Documentation< Previous | Contents | Next >
3.4.2. The tools
3.4.2.1. The chmod command
A normal consequence of applying strict file permissions, and sometimes a nuisance, is that access rights will need to be changed for all kinds of reasons. We use the chmod command to do this, and eventually to chmod has become an almost acceptable English verb, meaning the changing of the access mode of a file. The chmod command can be used with alphanumeric or numeric options, whatever you like best.
The example below uses alphanumeric options in order to solve a problem that commonly occurs with new users:
asim:~> ./hello
bash: ./hello: bad interpreter: Permission denied
asim:~> cat hello
#!/bin/bash
echo "Hello, World"
asim:~> ls -l hello
-rw-rw-r-- 1 asim asim 32 Jan 15 16:29 hello asim:~> chmod u+x hello
asim:~> ./hello
Hello, World
asim:~> ls -l hello
-rwxrw-r-- 1 asim asim 32 Jan 15 16:29 hello*
asim:~> ./hello
bash: ./hello: bad interpreter: Permission denied
asim:~> cat hello
#!/bin/bash
echo "Hello, World"
asim:~> ls -l hello
-rw-rw-r-- 1 asim asim 32 Jan 15 16:29 hello asim:~> chmod u+x hello
asim:~> ./hello
Hello, World
asim:~> ls -l hello
-rwxrw-r-- 1 asim asim 32 Jan 15 16:29 hello*
The + and - operators are used to grant or deny a given right to a given group. Combinations separated by commas are allowed. The Info and man pages contain useful examples. Here's another one, which makes the file from the previous example a private file to user asim:
asim:~> chmod u+rwx,go-rwx hello
asim:~> ls -l | hello | ||
-rwx------ | 1 asim | asim | 32 Jan 15 16:29 hello* |
The kind of problem resulting in an error message saying that permission is denied somewhere is usually a problem with access rights in most cases. Also, comments like, "It worked yesterday," and "When I run this as root it works," are most likely caused by the wrong file permissions.
When using chmod with numeric arguments, the values for each granted access right have to be counted together per group. Thus we get a 3-digit number, which is the symbolic value for the settings chmod has to make. The following table lists the most common combinations:
Table 3-9. File protection with chmod
Command | Meaning |
chmod 400 file | To protect a file against accidental overwriting. |
chmod 500 directory | To protect yourself from accidentally removing, renaming or moving files from this directory. |
chmod 600 file | A private file only changeable by the user who entered this command. |
chmod 644 file | A publicly readable file that can only be changed by the issuing user. |
chmod 660 file | Users belonging to your group can change this file, others don't have any access to it at all. |
chmod 700 file | Protects a file against any access from other users, while the issuing user still has full access. |
chmod 755 directory | For files that should be readable and executable by others, but only changeable by the issuing user. |
chmod 775 file | Standard file sharing mode for a group. |
chmod 777 file | Everybody can do everything to this file. |
If you enter a number with less than three digits as an argument to chmod, omitted characters are replaced with zeros starting from the left. There is actually a fourth digit on Linux systems, that precedes the first three and sets special access modes. Everything about these and many more are located in the Info pages.
3.4.2.2. Logging on to another group
When you type id on the command line, you get a list of all the groups that you can possibly belong to, preceded by your user name and ID and the group name and ID that you are currently connected with. However, on many Linux systems you can only be actively logged in to one group at the time. By default, this active or primary group is the one that you get assigned from the /etc/passwd file. The fourth field of this file holds users' primary group ID, which is looked up in the /etc/group file. An example:
asim:~> id
uid=501(asim) gid=501(asim) groups=100(users),501(asim),3400(web)
asim:~> grep asim /etc/passwd
asim:x:501:501:Asim El Baraka:/home/asim:/bin/bash
asim:~> grep 501 /etc/group
asim:x:501:
asim:~> id
uid=501(asim) gid=501(asim) groups=100(users),501(asim),3400(web)
asim:~> grep asim /etc/passwd
asim:x:501:501:Asim El Baraka:/home/asim:/bin/bash
asim:~> grep 501 /etc/group
asim:x:501:
The fourth field in the line from /etc/passwd contains the value "501", which represents the group asim in the above example. From /etc/group we can get the name matching this group ID. When initially connecting to the system, this is the group that asim will belong to.
User private group scheme
In order to allow more flexibility, most Linux systems follow the so-called user private group scheme, that assigns each user primarily to his or her own group. This group is a group that only contains this particular user, hence the name "private group". Usually this group has the same name as the user login name, which can be a bit confusing.
