newbie: changing permissions with chmod and octal
date: 1.10.98 original
      8.3.99 updated

What:

'chmod' is a utility to set the mode (chmod = CHange MODe) of a file or
directory. The 'mode' dictates who on the system may access a file. The
mode is also known as 'permissions'.

literal syntax: "Set the mode of that file to..."
                "What are the permissions on that directory?"

Why:

Many people don't fully understand the importance of file permissions on
a Unix system. Furthermore, using alpha notation may produce incorrect
permissions, because you are not fully qualifying the permissions of the
file, only adding or removing individual bits. Over time, or through the
use of scripts and utilities, permissions can drift into modes that are
not suitable for a secure environment.

Info:

CHMOD(1V) is used to change the permissions (mode) of a file or files.
Only the owner of a file (or the super-user) may change its mode.

Let's start by looking at a common directory listing in Unix. We will use
"ls -alF" to obtain the list. (More on 'ls' in a later file.)

-rw-r--r--  1 jericho    2520 Jan  9 09:46 .plan
lrwxrwxrwx  1 root          9 Oct  1 19:42 .rhosts -> /dev/null
drwx------  4 jericho    4096 Jan  9 10:29 bin/
-rw-------  1 jericho    1349 Jan  6 14:49 header.file.2

Above are four different kinds of entries we may find. The first field of
each entry is the set of permissions associated with that file. It
determines who can read, write, or execute the file. The field is 10
characters wide, laid out as follows:

---------------------------------------------------
| ft | ur | uw | ux | gr | gw | gx | or | ow | ox |
---------------------------------------------------

ft - file type. This tells you what kind of 'file' you are listing. Keep
     in mind that the word 'file' is vague and does not necessarily mean
     "text file". Unix treats everything as a file (directories, links,
     devices, etc.) and uses this first character, which is not a
     permission bit, to differentiate one kind from another.
Common file types:

-  regular file
d  directory
l  symbolic link
c  character device
b  block device
s  socket
p  named pipe (FIFO)

Character devices, block devices, and sockets are mostly found in the
/dev directory and will be discussed later. The kinds of files we will
look at for now are regular files, directories, and (briefly) symbolic
links.

For the other nine characters, you have different combinations of the
following:

u = user     r = read
g = group    w = write
o = other    x = execute

Permissions control access to a file or directory by breaking it down
into three access categories: user, group, and other.

User:  Controls access for the owner of the file.
Group: Controls access for all members of the group that owns the file.
Other: Controls access for anyone else on the system, i.e. anyone who
       neither owns the file nor belongs to the file's group.

For a regular file, read means the ability to read the contents of the
file, write means modifying, truncating, or appending to it, and execute
means 'running' it. For a directory, read means listing the names in it,
write means creating, removing, or renaming entries in it (so whether a
file can be deleted depends on the directory's mode, not the file's),
and execute means the ability to enter (search) it.

When using chmod to set or change permissions, two notations are
recognized:

Alpha: Use of the + and - operators to add or remove one of the three
       types of access (r, w, x) for each category (u, g, o). Alpha
       notation is also known as 'symbolic mode'. For example:

           chmod u+rw,g+r,o+r filename

Octal: Use of a three or four digit octal number to set the absolute
       permissions of a file. Octal notation sets all access permissions
       each time it is used, and is also known as 'absolute mode'. For
       example:

           chmod 644 filename

Changing the permissions: (we will get to the 'why' after this)

Many people who are new to Unix use alpha notation to change the
permissions of a file. Let's say we have a file called 'readme' with
permissions of -rw-r--r-- .
That means I (user) can read and write it, while people in the group or
anyone else can only read it. Using alpha notation, I might do the
following:

    chmod go-r readme

What we are saying here is to remove 'read' for 'group' and 'other'.
That changes the file from -rw-r--r-- to -rw------- .

If we were then to do:

    chmod go+rx readme

we are adding read and execute for group and other. So now it goes from
-rw------- to -rw-r-xr-x . Even though we own the file, we can't execute
it ourselves, while group and other can. This little oversight would
force us to chmod again. While this doesn't sound particularly bad,
consider it from a security standpoint: an admin who uses alpha notation
only ever sees the bits he is touching, and it is easy to overlook the
bits he is not, which can lead to problems. Because of the chance of
accidentally leaving incorrect permissions in place, it is a good idea
to learn and use octal notation whenever possible.

Why is it called "absolute mode"? Because every time you set the mode of
the file, you are fully qualifying the permissions. Instead of adding or
removing permissions, you are giving the file its new permissions, as if
from scratch.

Instead of the r/w/x and u/g/o method described above, we use numbers and
their position to determine the new mode. Below are the basic modes and
their octal representation. While this looks like a lot to remember, I
will show how it is actually easier and more efficient than alpha.

 400  Read by owner.
 200  Write by owner.
 100  Execute (search in directory) by owner.
 040  Read by group.
 020  Write by group.
 010  Execute (search) by group.
 004  Read by others.
 002  Write by others.
 001  Execute (search) by others.
4000  Set user ID on execution (SUID).
2000  Set group ID on execution (SGID).
1000  Sticky bit (see chmod(2V) for more information).

We will go into SUID, SGID, and the sticky bit in the future. As a user,
you will have little need to set those yourself. As an admin, they will
become very important to the functionality and security of your system.
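To see how the base values in the table add up into the digits that chmod takes, here is an added example (my own, not code from the original article) in POSIX sh. It converts the ten-character mode field that 'ls -l' prints into the octal number chmod accepts, and back again, treating an s, S, t or T in an execute slot as the 4000/2000/1000 values from the table. The function names mode_to_octal and octal_to_mode are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: translate between the
# ten-character mode field that 'ls -l' prints and the octal number that
# 'chmod' takes, by adding up the 4/2/1 base values from the table.
# Function names (mode_to_octal, octal_to_mode) are my own. Pure POSIX sh.

# mode_to_octal '-rwxr-xr-x'  prints  0755
# mode_to_octal 'drwxrwxrwt'  prints  1777   (sticky bit on a directory)
# The leading digit is the SUID/SGID/sticky value (4000/2000/1000): an
# 's' or 't' in an execute slot means the special bit AND execute are set,
# an 'S' or 'T' means the special bit is set but execute is not.
mode_to_octal() {
    m=$1
    if [ ${#m} -ne 10 ]; then
        echo "mode_to_octal: expected 10 characters, got '$m'" >&2
        return 1
    fi
    rest=${m#?}                     # drop the file-type character
    special=0 digits="" digit=0 pos=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}       # first remaining character
        rest=${rest#?}
        pos=$((pos + 1))            # 1..9: u=1-3, g=4-6, o=7-9
        case $c in
            r) digit=$((digit + 4)) ;;
            w) digit=$((digit + 2)) ;;
            x) digit=$((digit + 1)) ;;
            s|S)                    # SUID in slot 3, SGID in slot 6
                if [ $pos -ne 3 ] && [ $pos -ne 6 ]; then
                    echo "mode_to_octal: '$c' out of place in '$m'" >&2
                    return 1
                fi
                if [ $pos -eq 3 ]; then special=$((special + 4))
                else special=$((special + 2)); fi
                if [ "$c" = s ]; then digit=$((digit + 1)); fi ;;
            t|T)                    # sticky bit lives in slot 9 only
                if [ $pos -ne 9 ]; then
                    echo "mode_to_octal: '$c' out of place in '$m'" >&2
                    return 1
                fi
                special=$((special + 1))
                if [ "$c" = t ]; then digit=$((digit + 1)); fi ;;
            -) ;;
            *)  echo "mode_to_octal: bad character '$c' in '$m'" >&2
                return 1 ;;
        esac
        if [ $((pos % 3)) -eq 0 ]; then   # finished one category
            digits="$digits$digit"; digit=0
        fi
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_to_mode 755   prints  rwxr-xr-x
# octal_to_mode 4755  prints  rwsr-xr-x
# Three digits are accepted as shorthand for a leading 0 (no special bits).
octal_to_mode() {
    o=$1
    case $o in
        [0-7][0-7][0-7])        o="0$o" ;;
        [0-7][0-7][0-7][0-7])   ;;
        *)  echo "octal_to_mode: expected 3 or 4 octal digits, got '$o'" >&2
            return 1 ;;
    esac
    special=${o%???}                # leading digit: 4=SUID 2=SGID 1=sticky
    perm=${o#?}                     # the three u/g/o digits
    out="" cat=0
    while [ -n "$perm" ]; do
        d=${perm%"${perm#?}"}; perm=${perm#?}
        cat=$((cat + 1))            # 1=user 2=group 3=other
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        case $cat in
            1) sp=$((special & 4)) ;;
            2) sp=$((special & 2)) ;;
            3) sp=$((special & 1)) ;;
        esac
        if [ $sp -ne 0 ]; then      # special bit shows up in the execute slot
            if [ $cat -eq 3 ]; then
                if [ "$x" = x ]; then x=t; else x=T; fi
            else
                if [ "$x" = x ]; then x=s; else x=S; fi
            fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Round-trip the modes used in the article when run directly.
for m in -rw-r--r-- -rwxr-xr-x -r---w---x ---x--x--- drwx------ -rwsr-xr-x; do
    o=$(mode_to_octal "$m")
    printf '%s  ->  %s  ->  %s\n' "$m" "$o" "$(octal_to_mode "$o")"
done
```

Because 1, 2 and 4 are distinct powers of two, every digit 0 to 7 decodes to exactly one r/w/x combination, which is why the round trip above is lossless. The uppercase S and T cases are worth knowing: a file showing -rwSr--r-- has the SUID bit set without owner execute, which is almost always a mistake rather than a design.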
Whenever you set the mode with octal notation, you always use either
three or four digits. You only use four when you are setting one of the
special bits (SUID, SGID, or sticky); in all other cases you use three.
The first digit covers r/w/x for the user, the second covers r/w/x for
the group, and the third covers other. Look at the list above and see
how the values combine in the examples below:

444 = -r--r--r--  (readable by everyone)
110 = ---x--x---  (executable by user and group)
421 = -r---w---x  (read for user, write for group, execute for other)

Now we need to look at setting multiple flags for a single category. What
if we want the user to read AND write? You may have noticed that the
base values skip 3. Why? Because 1, 2, and 4 are powers of two, so any
sum of them is unique: 1+2 = 3, 1+4 = 5, 2+4 = 6, and 1+2+4 = 7. Every
digit from 0 to 7 therefore stands for exactly one combination of r, w,
and x. By adding the base 1/2/4 values, we obtain the digit for
assigning multiple attributes. For example, if we want read and write,
we add 4 and 2 and apply that:

644 = -rw-r--r--  (read/write for user, read for group and other)

If we want to give read/write/exec to the user, we add 4, 2, and 1:

755 = -rwxr-xr-x  (r/w/x for user, r/x for group and other)

Other:

There are other options to chmod that are nice to know. Keep in mind
that not all versions of chmod support the options described here; "man
chmod" on your system will show which ones it has.

-f   Force. chmod will not complain if it fails to change the mode of a
     file.

-R   Recursively descend through directory arguments, setting the mode
     for each file as described above. When symbolic links are
     encountered, their mode is not changed and they are not traversed.

(Remember, Unix is case sensitive: 'R' is not 'r'.)

If you use wildcards, note that it is the shell, not chmod, that expands
them, and the shell does not match names beginning with a '.' against a
plain '*'. For instance, 'chmod 755 *' would set the permissions on all
the files in the current directory to -rwxr-xr-x EXCEPT those whose
names begin with a '.'. To include those files you would have to run
'chmod 755 .*' as well. Be careful, though: '.*' also matches '.' and
'..', so that command changes the mode of the current directory and its
parent too.

So when is it good to know alpha notation? You may not know the current
permissions when writing a script that calls chmod, which makes it
awkward to reset them with octal notation. Having chmod add or remove
just the bits you care about is then the right tool. For example:

    chmod u-x readme       Remove execute permission for user.
    chmod go-rwx readme    Remove all rights for group/other.

What does this have to do with system penetration? First and foremost,
every Unix user and security professional should know how to use the
system they are attacking or securing. You can not effectively test or
secure a Unix box if you don't know how to use it as a standard user
would. Second, when you compile programs or run scripts on a system, you
have to be able to set their permissions in order to run them.

Carole Fennelly writes in reminding us that there are times when alpha
notation is the better option. There is an option to chmod (-R) that
will traverse a directory structure to change the modes of all files and
subdirectories in the tree. For example, if you are in the directory
/usr/local/httpd, you could enter:

    chmod -R 755 *

which will go through and make every file and subdirectory under
/usr/local/httpd "rwxr-xr-x". This may not be what you want. If you only
want to make sure that no file or directory is world writable, and you
want to preserve the other permissions, it is better to use:

    chmod -R o-w *

For large directory trees, it is unlikely that every file and
subdirectory should have the same permissions, and the octal (absolute)
value could cause problems.
Hopefully this covers basic use of 'chmod' and helps you use it more
effectively.

Additional Reference:

'man chmod'
O'Reilly Unix in a Nutshell (ISBN 1-56592-001-5, $9.99)
jericho@attrition.org
(c) copyright 1998, 1999 Brian Martin

Special thanks to Carole Fennelly for her input and review!