Table 4-14. Relative symbolic notation used by chmod
| Notation | Description |
|---|---|
| u+w | Adds write permission for the user. |
| o-rwx | Removes read, write, and execute permission for others. |
| ug+r,o-r | Adds read permission for the user and the group; removes read permission for others. |
| a-x, ugo-x | Removes execute permission for all users. |
| u=rw,go=r | Sets exactly read and write permission for the user, and only read permission for group and others. The difference between = and + is that = will disable other permissions (such as execute for the user in this example), while + will leave other permissions at their previous value. |
Special permissions are specified based on their appearance in ls -l output:
SUID is specified as u+s .
SGUID is specified as g+s .
Sticky is specified as o+t .
Octal notation uses a multidigit number, where each digit represents one community (in u g o order). The digit is the sum of values representing each enabled permission:
4 for read permission
2 for write permission
1 for execute permission
Therefore, the octal permission 764 represents read/write/execute for the user (4+2+1=7), read/write for the group (4+2=6), and read for others (4): rwxrw-r-- .
When using octal notation, special permissions are given as a fourth digit placed in front of the others; the value of this fourth digit is the sum of 4 for SUID, 2 for SGID, and 1 for Sticky. Octal permission 2770 represents rwxrws--- .
To change a permission with chmod , specify the permission as the first argument and one or more filenames as the remaining arguments:
$ ls -l oreilly
-rw-rw-r-- 1 chris chris 40 Oct 12 17:18 oreilly
$ chmod g-w,o= oreilly
$ ls -l oreilly
-rw-r----- 1 chris chris 40 Oct 12 17:18 oreilly
$ chmod 764 oreilly
$ ls -l oreilly
-rwxrw-r-- 1 chris chris 40 Oct 12 17:18 oreilly
The -R option causes chmod to recursively process subdirectories. To remove write permission for others on all files and subdirectories within your home directory, execute:
$ chmod -R o-w ~
4.8.1.5. Using group permissions
Users can belong to more than one group, which enables documents to be shared according to group roles.
Previously, we used Richard in group examples; he's a member of the groups richard , it , toronto , acmeproposal , christmas , soccer , and audit . Richard's primary group is richard , as that is the group listed in his entry in /etc/passwd . When Richard logs in, the shell starts with its group identity set to the primary group, so any new files or directories created have richard as the group owner.
The group identity can be changed at any time using the newgrp command, and verified with the id command:
richard$ id
uid=503(richard) gid=503(richard) groups=503(richard),504(audit),505(soccer), 506(toronto),511(acmeproposal),512(christmas),608(it)
richard$ newgrp audit
richard$ id
uid=503(richard) gid=504(audit) groups=503(richard),504(audit),505(soccer), 506(toronto),511(acmeproposal),512(christmas),608(it)
The current group identity (also called real group ID ) affects only the creation of files and directories; existing files and directories keep their existing group, and a user can access files accessible to any group to which she belongs.
In this case, Richard can access any file that is readable by, say, the acmeproposal group, even when his current real group ID is audit . However, any files he creates will be owned by the group audit and won't be accessible to the acmeproposal group.
chgrp modifies the group ownership of an existing file. The group name is given as the first argument, and all other arguments are filenames:
$ ls -l report.txt
-rw-r--r-- 1 richard richard 3078 Oct 12 19:35 report.txt
$ chgrp audit report.txt
$ ls -l report.txt
-rw-r--r-- 1 richard audit 3078 Oct 12 19:35 report.txt
A normal user can set the group ownership only to one of the groups to which he belongs, and can change the group ownership only of files that he owns. The root user can set the group ownership of any file to any group. Like chmod , chgrp accepts the -R (recursive) option.
Using chgrp and newgrp is cumbersome. A much better solution is to use the SGID permission on directories, which automatically sets the group ownership.
Richard could create a directory named game_scores in his home directory, change the group ownership to soccer , and change the permission to rwxrws--- :
richard$ mkdir game_scores
richard$ chgrp soccer game_scores
richard$ chmod u=rwx,g=rwxs,o= game_scores
richard$ ls -ld game_scores
drwxrws--- 2 richard soccer 4096 Oct 12 19:46 game_scores
Everyone in the soccer group can access that directory. Because the SGID permission is set, any file created in that directory is automatically owned by the group soccer and can be accessed by other group membersexactly what is needed for collaboration within a group. The SGID permission is automatically applied to any directory created within games_scores , too.