newbie: changing permissions with chmod and octal
date: 1.10.98 original
8.3.99 updated
What: 'chmod' is a utility to set the mode (chmod = CHange MODe)
of a file or directory. The 'mode' dictates who on the system
may access a file. The mode is also known as 'permissions'.
literal syntax: "Set the mode of that file to..."
"What are the permissions on that directory?"
Why: Many people don't fully understand the importance of file permissions
on a Unix system. Furthermore, using Alpha notation may cause
incorrect permissions because you are not fully qualifying the
permissions of the file, only adding or removing permissions.
Over time, or via the use of scripts and utilities, these
permissions can be set to undesirable modes that may not be suitable
for a secure environment.
Info: CHMOD(1V) is used to change the permissions (mode) of a file or
files. Only the owner of a file (or the super-user) may change
its mode.
Lets start out by looking at a common directory entry in unix. We are
going to use "ls -alF" to obtain the list. (More on 'ls' in a later file).
-rw-r--r-- 1 jericho 2520 Jan 9 09:46 .plan
lrwxrwxrwx 1 root 9 Oct 1 19:42 .rhosts -> /dev/null
drwx------ 4 jericho 4096 Jan 9 10:29 bin/
-rw------- 1 jericho 1349 Jan 6 14:49 header.file.2
Above are 4 different kinds of entries we may find. The first part of each
entry is the file permissions associated with that file. It determines who
can read, write, or execute a file. There are 10 flags for each file, as
listed below:
---------------------------------------------------
| ft | ur | uw | ux | gr | gw | gx | or | ow | ox |
---------------------------------------------------
ft - file type. This tells you what kind of 'file' you are listing. Take
into account the word 'file' is vague, and does not necessarily mean "text
file" necessarily. Unix treats everything as a file (directories, links,
etc), and denotes these special permissions to differentiate one from
another. Common file types:
- regular file
d directory
l symbolic link
c character device
b block device
s socket device
Character devices, Block devices, and Sockets are frequently found in
the /dev directory, and will be talked about later. The kinds
of files we will look at for now are regular files, directories, and take
a brief look at symbolic links.
For the other nine entries, you have different combinations of the following:
u = user r = read
g = group w = write
o = other x = execute
Permissions control access for a file or directory by breaking
it down into three access categories: user, group, and
other.
User: Controlls access for the owner of the file.
Group: Controlls access for all members of the group that
owns the file.
Other: Controlls access to anyone else on the system,
regardless of them owning the file or being in a
group that owns a file.
In the syntax above, read means the ability to read the contents of that
file, write means modifying, removing, or appending to a file, and execute
means 'running' the file (or if it is a directory, the ability to enter it).
When using chmod to set or change file permissions, there
are two notations that are recognized:
Alpha: Use of the + and - operators to change one of
the three types of access for each category.
r, w, and x which represent read, write and
execute respectively. Alpha notation is also known
as 'Symbolic Mode'. For example:
chmod u+rw,g+r,o+r filename
Octal: Use of a three or four digit octal number to
change the absolute permissions of a file. Using
octal notation sets all access permissions each
time it is used. Octal notation is also known
as 'Absolute Mode'. For example:
chmod 644 filename
Changing the permissions: (we will get to the 'why' after this)
Many people that are new to unix will use Alpha representation to change the
permission of a file. Lets say we have a file called 'readme' with
permissions of -rw-r--r-- .. that means I (user) can read/write, while
people in the group or other can only read it. Using alpha notation, I
may do the following:
chmod go-r readme
What we are saying here is to remove the 'read' ability for 'group' and
'other'. That changes the file from -rw-r--r-- to -rw------- . If we
were to do:
chmod go+rx readme
We are now adding read and execute privilege for group and other. So now it
would go from -rw------- to -rw-r-xr-x . This would make it so even though
we own the file, we can't execute it ourselves. This little oversight would
cause us to have to chmod again. While this doesn't sound particularly bad,
consider it from a security standpoint. If an admin uses alpha notation, it
would be easy for him to overlook permissions that could lead to problems.
Because of the chance for accidentally setting incorrect permissions, it
is a good idea to learn and use Octal Notation whenever possible. Why is it
called "absolute mode"? Because every time you set the mode of the file,
you are fully qualifying the permissions. Instead of adding or removing
permissions, you are giving the file its new permissions, as if from scratch.
