Chmod

From LQWiki

In Unix and Unix-like operating systems, a file has associated with it a number of security properties that control what the owner of the file and other users can do to the file. These properties are known as permissions, and the chmod command modifies them.

Permissions

Unix recognizes three classes of users who may want to access a file and keeps a separate set of permissions for each. These classes are:

  • the owner of the file (normally the user who created it, though ownership can be changed with chown)
  • the group of the file - that is, users who belong to the group the file is assigned to
  • all other users.

These three classes are abbreviated u, g, and o respectively; a stands for all three at once.

For each of these classes, a file can be

  • readable - the contents may be viewed
  • writable - the contents may be edited
  • executable - the file may be run as a program (a binary, or a script whose first line names its interpreter),

abbreviated r, w, and x respectively. On a directory the same three bits mean something slightly different: r lets you list the names in it, w lets you create, rename and delete entries in it, and x lets you enter it and reach the files inside by name.

Other attributes for a file include

  • the setuid or setgid bit, abbreviated s: an executable with this bit runs with the identity of the file's owner (setuid) or group (setgid) rather than that of the user who ran it, which is why a writable setuid binary is a serious security problem; setgid on a directory makes new files created in it inherit the directory's group
  • the sticky bit, abbreviated t: on a directory it restricts deletion and renaming of entries to their owner (plus the directory's owner and root), which is how shared directories such as /tmp are protected.

Notation

The chmod command sets the permissions of a file or directory. How do we tell chmod which permissions to apply?

chmod accepts two notations: a symbolic (alphabetic) notation using the abbreviations above, and a numeric notation in octal. Any fixed set of permissions can be written in either notation, so a new user can get by with the symbolic form alone.


Alphabetic notation

Say we want to give the file's group read and write access. The notation for this change is

g+rw

Or, say a file is set read-write-execute for everyone, and we wish to take all access away from other users; the change is

o-rwx

In general, a symbolic mode is written as the letter of the user class first (u, g, o, or a for all), then + to add, - to remove, or = to set exactly the permissions that follow and clear the rest, and then the permission letters. Several such clauses can be separated by commas, so u=rw,g=r,o= gives the owner read and write, the group read only, and other users nothing.

Numeric permissions

Numeric permissions are written as a group of octal digits. Recall firstly that each digit in a hexadecimal number represents a block of 4 binary digits; similarly, for octal numbers, each digit represents a block of 3 binary digits.

Recall also that when ls -l is run on a file, the permissions are listed in a form similar to

-rwxr-xr-x    1 yourusername     yourgroup           19 Oct 22 09:25 yourfile

The first character of -rwxr-xr-x is the file type (- for a regular file, d for a directory, l for a symbolic link) and is not a permission bit. The remaining nine characters are a bitfield, three bits per class: rwx r-x r-x is 111 101 101 in binary, which is 755 in octal. A fourth, leading octal digit carries the setuid, setgid and sticky bits, so the full mode of this file is 0755.

We can then represent each permission for each user class by a single octal digit, plus the extra leading digit for the special bits.

  • 400 -r-------- read by owner
  • 040 ----r----- read by group
  • 004 -------r-- read by anybody (other)
  • 200 --w------- write by owner
  • 020 -----w---- write by group
  • 002 --------w- write by anybody
  • 100 ---x------ execute by owner
  • 010 ------x--- execute by group
  • 001 ---------x execute by anybody
  • 4000 ---s------ setuid (shown in the owner's execute column)
  • 2000 ------s--- setgid (shown in the group's execute column)
  • 1000 ---------t sticky (shown in the other users' execute column)

ls prints s or t in those columns when the execute bit is also set, and S or T when the special bit is set but execute is not.

These permissions on their own are not very useful, but we can add the octal numbers to get a combination of permissions. For example 4, which corresponds to r-- (for some user class), and 2, which corresponds to -w-, add to 6, 110 in binary, which corresponds to rw-, read and write. Note also that in a group of three octal digits, the "place" of the digit signifies which class the permission applies to: 600 octal is 110 000 000 in binary, so we are setting read and write for the owner but nothing for the group or other users, whereas 060 octal is 000 110 000 and sets read and write for the group only, and likewise 006 for other users.

So, for example, if we want to set read and write for ourselves and the group, and have no permissions whatsoever for the other users, we could use the permission 660.

For the extra leading digit, the rule in GNU chmod differs between regular files and directories. On a regular file a three-digit mode such as 755 is treated as 0755, so it clears the setuid, setgid and sticky bits; no leading 0 is needed to clear them. On a directory GNU chmod preserves the setuid and setgid bits when the numeric mode has fewer than five digits, so chmod 755 leaves a setgid directory setgid; clear them explicitly with a symbolic mode such as g-s (or a five-digit mode such as 00755). To set a special bit numerically, give it as the fourth digit: 4755 is setuid plus rwxr-xr-x.
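As an added example (not part of the original page), the following POSIX shell functions carry the bitfield mapping above in both directions: mode_to_octal takes the 10-character mode column of ls -l, skips the file-type character, and accumulates the r/w/x weights for each class plus the 4/2/1 special-bit digit; octal_to_mode does the reverse, printing s/S and t/T the way ls does. The function names and the sample strings are chosen here, not taken from chmod or coreutils.

```shell
#!/bin/sh
# Added example: convert between the ls -l mode column and octal modes.
# mode_to_octal and octal_to_mode are names chosen for this example.

# mode_to_octal '-rwsr-xr-x'  ->  4755
# Column 1 of the argument is the file type (-, d, l, ...) and is not a
# permission bit, so it is skipped; columns 2-10 are the nine rwx bits,
# with s/S (setuid, setgid) and t/T (sticky) folded into the execute columns.
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "mode_to_octal: need 10 characters, got '$m'" >&2; return 1; }
    special=0      # 4 = setuid, 2 = setgid, 1 = sticky
    digits=""
    pos=2          # skip the file-type column
    for weight in 4 2 1; do          # owner, group, other
        d=0
        for bit in 4 2 1; do         # r, w, x within the class
            c=$(printf '%s' "$m" | cut -c"$pos")
            case "$bit:$c" in
                4:r|2:w|1:x) d=$((d + bit)) ;;
                1:s|1:t)     d=$((d + 1)); special=$((special + weight)) ;;  # special bit + execute
                1:S|1:T)     special=$((special + weight)) ;;                # special bit, no execute
                4:-|2:-|1:-) ;;
                *) echo "mode_to_octal: bad character '$c' in column $pos" >&2; return 1 ;;
            esac
            pos=$((pos + 1))
        done
        digits="$digits$d"
    done
    printf '%d%s\n' "$special" "$digits"
}

# octal_to_mode 4755  ->  rwsr-xr-x   (nine characters; an octal mode carries no file type)
octal_to_mode() {
    n=$1
    case "$n" in
        [0-7][0-7][0-7])      n="0$n" ;;   # three digits: special digit is 0
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "octal_to_mode: bad mode '$n'" >&2; return 1 ;;
    esac
    special=$(printf '%s' "$n" | cut -c1)
    out=""
    pos=2
    for weight in 4 2 1; do
        d=$(printf '%s' "$n" | cut -c"$pos")
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((special & weight)) -ne 0 ]; then
            # setuid/setgid show as s in the owner/group column, sticky as t in other;
            # upper case means the special bit is set but execute is not
            if [ "$weight" -eq 1 ]; then l=t; else l=s; fi
            if [ $((d & 1)) -eq 0 ]; then l=$(printf '%s' "$l" | tr st ST); fi
            out="$out$l"
        elif [ $((d & 1)) -ne 0 ]; then out="${out}x"
        else out="${out}-"
        fi
        pos=$((pos + 1))
    done
    printf '%s\n' "$out"
}

# Round trip on a constructed sample: a setgid, group-writable directory
octal_to_mode "$(mode_to_octal 'drwxrwsr-x')"   # prints rwxrwsr-x
```

Feeding the script real ls -l output is a quick way to audit a directory for stray setuid or setgid files: anything whose first digit is not 0 deserves a look.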

Using chmod

chmod is used by specifying the permissions, then the file to be operated on, for example:

chmod g+rwx filename

grants the group read/write/execute permissions to that file, or

chmod 755 filename

Writing 755 in binary gives 111 101 101, which in the usual permission notation is rwxr-xr-x: everyone can read and execute the file, the owner can also write to it, and neither the group nor other users can.


chmod can recurse down a directory tree - that is, apply the same change to a directory, everything in it, and its subdirectories - with the -R flag. For example,

chmod -R 755 *

sets everything in the current directory (except names beginning with a dot, which the shell does not expand * to match) and everything below it to the permissions above. Note that a numeric mode applied recursively gives every regular file the execute bit, not just the directories; when a tree mixes data files and programs, the symbolic permission X is the better tool, since it adds execute only to directories and to files that already had an execute bit.
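As an added example (not from the original page), this script builds a throwaway tree with mktemp, applies a recursive chmod to a fresh copy of it, and reads the result back from ls -ld. It shows the difference that matters when cleaning up a tree: -R 755 stamps the execute bit on a plain data file, while the symbolic X gives execute only to the directory and to the script that already had it. make_tree, mode_of and mode_after are names chosen here; the tree contents are constructed sample data.

```shell
#!/bin/sh
# Added example: recursive chmod with a numeric mode versus the symbolic X.
# make_tree, mode_of and mode_after are names chosen for this example.

# Ten-character mode column of ls -l for one path (cut drops any ACL/SELinux marker)
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed sample tree: a data file, a script, and a subdirectory,
# all starting from a known owner-only state.  Prints the temp root.
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src/lib"
    printf 'hello\n' > "$t/src/lib/notes.txt"
    printf '#!/bin/sh\necho hi\n' > "$t/src/run.sh"
    chmod 600 "$t/src/lib/notes.txt"     # plain data: no execute bit
    chmod 700 "$t/src/run.sh"            # script: owner may execute
    chmod 700 "$t/src" "$t/src/lib"
    printf '%s\n' "$t"
}

# Apply `chmod -R $1` to a fresh tree and report the resulting mode of src/$2
mode_after() {
    t=$(make_tree) || return 1
    chmod -R "$1" "$t/src"
    mode_of "$t/src/$2"
    rm -rf "$t"
}

# Numeric: every regular file becomes executable, data files included
mode_after 755 lib/notes.txt            # -rwxr-xr-x
# Symbolic X: directories and already-executable files get x, data files do not
mode_after u=rwX,go=rX lib/notes.txt    # -rw-r--r--
mode_after u=rwX,go=rX run.sh           # -rwxr-xr-x
mode_after u=rwX,go=rX lib              # drwxr-xr-x
```

Because X is evaluated per file against that file's current mode, it is safe to rerun on the same tree; a second pass changes nothing, whereas a numeric mode has already lost the information about which files were programs.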

Case study

In an LTSP environment, students were able to view other students' work.

cd /home; chmod -R 750 *

Worked like a charm, so that only the owner can view and edit files.

Provided by

Most (if not all) Linux distributions provide chmod as part of GNU Coreutils; see its man page.

Related Commands

  • chgrp - Changes group ownership of a file
  • chown - Changes user/group ownership of a file
  • ls - Lists files
  • touch - update timestamps

See also