Mandalika's scratchpad


Monday, October 18, 2004
 
UNIX/Linux: File Permissions (chmod)

A file's permissions are also known as its 'mode'; so to change them we need to use the 'chmod' command (change mode). There are two ways of specifying the new permissions using chmod: symbolic and absolute.

Absolute Mode
Absolute mode is the one with the numbers. You can use simple arithmetic to arrive at the permission you are looking for. Consider:

+-----------------------------+-----------------------------+-----------------------------+
|            owner            |            group            |          everyone           |
+---------+---------+---------+---------+---------+---------+---------+---------+---------+
|  read   |  write  | execute |  read   |  write  | execute |  read   |  write  | execute |
+---------+---------+---------+---------+---------+---------+---------+---------+---------+
|   400   |   200   |   100   |   40    |   20    |   10    |    4    |    2    |    1    |
+---------+---------+---------+---------+---------+---------+---------+---------+---------+
So just add the appropriate mode numbers to arrive at the desired permission. It may be easier to consider each entity as a single digit (the sum of its read, write and execute values), in the usual order: owner, group, other. As always, this theory is best understood with some examples. Let's imagine a hypothetical file named 'myscript'. 'myscript' is a shell script that we are writing that performs a useful function. When we first create it we don't want others to mess around with it, so we set some restrictive permissions while writing it:

[techno@Govinda]$ chmod 600 myscript
[techno@Govinda]$ ls -l myscript
-rw------- 1 techno users 192 Feb 6 14:55 myscript

Now let us imagine that we need some help with our script, so we make it available to our programmer friend, who just happens to belong to a group called 'web'. We need to change the group, and change the group permissions:

[techno@Govinda]$ chgrp web myscript
[techno@Govinda]$ chmod 660 myscript
[techno@Govinda]$ ls -l myscript
-rw-rw---- 1 techno web 192 Feb 6 14:55 myscript

Our script is now almost done, and we want to test it. We need it to be executable:

[techno@Govinda]$ chmod 770 myscript
[techno@Govinda]$ ls -l myscript
-rwxrwx--- 1 techno web 192 Feb 6 14:55 myscript

Our script is now perfect. We are going to make the script available for all users to run, and we want them to be able to see our handiwork, so we'll let everybody read and execute it. We don't want users changing it, however, so they don't get write permission:

[techno@Govinda]$ chmod 775 myscript
[techno@Govinda]$ ls -l myscript
-rwxrwxr-x 1 techno web 192 Feb 6 14:55 myscript
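To check the arithmetic in the other direction, here is an added example (not from the original post) that converts the mode column of 'ls -l' back into the absolute-mode number from the table. It goes a little beyond the text by also decoding the setuid, setgid and sticky characters ('s', 'S', 't', 'T') into the leading digit.

```shell
#!/bin/sh
# Added example, not from the original post: turn the mode column of `ls -l`
# back into the absolute-mode number from the table (owner, group, everyone,
# with read=4, write=2, execute=1 in each slot).  The s/t characters of the
# setuid, setgid and sticky bits become the leading digit (4, 2 and 1).
#   mode_to_octal '-rwxrwxr-x'  -> 775
#   mode_to_octal '-rwsr-xr-x'  -> 4755
mode_to_octal() {
    m=$1
    m=${m%[.+]}                     # ls may append '.' or '+' for SELinux/ACL info
    [ ${#m} -eq 10 ] && m=${m#?}    # drop the file-type character (-, d, l ...)
    if [ ${#m} -ne 9 ]; then
        echo "mode_to_octal: expected 9 or 10 characters, got '$1'" >&2
        return 1
    fi
    case $m in *[!rwxsStT-]*)
        echo "mode_to_octal: unexpected character in '$1'" >&2; return 1 ;;
    esac
    special=0 digits=
    for who in 1 2 3; do            # owner, group, everyone, in that order
        start=$(( (who - 1) * 3 + 1 ))
        triplet=$(printf '%s' "$m" | cut -c "$start-$((start + 2))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac   # lowercase s/t imply x
        # 's' or 'S' in the owner slot is setuid (4), in the group slot setgid (2);
        # 't' or 'T' in the last slot is the sticky bit (1).  Uppercase means the
        # special bit is set but the execute bit is not.
        case $who$triplet in
            1??[sS]) special=$((special + 4)) ;;
            2??[sS]) special=$((special + 2)) ;;
            3??[tT]) special=$((special + 1)) ;;
        esac
        digits=$digits$n
    done
    [ "$special" -eq 0 ] && special=   # print 775 rather than 0775
    printf '%s%s\n' "$special" "$digits"
}
```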

SETUID

Normally, when a program is run it inherits all the rights and restrictions of the user that executed it. If a user can't read /var/log/messages, then neither can any program or script executed by that user. There is a way around this: we again use the chmod command, but add a '4' at the beginning of the permission string. For example:

chmod 4755 myscript

This would execute 'myscript' with the permissions of the file's owner (such as root, if the file is owned by root), and not those of the normal user executing 'myscript'. As you can imagine, this should be used sparingly, if at all, as it defeats the normal permission structure and can lead to security issues.

SETGID

The setgid bit works the same way, except that instead of applying to the file's owner, it applies to the file's group setting. The chmod command is used again, prefixing a '2' as the first digit.

chmod 2755 myscript

Relative Mode
As the name implies, relative mode (the symbolic mode mentioned above) only changes permissions relative to the current permissions. That is, you can add or remove permissions from the existing ones. The format is pretty much the same as absolute mode: 'chmod [new_mode] file'. It is only the mode that is different.

We have three parts, which, for lack of better terms, are '[entity][operator][permissions]'. The entities describe who gets the permissions. They are:

* 'u': user, the file's owner
* 'g': group, the file's group
* 'o': other, everybody else
* 'a': all, all three together

The operators decide whether we add, remove, or emulate absolute mode (i.e. describe permissions from scratch). They are:

* '+' : add permissions
* '-': remove permissions
* '=': emulate absolute mode

The permissions we have already seen; they are nothing new:

* 'r' : read permission
* 'w': write permission
* 'x': execute permission

There are actually quite a few more options available, but they should not be necessary for casual use. Perhaps some more examples are in order.

chmod a+x filename # adds execute permissions to all
chmod u+x filename # adds execute permissions to the file's owner
chmod ug+w filename # adds write permissions to the file's owner and group
chmod o-rwx filename # removes read, write, and execute permissions from other
chmod a=rx filename # creates a 555 permission from scratch

As you can see, pretty much any combination is valid as long as you follow the '[entity][operator][permissions]' formula.
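The formula can be worked through mechanically. This added example (not from the original post) computes the numeric mode that a symbolic chmod spec would produce from a given starting mode; going beyond the examples above, it also accepts comma-separated clauses such as 'u+x,go=' the way chmod does. Umask and the special bits are left out.

```shell
#!/bin/sh
# Added example, not from the original post: apply a symbolic chmod spec
# ([entity][operator][permissions], optionally several separated by commas)
# to a numeric mode and print the result.  Only the rwx bits are handled;
# umask and the setuid/setgid/sticky bits are ignored.
#   apply_symbolic 644 'ug+w'  -> 664
apply_symbolic() {
    mode=$((0$1 & 0777))      # the leading 0 makes the shell read the digits as octal
    clauses=$2
    while [ -n "$clauses" ]; do
        spec=${clauses%%,*}   # take one clause at a time
        case $clauses in *,*) clauses=${clauses#*,} ;; *) clauses= ;; esac
        who=${spec%%[+=-]*}   # entity letters before the operator
        rest=${spec#"$who"}
        op=${rest%"${rest#?}"}  # the operator is the first remaining character
        perms=${rest#?}
        [ -z "$who" ] && who=a  # chmod treats a missing entity as 'a' (minus umask)
        case $who in *[!ugoa]*) echo "bad entity in '$spec'" >&2; return 1 ;; esac
        case $op in [+=-]) ;; *) echo "missing operator in '$spec'" >&2; return 1 ;; esac
        case $perms in *[!rwx]*) echo "bad permission in '$spec'" >&2; return 1 ;; esac
        bits=0                # r/w/x as a 3-bit value, same weights as the table
        case $perms in *r*) bits=$((bits | 4)) ;; esac
        case $perms in *w*) bits=$((bits | 2)) ;; esac
        case $perms in *x*) bits=$((bits | 1)) ;; esac
        # mask: the requested bits placed in each selected entity's slot;
        # field: every bit of those slots, used by '=' to start from scratch
        mask=0 field=0
        case $who in *[ua]*) mask=$((mask | bits << 6)) field=$((field | 0700)) ;; esac
        case $who in *[ga]*) mask=$((mask | bits << 3)) field=$((field | 070)) ;; esac
        case $who in *[oa]*) mask=$((mask | bits))      field=$((field | 07)) ;; esac
        case $op in
            +) mode=$((mode | mask)) ;;
            -) mode=$((mode & ~mask)) ;;
            =) mode=$(((mode & ~field) | mask)) ;;   # wipe the slot, then set
        esac
    done
    printf '%03o\n' "$mode"
}
```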

THE STICKY BIT

UNIX/Linux directory access permissions say that if a user has write permission on a directory, they can rename or remove files there, even if the files don't belong to them. When the owner of the directory sets the sticky bit, renames and removals are only allowed by the file's owner, the directory's owner and the root user.

chmod +t /tmp    # to set the sticky bit
chmod -t /tmp    # to remove the sticky bit
or
chmod 1755 /tmp  # prefix a '1' to set the sticky bit (this also sets the rwx bits; /tmp is normally 1777)

Setting the sticky bit on files was once used to force a copy of the file to stay in swap space, in an attempt to speed up execution the next time the file was used. This hasn't been used in quite some time, due to advances in memory management. You can still set the sticky bit on a file, but the kernel will just ignore it.
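From the defender's side, the three special bits above are exactly what one audits for. This added example (not from the original post) lists setuid files, setgid files and world-writable directories that lack the sticky bit under a given tree, using only POSIX find options; the function name and output format are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit the three special bits
# under a directory tree.  Uses only POSIX find options; "-perm -MODE" matches
# entries that have every bit of MODE set, so "-perm -0002 ! -perm -1000" finds
# directories anybody can write to that do NOT have the sticky bit.
#   audit_special_bits /usr/local
audit_special_bits() {
    root=${1:-/}
    if [ ! -d "$root" ]; then
        echo "audit_special_bits: '$root' is not a directory" >&2
        return 1
    fi
    # setuid programs run as their owner (chmod 4xxx), setgid ones as their group (2xxx)
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/setuid: /'
    find "$root" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/setgid: /'
    # a world-writable directory without the sticky bit lets any user delete or
    # rename anyone else's files in it (-xdev stays on one file system)
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null \
        | sed 's/^/world-writable-no-sticky: /'
}
```

Note that Linux ignores the setuid and setgid bits on interpreted scripts (files starting with '#!'), so a script like 'myscript' with mode 4755 is reported here but still runs as the invoking user; the hits that matter are compiled binaries.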

Reference:
linuxquestions.org



