

To obtain the set of permissions desired, add up the numbers for a given class. For example, if you want read and write permissions, you would add 4 (read) and 2 (write) to get 6 (read, write).

The following table defines the numbers to obtain each mix of permissions:

Thus to set the modes of a file to -rwxr-xr-- you would type

     chmod 754 file

Symbolic Modes

The symbolic mode consists of three parts. They are:

who string     Who is affected (user, group, or other)
operator       What action is to be taken (add, remove, or assign absolutely)
permissions    The permissions to add, remove, or assign absolutely

The general format is:

     chmod [ who_string ][ operator ][ permissions ] file_list
     chmod [ who_string ][ operator ][ permissions ] directory_list

For example, the following command removes the write permission for all other users:

     chmod o-w file

The o refers to other users, the - implies remove, and w is for write permission. No spaces are allowed in the symbolic mode strings.

Who string    The who string controls which set of permissions are changed by the chmod command. Any combination of the following letters can be used for the who string:

u The user (owner) of the file or directory
g The users in the group that the file is associated with
o All other users on the system
a All of the above (same as "ugo"). All user classes.
If no who string is used, then the a is assumed. All user classes are affected.

Operators    The operator controls what effect the permission strings will have on the permissions of the files or directories. The possible operators are:

- Remove the specified permissions from the file or directory.
+ Add the specified permissions to the file or directory.
= Assign the absolute permissions as specified. Permissions not specified are removed.

The = operator assigns the given permissions. It is the same as performing a chmod 000 file or a chmod a-rwx file, then performing the chmod to add the permissions specified after the = operator. For example, if you had a file with the following permissions:

     rwxr----- 1  mylogin   ts     5 Feb  2 afile

and you typed

     chmod a=rx afile

the file permissions would change to

     r-xr-xr-x 1  mylogin  ts   5 Feb  2 afile

Permission String    The permission string contains the permissions you want to add or remove from the current permissions. You can combine the following letters to create the permission string:

l Mandatory file locking during file access
r Read permission
s Set-user-ID if used with the u who string or set-group-ID if used with the g who string
t Sticky bit, hold text in memory until space is needed
w Write permission
x Execute permission
u Indicates that the permissions are to be taken from the current user permissions
g Indicates that the permissions are to be taken from the current group permissions
o Indicates that the permissions are to be taken from the current others permissions

Multiple symbolic modes can be used on the same command line. Separate each set of symbolic modes with commas (,). For example,

     chmod o+r,g-w myfile

would add read access for other users and remove write permission for group members.

More than one operator and permission sequence may be used for each who string. For instance,

     chmod g+r-w myfile

would add read access for members of the group and remove write permissions.

You can remove all permissions by using the = operator and no permission string. For example,

     chmod = myfile

removes all permissions for all users.
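
The following added example (not part of the original text) runs the absolute and symbolic modes from this section against scratch files and prints the resulting permission strings. It also goes one step beyond the text: with a POSIX-conforming chmod (GNU coreutils is assumed here), permission bits set in the umask are left untouched when the who string is omitted, so -w and a-w can give different results. The helper names perms, apply, with_umask and demo are assumptions of this example.

```shell
#!/bin/sh
# Added example: runs only against scratch files created with mktemp.
# Assumes a POSIX-conforming chmod (GNU coreutils behaves as shown).

# perms FILE: the nine permission characters as ls displays them.
perms() { ls -ld "$1" | cut -c2-10; }

# apply START MODE: make a scratch file with absolute mode START, apply MODE
# (absolute or symbolic), and print the resulting permission string.
apply() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    # "--" keeps a mode such as -w from being parsed as an option.
    chmod -- "$2" "$f" 2>/dev/null || :
    perms "$f"
    rm -f "$f"
}

# with_umask MASK START MODE: the same, run under file creation mask MASK.
with_umask() { ( umask "$1"; apply "$2" "$3" ); }

demo() {
    echo "754 (absolute)       -> $(apply 000 754)"
    echo "740, a=rx            -> $(apply 740 a=rx)"
    echo "660, o+r,g-w         -> $(apply 660 o+r,g-w)"
    echo "620, g+r-w           -> $(apply 620 g+r-w)"
    echo "754, =               -> $(apply 754 =)"
    # With no who string, bits set in the umask are left untouched:
    echo "666, -w  (umask 022) -> $(with_umask 022 666 -w)"
    echo "666, a-w (umask 022) -> $(with_umask 022 666 a-w)"
    echo "444, +w  (umask 022) -> $(with_umask 022 444 +w)"
}
demo
```

When a file must lose write access for every class, name the who string explicitly (a-w or go-w) and confirm the result with ls -l rather than relying on the default.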

Special Modes

The set-user-ID, set-group-ID, sticky bit, and file locking modes are special modes providing more flexibility in how UNIX handles the execution of a file.

The set-user-ID is reflected in the user execute position. The set-user-ID allows a different user to assume the user-ID of the file. Thus you execute the file (program) as if logged in as the owner of the file. For example, the following file belongs to the user "luwis":

     -rwsr-xr-x   1  luwis     ts     1 Jan 20 17:11 testprog

If you execute the testprog file, you will execute it as though the user luwis was executing it. This is useful to provide access to secure data via controlled program environments.

The set-group-ID works on the same principle as the set-user-ID, except when you execute it, the group-ID of the file is assumed, not the user-ID. The set-group-ID is displayed in the group execute position as shown in the following example:

     -rwxr-sr-x   1  luwis     ts     1 Jan 20 17:11 testprog

If either position is occupied by a capital S instead of a lowercase s, then you can access the file as though you are the owner but you cannot execute the file.

If the sticky bit is enabled, a lowercase t is placed in the other's execute position. The sticky bit informs the system to keep the program text of the file loaded in memory. For example, assume you execute the testprog program; when you exit from it the system will not unload the testprog from memory.

     -rwxr-xr-t   1 luwis      ts     1 Jan 20 17:11 testprog

If a capital T is present, then the file is not executable and can never be loaded into memory. Therefore, it is an undefined permission or state of the file. Only the super-user can set the sticky bit.

File locking is enabled if the group execute position is set to lowercase l. The l represents mandatory file and record locking. If file locking is enabled, then a file is temporarily unavailable to all other users while it is being accessed. The following example shows the position of the l in the modes:

     -rwxr-lr-x   1  luwis     ts      1 Jan 20 17:11 testprog
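
Because a set-user-ID or set-group-ID program runs with its owner's or group's identity, it is worth knowing which files carry these bits. The following added example (not part of the original text) lists such files under a directory and labels them from the s, S and l characters described above. The function names audit_special and demo, the labels, and the scratch file names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audits a scratch directory it creates itself.

# audit_special DIR: list regular files under DIR that carry the set-user-ID
# or set-group-ID bit, one per line as "<perms> <label> <relative path>".
audit_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort |
    while IFS= read -r f; do
        p=$(ls -ld "$f" | cut -c2-10)
        label=
        # User execute position: s = set-user-ID, S = set without execute.
        case $p in
            ??s*) label=setuid ;;
            ??S*) label=setuid-noexec ;;
        esac
        # Group execute position: s, S, or l (locking display on some systems).
        case $p in
            ?????[sSl]*) label=${label:+$label+}setgid ;;
        esac
        printf '%s %s %s\n' "$p" "$label" "${f#"$1"/}"
    done
}

# demo: build constructed sample files and audit them.
demo() {
    d=$(mktemp -d) || return 1
    for n in plain suid sgid suid_noexec; do : > "$d/$n"; done
    chmod 755  "$d/plain"        # ordinary executable, not reported
    chmod 4755 "$d/suid"         # rwsr-xr-x
    chmod 2755 "$d/sgid"         # rwxr-sr-x
    chmod 4644 "$d/suid_noexec"  # rwSr--r-- (capital S)
    audit_special "$d"
    rm -rf "$d"
}
demo
```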

RELATED COMMANDS

Refer to the chgrp, chown, and ls commands described in modules 16, 18, and 84, respectively.

APPLICATIONS

You can use the chmod command to allow or deny access to a file or directory. By removing read and write permissions for other users, you deny all users not in your group access to the file. If you removed the read and write permissions from the group permissions, then only you could access the data. In some cases you may want to remove your write permissions so you cannot accidentally remove or overwrite the file.

Using the chmod command to set the execute permissions allows you to execute a file that contains a shell script. You can also set the permission to l (lowercase L) for file locking. Then only one program or user can access the file at any given time.

The absolute mode is used to set all modes at once. It is generally used by programmers that like terse syntax. The symbolic mode is easier to understand and remember. It is also more useful for adding and removing only one or two specific modes.

TYPICAL OPERATION

In this activity you use the chmod command to change the modes of a directory. Begin at the shell prompt.

1.  Type chmod 700 letters and press Return to change the permissions of the letters directory to read, write, and execute for you, the owner, only.
2.  List the new permissions by typing ls -ld letters and pressing Return. Notice the dashes in the six right-hand positions of the permissions field. Only you have access to the letters directory, with the exception of the super-user.
     cj> ls -ld letters
     drwx------ 2 mylogin    ts    512 Feb 11 16:25 letters
3.  Turn to Module 146 to continue the learning sequence.

