Setting and Changing Permissions

Setting and Changing Permissions

Although "permissions" means different things for files than for directories, you use the same command to set permissions for both files and directories.

Only the user who owns a file may change its permissions (but see the " sudo the Mac OS X way of using root" section in Chapter 11, on how to use the sudo command to override this limitation).

You use the chmod ( change mode ) command to set the permissions of files.

The general form of a command line for chmod is

chmod mode file

where mode is the permission setting, and file is a filename or even multiple filenames.

The mode argument is in one of two forms: symbolic or absolute .

Symbolic modes are best used to make changes to permissions on a file when you want to alter some of its permissions but leave others unchanged.

Absolute modes are used to set all of the permissions for a file at once.

So if you want to add read permission to a file without disturbing any of the other permissions on the file, you use a symbolic mode. An example of this would be adding read permission to a file for the owning group without changing the permissions for the user or others.

On the other hand, if you want a file to have a specific set of permissions for the user, the group, and others all at once, then you should use an absolute mode. An example of this would be if you wanted to set a file to be readable and writable by the owning user, and only readable by the owning group and others.

Changing permissions with symbolic modes

The basic syntax of a symbolic mode is

who operator what .

For example,

ug+w

would appear in a command line as

chmod ug+w file

The ug are the "who" (user and group), the + is the "operator" (add), and the w is the "what" (write permission). Many combinations are possible. Table 8.1 shows the meanings of each of the characters .

Table 8.1. Symbolic Mode Changes

(T HIS IS A PARTIAL LIST .)

S YMBOLS FOR THE "W HO " P ART

S YMBOL

M EANING

u

Applies change to the owning user.

g

Applies change to the owning group.

o

Applies change to all others.

a

Applies change to all (user, group, and others).

S YMBOLS FOR THE "O PERATOR " P ART

S YMBOL

M EANING

+

Adds the following permissions.

-

Removes the following permissions.

S YMBOLS FOR THE "W HO " P ART

S YMBOL

M EANING

r

Read permission.

w

Write permission.

x

Execute permission.


Here are a few tasks that use symbolic modes to change permissions.

To add read permission to a file for the owning group:

  • chmod g+r file

    For example,

    chmod g+r myfile.txt

    Figure 8.14 shows the permissions before and after using this command line.

    Figure 8.14. Comparing permissions before and after adding read permission for the group with chmod g+r .
     localhost:~ vanilla$  ls -l myfile.txt  -rw-------     1 vanilla    staff     29 Jan 24 11:30 myfile.txt localhost:~ vanilla$  chmod g+r myfile.txt  localhost:~ vanilla$  ls -l myfile.txt  -rw-r-----     1 vanilla    staff     29 Jan 24 11:30 myfile.txt localhost:~ vanilla$ 

To remove read permission on a file for the owning group:

  • chmod g-r file

    For example,

    chmod g-r myfile.txt

    Figure 8.15 shows the before and after for this command line.

    Figure 8.15. Comparing permissions before and after removing read permission for the group with chmod g-r .
     localhost:~ vanilla$  ls -l myfile.txt  -rw-r-----     1 vanilla    staff      29 Jan 24 11:30 myfile.txt localhost:~ vanilla$  chmod g-r myfile.txt  localhost:~ vanilla$  ls -l myfile.txt  -rw-------     1 vanilla    staff      29 Jan 24 11:30 myfile.txt localhost:~ vanilla$ 

To add read permission for the group and others:

  • chmod go+r file

    For example:

    chmod go+r myfile.txt

    Figure 8.16 shows the before and after for this command line.

    Figure 8.16. Comparing permissions before and after adding read permission for the group and others with chmod go+r .
     localhost:~ vanilla$  ls -l myfile.txt  -rw-------     1 vanilla    staff     29 Jan 24 11:30 myfile.txt localhost:~ vanilla$  chmod go+r myfile.txt  localhost:~ vanilla$  ls -l myfile.txt  -rw-r--r--     1 vanilla    staff     29 Jan 24 11:30 myfile.txt localhost:~ vanilla$ 

To add write permission for the group and others:

  • chmod go+w file

    For example,

    chmod go+w myfile.txt

    Figure 8.17 shows the before and after for this command line.

