Changing File Permissions

Use the chmod (Change Mode) command to change the permissions for a file. Permission can be defined on the chmod command line in either numeric or symbolic formats. For example:

$ ls -l trace.txt
-rw-r--r-- 1 craig craig 1349 May 3 2000 trace.txt
$ chmod g+w,o-r trace.txt
$ ls -l trace.txt
-rw-rw---- 1 craig craig 1349 May 3 2000 trace.txt

The first ls command shows the current permissions assigned to the file trace.txt, which are owner read/write, group read, and world read. The chmod command uses the symbolic format for defining permissions. g+w tells chmod to use the current group permissions and add write permission, and o-r tells chmod to use the current world (or other) permissions and subtract read permission. The second ls command shows the effect that this chmod command has on the trace.txt file permissions.

The symbolic chmod format has three fields. The first defines whether the permission is being set for the owner, group, world, or all three. u sets permission for the owner, which is also called the user. g sets permission for the group. o sets permission for the world, which is also called other. And a sets permissions for the owner, group, and world.

The second field defines how the permissions are applied. Permissions can be added to the existing permissions by placing a + in the second field, subtracted from the existing permissions by using a -, or made to replace the existing permissions by using an = in the second field.

The third field defines the specific permissions. r, w, and x are read, write, and execute, respectively. s is used for SetUID and SetGID permissions. t sets the sticky bit. (See the sidebar "Hidden Bits" for more information about these permissions.) Additionally, the permissions that are already defined for the owner, group, or world can be assigned to one of the other groupings by using u, g, or o in the permission field. For example, g=u would set the group permissions to exactly the same values that were previously defined for the owner permissions.
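To make the symbolic rules above (and the numeric form discussed next) concrete, here is an added example that is not from the book: it evaluates a chmod mode string against a starting mode the way chmod does, including the s, t and copy-from-class (g=u) forms. The function names are my own, and the handling of = as clearing that class's hidden bit as well as its rwx bits is my reading of the POSIX semantics.

```python
import stat
# Permission bits for each class, in read, write, execute order.
CLASS_BITS = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}
# The hidden bit that belongs to each class: SetUID, SetGID, sticky.
SPECIAL_BIT = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}

def _perm_bits(who, perms, mode):
    """Translate the third field (r, w, x, s, t, or a copy of u/g/o) into bits for class `who`."""
    bits = 0
    for p in perms:
        if p in "rwx":
            bits |= CLASS_BITS[who]["rwx".index(p)]
        elif p == "s":              # SetUID for u, SetGID for g; s means nothing for o
            bits |= SPECIAL_BIT[who] if who != "o" else 0
        elif p == "t":              # the sticky bit
            bits |= stat.S_ISVTX
        elif p in CLASS_BITS:       # copy another class's current rwx bits, e.g. g=u
            bits |= sum(d for s, d in zip(CLASS_BITS[p], CLASS_BITS[who]) if mode & s)
        else:
            raise ValueError(f"unknown permission {p!r}")
    return bits

def apply_mode(mode, spec):
    """Return the mode that 'chmod <spec>' would leave on a file currently at `mode`.
    `spec` is numeric ("640", "4771") or symbolic ("g+w,o-r", "g=u", "u+s", "+t")."""
    if spec.isdigit():
        return int(spec, 8)         # the numeric form replaces all twelve bits at once
    for clause in spec.split(","):
        n = 0
        while n < len(clause) and clause[n] in "ugoa":
            n += 1
        who = clause[:n] or "a"     # an empty first field means all three classes
        classes = "ugo" if "a" in who else who
        if n == len(clause) or clause[n] not in "+-=":
            raise ValueError(f"bad clause {clause!r}")
        op, perms = clause[n], clause[n + 1:]
        base = mode                 # copies such as g=u read the mode before this clause
        for c in classes:
            new = _perm_bits(c, perms, base)
            if op == "+":
                mode |= new
            elif op == "-":
                mode &= ~new
            else:                   # = replaces the class's rwx bits and its special bit
                mode = (mode & ~(sum(CLASS_BITS[c]) | SPECIAL_BIT[c])) | new
    return mode
```

Running apply_mode(0o644, "g+w,o-r") reproduces the trace.txt listing above (0o660), and apply_mode(0o640, "g=u") gives the group exactly the owner's read/write bits.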

Of course, chmod permissions do not have to be defined symbolically. Numeric permission can also be used. For example:

$ chmod 777 test.pl
$ ls -l test.pl
-rwxrwxrwx 1 craig users 16513 May 18 14:22 test.pl

In this example, the permission is changed to 777, which grants read, write, and execute permissions to the owner, to the group, and to the world. The ls -l command illustrates what this full array of permissions looks like in a directory listing. It is unlikely, however, that you will want to grant such liberal permissions. It is more likely that you will want to offer less than the 644 you saw earlier, particularly if you don't want everyone who logs in to the system to be able to read your private files. To prevent those outside your group from reading your report before it is released, you might use the following setting:

$ chmod 640 report.txt
$ ls -l report.txt

-rw-r----- 1 craig users 16513 May 18 14:22 report.txt

This setting permits the owner to read and write the file and the other members of the group to read the file, but it blocks general users from accessing the file at all. This is better, but it is still not enough. The problem is that the group to which this file is assigned is too broad.

Hidden Bits

So far, this discussion of file permissions is limited to user file permissions. Read, write, and execute are types of permission granted to various classes of users. There are also some permissions that are used to grant special privileges to executable files. These permissions are the following:

• Sticky bit, which permits the program to remain in memory after execution. The Sticky bit is an artifact of an earlier age; programs don't really need to stay in memory anymore. A more common use for the Sticky bit is to use it with directories instead of files. When used with a directory, users may delete only files for which they have specific write permission, even if they have directory write permission.

• SetGID, which permits the program to set the group ID it runs under on execution. When used on a directory, SetGID means that all files created in the directory belong to the directory's group by default.

• SetUID, which permits the program to set the user ID it runs under on execution.

These three permissions create another group of three permission bits. The Sticky bit is set by the value 1 (binary 001), the SetGID permission is set by value 2 (binary 010), and the SetUID permission is set by value 4 (binary 100). All are set by placing a fourth digit at the beginning of the file permission value. Therefore, to grant a file SetUID permission; read, write, and execute permissions for the owner and the group; and execute permission for the world, you would use the value 4771 with the chmod command. 4 sets the SetUID permission, the first 7 sets the owner permission, the second 7 sets the group permission, and the 1 sets the world permission.

At first glance, these permissions don't appear to have a place in the three-character display (rwx) shown in Listing 9.1. But that's not really true. ls shows all of these permissions as alternate values in the execution bit:

• If the Sticky bit is set, an uppercase letter "T" appears in the world execute permission field.

• If both world execute and the Sticky bit are set, a lowercase letter "t" appears in the world execute permission field.

• If SetGID is set, an uppercase letter "S" appears in the group execute permission field.

• If both group execute and the SetGID bit are set, a lowercase letter "s" appears in the group execute permission field.

• If SetUID is set, an uppercase letter "S" appears in the owner execute permission field.

• If both owner execute and the SetUID bit are set, a lowercase letter "s" appears in the owner execute permission field.

Be careful when granting programs SetUID and SetGID permissions. If these programs are owned by the root user, they can have a great deal of power over the system. If the programs are incorrectly written, they can be exploited by an intruder and compromise your entire system.
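The six display rules above, together with the warning about SetUID and SetGID programs, as an added example that is not part of the book: render_perms reproduces the ls -l permission columns including the S/s and T/t substitutions, and find_special is my own inventory routine for the programs the last paragraph warns about (the /usr/bin path in the main block is only a convenient place to point it).

```python
import os
import stat

# (read, write, execute, hidden bit, letter ls shows in the execute column when the hidden bit is set)
COLUMNS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
)

def render_perms(mode):
    """Render the nine permission characters the way ls -l does, folding the hidden
    bits into the execute columns: lowercase when execute is also set, uppercase when not."""
    out = []
    for r, w, x, hidden, letter in COLUMNS:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & hidden:
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)

def special_bit_risk(mode, uid):
    """Defender's classification of a file's hidden bits. A SetUID or SetGID program
    owned by root runs with root's identity for anyone allowed to execute it."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return None                 # directories and files without either bit: nothing to flag
    return "root" if uid == 0 else "non-root"

def find_special(root):
    """Walk `root` without following symlinks and list SetUID/SetGID programs, the
    inventory a periodic integrity check would keep and diff against the last run."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:         # vanished or unreadable entry: skip, keep scanning
                continue
            risk = special_bit_risk(st.st_mode, st.st_uid)
            if risk:
                found.append((path, render_perms(st.st_mode), risk))
    return found

if __name__ == "__main__":          # quick look at a real tree; any directory will do
    for path, perms, risk in find_special("/usr/bin"):
        print(perms, risk, path)
```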
