| @c File mode bits |
|
|
| @c Copyright (C) 1994 |
|
|
| @c Permission is granted to copy, distribute and/or modify this document |
| @c under the terms of the GNU Free Documentation License, Version 1.3 or |
| @c any later version published by the Free Software Foundation; with no |
| @c Invariant Sections, with no Front-Cover Texts, and with no Back-Cover |
| @c Texts. A copy of the license is included in the ``GNU Free |
| @c Documentation License'' file as part of this distribution. |
|
|
| Each file has a set of @dfn{file mode bits} that control the kinds of |
| access that users have to that file. They can be represented either in |
| symbolic form or as an octal number. |
|
|
| @menu |
| * Mode Structure:: Structure of file mode bits. |
| * Symbolic Modes:: Mnemonic representation of file mode bits. |
| * Numeric Modes:: File mode bits as octal numbers. |
| * Operator Numeric Modes:: ANDing, ORing, and setting modes octally. |
| * Directory Setuid and Setgid:: Set-user-ID and set-group-ID on directories. |
| @end menu |
|
|
| @node Mode Structure |
| @section Structure of File Mode Bits |
|
|
| The file mode bits have two parts: the @dfn{file permission bits}, |
| which control ordinary access to the file, and @dfn{special mode |
| bits}, which affect only some files. |
|
|
| There are three kinds of permissions that a user can have for a file: |
|
|
| @enumerate |
| @item |
| @cindex read permission |
| permission to read the file. For directories, this means permission to |
| list the contents of the directory. |
| @item |
| @cindex write permission |
| permission to write to (change) the file. For directories, this means |
| permission to create and remove files in the directory. |
| @item |
| @cindex execute/search permission |
| permission to execute the file (run it as a program). For directories, |
| this means permission to access files in the directory. |
| @end enumerate |
|
|
| There are three categories of users who may have different permissions |
| to perform any of the above operations on a file: |
|
|
| @enumerate |
| @item |
| the file's owner; |
| @item |
| other users who are in the file's group; |
| @item |
| everyone else. |
| @end enumerate |
|
|
| @cindex owner, default |
| @cindex group owner, default |
| Files are given an owner and group when they are created. Usually the |
| owner is the current user and the group is the group of the directory |
| the file is in, but this varies with the operating system, the |
| file system the file is created on, and the way the file is created. You |
| can change the owner and group of a file by using the @command{chown} and |
| @command{chgrp} commands. |
|
|
| In addition to the three sets of three permissions listed above, the |
| file mode bits have three special components, which affect only |
| executable files (programs) and, on most systems, directories: |
|
|
| @table @asis |
| @item The @dfn{set-user-ID bit} (@dfn{setuid bit}). |
| @cindex set-user-ID |
| @cindex setuid |
| On execution, set the process's effective user ID to that of the file. |
| For directories on a few systems, give files created in the directory |
| the same owner as the directory, no matter who creates them, and set |
| the set-user-ID bit of newly-created subdirectories. |
|
|
| @item The @dfn{set-group-ID bit} (@dfn{setgid bit}). |
| @cindex set-group-ID |
| @cindex setgid |
| On execution, set the process's effective group ID to that of the file. |
| For directories on most systems, give files created in the directory |
| the same group as the directory, no matter what group the user who |
| creates them is in, and set the set-group-ID bit of newly-created |
| subdirectories. |
|
|
| @item The @dfn{restricted deletion flag} or @dfn{sticky bit}. |
| @cindex sticky |
| @cindex swap space, saving text image in |
| @cindex text image, saving in swap space |
| @cindex restricted deletion flag |
| Prevent unprivileged users from removing or renaming a file in a directory |
| unless they own the file or the directory; this is commonly |
| found on world-writable directories like @file{/tmp}. |
| For regular files on some older systems, save the program's text image on the |
| swap device so it will load more quickly when run, so that the image |
| is ``sticky''. |
| @end table |
|
|
| In addition to the file mode bits listed above, there may be file attributes |
| specific to the file system, e.g., access control lists (ACLs), whether a |
| file is compressed, whether a file can be modified (immutability), and whether |
