mirror/findutils
1
0
Fork 0
mirror of https://https.git.savannah.gnu.org/git/findutils.git synced 2026-01-26 15:39:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Updated prem.texi from coreutils

Browse Source
This commit is contained in:
James Youngman 2007-12-09 23:10:25 +00:00
parent 9023511d12
commit 0f60fe62f9
2 changed files with 71 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@ -1,5 +1,7 @@
2007-12-09 James Youngman <jay@gnu.org>
* doc/perm.texi: Updated from the upstream source.
* po/nl.po: Updated from the Translation Project.
2007-12-08 James Youngman <jay@gnu.org>

234
doc/perm.texi
View File

@ -1,32 +1,16 @@
@c File mode bits
@c Copyright (C) 1994, 1996, 1999, 2000, 2001, 2003, 2004, 2005, 2006
@c Free Software Foundation, Inc.
@c Permission is granted to copy, distribute and/or modify this document
@c under the terms of the GNU Free Documentation License, Version 1.2 or
@c any later version published by the Free Software Foundation; with no
@c Invariant Sections, with no Front-Cover Texts, and with no Back-Cover
@c Texts. A copy of the license is included in the ``GNU Free
@c Documentation License'' file as part of this distribution.
Each file has a set of @dfn{file mode bits} that control the kinds of
access that users have to that file. They can be represented either in
Each file has a set of @dfn{permissions} that control the kinds of
access that users have to that file. The permissions for a file are
also called its @dfn{access mode}. They can be represented either in
symbolic form or as an octal number.
@menu
* Mode Structure:: Structure of file mode bits.
* Symbolic Modes:: Mnemonic representation of file mode bits.
* Numeric Modes:: File mode bits as octal numbers.
* Directory Setuid and Setgid:: Set-user-ID and set-group-ID on directories.
* Mode Structure:: Structure of file permissions.
* Symbolic Modes:: Mnemonic permissions representation.
* Numeric Modes:: Permissions as octal numbers.
@end menu
@node Mode Structure
@section Structure of File Mode Bits
The file mode bits have two parts: the @dfn{file permission bits},
which control ordinary access to the file, and @dfn{special mode
bits}, which affect only some files.
@section Structure of File Permissions
There are three kinds of permissions that a user can have for a file:
@ -40,7 +24,7 @@ list the contents of the directory.
permission to write to (change) the file. For directories, this means
permission to create and remove files in the directory.
@item
@cindex execute/search permission
@cindex execute permission
permission to execute the file (run it as a program). For directories,
this means permission to access files in the directory.
@end enumerate
@ -66,66 +50,58 @@ file system the file is created on, and the way the file is created. You
can change the owner and group of a file by using the @command{chown} and
@command{chgrp} commands.
In addition to the three sets of three permissions listed above, the
file mode bits have three special components, which affect only
executable files (programs) and, on most systems, directories:
In addition to the three sets of three permissions listed above, a
file's permissions have three special components, which affect only
executable files (programs) and, on some systems, directories:
@enumerate
@item
@cindex set-user-ID
@cindex setuid
Set the process's effective user ID to that of the file upon execution
(called the @dfn{set-user-ID bit}, or sometimes the @dfn{setuid bit}).
For directories on a few systems, give files created in the directory
the same owner as the directory, no matter who creates them, and set
the set-user-ID bit of newly-created subdirectories.
(called the @dfn{setuid bit}). No effect on directories.
@item
@cindex set-group-ID
@cindex setgid
Set the process's effective group ID to that of the file upon execution
(called the @dfn{set-group-ID bit}, or sometimes the @dfn{setgid bit}).
For directories on most systems, give files created in the directory
the same group as the directory, no matter what group the user who
creates them is in, and set the set-group-ID bit of newly-created
subdirectories.
(called the @dfn{setgid bit}). For directories on some systems, put
files created in the directory into the same group as the directory, no
matter what group the user who creates them is in.
