
What is chmod?

chmod is a Unix command that lets you tell the system how much (or little) access it should permit to a file.

Your File Permissions

Let's take a closer look at the first column. As we said on the previous page, the first letter tells you whether you're dealing with a regular file or a directory. The next letters tell the system what access is permitted for this file; hence the name permissions. In the listing below, we've eliminated some columns and added spaces to the permissions column to make it easier to read.

    - rwx r-xr-x  joe  acctg  archive.sh
    - rw- rw-r--  joe  acctg  orgchart.gif
    - rw- rw-r--  joe  acctg  personnel.txt
    - rw- r--r--  joe  acctg  publicity.html
    d rwx rwxr-x  joe  acctg  sales
    - rw- r-----  joe  acctg  topsecret.inf
    - rwx r-xr-x  joe  acctg  wordmatic

The first set of three letters after the file type tells what you, the owner of the file, have permission to do.

An r in the first position means you are permitted to read the file.
A w in the second position means you may write the file. This includes the ability to delete a file.
An x in the third position means you may execute the file.
A hyphen in any position means that you don't have that particular permission.

As you can see above, joe, the user who owns the file, can read and write all the files. He can execute the shell script archive.sh and the program wordmatic. But what's the x doing on the sales directory? When a directory has the x set, this takes the special meaning of permitted to search this directory.

Group Permissions

The next three letters after the user's permission are the group's permissions.

    -rwx r-x r-x  joe  acctg  archive.sh
    -rw- rw- r--  joe  acctg  orgchart.gif
    -rw- rw- r--  joe  acctg  personnel.txt
    -rw- r-- r--  joe  acctg  publicity.html
    drwx rwx r-x  joe  acctg  sales
    -rw- r-- ---  joe  acctg  topsecret.inf
    -rwx r-x r-x  joe  acctg  wordmatic

Other people in the acctg group cannot write the archive.sh script, the publicity.html and topsecret.inf files, or the wordmatic program. They may write the orgchart.gif and personnel.txt files, as well as the sales directory. They may execute archive.sh and wordmatic, and search the sales directory.

Others Permissions

The last three letters in the permissions column tell us what everyone else in the world, the others, may do.

    -rwxr-x r-x  joe  acctg  archive.sh
    -rw-rw- r--  joe  acctg  orgchart.gif
    -rw-rw- r--  joe  acctg  personnel.txt
    -rw-r-- r--  joe  acctg  publicity.html
    drwxrwx r-x  joe  acctg  sales
    -rw-r-- ---  joe  acctg  topsecret.inf
    -rwxr-x r-x  joe  acctg  wordmatic

The others lead highly restricted lives. They can't write any files or directories, and they have absolutely no access to the topsecret.inf file. They may still run the archive.sh script and the wordmatic program, and they may search the sales directory.

However, things are not as we should like. We don't want anyone outside our group to execute archive.sh (although they can read it to learn how to write a good shell script). We want to restrict topsecret.inf so that it's closed off to everyone except user Joe. We also want to deny access to the sales directory to outsiders. Finally, the publicity.html file contains press releases, and it should be open to anyone in the company to change.

The chmod Command

We use the chmod command to change the access mode of a file. This command comes in many flavors, but we'll be talking primarily about one of them.

    chmod who=permissions filename

This gives who the specified permissions for a given filename.

Who

The who is a list of letters that specifies whom you're going to be giving permissions to. These may be specified in any order.

    Letter  Meaning
    u       The user who owns the file (this means you.)
    g       The group the file belongs to.
    o       The other users
    a       all of the above (an abbreviation for ugo)

Permissions

Of course, the permissions are the same letters that you see in the directory listing:

    r  Permission to read the file.
    w  Permission to write (or delete) the file.
    x  Permission to execute the file, or, in the case of a directory, search it.

Note: Do not put blanks around the equal sign, or your command will not work!

chmod Examples

Let's change some of the permissions as we discussed a couple of pages ago. Here's the way our files are now:

    -rwxr-xr-x  joe  acctg  archive.sh
    -rw-rw-r--  joe  acctg  orgchart.gif
    -rw-rw-r--  joe  acctg  personnel.txt
    -rw-r--r--  joe  acctg  publicity.html
    drwxrwxr-x  joe  acctg  sales
    -rw-r-----  joe  acctg  topsecret.inf
    -rwxr-xr-x  joe  acctg  wordmatic

First, let's prevent outsiders from executing archive.sh.

    Before:   -rwxr-xr-x  archive.sh
    Command:  chmod o=r archive.sh
    After:    -rwxr-xr--  archive.sh

Take away all permissions for the group for topsecret.inf. We do this by leaving the permissions part of the command empty.

    Before:   -rw-r-----  topsecret.inf
    Command:  chmod g= topsecret.inf
    After:    -rw-------  topsecret.inf

Open up publicity.html for reading and writing by anyone.

    Before:   -rw-r--r--  publicity.html
    Command:  chmod og=rw publicity.html
    After:    -rw-rw-rw-  publicity.html

chmod Shortcuts

Let's say we have these files:

    -rwxrwxrwx  joe  acctg  wordmatic
    -r--r--r--  joe  acctg  calcmatic

We'd like to remove write permission for the group and others on wordmatic, and add write and execute permission for all users on calcmatic. Rather than try to figure out what the new permissions are and do these commands:

    chmod go=rx wordmatic
    chmod a=rwx calcmatic

the chmod command literally lets us add and subtract permissions from an existing set by using + or - instead of =. Thus, we can take away the first file's write permission for the group and others with this command:

    chmod go-w wordmatic

...and we can add write and execute permission to the second file for all users with:

    chmod a+wx calcmatic
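The Before/After pairs above, run for real on scratch files, as an added example that is not part of the original page; the helper names perms_of, set_perms and after are made up for this sketch. The last two calls go one step beyond the page to show where = and - give different results.

```shell
#!/bin/sh
# Added example, not from the original page: apply the page's chmod clauses
# to scratch files and read back the permission letters that ls would show.

# perms_of FILE: the nine permission letters from the listing (file type dropped)
perms_of() { ls -ld "$1" | cut -c2-10; }

# set_perms LETTERS FILE: put FILE into a "Before" state such as rwxr-xr-x
set_perms() {
    u=$(printf %s "$1" | cut -c1-3 | tr -d '-')
    g=$(printf %s "$1" | cut -c4-6 | tr -d '-')
    o=$(printf %s "$1" | cut -c7-9 | tr -d '-')
    chmod "u=$u,g=$g,o=$o" "$2"
}

# after LETTERS CLAUSE: print the "After" letters; non-zero if chmod rejects CLAUSE
after() {
    f=$(mktemp) || return 1
    set_perms "$1" "$f" && chmod "$2" "$f" 2>/dev/null && perms_of "$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}

# "=" replaces the letters of the named classes only; other classes are untouched
after rwxr-xr-x o=r      # archive.sh
after rw-r----- g=       # topsecret.inf: an empty right-hand side clears the class
after rw-r--r-- og=rw    # publicity.html
# "+" and "-" edit the existing set instead of replacing it
after rwxrwxrwx go-w     # wordmatic
after r--r--r-- a+wx     # calcmatic
# go=rx and go-w matched on wordmatic only because x was already set there;
# on a file without x, "=" grants execute while "-" only removes write
after rw-rw-rw- go=rx
after rw-rw-rw- go-w
```
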

Copying Permissions

As one other shortcut, it's possible to tell chmod to give users of one class the same permissions that some other class has. Let's say we have these files:

    d------rwx  joe  acctg  sales
    -rw-r--r--  joe  acctg  info.dat

The other users have full permissions on the sales directory. We'd like to say the user and group should be assigned (=) the permissions belonging to others. That translates to:

    chmod ug=o sales

Similarly, to make info.dat readable and writable to the group, we can say:

    chmod g=u info.dat

(You can read this as the group is assigned (=) the permissions currently held by the user.) You may also use + and - to add and subtract the permissions that currently belong to a different class of user.

You can't mix the standard permissions (r, w, and x) with the copying shortcuts. chmod will protest if you give it something like this:

    chmod g=wu info.dat

A New Problem

Michele in the Marketing department would also like to use the summary program to find out who's buying the product. Steve does this:

    chmod og+rx summarize

Now his permissions look like this:

    -rw-------  steve  sales  customers.dat
    -rwxr-xr-x  steve  sales  summarize

Now everyone can execute the summary program, but the customer file is still protected, Steve thinks. Well, unfortunately, it is. Let's see what happens when Michele tries to run the program.

    Event:       Michele types /home/steve/summarize
    Linux says:  You are user michele of group mktg. You are other.
                 You want to execute file /home/steve/summarize.
                 Permission granted.

    Event:       Program begins.

    Event:       Program asks to read file /home/steve/customers.dat
    Linux says:  You are user michele of group mktg. You are other.
                 You want to read file /home/steve/customers.dat.
                 Permission denied.

Steve has a problem. If he says:

    chmod og+r customers.dat

then the customer file is open to anyone at any time. If only Steve could say, Give Michele the same permissions that I have, but only if she's running my program.

Set UID

Of course, there is a way to let Steve give Michele the same permissions that he has when she's running the summarize program. Steve types this:

    chmod u+s summarize

This means Add the Set User ID capability for the user who owns the file to summarize. Now his permissions look like this:

    -rw-------  steve  sales  customers.dat
    -rwsr-xr-x  steve  sales  summarize

Now let's see what happens when Michele runs the program:

    Event:       Michele types /home/steve/summarize
    Linux says:  You are user michele of group mktg. You are other.
                 You want to execute file /home/steve/summarize.
                 Permission granted.
                 Set User ID is in effect. Alakabaud! I have changed your user ID.
                 You are now user steve for as long as this program runs.

    Event:       Program begins.

    Event:       Program asks to read file /home/steve/customers.dat
    Linux says:  You are user steve.
                 You want to read file /home/steve/customers.dat.
                 Permission granted.

The problem is now solved! Steve can let Michele run his program. His program temporarily changes Michele's user ID to Steve's so that the customer file becomes readable. If Michele tries to get to the customer file from any other program, the permissions will keep her out.

You may also use a construction like this to give the group's permissions to anyone who runs the program.

    chmod g+s summarize

Note: Alakabaud! is a registered trademark of Vadic, the Modem Magician.

chmod Quick Reference Summary

The general form of the chmod command:

    chmod options file

The options are constructed by choosing one from each of these columns, with no blank between them:

    Who                     Operation         Permission
    A combination of:       Permissions are:  A combination of:
    u  user (file owner)    =  assigned       r  read
    g  group                +  added          w  write
    o  others               -  subtracted     x  execute
    a  all (same as ugo)                      or one of the following to copy permissions:
                                              u  user
                                              g  group
                                              o  other
                                              or, to set user id:
                                              s
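An added example (not from the original page) of how an administrator can keep track of the two risky states this page creates: programs carrying the s permission, and files that others may write, as publicity.html is after chmod og=rw. The function names, the scratch directory, the newtool file and the allowlist are constructed for illustration; the octal values passed to find are the numeric forms of u+s, g+s and o+w.

```shell
#!/bin/sh
# Added example, not from the original page. Paths and the allowlist are constructed.

# find_setid DIR: regular files with set-user-ID (chmod u+s, octal 4000)
# or set-group-ID (chmod g+s, octal 2000), one path per line, sorted.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# find_world_writable DIR: regular files that "others" may write (o+w, octal 0002).
find_world_writable() {
    find "$1" -type f -perm -0002 -print | sort
}

# unexpected_setid DIR ALLOWLIST: set-ID files whose exact path is not listed
# in ALLOWLIST (one path per line). Each hit is a program that runs with its
# owner's or group's identity and that nobody has reviewed.
unexpected_setid() {
    find_setid "$1" | grep -Fxv -f "$2" || true
}

# Constructed fixture: Steve's files from the page, plus one unreviewed program.
demo=$(mktemp -d)
: > "$demo/customers.dat";  chmod u=rw,go=    "$demo/customers.dat"
: > "$demo/summarize";      chmod u=rwx,go=rx "$demo/summarize"
: > "$demo/newtool";        chmod u=rwx,go=rx "$demo/newtool"
: > "$demo/publicity.html"; chmod u=rw,og=rw  "$demo/publicity.html"
chmod u+s "$demo/summarize" "$demo/newtool"

# Reviewed set-ID programs: only summarize has been approved.
printf '%s\n' "$demo/summarize" > "$demo/allowlist"

echo "set-ID files:";     find_setid "$demo"
echo "world-writable:";   find_world_writable "$demo"
echo "not on allowlist:"; unexpected_setid "$demo" "$demo/allowlist"
```
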

Note: Set User ID is usually used only with programs. You may set the s permission for the user or group; people who run the program will then adopt the identity of that user or group for the duration of the program.

< chown - change the owner of a file >

You can change the owner and group of a file or a directory with the chown command. Please keep in mind you can do this only if you are the root user or the owner of the file.

Set the file's owner:

    $ chown username somefile

After giving this command, the new owner of a file called somefile will be the user username. The file's group owner will not change. Instead of a user name, you can also give the user's numeric ID here if you want.

You can also set the file's group at the same time. If the user name is followed by a colon and a group name, the file's group will be changed as well.

    $ chown username:usergroup somefile

After giving this command, somefile's new owner would be user username and the group usergroup.

You can set the owner of a directory exactly the same way you set the owner of a file:

    $ chown username somedir

Note that after giving this command, only the owner of the directory will change. The owner of the files inside of the directory won't change. In order to set the ownership of a directory and all the files in that directory, you'll need the -R option:

    $ chown -R username somedir

Here, R stands for recursive because this command will recursively change the ownership of directories and their contents. After issuing this example command, the user username will be the owner of the directory somedir, as well as every file in that directory.

Tell what happens:

    $ chown -v username somefile
    changed ownership of 'somefile' to username

Here, v stands for verbose. If you use the -v option, chown will list what it did (or didn't do) to the file. The verbose mode is especially useful if you change the ownership of several files at once. For example, this could happen when you do it recursively:

    $ chown -Rv username somedir
    changed ownership of 'somedir/' to username
    changed ownership of 'somedir/boringfile' to username
    changed ownership of 'somedir/somefile' to username

As you can see, chown nicely reports to you what it did to each file.

< chgrp - change the group ownership of a file >

In addition to chown, you can also use the chgrp command to change the group of a file or a directory. You must, again, be either the root user or the owner of the file in order to change the group ownership. chgrp works pretty much the same way as chown does, except it changes the file's user group instead of the owner, of course.

    $ chgrp usergroup somefile

After issuing this command, the file somefile will be owned by a user group usergroup. Although the file's group has changed to usergroup, the file's owner will still be the same.

The options of using chgrp are the same as using chown. So, for example, the -R and -v options will work with it just like they worked with chown:

    $ chgrp -Rv usergroup somedir
    changed group of 'somedir/' to usergroup
    changed group of 'somedir/boringfile' to usergroup
    changed group of 'somedir/somefile' to usergroup

chown nicely reports to you what it did to each file.
