newbie: changing permissions with chmod and octal
date: 1.10.98 original
      8.3.99 updated


What: 'chmod' is a utility to set the mode (chmod = CHange MODe)
      of a file or directory. The 'mode' dictates who on the system
      may access a file. The mode is also known as 'permissions'.

      literal syntax: "Set the mode of that file to..."
                      "What are the permissions on that directory?"

Why: Many people don't fully understand the importance of file permissions
     on a Unix system. Furthermore, using Alpha notation may cause
     incorrect permissions because you are not fully qualifying the 
     permissions of the file, only adding or removing permissions.
     Over time, or via the use of scripts and utilities, these
     permissions can be set to undesirable modes that may not be suitable
     for a secure environment.


Info: CHMOD(1V) is used to change the permissions (mode) of a file or 
      files. Only the owner of a file (or the super-user) may change
      its mode.


Lets start out by looking at a common directory entry in unix. We are 
going to use "ls -alF" to obtain the list. (More on 'ls' in a later file).

-rw-r--r--  1 jericho      2520 Jan  9 09:46 .plan
lrwxrwxrwx  1 root            9 Oct  1 19:42 .rhosts -> /dev/null
drwx------  4 jericho      4096 Jan  9 10:29 bin/
-rw-------  1 jericho      1349 Jan  6 14:49 header.file.2

Above are 4 different kinds of entries we may find. The first part of each 
entry is the file permissions associated with that file. It determines who
can read, write, or execute a file. There are 10 flags for each file, as 
listed below:

---------------------------------------------------     
| ft | ur | uw | ux | gr | gw | gx | or | ow | ox |
---------------------------------------------------

ft - file type. This tells you what kind of 'file' you are listing. Take
into account the word 'file' is vague, and does not necessarily mean "text
file" necessarily. Unix treats everything as a file (directories, links,
etc), and denotes these special permissions to differentiate one from
another. Common file types:

			-       regular file
			d   	directory
			l	symbolic link
			c	character device
			b	block device
			s	socket device

Character devices, Block devices, and Sockets are frequently found in
the /dev directory, and will be talked about later. The kinds
of files we will look at for now are regular files, directories, and take
a brief look at symbolic links.

For the other nine entries, you have different combinations of the following:

	u  =  user			r  =  read
	g  =  group			w  =  write
	o  =  other			x  =  execute

Permissions control access for a file or directory by breaking
it down into three access categories: user, group, and
other.

User: Controlls access for the owner of the file.

Group: Controlls access for all members of the group that
              owns the file.

Other: Controlls access to anyone else on the system,
              regardless of them owning the file or being in a
              group that owns a file.

In the syntax above, read means the ability to read the contents of that
file, write means modifying, removing, or appending to a file, and execute
means 'running' the file (or if it is a directory, the ability to enter it).


      When using chmod to set or change file permissions, there
      are two notations that are recognized:

      Alpha: Use of the + and - operators to change one of
                    the three types of access for each category.
                    r, w, and x which represent read, write and
                    execute respectively. Alpha notation is also known
                    as 'Symbolic Mode'. For example:
                    chmod u+rw,g+r,o+r filename

      Octal: Use of a three or four digit octal number to
                    change the absolute permissions of a file. Using
                    octal notation sets all access permissions each
                    time it is used. Octal notation is also known
                    as 'Absolute Mode'. For example:
                    chmod 644 filename
      

Changing the permissions:	(we will get to the 'why' after this)

Many people that are new to unix will use Alpha representation to change the 
permission of a file. Lets say we have a file called 'readme' with
permissions of  -rw-r--r-- .. that means I (user) can read/write, while
people in the group or other can only read it. Using alpha notation, I
may do the following:

	chmod go-r readme

What we are saying here is to remove the 'read' ability for 'group' and
'other'. That changes the file from   -rw-r--r--  to  -rw------- . If we
were to do:

	chmod go+rx readme

We are now adding read and execute privilege for group and other. So now it 
would go from  -rw-------  to  -rw-r-xr-x . This would make it so even though 
we own the file, we can't execute it ourselves. This little oversight would 
cause us to have to chmod again. While this doesn't sound particularly bad,
consider it from a security standpoint. If an admin uses alpha notation, it 
would be easy for him to overlook permissions that could lead to problems.
Because of the chance for accidentally setting incorrect permissions, it
is a good idea to learn and use Octal Notation whenever possible. Why is it 
called "absolute mode"? Because every time you set the mode of the file,
you are fully qualifying the permissions. Instead of adding or removing 
permissions, you are giving the file its new permissions, as if from scratch.

