April 11, 2011, 4:52 p.m.
posted by sussel
chmod: Changing a File's Permissions
When you create a file, its initial permissions depend on your umask value (which is discussed later). You can change a file's permissions with the chmod command or the chmod( ) system call. You can change a file's permissions only if you are the file's owner. The one exception to this rule is the superuser: if you are logged in as the superuser, you can change the permissions of any file.
In its simplest form, the chmod command lets you specify which of a file's permissions you wish to change. This usage is called symbolic form. The symbolic form of the chmod command has the form:
chmod [-Rfh] [agou][+-=][rwxXstugol] filelist
This command changes the permissions of filelist, which can be either a single file or a group of files. The letters agou specify whose privileges are being modified. You may provide none, one, or more, as shown in Figure.
The symbols specify what is supposed to be done with the privilege. You must type only one symbol, as shown in Figure.
The last letters specify which privilege will be modified, as shown in Figure.
In versions that support it, the -R option causes the chmod command to run recursively. If you specify a directory in filelist, that directory's permissions change, as do all of the files contained in that directory. If the directory contains any subdirectories, the process is repeated.
In versions that support it, the -f option prevents chmod from reporting any errors encountered. This processing is sometimes useful in shell scripts if you don't know whether the filelist exists or if you don't want to generate an error message.
The -h option is specified in some systems to change how chmod works with symbolic links. If the -h option is specified and one of the arguments is a symbolic link, the permissions of the file or directory pointed to by the link are not changed.
The symbolic form of the chmod command is useful if you only want to add or remove a specific privilege from a file. For example, if Sian wanted to give everybody in her group write permission to the file notes, she could issue the command:
% ls -l notes -rw-r--r-- 1 sian biochem 4320 Feb 9 13:20 notes % chmod g+w notes % ls -l notes -rw-rw-r-- 1 sian biochem 4320 Feb 9 13:20 notes %
To change this file further so people who aren't in her group can't read it, she could use the command:
% chmod o-r notes % ls -l notes -rw-rw---- 1 sian biochem 4320 Feb 9 13:20 notes %
To change the permissions of the invoice file so nobody else on the system can read or write it, Sian could use the command:
% chmod go= invoice % ls -l invoice -rw------- 1 sian user 4320 Feb 9 13:20 invoice % date Sun Feb 10 00:32:55 EST 1991 %
1 Setting a File's Permissions
You can also use the chmod command to set a file's permissions, without regard to the settings that existed before the command was executed. This format is called the absolute form of the chmod command. The absolute form of chmod has the syntax:
% chmod [-Rfh] mode filelist
in which the options have the following meanings:
To use this form of the chmod command, you must calculate the octal value of the file permissions that you want. The next section describes how to do this.
1.1 Calculating octal file permissions
chmod allows you to specify a file's permissions with a four-digit octal number. You calculate the number by adding the permissions. Use Figure to determine the octal number that corresponds to each file permission.
Thus, a file with the permissions "-rwxr-x—-" has a mode of 0750, calculated as follows:
Figure contains some common file permissions and their uses.
Figure contains some common directory permissions and their uses.
1.2 Using octal file permissions
After you have calculated the octal file permission that you want, you can use the chmod command to set the permissions of files you own.
For example, to make all of the C language source files in a directory writable by the owner and readable by everybody else, type the command:
% chmod 644 *.c % ls -l *.c -rw-r--r-- 1 kevin okisrc 28092 Aug 9 9:52 cdrom.c -rw-r--r-- 1 kevin okisrc 5496 Aug 9 9:52 cfs_subr.c -rw-r--r-- 1 kevin okisrc 5752 Aug 9 9:52 cfs_vfsops.c -rw-r--r-- 1 kevin okisrc 11998 Aug 9 9:53 cfs_vnodeops.c -rw-r--r-- 1 kevin okisrc 3031 Aug 9 9:53 load_unld.c -rw-r--r-- 1 kevin okisrc 1928 Aug 9 9:54 Unix_rw.c -rw-r--r-- 1 kevin okisrc 153 Aug 9 9:54 vers.c %
To change the permissions of a file so it can be read or modified by anybody in the file's group, but can't be read or written by anybody else in the system, type the command:
% chmod 660 memberlist % ls -l memberlist -rw-rw---- 1 kevin okisrc 153 Aug 10 8:32 memberlist %
2 Access Control Lists
ACLs are a mechanism for providing fine-grained control over the access to files. Without ACLs, the only way that you can grant permission to a single person or a group of people to access a specific file or directory is to create a group for that person or group of people. With ACLs you can grant the access directly. For example, you can allow four different groups to a read a file without making it world-readable, or allow two users to create files in a directory without putting them in a group together.
Many Unix vendors (most notably IBM and HP) developed their own proprietary ACL implementations in the mid to early 1990s. In the 1990s the POSIX 1.e committee developed a working draft for a standard ACL implementation. Unfortunately, after 13 years of work, the IEEE/PASC/SEC working group formally withdrew the POSIX 1.e draft from the standards process on January 15, 1998. You can read the last draft at http://wt.xpilot.org/publications/posix.1e/.
Despite the decision to withdraw the draft, it continues to serve as a basis for adding ACLs to the Unix operating system. Parts of this implementation were implemented in the Solaris and FreeBSD operating systems. Although ACL support is not yet in the standard Linux kernel, a set of patches for implementing it has been written by Andreas Grünbacher, and is available at http://acl.bestbits.at/.