6.3 chmod: Changing a File's Permissions
When you create a file, its initial permissions depend on your
umask value (which is discussed later). You can
change a file's permissions with the
chmod command or the chmod(
) system call. You can change a file's
permissions only if you are the file's owner. The
one exception to this rule is the
superuser: if you are logged in as
the superuser, you can change the permissions of any file.
In
its simplest form, the chmod command lets you
specify which of a file's permissions you wish to
change. This usage is called symbolic form.
The symbolic form of the chmod command has the form:
chmod [-Rfh] [agou][+-=][rwxXstugol] filelist
This command changes the permissions of
filelist, which can be either a single
file or a group of files. The letters agou
specify whose privileges are being modified. You may provide none,
one, or more, as shown in Table 6-7.
Table 6-7. Whose privileges are being modified?
a
|
Modifies privileges for all users
|
g
|
Modifies group privileges
|
o
|
Modifies others' privileges
|
u
|
Modifies the owner's privileges
|
The symbols specify what is supposed to be done with the privilege.
You must type only one symbol, as shown in Table 6-8.
Table 6-8. What to do with privilege
+
|
Adds to the current privilege
|
-
|
Removes from the current privilege
|
=
|
Replaces the current privilege
|
The last letters specify which privilege will be modified, as shown
in Table 6-9.
Table 6-9. Which privileges are being changed?
Options for all versions of Unix
|
r
|
Read
access
|
w
|
Write
access
|
x
|
Execute
access
|
s
|
SUID or SGID
|
t
|
Sticky bit
|
Options for BSD-derived versions of Unix
only
|
X
|
Sets execute only if the file is a directory or already has some
other execute bit set
|
u
|
Takes permissions from the user permissions
|
g
|
Takes permissions from the group permissions
|
o
|
Takes permissions from other permissions
|
Option for System V-derived
versions of Unix only
|
l
|
Enables
mandatory locking on file
|
In versions that support it, the -R option
causes the chmod command to run recursively. If
you specify a directory in filelist, that
directory's permissions change, as do all of the
files contained in that directory. If the directory contains any
subdirectories, the process is repeated.
In versions that support it, the -f option
prevents chmod from reporting any errors
encountered. This processing is sometimes useful in shell scripts if
you don't know whether the
filelist exists or if you don't
want to generate an error message.
The -h option is specified in some systems to
change how chmod works with symbolic links. If
the -h option is specified and one of the
arguments is a symbolic link, the permissions of the file or
directory pointed to by the link are not
changed.
The symbolic form of the chmod command is useful
if you only want to add or remove a specific privilege from a file.
For example, if Sian wanted to give everybody in her group write
permission to the file notes, she could issue
the command:
% ls -l notes
-rw-r--r-- 1 sian biochem 4320 Feb 9 13:20 notes
% chmod g+w notes
% ls -l notes
-rw-rw-r-- 1 sian biochem 4320 Feb 9 13:20 notes
%
To change this file further so people who aren't in
her group can't read it, she could use the command:
% chmod o-r notes
% ls -l notes
-rw-rw---- 1 sian biochem 4320 Feb 9 13:20 notes
%
To change the permissions of the invoice file so
nobody else on the system can read or write it, Sian could use the
command:
% chmod go= invoice
% ls -l invoice
-rw------- 1 sian user 4320 Feb 9 13:20 invoice
% date
Sun Feb 10 00:32:55 EST 1991
%
Notice that changing a file's permissions does
not change its modification time (although it
will alter the inode's
ctime).
6.3.1 Setting a File's Permissions
You
can also use the chmod command to set a
file's permissions, without regard to the settings
that existed before the command was executed. This format is called
the absolute form of the
chmod command. The absolute form of
chmod has the syntax:
% chmod [-Rfh] mode filelist
in which the options have the following meanings:
- -R
-
As described earlier
- -f
-
As described earlier
- -h
-
As described earlier
- mode
-
The mode to which you wish to set the file, expressed as an
octal
value
- filelist
-
The list of the files whose modes you wish to set
To use this form of the chmod command, you must
calculate the octal value of the file permissions that you want. The
next section describes how to do this.
6.3.1.1 Calculating octal file permissions
chmod
allows you to specify a file's permissions with a
four-digit octal number. You calculate the number by adding the permissions. Use Table 6-10 to
determine the octal number that corresponds to each file permission.
