Ok...I'm experimenting with different methods of granting and restricting file access (no particular use case just poking around to get better).

I've created a file 'test.txt'. I've assigned the file to be owned by root.

I then created a group called "RESTRICTED" and added myself to that group. I then chgrp to assign test.txt to the RESTRICTED group.

I set the permissions on the file to 700 - I cannot access the file.
I set the permissions on the file to 704 - I can now access the file.


ls -l output:
-rwx---r-- 1 root RESTRICTED 12 Dec 9 13:30 test.txt

If I am part of the RESTRICTED group I should't have access.
My understanding is this:

Root should have RWX
Members of RESTRICTED should have no access
All other users who are not root or members of RESTRICTED should have read only access.

Am I wrong in my understanding of permissions and how they work?

if i were to draw a ven diagram, root and the restricted users would exist in the set of all people in the world.

The last set of perms is 'other' ie 'world'.
The system starts from the left looking for any kind of access, so owner, then group, then other.
Your setup just means you can't access it via the group perms; it says you can access it via 'other' perms.
http://linux.die.net/man/1/chmod

That's where I'm a little confused - user (owner), group, others - seems that all others would include people not in group. Still not sure why users in the group would have access.

Like we both said other=world ie anyone/everyone AND perm sets (u, g, o) are considered separately(!).
You have access as part of the 'other' set.
Have a read of that link.

Thanks. I don't need the man page.

So there's no option but to create a group which has access and deny access to everyone else. Pretty inefficient when only certain people need to be excluded. In a group of 50, I would have to add 48 to a group with access while only 2 would be left in other. Rather, adding 2 to a restricted group would be more convenient and efficient.