| a file can be dumped. These are usually set using programs |
| specific to the file system. For example: |
| @c should probably say a lot more about ACLs... someday |
|
|
| @table @asis |
| @item ext2 |
| On GNU and GNU/Linux the file attributes specific to |
| the ext2 file system are set using @command{chattr}. |
|
|
| @item FFS |
| On FreeBSD the file flags specific to the FFS |
| file system are set using @command{chflags}. |
| @end table |
|
|
| Even if a file's mode bits allow an operation on that file, |
| that operation may still fail, because: |
|
|
| @itemize |
| @item |
| the file-system-specific attributes or flags do not permit it; or |
|
|
| @item |
| the file system is mounted as read-only. |
| @end itemize |
|
|
| For example, if the immutable attribute is set on a file, |
| it cannot be modified, regardless of the fact that you |
| may have just run @code{chmod a+w FILE}. |
|
|
| @node Symbolic Modes |
| @section Symbolic Modes |
|
|
| @cindex symbolic modes |
| @dfn{Symbolic modes} represent changes to files' mode bits as |
| operations on single-character symbols. They allow you to modify either |
| all or selected parts of files' mode bits, optionally based on |
| their previous values, and perhaps on the current @code{umask} as well |
| (@pxref{Umask and Protection}). |
|
|
| The format of symbolic modes is: |
|
|
| @example |
| @r{[}ugoa@dots{}@r{][}-+=@r{]}@var{perms}@dots{}@r{[},@dots{}@r{]} |
| @end example |
|
|
| @noindent |
| where @var{perms} is either zero or more letters from the set |
| @samp{rwxXst}, or a single letter from the set @samp{ugo}. |
|
|
| The following sections describe the operators and other details of |
| symbolic modes. |
|
|
| @menu |
| * Setting Permissions:: Basic operations on permissions. |
| * Copying Permissions:: Copying existing permissions. |
| * Changing Special Mode Bits:: Special mode bits. |
| * Conditional Executability:: Conditionally affecting executability. |
| * Multiple Changes:: Making multiple changes. |
| * Umask and Protection:: The effect of the umask. |
| @end menu |
|
|
| @node Setting Permissions |
| @subsection Setting Permissions |
|
|
| The basic symbolic operations on a file's permissions are adding, |
| removing, and setting the permission that certain users have to read, |
| write, and execute or search the file. These operations have the following |
| format: |
|
|
| @example |
| @var{users} @var{operation} @var{permissions} |
| @end example |
|
|
| @noindent |
| The spaces between the three parts above are shown for readability only; |
| symbolic modes cannot contain spaces. |
|
|
| The @var{users} part tells which users' access to the file is changed. |
| It consists of one or more of the following letters (or it can be empty; |
| @pxref{Umask and Protection}, for a description of what happens then). When |
| more than one of these letters is given, the order that they are in does |
| not matter. |
|
|
| @table @code |
| @item u |
| @cindex owner of file, permissions for |
| the user who owns the file; |
| @item g |
| @cindex group, permissions for |
| other users who are in the file's group; |
| @item o |
| @cindex other permissions |
| all other users; |
| @item a |
| all users; the same as @samp{ugo}. |
| @end table |
|
|
| The @var{operation} part tells how to change the affected users' access |
| to the file, and is one of the following symbols: |
|
|
| @table @code |
| @item + |
| @cindex adding permissions |
| to add the @var{permissions} to whatever permissions the @var{users} |
| already have for the file; |
| @item - |
| @cindex removing permissions |
| @cindex subtracting permissions |
| to remove the @var{permissions} from whatever permissions the |
| @var{users} already have for the file; |
| @item = |
| @cindex setting permissions |
| to make the @var{permissions} the only permissions that the @var{users} |
| have for the file. |
| @end table |
|
|
| The @var{permissions} part tells what kind of access to the file should |
| be changed; it is normally zero or more of the following letters. As with the |
| @var{users} part, the order does not matter when more than one letter is |
| given. Omitting the @var{permissions} part is useful only with the |
| @samp{=} operation, where it gives the specified @var{users} no access |
| at all to the file. |
|
|
| @table @code |
| @item r |
| @cindex read permission, symbolic |
| the permission the @var{users} have to read the file; |
| @item w |
| @cindex write permission, symbolic |
| the permission the @var{users} have to write to the file; |
| @item x |