Instead of the r/w/x and u/g/o method described above, we use numbers
and placement to determine the new mode. Below are the basic modes
and their Octal representation. While this looks like a lot to remember,
I will show how it is actually easier and more efficient than Alpha.
400 Read by owner.
200 Write by owner.
100 Execute (search in directory) by owner.
040 Read by group.
020 Write by group.
010 Execute (search) by group.
004 Read by others.
002 Write by others.
001 Execute (search) by others.
4000 Set user ID on execution. (SUID)
2000 Set group ID on execution (SGID)
1000 Sticky bit, (see chmod(2V) for more information).
We will go into SUID, SGID, and sticky bit in the future. As a user, you
will have little need to set those yourself. As an admin, they will
become very important to functionality and security of your system.
Whenever you set the mode with Octal notation, you will always use either
three or four numbers to do so. The only time you use four is if you are
dealing with a special mode like SUID or SGID. In all other cases, you
are using three. The first number deals with r/w/x privs for the user, the
second number deals with r/w/x privs for group, and the third for other.
Look at the above list and see how they form together with the examples
below:
444 = -r--r--r-- (readable to everyone)
110 = ---x--x--- (executable to user/group)
421 = -r---w---x (read/user, write/group, execute/other)
Now, we need to look at setting multiple flags for a single category. What
if we want the user to read AND write? If you notice the numbers used,
you may have noticed they skipped the use of 3. Why? Because any combination
of adding 1, 2, and 4 will create new numbers with no duplication. 1+2 = 3,
1+4 = 5, 2+4 = 6, and 1+2+4 = 7. By adding the base 1/2/4 numbers, we
obtain the numeric representation for assigning multiple attributes
to a file. For example, if we want read and write, we add 4 and 2,
and apply that.
644 = -rw-r--r-- (read/write user, read group/other)
If we want to give read/write/exec to user, we add up 4, 2, and 1 and apply
that.
755 = -rwxr-xr-x (r/w/x user, r/x for group and other)
Other: There are other options with chmod that are nice to know. Take into
account that not all versions of chmod will conform to the options
I will describe. You can "man chmod" on your system to see what
those options are.
-f Force. chmod will not complain if it fails to change
the mode of a file.
-R Recursively descend through directory arguments, set-
ting the mode for each file as described above. When
symbolic links are encountered, their mode is not
changed and they are not traversed.
(remember, unix is case sensitive. 'R' is not 'r')
If you use wildcards, most implementations of chmod will not set permissions
of files that contain a . at the beginning of the file name if you use
wildcards. For instance, 'chmod 755 *' would set the permissions on all
the files in the current directory to -rwxr-xr-x EXCEPT files containing
a . at the beginning of their name. In order to wildcard chmod these files,
you would have to 'chmod 755 .*'
So when is it good to know alpha notation? You may not know the current
permissions when writing a script that calls chmod to perform a mode change.
This would make it awkward to reset the permissions via Octal notation. Making
chmod add or remove permissions would then be more efficient. For example:
chmod u-x readme Remove execute permissions for user.
chmod go-rwx readme Remove all right for group/other.
What does this have to do with system penetration? First and foremost,
every unix user and security professional should know how to use the
system they are attacking or securing. You can not effectively
test or secure a unix box if you don't know how to use it as a standard
user would. Second, when you compile programs or run scripts on a system,
you have to be able to permission them in order to run them.
Carole Fennelly writes in reminding us that there are a few times where
alpha notation may be the better option. There is an option to chmod (-R)
that will traverse a directory structure to change the modes of all files
and subdirectories in the tree. For example, if you are in the directory
/usr/local/httpd, you could enter:
chmod -R 755 *
Which will go through and make every file and subdirectory under
/usr/local/httpd "rwxr-xr-x" . This may not be what you want. If you only want
to make sure that there is no file or directory that is world writable and you
want to preserve the other permissions, it is better to use the command:
chmod -R o-w *
For large directory trees, it is unlikely that every file and subdirectory
should have the same permission and the octal (absolute) value could cause
problems.
Hopefully this covers basic use of 'chmod', and helps you use it more
effectively.
Additional Reference:
'man chmod'
O'Reilly Unix in a Nutshell (ISBN 1-56592-001-5 $9.99)
jericho@attrition.org
(c) copyright 1998, 1999 Brian Martin
Special thanks to Carole Fennelly for her input and review!