NAME
chmod - change file access permissions
SYNOPSIS
chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
chmod [OPTION]... --reference=RFILE FILE...
DESCRIPTION
This manual page documents the GNU version of chmod. chmod changes the permissions of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new permissions.
The format of a symbolic mode is `[ugoa...][[+-=][rwxXstugo...]...][,...]'. Multiple symbolic operations can be given, separated by commas.
A combination of the letters `ugoa' controls which users' access to the file will be changed: the user who owns it (u), other users in the file's group (g), other users not in the file's group (o), or all users (a). If none of these are given, the effect is as if `a' were given, but bits that are set in the umask are not affected.
The operator `+' causes the permissions selected to be added to the existing permissions of each file; `-' causes them to be removed; and `=' causes them to be the only permissions that the file has.
The letters `rwxXstugo' select the new permissions for the affected users: read (r), write (w), execute (or access for directories) (x), execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), sticky (t), the permissions granted to the user who owns the file (u), the permissions granted to other users who are members of the file's group (g), and the permissions granted to users that are in neither of the two preceding categories (o).
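When the SUID, SGID, or sticky bit is displayed as an uppercase S or T, the file does not have execute permission.
chmod u+s filename → sets SUID (u: user)
chmod g-s filename → clears SGID
chmod o-t filename → clears the sticky bit
SUID and SGID are permission settings granted when non-root users need to temporarily use root's privileges to run a program.
1. The absolute (octal) value of SUID is 4000. Letting an ordinary user execute a file with its owner's privileges is a security risk, so it must be used with care.
2. The absolute (octal) value of SGID is 2000. It lets an ordinary user execute a file with the privileges of its owning group. When applied to a file, it is as if a member of another group runs the file with the owning group's privileges.
3. The sticky bit is applied to directories that every user can write to, so that files in the directory cannot be deleted arbitrarily; only the owner has the right to delete or change them. On Linux, /tmp is the typical directory with the sticky bit set.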
http://blog.naver.com/bsyoo7975/80049013210
* Directory permissions take precedence over file permissions.
A numeric mode is from one to four octal digits (0-7), derived by adding up the bits with values 4, 2, and 1. Any omitted digits are assumed to be leading zeros. The first digit selects the set user ID (4) and set group ID (2) and sticky (1) attributes. The second digit selects permissions for the user who owns the file: read (4), write (2), and execute (1); the third selects permissions for other users in the file's group, with the same values; and the fourth for other users not in the file's group, with the same values.
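The special-bit values above (4000 set user ID, 2000 set group ID, 1000 sticky) can be audited with find. This is an added example, not part of the man page or the original post; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for the special mode bits.
# All function names and the sample tree below are constructed.

# Regular files carrying set-user-ID (4000) or set-group-ID (2000).
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Set-user-ID files without owner execute (shown as "S" in ls -l):
# the bit has no effect there and usually indicates a chmod mistake.
find_setuid_noexec() {
    find "$1" -xdev -type f -perm -4000 ! -perm -0100 -print | sort
}

# World-writable directories missing the sticky bit (1000): anyone who
# can write there can unlink or rename files owned by other users.
find_unsticky_ww() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | sort
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/drop"
    : > "$d/helper"; : > "$d/broken"; : > "$d/plain"
    chmod 4755 "$d/helper"   # rwsr-xr-x  setuid and executable
    chmod 4644 "$d/broken"   # rwSr--r--  setuid without execute
    chmod 0644 "$d/plain"    # rw-r--r--  no special bits
    chmod 1777 "$d/shared"   # rwxrwxrwt  world-writable, sticky (like /tmp)
    chmod 0777 "$d/drop"     # rwxrwxrwx  world-writable, no sticky
    printf '%s\n' "$d"
}
```

Run the three find functions against a real path (for example /usr or a shared upload directory) and compare the output with a known-good baseline.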
chmod never changes the permissions of symbolic links; the chmod system call cannot change their permissions. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file. In contrast, chmod ignores symbolic links encountered during recursive directory traversals.
STICKY FILES
On older Unix systems, the sticky bit caused executable files to be hoarded in swap space. This feature is not useful on modern VM systems, and the Linux kernel ignores the sticky bit on files. Other kernels may use the sticky bit on files for system-defined purposes. On some systems, only the superuser can set the sticky bit on files.
STICKY DIRECTORIES
When the sticky bit is set on a directory, files in that directory may be unlinked or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.
OPTIONS
Change the mode of each FILE to MODE.
-c, --changes
    like verbose but report only when a change is made
-f, --silent, --quiet
    suppress most error messages
-v, --verbose
    output a diagnostic for every file processed
--reference=RFILE
    use RFILE's mode instead of MODE values
-R, --recursive
    change files and directories recursively
--help
    display this help and exit
--version
    output version information and exit
Each MODE is one or more of the letters ugoa, one of the symbols +-= and one or more of the letters rwxXstugo.
SEE ALSO
The full documentation for chmod is maintained as a Texinfo manual. If the info and chmod programs are properly installed at your site, the command
    info chmod
should give you access to the complete manual.