BSD DevCenter


FreeBSD Basics

An Introduction to Unix Permissions -- Part Two


In last week's article, we looked at the three base permissions and the three specialty permissions. This week, we'll be using chmod to change permissions. You might want to reread last week's article, as we'll be implementing the concepts it introduced.

But first, never, ever, ever change the default permissions on the files and directories that came with your FreeBSD system. The creators of FreeBSD understand permissions; unless you are a systems administrator or a security engineer with a good reason to change these defaults, please leave well enough alone.

Instead, we'll be creating test directories and test files to practice with. Once you're comfortable with setting permissions, you'll be able to create your own directories and set their permissions according to your needs.

Let's start by taking a look at the chmod command. There are two modes of operation for chmod: absolute mode (which uses numbers) and symbolic mode (which uses letters).

In absolute mode, chmod uses four numbers to represent the following four sets of permissions:

  • Specialty permissions (SUID, SGID, directory sticky bit)
  • Base permissions for the owner of the file (rwx)
  • Base permissions for the primary group of the file (rwx)
  • Base permissions for everybody else (rwx)

Instead of using the letters r, w, x, s, or t, it uses the numbers 4, 2, and 1 in this order:

421 421 421 421

In the first set of numbers, 4 = SUID, 2 = SGID, and 1 = directory sticky bit. In the next three sets of numbers, 4 = read, 2 = write, and 1 = execute; again the order is owner, group, and everyone else. If a permission is to be denied, a 0 is used, not the - symbol.

So, if I wanted to set the SUID bit on a file, give its owner full access, and give the primary group and everyone else read and execute access, I would want permissions like this:

400 421 401 401

To set this using chmod, I must first total each set of permissions like so:

400 = 4+0+0 = 4
421 = 4+2+1 = 7
401 = 4+0+1 = 5
401 = 4+0+1 = 5

so I can tell chmod this:

chmod 4755 name_of_file

Let's try this and see if it works. As a regular user, cd into your home directory and create a test file. In this example, I am logged in as the user genisis; if I type cd without any arguments, I will be taken to genisis' home directory.

touch test
ls -la test

-rw-r--r--  1 genisis  wheel  0 Aug 19 11:27 test
chmod 4755 test
ls -la test

-rwsr-xr-x  1 genisis  wheel  0 Aug 19 11:27 test

Note that whoever creates a file becomes the owner of the file; the primary group of the file will be the primary group of the owner of the file. This is important as only the owner of the file (and root) can change the permissions of a file.

Now, how would you use chmod to change the file back to its original permissions? Let's see if we can do the math and get it to work. Our original permissions looked like this:

-rw-r--r--  1 genisis  wheel  0 Aug 19 11:27 test

There isn't an s, S, t, or T in the original permissions, so the first set will be 0 + 0 + 0 = 0.

The owner has rw which is 4 + 2 + 0 = 6.

The group has r which is 4 + 0 + 0 = 4.

Everyone else has r which is 4 + 0 + 0 = 4.

So let's see if the following works:

chmod 644 test
ls -la test
-rw-r--r--  1 genisis  wheel  0 Aug 19 11:27 test

Note that the following command would yield the same result:

chmod 0644 test

However, you can omit the 0 if it represents the specialty permissions.

Now let's try chmod in symbolic mode. The syntax for symbolic mode is a bit longer:

chmod who operator permission filename

where who can be:

  • u = user (owner)
  • g = group
  • o = others
  • a = all, or ugo

and operator can be:

  • + add this permission
  • - take away this permission
  • = make this permission equal to

and the permissions can be r, w, x, s, t, and X. Note that there is no capital S; if you want to keep the execute bit when you set the SUID or SGID bits, use both s and x. If you want to set the SUID bit, use s with a who of u; to set the SGID bit, use s with a who of g. To set the sticky bit, use t with a who of o.

Let's try our original example in symbolic mode. We started with:

-rw-r--r--  1 genisis  wheel  0 Aug 19 11:27 test

and want to end up with:

-rwsr-xr-x  1 genisis  wheel  0 Aug 19 11:27 test

so let's try this:

chmod a+sx test
ls -la test

-rwsr-sr-x  1 genisis  wheel  0 Aug 19 13:05 test

Close, but no cigar. Since we specified a who of a (or everyone), we set both the SUID and SGID bits. Let's try again:

rm test
touch test
chmod u+s go+x test

chmod: go+x: No such file or directory

We got a syntax error on that command because chmod expects the who, operator, and permissions to be a string of characters without any spaces. Whatever follows the space is interpreted as the name of the file whose permissions are being set. Let's try again:

chmod u+s,go+x test
ls -la test

-rwSr-xr-x  1 genisis  wheel  0 Aug 19 13:16 test

Almost there; we seem to have set the SUID bit and given everyone except the owner execute permission. One more try:

rm test
touch test
chmod u+sx,go+x test
ls -la test

-rwsr-xr-x  1 genisis  wheel  0 Aug 19 13:22 test

Success. You can see that it is a good idea to always double-check your permissions using ls -la after using the chmod command to make sure you actually set the permissions you intended.
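The script below is an added example, not part of the original article. It automates the 4-2-1 arithmetic from absolute mode and the double-check above by converting the permission string that ls prints back into a four-digit mode, so a stray S (SUID set without execute) shows up as 4655 instead of the intended 4755. The function names triplet_value, mode_from_ls, and verify_mode are this example's own.

```shell
#!/bin/sh
# Added example: turn an ls -l permission string into chmod absolute mode.

# triplet_value RWX: base value (0-7) of one owner/group/other set.
# A lowercase s or t in the third column means execute is set as well;
# an uppercase S or T means the specialty bit is set without execute.
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??x|??s|??t) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_from_ls STRING: prints the four-digit mode for e.g. -rwsr-xr-x.
mode_from_ls() {
    if [ "${#1}" -ne 10 ]; then
        echo "expected 10 characters, got: $1" >&2
        return 1
    fi
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    special=0
    case "$u" in ??s|??S) special=$((special + 4)) ;; esac   # SUID
    case "$g" in ??s|??S) special=$((special + 2)) ;; esac   # SGID
    case "$o" in ??t|??T) special=$((special + 1)) ;; esac   # sticky
    echo "$special$(triplet_value "$u")$(triplet_value "$g")$(triplet_value "$o")"
}

# verify_mode FILE EXPECTED: re-read the mode with ls and compare it.
verify_mode() {
    actual=$(mode_from_ls "$(ls -ld "$1" | cut -c1-10)") || return 1
    if [ "$actual" != "$2" ]; then
        echo "$1: mode is $actual, wanted $2" >&2
        return 1
    fi
}

# Permission strings taken from the listings in this article.
for p in -rw-r--r-- -rwsr-xr-x -rwsr-sr-x -rwSr-xr-x; do
    printf '%s = %s\n' "$p" "$(mode_from_ls "$p")"
done
```

After any chmod, a call such as verify_mode test 4755 returns non-zero and prints the actual mode if the file did not end up with the permissions you intended.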
