Developer's Blog

About the ever-confusing [file permissions] – 3 and 4 digit permissions?

If you own your own site then you probably have come across [file permissions] at some point.

Set standard HTML files to 644,
CGI files to 755,
if you do not set CGI files to 700 on the *** rental server *** plan, they will not run,
and so on; there really do seem to be a lot of [set rules] that you need to learn by heart.

So, what do you think the permission 2775 is used for? How about 1777?

This topic is probably not often covered on beginner sites, so today I want to talk a little bit about [4 digit file permissions].

File permissions are a combination of 3 classes and 3 basic permission types.

A file's permissions are set by choosing the type (read, write or execute) for each class (owner, group, all).
Displayed values such as 655 and 755 are octal numbers.
This is covered on beginner sites, so I will not go into detail.

Class

  100s digit   10s digit   1s digit
  Owner        Group       All

Permissions

  Readable     4
  Writable     2
  Executable   1

Example: Permission 644

  • Owner Readable and writable (4+2=6)
  • Group Readable (4)
  • All Readable (4)

Special permissions settings

So on to today's topic. Using a 4th digit, it is possible to set special permissions that cannot be expressed with the 3 basic permissions (read/write/execute) alone.

setuid 4
setgid 2
stickybit 1

[setuid] makes a file run with the permissions of the file's owner, whoever actually executes it.

For example, take the case where a CGI script has been set up with permissions 755 and is then accessed from a web browser.
It is the web server that executes the file. Most of the time the web server is a program called "apache", and with the default settings:

User: apache
Group: apache

a user called "apache" executes the CGI program. In other words, the user "apache" must be able to read and write every file the program touches.
This is the reason why, when permission settings are not working as wanted, changing the directory permissions to 777 magically works!

If you really want a program to run with another user's permissions, then you should set [setuid].
To set it up:

$ chmod u+s <file>

or,

$ chmod 4755 <file>

Just put a [4] in the 4th digit.
By doing this, whenever the file is executed, if its owner is [kawabata] then it runs with kawabata's permissions, so any file that kawabata can read or write becomes readable and writable by that program as well.
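As an added example (not code from the original post), the following POSIX shell function decodes a 3- or 4-digit octal mode into the symbolic string that `ls -l` prints, so you can check what a value such as 4755, 2775 or 1777 means before you apply it. The letter in the execute position becomes `s` (setuid/setgid) or `t` (sticky bit); it is printed in upper case when the corresponding execute bit is not set, which is how `ls` shows an ineffective special bit. The function names and the `d` argument for directories are this example's own choices.

```shell
# Decode an octal mode (e.g. 4755) into ls-style symbolic form (-rwsr-xr-x).
# Usage: mode_to_symbolic MODE [d]    ("d" marks a directory, default is "-")

# Turn one octal digit (0-7) into rwx; when $3 is 1 the special-bit letter
# in $2 (s or t) replaces the execute position (upper case if x is unset).
triplet() {
    digit=$1; special_letter=$2; special_set=$3
    r=-; w=-; x=-
    [ $(( digit & 4 )) -ne 0 ] && r=r
    [ $(( digit & 2 )) -ne 0 ] && w=w
    [ $(( digit & 1 )) -ne 0 ] && x=x
    if [ "$special_set" -eq 1 ]; then
        if [ "$x" = x ]; then
            x=$special_letter
        else
            case $special_letter in s) x=S ;; t) x=T ;; esac
        fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

mode_to_symbolic() {
    mode=$1; kind=${2:--}
    # Left-pad to four digits so that 755 is treated as 0755.
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    special=$(( ${mode%???} ))      # 4th digit: setuid 4, setgid 2, sticky 1
    rest=${mode#?}                  # the familiar three digits
    owner=$(( ${rest%??} ))
    mid=${rest#?}; group=$(( ${mid%?} ))
    other=$(( ${rest#??} ))
    suid=$(( (special & 4) != 0 ))
    sgid=$(( (special & 2) != 0 ))
    stky=$(( (special & 1) != 0 ))
    printf '%s%s%s%s\n' "$kind" \
        "$(triplet "$owner" s "$suid")" \
        "$(triplet "$group" s "$sgid")" \
        "$(triplet "$other" t "$stky")"
}

# Demonstration: the modes mentioned in the post.
for m in 644 755 4755; do printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m")"; done
for m in 2775 1777; do printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m" d)"; done
```

Note that 4644 decodes to `-rwSr--r--`: the setuid bit is recorded but the owner has no execute permission, so it has no effect, which is what the capital `S` signals.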

So, what kind of files exist in reality?

$ find /bin/ -perm +4000 -ls
 65361   40 -rwsr-xr-x   1 root     root        37312 Sep 27  2009 /bin/ping
 65414   28 -rwsr-xr-x   1 root     root        28336 Jul 22  2011 /bin/su
 65346   40 -rwsr-xr-x   1 root     root        40592 Mar 10  2011 /bin/umount
 65362   32 -rwsr-xr-x   1 root     root        32736 Sep 27  2009 /bin/ping6
 65478   64 -rwsr-xr-x   1 root     root        60432 Mar 10  2011 /bin/mount

On CentOS, these files in /bin/ run as root regardless of who executes them.

Use setgid when you want to inherit groups

At first glance setuid seems useful, but there are probably not many occasions when you intentionally want this. The one you are most likely to use is [setgid].

When several people update one site,

# groupadd web
# usermod -a -G web person-a
# usermod -a -G web person-b
# chgrp -R web /var/www/html/contents/
# chmod -R g+w /var/www/html/contents/

if you run the commands above, any file below contents/ can be edited by both [person-a] and [person-b], as members of group [web].

In the login shell,

umask 002

if you set the umask as above, newly created files will also be group-writable. What happens more often than you would expect, though, is forgetting to set the group of newly created files to [web], making it impossible for other people to update them!

In this case, by running

$ chmod g+s /var/www/html/contents/

or

$ chmod 2775 /var/www/html/contents/

every file and directory created below contents/ gets the group [web], the same as contents/ itself.
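The following is an added example, not part of the original post, that carries out the shared-directory setup described above and then checks the property it relies on: a sub-directory created inside a setgid directory inherits that directory's group and its setgid bit. To run without root it uses the caller's own primary group (`id -gn`) in place of [web]; the function names and the `newsub` probe directory are this example's own.

```shell
# Set up a group-shared directory (chgrp + chmod 2775) and verify that new
# sub-directories inherit the group and the setgid bit.
# Assumes ls, awk, id and mkdir; the group given must be one the caller is in.

# First column of "ls -ld", e.g. drwxrwsr-x (may carry a trailing . or + on
# systems with SELinux labels or ACLs).
perm_string() {
    ls -ld "$1" | awk '{ print $1 }'
}

# Fourth column of "ls -ld": the group name.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Prepare the shared directory the way the post describes.
setup_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"            # equivalent to: chmod g+ws "$dir"
}

# Return 0 if a fresh sub-directory under $1 inherits $1's group and has the
# setgid bit (an s or S in the group execute position), 1 otherwise.
check_inheritance() {
    parent=$1
    child=$parent/newsub
    mkdir "$child" || return 1
    parent_group=$(group_of "$parent")
    child_group=$(group_of "$child")
    child_perm=$(perm_string "$child")
    rmdir "$child"
    [ "$parent_group" = "$child_group" ] || return 1
    case "$child_perm" in
        ??????[sS]*) return 0 ;;   # 7th character is the group execute slot
        *)           return 1 ;;
    esac
}

# Demonstration on a throw-away directory using the caller's primary group.
demo_root=$(mktemp -d)
setup_shared_dir "$demo_root/contents" "$(id -gn)"
ls -ld "$demo_root/contents"
if check_inheritance "$demo_root/contents"; then
    echo "new sub-directories inherit group and setgid: OK"
else
    echo "inheritance not in effect"
fi
rm -rf "$demo_root"
```

Files created below the directory inherit only the group; the setgid bit itself is passed on to sub-directories, which is why one `chmod 2775` on contents/ is enough for a whole tree that is extended later. A `umask` of 002 is still needed for the new files to be group-writable; setgid only fixes the group, not the write bit.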

The slightly special sticky bit

And last of all, the sticky bit. This is probably the most special of the lot.

/tmp/ on Linux and similar systems is a place that anybody can write to. Its permissions look like 777, but they are not 0777; they are actually 1777.

$ ls -ld /tmp 
drwxrwxrwt 4 root root 4096 Feb  1 13:15 /tmp/

Usually, when you set permissions to 777 it shows as [drwxrwxrwx], but here it shows as [drwxrwxrwt].
This is the [sticky bit] state, and it has the following effect.

  • Anybody can create files under /tmp/.
  • If a file under /tmp/ has permissions 666, anybody can write to it.
  • Deleting or renaming a file under /tmp/ can only be done by the owner of the file, regardless of its permissions.

Setting the usual [777] lets anybody delete the files, but setting [1777] (chmod o+t) prevents people other than the file's owner from deleting files as they please.

And so that is my introduction to 4 digit permissions.
Thank you for taking your time to read my article.
