Re: your mail
On Wed, 28 Aug 1996, Ira Abramov wrote:
>On Wed, 28 Aug 1996, Marc A. Volovic wrote:
>> On Wed, 28 Aug 1996, borik the Boris Yati Beletsky wrote:
>>> so i am looking for permissions howto ( chmod <n> )
>>
>> Look in almost _ANY_ book on system administration or system programming.
>no, he is right, it IS a problem. I have looked it up many times and
>nobody on Unix Unleashed, Linux Networking, Unix admins for dummies and
>all the rest, REALLY explains the sticky bit, or what a sgid bit on a
>directory does... all from asking Army unix gurus (I didn't know you
>University smarties at the time!)
From the Solaris man pages for chmod(1) and chmod(2). It is a bit
long and, of course, copyright of Sun Microsystems.
I would prefer Linux over Solaris/x86 any time of the day, but some of
the Sun man pages are quite good. Their AnswerBooks are also quite
pleasant to use, though often superficial.
-----------------------------------
chmod(1) User Commands chmod(1)
NAME
chmod - change the permissions mode of a file
SYNOPSIS
chmod [ -fR ] <absolute-mode> file...
chmod [ -fR ] <symbolic-mode-list> file...
AVAILABILITY
SUNWcsu
DESCRIPTION
chmod changes or assigns the mode of a file. The mode of a
file specifies its permissions and other attributes. The
mode may be absolute or symbolic.
Absolute mode
An absolute mode is specified using octal numbers:
chmod nnnn file ...
where:
n a number from 0 to 7. An absolute mode is
constructed from the OR of any of the following modes:
4000 Set user ID on execution.
20#0 Set group ID on execution if # is
7, 5, 3, or 1.
Enable mandatory locking if # is 6,
4, 2, or 0.
For directories, files are created
with BSD semantics for propagation
of the group ID. With this option,
files and subdirectories created in
the directory inherit the group ID
of the directory, rather than of
the current process. It may be
cleared only by using symbolic
mode.
1000 Turn on sticky bit. See chmod(2).
0400 Allow read by owner.
0200 Allow write by owner.
0100 Allow execute (search in directory)
by owner.
0700 Allow read, write, and execute
(search) by owner.
0040 Allow read by group.
0020 Allow write by group.
0010 Allow execute (search in directory)
by group.
0070 Allow read, write, and execute
(search) by group.
0004 Allow read by others.
0002 Allow write by others.
0001 Allow execute (search in directory)
by others.
0007 Allow read, write, and execute
(search) by others.
Note that the setgid bit cannot be set (or cleared) in absolute
mode; it must be set (or cleared) in symbolic mode using g+s (or g-s).
Symbolic mode
A symbolic mode specification has the following format:
chmod <symbolic-mode-list> file...
where: <symbolic-mode-list> is a comma-separated list (with
no intervening whitespace) of symbolic mode expressions of
the form:
[who] operator [permissions]
Operations are performed in the order given. Multiple permissions
letters following a single operator cause the corresponding
operations to be performed simultaneously.
who zero or more of the characters u, g, o, and a
specifying whose permissions are to be
changed or assigned:
u user's permissions
g group's permissions
o others' permissions
a all permissions (user, group, and
other)
If who is omitted, it defaults to a, but the setting of the file
mode creation mask (see umask in sh(1) or csh(1) for more
information) is taken into account. When who is omitted, chmod
will not override the restrictions of your user mask.
operator either +, -, or =, signifying how permissions
are to be changed:
+ Add permissions.
If permissions is omitted, nothing is added.
If who is omitted, add the file mode bits represented by
permissions, except for those with corresponding bits in the
file mode creation mask.
If who is present, add the file mode bits represented by the
permissions.
- Take away permissions.
If permissions is omitted, do nothing.
If who is omitted, clear the file mode bits represented by
permissions, except for those with corresponding bits in the
file mode creation mask.
If who is present, clear the file mode bits represented by
permissions.