Table 6-10. Octal numbers and permissions
4000
|
Set user ID on execution (SUID)
|
2000
|
Set group ID on execution (SGID)
|
1000
|
"Sticky bit"
|
0400
|
Read by owner
|
0200
|
Written by owner
|
0100
|
Executed by owner
|
0040
|
Read by group
|
0020
|
Written by group
|
0010
|
Executed by group
|
0004
|
Read by other
|
0002
|
Written by other
|
0001
|
Executed by other
|
Thus, a file with the permissions
"-rwxr-x—-" has a mode of
0750, calculated as follows:
0400
|
Read by owner
|
0200
|
Written by owner
|
0100
|
Executed by owner
|
0040
|
Read by group
|
0010
|
Executed by group
|
0750
|
Result
|
Table 6-11 contains some common file permissions
and their uses.
Table 6-11. Common file permissions
0755
|
/bin/ls
|
Anybody can copy or run the program; the file's
owner can modify it.
|
0711
|
$HOME
|
Locks a user's home directory so that no other users
on the system can display its contents, but allows other users to
access files or subdirectories contained within the directory if they
know the names of the files or directories.
|
0700
|
$HOME
|
Locks a user's home directory so that no other users
on the system can access its contents, or the contents of any
subdirectory.
|
0600
|
/usr/mail/$USER and other mailboxes
|
The user can read or write the contents of the mailbox, but no other
users (except the superuser) may access it.
|
0644
|
Any file
|
The file's owner can read or modify the file;
everybody else can only read it.
|
0664
|
groupfile
|
The file's owner or anybody in the group can modify
the file; everybody else can only read it.
|
0666
|
writable
|
Anybody can read or modify the file.
|
0444
|
readable
|
Anybody can read the file; only the superuser can modify it without
changing the permissions.
|
Table 6-12 contains some common directory
permissions and their
uses.
Table 6-12. Common directory permissions
0755
|
/
|
Anybody can view the contents of the directory, but only the owner or
superuser can make changes.
|
1777
|
/tmp
|
Any user can create a file in the directory, but a user cannot delete
another user's files.
|
0700
|
$HOME
|
A user can access the contents of his home directory, but nobody else
can.
|
6.3.1.2 Using octal file permissions
After you have calculated the octal file permission that you want,
you can use the chmod command to set the
permissions of files you own.
For example, to make all of the C language source files in a
directory writable by the owner and readable by everybody else, type
the command:
% chmod 644 *.c
% ls -l *.c
-rw-r--r-- 1 kevin okisrc 28092 Aug 9 9:52 cdrom.c
-rw-r--r-- 1 kevin okisrc 5496 Aug 9 9:52 cfs_subr.c
-rw-r--r-- 1 kevin okisrc 5752 Aug 9 9:52 cfs_vfsops.c
-rw-r--r-- 1 kevin okisrc 11998 Aug 9 9:53 cfs_vnodeops.c
-rw-r--r-- 1 kevin okisrc 3031 Aug 9 9:53 load_unld.c
-rw-r--r-- 1 kevin okisrc 1928 Aug 9 9:54 Unix_rw.c
-rw-r--r-- 1 kevin okisrc 153 Aug 9 9:54 vers.c
%
To change the permissions of a file so it can be read or modified by
anybody in the file's group, but
can't be read or written by anybody else in the
system, type the command:
% chmod 660 memberlist
% ls -l memberlist
-rw-rw---- 1 kevin okisrc 153 Aug 10 8:32 memberlist
%
6.3.2 Access Control Lists
ACLs are a mechanism for providing
fine-grained control over the access to files. Without ACLs, the only
way that you can grant permission to a single person or a group of
people to access a specific file or directory is to create a group
for that person or group of people. With ACLs you can grant the
access directly. For example, you can allow four different groups to
a read a file without making it world-readable, or allow two users to
create files in a directory without putting them in a group together.
Many Unix vendors (most notably IBM and HP) developed their own
proprietary ACL implementations in the mid to early 1990s. In the
1990s the POSIX 1.e committee developed a working draft for a
standard ACL implementation. Unfortunately, after 13 years of work,
the IEEE/PASC/SEC working group formally withdrew the POSIX 1.e draft
from the standards process on January 15, 1998. You can read the last
draft at http://wt.xpilot.org/publications/posix.1e/.
Despite the decision to withdraw the draft, it continues to serve as
a basis for adding ACLs to the Unix operating system. Parts of this
implementation were implemented in the
Solaris and FreeBSD operating systems.
Although ACL support is not yet in the standard
Linux kernel, a set of patches for
implementing it has been written by
Andreas Grünbacher, and is
available at http://acl.bestbits.at/.
|