| @cindex execute/search permission, symbolic |
| the permission the @var{users} have to execute the file, |
| or search it if it is a directory. |
| @end table |
|
|
| For example, to give everyone permission to read and write a regular file, |
| but not to execute it, use: |
|
|
| @example |
| a=rw |
| @end example |
|
|
| To remove write permission for all users other than the file's |
| owner, use: |
|
|
| @example |
| go-w |
| @end example |
|
|
| @noindent |
| The above command does not affect the access that the owner of |
| the file has to it, nor does it affect whether other users can |
| read or execute the file. |
|
|
| To give everyone except a file's owner no permission to do anything with |
| that file, use the mode below. Other users could still remove the file, |
| if they have write permission on the directory it is in. |
|
|
| @example |
| go= |
| @end example |
|
|
| @noindent |
| Another way to specify the same thing is: |
|
|
| @example |
| og-rwx |
| @end example |
|
|
| @node Copying Permissions |
| @subsection Copying Existing Permissions |
|
|
| @cindex copying existing permissions |
| @cindex permissions, copying existing |
| You can base a file's permissions on its existing permissions. To do |
| this, instead of using a series of @samp{r}, @samp{w}, or @samp{x} |
| letters after the |
| operator, you use the letter @samp{u}, @samp{g}, or @samp{o}. For |
| example, the mode |
|
|
| @example |
| o+g |
| @end example |
|
|
| @noindent |
| adds the permissions for users who are in a file's group to the |
| permissions that other users have for the file. Thus, if the file |
| started out as mode 664 (@samp{rw-rw-r |
| it to mode 666 (@samp{rw-rw-rw-}). If the file had started out as mode |
| 741 (@samp{rwxr |
| (@samp{rwxr |
| analogously. |
|
|
| @node Changing Special Mode Bits |
| @subsection Changing Special Mode Bits |
|
|
| @cindex changing special mode bits |
| In addition to changing a file's read, write, and execute/search permissions, |
| you can change its special mode bits. @xref{Mode Structure}, for a |
| summary of these special mode bits. |
|
|
| To change the file mode bits to set the user ID on execution, use |
| @samp{u} in the @var{users} part of the symbolic mode and |
| @samp{s} in the @var{permissions} part. |
|
|
| To change the file mode bits to set the group ID on execution, use |
| @samp{g} in the @var{users} part of the symbolic mode and |
| @samp{s} in the @var{permissions} part. |
|
|
| To set both user and group ID on execution, omit the @var{users} part |
| of the symbolic mode (or use @samp{a}) and use @samp{s} in the |
| @var{permissions} part. |
|
|
| To change the file mode bits to set the restricted deletion flag or sticky bit, |
| omit the @var{users} part of the symbolic mode (or use @samp{a}) and use |
| @samp{t} in the @var{permissions} part. |
|
|
| For example, to set the set-user-ID mode bit of a program, |
| you can use the mode: |
|
|
| @example |
| u+s |
| @end example |
|
|
| To remove both set-user-ID and set-group-ID mode bits from |
| it, you can use the mode: |
|
|
| @example |
| a-s |
| @end example |
|
|
| To set the restricted deletion flag or sticky bit, you can use |
| the mode: |
|
|
| @example |
| +t |
| @end example |
|
|
| The combination @samp{o+s} has no effect. On GNU systems |
| the combinations @samp{u+t} and @samp{g+t} have no effect, and |
| @samp{o+t} acts like plain @samp{+t}. |
|
|
| The @samp{=} operator is not very useful with special mode bits. |
| For example, the mode: |
|
|
| @example |
| o=t |
| @end example |
|
|
| @noindent |
| does set the restricted deletion flag or sticky bit, but it also |
| removes all read, write, and execute/search permissions that users not in the |
| file's group might have had for it. |
|
|
| @xref{Directory Setuid and Setgid}, for additional rules concerning |
| set-user-ID and set-group-ID bits and directories. |
|
|
| @node Conditional Executability |
| @subsection Conditional Executability |
|
|
| @cindex conditional executability |
| There is one more special type of symbolic permission: if you use |
| @samp{X} instead of @samp{x}, execute/search permission is affected only if the |
| file is a directory or already had execute permission. |
|
|
| For example, this mode: |
|
|
| @example |
| a+X |
| @end example |
|
|
| @noindent |
| gives all users permission to search directories, or to execute files if |
| anyone could execute them before. |
|
|
| @node Multiple Changes |
| @subsection Making Multiple Changes |
|
|
| @cindex multiple changes to permissions |