    Figure 8.17. Comparing permissions before and after adding write permission for the group and others with chmod go+w .
     localhost:~ vanilla$  ls -l myfile.txt  -rwxr--r--     1 vanilla    staff     29 Jan 24 11:30 myfile.txt localhost:~ vanilla$  chmod go+w myfile.txt  localhost:~ vanilla$  ls -l myfile.txt  -rw-rw-rw-     1 vanilla    staff     29 Jan 24 11:30 myfile.txt localhost:~ vanilla$ 

To remove write permission for the group and others:

  • chmod go-w file

    For example,

    chmod go-w myfile.txt

    Figure 8.18 shows the before and after for this command line.

    Figure 8.18. Comparing permissions before and after removing write permission for the group and others with chmod go-w .
     localhost:~ vanilla$  ls -l myfile.txt  -rw-rw-rw-     1 vanilla    staff     29 Jan 24 11:30 myfile.txt localhost:~ vanilla$  chmod go-w myfile.txt  localhost:~ vanilla$  ls -l myfile.txt  -rw-r--r--     1 vanilla    staff     29 Jan 24 11:30 myfile.txt localhost:~ vanilla$ 

    Notice how changing the permissions does not change the file's modification time.

Changing permissions with absolute modes

An absolute mode consists of a three- or four-digit number, such as 644 or 2775.

In practice you use these modes in this fashion:

chmod 644 file

That would set the permissions on file to be read and write (6) for the user, and read-only (4) for the group and others.

Most of the time you use three-digit numbers for absolute modes, so we address those first.

Each digit in a three-digit absolute mode represents the permissions for the user, the group, and others, in that order. The value of each digit is based on adding up the values of the kinds of permissions being assigned.

  • Read permission has a value of 4.

  • Write permission has a value of 2.

  • Execute permission has a value of 1.

Figure 8.19 shows the values for the absolute modes for each type of permission. Add up the columns to get the modefor instance, for the user to have all permissions, add 4+2+1 to get 7 for the first column; for the group to have read and execute permissions, the value is 4+1, and so on.

Figure 8.19. Diagram showing the values for the absolute modes for each type of permission.


Table 8.2 shows the meanings of each of the eight possible mode values (07) for each digit in an absolute mode. Some of you might be thinking this looks like a base-8 (octal) numbering system. You would be correct.

Table 8.2. Value of Each Digit in a Three-Digit Absolute Mode

V ALUE

M EANING

No permission granted to this owner.

1

Execute permission only.

2

Write permission only.

3

Execute permission and write permission (1 + 2 = 3).

4

Read permission only.

5

Execute and read permission (1 + 4 = 5).

6

Write permission and read permission (2 + 4 = 6).

7

Execute, read, and write permission (1 + 2 + 4 = 7).


To set a file's permissions using absolute mode:

  • chmod mode file

    For example,

    chmod 644 myfile.txt

    sets myfile.txt to be readable and writable by the owning user (4 + 2 = 6), and readable by the group and others.

    chmod 755 myscript.sh

    makes myscript.sh readable, writable, and executable (4 + 2 + 1 = 7) by the user, and readable and executable (4 + 1 = 5) by the group and others. These same permissions (755) are the standard permissions for nonprivate scripts and programs, as well as nonprivate directories ( Table 8.3 ).

    Table 8.3. Common Permission Modes

    M ODE

    C OMMON U SE

    644

    For files. Readable and writable by owning user, readable by everyone else.

    755

    For directories and programs (commands, scripts, and so on). For directories, this mode allows owning user to create and delete files in the directory, allows everyone to list directory contents and cd into or through the directory. For files, allows owning user to alter the file, allows everyone to read and to execute the program.

    664

    Same as 644 but also allows owning group to alter the file. Used for files that are part of a group project.

    775

    For program files (scripts, commands, and so on). Same as 755 but also gives write permission to the owning group so that anyone in the group may alter the file.

    2775

    Like 775 but adding the 2 at the beginning "sets the group id bit" and means that for directories any file or directory created inside this directory is owned by the same group that owns the parent directory, and for executable files the script or program will run with the group permissions of this file.

