Manipulating Linux Filesystem Permissions
This is the second part in a series on Linux filesystem permissions.
The Basics of Linux Filesystem Permissions discussed file types and permissions. This
article dives into the commands used to manipulate filesystem ownership and
permissions: chown and chmod.
Ownership
The chown command is used to set the owner and the group of a file. It has the
following syntax:
chown [OPTION]... [OWNER][:[GROUP]] FILE...
chown [OPTION]... --reference=RFILE FILE...
For the first form, there are four possibilities:
- If only OWNER is given, change only the owner of the given file(s).
- If OWNER and GROUP are both given, separated by a colon, change both.
- If OWNER is followed by a colon but no GROUP, change the owner and also set
  the group to the login group of that owner (the primary group recorded for
  the owner in the passwd database, not the group of the user running chown).
- If only a colon and GROUP are given, change only the group of the given file(s).
For the second form, the user and group are copied from RFILE to the given
file(s).
While there are several options for the chown command, the only one typically
used is -R (recursive). When it is given and FILE is a directory, chown changes
the ownership of the directory and of every file and directory below it.
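Here is an added example, not from the original article, that exercises the chown forms described above on a scratch tree and checks each result with stat(1). Only the group is changed, because changing a file's owner requires CAP_CHOWN (in practice, root), while an unprivileged user may change the group of a file they own to any group they belong to. The directory and file names and the helper functions are this example's own; it assumes the invoking user has an entry in the passwd database so that the `OWNER:` form can look up the login group.

```shell
#!/bin/sh
# Added example, not the article's own code: run the chown forms from the
# text on a scratch tree and verify each step with stat(1).

# Numeric "uid:gid" of a path, as the kernel stores it.
owner_of() {
    stat -c '%u:%g' "$1"
}

# Returns 0 only if every chown form left the ownership the text says it
# should. Constructed names: tree/, tree/sub/, tree/a, tree/sub/b, ref.
chown_demo() {
    local work me uid login_gid want rc p
    work=$(mktemp -d) || return 1
    me=$(id -un); uid=$(id -u)
    # "OWNER:" uses the owner's login group from the passwd database, which
    # need not be the gid the current process is running with.
    login_gid=$(getent passwd "$me" | cut -d: -f4)
    [ -n "$login_gid" ] || { rm -rf "$work"; return 1; }
    want="$uid:$login_gid"
    rc=0

    mkdir -p "$work/tree/sub"
    : > "$work/tree/a"; : > "$work/tree/sub/b"; : > "$work/ref"

    # OWNER: form -> owner plus the owner's login group.
    chown "$me:" "$work/tree/a" \
        && [ "$(owner_of "$work/tree/a")" = "$want" ] || rc=1
    # :GROUP form -> group only; the owner is untouched.
    chown ":$(id -gn)" "$work/tree/sub/b" \
        && [ "$(owner_of "$work/tree/sub/b")" = "$uid:$(id -g)" ] || rc=1
    # --reference form -> owner and group both copied from RFILE.
    chown --reference="$work/ref" "$work/tree/sub" \
        && [ "$(owner_of "$work/tree/sub")" = "$(owner_of "$work/ref")" ] || rc=1
    # -R -> the directory and everything below it.
    chown -R "$me:" "$work/tree" || rc=1
    for p in tree tree/a tree/sub tree/sub/b; do
        [ "$(owner_of "$work/$p")" = "$want" ] || rc=1
    done

    rm -rf "$work"
    return "$rc"
}
```

Run `chown_demo && echo ok`. Trying `chown someoneelse file` as an unprivileged user fails with "Operation not permitted": Linux does not let users give files away, which is why the demo never changes the owner to anyone but the caller.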
Permissions
In Linux, the chmod command is used to change the permissions of a file,
directory, or other file-like object. It has the following syntax:
chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
chmod [OPTION]... --reference=RFILE FILE...
While there are several OPTIONS that can be specified, the -R option is by
far the most common; it sets the permissions recursively on a directory and
everything below it.
Symbolic Mode Setting
The first form of this command uses a symbolic representation of the permissions to set permissions on a file.
Each MODE is made up of zero or more of the letters `ugoa`, followed by one of the operators `+`, `-` or `=`, followed either by letters from the set `rwxXst` or by exactly one of `ugo`. MODE can be
given multiple times, separated by commas. Let's explore this a bit.
The first letter determines which permissions get set:
| Letter | Definition |
|---|---|
| u | owner permissions |
| g | group permissions |
| o | Other permissions (anyone not the owner or in the group) |
| a | All permissions |
The operator determines how the permissions are applied: `+` adds them,
`-` removes them, and `=` sets them exactly (clearing any that are not listed).
The letters after the operator determine which permissions are affected:
| Letter | Definition |
|---|---|
| r | Read |
| w | Write |
| x | Execute (Search/Traverse for Directories) |
| X | Execute, but only if the file is a directory or already has an execute bit set for someone |
| s | setuid (with u) / setgid (with g) |
| t | Sticky bit (restricted deletion flag on directories) |
The symbolic form allows for very complex manipulation of permissions since you can use multiple instances of MODE for each file. For example:
`chmod u=rwx,g+rx,o-rwx test.sh`
would give the owner read, write and execute, give the group read and execute (without modifying its write permission), and remove all permissions from everyone else.
If the item after the operator is one of `ugo` instead, the permissions are
copied from that class, so:
`chmod g=u test.sh`
would give the group exactly the same permissions the owner has.
Using the a (all) option
When permissions are set using a, the owner, group and other permissions are
all set the same. There is a special case, though: if the `ugoa` part is
omitted entirely, all three classes are still affected, but the bits that are
set in the umask are masked out. For example, with a umask of `0022` (group
write and other write are masked out):
$ chmod a=rwx test.sh
$ ls -l test.sh
-rwxrwxrwx 1 adam adam 16 Feb 20 14:56 test.sh
results in owner, group and other all having every permission, but without the a:
$ chmod =rwx test.sh
$ ls -l test.sh
-rwxr-xr-x 1 adam adam 16 Feb 20 14:56 test.sh
the write bits are not set for group and other because they are masked by the umask.
This "set for everyone, respecting the umask" form is used quite often. You
have probably seen things like `chmod +x test.sh` in online instructions for
downloading and running a binary, for example.
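The following is an added example, not from the original article, that replays the symbolic modes discussed above on a scratch file under umask 022 and records the octal mode after each step with `stat -c %a`, so the umask effect can be seen without reading ls output by eye. It goes one step beyond the article's examples by also showing the `X` letter, which is what makes `chmod -R a+rX` safe to run on a tree where `a+rx` would mark every data file executable. File names and helper functions are this example's own.

```shell
#!/bin/sh
# Added example, not the article's own code: symbolic chmod under umask 022.

mode_of() {
    stat -c '%a' "$1"
}

# Create test.sh under umask 022 and apply each MODE in turn. Prints the
# octal mode after creation and after every chmod, space-separated.
symbolic_demo() {
    local work rc
    work=$(mktemp -d) || return 1
    (
        umask 022
        f=$work/test.sh                    # constructed file name
        : > "$f"                           # 666 & ~022 = 644
        out=$(mode_of "$f")
        # '=rwx' and '+w' omit the who part, so the umask masks out group
        # and other write; 'a=rwx' and 'a+w' name everyone explicitly.
        for m in 'u=rwx,g+rx,o-rwx' 'g=u' 'a=rwx' '=rwx' '+w' 'a+w' 'o-rwx'; do
            chmod "$m" "$f" || exit 1
            out="$out $(mode_of "$f")"
        done
        printf '%s\n' "$out"
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# 'X' grants execute only to directories and to files that already have an
# execute bit for someone, so "chmod -R a+rX" opens a tree for reading
# without turning every data file into an executable. Prints the modes of
# dir, dir/data and dir/tool after the command.
capital_x_demo() {
    local work rc
    work=$(mktemp -d) || return 1
    (
        umask 022
        d=$work/dir                        # constructed tree
        mkdir "$d"; : > "$d/data"; : > "$d/tool"
        chmod 700 "$d"; chmod 600 "$d/data"; chmod 700 "$d/tool"
        chmod -R a+rX "$d" || exit 1
        printf '%s %s %s\n' "$(mode_of "$d")" "$(mode_of "$d/data")" "$(mode_of "$d/tool")"
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}
```

`symbolic_demo` prints `644 750 770 777 755 755 777 770`: note the two 755 entries, where `=rwx` and then `+w` both had group and other write masked away. `capital_x_demo` prints `755 644 755`: the directory and the already-executable tool gained execute, the data file did not.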
Octal Mode Setting
Instead of using the symbolic form, you can use the octal (numeric) representation of the permissions. The octal number is made up of up to 4 digits. The first digit represents the setuid, setgid and sticky bits. The next three digits represent the owner, group and other permissions respectively. The value for each digit is computed by adding up the values of the bits set in that position:
| Position | Value | Definition |
|---|---|---|
| First | 4 | Setuid |
| First | 2 | Setgid |
| First | 1 | Sticky |
| First | 0 | None |
| Second to fourth | 4 | Read |
| Second to fourth | 2 | Write |
| Second to fourth | 1 | Execute |
| Second to fourth | 0 | None |
See the following examples of symbolic vs. octal:
| Octal | Symbolic |
|---|---|
| 644 | u=rw,g=r,o=r |
| 750 | u=rwx,g=rx,o= |
| 1770 | u=rwx,g=rwx,o=t |
Note that leading 0s can be omitted, as in the first two examples, where the first (special bits) digit is left off entirely.
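To make the octal and symbolic forms concrete, here is an added example, not from the original article, that converts an octal mode (as printed by `stat -c %a`) into the nine-character string `ls -l` shows, and back again. It also handles the special bits, which ls folds into the execute column: a lower-case `s` or `t` means the special bit and execute are both set, an upper-case `S` or `T` means the special bit is set without execute, which is usually a mistake worth flagging in an audit. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not the article's own code: octal <-> ls-style mode strings.

# Render an octal mode the way ls -l shows it, e.g. 4755 -> rwsr-xr-x.
octal_to_symbolic() {
    local mode out i l ch sp sl
    mode=$((0$1))          # leading 0 forces octal interpretation
    out=""
    i=0
    while [ "$i" -lt 9 ]; do
        case $((i % 3)) in 0) l=r ;; 1) l=w ;; 2) l=x ;; esac
        if [ $(( mode & (1 << (8 - i)) )) -ne 0 ]; then ch=$l; else ch=-; fi
        # setuid/setgid/sticky live in the execute column of owner/group/other
        case $i in
            2) sp=$(( mode & 2048 )); sl=s ;;   # 04000 setuid
            5) sp=$(( mode & 1024 )); sl=s ;;   # 02000 setgid
            8) sp=$(( mode & 512 ));  sl=t ;;   # 01000 sticky
            *) sp=0; sl=- ;;
        esac
        if [ "$sp" -ne 0 ]; then
            if [ "$ch" = x ]; then ch=$sl        # special bit plus execute
            elif [ "$sl" = s ]; then ch=S        # special bit without execute
            else ch=T
            fi
        fi
        out="$out$ch"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# The inverse: a 9-character rwx string with s/S/t/T markers -> octal.
symbolic_to_octal() {
    local s mode i ch
    s=$1; mode=0; i=0
    while [ "$i" -lt 9 ]; do
        ch=$(printf '%s' "$s" | cut -c$((i + 1)))
        case $ch in
            r|w|x) mode=$(( mode | (1 << (8 - i)) )) ;;
            s|S)
                if [ "$i" -eq 2 ]; then mode=$(( mode | 2048 )); else mode=$(( mode | 1024 )); fi
                if [ "$ch" = s ]; then mode=$(( mode | (1 << (8 - i)) )); fi ;;
            t|T)
                mode=$(( mode | 512 ))
                if [ "$ch" = t ]; then mode=$(( mode | 1 )); fi ;;
        esac
        i=$((i + 1))
    done
    printf '%o\n' "$mode"
}
```

`octal_to_symbolic 1770` gives `rwxrwx--T`, the article's third example: sticky is set but others have no execute, hence the capital T. A quick audit for setuid binaries whose owner lacks execute is `find / -perm -4000 ! -perm -0100 2>/dev/null`, which is exactly the `S` case above.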
Copying from another File
Using the third form of the chmod command copies the permissions from the file
given by --reference to the named file(s).
Assignment and setuid/setgid
- chmod clears the setgid bit of a regular file if the user running the
  command is not a member of the file's group (and is not root, who may
  override this).
- When assigning permissions to a directory, either with `=` or with a
  numeric mode, the setuid and setgid bits are not modified unless they are
  specified explicitly.
- Consequently, a three- or four-digit numeric mode cannot clear setuid or
  setgid on a directory: `chmod 755 dir` leaves a setgid directory at 2755.
  With GNU chmod, use a symbolic mode (`g-s`) or a five-digit numeric mode
  such as `00755`, which mentions every bit. On a regular file, a plain
  `chmod 755` does clear them.
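The directory rule is easy to be bitten by when "resetting" permissions with `chmod -R 755`. The following is an added example, not from the original article, that shows GNU chmod's behaviour on a setgid directory and on a setgid regular file, recording the mode after each step. Directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the article's own code: numeric modes and setgid.

mode_of() {
    stat -c '%a' "$1"
}

# Prints the mode of a setgid directory after successive chmods, then the
# mode of a setgid regular file after "chmod 755". Constructed names:
# shared/ (directory) and prog (file).
setgid_demo() {
    local work d f out
    work=$(mktemp -d) || return 1
    d=$work/shared; f=$work/prog
    mkdir "$d"; : > "$f"

    chmod 2775 "$d" || { rm -rf "$work"; return 1; }
    out=$(mode_of "$d")                           # 2775
    chmod 755 "$d";   out="$out $(mode_of "$d")"  # 2755: three digits keep setgid on a directory
    chmod 00755 "$d"; out="$out $(mode_of "$d")"  # 755: five digits mention every bit, so it is cleared
    chmod 2775 "$d"; chmod g-s "$d"
    out="$out $(mode_of "$d")"                    # 775: symbolic g-s clears it too
    chmod 2755 "$f"; chmod 755 "$f"
    out="$out $(mode_of "$f")"                    # 755: on a regular file plain 755 clears it

    rm -rf "$work"
    printf '%s\n' "$out"
}
```

`setgid_demo` prints `2775 2755 755 775 755`. After a recursive numeric chmod, `find /path -type d -perm -2000` lists any directories that kept their setgid bit.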