In the last module, we examined the permissions that may be set on a file. To set the desired permissions, use the command chmod
The general structure of the chmod is :
chmod [options] permissions file_list
The "file_list" is a space delimited list of one or more filenames.
chmod works on most files as long as the user owns it.
However, if chmod is applied to a symbolic link, a type of filename alias, the command will follow the link and set the permissions on the linked file.
chmod supports several options. The most useful is the -R option, recursive, which when used against a directory file will cause chmod to not only change permissions on the directory file but also any files it lists including other directory files and any files they list.
Without the -R, only permissions on the directory file itself will be affected.
The "permissions" or file mode argument is a single string (no spaces) designating the permissions to set. This argument may target all permission fields of a file or just a limited subset of permissions.
The normal permission flags (read, write, and execute for user, group, and others) are stored in a 9 bit flag (3x3) in the file's inode. Each bit is either set to on (1) or off (0).
For example, we have a file with read, write, and execute permissions for the owner (user), read and execute only for the group members, and no permissions for all others. The flag settings would look like :
user group other r w x r w x r w x 1 1 1 1 0 1 0 0 0Obviously, working with permissions as a set of zeros and ones is not an ideal situation. However, binary values can be represented as octal values if grouped into 3 bit sets. A 3 bit octal number can have a value of 0-7.
binary = octal 0 0 0 = 0 0 0 1 = 1 0 1 0 = 2 0 1 1 = 3 1 0 0 = 4 1 0 1 = 5 1 1 0 = 6 1 1 1 - 7
We can convert a binary to an octal value by adding numbers by the power of 2.
1 0 1
* 2^2 2^1 2^0
1*4 0*2 1*1 = 4 + 0 + 1 = 5
So our file permission example above becomes :
user group other r w x r w x r w x 1 1 1 1 0 1 0 0 0 Flags * 4 2 1 4 2 1 4 2 1 positional value ---------------------------- 4 2 1 4 0 1 0 0 0 4+2+1=7 4+1=5 0=0 750 octalTo set the access permissions of a file to these, use the chmod with the desired permissions.
chmod 750 target_file
chmod supports a symbolic representation for each user type and file mode (permissions) field and operators to modify them. The symbolic representation can target all flag bits or just specific ones.
Available user type symbolic representations : u user (owner) g group assigned to file o all other users a all three user types. Available file mode symbolic representations : r read access w write access x execute access s SUID or SGID bit t sticky bit Available operators for changing : + turn on target bit[s] - turn off target bit[s] = set target bits to exact value
For our example above (u = read,write,execute, group = read,execute, other = none), here is the chmod using the symbolic representation :
chmod u=rwx,g=rx,o= target_file
The o= followed by nothing is a valid option.
First notice that the permissions argument is a single comma delimited string with no spaces. The order of the user type is not critical, but the practice is user,group,other.
The chmod above indicates that the read, write, and execute bits for the user permissions are all on, the read and execute bits for the group permissions are on but the write bit is off because the w was not specified, and all bits for other's permissions should be off because none were specified.
Using symbolic permissions also allows us to target only certain permission subsets. chmod a=r target_file will turn on read permissions for user, group, and other, and turn off all other permissions.
While chmod a=rx target_file will turn both read and execute for the owner(user) and leave group and other untouched.
We can also target more than one user type (ugo). In the previous examples, we only targeted the owner. The following command targets both the owner and the group permissions : chmod u=rx,g=rx target_file, while ignoring others.
Because the = affects all three access fields (r,w,x), it still requires extra work if we are targeting one or two specific access fields. To make targeting specific flags easier, chmod uses + and - with the specific user and access flags to target. It will leave all untargeted flags in their current state.
chmod g-w,o-rwx target_file
In the above example, we have turned off the write bit for the group and all bits for others. The rwx bits for user were untouched, and neither were the read and execute bits for the group. We could have also used chmod g-w,o= target_file.
In the same way, the + will only turn on the bits targeted. So chmod a+x target_file will turn on execute permissions for user, group, and other without affecting in any other permission flags.
Additional flags. Besides the read, write, and execute bits (rwx), each file has the SUID, GUID, and sticky bits explained previously. These bits are also set with chmod.
