Setting and Changing Permissions

Although "permissions" means different things for files than for directories, you use the same command to set permissions for both files and directories.

Only the user who owns a file may change its permissions (but see the "sudo: the Mac OS X way of using root" section in Chapter 11, on how to use the sudo command to override this limitation).

You use the chmod (change mode) command to set the permissions of files.

The general form of a command line for chmod is

chmod mode file

where mode is the permission setting, and file is a filename or even multiple filenames.

The mode argument is in one of two forms: symbolic or absolute.

Symbolic modes are best used to make changes to permissions on a file when you want to alter some of its permissions but leave others unchanged.

Absolute modes are used to set all of the permissions for a file at once.

So if you want to add read permission to a file without disturbing any of the other permissions on the file, you use a symbolic mode. An example of this would be adding read permission to a file for the owning group without changing the permissions for the user or others.

On the other hand, if you want a file to have a specific set of permissions for the user, the group, and others all at once, then you should use an absolute mode. An example of this would be if you wanted to set a file to be readable and writable by the owning user, and only readable by the owning group and others.

Changing permissions with symbolic modes

The basic syntax of a symbolic mode is

who operator what

For example,

ug+w

would appear in a command line as

chmod ug+w file

The ug are the "who" (user and group), the + is the "operator" (add), and the w is the "what" (write permission). Many combinations are possible. Table 8.1 shows the meanings of each of the characters.

Table 8.1. Symbolic Mode Changes (this is a partial list)

Symbols for the "Who" Part

Symbol  Meaning
u       Applies change to the owning user.
g       Applies change to the owning group.
o       Applies change to all others.
a       Applies change to all (user, group, and others).

Symbols for the "Operator" Part

Symbol  Meaning
+       Adds the following permissions.
-       Removes the following permissions.

Symbols for the "What" Part

Symbol  Meaning
r       Read permission.
w       Write permission.
x       Execute permission.


Here are a few tasks that use symbolic modes to change permissions.

To add read permission to a file for the owning group:

  • chmod g+r file

    For example,

    chmod g+r myfile.txt

    Figure 8.14 shows the permissions before and after using this command line.

    Figure 8.14. Comparing permissions before and after adding read permission for the group with chmod g+r.

    localhost:~ vanilla$ ls -l myfile.txt
    -rw-------     1 vanilla    staff     29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$ chmod g+r myfile.txt
    localhost:~ vanilla$ ls -l myfile.txt
    -rw-r-----     1 vanilla    staff     29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$

To remove read permission on a file for the owning group:

  • chmod g-r file

    For example,

    chmod g-r myfile.txt

    Figure 8.15 shows the before and after for this command line.

    Figure 8.15. Comparing permissions before and after removing read permission for the group with chmod g-r.

    localhost:~ vanilla$ ls -l myfile.txt
    -rw-r-----     1 vanilla    staff      29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$ chmod g-r myfile.txt
    localhost:~ vanilla$ ls -l myfile.txt
    -rw-------     1 vanilla    staff      29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$

To add read permission for the group and others:

  • chmod go+r file

    For example:

    chmod go+r myfile.txt

    Figure 8.16 shows the before and after for this command line.

    Figure 8.16. Comparing permissions before and after adding read permission for the group and others with chmod go+r.

    localhost:~ vanilla$ ls -l myfile.txt
    -rw-------     1 vanilla    staff     29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$ chmod go+r myfile.txt
    localhost:~ vanilla$ ls -l myfile.txt
    -rw-r--r--     1 vanilla    staff     29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$

To add write permission for the group and others:

  • chmod go+w file

    For example,

    chmod go+w myfile.txt

    Figure 8.17 shows the before and after for this command line.

    Figure 8.17. Comparing permissions before and after adding write permission for the group and others with chmod go+w.

    localhost:~ vanilla$ ls -l myfile.txt
    -rwxr--r--     1 vanilla    staff     29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$ chmod go+w myfile.txt
    localhost:~ vanilla$ ls -l myfile.txt
    -rw-rw-rw-     1 vanilla    staff     29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$

To remove write permission for the group and others:

  • chmod go-w file

    For example,

    chmod go-w myfile.txt

    Figure 8.18 shows the before and after for this command line.

    Figure 8.18. Comparing permissions before and after removing write permission for the group and others with chmod go-w.

    localhost:~ vanilla$ ls -l myfile.txt
    -rw-rw-rw-     1 vanilla    staff     29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$ chmod go-w myfile.txt
    localhost:~ vanilla$ ls -l myfile.txt
    -rw-r--r--     1 vanilla    staff     29 Jan 24 11:30 myfile.txt
    localhost:~ vanilla$

    Notice how changing the permissions does not change the file's modification time.

Changing permissions with absolute modes

An absolute mode consists of a three- or four-digit number, such as 644 or 2775.

In practice you use these modes in this fashion:

chmod 644 file

That would set the permissions on file to be read and write (6) for the user, and read-only (4) for the group and others.

Most of the time you use three-digit numbers for absolute modes, so we address those first.

Each digit in a three-digit absolute mode represents the permissions for the user, the group, and others, in that order. The value of each digit is based on adding up the values of the kinds of permissions being assigned.

  • Read permission has a value of 4.

  • Write permission has a value of 2.

  • Execute permission has a value of 1.

Figure 8.19 shows the values for the absolute modes for each type of permission. Add up the columns to get the mode; for instance, for the user to have all permissions, add 4+2+1 to get 7 for the first column; for the group to have read and execute permissions, the value is 4+1, and so on.

Figure 8.19. Diagram showing the values for the absolute modes for each type of permission.


Table 8.2 shows the meanings of each of the eight possible mode values (0-7) for each digit in an absolute mode. Some of you might be thinking this looks like a base-8 (octal) numbering system. You would be correct.

Table 8.2. Value of Each Digit in a Three-Digit Absolute Mode

Value  Meaning
0      No permission granted to this owner.
1      Execute permission only.
2      Write permission only.
3      Execute permission and write permission (1 + 2 = 3).
4      Read permission only.
5      Execute and read permission (1 + 4 = 5).
6      Write permission and read permission (2 + 4 = 6).
7      Execute, read, and write permission (1 + 2 + 4 = 7).


To set a file's permissions using absolute mode:

  • chmod mode file

    For example,

    chmod 644 myfile.txt

    sets myfile.txt to be readable and writable by the owning user (4 + 2 = 6), and readable by the group and others.

    chmod 755 myscript.sh

    makes myscript.sh readable, writable, and executable (4 + 2 + 1 = 7) by the user, and readable and executable (4 + 1 = 5) by the group and others. These same permissions (755) are the standard permissions for nonprivate scripts and programs, as well as nonprivate directories (Table 8.3).

    Table 8.3. Common Permission Modes

    Mode  Common Use
    644   For files. Readable and writable by owning user, readable by everyone else.
    755   For directories and programs (commands, scripts, and so on). For directories, this mode allows owning user to create and delete files in the directory, allows everyone to list directory contents and cd into or through the directory. For files, allows owning user to alter the file, allows everyone to read and to execute the program.
    664   Same as 644 but also allows owning group to alter the file. Used for files that are part of a group project.
    775   For program files (scripts, commands, and so on). Same as 755 but also gives write permission to the owning group so that anyone in the group may alter the file.
    2775  Like 775 but adding the 2 at the beginning "sets the group id bit" and means that for directories any file or directory created inside this directory is owned by the same group that owns the parent directory, and for executable files the script or program will run with the group permissions of this file.
    600   For private files. The owning user has read and write permission. No one else has any permissions.
    700   For private directories or private executable files. The owning user has read, write, and execute permission. No one else has any permissions.


    Table 8.3 shows the most common permission settings using absolute mode. This table includes some four-digit modes. When a four-digit mode is used, the first digit has a different set of meanings from the other three. Table 8.4 and Table 8.5 show the meanings of the values for each of the positions in a three- or four-digit mode for files (Table 8.4) and for directories (Table 8.5). Table 8.6 shows the options for the chmod command.

    Table 8.4. Mode Values for File Permissions

    Permission      Mode  Why and When
    User read       0400  So that the owning user may read it.
    User write      0200  So that the owning user may change it.
    User execute    0100  So that the owning user may execute it.
    Group read      0040  So that the owning group may read it.
    Group write     0020  So that the owning group may change it.
    Group execute   0010  So that the owning group may execute it.
    Others read     0004  So that all others may read it.
    Others write    0002  So that all others may change it.
    Others execute  0001  So that all others may execute it.
    Setuid          4000  Execute file as owning user ("Set user id on execution"). This property is removed and must be reset each time the file is changed (edited).
    Setgid          2000  Execute file as owning group ("Set group id on execution"). This property is removed and must be reset each time the file is changed (edited).
    Sticky bit      1000  A directory whose sticky bit is set has special restrictions on file deletion. In order to delete or rename a file inside a sticky directory, a user must have write permission on the directory or own the directory, and must also own the file. The root user is not restricted by sticky directories. The /private/tmp directory in Mac OS X is a sticky directory (and /tmp is a symbolic link to it). See man sticky for more on the sticky bit.


    Table 8.5. Mode Values for Directory Permissions

    Permission      Mode  Why and When
    User read       0400  So that the owning user may list contents.
    User write      0200  So that the owning user may create and delete files inside it.
    User execute    0100  So that the owning user may cd into or through it.
    Group read      0040  So that the owning group may list contents.
    Group write     0020  So that the owning group may create and delete files inside it.
    Group execute   0010  So that the owning group may cd into or through it.
    Others read     0004  So that all others may list contents.
    Others write    0002  So that all others may create and delete files inside it.
    Others execute  0001  So that all others may cd into or through it.
    Setuid          4000  No effect.
    Setgid          2000  Any files or directories created inside this directory are owned by the same group that owns this directory.


    Table 8.6. Options for the chmod Command

    Option  Meaning
    -R      Makes changes recursively. Used when changing permissions on a directory and everything it contains.

    The next three options only work in combination with the -R option. Only one of the following may be used. If more than one is used, the last one on the command line takes precedence.

    Option  Meaning
    -H      If the -R option is specified, symbolic links on the command line are followed. (Symbolic links encountered in the directory traversal are not followed.) See Chapter 5 for more on symbolic links.
    -L      If the -R option is specified, all symbolic links are followed.
    -P      If the -R option is specified, no symbolic links are followed.
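
The mode values in Tables 8.4 and 8.5 can be passed to find's -perm test to audit a directory tree. The following is an added example, not from the book: it lists world-writable files (0002), setuid/setgid files (4000/2000), and world-writable directories that lack the sticky bit (1000). The function names and every path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a tree for the higher-risk mode bits in Tables 8.4/8.5.
# All paths are constructed in a temporary directory.

# Regular files that "others" may change (mode bit 0002).
world_writable_files() {
    find "$1" -type f -perm -0002 | sort
}

# Files that run as their owning user or group (bits 4000 / 2000).
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Directories writable by others that lack the sticky bit (1000):
# the deletion restrictions described in Table 8.4 do not apply to them.
open_dirs_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Build a constructed sample tree with one instance of each case.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/tmp_like"
    : > "$d/private.txt";  chmod 600  "$d/private.txt"
    : > "$d/open.txt";     chmod 666  "$d/open.txt"
    : > "$d/helper";       chmod 4755 "$d/helper"
    chmod 777  "$d/shared"      # world-writable, no sticky bit
    chmod 1777 "$d/tmp_like"    # world-writable with sticky bit, like /private/tmp
    echo "$d"
}

audit() {
    echo "World-writable files:";            world_writable_files "$1"
    echo "Setuid/setgid files:";             setid_files "$1"
    echo "Open directories without sticky:"; open_dirs_without_sticky "$1"
}

sample=$(make_sample)
audit "$sample"
rm -rf "$sample"
```

In find, a leading minus on the -perm value means "at least these bits are set", so -perm -0002 matches 666 and 777 alike.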


Tip

  • The most useful option for the chmod command is -R (recursively), which allows you to change the permissions on a directory and everything inside it all at once. For example,

    chmod -R go-rwx private_dir

    removes read, write, and execute permissions for group and others from the directory private_dir and everything inside it. But be careful. It would probably be a mistake to do something like

    chmod -R g+x mydirectory

    because that adds group execute permission to the directory and everything inside it. If the directory contained any files that were not actually scripts or programs, they would end up appearing as executable, and if someone tried to run one of them as a command, it could cause unpredictable results.
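
A way to avoid the mistake described in the tip, shown as an added example that is not from the book: in a symbolic mode, a capital X adds execute permission only to directories and to files that already have an execute bit set, so plain data files are left non-executable. The function names and the project/ tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: names (project/, notes.txt, run.sh) are constructed.

# Print a file's permission bits in octal; works with GNU and BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a small private tree: two directories, one data file, one script.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/project" "$root/project/docs"
    echo "notes"         > "$root/project/docs/notes.txt"
    printf '#!/bin/sh\n' > "$root/project/run.sh"
    chmod 700 "$root/project" "$root/project/docs" "$root/project/run.sh"
    chmod 600 "$root/project/docs/notes.txt"
    echo "$root"
}

# The mistake from the tip: every file becomes group-executable.
risky_change() {
    chmod -R g+x "$1"
}

# Capital X: group execute is added only to directories and to files
# that already have at least one execute bit.
safe_change() {
    chmod -R g+X "$1"
}

# Compare the resulting modes under each approach.
demo() {
    a=$(make_tree); risky_change "$a/project"
    b=$(make_tree); safe_change "$b/project"
    echo "g+x notes.txt: $(mode_of "$a/project/docs/notes.txt")"
    echo "g+X notes.txt: $(mode_of "$b/project/docs/notes.txt")"
    echo "g+X run.sh:    $(mode_of "$b/project/run.sh")"
    echo "g+X docs/:     $(mode_of "$b/project/docs")"
    rm -rf "$a" "$b"
}
demo
```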




Unix for Mac OS X 10.4 Tiger: Visual QuickPro Guide (2nd Edition)
ISBN: 0321246683
EAN: 2147483647
Year: 2004
Pages: 161
Authors: Matisse Enzer
