7.2 File Mode



We can set access rights on every file and directory at three levels: the owner, the group users and the other users.

Each level has three access rights (readable/writable/executable). These access rights are called the file mode and can be changed with the chmod command.

7.2.1 File Mode

The file mode consists of three access rights (readable/writable/executable). We can apply them to the owner, the group users and the other users separately.

The 1st column of the output of the ls command with the -l option shows this file mode. The characters of the 1st column mean the following.

Figure 7-1: File Mode


 1st character           directory(d), symbolic(l) and file(-)
 2nd to 4th characters   Owner's access rights (read/write/execute) (rwx)
 5th to 7th characters   Access rights of group users except owner (rwx)
 8th to 10th characters  Access rights of other users (rwx)

Table 7-1: Meanings of File Mode by columns

 r  Readable
 w  Writable
 x  eXecutable (if directory, can go into its directory)

Table 7-2: Meanings of RWX

rwx can be applied to the owner, the group users and the other users. 'r' means readable, 'w' means writable and 'x' means executable. For a directory, 'x' allows the specified user to move into that directory.


Practice : Check File Mode


Please check file mode of a file. Please check file mode of system directory.


$ ls -l .bashrc ↵
-rw-r--r-- 1 penguin linux 124 Feb 6 02:44 .bashrc # owner can read/write, group/other can read only
$ ls -l /usr ↵
Total 272    # all users can read/execute everything under /usr, but only the owner (root) can write to it.
drwxr-xr-x 3 root root 4096 Feb 6 01:45 X11R6
drwxr-xr-x 2 root root 4096 Feb 8 13:07 arc
drwxr-xr-x 2 root root 69632 Feb 9 04:02 bin
drwxr-xr-x 2 root root 4096 Mar 30 2007 etc
drwxr-xr-x 2 root root 4096 Mar 30 2007 games
drwxr-xr-x 84 root root 12288 Feb 6 02:04 include
drwxr-xr-x 6 root root 4096 Nov 11 11:39 kerberos
drwxr-xr-x 108 root root 69632 Feb 7 11:41 lib
drwxr-xr-x 13 root root 4096 Feb 9 04:02 libexec
drwxr-xr-x 11 root root 4096 Feb 6 01:43 local
drwxr-xr-x 2 root root 16384 Feb 7 11:41 sbin
drwxr-xr-x 226 root root 12288 Feb 6 02:05 share
drwxr-xr-x 5 root root 4096 Feb 6 08:52 src
lrwxrwxrwx 1 root root 10 Feb 6 01:43 tmp -> ../var/tmp


7.2.2 Change File Mode

The chmod command is used for changing the file mode.

Format

chmod mode[,mode]... directory
chmod mode[,mode]... file
chmod mode_by_octal_number directory
chmod mode_by_octal_number file


This command sets the file mode for owner, group users and other users.

There are two ways to specify the file mode: as a symbolic mode or as an octal number.

Options

-R
This option is for directories. The directories and files in a specified directory are changed recursively.


Figure 7-2: Mode setting by octal value


The symbolic mode format combines three types of users (u: owner, g: group users, o: other users), three access rights (r: readable, w: writable, x: executable) and an operation (+: add, -: delete). If you want to specify all types of users, you can use the character 'a'.


Practice: Change File Mode


First, check the file mode of user's file. Next, change the file mode and check it again.

If you want to change "-rw-r--r--" to "-rw-rw-r--", specify "g+w" to add the writable access right for group users. If you want to change "-rw-rw-r--" to "--w-rw-rw-", specify "u-r,o+w" to remove the readable access right from the owner and to add the writable access right for other users.

If you want to change "--w-rw-rw-" to "--w-rwxrwx", specify "go+x" to add the executable access right for group users and other users.


$ touch chownfile ↵          Create a file.
$ chmod u+rw-x,go+r-wx chownfile ↵ Change file mode to 'rw-r--r--'
$ ls -l chownfile ↵          Display file mode
-rw-r--r-- 1 penguin lpic 124 Mar 27 19:09 chownfile
$ chmod g+w chownfile ↵       Add writable right(w) to group users
$ ls -l chownfile ↵          Display file mode
-rw-rw-r-- 1 penguin lpic 124 Mar 27 19:09 chownfile
$ chmod u-r,o+w chownfile ↵  Remove readable right(r) from owner, add writable right(w) to other users
$ ls -l chownfile ↵          Display file mode
--w-rw-rw- 1 penguin lpic 124 Mar 27 19:09 chownfile
$ chmod go+x chownfile ↵    Add executable right(x) to group users and other users
$ ls -l chownfile ↵          Display file mode
--w-rwxrwx 1 penguin lpic 124 Mar 27 19:09 chownfile


Practice : Change File Mode by octal number


First, check the file mode of user's file. Next, change the file mode and check it again.

If you want to set access right to "rw-r--r--(644 by octal)", you specify "644".

If you want to set access right to "rw-rw-r-- (664 by octal)", you specify "664".

If you want to set access right to "--w-rw-rw- (266 by octal)", you specify "266".


$ touch chownfile ↵          Create a file.
$ chmod u+rw-x,go+r-wx chownfile ↵    Change file mode to 'rw-r--r--'
$ ls -l chownfile ↵          Display file mode
-rw-r--r-- 1 penguin lpic 124 Mar 27 19:09 chownfile
$ chmod 664 chownfile ↵          Change file mode to 664
$ ls -l chownfile ↵          Display file mode
-rw-rw-r-- 1 penguin lpic 124 Mar 27 19:09 chownfile
$ chmod 266 chownfile ↵          Change file mode to 266
$ ls -l chownfile ↵          Display file mode
--w-rw-rw- 1 penguin lpic 124 Mar 27 19:09 chownfile
$ chmod 277 chownfile ↵          Change file mode to 277
$ ls -l chownfile ↵          Display file mode
--w-rwxrwx 1 penguin lpic 124 Mar 27 19:09 chownfile


The file mode also has three special attributes called the setuid bit, the setgid bit and the sticky bit. If a program has the setuid bit, it executes as if it were run by the file owner. If a program has the setgid bit, it executes as if it were run by the group users. For example, if a program owned by root has the setuid bit, it executes as if it were run by the root user even when a general user runs it.

If a program has the sticky bit, it remains in memory after running, because nobody except the owner can get rid of it. On current Linux systems the sticky bit is used mainly on shared directories such as /tmp, where it prevents users from deleting or renaming files they do not own.

The setuid bit and the setgid bit are enabled with +s and disabled with -s. The sticky bit is enabled with +t and disabled with -t.


Practice: Change and Check setuid, setgid, and sticky bits


Let's change and check setuid bit, setgid bit and sticky bit by using user file.



$ touch idbitfile ↵            Create a file.
$ chmod u+rw-x,go+r-wx idbitfile ↵    Change file mode to 'rw-r--r--'
$ ls -l idbitfile ↵            Display file mode of idbitfile
-rw-r--r-- 1 penguin lpic 0 Mar 28 07:58 idbitfile
$ chmod u+s idbitfile ↵            Add setuid bit
$ ls -l idbitfile ↵            Display file mode of idbitfile
-rwSr--r-- 1 penguin lpic 0 Mar 28 07:58 idbitfile
$ chmod u-s,g+s idbitfile ↵            Remove setuidbit, and add setgid bit
$ ls -l idbitfile ↵            Display file mode of idbitfile
-rw-r-Sr-- 1 penguin lpic 0 Mar 28 07:58 idbitfile
$ chmod +t idbitfile ↵            Add sticky bit
$ ls -l idbitfile ↵            Display file mode of idbitfile
-rw-r-Sr-T 1 penguin lpic 0 Mar 28 07:58 idbitfile
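
The mode column shown in the practices above can be decoded back into the octal value that chmod accepts, including the setuid, setgid and sticky bits. The following is an added example, not part of the original text; the function names triad_value and mode_to_octal are hypothetical, and the sample strings are the ones printed in the sessions above.

```shell
#!/bin/sh
# Decode the 10-character mode column of `ls -l` into chmod's octal form.

# triad_value RWX -> value (0-7) of one three-character group.
# Lowercase s/t: special bit set AND execute set.
# Uppercase S/T: special bit set, execute NOT set (as on idbitfile above).
triad_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_to_octal MODE -> four octal digits: special, owner, group, other.
mode_to_octal() {
    m=$1
    case $m in
        ?[-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "not an ls -l mode string: $m" >&2; return 1 ;;
    esac
    u=$(printf %s "$m" | cut -c2-4)    # owner
    g=$(printf %s "$m" | cut -c5-7)    # group users
    o=$(printf %s "$m" | cut -c8-10)   # other users
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # setuid bit
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # setgid bit
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky bit
    echo "$special$(triad_value "$u")$(triad_value "$g")$(triad_value "$o")"
}

# Mode strings taken from the practice sessions on this page.
for s in -rw-r--r-- -rw-rw-r-- --w-rw-rw- --w-rwxrwx -rwSr--r-- -rw-r-Sr-T; do
    printf '%s  %s\n' "$s" "$(mode_to_octal "$s")"
done
```

A leading digit other than 0 in the result means a special bit is set, which is the first thing to look for when reviewing the permissions of programs owned by root.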


7.2.3 File Creation Mode

We can restrict the file mode given to newly created files. The umask command, an internal command of the shell, restricts the mode of a file at creation.

Format

umask [mode_mask_by_octal_number]


The umask command displays or sets the mask value that restricts the file mode when a file is created. If no value is specified, the current mask value is displayed.

To set the mask, specify it as an octal number. The mode of the created file is the result of an AND operation between the inverted mask and the mode requested at file creation.

Figure 7-3: umask and Actual mode of created file


Practice: Change umask and create files


After checking umask, please make a file.

After setting umask to 070, please make a file.

After setting umask to 072, please make a file.

Finally, please check the mode of the created files.


$ umask ↵    Display current mask value
0022
$ touch umask0022 ↵    Make a file
$ umask 070 ↵       Change mask value into 070
$ touch umask0070 ↵    Make a file
$ umask 072 ↵       Change mask value into 072
$ touch umask0072 ↵    Make a file
$ ls -l umask00* ↵    Check mode of the created file
-rw-r--r-- 1 penguin lpic 0 Mar 22 13:49    umask0022
-rw----rw- 1 penguin lpic 0 Mar 22 13:50    umask0070
-rw----r-- 1 penguin lpic 0 Mar 22 13:50    umask0072


Although the touch command tried to make each file with mode 0666, the files were created with the modes shown above because of umask.

When displaying or setting the mask, we can use a human-readable form instead of octal numbers by using the -S option.


$ umask -S↵       Display current mask value
u=rwx,g=rx,o=rx
$ touch umask0022 ↵       Make a file
$ umask -S u=rwx,g=,o=rwx ↵       Change mask value into 070
u=rwx,g=,o=rwx
$ touch umask0070 ↵       Make a file
$ ls -l umask00* ↵       Check mode of the created file
-rw-r--r-- 1 penguin lpic 0 Mar 22 13:49 umask0022
-rw----rw- 1 penguin lpic 0 Mar 22 13:50 umask0070


Don't forget that the effect of the umask command is limited to the shell which executed it. The default mask is normally set up in the login shell's startup files, such as .bashrc.
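
The AND rule and the per-shell scope described above can be checked together. The following is an added example, not part of the original text: the function names are hypothetical, `stat -c` assumes GNU coreutils (or BusyBox), and mask 077 is an extra value beyond the ones used in the practice.

```shell
#!/bin/sh
# expected_mode MASK [REQUESTED] -> REQUESTED AND (NOT MASK), in octal.
# REQUESTED defaults to 666, the mode touch asks for.
expected_mode() {
    printf '%03o\n' $(( 0${2:-666} & ~0$1 & 0777 ))
}

# actual_mode MASK -> create a file under MASK and print the mode it really got.
# The parentheses run everything in a subshell, so the umask set here
# disappears when the function returns.
actual_mode() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        touch "$dir/f"
        printf '%03o\n' "0$(stat -c %a "$dir/f")"
        rm -rf "$dir"
    )
}

# parent_umask_unchanged MASK -> succeeds if the calling shell's mask
# is the same before and after actual_mode ran with MASK.
parent_umask_unchanged() {
    before=$(umask)
    actual_mode "$1" >/dev/null
    [ "$(umask)" = "$before" ]
}

for mask in 022 070 072 077; do
    printf 'umask %s: expected %s, actual %s\n' \
        "$mask" "$(expected_mode "$mask")" "$(actual_mode "$mask")"
done
parent_umask_unchanged 077 && echo "mask of this shell is still $(umask)"
```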