Remember that we viewed permissions as 3 sets of 3 bit flags. The SUID, GUID, and sticky bit can be viewed as an additional set of bits preceding the regular set.
user group other
s g t r w x r w x r w x
0 0 0 1 1 1 1 0 1 0 0 0
s = SUID
g = GUID
t = sticky
To set the permissions of a file to have rwx for user, and rx for the group and others and turn on SUID bit using the octal values, lay out the bits and convert to octal :
user group other
s g t r w x r w x r w x
1 0 0 1 1 1 1 0 1 1 0 1
4 0 0 4 2 1 4 0 1 4 0 1
4 7 5 5
chmod 4755 SUID_file
Luckily, chmod supports the symbolic notation for the SUID, GUID, and sticky bits. The same permissions can be specified as :
chmod u=rwxs,go=rx SUID_file
If all we need to do is turn on the SUID bit :
chmod u+s SUID_file
And to turn on the SUID bit :
chmod u-s SUID_file
For GUID, apply the change to the group permissions :
chmod g+s GUID_file
For the sticky bit, apply the change to the other permissions AND use a t rather than an s :
chmod o+t sticky_file
When we use ls -l, we can see the representation for read, write, and execute permissions for user, group, and other. But there is no fields for the SUID, GUID, and sticky bits. To display the status of these bits, the execute permission for each type of user does double duty. If the SUID bit is set, an s will appear in the x position for user, and if it is lower case, the execute bit is also on, if it is in caps, then the execute bit is off.
The same is true for the SGID bit. For the sticky bit, look for t lower or upper case in the other permission field. Lower case indicates that execute is set.
Below is the output of ls -l (comments in parenthesis are not part of the output)
-rwSrw-rw- 1 berezin work 0 2007-06-22 16:15 suid (user execute off) -rwsrwxrwx 1 berezin work 0 2007-06-22 16:15 suidx (user execute on) -rw-rwSrw- 1 berezin work 0 2007-06-22 16:15 guid (group execute off) -rwxrwsrwx 1 berezin work 0 2007-06-22 16:15 guidx (group execute on) -rw-rw-rwT 1 berezin work 0 2007-06-22 16:15 sticky (other execute off) -rwxrwxrwt 1 berezin work 0 2007-06-22 16:15 stickyx (other execute on)
When a file is created, unless the user has indicated some restriction, it receives the maximum possible access. For most files this means that read and write are enabled for users, groups, and others. For files that are meant to be executable, such as a file built by the gcc compiler, the execute permission will also be on in each user category.
However, most users prefer a more restrictive permission by default. Most command shells provide an internal command to set a mask that restricts the default permissions assigned to a file when it is created. This command is umask.
It instructs the shell as to what default permissions to block when a file is created. However, it cannot force a command to turn on permissions that the command wouldn't normally activate. It also does not affect files that already exist.
To change the permissions of existing files, we must used chmod.
On our system, the default shell is bash and we will look at this version of umask.
To see the current setting of umask, run the following :
umask
This will display a 4 octal digit value, the specific value will be based on the current umask settings. Because this is a mask, the values are inverted compared to chmod. This format follows the historical display of umask in the original Unix Bourne shell.
For example, if the output is : 0077
The 1st zero indicates that mask for the suid, SGID, and sticky bits is 0 and and setting these bits by a command won't be blocked. The mask for read, write, and execute permissions for user(owner) is 0 and a command creating a new file may turn those on.
But read, write, and execute masks for group and other are set to 1. This will block any new files from being created with those permissions on.
The bash version of umask has an option that generates a friendlier display of its settings.
umask -S
The 1st mode displays the which on our system is usually the bash shell.
chmod overrides the umask setting thus allowing the user to specifically set any permissions desired on an existing file.
To see the current umask settings, run the command :
-> umask077 -> umask
-> On our Linux system, this displays a four digit octal value. The first digit represents the 3 bits composing suid, guid, and the sticky bit, the next three represent the read, write, and execute bits for user, followed by the bits for group and finally the 3 bits for other.
Because umask When you first look at the values displayed by umask, it may be unclear where the values come from. Because umask is a mask, it represents the bits you want off by default.
To see how the value is determined, first decide which permissions you will allow by default. Let's say you will allow the the suid, guid, and sticky bit to be set along with allow all permissions for the user, but only read and execute permissions for group and other. Lay out the bits as if you were setting them. However, because this is a mask, you will invert the :
user group other s g t r w x r w x r w x 1 1 1 1 1 1 1 0 1 1 0 1 allowable permissions 0 0 0 0 0 0 0 1 0 0 1 0 inverted mask 0 0 0 0 0 0 0 2 0 0 2 0 powers of 2 0 0 2 2 octal representationTo set the umask, run umask at the prompt with the desired mask.
umask 0022
Lets say we want to set the mask so that no permissions are granted to groups or others, but the other access will remain the same.
user group other s g t r w x r w x r w x 1 1 1 1 1 1 0 0 0 0 0 0 allowable permissions 0 0 0 0 0 0 1 1 1 1 1 1 inverted mask 0 0 0 0 0 0 4 2 1 4 2 1 powers of 2 0 0 7 7 octal representationThis is the preferred umask for this class as it adds extra protection against some else copying your assignments. The umask is usually set in one of the configuration files read when the user first logs in. We will look at these in some detail in a later module. For now, if you are planning on creating several files during a login session, run umask with the desired mask at the prompt. You need to run umask only once during a login session unless you want to change the mask.
Some other things to know about umask :
umask 077
would be sufficient to set the mask desired.