command: chmod

this is perfectly said .. many combinations are possible but in practice , we use very few in basic file permissions
744 -- i tend to use this at home rather than 777 , i dont really know why , feels right
777
766

Basically, if all numbers are the same, it can never be the objective as the whole idea is to have different permissions between User and Other. So, 777 and 666 and such should not exist, just for that concept alone. Ideally, 777 should never be used. Check it out, if a file has 777, it's almost always wrongly granted. I use 777 when I'm lazy and don't want to think. Then again, use it only on files that don't matter anyway. Note that group permissions depend on how users and groups are setup. If these are setup wrong, the whole system doesn't work. That may happen if you see very few groups being used, and users having very little other groups being granted. Also some admins try to fix this "problem" by running everything as one user. Sure, simple systems may have that setup, but Linux is not designed to have 1 user run 3 processes in total. That's not what servers were meant to do.
 
Last edited:


Basically, if all numbers are the same, it can never be the objective as the whole idea is to have different permissions between User and Other. So, 777 and 666 and such should not exist, just for that concept alone. Ideally, 777 should never be used. Check it out, if a file has 777, it's almost always wrongly granted. I use 777 when I'm lazy and don't want to think. Then again, use it only on files that don't matter anyway. Note that group permissions depend on how users and groups are setup. If these are setup wrong, the whole system doesn't work. That may happen if you see very few groups being used, and users having very little other groups being granted. Also some admins try to fix this "problem" by running everything as one user. Sure, simple systems may have that setup, but Linux is not designed to have 1 user run 3 processes in total. That's not what servers were meant to do.
I totally agree - permissions are to limit / grant access according to need and for security. for the most part since it is only myself on a laptop the permissions are generally not an issue other than certain things for the system
which might be created while in a sudo mode and permissions set only for root access ..

In a server / mutil-user environment permissions are obviously much more critical.
 
I have a few points I'd like to add here.

The system /tmp directory and the system /var/tmp directory both use 01777. You should always start an octal number with a leading 0. Using execute permission for a directory grants search access thus allowing a user to search for and run a command in that directory without having read access to the directory. Allowing read access to a directory allows the user to use the ls command to see what's in the directory. Only search access to the directory itself is required when running a command if that command is in that directory. The user will still need execute access to the command itself as well. ACLs can be used to fine tune this to specific users on the system, or even specific groups.

It is likely that your "group" will be unique to you, unless you use the chgrp command on the file in question to set it to something like users, otherwise setting group permissions won't do much. You can use the groups command to find out what groups you are a member of. You can use the newgrp command, if you are able to access it which is the default, to set a new default group. Doing this will create a subshell which will use the new group, provided you are allowed to be in the specified group. This way any files that you create will use that new group name by default. Let's say you and a few friends were working on a project and each of you were in the "project" group. You could use the newgrp project command to use the project group by default instead of your own group that should be unique to you. You would want to set a suitable umask value as well to make sure the files you create have proper group access granted to the other members of your project group. See the man page for umask for more information on using umask.

chmod goes a step further. It can be used to set the setuid, setgid, and sticky bits. I would strongly recommend against using setuid unless you really know what you are doing. setgid is commonly used by games in Linux to allow updating high score lists and other such things. The sticky bit is used in directories that allow write access to everyone. A user can normally remove someone else's file if they own the directory the file is in. The idea is that the sticky bit prevents one user from removing another user's file in a directory like /tmp which uses 01777. Setting the setuid, setgid, and sticky bits uses an extra number. Let's say you wanted to use setuid for your own compiled program called mygame. You would use chmod 04711 mygame to set permissions to -rws--x--x which means the owner can read, write, and run this file, the group can only run, but cannot read or write, and other users on the system can only run, but cannot read or write. It also causes the program to run with your euid when another user runs it. It will still have their uid, egid, and gid, but will use your euid. This can cause security problems, especially when using setuid to a privileged user like root. You set use setgid this way: chmod 02711 mygame to set permissions to -rwx--s--x which will cause the program to be run with your egid, but with other things being more or less the same as my previous example. If you see something like -rwx--S--- this means that the program will use setgid to the egid to the named group that owns the file, referring to group ownership here, but only the owner of the file may run it.

You can set a directory to use setuid and/or setgid to cause newly created files in that directory to use the same owner name and/or group name as the directory itself.

A file system may be mounted using the nosuid option which will tell the kernel to ignore the setuid bit. It might also ignore the setgid and sticky bit as well, though I'm really now sure since I haven't researched or tested that.

The world or all or everyone permission means all other local users on the computer, not the whole planet, like the whole Internet.

Clearly Rob, bless his soul, intended for his post to be read by beginners rather than more advanced users. I applaud his effort to help Linux users learn and grow on their journey to mastering Linux.

Signed,

Matthew Campbell
 
Last edited:
@Rob Was I out of line by adding my comment to your post? It seems to have been totally ignored. My intent was to be helpful. Please let me know if my comments were not.

Signed,

Matthew Campbell
 
Our lead admin is very busy and manages to get by because they've successfully delegated the various needs to us volunteers. He seldom has time to respond to individual posts.

As you can see, this thread is quite old. It is also a tutorial.

As such, you may not get a reply. It isn't anything personal, it's just that our lead admin has more important things to do than responding to comments on old tutorial threads.

As for if your comment is bad or good, did you add benefit by tacking a comment that's thee pages deep in a tutorial thread? From a logistics and statistics point of view, and this isn't anything personal, the answers is "probably not".

It's nothing against you. It's that people behave in predictable ways, The average user is unlikely to wade through three pages of comments. They're barely likely to skim the original post. They'll look for things that are highlighted in their formatting, like code blocks and bold text.

You obviously didn't break any rules. If you had, we'd have dealt with that.

I'm not sure how helpful it is to respond to old threads.
 
I am wading through all that myself ,.. been using linux for many years
but i need to be less laze a delve deeper even if much doesnt apply
to just a home linux box -- it is good to learn when family and friends
begin to drop .. lets say "other OS" for linux , then it will be good to be
aware that these permission handling functions are available
i am grateful that others on here ave been understanding of my higher than
beginner but lower than intermediate status -- lol
 


Top