Instead of the r/w/x and u/g/o method described above, we use numbers
and placement to determine the new mode. Below are the basic modes
and their Octal representation. While this looks like a lot to remember,
I will show how it is actually easier and more efficient than Alpha.

      400    Read by owner.
      200    Write by owner.
      100    Execute (search in directory) by owner.

      040    Read by group.
      020    Write by group.
      010    Execute (search) by group.

      004    Read by others.
      002    Write by others.
      001    Execute (search) by others.

     4000    Set user ID on execution. (SUID)
     2000    Set group ID on execution (SGID)
     1000    Sticky bit, (see chmod(2V) for more information).

We will go into SUID, SGID, and sticky bit in the future. As a user, you 
will have little need to set those yourself. As an admin, they will 
become very important to functionality and security of your system.

Whenever you set the mode with Octal notation, you will always use either
three or four numbers to do so. The only time you use four is if you are 
dealing with a special mode like SUID or SGID. In all other cases, you
are using three. The first number deals with r/w/x privs for the user, the 
second number deals with r/w/x privs for group, and the third for other.

Look at the above list and see how they form together with the examples
below:
	444  =  -r--r--r--      (readable to everyone)
	110  =  ---x--x---	(executable to user/group)
	421  =  -r---w---x	(read/user, write/group, execute/other)


Now, we need to look at setting multiple flags for a single category. What
if we want the user to read AND write? If you notice the numbers used, 
you may have noticed they skipped the use of 3. Why? Because any combination
of adding 1, 2, and 4 will create new numbers with no duplication. 1+2 = 3,
1+4 = 5, 2+4 = 6, and 1+2+4 = 7. By adding the base 1/2/4 numbers, we
obtain the numeric representation for assigning multiple attributes
to a file. For example, if we want read and write, we add 4 and 2,
and apply that.

	644  =  -rw-r--r--	(read/write user, read group/other)

If we want to give read/write/exec to user, we add up 4, 2, and 1 and apply
that.

	755  =  -rwxr-xr-x	(r/w/x user, r/x for group and other)


Other: There are other options with chmod that are nice to know. Take into
       account that not all versions of chmod will conform to the options
       I will describe. You can "man chmod" on your system to see what
       those options are.

       -f   Force.  chmod will not complain if it fails  to  change
            the mode of a file.

       -R   Recursively descend through directory  arguments,  set-
            ting  the  mode for each file as described above.  When
            symbolic links  are  encountered,  their  mode  is  not
            changed and they are not traversed.

       (remember, unix is case sensitive. 'R' is not 'r')

If you use wildcards, most implementations of chmod will not set permissions
of files that contain a . at the beginning of the file name if you use
wildcards. For instance, 'chmod 755 *' would set the permissions on all
the files in the current directory to -rwxr-xr-x EXCEPT files containing
a . at the beginning of their name. In order to wildcard chmod these files,
you would have to 'chmod 755 .*'

So when is it good to know alpha notation? You may not know the current
permissions when writing a script that calls chmod to perform a mode change.
This would make it awkward to reset the permissions via Octal notation. Making 
chmod add or remove permissions would then be more efficient. For example:

	chmod u-x readme	Remove execute permissions for user.
	chmod go-rwx readme	Remove all right for group/other.

What does this have to do with system penetration? First and foremost,
every unix user and security professional should know how to use the
system they are attacking or securing. You can not effectively
test or secure a unix box if you don't know how to use it as a standard
user would. Second, when you compile programs or run scripts on a system,
you have to be able to permission them in order to run them.

Carole Fennelly writes in reminding us that there are a few times where
alpha notation may be the better option. There is an option to chmod (-R) 
that will traverse a directory structure to change the modes of all files 
and subdirectories in the tree. For example, if you are in the directory 
/usr/local/httpd, you could enter:

chmod -R 755 *

Which will go through and make every file and subdirectory under  
/usr/local/httpd "rwxr-xr-x" . This may not be what you want. If you only want 
to make sure that there is no file or directory that is world writable and you 
want to preserve the other permissions, it is better to use the command:

chmod -R o-w *

For large directory trees, it is unlikely that every file and subdirectory 
should have the same permission and the octal (absolute) value could cause 
problems. 


Hopefully this covers basic use of 'chmod', and helps you use it more 
effectively.

Additional Reference:      
	'man chmod'
	O'Reilly Unix in a Nutshell	(ISBN 1-56592-001-5   $9.99)



jericho@attrition.org (c) copyright 1998, 1999 Brian Martin Special thanks to Carole Fennelly for her input and review!