Chmod

From LQWiki
Jump to navigation Jump to search

In Unix and Unix-like operating systems, a file has associated with it a number of security properties that control what the owner of the file and other users can do to the file. These properties are known as permissions, and the chmod command modifies them.

Permissions

Unix recognizes three groups of users who may want to access the file and bases the permissions accordingly. These groups are:

  • the owner of the file (who created it)
  • the group of that user - that is, other users who belong in the same group as the owner
  • all other users.

These three groups are often abbreviated u, g, and o respectively.

Based on these three groups, a file can be

  • readable - allow a file to be viewed
  • writable - allow a file to be edited
  • executable - allow a binary file to be run,

and are abbreviated r, w, and x respectively.

Other attributes for a file include a

  • suid or sgid property, abbreviated s
  • a sticky bit, abbreviated t (seldom used)

Notation

The chmod command can be used to set permissions on a directory or its files. However, how can we tell chmod how to apply the permissions?

Chmod accepts two notations, an alphabetic-based notation using the abbreviations mentioned above, and an octal, numeric based notation. It is possible to perform every operation using alphabetic notation as you can in octal, and vice versa. For new users, they may only need to learn the alphabetic notation.

Alphabetic notation

Say we want to set a file to have read and write access by the group the user is in. The notation for this permission is

g+rw

Or, say a file is set read-write-execute for all users, and we wish to limit the access to all other users, the permission is

o-rwx

In general, the permission is notated with the character of the user type first, + to set and - to clear, and then the characters representing the permissions to set.

Numeric permissions

Numeric permissions work by a group of octal numbers. Recall firstly that each digit in a hexadecimal number represents a block of 4 binary digits - similarly, for octal numbers, each digit represents a block of 3 binary digits.

Table of the permissions with their respective octal notation:

r 4
w 2
x 1

Recall also that when a ls -l command is issued for a file, the permissions are listed in the form similar to

-rwxr-xr-x    1 yourusername     yourgroup           19 Oct 22 09:25 yourfile

The permisssion list, -rwxr-xr-x is treated as a block of binary digits, a bitfield. Translating this into octal, we would get 0755, which is 0111101101 base 2.

We can then represent each permission for each user type by a single octal digit (plus an extra digit for the first bit).

  • 400 -r-------- read by owner
  • 040 ----r----- read by group
  • 004 -------r-- read by anybody (other)
  • 200 --w------- write by owner
  • 020 -----w---- write by group
  • 002 --------w- write by anybody
  • 100 ---x------ execute by owner
  • 010 ------x--- execute by group
  • 001 ---------x execute by anybody
  • 4000 s--------- suid
  • 2000 s--------- sgid
  • 1000 t--------- sticky

These permissions on their own may not be very useful, but we can add the octal numbers to get a combination of permissions. For example, 4, which corresponds to r-- (for some user type), and 2, which corresponds to -w- (for some user type), can be added to get 6, 110 in binary, which corresponds to rw-, read and write. Note also that in a group of three octal digits, the "place" of the digit signifies where we assign the permission. 600 octal, in binary is 0110000000, so we are setting read and write permissions for us, but not the group or other users. 060 octal, in binary however is 0000110000, and sets it for the group only, and likewise.

So, for example, if we want to set read and write for ourselves and the group, and have no permissions whatsoever for the other users, we could use the permission 660.

For the extra bit at the front, if the fourth digit is omitted, chmod will leave the current setting. To clear the suid, sgid, and sticky bits, you must specify a 0 firstly to zero out the bit.

Using chmod

chmod is used by specifying the permissions, then the file to be operated on, for example:

chmod g+rwx filename

grants the group read/write/execute permissions to that file, or

chmod 755 filename

Writing 755 octal into binary would give us 0111101101, which translated into the usal permission notation would be -rwxr-xr-x, which gives all users the ability to read and execute the file, but neither the group nor any other users can write to the file.

chmod can be used to reCurse down a directory tree - that is apply the same permissions to all files in a directory and its subdirectories by using the -R flag. For example,

chmod -R 755 *

sets all files in the current directory to the same permission above.

Examples

Let's say we had the following file called "foo" below, and we wanted to give the owning user read, write and execute permission.

----------  1 james james 0 Jan 23 00:25 foo

We can see above that the file called "foo" is owned by a user called "james" and the owning group is also called "james", but there is absolutely no permissions set on the file. Well, provided you are logged in as the owning user, or root, and you're sitting in the same directory in this case, you could type the following:

chmod u+rwx foo

Now we should have output from the ls command like this:

-rwx------ 1 james james 0 Jan 23 00:25 foo

Let's say we wanted to gave the owning user just read permission to a file called "foo" and no other permission. We could do just that with the following command:

chmod 400 foo

Assuming that the file "foo" has an owning user and group called "james", the ls -la command would display something similar to the following:

-r-------- 1 james james 0 Jan 23 01:35 foo

Let's say we wanted to give the owning user read permission and everyone else (including the owning user) "execute" permission for the file called "foo". We could use the following command:

chmod 511 foo

Notice how the output of the ls command has changed below:

-r-x--x--x 1 james james 0 Jan 23 01:35 foo

In one more example, we will give the owning user read, write and execute permission, and everyone else just read permission.

chmod 744 foo

Notice how the output of ls -la has changed once again:

-rwxr--r-- 1 james james 0 Jan 23 01:35 foo

Note: It's usually a very bad idea for security reasons to give everyone full read, write and execute permissions using chmod 777 So please try and avoid doing that wherever possible, as it defeats the purpose of permissions.

Case study

LTSP environment, students were able to view other students' work.

cd /home; chmod -R 750 *

Worked like a charm so that only owner can view and edit files.

Provided by

Most (all?) Linux distributions incorporate this from the GNU Coreutils: man page

Related Commands

  • chattr- Change attributes (Linux filesystems)
  • chgrp- Changes group ownership of a file
  • chown- Changes user/group ownership of a file
  • ls - Lists files
  • touch - update timestamps

See also