linux-chmod.html

Linus guide, Linus guide, Linus guide,

<HTML>
<HEAD>
<TITLE>
	Using 'chmod'
</TITLE>

	<META NAME="Author" CONTENT="jbm">
	<META NAME="Description" CONTENT="Information on using chmod to set file permissions, focusing on use under Linux.">
	<META NAME="Keywords" CONTENT="Linux, chmod, file permissions, permissions, 0755, howto, how to, help, setting up, setup, linux">
</HEAD>

  <BODY BGCOLOR="#FFFFFF" TEXT="#000000">

    <H2><A NAME="0">Using <TT>chmod</TT></A></H2>
    <FONT SIZE="-1"><B>Author: <A HREF="mailto:jbm@intertek.net">jbm</A></B></FONT><BR>
    <FONT SIZE="-1"><B>Created on: August 27, 1998</B></FONT><BR>
    <FONT SIZE="-1"><B>Last modified: September 18, 1999</B></FONT><BR>
    <FONT SIZE="-1"><B>Status: Stable</B></FONT><BR>
    
    <P><TT><B>chmod</B></TT> has a bit of a bad reputation for being
    confusing. I'll be honest with you: at first, it makes very little
    sense.  You just have to be patient and try to understand the
    basics. This document aims to help you in gaining that
    understanding.</P>
      
    <H3><A NAME="1">Basic Unix Filesystem Security (UID, GID, and permissions)</A></H3>
    
    <P>Knowing the basic Unix filesystem security issues will help you
    dramatically. Explained here are concepts to make your
    understanding of these issues skyrocket. Well, that's what we'll
    try to do, anyway.</P>

    <H4><A NAME="2">UID/GID</A></H4>

    <P>In Unix, every user is a member of a group. For example, when
    you add a user, that user is normally a member of the group
    <TT><B>users</B></TT>.  Almost all users are members of the group
    <TT><B>users</B></TT>. Notable exceptions are normally members of
    <TT><B>wheel</B></TT> or <TT><B>admin</B></TT>, the administrative
    groups. Note that the computer doesn't &quot;see&quot; the
    username when it does anything, but it sees a user ID. A user ID
    is (technically) a number, while a username is a string associated
    with that number (in pseudo-C, it's char *usernames[userid]). The
    same holds true for groups and group IDs. User ID is normally
    abbreviated &quot;uid&quot; and group ID is normally abbreviated
    &quot;GID&quot;. I'll use these abbreviations throughout this
    document.</P>

    <H4><A NAME="3">Ownership</A></H4>

    <P>Each file in the directory structure is owned by a user. Each
    user is owned by a group. To keep things flexible, each file is
    <I>also</I> owned by a group - by default it's owned by the group
    that owns the user.</P>

    <H4><A NAME="4">Why This Stuff is Important: Permissions</A></H4>

    <P>Permissions define what users of various groups can do with the
    file.  There are three basic things you can do with any file: read
    from it, write to it, and execute it. Permissions is based on this
    concept, combined with UID/GID, and the hierarchy of
    users/groups.</P>

    <P>You set permissions using the <TT><B>chmod</B></TT> command,
    and you can do it one of two ways: with letters or with
    numbers. Numbers is the preferred method (fairly easy to use, once
    you get the hang of it). In fact, I feel that letters are about
    useless, unless you are doing advanced tasks (and by the time you
    know enough to need such functionality, you should be able to read
    man pages). Understand that I'm simplifying things a bit - for a
    better reference see <TT><B>man chmod</B></TT> - but this
    information should be enough to get you through most normal
    maintenance tasks.</P>

    <H3><A NAME="5"><TT>chmod</TT> by the Numbers</A></H3>

    <P>The basic format for chmod is <TT><B>chmod xyz
    file.foo</B></TT>. x, y, and z are each a number between 0 and
    7. Each number represents the permissions of a group - x is for
    the user that owns the file, y is for the group that owns the file
    (normally the user's group), and z is for everybody else. To
    determine the actual values for each number, you use the following
    method: start with x = 0.  If you want to be able to read from the
    file, add four. x can be 0 or 4 at this point in time. If you want
    to be able to write to the file, add two. x can now be 0, 2 (a
    write-only file??), 4 (read-only file), or 6 (read/write file). If
    you want to be able to execute the program, add one. You now have
    a full range of possible numbers:

    <PRE>
     Number  | Permissions
   ----------+---------------------------------------------------------------
       0     |   None - cannot read or write or execute 
       1     |   Can execute, but cannot read or write
       2     |   Write-only, cannot read or execute (??)
       3     |   Write-able/executable
       4     |   Read-only, cannot write to or execute
       5     |   Read-only executable, cannot write to
       6     |   Readable Writeable file, but not executable (ie: text file)
       7     |   Readable Writeable Executable file - most programs are this
    </PRE>

    <P>You use the same process to determine the number representing
    the permissions for the group that owns the file (y) and for the
    rest of the world (z). It's typically a bad idea to <TT><B>chmod
    777</B></TT> any file, as it allows the world to replace the
    program with whatever they'd like.</P>

    <P>Note that root can mess with files however they darn well
    please. When root uses <TT><B>chmod</B></TT> on a file, the
    ownerships do not change, but the permissions are changed. If you
    want to keep a user from accessing a file that they own, you must
    change the ownership to root (or anyone else, for that
    matter). You can change ownership using <TT><B>chown</B></TT>.</P>

    <P>Setting execute for a directory allows that directory to be
    read. That is, you can see what's in it. That is, if <TT>user</TT>
    does not have execute permissions for <TT>dir/</TT>, when
    <TT>user</TT> does <TT><B>ls dir/</B></TT>, <TT><B>ls</B></TT>
    will return an error and not list the files in that
    directory.</P>

    <H3><A NAME="6">chown</A></H3>

    <P><TT><B>chown</B></TT> is a lot simpler than
    <TT><B>chmod</B></TT>. You simply do <TT><B>chown
    new-owner. filename.foo</B></TT> as root and &quot;new-owner&quot;
    now owns the file and the file's group is set to new-owner's
    group. If you'd rather keep the group ownership the same, drop off
    the &quot;.&quot; after &quot;new-owner&quot;. You can change only
    group ownership with this, too: <TT><B>chown new-owner.new-group
    filename.foo</B></TT>. To just change the group ownership do
    <TT><B>chown <TT>.new-group</TT> filename.foo</B></TT> and it will
    leave the user ownership alone, while changing the group
    ownership.</P>

    <H3><A NAME="7">Security Considerations</A></H3>

    <P>Be careful. Don't give the world write access to anything
    executable and just generally &quot;think before you
    do&quot;. Neither I, the Guide, or anybody else takes
    responsibility if for some reason this document messes things up,
    either by my stupidity, <I>your stupidity</I>, or freak accident.
    Those <I>italics</I> are to emphasize that you should be careful
    to avoid stupid mistakes with chmod - it can and probably will
    create some small security holes, especially if misused or used
    carelessly. So be cautious.  End of security ramble.</P>

    <HR>

    <P><B><FONT SIZE="-1">Copyright (c)1998-9 <A
    HREF="mailto:jbm@intertek.net">jbm (jbm@intertek.net)</A>. All
    rights reserved. Permission to use, distribute, and copy this
    document is hereby granted. You may modify this document as long
    as credit to me is given.</FONT></B></P>

  </BODY>
</HTML>