= Assign permissions absolutely.
If who is omitted, clear all file
mode bits; if who is present, clear
the file mode bits represented by
who.
If permissions is omitted, do nothing else.
If who is omitted, add the file mode bits represented by
permissions, except for those with corresponding bits in the
file mode creation mask.
If who is present, add the file mode bits represented by
permissions.
Unlike other symbolic operations, = has an absolute effect in
that it resets all other bits represented by who. Omitting
permissions is useful only with = to take away all permissions.
permission
any compatible combination of the following
letters:
r read permission
w write permission
x execute permission
l mandatory locking
s user or group set-ID
t sticky bit
u,g,o indicate that permission is to be
taken from the current user, group
or other mode respectively.
Permissions to a file may vary depending on your user
identification number (UID) or group identification number
(GID). Permissions are described in three sequences each having
three characters:
User Group Other
rwx rwx rwx
This example (user, group, and others all
have permission to read, write, and execute a
given file) demonstrates two categories for
granting permissions: the access class and
the permissions themselves.
The letter s is only meaningful with u or g,
and t only works with u.
Mandatory file and record locking (l) refers
to a file's ability to have its reading or
writing permissions locked while a program is
accessing that file.
In a directory which has the set-group-ID bit set (reflected as
either -----s--- or -----l--- in the output of 'ls -ld'), files
and subdirectories are created with the group-ID of the parent
directory, not that of the current process.
It is not possible to permit group execution and enable a file
to be locked on execution at the same time. In addition, it is
not possible to turn on the set-group-ID bit and enable a file
to be locked on execution at the same time. The following
examples, therefore, are invalid and elicit error messages:
chmod g+x,+l file
chmod g+s,+l file
Only the owner of a file or directory (or the
super-user) may change that file's or
directory's mode. Only the super-user may
set the sticky bit on a non-directory file.
If you are not super-user, chmod will mask
the sticky-bit but will not return an error.
In order to turn on a file's set-group-ID
bit, your own group ID must correspond to the
file's and group execution must be set.
OPTIONS
The following options are supported:
-f Force. chmod will not complain if it fails to
change the mode of a file.
-R Recursively descend through directory arguments,
setting the mode for each file as described above.
When symbolic links are encountered, the mode of
the target file is changed, but no recursion takes
place.
OPERANDS
The following operands are supported:
mode Represents the change to be made to the file mode
bits of each file named by one of the file
operands; see DESCRIPTION.
file A path name of a file whose file mode bits are to
be modified.
EXAMPLES
Deny execute permission to everyone:
example% chmod a-x file
Allow only read permission to everyone:
example% chmod 444 file
Make a file readable and writable by the group and others:
example% chmod go+rw file
example% chmod 066 file
Cause a file to be locked during access:
example% chmod +l file
Allow everyone to read, write, and execute the file and turn
on the set group-ID.
example% chmod a=rwx,g+s file
example% chmod 2777 file
ENVIRONMENT
See environ(5) for descriptions of the following environment
variables that affect the execution of chmod: LC_CTYPE,
LC_MESSAGES, and NLSPATH.
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
SEE ALSO
ls(1), chmod(2), environ(5)
NOTES
Absolute changes don't work for the set-group-ID bit of a
directory. You must use g+s or g-s.
chmod permits you to produce useless modes so long as they are
not illegal (for instance, making a text file executable). chmod
does not check the file type to see if mandatory locking is
meaningful.
If the filesystem is mounted with the nosuid option, setuid
execution is not allowed.
----------------------------------------------------
chmod(2) System Calls chmod(2)
NAME
chmod, fchmod - change access permission mode of file
SYNOPSIS
#include <sys/types.h>
#include <sys/stat.h>
int chmod(const char *path, mode_t mode);
int fchmod(int fildes, mode_t mode);
MT-LEVEL
chmod() is Async-Signal-Safe
DESCRIPTION
chmod() and fchmod() set the access permission portion of the
mode of the file whose name is given by path or referenced by
the open file descriptor fildes to the bit pattern contained in
mode. Access permission bits are interpreted as follows:
S_ISUID 04000 Set user ID on execution.
