chmod
What is chmod?
On unix-like systems, chmod is a standard command that stands for "change mode" and lets you change the permission bits of a file or directory.
Not to be confused with chown, another standard command on unix-like systems that stands for "change owner" and assigns ownership of a file to another user, or chgrp, which stands for "change group" and assigns a file to a different group. These are important to know, but not as commonly used.
How to use chmod
The basics of Linux file permissions
Every file has an owner, which determines the file's "user class". Every file also has a group, which determines the file's "group class". Any system user who is neither the owner nor a member of the file's group falls into the "others" class.
All files on unix-like systems have permissions assigned to all 3 classes (user, group, others) and these determine which actions can be taken by said classes for the given file/directory.
The 3 actions available on unix-like systems are: read, write, execute. They mean slightly different things for files and for directories:
read : open and view the contents of a file; on a directory, list its entries
write : modify the contents of a file; on a directory, create, delete or rename entries (deleting a file needs write permission on the directory, not on the file itself)
execute : run the file as a program; on a directory, enter it (cd) and access its entries by name
Each of these can be granted or denied separately for the 3 classes (user, group, others).
Basic example
Let's say the permissions on a file, as printed by ls -l, are as follows: -rwxr-xr--
Now we can split this up into the leading file-type character and the 3 classes: - (regular file), rwx (user), r-x (group), r-- (others).
This means it's a regular file with read, write, and execute permissions for the owner; read and execute permissions for the group; and only read permission for everyone else.
Tip: the command ls -l shows the permissions of all files/directories in a listing; also make sure to check out the ls page.
Numeric notation
The second way of writing permissions is numeric (octal) notation: a string of three digits that represent the user, group, and others permissions, respectively. Each digit can range from 0 to 7, and each digit's value is obtained by summing the class's permissions:
0 means no permissions allowed.
+1 if the class can execute the file.
+2 if the class can write to the file.
+4 if the class can read the file.
In other words, the meaning of each digit value ends up being:
0: No permission
1: Execute
2: Write
3: Write and execute
4: Read
5: Read and execute
6: Read and write
7: Read, write, and execute
So the above example (-rwxr-xr--) would be 754 in numeric notation: chmod 754 file sets exactly those bits.
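As an added example (not part of the original page), a small POSIX shell function that turns the mode string ls -l prints into the numeric form by applying the table above. It goes slightly beyond the table: it also handles the special-permission letters (s, S, t, T) covered later on this page, which add a leading digit. The function name and the usage line are this example's own.

```shell
#!/bin/sh
# Convert a 10-character ls -l mode string (type character plus three rwx
# triplets), e.g. -rwxr-xr--, into octal notation. The special bits are handled
# as well: s/S in the user triplet adds 4, s/S in the group triplet adds 2 and
# t/T in the others triplet adds 1 to a leading digit; a lowercase letter also
# means the execute bit is set, an uppercase one that it is not.
mode_to_octal() {
    m=$1
    if [ "${#m}" -ne 10 ]; then
        echo "mode_to_octal: expected a 10-character mode string, got '$m'" >&2
        return 1
    fi
    special=0
    digits=""
    # <1-based column of the triplet's first character>:<special-bit value>
    for pair in 2:4 5:2 8:1; do
        col=${pair%:*}
        sbit=${pair#*:}
        triplet=$(printf '%s\n' "$m" | cut -c "$col-$((col + 2))")
        perm=0
        case $triplet in r??) perm=$((perm + 4)) ;; esac
        case $triplet in ?w?) perm=$((perm + 2)) ;; esac
        case $triplet in ??[xst]) perm=$((perm + 1)) ;; esac
        case $triplet in ??[sStT]) special=$((special + sbit)) ;; esac
        digits="$digits$perm"
    done
    if [ "$special" -ne 0 ]; then
        printf '%s%s\n' "$special" "$digits"
    else
        printf '%s\n' "$digits"
    fi
}

# Usage: ./mode_to_octal.sh -rwxr-xr-- drwxrwxrwt  (prints 754 and 1777)
for arg in "$@"; do
    mode_to_octal "$arg"
done
```

Feed it the first column of an ls -l line; the function validates only the length, so a string like -rwsr-xr-x yields 4755 and -rwSr--r-- yields 4644 (setuid set, but the owner cannot execute the file).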
Advanced Linux file permissions: setuid, setgid, sticky bit
Introduction
Normally, on a unix-like operating system, the ownership of files and directories is based on the default uid (user-id) and gid (group-id) of the user who created them. The same thing happens when a process is launched: it runs with the effective user-id and group-id of the user who started it, and with the corresponding privileges. This behavior can be modified by using special permissions.
In short
If setuid is set --> the file executes as the owner of the file (4xxx or u+s).
If setgid is set --> the file executes as the group owner of the file (2xxx or g+s); on a directory, new files inherit the directory's group instead.
If the sticky bit is set (only meaningful on a directory) --> a file in that directory can only be deleted or renamed by the file's owner, the directory's owner, or root, even if the directory is writable by everyone (1xxx or +t); the classic example is the /tmp directory.
examples
What is Setuid?
Setuid is a file permission bit that makes a program execute with the privileges of the file's owner rather than those of the user who ran it. This is primarily used to elevate the privileges of the current user in a controlled way. If a file is setuid and is owned by the user 'root', then a user that has the ability to execute that program will run it as root instead of as themselves. A common example of this on Linux is 'sudo'. Doing a full listing of the sudo executable with the 'ls -l' command as an unprivileged user (here 'test') shows the bit.
If you look at the permissions of the 'sudo' executable, you can see the 's' in the user's permissions where normally there would be an 'x'. Also, notice that this file is owned by the user 'root' (the super-user) and that the file is executable by the world (the last 'x' in the permissions). This indicates that when a user executes this program, the operating system will run it not as the user 'test' but as the user 'root'. In the case of the 'sudo' command, this allows a normal user to perform elevated system functions without having to log in as the root user. The flip side is that any bug or unsafe behaviour in a setuid-root program is a privilege-escalation path for every user who can execute it, so the set of setuid binaries on a system should be kept small and audited.
How Do I Set Up Setuid?
Setting the setuid permission is as simple as setting any other permission in Linux: it is a mode bit, changed with chmod (chown is not involved). An example command to set it is chmod u+s myfile.
In this example, we will create a file called 'myfile' using the command 'touch' and then we will examine its permissions with the 'ls -l' command.
Notice that the file does not have the execute permission for user, group, or world (touch creates it with the default mode from your umask, typically -rw-r--r--). We will add the setuid bit with chmod u+s myfile and list it again.
This output looks a little different from what we were expecting. The lowercase 's' we were looking for is now a capital 'S'. This signifies that setuid IS set, but the user that owns the file does not have execute permission. We can add that permission with chmod u+x myfile, after which the listing shows a lowercase 's'.
What is Setgid?
Setgid, when used on files, is very similar to setuid: the process runs with the effective group of the file's group owner. A typical example of a file that uses this is the 'crontab' command.
How Do I Set Up Setgid?
Similar to setuid, setgid is inserted with the chmod g+s command. Let's create a new file called 'myfile2'.
Now we will run the chmod g+s command and review the results.
Again we see the capital 'S', because the group has no execute permission; chmod g+x turns it into a lowercase 's'.
Setgid on Directories
Applying the setgid permission on a directory has a different behavior. A directory that has setgid on it will cause all files created in that directory to be owned by the group of the directory instead of the primary group of the user who created them; subdirectories created inside it inherit the setgid bit as well, so the behaviour carries down the tree. First, we create a directory.
Then we change the group ownership of the directory by using the 'chgrp' command, and then we can add the setgid permission like before.
Let's test it out by creating a file in that directory. All other files in this tutorial were created this way and had 'test' as the group. Because setgid is set on the directory and it is owned by group 'test2', this file will get 'test2' as its group.
What Is A Sticky Bit?
The final special permission is the sticky bit. When this is set on a directory, a file in that directory can only be removed or renamed by the file's owner (or by the directory's owner, or root), regardless of who has write permission on the directory. A typical use of this is /tmp. The /tmp directory can be written to by any user, but users cannot delete each other's files.
Notice that /tmp can be written to by everyone but has the 't' in place of the 'x' at the end of the permissions list. This means it has the sticky bit.
How Do I Set Up A Sticky Bit?
The sticky bit is set with the chmod +t command.
Setting Special Permissions With Number Notation
You may remember from the definitions above that permissions can be set with a series of three numbers. The numbers represent the permissions for owner, group, and world, respectively. To determine the number you want to set, you use x=1, w=2, and r=4 and add the numbers together to get the permission number. If we wanted to have read, write, and execute permissions, we would use 7. Read and write would be 6. Just read is 4. An example to set the file to read, write, and execute for owner, read and execute for group and world would be chmod 755 myfile.
For the special permissions, you prepend these three digits with another digit where 4 is setuid, 2 is setgid, and 1 is the sticky bit (they add up too: 6 is setuid plus setgid). So, assuming the file has the permissions we set above, chmod 4755 myfile is the same as chmod u+s myfile, chmod 2755 myfile is the same as chmod g+s myfile, and chmod 6755 myfile is the same as chmod u+s,g+s myfile.
Removing Special Permissions
To remove special permissions, we can use the same chmod commands with a '-' instead of a '+': chmod u-s, chmod g-s and chmod -t. In numeric notation a leading 0 clears them on a file (for example chmod 0755 myfile); on a directory, however, a numeric mode does not clear setuid/setgid, so use the symbolic form (g-s) there.
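The whole walk-through from "How Do I Set Up Setuid?" to "Removing Special Permissions", as an added example that is not part of the original page: a shell script that performs the steps in a scratch directory and reads the result with stat -c (GNU coreutils, assumed available) instead of reading ls -l by eye. It also adds the find command an auditor runs to enumerate setuid/setgid binaries on a host. The file, directory and function names are this example's own; where the page uses the groups 'test' and 'test2', the script uses your first supplementary group, if you have one.

```shell
#!/bin/sh
# Walk through setuid, setgid and the sticky bit in a scratch directory and
# report what stat shows after each step, one key=value line per step.
# Assumes GNU coreutils (stat -c) and a writable temp directory.
special_bits_demo() {
    d=$(mktemp -d) || return 1
    f="$d/myfile"
    : > "$f"
    chmod 644 "$f"                           # known starting point, independent of umask
    chmod u+s "$f"; echo "setuid_no_exec=$(stat -c %A "$f")"   # capital S: bit set, no u+x
    chmod u+x "$f"; echo "setuid_exec=$(stat -c %A "$f")"      # lowercase s: set and executable
    chmod g+s "$f"; echo "setgid_no_exec=$(stat -c %A "$f")"   # same story in the group slot
    chmod g+x "$f"; echo "setgid_exec=$(stat -c %A "$f")"
    echo "octal=$(stat -c %a "$f")"          # special bits appear as a leading digit: 6754
    chmod 0754 "$f"                          # leading 0 clears setuid/setgid on a file
    chmod 6754 "$f"                          # numeric form sets the same bits in one command
    echo "octal_numeric=$(stat -c %A "$f")"
    chmod u-s,g-s "$f"; echo "removed=$(stat -c %A "$f")"

    s="$d/shared"
    mkdir "$s"
    chmod 1777 "$s"; echo "sticky_dir=$(stat -c %A "$s")"      # world-writable plus t, like /tmp
    # Give the directory a group other than our primary one, if we have one, so
    # that inheritance is visible; a non-root user can only chgrp to its own groups.
    alt=$(id -G | tr ' ' '\n' | grep -vx "$(id -g)" | head -n 1)
    if [ -n "$alt" ]; then chgrp "$alt" "$s"; fi
    chmod g+s "$s"; echo "setgid_dir=$(stat -c %A "$s")"
    : > "$s/inherited"                       # new file takes the directory's group
    if [ "$(stat -c %g "$s/inherited")" = "$(stat -c %g "$s")" ]; then
        echo "inherited_group_matches=yes"
    else
        echo "inherited_group_matches=no"
    fi
    rm -rf "$d"
}

# List regular files carrying setuid or setgid under a directory tree (default /),
# staying on one filesystem. This is the audit a practitioner runs on a host.
list_special_binaries() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Usage: ./special_bits.sh demo      or      ./special_bits.sh scan /usr
case ${1:-} in
    demo) special_bits_demo ;;
    scan) list_special_binaries "${2:-/}" ;;
esac
```

Run it as an ordinary user: everything happens inside a fresh mktemp directory, so nothing on the system is changed. The scan target is the list you compare against a known-good baseline after a compromise or a package upgrade, since every entry in it runs with privileges its caller does not have.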
Conclusion
All in all, these special permissions are very useful for separating the ability of a user or group to read, write or execute a file, or to effect a change on a directory, from the identity the resulting process runs under.
On what do setuid/setgid bits work?
Setuid and setgid take effect only on regular files that the kernel executes directly (native binaries). On Linux the kernel ignores both bits on interpreted scripts (files starting with #!) for security reasons, and it ignores them on any filesystem mounted with the nosuid option. Setuid on a directory has no effect on Linux; setgid on a directory controls group inheritance as described above, and the sticky bit is only meaningful on directories.