Every file in Unix has a set of permissions. There are three of them, (r)ead, (w)rite and e(x)ecute, and each is set separately for three classes of people: the (u)ser who owns the file, members of the (g)roup that owns the file, and (o)ther people on the system.
Mnemonic: RWX = running with scissors (X is a pair of scissors, right???)
$ ls -hl
total 0
-rw-r--r-- 1 frank users 0 2009-02-04 15:47 one
-rw-r--r-- 1 frank users 0 2009-02-04 15:47 three
-rw-r--r-- 1 frank users 0 2009-02-04 15:47 two
Reading a line from left to right: the first character is the file type (- for a regular file, d for a directory), then three groups of rwx for (u)ser, (g)roup and (o)ther, then the link count, the owning user (frank) and the owning group (users).
Note: e(x)ecute on a regular file means it's a binary or a script that you can run like this: ./scriptname. On a directory, x means you can cd into it and reach the things inside it by name; to list what is inside you also need (r)ead on the directory.
If you are on a shared hosting environment, and you have nothing to do with anyone else on the system, and have heaps of files you don't want publicly visible, you could do one of two things:
Method (1) Use chmod to remove all (o)ther permissions on all your files -or-
Method (2) Use chmod to remove the e(x)ecutable bit of the (o)ther permission on your home directory only
The first option is natural enough, let's walk through it: You are user frank. Another user on your shared hosting environment is user bill. You have three files in your home directory, /home/frank, called one, two and three. To make sure all the (o)ther permissions on these files are removed (so that bill can neither (r)ead, (w)rite nor e(x)ecute those three files), do something like this:
$ chmod o-rwx one two three
The o means other, the - means remove, the rwx is the list of permissions to remove.
Let's examine the second option:
$ chmod o-x /home/frank
If any directory on the way to a file is o-x then others cannot list, view, change or execute that file, no matter how open the file's own bits are: every path lookup has to pass through each directory above the file, and passing through a directory needs e(x)ecute on it.
But wait: what if the file one is owned by the user frank and by the group users, and bill is in the group users too? Then bill can still see one until the (g)roup permissions are removed from it, or the (g)roup e(x)ecute bit is removed from a containing directory. In this case bill is not an (o)ther user: he is a (g)roup user (a member of the group that owns the file). The kernel picks exactly one class for each access, owner first, then group, then other, and only that class's bits are consulted, so stripping the (o)ther bits does nothing for anyone who matches owner or group.
Confusing?
A note about method 2: If you are frank, in the group users, and you have a directory in your home directory named htdocs that is owned by apache:apache (and obviously is used to serve web pages) then this method will break your web server! Why? Because in the chain /home/frank/htdocs there is an o-x (on /home/frank), and the apache user is neither frank nor a member of users, so it is an (o)ther and cannot get through /home/frank to reach htdocs. So this is not a good method if you have a setup like this.
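Here is the walk-through above as a runnable script. It is an added example, not code from the original post: it builds a scratch tree standing in for /home/frank (the user, file and htdocs names are the post's; the scratch location and the helper names other_bits, others_can_traverse, first_blocked_dir, method1 and method2 are my own), applies method 1 to the regular files while pruning htdocs, then applies method 2 and walks the directory chain the way the kernel does for an (o)ther user, showing that the o-x on the home directory is the link that would shut apache out:

```shell
#!/bin/sh
# Added example (not from the original post): build a scratch copy of frank's
# home directory, apply each lockdown method, and walk the directory chain the
# way the kernel does when an (o)ther user (apache, bill) tries to open a path.
# The scratch tree is constructed here so the script runs without root or a
# second account; helper names are assumptions, not anything from the post.
set -eu

# other_bits PATH -> the three (o)ther characters of the mode, e.g. r-x or ---
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# others_can_traverse DIR -> succeeds if the (o)ther e(x)ecute bit is set on DIR
others_can_traverse() {
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;   # t = sticky bit with x also set (as on /tmp)
        *)   return 1 ;;
    esac
}

# first_blocked_dir BASE PATH -> prints the first directory, from BASE down to the
# parent of PATH, that others cannot traverse; prints nothing if the chain is open.
# Only the part of the chain under BASE is examined, so the result does not
# depend on how /tmp happens to be set up.
first_blocked_dir() {
    dir=$1
    rel=${2#"$1"/}              # PATH relative to BASE
    while :; do
        if ! others_can_traverse "$dir"; then
            echo "$dir"
            return 0
        fi
        case $rel in
            */*) dir=$dir/${rel%%/*}; rel=${rel#*/} ;;
            *)   break ;;       # only the final component (the file) is left
        esac
    done
    echo ""
}

# method1 HOME -> strip all (o)ther permissions from regular files under HOME,
# but leave the published htdocs tree alone so the web server can still read it.
method1() {
    find "$1" -path "$1/htdocs" -prune -o -type f -exec chmod o-rwx {} +
}

# method2 HOME -> remove only the (o)ther e(x)ecute bit from HOME itself
method2() {
    chmod o-x "$1"
}

# --- constructed scratch tree standing in for /home/frank ---
scratch=$(mktemp -d)
chmod 755 "$scratch"            # mktemp -d creates it mode 700
home=$scratch/home/frank
mkdir -p "$home/htdocs"
chmod 755 "$scratch/home" "$home" "$home/htdocs"
touch "$home/one" "$home/two" "$home/three" "$home/htdocs/index.html"
chmod 644 "$home/one" "$home/two" "$home/three" "$home/htdocs/index.html"

method1 "$home"
ONE_AFTER_M1=$(other_bits "$home/one")                    # ---
INDEX_AFTER_M1=$(other_bits "$home/htdocs/index.html")    # r--  (htdocs was pruned)
CHAIN_AFTER_M1=$(first_blocked_dir "$scratch" "$home/htdocs/index.html")  # empty: apache still gets through

method2 "$home"
CHAIN_AFTER_M2=$(first_blocked_dir "$scratch" "$home/htdocs/index.html")  # $home: apache is now blocked

printf 'after method 1: one=%s index.html=%s blocked dir=%s\n' \
    "$ONE_AFTER_M1" "$INDEX_AFTER_M1" "${CHAIN_AFTER_M1:-none}"
printf 'after method 2: blocked dir=%s\n' "${CHAIN_AFTER_M2:-none}"
rm -rf "$scratch"
```

The find ... -prune form matters: a plain chmod -R o-rwx ~ would also strip the (o)ther bits from htdocs and everything below it, which breaks the web server just as surely as method 2 does. On a real system, run first_blocked_dir against the directory you actually own (your home) rather than / so you are not judged by directories you cannot change.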
umask is a per-process setting (shown and changed with the shell's umask command) that determines which permission bits are taken away from a file when a program creates it and you don't specifically chmod it afterwards. Often you'll see a umask like this:
$ umask
0022
The last three digits are the bits taken away from the (u)ser, (g)roup and (o)ther triplets respectively. Strictly it is a bit mask that the kernel clears from the mode the program asked for, but because each triplet starts from 7, subtracting the digit from 7 gives the same answer. What has 7 got to do with it? Well:
If a file has all bits set for, say, the (u)ser type then the (u)ser will be able to read, write and execute the file.
So if your umask is 0022 (ignore the first digit for this exercise, only take notice of 022) then by default your files are going to be created like this: u = 7 - 0 = 7 (rwx), g = 7 - 2 = 5 (r-x), o = 7 - 2 = 5 (r-x).
But here's the twist: the (x) only takes effect if the 'file' you've just created is a directory. A regular file never gets x from the default, however permissive the umask, so ignore it for files. So with the above umask of 022 it would be ugo = 755 for a newly created dir and ugo = 644 for a newly created file.
Ever seen someone chmod a file with numbers like this?
$ chmod 640 three
They have just made the file named three: (r)eadable and (w)riteable by the (u)ser (r + w = 4 + 2 = 6), (r)eadable by the owning (g)roup (4 = r), and neither (r)eadable, (w)riteable nor e(x)ecutable by (o)thers (0 = no permissions). The three digits are u, g and o in that order, the same order ls shows them in.
A umask of 027 is a better way to go than 022: your group can still read what you create, but (o)thers get nothing at all, so new files start out private instead of world-readable. Set it like this (and put the same line in your shell's startup file so it sticks for new sessions):
$ umask 0027
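To see the masking behaviour for yourself, here is an added example, not from the original post, that computes the default mode for a umask the way the kernel does (the requested mode with the mask bits cleared, starting from 0666 for files and 0777 for directories) and checks it against what touch and mkdir actually produce in a scratch directory. The helper names default_mode, mode_string and create_with_umask are mine. Note the file case for 027: 0666 with the 027 bits cleared is 0640, which no digit-wise subtraction from 666 gives you (6 minus 7), though the subtract-from-7-then-drop-x rule above still lands on 640.

```shell
#!/bin/sh
# Added example (not from the original post): compute the default mode a given
# umask yields, then confirm it against what the shell actually creates.
# Helper names are assumptions; nothing here comes from the post itself.
set -eu

# default_mode MASK KIND -> octal mode a new file ("file") or directory ("dir")
# gets under MASK. MASK is written with a leading 0 (e.g. 0027) so shell
# arithmetic treats it as octal. The kernel clears the mask bits from the mode
# the creating program asks for: 0666 for ordinary files, 0777 for directories.
default_mode() {
    mask=$1
    case $2 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "default_mode: kind must be file or dir" >&2; return 1 ;;
    esac
    printf '%03o\n' $(( base & ~mask ))
}

# mode_string PATH -> the ten-character mode string as ls prints it, e.g. -rw-r-----
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# create_with_umask MASK KIND -> create a scratch file or directory while MASK is in
# effect (in a subshell, so the caller's umask is untouched) and print its mode string.
create_with_umask() {
    scratch=$(mktemp -d)
    case $2 in
        file) ( umask "$1"; touch "$scratch/f" ); p=$scratch/f ;;
        dir)  ( umask "$1"; mkdir "$scratch/d" ); p=$scratch/d ;;
        *) echo "create_with_umask: kind must be file or dir" >&2; return 1 ;;
    esac
    mode_string "$p"
    rm -rf "$scratch"
}

# Compare the computed default with the real thing for the two umasks in the post.
for mask in 0022 0027; do
    for kind in file dir; do
        printf 'umask %s %-4s computed=%s actual=%s\n' "$mask" "$kind" \
            "$(default_mode "$mask" "$kind")" "$(create_with_umask "$mask" "$kind")"
    done
done
```

Expected pairs: 0022 gives 644 / -rw-r--r-- for files and 755 / drwxr-xr-x for directories; 0027 gives 640 / -rw-r----- and 750 / drwxr-x---. A filesystem with default ACLs can change the actual result, which is exactly why the script checks the created object rather than trusting the arithmetic.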
I will keep re-reading this post to see if there are any errors in it - it is a confusing topic :-)
This is the blog of Brad Willis, a software engineer living in Brisbane.