To obtain the set of permissions desired, add up the numbers for a given class. For example, if you want read and write permissions, you would add 4 (read) and 2 (write) to get 6 (read, write).
The following table defines the numbers to obtain each mix of permissions:
Thus, to set the modes of a file to -rwxr-xr--, you would type
chmod 754 file
The symbolic mode consists of three parts. They are:
|who string||Who is affected (user, group or other)|
|operator||What actions are to be taken (add, remove, or absolute)|
|permissions||The permissions to add, remove, or set absolutely|
The general format is:
chmod [ who_string ][ operator ][ permissions ] file_list
chmod [ who_string ][ operator ][ permissions ] directory_list
For example, the following command removes the write permission for all other users:
chmod o-w file
The o refers to other users, the - implies remove, and w is for write permission. No spaces are allowed in the symbolic mode strings.
Who string
The who string controls which set of permissions is changed by the chmod command. Any combination of the following letters can be used for the who string:
|u||The user (owner) of the file or directory|
|g||The users in the group that the file is associated with|
|o||All other users on the system|
|a||All of the above (same as "ugo"). All user classes.|
If no who string is used, then the a is assumed. All user classes are affected.
Operators
The operator controls what effect the permission strings will have on the permissions of the files or directories. The possible operators are:
|-||Remove the specified permissions from the file or directory.|
|+||Add the specified permissions to the file or directory.|
|=||Assign the absolute permissions as specified. Permissions not specified are removed.|
The = operator assigns the given permissions. It is the same as performing a chmod 000 file or a chmod a-rwx file, then performing the chmod to add the permissions specified after the = operator. For example, if you had a file with the following permissions:
rwxr----- 1 mylogin ts 5 Feb 2 afile
and you typed
the file permissions would change to
r-xr-xr-x 1 mylogin ts 5 Feb 2 afile
Permission String
The permission string contains the permissions you want to add or remove from the current permissions. You can combine the following letters to create the permission string:
|l||Mandatory file locking during file access|
|s||Set-user-ID if used with the o who string or set-group-ID if used with the g who string|
|t||Sticky bit, hold text in memory until space is needed|
|u||Indicate that permission is to be taken away from the current user|
|g||Indicate that permission is to be taken away from the current group|
|o||Indicate that permission is to be taken away from the current others|
Multiple symbolic modes can be used on the same command line. Separate each set of symbolic modes with commas (,). For example,
chmod o+r,g-w myfile
would add read access for other users and remove write permission for group members.
More than one operator and permission sequence may be used for each who string. For instance,
chmod g+r-w myfile
would add read access for members of the group and remove write permissions.
You can remove all permissions by using the = operator and no permission string. For example,
chmod = myfile
removes all permissions for all users.
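The symbolic forms described above, applied to a scratch file. This is an added example, not part of the original text; perms_after is an illustrative helper name. It also shows a behaviour of POSIX chmod (GNU coreutils and BusyBox included) that the text does not mention: when the who string is omitted, permission bits masked by the current umask are not added.

```sh
#!/bin/sh
# Added example, not from the book. perms_after is an illustrative helper.

# perms_after START_OCTAL SYMBOLIC_MODE [UMASK]
# Sets a scratch file to START_OCTAL, applies SYMBOLIC_MODE, and prints the
# nine permission characters that ls -l would then show.
perms_after() {
    (
        umask "${3:-022}"
        f=$(mktemp) || exit 1
        chmod "$1" "$f" && chmod "$2" "$f" && ls -l "$f" | cut -c2-10
        rm -f "$f"
    )
}

# Remove write permission for other users.
perms_after 666 o-w          # rw-rw-r--

# Two comma-separated symbolic modes in one command.
perms_after 620 o+r,g-w      # rw----r--

# Two operator/permission pairs for one who string.
perms_after 620 g+r-w        # rw-r-----

# The = operator: anything not named is removed.
perms_after 740 a=rx         # r-xr-xr-x
perms_after 777 =            # ---------

# Explicit "a" ignores the umask; an omitted who string honours it.
# With umask 022, "+w" therefore adds write for the owner only.
perms_after 444 a+w 022      # rw-rw-rw-
perms_after 444 +w 022       # rw-r--r--
```

Spelling out the who string (for example a+w or go-w) keeps the result independent of whatever umask the calling shell happens to have.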
The set-user-ID, set-group-ID, sticky bit, and file locking modes are special modes providing more flexibility in how UNIX handles the execution of a file.
The set-user-ID is reflected in the user execute position. The set-user-ID allows a different user to assume the user-ID of the file. Thus you execute the file (program) as if logged in as the owner of the file. For example, the following file belongs to the user "luwis":
-rwsr-xr-x 1 luwis ts 1 Jan 20 17:11 testprog
If you execute the testprog file, you will execute it as though the user luwis was executing it. This is useful to provide access to secure data via controlled program environments.
The set-group-ID works on the same principle as the set-user-ID, except when you execute it, the group-ID of the file is assumed, not the user-ID. The set-group-ID is displayed in the group execute position as shown in the following example:
-rwxr-sr-x 1 luwis ts 1 Jan 20 17:11 testprog
If either position is occupied by a capital S instead of a lowercase s, then you can access the file as though you are the owner but you cannot execute the file.
If the sticky bit is enabled, a lowercase t is placed in the other's execute position. The sticky bit informs the system to keep the program text of the file loaded in memory. For example, assume you execute the testprog program; when you exit from it the system will not unload the testprog from memory.
-rwxr-xr-t 1 luwis ts 1 Jan 20 17:11 testprog
If a capital T is present, then the file is not executable and can never be loaded into memory. Therefore, it is an undefined permission or state of the file. Only the super-user can set the sticky bit.
File locking is enabled if the group execute position is set to lowercase l. The l represents mandatory file and record locking. If file locking is enabled, then a file is temporarily unavailable to all other users while it is being accessed. The following example shows the position of the l in the modes:
-rwxr-lr-x 1 luwis ts 1 Jan 20 17:11 testprog
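Because set-user-ID and set-group-ID programs run with another user's or group's ID, it is worth knowing which files carry those bits. The following is an added example, not part of the original text: audit_special, demo, the finding labels and the sample files are all constructed for illustration. It reads the s, S and l letters in the positions described above.

```sh
#!/bin/sh
# Added example (not from the book): audit a tree for set-user-ID and
# set-group-ID files. audit_special and the finding labels are illustrative.

# audit_special DIR
# One line per regular file with either bit set:
#   "<ls mode field> <finding> <path>"
#   exec      lowercase s: the file runs with its owner's or group's ID
#   noexec    capital S (or l): bit set, matching execute bit missing
#   writable  group or other may also write to the file; review these first
audit_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)
        # Position 4 is the user execute slot, position 7 the group one.
        case $mode in
            ???S*|??????[Sl]*) finding=noexec ;;
            *)                 finding=exec ;;
        esac
        # Position 6 is group write, position 9 is other write.
        case $mode in
            ?????w*|????????w*) finding="$finding,writable" ;;
        esac
        printf '%s %s %s\n' "$mode" "$finding" "$f"
    done
}

# Constructed sample tree so the audit has something to report.
demo() {
    d=$(mktemp -d) || return 1
    ( cd "$d" &&
      touch plain suid_ok suid_noexec suid_open &&
      chmod 644 plain && chmod 4755 suid_ok &&
      chmod 4644 suid_noexec && chmod 4777 suid_open &&
      audit_special . )
    rm -rf "$d"
}

demo
```

The file named plain never appears in the output because neither special bit is set on it.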
Refer to the chgrp, chown, and ls commands described in modules 16, 18, and 84, respectively.
You can use the chmod command to allow or deny access to a file or directory. By removing read and write permissions for other users, you deny all users not in your group access to the file. If you removed the read and write permissions from the group permissions, then only you could access the data. In some cases you may want to remove your write permissions so you cannot accidentally remove or overwrite the file.
Using the chmod command to set the execute permissions allows you to execute a file that contains a shell script. You can also set the permission to l (lowercase L) for file locking. Then only one program or user can access the file at any given time.
The absolute mode is used to set all modes at once. It is generally used by programmers that like terse syntax. The symbolic mode is easier to understand and remember. It is also more useful for adding and removing only one or two specific modes.
In this activity you use the chmod command to change the modes of a directory. Begin at the shell prompt.
cj> ls -ld memos
drwx------ 2 mylogin ts 512 Feb 11 16:25 letters