@item
@cindex sticky
@cindex swap space, saving text image in
@cindex text image, saving in swap space
@cindex restricted deletion flag
Prevent unprivileged users from removing or renaming a file in a directory
prevent users from removing or renaming a file in a directory
unless they own the file or the directory; this is called the
@dfn{restricted deletion flag} for the directory, and is commonly
found on world-writable directories like @file{/tmp}.
For regular files on some older systems, save the program's text image on the
@dfn{restricted deletion flag} for the directory.
For regular files on some systems, save the program's text image on the
swap device so it will load more quickly when run; this is called the
@dfn{sticky bit}.
@end enumerate
In addition to the file mode bits listed above, there may be file attributes
specific to the file system, e.g., access control lists (ACLs), whether a
file is compressed, whether a file can be modified (immutability), and whether
In addition to the permissions listed above, there may be file attributes
specific to the file system, e.g: access control lists (ACLs), whether a
file is compressed, whether a file can be modified (immutability), whether
a file can be dumped. These are usually set using programs
specific to the file system. For example:
@c should probably say a lot more about ACLs... someday
@table @asis
@item ext2
On @acronym{GNU} and @acronym{GNU}/Linux the file attributes specific to
On @acronym{GNU} and @acronym{GNU}/Linux the file permissions
(``attributes'') specific to
the ext2 file system are set using @command{chattr}.
@item FFS
On FreeBSD the file flags specific to the FFS
file system are set using @command{chflags}.
On FreeBSD the file permissions (``flags'') specific to the FFS
file system are set using @command{chrflags}.
@end table
Even if a file's mode bits allow an operation on that file,
Although a file's permission ``bits'' allow an operation on that file,
that operation may still fail, because:
@itemize
@item
the file-system-specific attributes or flags do not permit it; or
the file-system-specific permissions do not permit it;
@item
the file system is mounted as read-only.
@ -139,9 +115,9 @@ may have just run @code{chmod a+w FILE}.
@section Symbolic Modes
@cindex symbolic modes
@dfn{Symbolic modes} represent changes to files' mode bits as
@dfn{Symbolic modes} represent changes to files' permissions as
operations on single-character symbols. They allow you to modify either
all or selected parts of files' mode bits, optionally based on
all or selected parts of files' permissions, optionally based on
their previous values, and perhaps on the current @code{umask} as well
(@pxref{Umask and Protection}).
@ -161,7 +137,7 @@ symbolic modes.
@menu
* Setting Permissions:: Basic operations on permissions.
* Copying Permissions:: Copying existing permissions.
* Changing Special Mode Bits:: Special mode bits.
* Changing Special Permissions:: Special permissions.
* Conditional Executability:: Conditionally affecting executability.
* Multiple Changes:: Making multiple changes.
* Umask and Protection:: The effect of the umask.
@ -172,7 +148,7 @@ symbolic modes.
The basic symbolic operations on a file's permissions are adding,
removing, and setting the permission that certain users have to read,
write, and execute or search the file. These operations have the following
write, and execute the file. These operations have the following
format:
@example
@ -237,12 +213,11 @@ the permission the @var{users} have to read the file;
@cindex write permission, symbolic
the permission the @var{users} have to write to the file;
@item x
@cindex execute/search permission, symbolic
the permission the @var{users} have to execute the file,
or search it if it is a directory.
@cindex execute permission, symbolic
the permission the @var{users} have to execute the file.
@end table
For example, to give everyone permission to read and write a regular file,
For example, to give everyone permission to read and write a file,
but not to execute it, use:
@example
@ -300,42 +275,38 @@ it to mode 666 (@samp{rw-rw-rw-}). If the file had started out as mode
(@samp{rwxr--r-x}). The @samp{-} and @samp{=} operations work
analogously.
@node Changing Special Mode Bits
@subsection Changing Special Mode Bits
@node Changing Special Permissions
@subsection Changing Special Permissions
@cindex changing special mode bits
In addition to changing a file's read, write, and execute/search permissions,
you can change its special mode bits. @xref{Mode Structure}, for a
summary of these special mode bits.