Apart from his own private group, user asim can also be in the groups users and web. Because these are secondary groups to this user, he will need to use the newgrp to log into any of these groups (use gpasswd for setting the group password first). In the example, asim needs to create files that are owned by the group web.
asim:/var/www/html> newgrp web
asim:/var/www/html> id
uid=501(asim) gid=3400(web) groups=100(users),501(asim),3400(web)
asim:/var/www/html> newgrp web
asim:/var/www/html> id
uid=501(asim) gid=3400(web) groups=100(users),501(asim),3400(web)
When asim creates new files now, they will be in group ownership of the group web instead of being owned by the group asim:
asim:/var/www/html> touch test
asim:/var/www/html> ls -l test
-rw-rw-r-- 1 asim web 0 Jun 10 15:38 test
asim:/var/www/html> touch test
asim:/var/www/html> ls -l test
-rw-rw-r-- 1 asim web 0 Jun 10 15:38 test
Logging in to a new group prevents you from having to use chown (see Section 3.4.2.4) or calling your system administrator to change ownerships for you.
See the manpage for newgrp for more information.
3.4.2.3. The file mask
When a new file is saved somewhere, it is first subjected to the standard security procedure. Files without permissions don't exist on Linux. The standard file permission is determined by the mask for new file creation. The value of this mask can be displayed using the umask command:
bert:~> umask
0002
bert:~> umask
0002
Instead of adding the symbolic values to each other, as with chmod, for calculating the permission on a new file they need to be subtracted from the total possible access rights. In the example above, however, we see 4 values displayed, yet there are only 3 permission categories: user, group and other. The first zero is part of the special file attributes settings, which we will discuss in Section 3.4.2.4 and Section 4.1.6. It might just as well be that this first zero is not displayed on your system when entering the umask command, and that you only see 3 numbers representing the default file creation mask.
Each UNIX-like system has a system function for creating new files, which is called each time a user uses a program that creates new files, for instance, when downloading a file from the Internet, when saving a new text document and so on. This function creates both new files and new directories. Full read, write and execute permission is granted to everybody when creating a new directory. When creating a new file, this function will grant read and write permissions for everybody, but set execute permissions to none for all user categories. This, before the mask is applied, a directory has permissions 777 or rwxrwxrwx, a plain file 666 or rw-rw-rw-.
The umask value is subtracted from these default permissions after the function has created the new file or directory. Thus, a directory will have permissions of 775 by default, a file 664, if the mask value is (0)002. This is demonstrated in the example below:
bert:~> mkdir newdir
bert:~> ls -ld newdir
drwxrwxr-x 2 bert bert
4096 Feb 28 13:45 newdir/
bert:~> mkdir newdir
bert:~> ls -ld newdir
drwxrwxr-x 2 bert bert
bert:~> touch newfile
bert:~> ls -l newfile
-rw-rw-r-- 1 bert bert
0 Feb 28 13:52 newfile
bert:~> touch newfile
bert:~> ls -l newfile
-rw-rw-r-- 1 bert bert
Files versus directories
A directory gets more permissions by default: it always has the execute permission. If it wouldn't have that, it would not be accessible. Try this out by chmodding a directory 644!
If you log in to another group using the newgrp command, the mask remains unchanged. Thus, if it is set to 002, files and directories that you create while being in the new group will also be accessible to the other members of that group; you don't have to use chmod.
The root user usually has stricter default file creation permissions:
[root@estoban root]# umask 022
[root@estoban root]# umask 022
These defaults are set system-wide in the shell resource configuration files, for instance /etc/bashrc or
/etc/profile. You can change them in your own shell configuration file, see Chapter 7 on customizing your shell environment.
3.4.2.4. Changing user and group ownership
When a file is owned by the wrong user or group, the error can be repaired with the chown (change owner) and chgrp (change group) commands. Changing file ownership is a frequent system administrative task in environments where files need to be shared in a group. Both commands are very flexible, as you can find out by using the --help option.
The chown command can be applied to change both user and group ownership of a file, while chgrp only changes group ownership. Of course the system will check if the user issuing one of these commands has sufficient permissions on the file(s) she wants to change.