S_ISGID 020#0 Set group ID on execution
if # is 7, 5, 3, or 1.
Enable mandatory file/record locking
if # is 6, 4, 2, or 0.
S_ISVTX 01000 Save text image after execution.
S_IRWXU 00700 Read, write, execute by owner.
S_IRUSR 00400 Read by owner.
S_IWUSR 00200 Write by owner.
S_IXUSR 00100 Execute (search if a directory) by
owner.
S_IRWXG 00070 Read, write, execute by group.
S_IRGRP 00040 Read by group.
S_IWGRP 00020 Write by group.
S_IXGRP 00010 Execute by group.
S_IRWXO 00007 Read, write, execute (search) by others.
S_IROTH 00004 Read by others.
S_IWOTH 00002 Write by others.
S_IXOTH 00001 Execute by others.
Modes are constructed by OR'ing the access permission bits.
The effective user ID of the process must match the owner of
the file or the process must have the appropriate privilege
to change the mode of a file.
If the process is not a privileged process and the file is not a
directory, mode bit 01000 (save text image on execution) is
cleared.
If neither the process is privileged, nor the file's group is a
member of the process's supplementary group list, and the
effective group ID of the process does not match the group ID of
the file, mode bit 02000 (set group ID on execution) is cleared.
If a directory is writable and has S_ISVTX (the sticky bit)
set, files within that directory can be removed or renamed
only if one or more of the following is true (see unlink(2)
and rename(2)):
o the user owns the file
o the user owns the directory
o the file is writable by the user
o the user is a privileged user
If a directory has the set group ID bit set, a given file
created within that directory will have the same group ID as
the directory, if that group ID is part of the group ID set
of the process that created the file. Otherwise, the newly
created file's group ID will be set to the effective group
ID of the creating process.
If the mode bit 02000 (set group ID on execution) is set and
the mode bit 00010 (execute or search by group) is not set,
mandatory file/record locking will exist on a regular file.
This may affect future calls to open(2), creat(2), read(2),
and write(2) on this file.
Upon successful completion, chmod() and fchmod() mark for
update the st_ctime field of the file.
RETURN VALUES
Upon successful completion, a value of 0 is returned. Otherwise,
a value of -1 is returned and errno is set to indicate the error.
ERRORS
chmod() will fail and the file mode will be unchanged if one
or more of the following are true:
EACCES Search permission is denied on a component of the
path prefix of path.
EFAULT path points to an illegal address.
EINTR A signal was caught during execution of
the function.
EIO An I/O error occurred while reading from
or writing to the file system.
ELOOP Too many symbolic links were encountered
in translating path.
EMULTIHOP Components of path require hopping to
multiple remote machines and file system
type does not allow it.
ENAMETOOLONG The length of the path argument exceeds {PATH_MAX},
or the length of a path component exceeds {NAME_MAX}
while {_POSIX_NO_TRUNC} is in effect.
ENOENT Either a component of the path prefix,
or the file referred to by path does not
exist or is a null pathname.
ENOLINK fildes points to a remote machine and
the link to that machine is no longer
active.
ENOTDIR A component of the prefix of path is not
a directory.
EPERM The effective user ID does not match the
owner of the file and is not super-user.
EROFS The file referred to by path resides on
a read-only file system.
fchmod() will fail and the file mode will be unchanged if:
EBADF fildes is not an open file descriptor
EIO An I/O error occurred while reading from
or writing to the file system.
EINTR A signal was caught during execution of
the fchmod() function.
ENOLINK path points to a remote machine and the
link to that machine is no longer
active.
EPERM The effective user ID does not match the
owner of the file and the process does
not have appropriate privilege.
EROFS The file referred to by fildes resides
on a read-only file system.
SEE ALSO
chmod(1), chown(2), creat(2), fcntl(2), mknod(2), open(2),