| The format of symbolic modes is actually more complex than described |
| above (@pxref{Setting Permissions}). It provides two ways to make |
| multiple changes to files' mode bits. |
|
|
| The first way is to specify multiple @var{operation} and |
| @var{permissions} parts after a @var{users} part in the symbolic mode. |
|
|
| For example, the mode: |
|
|
| @example |
| og+rX-w |
| @end example |
|
|
| @noindent |
| gives users other than the owner of the file read permission and, if |
| it is a directory or if someone already had execute permission |
| to it, gives them execute/search permission; and it also denies them write |
| permission to the file. It does not affect the permission that the |
| owner of the file has for it. The above mode is equivalent to |
| the two modes: |
|
|
| @example |
| og+rX |
| og-w |
| @end example |
|
|
| The second way to make multiple changes is to specify more than one |
| simple symbolic mode, separated by commas. For example, the mode: |
|
|
| @example |
| a+r,go-w |
| @end example |
|
|
| @noindent |
| gives everyone permission to read the file and removes write |
| permission on it for all users except its owner. Another example: |
|
|
| @example |
| u=rwx,g=rx,o= |
| @end example |
|
|
| @noindent |
| sets all of the permission bits for the file explicitly. (It |
| gives users who are not in the file's group no permission at all for |
| it.) |
|
|
| The two methods can be combined. The mode: |
|
|
| @example |
| a+r,g+x-w |
| @end example |
|
|
| @noindent |
| gives all users permission to read the file, and gives users who are in |
| the file's group permission to execute/search it as well, but not permission |
| to write to it. The above mode could be written in several different |
| ways; another is: |
|
|
| @example |
| u+r,g+rx,o+r,g-w |
| @end example |
|
|
| @node Umask and Protection |
| @subsection The Umask and Protection |
|
|
| @cindex umask and modes |
| @cindex modes and umask |
| If the @var{users} part of a symbolic mode is omitted, it defaults to |
| @samp{a} (affect all users), except that any permissions that are |
| @emph{set} in the system variable @code{umask} are @emph{not affected}. |
| The value of @code{umask} can be set using the |
| @code{umask} command. Its default value varies from system to system. |
|
|
| @cindex giving away permissions |
| Omitting the @var{users} part of a symbolic mode is generally not useful |
| with operations other than @samp{+}. It is useful with @samp{+} because |
| it allows you to use @code{umask} as an easily customizable protection |
| against giving away more permission to files than you intended to. |
|
|
| As an example, if @code{umask} has the value 2, which removes write |
| permission for users who are not in the file's group, then the mode: |
|
|
| @example |
| +w |
| @end example |
|
|
| @noindent |
| adds permission to write to the file to its owner and to other users who |
| are in the file's group, but @emph{not} to other users. In contrast, |
| the mode: |
|
|
| @example |
| a+w |
| @end example |
|
|
| @noindent |
| ignores @code{umask}, and @emph{does} give write permission for |
| the file to all users. |
|
|
| @node Numeric Modes |
| @section Numeric Modes |
|
|
| @cindex numeric modes |
| @cindex file mode bits, numeric |
| @cindex octal numbers for file modes |
| As an |
| alternative to giving a symbolic mode, you can give an octal (base 8) |
| number that represents the mode. |
|
|
| The permissions granted to the user, |
| to other users in the file's group, |
| and to other users not in the file's group each require three |
| bits: one bit for read, one for write, and one for execute/search permission. |
| These three bits are represented as one octal digit; |
| for example, if all three are present, the resulting 111 (in binary) |
| is represented as the digit 7 (in octal). The three special |
| mode bits also require one bit each, and they are as a group |
| represented as another octal digit. Here is how the bits are arranged, |
| starting with the highest valued bit: |
|
|
| @example |
| Value in Corresponding |
| Mode Mode Bit |
|
|
| Special mode bits: |
| 4000 Set user ID |
| 2000 Set group ID |
| 1000 Restricted deletion flag or sticky bit |
|
|
| The file's owner: |
| 400 Read |
| 200 Write |
| 100 Execute/search |
|
|
| Other users in the file's group: |
| 40 Read |
| 20 Write |
| 10 Execute/search |
|
|
| Other users not in the file's group: |
| 4 Read |
| 2 Write |
| 1 Execute/search |
| @end example |
|
|
| For example, numeric mode @samp{4751} corresponds to symbolic mode |
