Difference between revisions of "File permissions and attributes"

From ArchWiki
m (What the columns mean)
(Numeric method: Changed "1 to 7" to "0 to 7" because you are allowed to deny all permissions.)
 
(72 intermediate revisions by 17 users not shown)
[[Category:File systems]]
[[ja:ファイルのパーミッションと属性]]
{{Related articles start}}
{{Related|Users and groups}}
{{Related|umask}}
{{Related|Access Control Lists}}
{{Related|Capabilities}}
{{Related articles end}}
[[File systems]] use [[w:File system permissions|permissions]] and [[w:File attribute|attributes]] to regulate the level of interaction that system processes can have with files and directories.

{{Warning|When used for security purposes, permissions and attributes only defend against attacks launched from the booted system. To protect the stored data from attackers with physical access to the machine, one must also implement [[disk encryption]].}}

These checks constrain unprivileged processes only: a process with {{ic|CAP_DAC_OVERRIDE}} (in practice, anything running as root) bypasses the read, write and execute checks, apart from still needing at least one execute bit set in order to run a file; see [[Capabilities]].

== Viewing permissions ==

Use the [[ls]] command's {{ic|-l}} option to view the permissions (or '''file mode''') set for the contents of a directory, for example:
{{hc|$ ls -l /path/to/directory|
total 128
drwxr-xr-x 2 archie users  4096 Jul  5 21:03 Desktop
drwxr-xr-x 6 archie users  4096 Jul  5 17:37 Documents
drwxr-xr-x 2 archie users  4096 Jul  5 13:45 Downloads
-rw-rw-r-- 1 archie users  5120 Jun 27 08:28 customers.ods
-rw-r--r-- 1 archie users  3339 Jun 27 08:28 todo
-rwxr-xr-x 1 archie users  2048 Jul  6 12:56 myscript.sh
}}

The second column is the number of hard links to the entry, the third and fourth are the owning user and the owning group (the file's group, which need not be the owner's primary group; see [[Users and groups]]), followed by the size in bytes, the time of last modification and the name.

The first column is what we must focus on. Taking an example value of {{ic|drwxrwxrwx+}}, the meaning of each character is explained in the following tables:
  
{| class="wikitable"
|- style="text-align:center;"
| {{ic|d}}
| {{ic|rwx}}
| {{ic|rwx}}
| {{ic|rwx}}
| {{ic|+}}
|-
| The file type, technically not part of its permissions. See {{ic|info ls -n "What information is listed"}} for an explanation of the possible values.
| The permissions that the owner has over the file, explained below.
| The permissions that the group has over the file, explained below.
| The permissions that all the other users have over the file, explained below.
| A single character that specifies whether an alternate access method applies to the file. When this character is a space, there is no alternate access method. A {{ic|.}} character indicates a file with a security context, but no other alternate access method. A file with any other combination of alternate access methods is marked with a {{ic|+}} character, for example in the case of [[Access Control Lists]].
|}
  
Each of the three permission triads ({{ic|rwx}} in the example above) can be made up of the following characters:

{| class="wikitable"
! scope="col" style="width: 10%;" |
! scope="col" style="width: 10%;" | Character
! scope="col" style="width: 30%;" | Effect on files
! scope="col" style="width: 50%;" | Effect on directories
|-
! rowspan="2" style="text-align:left;" | Read permission (first character)
| style="text-align:center;" | {{ic|-}}
| The file cannot be read.
| The directory's contents cannot be listed.
|-
| style="text-align:center;" | {{ic|r}}
| The file can be read.
| The directory's contents can be listed.
|-
! rowspan="2" style="text-align:left;" | Write permission (second character)
| style="text-align:center;" | {{ic|-}}
| The file cannot be modified.
| The directory's contents cannot be modified.
|-
| style="text-align:center;" | {{ic|w}}
| The file can be modified.
| The directory's contents can be modified (create new files or directories; rename or delete existing files or directories); requires the execute permission to be also set, otherwise this permission has no effect.
|-
! rowspan="6" style="text-align:left;" | Execute permission (third character)
| style="text-align:center;" | {{ic|-}}
| The file cannot be executed.
| The directory cannot be accessed with [[cd]].
|-
| style="text-align:center;" | {{ic|x}}
| The file can be executed.
| The directory can be accessed with [[cd]]; this is the only permission bit that in practice can be considered to be "inherited" from the ancestor directories: if ''any'' directory in the path does not have the {{ic|x}} bit set, the final file or directory cannot be accessed either, regardless of its own permissions; see {{ic|man 7 path_resolution}} for more information.
|-
| style="text-align:center;" | {{ic|s}}
| colspan="2" | The [[w:setuid|setuid]] bit when found in the '''u'''ser triad; the '''setgid''' bit when found in the '''g'''roup triad; it is not found in the '''o'''thers triad; it also implies that {{ic|x}} is set. On an executable, setuid or setgid makes the program run with the file owner's user or group identity rather than the caller's; on a directory, setgid makes newly created entries inherit the directory's group.
|-
| style="text-align:center;" | {{ic|S}}
| colspan="2" | Same as {{ic|s}}, but {{ic|x}} is not set; rare on regular files (a setgid directory still passes on its group even without the group {{ic|x}} bit).
|-
| style="text-align:center;" | {{ic|t}}
| colspan="2" | The [[w:sticky bit|sticky]] bit; it can only be found in the '''o'''thers triad; it also implies that {{ic|x}} is set. On a directory it restricts renaming and deleting of entries to the entry's owner (and the directory's owner), which is how shared directories such as {{ic|/tmp}} are protected; on regular files it has no effect on Linux.
|-
| style="text-align:center;" | {{ic|T}}
| colspan="2" | Same as {{ic|t}}, but {{ic|x}} is not set; rare on regular files and of little use on directories, since others cannot enter them anyway.
|}

See {{ic|info Coreutils -n "Mode Structure"}} and {{ic|man 1 chmod}} for more details.

==== Examples ====

Let us see some examples to clarify:

 '''drwx------''' 6 archie users  4096 Jul  5 17:37 Documents

Archie has full access to the Documents directory. He can list its contents, create files, and rename or delete any file in Documents regardless of that file's own permissions (the one exception is a directory with the sticky bit set, described above). Whether he can read or write a given file depends on the file's permissions.

 '''dr-x------''' 6 archie users  4096 Jul  5 17:37 Documents

Archie has full access except that he cannot create, rename or delete any file. He can list the files and, if a file's permissions allow it, access an existing file in Documents.

 '''d-wx------''' 6 archie users  4096 Jul  5 17:37 Documents

Archie cannot list Documents with {{ic|ls}}, but if he knows the name of an existing file he can inspect, rename, delete or (if the file's permissions allow it) access it. He is also able to create new files.

 '''d--x------''' 6 archie users  4096 Jul  5 17:37 Documents

Archie can only access (if the file's permissions allow it) those files in Documents whose names he already knows. He cannot list the existing files, nor create, rename or delete any of them.

Keep in mind that these are directory permissions and are independent of the permissions of the individual files inside. Creating, renaming or deleting a file changes the directory, not the file, which is why those operations need write permission on the directory rather than on the file.

Let us look at another example, this time of a file, not a directory:

 '''-rw-r--r--''' 1 archie users  5120 Jun 27 08:28 foobar

Here the first character is {{ic|-}} rather than {{ic|d}}, so this is a regular file, not a directory. The owner's permissions are {{ic|rw-}}, so the owner can read and write the file but not execute it. It may seem odd that the owner does not have all three permissions, but {{ic|x}} is not needed for a text or data file that is read by an editor or by software such as R rather than run as a program (if it contained a script, it very well could be executable). The group's permissions are {{ic|r--}}, so group members can read the file but not write to it: for them it is effectively read-only. The same permissions apply to everyone else.
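As an added example (not code from the ArchWiki page), the following POSIX shell script exercises the directory modes from the examples above on a scratch directory and reports which operations succeed. It assumes GNU coreutils and an unprivileged user: root bypasses these checks, so the results only hold for a normal account. The extra mode {{ic|200}} demonstrates the point made in the table that {{ic|w}} on a directory does nothing without {{ic|x}}.

```shell
#!/bin/sh
# Added example, not part of the original page. Probes what each directory
# mode lets the owner do. Assumes coreutils (mktemp, chmod, ls, cat, touch)
# and an unprivileged user: root ignores these mode bits entirely.

# dir_probe MODE
#   Creates a scratch "Documents" directory holding a readable file named
#   "known", applies MODE (octal) to the directory, tries the three
#   operations the text distinguishes, cleans up, and prints a line such as
#   "list=ok read=ok create=fail".
dir_probe() {
    mode=$1
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/Documents"
    printf 'hello\n' > "$tmp/Documents/known"
    chmod 644 "$tmp/Documents/known"   # the file itself is always readable
    chmod "$mode" "$tmp/Documents"

    can_list=fail; can_read=fail; can_create=fail
    # r on the directory: may read its table of contents, i.e. the names.
    if ls "$tmp/Documents" >/dev/null 2>&1; then can_list=ok; fi
    # x on the directory: may traverse it to reach an entry whose name is
    # already known, even when the names cannot be listed.
    if cat "$tmp/Documents/known" >/dev/null 2>&1; then can_read=ok; fi
    # w on the directory: may add an entry, but only together with x.
    if touch "$tmp/Documents/new" 2>/dev/null; then can_create=ok; fi

    chmod 700 "$tmp/Documents"         # restore so the scratch tree can be removed
    rm -rf "$tmp"
    printf 'list=%s read=%s create=%s\n' "$can_list" "$can_read" "$can_create"
}

# The four modes from the examples above, plus 200 (w without x), which
# shows that write permission on a directory is inert without x.
for m in 700 500 300 100 200; do
    printf 'mode %s: %s\n' "$m" "$(dir_probe "$m")"
done
```

Running it as an ordinary user prints one line per mode; {{ic|300}} is the surprising one, since a directory you cannot list still lets you create files in it and reach files whose names you already know.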
== Changing permissions ==

[[Wikipedia:chmod|chmod]] is a command in Linux and other Unix-like operating systems that '''ch'''anges the permissions (or access '''mod'''e) of a file or directory. Only the owner of a file (or root) can change its mode.

=== Text method ===

To change the permissions, or ''access mode'', of a file, use the ''chmod'' command in a terminal. Below is the command's general structure:

 chmod ''who''=''permissions'' ''filename''

Where {{ic|''who''}} is any from a range of letters, each signifying who is being given the permission. They are as follows:

* {{ic|u}}: the [[user]] that owns the file.
* {{ic|g}}: the [[group]] that the file belongs to.
* {{ic|o}}: the '''o'''ther users, i.e. everyone else.
* {{ic|a}}: '''a'''ll of the above; use this instead of typing {{ic|ugo}}.

The permissions are the same as discussed in [[#Viewing permissions]] ({{ic|r}}, {{ic|w}} and {{ic|x}}).
  
Now have a look at some examples using this command. Suppose you became very protective of the Documents directory and wanted to deny everybody but yourself permission to read, write, and execute (or in this case search/look) in it:

Before: {{ic|drwxr-xr-x 6 archie users  4096 Jul  5 17:37 Documents}}

 $ chmod g= Documents
 $ chmod o= Documents

After: {{ic|drwx------ 6 archie users  4096 Jul  5 17:37 Documents}}

Here, because you want to deny permissions, you do not put any letters after the {{ic|1==}} where permissions would be entered. Now you can see that only the owner's permissions are {{ic|rwx}} and all other permissions are {{ic|-}}. (The modification time shown by {{ic|ls -l}} does not change: ''chmod'' updates the inode change time, not the content modification time.)

This can be reverted with:

Before: {{ic|drwx------ 6 archie users  4096 Jul  5 17:37 Documents}}

 $ chmod g=rx Documents
 $ chmod o=rx Documents

After: {{ic|drwxr-xr-x 6 archie users  4096 Jul  5 17:37 Documents}}

This time you want to grant read and execute permissions to the group and other users, so you put the letters for the permissions ({{ic|r}} and {{ic|x}}) after the {{ic|1==}}, with no spaces.

You can simplify this by putting more than one {{ic|''who''}} letter in the same command, e.g.:

 $ chmod go=rx Documents

{{Note|1=It does not matter in which order you put the {{ic|''who''}} letters or the permission letters in a {{ic|chmod}} command: you could have {{ic|1=chmod go=rx file}} or {{ic|1=chmod og=xr file}}. It is all the same.}}

Now let us consider a second example. Suppose you want to change the {{ic|foobar}} file so that you have read and write permissions, fellow users in the group {{ic|users}} (who may be colleagues working on {{ic|foobar}}) can also read and write to it, but other users can only read it:

Before: {{ic|-rw-r--r-- 1 archie users  5120 Jun 27 08:28 foobar}}

 $ chmod g=rw foobar

After: {{ic|-rw-rw-r-- 1 archie users  5120 Jun 27 08:28 foobar}}

This is exactly like the first example, but with a file, not a directory, and you grant write permission (just so as to give an example of granting every permission).
  
==== Text method shortcuts ====

The ''chmod'' command lets you add and subtract permissions from an existing set using {{ic|+}} or {{ic|-}} instead of {{ic|1==}}. This is different from the above commands, which essentially re-write the permissions: to change a permission from {{ic|r--}} to {{ic|rw-}}, you still need to include {{ic|r}} as well as {{ic|w}} after the {{ic|1==}} in the ''chmod'' invocation. If you left out {{ic|r}}, it would take away the {{ic|r}} permission, because the whole triad is re-written with {{ic|1==}}. Using {{ic|+}} and {{ic|-}} avoids this by adding to or taking away from the ''current'' set of permissions.

Let us try this {{ic|+}} and {{ic|-}} method with the previous example of adding write permissions to the group:

Before: {{ic|-rw-r--r-- 1 archie users  5120 Jun 27 08:28 foobar}}

 $ chmod g+w foobar

After: {{ic|-rw-rw-r-- 1 archie users  5120 Jun 27 08:28 foobar}}

Another example, denying write permissions to all ({{ic|a}}):

Before: {{ic|-rw-rw-r-- 1 archie users  5120 Jun 27 08:28 foobar}}

 $ chmod a-w foobar

After: {{ic|-r--r--r-- 1 archie users  5120 Jun 27 08:28 foobar}}
  
A different shortcut is the special {{ic|X}} mode: this is not an actual file mode, but it is often used in conjunction with the {{ic|-R}} option to set the execute bit on directories while leaving regular files alone, unless a file already has an execute bit for some user (in which case {{ic|X}} adds {{ic|x}} for the selected classes too). For example:

 $ chmod -R a+rX ./data/

==== Copying permissions ====

It is possible to tell ''chmod'' to copy the permissions from one class, say the owner, and give those same permissions to the group or even to all. To do this, instead of putting {{ic|r}}, {{ic|w}}, or {{ic|x}} after the {{ic|1==}}, put another ''who'' letter, e.g.:

Before: {{ic|-rw-r--r-- 1 archie users 5120 Jun 27 08:28 foobar}}

 $ chmod g=u foobar

After: {{ic|-rw-rw-r-- 1 archie users 5120 Jun 27 08:28 foobar}}

This command essentially translates to "change the permissions of the group ({{ic|1=g=}}) to be the same as the owning user's ({{ic|1==u}})". Note that you cannot copy a set of permissions and grant new ones in the same clause, e.g.:

 $ chmod g=wu foobar

In that case ''chmod'' rejects the mode with an error. Use two comma-separated clauses instead, e.g. {{ic|1=chmod g=u,g+w foobar}}.
=== Numeric method ===

''chmod'' can also set permissions using numbers.

Using numbers is another method which allows you to edit the permissions for all three of owner, group, and others at the same time. The basic structure is this:

 $ chmod ''xxx'' ''filename''

Where {{ic|'''xxx'''}} is a 3-digit number in which each digit can be anything from 0 to 7. The first digit applies to permissions for the owner, the second digit to permissions for the group, and the third digit to permissions for all others. An optional leading fourth digit sets the special bits from the table in [[#Viewing permissions]]: 4 for setuid, 2 for setgid and 1 for the sticky bit, so {{ic|chmod 4755 ''filename''}} sets setuid on top of {{ic|755}}.

In this number notation, the values {{ic|r}}, {{ic|w}}, and {{ic|x}} have their own number value:

 r=4
 w=2
 x=1
  
To come up with a 3-digit number you need to consider what permissions you want owner, group, and others to have, and then total their values up. For example, if you want to grant the owner of a directory read, write and execute permissions, and you want the group and everyone else to have just read and execute permissions, you would come up with the numerical values like so:

* Owner: {{ic|rwx}}=4+2+1=7
* Group: {{ic|r-x}}=4+0+1=5
* Other: {{ic|r-x}}=4+0+1=5

 $ chmod 755 ''filename''

This is the equivalent of using the following:

 $ chmod u=rwx ''filename''
 $ chmod go=rx ''filename''

Most directories are set to {{ic|755}} to allow reading, writing and execution to the owner, but deny writing to everyone else, and files are normally {{ic|644}} to allow reading and writing for the owner but just reading for everyone else; refer to the note in [[#Examples]] on the lack of {{ic|x}} permissions for non-executable files: it is the same thing here.

To see this in action, consider the previous example with the numerical method applied instead:

Before: {{ic|-rw-r--r-- 1 archie users  5120 Jun 27 08:28 foobar}}

 $ chmod 664 foobar

After: {{ic|-rw-rw-r-- 1 archie users  5120 Jun 27 08:28 foobar}}

If this were an executable and you wanted to grant execute permission to the owner and group, the number would be {{ic|774}}. Alternatively, if you wanted everyone to have only read permission, the number would be {{ic|444}}. Treating {{ic|r}} as 4, {{ic|w}} as 2, and {{ic|x}} as 1 is probably the easiest way to work out the numerical values for {{ic|chmod ''xxx'' ''filename''}}, but there is also a binary method, where each permission is written as a binary digit and each triad is then converted to a number. It is a bit more convoluted, but it is included here for completeness.
  
 
Consider this permission set:

 -rwxrwxr-x

If you put a 1 under each permission granted, and a 0 for every one not granted, the result would be something like this:

 -rwxrwxr-x
  111111101

You can then convert these binary numbers:

 000=0     100=4
 001=1     101=5
 010=2     110=6
 011=3     111=7

The value of the above would therefore be 775.

Suppose we wanted to remove the write permission from the group:

 -rwxr-xr-x
  111101101

The value would therefore be 755 and you would use {{ic|chmod 755 ''filename''}} to remove the write permission. You will notice you get the same three-digit number no matter which method you use. Whether you use text or numbers will depend on personal preference and typing speed. When you want to restore a directory or file to default permissions, e.g. read and write (and execute) permission for the owner but no write permission for everyone else, it may be faster to use {{ic|chmod 755 ''directory''}} or {{ic|chmod 644 ''filename''}}. However, if you are changing the permissions to something out of the norm, it may be simpler and quicker to use the text method rather than converting to numbers, which can lead to mistakes. For a user who only needs ''chmod'' occasionally there is no significant difference in speed between the two methods.
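As an added example (not code from the ArchWiki page), the following shell function converts the mode column printed by {{ic|ls -l}} into the octal number ''chmod'' accepts. It goes beyond the text above by also handling the {{ic|s}}, {{ic|S}}, {{ic|t}} and {{ic|T}} characters from the table in [[#Viewing permissions]}, emitting them as the leading fourth digit, and a second function cross-checks the parser against {{ic|stat -c %a}} on a scratch file. It assumes a POSIX shell and GNU coreutils; the input strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original page. Converts the permission
# string printed by `ls -l` to the octal number understood by chmod, with
# the special bits (setuid 4, setgid 2, sticky 1) as a leading digit.
# Assumes a POSIX shell and GNU coreutils (stat, ls, chmod, mktemp).

# mode_to_octal MODESTRING
#   MODESTRING is the 9-character rwx string or the 10-character `ls -l`
#   field (file type first). Prints e.g. 755, 644, 4755 or 1777, formatted
#   the way `stat -c %a` does; returns 1 on a malformed string.
mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;                     # drop the file-type character
        9)  ;;
        *)  echo "mode_to_octal: bad length in '$1'" >&2; return 1 ;;
    esac
    special=0; digits=''; val=0; pos=0
    while [ -n "$m" ]; do
        c=${m%"${m#?}"}; m=${m#?}           # peel off the first character
        case $c in
            r) val=$((val + 4)) ;;
            w) val=$((val + 2)) ;;
            x) val=$((val + 1)) ;;
            s|S)                            # setuid in slot 2, setgid in slot 5
                case $pos in
                    2) special=$((special + 4)) ;;
                    5) special=$((special + 2)) ;;
                    *) echo "mode_to_octal: '$c' not allowed at position $pos" >&2; return 1 ;;
                esac
                if [ "$c" = s ]; then val=$((val + 1)); fi ;;
            t|T)                            # sticky bit only in slot 8
                if [ "$pos" -ne 8 ]; then
                    echo "mode_to_octal: '$c' only allowed in the others triad" >&2; return 1
                fi
                special=$((special + 1))
                if [ "$c" = t ]; then val=$((val + 1)); fi ;;
            -) ;;
            *) echo "mode_to_octal: unexpected character '$c'" >&2; return 1 ;;
        esac
        # Slots 2, 5 and 8 close the user, group and others triads.
        case $pos in 2|5|8) digits="$digits$val"; val=0 ;; esac
        pos=$((pos + 1))
    done
    if [ "$special" -eq 0 ]; then
        printf '%s\n' "$digits"
    else
        printf '%s%s\n' "$special" "$digits"
    fi
}

# check_with_stat OCTAL
#   Applies OCTAL to a scratch file, reads the mode back both through
#   `ls -l` (parsed by mode_to_octal; only the first 10 characters are used,
#   so a trailing ACL/security-context marker is ignored) and through
#   `stat -c %a`, and prints "match" or "mismatch".
check_with_stat() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    from_ls=$(mode_to_octal "$(ls -l "$f" | cut -c1-10)")
    from_stat=$(stat -c '%a' "$f")
    rm -f "$f"
    if [ "$from_ls" = "$from_stat" ]; then
        echo match
    else
        echo "mismatch ($from_ls from ls, $from_stat from stat)"
    fi
}

mode_to_octal '-rwxr-xr-x'   # 755
mode_to_octal 'rw-rw-r--'    # 664
mode_to_octal '-rwsr-xr-x'   # 4755, a setuid executable
mode_to_octal 'drwxrwxrwt'   # 1777, a sticky world-writable directory
mode_to_octal 'drwxr-sr-x'   # 2755, a setgid directory
check_with_stat 644
check_with_stat 4755
```

The cross-check is the part worth keeping in a toolbox: when auditing a host, comparing what a parser derives from {{ic|ls}} output with what {{ic|stat}} reports catches both parser bugs and the {{ic|S}}/{{ic|T}} cases where a special bit is set without the corresponding execute bit.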
  
=== Bulk chmod ===

Generally directories and files should not have the same permissions. If it is necessary to bulk modify a directory tree, use [[find]] to selectively modify one or the other.

To ''chmod'' only directories to 755:

 $ find ''directory'' -type d -exec chmod 755 {} +

To ''chmod'' only files to 644:

 $ find ''directory'' -type f -exec chmod 644 {} +

The ''-exec ... {} +'' form passes many names to a single ''chmod'' invocation and, unlike piping names through ''xargs'', copes with file names containing spaces or newlines. Note that the second command also clears the execute bit on every script and binary in the tree, so check for executables first, e.g. with {{ic|find ''directory'' -type f -perm /111}}, and exclude them if they need to stay runnable.
  
==Changing ownership using the chown command==  
+
== Changing ownership ==
Whilst this is an article dedicated to chmod, chown deserves mention as well. Where chmod changes the access mode of a file or directory, chown changes the owner of a file or directory, which is quicker and easier than altering the permissions in some cases, but do be careful when you do so.
+
  
Consider the following example, making a new partition with GParted for backup data. Gparted for may does this all as root so everything belongs to root. This is all well and good but when it came to writing data to the mounted partition, permission was denied.  
+
[[Wikipedia:chown|chown]] changes the owner of a file or directory, which is quicker and easier than altering the permissions in some cases.  
  
brw-rw----  1 root disk      8,   9 Jul  6 16:02 sda9
+
Consider the following example, making a new partition with [[GParted]] for backup data. Gparted does this all as root so everything belongs to root. This is all well and good but when it came to writing data to the mounted partition, permission was denied.
drwxr-xr-x 5 root root 4096 Jul  6 16:01 Backup
+
  
As you can see the device in '''/dev''' is owned by '''root''', as is where it is mounted ('''/media/Backup'''). To change the owner of where it is mounted one can do the following:
+
brw-rw---- 1 root disk 8,   9 Jul  6 16:02 sda9
 +
drwxr-xr-x 5 root root    4096 Jul  6 16:01 Backup
  
Before: drwxr-xr-x 5 root root 4096 Jul  6 16:01 Backup
+
As you can see the device in {{ic|/dev}} is owned by root, as is where it is mounted ({{ic|/media/Backup}}). To change the owner of where it is mounted one can do the following:
  
  Command: chown ben Backup (cd'd to /media first)
+
Before: {{ic|drwxr-xr-x 5 root root 4096 Jul  6 16:01 Backup}}
  
  After drwxr-xr-x 5 ben  root 4096 Jul  6 16:01 Backup
+
  # chown archie /media/Backup
  
Now the partition can have backup data written to it as instead of altering the permissions, as the owner already has '''rwx''' permissions, the owner has been altered to the user ben. Alternatives would be to alter the permissions for everyone else (undesirable as it's a backup permission) or adding the user to the group '''root'''.
+
After: {{ic|drwxr-xr-x 5 archie  root 4096 Jul  6 16:01 Backup}}
  
==Reference table==
+
Now the partition can have backup data written to it as instead of altering the permissions, as the owner already has {{ic|rwx}} permissions, the owner has been altered to the user archie. Alternatives would be to alter the permissions for everyone else (undesirable as it is a backup permission) or adding the user to the group {{ic|root}}.
{| border="1"
+
 
! Who !! Permission !! Numbers
+
== Access Control Lists ==
|-
+
 
| u - owning user || r - read || 4 - read
+
[[Access Control Lists]] provides an additional, more flexible permission mechanism for file systems by allowing to set permissions for any user or group to any file.
|-
+
 
| g - group || w - write || 2 - write
+
== File attributes ==
|-
+
 
| o - others || x - execute/search || 1 - execute
+
Apart from the file mode bits that control [[Users and groups|user and group]] read, write and execute permissions, several [[file systems]] support file attributes that enable further customization of allowable file operations. This section describes some of these attributes and how to work with them.
|-
+
 
| a - all || ||                               
+
{{Warning|By default, file attributes are not preserved by [[cp]], [[rsync]], and other similar programs.}}
|-
+
 
|}
+
=== chattr and lsattr ===
 +
 
 +
For ext2 and [[ext3]] file systems, the {{Pkg|e2fsprogs}} package contains the programs [[Wikipedia:lsattr|lsattr]] and [[Wikipedia:chattr|chattr]] that list and change a file's attributes, respectively. Though some are not honored by all file systems, the available attributes are:
 +
 
 +
* {{ic|a}}: append only
 +
* {{ic|c}}: compressed
 +
* {{ic|d}}: no dump
 +
* {{ic|e}}: extent format
 +
* {{ic|i}}: immutable
 +
* {{ic|j}}: data journalling
 +
* {{ic|s}}: secure deletion
 +
* {{ic|t}}: no tail-merging
 +
* {{ic|u}}: undeletable
 +
* {{ic|A}}: no atime updates
 +
* {{ic|C}}: no copy on write
 +
* {{ic|D}}: synchronous directory updates
 +
* {{ic|S}}: synchronous updates
 +
* {{ic|T}}: top of directory hierarchy
 +
 
 +
For example, if you want to set the immutable bit on some file, use the following command:
 +
 
 +
# chattr +i ''/path/to/file''
 +
 
 +
To remove an attribute on a file just change {{ic|+}} to {{ic|-}}.
 +
 
 +
== Extended attributes ==
 +
 
 +
From {{ic|attr(5)}}: "Extended attributes are name:value pairs associated permanently with files and directories". There are four extended attribute classes: security, system, trusted and user.
 +
 
 +
{{Warning|By default, extended attributes are not preserved by [[cp]], [[rsync]], and other similar programs.}}
 +
 
 +
=== User extended attributes ===
 +
 
 +
User extended attributes can be used to store arbitrary information about a file. To create one:
 +
 
 +
$ setfattr -n user.checksum -v "3baf9ebce4c664ca8d9e5f6314fb47fb" foo.bar
 +
 
 +
Use getfattr to display extended attributes:
 +
 
 +
$ getfattr -d foo.bar
 +
# file: foo.bar
 +
user.checksum="3baf9ebce4c664ca8d9e5f6314fb47fb"
 +
 
 +
=== Capabilities ===
 +
 
 +
Extended attributes are also used to set [[Capabilities]].
 +
 
 +
== Tips and tricks ==
  
==Extended file attributes==
+
=== Preserve root ===
Apart from the file mode bits that control [[Users and Groups|user and group]] read, write and execute permissions, several [[File Systems|file systems]] support extended file attributes that enable further customization of allowable file operations. This section describes some of these attributes and how to work with them.
+
  
===chattr and lsattr===
+
Use the {{ic|--preserve-root}} flag to prevent {{ic|chmod}} from acting recursively on {{ic|/}}. This can, for example, prevent one from removing the executable bit systemwide and thus breaking the system. To use this flag every time, set it within an [[alias]]. See also [https://www.reddit.com/r/linux/comments/4ni3xe/tifu_sudo_chmod_644/].
For ext2 and [[ext3]] file systems, the {{Pkg|e2fsprogs}} package contains the programs {{ic|lsattr}} and {{ic|chattr}} that list and change a file's attributes, respectively. Though some are not honored by all file systems, the available attributes are:
+
  
*a : append only
+
== See also ==
*c : compressed
+
*d : no dump
+
*e : extent format
+
*i : immutable
+
*j : data journalling
+
*s : secure deletion
+
*t : no tail-merging
+
*u : undeletable
+
*A : no atime updates
+
*C : no copy on write
+
*D : synchronous directory updates
+
*S : synchronous updates
+
*T : top of directory hierarchy
+
  
==See also==
 
 
* [[wikipedia:Chattr]]
 
* [[wikipedia:Chattr]]
* [[Umask]]
+
* [http://www.hackinglinuxexposed.com/articles/20030417.html Linux File Permission Confusion]
 +
* [http://www.hackinglinuxexposed.com/articles/20030424.html Linux File Permission Confusion part 2]
 +
* [[wikipedia:Extended file attributes#Linux]]
 +
* [http://www.lesbonscomptes.com/pages/extattrs.html Extended attributes: the good, the not so good, the bad.]
 +
* [http://www.concrete5.org/documentation/how-tos/designers/backup-and-restore-file-permissions-in-linux/ Backup and restore file permissions in Linux]
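Review bot: the rewritten "Bulk chmod" text drops the old paragraph's explanation of why the pipeline used -print0 and xargs -0 (file names containing blanks), but gives no rationale for the replacement `find ''directory'' -type d -exec chmod 755 {} +`. Suggest keeping one sentence saying that with the -exec ... {} + form find passes the matched names to chmod directly, so no separator handling is needed and names with spaces remain safe; otherwise a reader who knows the old form may think the space-handling was lost.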
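Review bot: `{{ic|chmod 755/644 ''filename''}}` in the rewritten numeric-method paragraph is not a valid invocation, and the slash reads as part of the mode argument. Suggest spelling out both cases, e.g. `chmod 755 ''directory''` and `chmod 644 ''filename''`, which also matches the "directories 755, files 644" rule stated two sentences earlier.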
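Review bot: in the new "User extended attributes" section the example `setfattr -n user.checksum -v "3baf9ebce4c664ca8d9e5f6314fb47fb" foo.bar` names the attribute "checksum", while the sentence before it says user attributes hold "arbitrary information". Suggest adding that the value is plain metadata which the file system neither computes nor verifies, so a reader does not take the example for an integrity check, or pick a neutral name such as user.comment.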

Latest revision as of 05:43, 23 September 2016

File systems use permissions and attributes to regulate the level of interaction that system processes can have with files and directories.

Warning: When used for security purposes, permissions and attributes only defend against attacks launched from the booted system. To protect the stored data from attackers with physical access to the machine, one must also implement disk encryption.

Viewing permissions

Use the ls command's -l option to view the permissions (or file mode) set for the contents of a directory, for example:

$ ls -l /path/to/directory
total 128
drwxr-xr-x 2 archie users  4096 Jul  5 21:03 Desktop
drwxr-xr-x 6 archie users  4096 Jul  5 17:37 Documents
drwxr-xr-x 2 archie users  4096 Jul  5 13:45 Downloads
-rw-rw-r-- 1 archie users  5120 Jun 27 08:28 customers.ods
-rw-r--r-- 1 archie users  3339 Jun 27 08:28 todo
-rwxr-xr-x 1 archie users  2048 Jul  6 12:56 myscript.sh

The first column is what we must focus on. Taking an example value of drwxrwxrwx+, the meaning of each character is explained in the following tables:

d      The file type, technically not part of its permissions. See info ls -n "What information is listed" for an explanation of the possible values.
rwx    The permissions that the owner has over the file, explained below.
rwx    The permissions that the group has over the file, explained below.
rwx    The permissions that all the other users have over the file, explained below.
+      A single character that specifies whether an alternate access method applies to the file. When this character is a space, there is no alternate access method. A . character indicates a file with a security context, but no other alternate access method. A file with any other combination of alternate access methods is marked with a + character, for example in the case of Access Control Lists.

Each of the three permission triads (rwx in the example above) can be made up of the following characters:

Character   Effect on files                 Effect on directories

Read permission (first character)
-           The file cannot be read.        The directory's contents cannot be shown.
r           The file can be read.           The directory's contents can be shown.

Write permission (second character)
-           The file cannot be modified.    The directory's contents cannot be modified.
w           The file can be modified.       The directory's contents can be modified (create new files or folders; rename or delete existing files or folders); requires the execute permission to be also set, otherwise this permission has no effect.

Execute permission (third character)
-           The file cannot be executed.    The directory cannot be accessed with cd.
x           The file can be executed.       The directory can be accessed with cd; this is the only permission bit that in practice can be considered to be "inherited" from the ancestor directories: if any folder in the path does not have the x bit set, the final file or folder cannot be accessed either, regardless of its permissions; see man 7 path_resolution for more information.
s           The setuid bit when found in the user triad; the setgid bit when found in the group triad; it is not found in the others triad; it also implies that x is set.
S           Same as s, but x is not set; rare on regular files, and useless on folders.
t           The sticky bit; it can only be found in the others triad; it also implies that x is set.
T           Same as t, but x is not set; rare on regular files, and useless on folders.

See info Coreutils -n "Mode Structure" and man 1 chmod for more details.

Examples

Let us see some examples to clarify:

drwx------ 6 archie users  4096 Jul  5 17:37 Documents

Archie has full access to the Documents directory. He can list its contents, create files, and rename or delete any file in Documents, regardless of that file's permissions. His ability to access a file's contents depends on the file's own permissions.

dr-x------ 6 archie users  4096 Jul  5 17:37 Documents

Archie has full access except that he cannot create, rename or delete any file. He can list the files and (if the file's permissions allow) may access an existing file in Documents.

d-wx------ 6 archie users  4096 Jul  5 17:37 Documents

Archie cannot run ls in Documents, but if he knows the name of an existing file then he may list, rename, delete or (if the file's permissions allow him to) access it. He is also able to create new files.

d--x------ 6 archie users  4096 Jul  5 17:37 Documents

Archie can only access (if the file's permissions allow him to) those files in Documents whose names he knows. He cannot list existing files, nor create, rename or delete any of them.

Keep in mind that this section elaborates on directory permissions, which have nothing to do with the individual file permissions. When you create a new file, it is the directory that changes; that is why you need write permission on the directory.

Let us look at another example, this time of a file, not a directory:

-rw-r--r-- 1 archie users  5120 Jun 27 08:28 foobar

Here we can see the first letter is not d but -. So we know it is a file, not a directory. Next, the owner's permissions are rw-, so the owner has the ability to read and write but not execute. It may seem odd that the owner does not have all three permissions, but the x permission is not needed as it is a text/data file, to be read by a text editor such as Gedit or Emacs, or by software like R, and not an executable in its own right (if it contained something like Python code, it very well could be). The group's permissions are set to r--, so the group has the ability to read the file but not write/edit it in any way; it is essentially like setting something to read-only. We can see that the same permissions apply to everyone else as well.

Changing permissions

chmod is a command in Linux and other Unix-like operating systems that allows one to change the permissions (or access mode) of a file or directory.

Text method

To change the permissions — or access mode — of a file, use the chmod command in a terminal. Below is the command's general structure:

chmod who=permissions filename

Where who is any from a range of letters, each signifying who is being given the permission. They are as follows:

  • u: the user that owns the file.
  • g: the group that the file belongs to.
  • o: the other users, i.e. everyone else.
  • a: all of the above; use this instead of typing ugo.

The permissions are the same as discussed in #Viewing permissions (r, w and x).

Now have a look at some examples using this command. Suppose you became very protective of the Documents directory and wanted to deny everybody but yourself permission to read, write, and execute (or in this case search/look) in it:

Before: drwxr-xr-x 6 archie users 4096 Jul 5 17:37 Documents

$ chmod g= Documents
$ chmod o= Documents

After: drwx------ 6 archie users 4096 Jul 6 17:32 Documents

Here, because you want to deny permissions, you do not put any letters after the = where permissions would be entered. Now you can see that only the owner's permissions are rwx and all other permissions are -.

This can be reverted with:

Before: drwx------ 6 archie users 4096 Jul 6 17:32 Documents

$ chmod g=rx Documents
$ chmod o=rx Documents

After: drwxr-xr-x 6 archie users 4096 Jul 6 17:32 Documents

In the next example, you want to grant read and execute permissions to the group, and other users, so you put the letters for the permissions (r and x) after the =, with no spaces.

You can simplify this by putting more than one who letter in the same command, e.g.:

$ chmod go=rx Documents

Note: It does not matter in which order you put the who letters or the permission letters in a chmod command: you could have chmod go=rx file or chmod og=xr file. It is all the same.

Now let us consider a second example, suppose you want to change a foobar file so that you have read and write permissions, and fellow users in the group users who may be colleagues working on foobar, can also read and write to it, but other users can only read it:

Before: -rw-r--r-- 1 archie users 5120 Jun 27 08:28 foobar

$ chmod g=rw foobar

After: -rw-rw-r-- 1 archie users 5120 Jun 27 08:28 foobar

This is exactly like the first example, but with a file, not a directory, and you grant write permission (just so as to give an example of granting every permission).

Text method shortcuts

The chmod command lets you add and subtract permissions from an existing set using + or - instead of =. This is different from the above commands, which essentially re-write the permissions (e.g. to change a permission from r-- to rw-, you still need to include r as well as w after the = in the chmod command invocation; if you left out r, it would take away the r permission, as the permissions are being re-written with the =. Using + and - avoids this by adding to or taking away from the current set of permissions).

Let us try this + and - method with the previous example of adding write permissions to the group:

Before: -rw-r--r-- 1 archie users 5120 Jun 27 08:28 foobar

$ chmod g+w foobar

After: -rw-rw-r-- 1 archie users 5120 Jun 27 08:28 foobar

Another example, denying write permissions to all (a):

Before: -rw-rw-r-- 1 archie users 5120 Jun 27 08:28 foobar

$ chmod a-w foobar

After: -r--r--r-- 1 archie users 5120 Jun 27 08:28 foobar

A different shortcut is the special X mode: this is not an actual file mode, but it is often used in conjunction with the -R option to set the executable bit only for directories, and leave it unchanged for regular files, for example:

$ chmod -R a+rX ./data/

Copying permissions

It is possible to tell chmod to copy the permissions from one class, say the owner, and give those same permissions to the group or even to all. To do this, instead of putting r, w, or x after the =, put another who letter, e.g.:

Before: -rw-r--r-- 1 archie users 5120 Jun 27 08:28 foobar

$ chmod g=u foobar

After: -rw-rw-r-- 1 archie users 5120 Jun 27 08:28 foobar

This command essentially translates to "change the permissions of group (g=) to be the same as the owning user (=u)". Note that you cannot copy a set of permissions as well as grant new ones, e.g.:

$ chmod g=wu foobar

In that case chmod throws an error.

Numeric method

chmod can also set permissions using numbers.

Using numbers is another method which allows you to edit the permissions for all three of owner, group, and others at the same time. The basic structure of the command is this:

$ chmod xxx filename

Where xxx is a 3-digit number where each digit can be anything from 0 to 7. The first digit applies to permissions for owner, the second digit applies to permissions for group, and the third digit applies to permissions for all others.

In this number notation, the values r, w, and x have their own number value:

r=4
w=2
x=1

To come up with a 3-digit number you need to consider what permissions you want owner, group, and others to have, and then total their values up. For example, if you want to grant the owner of a directory read, write and execute permissions, and you want group and everyone else to have just read and execute permissions, you would come up with the numerical values like so:

  • Owner: rwx=4+2+1=7
  • Group: r-x=4+0+1=5
  • Other: r-x=4+0+1=5

$ chmod 755 filename

This is the equivalent of using the following:

$ chmod u=rwx filename
$ chmod go=rx filename

Most directories are set to 755 to allow reading, writing and execution to the owner, but deny writing to everyone else, and files are normally 644 to allow reading and writing for the owner but just reading for everyone else; refer to the earlier note on the lack of x permissions on non-executable files: it is the same thing here.

To see this in action with examples consider the previous example that has been used but with this numerical method applied instead:

Before: -rw-r--r-- 1 archie users 5120 Jun 27 08:28 foobar

$ chmod 664 foobar

After: -rw-rw-r-- 1 archie users 5120 Jun 27 08:28 foobar

If this were an executable the number would be 774 if you wanted to grant executable permission to the owner and group. Alternatively if you wanted everyone to only have read permission the number would be 444. Treating r as 4, w as 2, and x as 1 is probably the easiest way to work out the numerical values for using chmod xxx filename, but there is also a binary method, where each permission has a binary number, and then that is in turn converted to a number. It is a bit more convoluted, but here included for completeness.

Consider this permission set:

-rwxrwxr-x

If you put a 1 under each permission granted, and a 0 for every one not granted, the result would be something like this:

-rwxrwxr-x
 111111101

You can then convert these binary numbers:

000=0	    100=4
001=1	    101=5
010=2	    110=6
011=3	    111=7

The value of the above would therefore be 775.

Consider we wanted to remove the writable permission from group:

-rwxr-xr-x
 111101101

The value would therefore be 755 and you would use chmod 755 filename to remove the writable permission. You will notice you get the same three-digit number no matter which method you use. Whether you use text or numbers will depend on personal preference and typing speed. When you want to restore a directory or file to default permissions, i.e. read, write (and execute) permission for the owner but no write permission for everyone else, it may be faster to use chmod 755 directory or chmod 644 filename. However, if you are changing the permissions to something out of the norm, it may be simpler and quicker to use the text method rather than converting to numbers, which may lead to a mistake. It could be argued that there is no significant difference in the speed of either method for a user that only needs to use chmod on occasion.
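As an added example (not code from the article), two POSIX sh functions that carry out the conversion described above in both directions. They go beyond the three-digit case in the text: the s/S/t/T special bits from the table in Viewing permissions are reported as a leading fourth digit, and a trailing + or . alternate-access marker is ignored.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: convert between the symbolic mode
# that ls -l prints and the octal number that chmod accepts. Plain POSIX sh.

# mode_to_octal MODE
#   MODE is the nine permission characters (rwxr-xr-x), optionally preceded by
#   the file-type character and followed by a + or . marker, exactly as in the
#   first column of ls -l. Prints e.g. 755, or 4755 when special bits are set.
mode_to_octal() {
    m=${1%[+.]}                       # drop a trailing alternate-access marker
    case ${#m} in
        10) m=${m#?} ;;               # drop the file-type character (d, -, l, ...)
        9)  ;;
        *)  printf 'bad mode: %s\n' "$1" >&2; return 1 ;;
    esac
    special=0 digits="" pos=1
    for who in u g o; do
        r=$(printf %s "$m" | cut -c "$pos")
        w=$(printf %s "$m" | cut -c "$((pos + 1))")
        x=$(printf %s "$m" | cut -c "$((pos + 2))")
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case $x in x|s|t) v=$((v + 1)) ;; esac    # s and t imply x
        # setuid (4) lives in the user triad, setgid (2) in the group triad,
        # sticky (1) in the others triad; upper case means the bit without x.
        case "$who$x" in
            us|uS) special=$((special + 4)) ;;
            gs|gS) special=$((special + 2)) ;;
            ot|oT) special=$((special + 1)) ;;
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    [ "$special" -ne 0 ] && printf '%s' "$special"
    printf '%s\n' "$digits"
}

# octal_to_mode NUMBER
#   NUMBER is 3 digits (644) or 4 digits with the special bits first (4755).
#   Prints the nine permission characters, e.g. rwsr-xr-x.
octal_to_mode() {
    n=$1
    case ${#n} in
        3) special=0;        perms=$n ;;
        4) special=${n%???}; perms=${n#?} ;;
        *) printf 'bad octal mode: %s\n' "$1" >&2; return 1 ;;
    esac
    out="" pos=1
    for who in u g o; do
        d=$(printf %s "$perms" | cut -c "$pos")
        r=- w=- x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        case $who in u) bit=4 ;; g) bit=2 ;; o) bit=1 ;; esac
        if [ $((special & bit)) -ne 0 ]; then
            # Special bit set: s/t when x is also set, S/T (the "useless" form) when not.
            if [ "$who" = o ]; then
                [ "$x" = x ] && x=t || x=T
            else
                [ "$x" = x ] && x=s || x=S
            fi
        fi
        out="$out$r$w$x"
        pos=$((pos + 1))
    done
    printf '%s\n' "$out"
}

# Stand-alone demonstration using modes from the article.
for m in -rwxr-xr-x -rw-rw-r-- drwxrwxrwt -rwsr-xr-x drwxrwxrwx+; do
    printf '%-12s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
for n in 644 755 4755 1777; do
    printf '%-12s -> %s\n' "$n" "$(octal_to_mode "$n")"
done
```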

Bulk chmod

Generally directories and files should not have the same permissions. If it is necessary to bulk modify a directory tree, use find to selectively modify one or the other.

To chmod only directories to 755:

$ find directory -type d -exec chmod 755 {} +

To chmod only files to 644:

$ find directory -type f -exec chmod 644 {} +
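An added example (not from the article) that builds a small constructed directory tree, applies the two find commands above, and contrasts the result with the -R ... X shortcut from the text-method section. It assumes GNU coreutils (stat -c) and a find that supports the -exec ... {} + form; the tree, its names and its starting modes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page. Assumes GNU coreutils (stat -c)
# and a POSIX find with -exec ... {} +.
set -eu

# Create a constructed sample tree under a fresh temporary directory and print
# its path. Names contain spaces on purpose, and one file is a shell script.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sub dir/deeper"
    printf 'hello\n' > "$root/sub dir/a file.txt"
    printf '#!/bin/sh\necho hi\n' > "$root/sub dir/deeper/script.sh"
    printf 'x\n' > "$root/top.txt"
    # Deliberately messy starting state: private directories and script (700),
    # private data files (600).
    chmod 700 "$root" "$root/sub dir" "$root/sub dir/deeper" \
              "$root/sub dir/deeper/script.sh"
    chmod 600 "$root/sub dir/a file.txt" "$root/top.txt"
    printf '%s\n' "$root"
}

# The article's bulk method: 755 on every directory, 644 on every file.
# find hands the matched names to chmod itself, so names with spaces are safe.
# Note that this also strips the execute bit from script.sh.
fix_tree_find() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# The X shortcut: one recursive chmod that grants execute only to directories
# and to files that already had an execute bit, so script.sh stays executable.
fix_tree_x() {
    chmod -R u=rwX,go=rX "$1"
}

# Octal mode of one entry, e.g. 755.
mode_of() {
    stat -c '%a' "$1"
}

# Print "mode relative-path" for every entry, sorted by path.
list_modes() {
    (cd "$1" && find . -exec stat -c '%a %n' {} + | sort -k2)
}

# Stand-alone demonstration of both approaches on identical trees.
main() {
    t1=$(make_tree); fix_tree_find "$t1"
    echo "== find -type d / -type f =="; list_modes "$t1"
    t2=$(make_tree); fix_tree_x "$t2"
    echo "== chmod -R u=rwX,go=rX =="; list_modes "$t2"
    rm -rf "$t1" "$t2"
}

main "$@"
```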

Changing ownership

chown changes the owner of a file or directory, which is quicker and easier than altering the permissions in some cases.

Consider the following example, making a new partition with GParted for backup data. GParted does all of this as root, so everything belongs to root. This is all well and good, but when it came to writing data to the mounted partition, permission was denied.

brw-rw---- 1 root disk 8,    9 Jul  6 16:02 sda9
drwxr-xr-x 5 root root    4096 Jul  6 16:01 Backup

As you can see the device in /dev is owned by root, as is where it is mounted (/media/Backup). To change the owner of where it is mounted one can do the following:

Before: drwxr-xr-x 5 root root 4096 Jul 6 16:01 Backup

# chown archie /media/Backup

After: drwxr-xr-x 5 archie root 4096 Jul 6 16:01 Backup

Now backup data can be written to the partition: instead of altering the permissions, the owner has been changed to the user archie, and the owner already has rwx permissions. Alternatives would be to alter the permissions for everyone else (undesirable, as it is a backup partition) or to add the user to the group root.

Access Control Lists

Access Control Lists provide an additional, more flexible permission mechanism for file systems by allowing permissions to be set for any user or group on any file.

File attributes

Apart from the file mode bits that control user and group read, write and execute permissions, several file systems support file attributes that enable further customization of allowable file operations. This section describes some of these attributes and how to work with them.

Warning: By default, file attributes are not preserved by cp, rsync, and other similar programs.

chattr and lsattr

For ext2 and ext3 file systems, the e2fsprogs package contains the programs lsattr and chattr that list and change a file's attributes, respectively. Though some are not honored by all file systems, the available attributes are:

  • a: append only
  • c: compressed
  • d: no dump
  • e: extent format
  • i: immutable
  • j: data journalling
  • s: secure deletion
  • t: no tail-merging
  • u: undeletable
  • A: no atime updates
  • C: no copy on write
  • D: synchronous directory updates
  • S: synchronous updates
  • T: top of directory hierarchy

For example, if you want to set the immutable bit on some file, use the following command:

# chattr +i /path/to/file

To remove an attribute on a file just change + to -.

Extended attributes

From attr(5): "Extended attributes are name:value pairs associated permanently with files and directories". There are four extended attribute classes: security, system, trusted and user.

Warning: By default, extended attributes are not preserved by cp, rsync, and other similar programs.

User extended attributes

User extended attributes can be used to store arbitrary information about a file. To create one:

$ setfattr -n user.checksum -v "3baf9ebce4c664ca8d9e5f6314fb47fb" foo.bar

Use getfattr to display extended attributes:

$ getfattr -d foo.bar
# file: foo.bar
user.checksum="3baf9ebce4c664ca8d9e5f6314fb47fb"

Capabilities

Extended attributes are also used to set Capabilities.

Tips and tricks

Preserve root

Use the --preserve-root flag to prevent chmod from acting recursively on /. This can, for example, prevent one from removing the executable bit systemwide and thus breaking the system. To use this flag every time, set it within an alias. See also [1].

See also