6.3 chmod: Changing a File's Permissions
When you create a file, its initial permissions depend on your umask value (which is discussed later). You can change a file's permissions with the chmod command or the chmod( ) system call. You can change a file's permissions only if you are the file's owner. The one exception to this rule is the superuser: if you are logged in as the superuser, you can change the permissions of any file.[7]
[7] That is, any file that is not mounted using NFS or another distributed filesystem, or that is mounted read-only. See Chapter 15 for details.
In its simplest form, the chmod command lets you specify which of a file's permissions you wish to change. This usage is called symbolic form. The symbolic form of the chmod command[8] has the form:
[8] The Unix kernel actually supports two system calls for changing a file's mode: chmod( ), which changes the mode of a file, and fchmod( ), which changes the mode of a file associated with an open file descriptor.
chmod [-Rfh] [agou][+-=][rwxXstugol] filelist
This command changes the permissions of filelist, which can be either a single file or a group of files. The letters agou specify whose privileges are being modified. You may provide none, one, or more, as shown in Table 6-7.
|
Letter |
Meaning |
|---|---|
|
a |
Modifies privileges for all users |
|
g |
Modifies group privileges |
|
o |
Modifies others' privileges |
|
u |
Modifies the owner's privileges |
The symbols specify what is supposed to be done with the privilege. You must type only one symbol, as shown in Table 6-8.
|
Symbol |
Meaning |
|---|---|
|
+ |
Adds to the current privilege |
|
- |
Removes from the current privilege |
|
= |
Replaces the current privilege |
The last letters specify which privilege will be modified, as shown in Table 6-9.
|
Letter |
Meaning |
|---|---|
|
Options for all versions of Unix |
|
|
r |
Read access |
|
w |
Write access |
|
x |
Execute access |
|
s |
SUID or SGID |
|
t |
Sticky bit[9] |
|
Options for BSD-derived versions of Unix only |
|
|
X |
Sets execute only if the file is a directory or already has some other execute bit set |
|
u |
Takes permissions from the user permissions |
|
g |
Takes permissions from the group permissions |
|
o |
Takes permissions from other permissions |
|
Option for System V-derived versions of Unix only |
|
|
l |
Enables mandatory locking on file |
[9] The sticky bit is discussed in detail later in this chapter. On most systems, only the superuser can set the sticky bit on a non-directory filesystem entry.
In versions that support it, the -R option causes the chmod command to run recursively. If you specify a directory in filelist, that directory's permissions change, as do all of the files contained in that directory. If the directory contains any subdirectories, the process is repeated.
In versions that support it, the -f option prevents chmod from reporting any errors encountered. This processing is sometimes useful in shell scripts if you don't know whether the filelist exists or if you don't want to generate an error message.
The -h option is specified in some systems to change how chmod works with symbolic links. If the -h option is specified and one of the arguments is a symbolic link, the permissions of the file or directory pointed to by the link are not changed.
The symbolic form of the chmod command is useful if you only want to add or remove a specific privilege from a file. For example, if Sian wanted to give everybody in her group write permission to the file notes, she could issue the command:
% ls -l notes -rw-r--r-- 1 sian biochem 4320 Feb 9 13:20 notes % chmod g+w notes % ls -l notes -rw-rw-r-- 1 sian biochem 4320 Feb 9 13:20 notes %
To change this file further so people who aren't in her group can't read it, she could use the command:
% chmod o-r notes % ls -l notes -rw-rw---- 1 sian biochem 4320 Feb 9 13:20 notes %
To change the permissions of the invoice file so nobody else on the system can read or write it, Sian could use the command:
% chmod go= invoice % ls -l invoice -rw------- 1 sian user 4320 Feb 9 13:20 invoice % date Sun Feb 10 00:32:55 EST 1991 %
Notice that changing a file's permissions does not change its modification time (although it will alter the inode's ctime).
6.3.1 Setting a File's Permissions
You can also use the chmod command to set a file's permissions, without regard to the settings that existed before the command was executed. This format is called the absolute form of the chmod command. The absolute form of chmod has the syntax:[10]
[10] Note that some versions of Unix support additional flags covering cases of symbolic links in hierarchies and special file types. See your manuals.
% chmod [-Rfh] mode filelist
in which the options have the following meanings:
- -R
-
As described earlier
- -f
-
As described earlier
- -h
-
As described earlier
- mode
-
The mode to which you wish to set the file, expressed as an octal[11] value
[11] Octal means "base 8." Normally, we use base 10, which uses the digits 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9. The octal system uses the digits 0, 1, 2, 3, 4, 5, 6, and 7. If you are confused, don't be. For most purposes, you can pretend that the numbers are in decimal notation and never know the difference.
- filelist
-
The list of the files whose modes you wish to set
To use this form of the chmod command, you must calculate the octal value of the file permissions that you want. The next section describes how to do this.