In order to only change the user ownership of a file, use this syntax:
chown newuser file
If you use a colon after the user name (see the Info pages), group ownership will be changed as well, to the primary group of the user issuing the command. On a Linux system, each user has his own group, so this form can be used to make files private:
jacky:~> id
uid=1304(jacky) gid=(1304) groups=1304(jacky),2034(pproject)
jacky:~> ls -l my_report
-rw-rw-r-- 1 jacky project 29387 Jan 15 09:34 my_report jacky:~> chown jacky: my_report
jacky:~> chmod o-r my_report
jacky:~> ls -l my_report
-rw-rw---- 1 jacky jacky 29387 Jan 15 09:34 my_report
jacky:~> id
uid=1304(jacky) gid=(1304) groups=1304(jacky),2034(pproject)
jacky:~> ls -l my_report
-rw-rw-r-- 1 jacky project 29387 Jan 15 09:34 my_report jacky:~> chown jacky: my_report
jacky:~> chmod o-r my_report
jacky:~> ls -l my_report
-rw-rw---- 1 jacky jacky 29387 Jan 15 09:34 my_report
If jacky would like to share this file, without having to give everybody permission to write it, he can use the
chgrp command:
jacky:~> ls -l report-20020115.xls
-rw-rw---- 1 jacky jacky 45635 Jan 15 09:35 report-20020115.xls jacky:~> chgrp project report-20020115.xls
jacky:~> chmod o= report-20020115.xls
jacky:~> ls -l report-20020115.xls
-rw-rw---- 1 jacky project 45635 Jan 15 09:35 report-20020115.xls
jacky:~> ls -l report-20020115.xls
-rw-rw---- 1 jacky jacky 45635 Jan 15 09:35 report-20020115.xls jacky:~> chgrp project report-20020115.xls
jacky:~> chmod o= report-20020115.xls
jacky:~> ls -l report-20020115.xls
-rw-rw---- 1 jacky project 45635 Jan 15 09:35 report-20020115.xls
This way, users in the group project will be able to work on this file. Users not in this group have no business with it at all.
Both chown and chgrp can be used to change ownership recursively, using the -R option. In that case, all underlying files and subdirectories of a given directory will belong to the given user and/or group.
Restrictions
On most systems, the use of the chown and chgrp commands is restricted for non-privileged users. If you are not the administrator of the system, you can not change user nor group ownerships for security reasons. If the usage of these commands would not be restricted, malicious users could assign ownership of files to other users and/or groups and change behavior of those users' environments and even cause damage to other users' files.
3.4.2.5. Special modes
For the system admin to not be bothered solving permission problems all the time, special access rights can be given to entire directories, or to separate programs. There are three special modes:
• Sticky bit mode: After execution of a job, the command is kept in the system memory. Originally this was a feature used a lot to save memory: big jobs are loaded into memory only once. But these days memory is inexpensive and there are better techniques to manage it, so it is not used anymore for its optimizing capabilities on single files. When applied to an entire directory, however, the sticky bit has a different meaning. In that case, a user can only change files in this directory when she is the user owner of the file or when the file has appropriate permissions. This feature is used on directories like
/var/tmp, that have to be accessible for everyone, but where it is not appropriate for users to change or delete each other's data. The sticky bit is indicated by a t at the end of the file permission field:
mark:~> ls -ld /var/tmp
drwxrwxrwt 19 root root
8192 Jan 16 10:37 /var/tmp/
mark:~> ls -ld /var/tmp
drwxrwxrwt 19 root root
The sticky bit is set using the command chmod o+t directory. The historic origin of the "t" is in UNIX' save Text access feature.
• SUID (set user ID) and SGID (set group ID): represented by the character s in the user or group permission field. When this mode is set on an executable file, it will run with the user and group permissions on the file instead of with those of the user issuing the command, thus giving access to system resources. We will discuss this further in Chapter 4.
• SGID (set group ID) on a directory: in this special case every file created in the directory will have the same group owner as the directory itself (while normal behavior would be that new files are owned by the users who create them). This way, users don't need to worry about file ownership when sharing directories:
mimi:~> ls -ld /opt/docs
drwxrws--- 4 root users
4096 Jul 25 2001 docs/
mimi:~> ls -ld /opt/docs
drwxrws--- 4 root users
mimi:~> ls -l /opt/docs
-rw-rw---- 1 mimi users
345672 Aug 30 2001-Council.doc
mimi:~> ls -l /opt/docs
-rw-rw---- 1 mimi users
This is the standard way of sharing files in UNIX.
Existing files are left unchanged!
Files that are being moved to a SGID directory but were created elsewhere keep their original user and group owner. This may be confusing.