| @samp{u=srwx,g=rx,o=x}, and numeric mode @samp{664} corresponds to symbolic mode |
| @samp{ug=rw,o=r}. Numeric mode @samp{0} corresponds to symbolic mode |
| @samp{a=}. |
|
|
| A numeric mode is usually shorter than the corresponding symbolic |
| mode, but it is limited in that normally it cannot take into account the |
| previous file mode bits; it can only set them absolutely. |
| The set-user-ID and set-group-ID bits of directories are an exception |
| to this general limitation. @xref{Directory Setuid and Setgid}. |
| Also, operator numeric modes can take previous file mode bits into |
| account. @xref{Operator Numeric Modes}. |
|
|
| Numeric modes are always interpreted in octal; you do not have to add a |
| leading @samp{0}, as you do in C@. Mode @samp{0055} is the same as |
| mode @samp{55}. However, modes of five digits or more, such as |
| @samp{00055}, are sometimes special (@pxref{Directory Setuid and Setgid}). |
|
|
| @node Operator Numeric Modes |
| @section Operator Numeric Modes |
|
|
| An operator numeric mode is a numeric mode that is prefixed by a |
| @samp{-}, @samp{+}, or @samp{=} operator, which has the same |
| interpretation as in symbolic modes. For example, @samp{+440} enables |
| read permission for the file's owner and group, @samp{-1} disables |
| execute permission for other users, and @samp{=600} clears all |
| permissions except for enabling read-write permissions for the file's |
| owner. Operator numeric modes can be combined with symbolic modes by |
| separating them with a comma; for example, @samp{=0,u+r} clears all |
| permissions except for enabling read permission for the file's owner. |
|
|
| The commands @samp{chmod =755 @var{dir}} and @samp{chmod 755 |
| @var{dir}} differ in that the former clears the directory @var{dir}'s |
| setuid and setgid bits, whereas the latter preserves them. |
| @xref{Directory Setuid and Setgid}. |
|
|
| Operator numeric modes are a GNU extension. |
|
|
| @node Directory Setuid and Setgid |
| @section Directories and the Set-User-ID and Set-Group-ID Bits |
|
|
| On most systems, if a directory's set-group-ID bit is set, newly |
| created subfiles inherit the same group as the directory, and newly |
| created subdirectories inherit the set-group-ID bit of the parent |
| directory. On a few systems, a directory's set-user-ID bit has a |
| similar effect on the ownership of new subfiles and the set-user-ID |
| bits of new subdirectories. These mechanisms let users share files |
| more easily, by lessening the need to use @command{chmod} or |
| @command{chown} to share new files. |
|
|
| These convenience mechanisms rely on the set-user-ID and set-group-ID |
| bits of directories. If commands like @command{chmod} and |
| @command{mkdir} routinely cleared these bits on directories, the |
| mechanisms would be less convenient and it would be harder to share |
| files. Therefore, a command like @command{chmod} does not affect the |
| set-user-ID or set-group-ID bits of a directory unless the user |
| specifically mentions them in a symbolic mode, or uses an operator |
| numeric mode such as @samp{=755}, or sets them in a numeric mode, or |
| clears them in a numeric mode that has five or more octal digits. |
| For example, on systems that support |
| set-group-ID inheritance: |
|
|
| @example |
| |
| |
| |
| mkdir A B C |
| chmod 755 A |
| chmod 0755 B |
| chmod u=rwx,go=rx C |
| mkdir -m 755 D |
| mkdir -m 0755 E |
| mkdir -m u=rwx,go=rx F |
| @end example |
|
|
| If you want to try to set these bits, you must mention them |
| explicitly in the symbolic or numeric modes, e.g.: |
|
|
| @example |
| |
| |
| mkdir G |
| chmod 6755 G |
| chmod +6000 G |
| chmod u=rwx,go=rx,a+s G |
| mkdir -m 6755 H |
| mkdir -m +6000 I |
| mkdir -m u=rwx,go=rx,a+s J |
| @end example |
|
|
| If you want to try to clear these bits, you must mention them |
| explicitly in a symbolic mode, or use an operator numeric mode, or |
| specify a numeric mode with five or more octal digits, e.g.: |
|
|
| @example |
| |
| |
| chmod a-s D |
| chmod -6000 D |
| chmod =755 D |
| chmod 00755 D |
| @end example |
|
|
| This behavior is a GNU extension. Portable scripts should |
| not rely on requests to set or clear these bits on directories, as |
| POSIX allows implementations to ignore these requests. |
| The GNU behavior with numeric modes of four or fewer digits |
| is intended for scripts portable to systems that preserve these bits; |
| the behavior with numeric modes of five or more digits is for scripts |
| portable to systems that do not preserve the bits. |
|
|