@cindex changing special permissions
In addition to changing a file's read, write, and execute permissions,
you can change its special permissions. @xref{Mode Structure}, for a
summary of these permissions.
To change the file mode bits to set the user ID on execution, use
To change a file's permission to set the user ID on execution, use
@samp{u} in the @var{users} part of the symbolic mode and
@samp{s} in the @var{permissions} part.
To change the file mode bits to set the group ID on execution, use
To change a file's permission to set the group ID on execution, use
@samp{g} in the @var{users} part of the symbolic mode and
@samp{s} in the @var{permissions} part.
To set both user and group ID on execution, omit the @var{users} part
of the symbolic mode (or use @samp{a}) and use @samp{s} in the
@var{permissions} part.
To change the file mode bits to set the restricted deletion flag or sticky bit,
omit the @var{users} part of the symbolic mode (or use @samp{a}) and use
To change a file's permission to set the restricted deletion flag or sticky bit,
omit the @var{users} part of the symbolic mode (or use @samp{a}) and put
@samp{t} in the @var{permissions} part.
For example, to set the set-user-ID mode bit of a program,
For example, to add set-user-ID permission to a program,
you can use the mode:
@example
u+s
@end example
To remove both set-user-ID and set-group-ID mode bits from
To remove both set-user-ID and set-group-ID permission from
it, you can use the mode:
@example
a-s
ug-s
@end example
To set the restricted deletion flag or sticky bit, you can use
@ -349,8 +320,8 @@ The combination @samp{o+s} has no effect. On @acronym{GNU} systems
the combinations @samp{u+t} and @samp{g+t} have no effect, and
@samp{o+t} acts like plain @samp{+t}.
The @samp{=} operator is not very useful with special mode bits.
For example, the mode:
The @samp{=} operator is not very useful with special permissions; for
example, the mode:
@example
o=t
@ -358,18 +329,15 @@ o=t
@noindent
does set the restricted deletion flag or sticky bit, but it also
removes all read, write, and execute/search permissions that users not in the
removes all read, write, and execute permissions that users not in the
file's group might have had for it.
@xref{Directory Setuid and Setgid}, for additional rules concerning
set-user-ID and set-group-ID bits and directories.
@node Conditional Executability
@subsection Conditional Executability
@cindex conditional executability
There is one more special type of symbolic permission: if you use
@samp{X} instead of @samp{x}, execute/search permission is affected only if the
@samp{X} instead of @samp{x}, execute permission is affected only if the
file is a directory or already had execute permission.
For example, this mode:
@ -388,7 +356,7 @@ anyone could execute them before.
@cindex multiple changes to permissions
The format of symbolic modes is actually more complex than described
above (@pxref{Setting Permissions}). It provides two ways to make
multiple changes to files' mode bits.
multiple changes to files' permissions.
The first way is to specify multiple @var{operation} and
@var{permissions} parts after a @var{users} part in the symbolic mode.
@ -402,7 +370,7 @@ og+rX-w
@noindent
gives users other than the owner of the file read permission and, if
it is a directory or if someone already had execute permission
to it, gives them execute/search permission; and it also denies them write
to it, gives them execute permission; and it also denies them write
permission to the file. It does not affect the permission that the
owner of the file has for it. The above mode is equivalent to
the two modes:
@ -428,7 +396,7 @@ u=rwx,g=rx,o=
@end example
@noindent
sets all of the permission bits for the file explicitly. (It
sets all of the non-special permissions for the file explicitly. (It
gives users who are not in the file's group no permission at all for
it.)
@ -440,7 +408,7 @@ a+r,g+x-w
@noindent
gives all users permission to read the file, and gives users who are in
the file's group permission to execute/search it as well, but not permission
the file's group permission to execute it, as well, but not permission
to write to it. The above mode could be written in several different
ways; another is:
@ -489,116 +457,52 @@ the file to all users.
@section Numeric Modes
@cindex numeric modes
@cindex file mode bits, numeric
@cindex file permissions, numeric
@cindex octal numbers for file modes
As an
alternative to giving a symbolic mode, you can give an octal (base 8)
number that represents the mode.
number that represents the new mode.
