
Classic Shell Scripting - Arnold Robbins [240]

only 16 bits for each, giving a total of 2^16 = 65,536 values. Newer Unix systems allow 32-bit identifiers, but unfortunately, many of them impose additional Draconian restrictions that sharply limit the number of identifiers to many fewer than the hundreds of thousands to millions required by large organizations.

Permissions

Unix filesystem permissions are of three types: read, write, and execute. Each requires only a single bit in the inode data structure, indicating the presence or absence of the permission. There is one such set for each of user, group, and other. File permissions are shown with the verbose forms of the ls command, and are changed with the chmod command. Because each set of permissions requires only three bits, it can be represented by a single octal [20] digit, and the chmod command accepts either a three or four-octal-digit argument, or a symbolic form.

* * *

chmod


Usage

chmod [ options ] mode file(s)

Major options

-f

Force changes if possible (and don't complain if they fail).

-R

Apply changes recursively through directories.

Purpose

Change file or directory permissions.

Behavior

The mandatory mode argument is either an absolute permission mask of three or four octal digits, or a symbolic one with one or more letters a (all, same as ugo), g (group), o (other), or u (user), followed by = (set), + (add), or - (subtract), followed by one or more of r (read), w (write), or x (execute). Multiple symbolic settings may be given, provided that they are separated by commas. Thus, modes of 755 and u=rwx,go=rx and a=rx,u+w and a=rwx,go-w are equivalent.

Caveats

The recursive form is dangerous: use it with extreme caution! It may take a file-tree restore from backup media to recover from a mistaken application of chmod -R.

* * *

Tip


Some operating systems support additional permissions. One useful permission that Unix does not supply is append permission:[21] it is particularly handy for log files, to ensure that data can only be added to them, but existing data can never be altered. Of course, if such a file can be deleted, it could be replaced by a copy with altered data, so append permission may only give the illusion of security.

* * *

Default permissions

A set of default permissions is always applied to newly created files: they are controlled by the umask command, which sets the default when given an argument, and otherwise shows the default. The umask value is three octal digits that represent permissions to be taken away: a common value is 077, which says that the user is given all permissions (read, write, execute), and group and other have them all taken away. The result is that access to newly created files is restricted to just the user who owns them.

It is now time for some experiments with file permissions:

    $ umask                         Show the current permission mask
    2
    $ touch foo                     Create an empty file
    $ ls -l foo                     List information about the file
    -rw-rw-r-- 1 jones devel 0 2002-09-21 16:16 foo
    $ rm foo                        Delete the file
    $ ls -l foo                     List information about the file again
    ls: foo: No such file or directory

Initially, the permission mask is 2 (really 002), meaning that write permission should be removed for other. The touch command simply updates the last-write timestamp of a file, creating it if necessary. The ls -l command is a common idiom for asking for a verbose file listing. It reports a file type of - (ordinary file), and a permission string of rw-rw-r-- (that is, read-write permission for user and group, and read permission for other).

When we re-create the file after changing the mask to 023, to remove write access from the group and write and execute access from other, we see that the permission string is reported as rw-r--r--, with write permissions for group and other removed as expected:

    $ umask 023                     Reset the permission mask
    $ touch foo                     Create an empty file
    $ ls -l foo                     List information about the file
    -rw-r--r-- 1 jones devel 0 2002-09-21 16:16 foo
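The experiment above can be repeated for several masks at once, and for directories as well as files. The script below is an added example, not code from the book: the function names perm_to_octal and mode_under_umask are its own, and it assumes that mktemp -d is available. It shows that the mask is subtracted from the mode the creating program requests (666 for touch, 777 for mkdir), which is why a mask of 023 yields rw-r--r-- for a file but rwxr-xr-- for a directory.

```shell
#!/bin/sh
# Added example (not from the book): modes of newly created files and
# directories under a given umask, read back from ls -l output.

# Convert a 9-character permission string such as rw-r--r-- to octal (644).
perm_to_octal() {
    perms=$1 out=
    while [ -n "$perms" ]; do
        rest=${perms#???}             # everything after the first 3 chars
        triple=${perms%"$rest"}       # the first 3 chars: one of u, g, o
        [ -n "$triple" ] || return 1  # malformed input (length not 3n)
        perms=$rest
        digit=0
        case $triple in r??)      digit=$((digit + 4)) ;; esac
        case $triple in ?w?)      digit=$((digit + 2)) ;; esac
        case $triple in ??[xst])  digit=$((digit + 1)) ;; esac
        out=$out$digit
    done
    printf '%s\n' "$out"
}

# Print the octal mode that a new "file" or "dir" ($2) gets under umask $1.
# Assumption: mktemp -d is available (not POSIX, but near-universal).
mode_under_umask() {
    (   # subshell, so the umask change never leaks into the caller
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT
        umask "$1"
        case $2 in
            file) touch "$tmp/new" ;;   # touch requests mode 666
            dir)  mkdir "$tmp/new" ;;   # mkdir requests mode 777
            *)    exit 2 ;;
        esac
        # Characters 2-10 of ls -l output are the permission string.
        perm_to_octal "$(ls -ld "$tmp/new" | cut -c2-10)"
    )
}

# The masks used on this page: 002 (initial), 023 (experiment), 077 (private).
for mask in 002 023 077; do
    printf 'umask %s: file %s, directory %s\n' "$mask" \
        "$(mode_under_umask "$mask" file)" "$(mode_under_umask "$mask" dir)"
done
```

Wrapping the umask change in a subshell, as mode_under_umask does, is also the usual way for a script to create one private file without altering the mask for everything that runs after it.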

Permissions in action

What about the execute permission?
