
File and Directory Permissions

For a recommended review of file permissions, directory permissions, and how to change them, see File and Directory Permissions, Determining Permission and Changing Permission.

Also by way of review, chgrp and chown are used to change the group and the owner connected to a file or directory:

chgrp (name of new group) (name of file or directory)
chown (name of new owner) (name of file or directory)

It is also worth noting that the basic r, w, and x permissions have slightly different meanings for directories than they do for files. If a directory is readable, a user can look into it and see what files are there. Write permission allows a user to add, delete or rename files in the directory. Directories cannot be executed in the same way that files can. Execute permission for a directory is also referred to as search permission, because it controls the ability to cd through the directory structure. Any directory that contains material intended for publication on the World Wide Web must be searchable and readable by world in order for the information to reach the Web.

There are additional permissions that can occupy the spot normally kept for the execute bit. These are the set group or user ID bit (s), the sticky bit (t), and X. These permissions can be applied to directories or files. The sticky, SUID, or SGID bits are set the same way other file and directory permissions are set. Only root is permitted to turn the sticky bit on or off. In addition, the sticky bit applies to anyone who accesses the file. The syntax for setting the sticky bit on the /tmp directory is as follows:

chmod +t /tmp

So the output of ls -l will look either like this,

drwxrwxrwt 5 sys sys 543 May 29 09:41 tmp

or like this.

drwxrwxrwT 5 sys sys 543 May 29 09:41 tmp

On some systems the sticky bit is listed in the file permissions as an upper case T. In either case it can be set using chmod +t.

As the SUID and SGID bit are both represented with an s, how the bit is used depends on who it is set for.

chmod u+s somestuff

This sets the SUID bit on the file somestuff. So the output of ls -l for the file will look like:

-rwsr--r-- 1 trsmith user 1178 Feb 29 15:17 somestuff

But entering:

chmod g+s somestuff

will set the SGID bit on the file somestuff, and the output of ls -l for the file will look like:

-rwxr-sr-- 1 trsmith user 1178 Feb 29 15:17 somestuff

The set group or user ID bit (s) makes a program run with the permissions of the file's owner (or group) rather than those of the user who runs it. Say user Zelda has a program named Ick. In order to run, Ick needs access to some data in the file Belch. This file is owned by Zelda and has no world permissions. Another user, Bufford, wants to execute Ick. Bufford and Zelda don't belong to any of the same groups. Bufford can't run Ick because he doesn't have permission to access Belch. Zelda doesn't want to make Belch world readable. If the set user ID bit is turned on for Ick, then Ick runs with Zelda's permissions, including her access to Belch as its owner. This means that Bufford can run Ick, because Ick will have access to the data in Belch that it needs. Bufford, however, cannot read or write Belch directly. He has access to it only through Ick.
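The following shell script is an added example, not part of the EdCert page. It applies chmod u+s and chmod g+s to a scratch file the way the text does for somestuff, reads the resulting mode field back from ls -l, and then lists every regular file under a directory that carries either bit, which is the routine audit an administrator runs to spot set-id programs that should not be there. It assumes a Linux or BSD system with the usual ls, find, awk and mktemp; the function names and the 754 baseline mode are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the EdCert page): set the SUID and SGID bits on a
# scratch file, read them back with ls -l, and audit a tree for set-id files.

# mode_of PATH -> the ten-character mode field of ls -l, e.g. -rwsr--r--
# (substr drops a trailing "." or "@" that ls adds on SELinux or macOS).
mode_of() {
    ls -ld "$1" | awk '{print substr($1, 1, 10)}'
}

# make_setid_file WHICH -> create a scratch file, apply u+s, g+s or both,
# and print its path.  The baseline rwxr-xr-- (754) keeps the execute bits,
# so ls shows a lower-case s; without execute underneath, ls would show S.
make_setid_file() {
    f=$(mktemp)                     # owned by the current user and group
    chmod 754 "$f"
    case "$1" in
        suid) chmod u+s "$f" ;;     # same command as the text's example
        sgid) chmod g+s "$f" ;;
        both) chmod u+s,g+s "$f" ;;
    esac
    printf '%s\n' "$f"
}

# list_setid DIR -> every regular file under DIR with SUID (4000) or SGID
# (2000) set.  Run against / this is the classic check for privileged
# programs that were not installed deliberately.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Stand-alone demonstration when the script is run directly.
suid=$(make_setid_file suid)
sgid=$(make_setid_file sgid)
echo "u+s gives: $(mode_of "$suid")"     # -rwsr-xr--
echo "g+s gives: $(mode_of "$sgid")"     # -rwxr-sr--
rm -f "$suid" "$sgid"
```

The s appears in the owner column for SUID and in the group column for SGID, exactly where the execute bit would otherwise be shown, which is why ls needs the upper-case S to say "bit set, but no execute permission underneath".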

When the sticky bit (t) is turned on for a directory, users can have read and/or write permissions for that directory, but they can only remove or rename files that they own. The sticky bit on a file tells the operating system that the file will be executed frequently. Files like this are kept in swap space even when they aren't being executed. Although this takes up swap space, it greatly reduces the time it takes to execute the program. Programs such as vi have the sticky bit turned on by default.
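The following shell script is an added example, not part of the EdCert page; it covers both the chmod +t and ls -l discussion of /tmp above and the directory semantics described in this paragraph. It sets the sticky bit on a scratch directory with the same chmod +t command the text uses, shows why ls prints a lower-case t in one case and an upper-case T in the other (T means the sticky bit is set but the others' execute, i.e. search, bit underneath it is not), and finally finds world-writable directories that lack the bit, which is the condition a defender looks for, since in such a directory any user can delete or rename any other user's files. It assumes a Linux or BSD system with the usual ls, find, awk and mktemp, where the owner of a directory may set the sticky bit on it without being root; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the EdCert page): sticky bit on a directory, the
# t/T display convention of ls, and an audit for world-writable directories
# that are missing the bit.

# mode_of PATH -> the ten-character mode field of ls -ld, e.g. drwxrwxrwt
# (substr drops a trailing "." or "@" that ls adds on SELinux or macOS).
mode_of() {
    ls -ld "$1" | awk '{print substr($1, 1, 10)}'
}

# make_sticky_dir KIND -> a scratch directory with the sticky bit set, path
# printed.  KIND "world" keeps rwx for everyone, so ls shows t (as for /tmp);
# KIND "noexec" removes the others' execute bit first, so ls shows T: the
# sticky bit is set but others cannot search the directory.
make_sticky_dir() {
    d=$(mktemp -d)                  # owned by the current user
    chmod 777 "$d"
    if [ "$1" = "noexec" ]; then
        chmod o-x "$d"
    fi
    chmod +t "$d"                   # same command the text uses for /tmp
    printf '%s\n' "$d"
}

# world_writable_without_sticky DIR -> directories under DIR that anyone may
# write to (0002) but that do not have the sticky bit (1000).  In such a
# directory every user can remove or rename every other user's files.
world_writable_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

# Stand-alone demonstration when the script is run directly.
a=$(make_sticky_dir world)
b=$(make_sticky_dir noexec)
echo "sticky, others may search:    $(mode_of "$a")"   # drwxrwxrwt
echo "sticky, others may not search: $(mode_of "$b")"  # drwxrwxrwT
rm -rf "$a" "$b"
```

Running world_writable_without_sticky against / is the usual way to confirm that shared scratch areas such as /tmp and /var/tmp still carry the bit; a directory that shows up in its output deserves either chmod +t or a tighter mode.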

X is used to reverse the status of the execute bit. The same effect can be achieved by simply removing the execute bit. The advantage of X is that it can be used to change the status of a file without knowing what the current status is. This can be useful for such things as editing a file that contains a shell script, where X can prevent anyone from executing the script while it is being edited.