    600

    For private files. The owning user has read and write permission. No one else has any permissions.

    700

    For private directories or private executable files. The owning user has read, write, and execute permission. No one else has any permissions.


    Table 8.3 shows the most common permission settings using absolute mode. This table includes some four-digit modes. When a four-digit mode is used, the first digit has a different set of meanings from the other three. Table 8.4 and Table 8.5 ( next page) show the meanings of the values for each of the positions in three- or four-digit mode for files (Table 8.4) and for directories (Table 8.5). Table 8.6 shows the options for the chmod command.

    Table 8.4. Mode Values for File Permissions

    P ERMISSION

    M ODE

    W HY AND W HEN

    User read

    0400

    So that the owning user may read it.

    User write

    0200

    So that the owning user may change it.

    User execute

    0100

    So that the owning user may execute it.

    Group read

    0040

    So that the owning group may read it.

    Group write

    0020

    So that the owning group may change it.

    Group execute

    0010

    So that the owning group may execute it.

    Others read

    0004

    So that all others may read it.

    Others write

    0002

    So that all others may change it.

    Others execute

    0001

    So that all others may execute it.

    Setuid

    4000

    Execute file as owning user ("Set user id on execution"). This property is removed and must be reset each time the file is changed (edited).

    Setgid

    2000

    Execute file as owning group ("Set group id on execution"). This property is removed and must be reset each time the file is changed (edited).

    Sticky bit

    1000

    A directory whose sticky bit is set has special restrictions on file deletion. In order to delete or rename a file inside a sticky directory, a user must have write permission on the directory or own the directory, and must also own the file. The root user is not restricted by sticky directories. The /private/tmp directory in Mac OS X is a sticky directory (and /tmp is a symbolic link to it). See man sticky for more on the sticky bit.


    Table 8.5. Mode Values for Directory Permissions

    P ERMISSION

    M ODE

    W HY AND W HEN

    User read

    0400

    So that the owning user may list contents.

    User write

    0200

    So that the owning user may create and delete files inside it.

    User execute

    0100

    So that the owning user may cd into or through it.

    Group read

    0040

    So that the owning group may list contents.

    Group write

    0020

    So that the owning group may create and delete files inside it.

    Group execute

    0010

    So that the owning user may cd into or through it.

    Others read

    0004

    So that all others may list contents.

    Others write

    0002

    So that all others may create and delete files inside it.

    Others execute

    0001

    So that all others may cd into or through it.

    Setuid

    4000

    No effect.

    Setgid

    2000

    Any files or directories created inside this directory are owned by the same group that owns this directory.


    Table 8.6. Options for the chmod Command

    O PTION

    M EANING

    -R

    Makes changes recursively. Used when changing permissions on a directory and everything it contains.

    The next three options only work in combination with the -R option. Only one of the following may be used. If more than one is used, the last one on the command line takes precedence.

    -H

    If the -R option is specified, symbolic links on the command line are followed. (Symbolic links encountered in the directory traversal are not followed.) See Chapter 5 for more on symbolic links.

    -L

    If the -R option is specified, all symbolic links are followed.

    -P

    If the -R option is specified, no symbolic links are followed.


Tip

  • The most useful option for the chmod command is -R ( recursively ), which allows you to change the permissions on a directory and everything inside it all at once. For example,

    chmod -R go-rwx private_dir

    removes read, write, and execute permissions for group and others from the directory private_dir and everything inside it. But be careful. It would probably be a mistake to do something like

    chmod -R g+x mydirectory

    because that adds group execute permission to the directory and everything inside it. If the directory contained any files that were not actually scripts or programs, they would end up appearing as executable, and if someone tried to run one of them as a command, it could cause unpredictable results.




Unix for Mac OS X 10. 4 Tiger. Visual QuickPro Guide
Unix for Mac OS X 10.4 Tiger: Visual QuickPro Guide (2nd Edition)
ISBN: 0321246683
EAN: 2147483647
Year: 2004
Pages: 161
Authors: Matisse Enzer

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net