
kvm is a supplementary group of the current user jing. So the file can be still opened after its group being set to kvm.
$ sudo chmod g-r data
$ ./a.out
open error
$ sudo chown :fax data
$ ./aout
open ok
$ sudo chmod o-r data
$ ./a.out
open error