Copyright (C) D Goel, 2003, 2004, 2005, onwards.
Author: D Goel
u = user, g = group, o = others. (and a = all)
| . | +r | +w | +x |
|---|---|---|---|
| DIRECTORY | can ls | can make new files | can cd to directory |
| FILE | Can read | can modify | Can execute |
[10] Other DANGEROUS things: If your directory is o+w, anyone can DELETE any of your files in that directory, even if file in question is marked o-w.
| . | SETUID | SETGID | STICKY BIT |
|---|---|---|---|
| DIRECTORY | no effect | new files get group, new dirs get setgid 2 | only owners can delete files3 |
| NONEXECUTABLE FILE | no effect | no effect | no effect |
| EXECUTABLE FILE | executed as if owner7 | executed as if were in that group8 | no effect |
| chmod | u+s | g+s | o+t |
| Example (when ALSO executable in that bit) | -rwsr-xr-x | -rwxr-sr-x | drwxr-xr-t |
| Example (when NOT executable in that bit) | -rwSr-xr-x | -rwxr-Sr-x | drwxr-xr-T |
[2]
a. New files in this directory get the SAME group as that of the directory, even though the owner may have a different primary group. Useful for sharing such things as /usr/local among the staff group.
b. To ensure recursivity, new directories in such a directory automatically get setgid too. (unless you manually override it, of course).
[3] This is an exception to (10) above. If a directory has o+w, everyone can delete files in that directory. But, if the sticky bit is set, then only the owners of the particular files can delete their own directories. Useful for, for example, /tmp, where anyone can create any files, but only the files' owners can delete their own files.
[7] executed as if owner: The program is run with all the rights that the owner of the program had. HENCE DANGEROUS. BTW, To execute, the person executing also, of course, needs the +x bit. Thus, if you want "others" to be able to execute a file as if they were you, you want to grant both those permissions: o+x and u+s.
[8] executed as if in that group: the program is run with all the group rights that the group of the program has. HENCE DANGEROUS
Of course, you can also chmod by giving the exact numbers, like: chmod 755 filename. For number conversion, write out 1 or 0 in each bit depending on whether that bit is checked. The resulting binary can be expressed in base 8 to get the base 8 code. The setuid, setgid and sticky bit form the base to the left. Thus, the binary numeric code looks like:
" [setuid setgid sticky] [user-readable user-writable user-executable] [group-readable group-writable group-executable] [others-readable others-writable others-executable]"
While listing the above binary code, I put square brackets around sets of 3, read off the numbers in the square brackets to read the octal code. So, the prescription is: Arrange the bits in the above order, write down the corresponding binary, and then convert it to octal. In practice, of course, you will do all that in your head, and skip writing out the binary part.
The following table illustrates the building blocks:
| . | Building Blocks | binary code | octal code |
|---|---|---|---|
| . | --S------ | 100 000 000 000 | 4000 |
| . | -----S--. | 010 000 000 000 | 2000 |
| . | --------T | 001 000 000 000 | 1000 |
| . | r-------- | 000 100 000 000 | 0400 |
| . | -w------- | 000 010 000 000 | 0200 |
| . | --x------ | 000 001 000 000 | 0100 |
| . | ---r----- | 000 000 100 000 | 0040 |
| . | ----w---- | 000 000 010 000 | 0020 |
| . | -----x--- | 000 000 001 000 | 0010 |
| . | ------r-- | 000 000 000 100 | 0004 |
| . | -------w- | 000 000 000 010 | 0002 |
| . | --------x | 000 000 000 001 | 0001 |
The above "building block" permissions seldom occur in practice, except perhaps for the 400 permission. Next, we list a few combinations made from the above building blocks:
| Description | Combinations | Octal Code |
|---|---|---|
| world/group readable/executable | rwxr-xr-x | 0755 |
| Setuid, world executable | rwsr-xr-x | 4755 |
| everything for self, nothing for others | rwx------ | 0700 |
We should clearly spell out what umask does.
A file's actual permission = (Intended permission) AND (NOT umask).
What is +/-X?
'chmod u+X file' makes the target +x executable by you only if the target is a directory. Thus, 'chmod -R u+X .' recursively makes all subdirectories executable, while leaving files alone. Making a directory executable means that you can now cd to it.
The material on this page may be freely distributed under the terms of GFDL.