This number is always interpreted in octal; you do not have to add a
leading @samp{0}, as you do in C. Mode @samp{0055} is the same as
mode @samp{55}.
leading 0, as you do in C. Mode 0055 is the same as mode 55.
A numeric mode is usually shorter than the corresponding symbolic
mode, but it is limited in that normally it cannot take into account the
previous file mode bits; it can only set them absolutely.
(As discussed in the next section, the set-user-ID and set-group-ID
bits of directories are an exception to this general limitation.)
mode, but it is limited in that it cannot take into account a file's
previous permissions; it can only set them absolutely.
The permissions granted to the user,
to other users in the file's group,
and to other users not in the file's group each require three
bits, which are represented as one octal digit. The three special
mode bits also require one bit each, and they are as a group
permissions also require one bit each, and they are as a group
represented as another octal digit. Here is how the bits are arranged,
starting with the lowest valued bit:
@example
Value in Corresponding
Mode Mode Bit
Mode Permission
Other users not in the file's group:
1 Execute/search
1 Execute
2 Write
4 Read
Other users in the file's group:
10 Execute/search
10 Execute
20 Write
40 Read
The file's owner:
100 Execute/search
100 Execute
200 Write
400 Read
Special mode bits:
Special permissions:
1000 Restricted deletion flag or sticky bit
2000 Set group ID on execution
4000 Set user ID on execution
@end example
For example, numeric mode @samp{4755} corresponds to symbolic mode
@samp{u=rwxs,go=rx}, and numeric mode @samp{664} corresponds to symbolic mode
@samp{ug=rw,o=r}. Numeric mode @samp{0} corresponds to symbolic mode
For example, numeric mode 4755 corresponds to symbolic mode
@samp{u=rwxs,go=rx}, and numeric mode 664 corresponds to symbolic mode
@samp{ug=rw,o=r}. Numeric mode 0 corresponds to symbolic mode
@samp{a=}.
@node Directory Setuid and Setgid
@section Directories and the Set-User-ID and Set-Group-ID Bits
On most systems, if a directory's set-group-ID bit is set, newly
created subfiles inherit the same group as the directory, and newly
created subdirectories inherit the set-group-ID bit of the parent
directory. On a few systems, a directory's set-user-ID bit has a
similar effect on the ownership of new subfiles and the set-user-ID
bits of new subdirectories. These mechanisms let users share files
more easily, by lessening the need to use @command{chmod} or
@command{chown} to share new files.
These convenience mechanisms rely on the set-user-ID and set-group-ID
bits of directories. If commands like @command{chmod} and
@command{mkdir} routinely cleared these bits on directories, the
mechanisms would be less convenient and it would be harder to share
files. Therefore, a command like @command{chmod} does not affect the
set-user-ID or set-group-ID bits of a directory unless the user
specifically mentions them in a symbolic mode, or sets them in
a numeric mode. For example, on systems that support
set-group-ID inheritance:
@example
# These commands leave the set-user-ID and
# set-group-ID bits of the subdirectories alone,
# so that they retain their default values.
mkdir A B C
chmod 755 A
chmod 0755 B
chmod u=rwx,go=rx C
mkdir -m 755 D
mkdir -m 0755 E
mkdir -m u=rwx,go=rx F
@end example
If you want to try to set these bits, you must mention them
explicitly in the symbolic or numeric modes, e.g.:
@example
# These commands try to set the set-user-ID
# and set-group-ID bits of the subdirectories.
mkdir G H
chmod 6755 G
chmod u=rwx,go=rx,a+s H
mkdir -m 6755 I
mkdir -m u=rwx,go=rx,a+s J
@end example
If you want to try to clear these bits, you must mention them
explicitly in a symbolic mode, e.g.:
@example
# This command tries to clear the set-user-ID
# and set-group-ID bits of the directory D.
chmod a-s D
@end example
This behavior is a @acronym{GNU} extension. Portable scripts should
not rely on requests to set or clear these bits on directories, as
@acronym{POSIX} allows implementations to ignore these requests.