6.3.1.1 Calculating octal file permissions
chmod allows you to specify a file's permissions with a four-digit octal number. You calculate the number by adding[12] the permissions. Use Table 6-10 to determine the octal number that corresponds to each file permission.
[12] Technically, we are OR-ing the values together, but as there is no carry, it's the same as adding.
|
Octal number |
Permission |
|---|---|
|
4000 |
Set user ID on execution (SUID) |
|
2000 |
Set group ID on execution (SGID) |
|
1000 |
"Sticky bit" |
|
0400 |
Read by owner |
|
0200 |
Written by owner |
|
0100 |
Executed by owner |
|
0040 |
Read by group |
|
0020 |
Written by group |
|
0010 |
Executed by group |
|
0004 |
Read by other |
|
0002 |
Written by other |
|
0001 |
Executed by other |
Thus, a file with the permissions "-rwxr-x?-" has a mode of 0750, calculated as follows:
|
0400 |
Read by owner |
|
0200 |
Written by owner |
|
0100 |
Executed by owner |
|
0040 |
Read by group |
|
0010 |
Executed by group |
|
0750 |
Result |
Table 6-11 contains some common file permissions and their uses.
|
Octal number |
File |
Permission |
|---|---|---|
|
0755 |
/bin/ls |
Anybody can copy or run the program; the file's owner can modify it. |
|
0711 |
$HOME |
Locks a user's home directory so that no other users on the system can display its contents, but allows other users to access files or subdirectories contained within the directory if they know the names of the files or directories. |
|
0700 |
$HOME |
Locks a user's home directory so that no other users on the system can access its contents, or the contents of any subdirectory. |
|
0600 |
/usr/mail/$USER and other mailboxes |
The user can read or write the contents of the mailbox, but no other users (except the superuser) may access it. |
|
0644 |
Any file |
The file's owner can read or modify the file; everybody else can only read it. |
|
0664 |
groupfile |
The file's owner or anybody in the group can modify the file; everybody else can only read it. |
|
0666 |
writable |
Anybody can read or modify the file. |
|
0444 |
readable |
Anybody can read the file; only the superuser can modify it without changing the permissions. |
Table 6-12 contains some common directory permissions and their uses.
|
Octal number |
Directory |
Permission |
|---|---|---|
|
0755 |
/ |
Anybody can view the contents of the directory, but only the owner or superuser can make changes. |
|
1777 |
/tmp |
Any user can create a file in the directory, but a user cannot delete another user's files. |
|
0700 |
$HOME |
A user can access the contents of his home directory, but nobody else can. |
6.3.1.2 Using octal file permissions
After you have calculated the octal file permission that you want, you can use the chmod command to set the permissions of files you own.
For example, to make all of the C language source files in a directory writable by the owner and readable by everybody else, type the command:
% chmod 644 *.c % ls -l *.c -rw-r--r-- 1 kevin okisrc 28092 Aug 9 9:52 cdrom.c -rw-r--r-- 1 kevin okisrc 5496 Aug 9 9:52 cfs_subr.c -rw-r--r-- 1 kevin okisrc 5752 Aug 9 9:52 cfs_vfsops.c -rw-r--r-- 1 kevin okisrc 11998 Aug 9 9:53 cfs_vnodeops.c -rw-r--r-- 1 kevin okisrc 3031 Aug 9 9:53 load_unld.c -rw-r--r-- 1 kevin okisrc 1928 Aug 9 9:54 Unix_rw.c -rw-r--r-- 1 kevin okisrc 153 Aug 9 9:54 vers.c %
To change the permissions of a file so it can be read or modified by anybody in the file's group, but can't be read or written by anybody else in the system, type the command:
% chmod 660 memberlist % ls -l memberlist -rw-rw---- 1 kevin okisrc 153 Aug 10 8:32 memberlist %
6.3.2 Access Control Lists
ACLs are a mechanism for providing fine-grained control over the access to files. Without ACLs, the only way that you can grant permission to a single person or a group of people to access a specific file or directory is to create a group for that person or group of people. With ACLs you can grant the access directly. For example, you can allow four different groups to a read a file without making it world-readable, or allow two users to create files in a directory without putting them in a group together.
Many Unix vendors (most notably IBM and HP) developed their own proprietary ACL implementations in the mid to early 1990s. In the 1990s the POSIX 1.e committee developed a working draft for a standard ACL implementation. Unfortunately, after 13 years of work, the IEEE/PASC/SEC working group formally withdrew the POSIX 1.e draft from the standards process on January 15, 1998. You can read the last draft at http://wt.xpilot.org/publications/posix.1e/.
Despite the decision to withdraw the draft, it continues to serve as a basis for adding ACLs to the Unix operating system. Parts of this implementation were implemented in the Solaris and FreeBSD operating systems. Although ACL support is not yet in the standard Linux kernel, a set of patches for implementing it has been written by Andreas Grünbacher, and is available at http://acl.bestbits.at/.
