chmod
From NetBSD Wiki
The chmod(1) utility modifies the file mode bits of the listed files as specified by the mode operand. Modes may be absolute or symbolic. Absolute modes have the following values:
Value  Permission                     ls -l listing
0      no read, no write, no execute  ---
1      no read, no write, EXECUTE     --x
2      no read, WRITE, no execute     -w-
3      no read, WRITE, EXECUTE        -wx
4      READ, no write, no execute     r--
5      READ, no write, EXECUTE        r-x
6      READ, WRITE, no execute        rw-
7      READ, WRITE, EXECUTE           rwx
List the mode of your file, then clear all of its bits:
# ls -l myfile.txt
-rw-r--r--  1 root  wheel  6678 Jan 12 12:15 myfile.txt
# chmod 000 myfile.txt
----------  1 root  wheel  6678 Jan 12 12:15 myfile.txt
For example, you can use absolute values to change the mode for the user (the owner) only:
# chmod 400 myfile.txt
-r--------  1 root  wheel  6678 Jan 12 12:16 myfile.txt
# chmod 600 myfile.txt
-rw-------  1 root  wheel  6678 Jan 12 12:16 myfile.txt
# chmod 700 myfile.txt
-rwx------  1 root  wheel  6678 Jan 12 12:16 myfile.txt
Or you can use absolute values to change the mode for the group only:
# chmod 070 myfile.txt
----rwx---  1 root  wheel  6678 Jan 12 12:15 myfile.txt
You can also use absolute values to change the mode for others (all other users) only:
# chmod 007 myfile.txt
-------rwx  1 root  wheel  6678 Jan 12 12:15 myfile.txt
If you need to, you can set the modes for user, group and others at the same time:
# chmod 777 myfile.txt
-rwxrwxrwx  1 root  wheel  6678 Jan 12 12:16 myfile.txt
# chmod 755 myfile.txt
-rwxr-xr-x  1 root  wheel  6678 Jan 12 12:16 myfile.txt
# chmod 640 myfile.txt
-rw-r-----  1 root  wheel  6678 Jan 12 12:16 myfile.txt
# chmod 403 myfile.txt
-r------wx  1 root  wheel  6678 Jan 12 12:16 myfile.txt
The meaning of these bits on directories is not entirely straightforward:
- Execute on a directory means a user is allowed to access anything below the directory. So even if a user has full read/write access on a file called /foo/bar, if he doesn't have execute access on /foo, the user can't write to /foo/bar.
- Read on a directory means a user is allowed to request directory listings on the directory. If you don't want people to know what's in /foo, but you want them to be able to access /foo/bar, you just make /foo execute-only and give them full access to /foo/bar.
- Write on a directory means a user is allowed to create files under it and remove files from it, regardless of the ownership of, or the permissions he has on, the file (but see the sticky bit in the next section).
Special modifiers
There are also "special permissions". These are the following:
Value  Permission                          ls -l listing
0000   No special permissions              ---------
1000   "sticky" (see below)                --------T
2000   set group id                        -----S---
3000   "sticky" and set group id           -----S--T
4000   set user id                         --S------
5000   "sticky" and set user id            --S-----T
6000   set user and group id               --S--S---
7000   "sticky" and set user and group id  --S--S--T
The characters are shown in upper case when the special bit is set alone; when, for example, set user id is combined with execute access for the user, the listing shows --s------ instead of --S------.
The meaning of these bits is as follows:
- sticky bit (aka "text bit"): On older Unixes, on binaries this meant "keep the text segment in memory after the program quits". Often-run programs like the shell would then stay in memory even when no instance was running, which reduced start-up time by eliminating the disk seek and read. On directories it still has meaning: only the owner of a file may delete it. This way, for example, /tmp can be shared by everyone without people being able to destroy other people's files, even though everyone has write access to the directory.
- set group id (SGID). This makes binaries run with the given group as their primary group, even if the person running them isn't in that group. For directories, this also has a meaning on non-BSD Unixes: every file created under the directory gets its group set to the group of the directory. This is the default behaviour in BSD. In Linux, for example, the default behaviour is to create the file with the group set to the user's primary group.
- set user id (SUID). This makes binaries run as the given user. This means, for example, that any user can do whatever root can do if you run suid on the shell. Needless to say, use with extreme caution. Also, this does not work on hash-bang scripts because shellscripts are too easily hacked.
Note: writing to a file resets the SUID/SGID bits for added security.
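The two tables above (absolute modes and special bits) plus the upper/lower-case rule can be captured in a few lines. The following is an added example, not code from the NetBSD wiki page or from chmod(1) itself: it converts an octal mode to the nine-character field ls -l prints and back, and names the bits an auditor looks at first (setuid, setgid, world-writable, and a world-writable directory missing the sticky bit). The function names and the `security_flags` categories are this example's own choices.

```python
import stat

# Added example (not from the NetBSD wiki page): convert between the octal
# modes in the tables above and the nine-character ls(1) permission field,
# following the rule that a special bit shows as s/t when the matching
# execute bit is also set and as S/T when it is set alone.

# (shift of the rwx triad, special bit shown in its execute column, letter)
TRIADS = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))


def mode_to_listing(mode: int) -> str:
    """Return the nine permission characters ls -l prints for an octal mode."""
    out = []
    for shift, special, letter in TRIADS:
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            # lower case = special bit plus execute, upper case = special bit alone
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def listing_to_mode(listing: str) -> int:
    """Parse an ls -l mode field ('-rwsr-xr-x' or 'rwsr-xr-x') back to octal."""
    perms = listing[-9:]
    if len(perms) != 9:
        raise ValueError(f"need nine permission characters, got {listing!r}")
    mode = 0
    for i, (shift, special, letter) in enumerate(TRIADS):
        r, w, x = perms[3 * i:3 * i + 3]
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in ("x", letter):          # x, s or t: execute bit is set
            bits |= 1
        if x in (letter, letter.upper()):  # s/S or t/T: special bit is set
            mode |= special
        mode |= bits << shift
    return mode


def security_flags(mode: int, is_dir: bool = False) -> list:
    """Name the mode bits an auditor would look at first (example categories)."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    if mode & stat.S_IWOTH:
        if is_dir and not mode & stat.S_ISVTX:
            # anyone may delete anyone else's files here (see sticky bit above)
            flags.append("world-writable directory without sticky bit")
        else:
            flags.append("world-writable")
    return flags


if __name__ == "__main__":
    # Reproduce rows of the two tables from the page plus a few mixed modes.
    for mode in (0o000, 0o403, 0o755, 0o1000, 0o7000, 0o4755, 0o6555, 0o1777):
        print(f"{mode:05o}  {mode_to_listing(mode)}  {security_flags(mode)}")
```

Running the script prints one row per mode; `mode_to_listing(0o4000)` gives `--S------` and `mode_to_listing(0o4755)` gives `rwsr-xr-x`, matching the table and the case rule. The standard library's `stat.filemode()` produces the same field with the file-type character in front, which makes a convenient cross-check.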
Symbolic Permissions
Symbolic permissions, sometimes referred to as symbolic expressions, use characters in place of octal values to assign permissions to files or directories. Symbolic expressions use the syntax of
(who) (action) (permissions)
where the following values are available:
Option         Letter  Represents
(who)          u       User
(who)          g       Group owner
(who)          o       Other
(who)          a       All ("world")
(action)       +       Adding permissions
(action)       -       Removing permissions
(action)       =       Explicitly set permissions
(permissions)  r       Read
(permissions)  w       Write
(permissions)  x       Execute
(permissions)  X       Execute-on-directories
(permissions)  t       Sticky bit
(permissions)  s       Set UID or GID
Thus you can use the symbolic syntax (who) (action) (permission) to set modes.
First, indicate whose permissions you need to change (user's, group's, others' or all) with u, g, o or a:
# chmod go
Second, indicate which action needs to be taken with +, - or =:
# chmod go+
Third, indicate the permissions you need with r, w and x:
# chmod go+rw myfile.txt
----rw-rw-  1 root  wheel  6678 Jan 12 12:16 myfile.txt
As you can see, symbolic (letter) values are also accepted by the chmod(1) command; you just have to use the (who) (action) (permission) syntax. For example, you could use the following command to block other users from accessing myfile.txt:
# chmod go= myfile.txt
-rwx------  1 root  wheel  6678 Jan 12 12:16 myfile.txt
If you would like to give other users read/execute access to all subdirectories under a certain tree, you usually do not want to give them execute access on the regular files in it. For that, use the X option, which only adds execute where it already makes sense:
# chmod -R go+rX mydir
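The symbolic syntax described in this section can be modelled with a short interpreter. The following is an added example, not the NetBSD wiki's code and not the setmode(3) routine chmod(1) actually uses: it applies a symbolic expression such as `go+rw`, `go=` or `a=rx,ugo+s` to an octal mode, and it implements the X rule from the text (execute is added only to directories, or to files that already had some execute bit before the command). The rules it assumes for corner cases (an empty who means all classes but respects the umask, `s` applies to u and g, `t` to o, and `=` clears the class's special bit along with its rwx bits) are this example's own simplifications.

```python
import re

# Added example (not from the NetBSD wiki page): a small interpreter for the
# (who)(action)(permissions) syntax above.  It models the cases the page
# uses (u/g/o/a, +/-/=, rwx, X, s, t, comma-separated clauses) and is not
# the setmode(3) implementation that chmod(1) links against.

# class letter -> (shift of its rwx triad, special bit it owns)
WHO = {"u": (6, 0o4000), "g": (3, 0o2000), "o": (0, 0o1000)}
PERM = {"r": 4, "w": 2, "x": 1}
CLAUSE = re.compile(r"^([ugoa]*)((?:[+\-=][rwxXst]*)+)$")
OP = re.compile(r"([+\-=])([rwxXst]*)")


def apply_symbolic(mode: int, expr: str, is_dir: bool = False, umask: int = 0) -> int:
    """Return the mode that 'chmod expr' would leave on a file currently at mode.

    Modelled rules (this example's simplifications): an empty who means all
    classes, but bits cleared by umask are not added; X grants execute only to
    directories or to files that already had some execute bit before the
    command; 's' applies to u and g, 't' to o; '=' clears the class's rwx
    bits and its special bit before setting the requested ones.
    """
    original = mode
    for clause in expr.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad symbolic clause: {clause!r}")
        who_str, ops = m.groups()
        implicit = who_str == ""
        classes = "ugo" if implicit or "a" in who_str else who_str
        for op, perms in OP.findall(ops):
            bits = 0    # bits named by this (action)(permissions) pair
            clear = 0   # everything '=' wipes for the selected classes
            for cls in classes:
                shift, special = WHO[cls]
                clear |= (0o7 << shift) | special
                value = 0
                for p in perms:
                    if p in PERM:
                        value |= PERM[p]
                    elif p == "X" and (is_dir or original & 0o111):
                        value |= 1      # the "execute-on-directories" rule
                    elif p == "s" and cls in "ug":
                        bits |= special  # setuid for u, setgid for g
                    elif p == "t" and cls == "o":
                        bits |= special  # sticky bit
                bits |= value << shift
            if implicit:
                bits &= ~umask          # umask only ever masks rwx bits
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:
                mode = (mode & ~clear) | bits
    return mode


if __name__ == "__main__":
    # Replay the page's examples; the starting modes are constructed here.
    for start, expr, is_dir in ((0o000, "go+rw", False), (0o755, "go=", False),
                                (0o644, "go+rX", False), (0o700, "go+rX", True),
                                (0o755, "a=rx,ugo+s", False)):
        result = apply_symbolic(start, expr, is_dir)
        print(f"{start:04o}  chmod {expr:<12}->  {result:04o}")
```

With the file/directory pair from the `-R go+rX` case, a 0644 file stays 0644 while a 0700 directory becomes 0755, which is exactly the distinction the text draws. Feeding the expression from the poweroff example at the end of the page (`a=rx,ugo+s`) to a 0755 binary yields 06555, the `-r-sr-sr-x` listing shown there.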
Additional Information
- Handbook Chapter 3.3: Permissions
Sometimes you may need to let users shut down a NetBSD workstation. In this case you need to set the proper mode on poweroff; here is an example:
# chmod a=rx,ugo+s /sbin/poweroff
# ls -l /sbin/poweroff
-r-sr-sr-x  3 wheel  root  3 9648 Jan 18 12:10 /sbin/poweroff
