666: The Devil's Read/Write Permission

by Erica Sadun

Terminal's command line makes it simple to set permissions for any of your OS X files. Permissions specify access control--who may read, write or execute your files. The chmod command takes two or more arguments, the first is a multi-digit number that specifies your control choices, the rest is a list of files affected by this change.



The multi-digit number is created by summing up the permissions you'd like to apply. Quoting from the OS X manual pages, these numbers are as follows:



4000: (the set-user-ID-on-execution bit) Executable files with this bit set will run with effective uid set to the uid of the file owner. Directories with the set-user-id bit set will force all files and sub-directories created in them to be owned by the directory owner and not by the uid of the creating process, if the underlying file system supports this feature: see chmod(2) and mount(8).

2000: (the set-group-ID-on-execution bit) Executable files with this bit set will run with effective gid set to the gid of the file owner.

1000: (the sticky bit) See chmod(2) and sticky(8).

0400: Allow read by owner.

0200: Allow write by owner.

0100: For files, allow execution by owner. For directories, allow the owner to search in the directory.

0040: Allow read by group members.

0020: Allow write by group members.

0010: For files, allow execution by group members. For directories, allow group members to search in the directory.

0004: Allow read by others.

0002: Allow write by others.

0001: For files, allow execution by others. For directories allow others to search in the directory.


So, to set a file's permissions to universal read, universal write you must sum up the read attributes and the write attributes for owner, group members and others: 0400 + 0200 + 0040 + 0020 + 0004 + 0002, which equals 0666 or more simply 666:



% touch bar
% chmod 666 bar
% ls -l bar
-rw-rw-rw- 1 ericasad ericasad 0 Jun 6 08:03 bar

16 Comments

Sherm
2006-06-06 12:46:48
That's too much like work. If you want to give write access to a group, you have to first get the current permissions, apply the new permissions mask, and then run chmod. I prefer to use the "symbolic mode" instead, just "chmod g+w foo.txt" to do the same thing. No math, no pain - but I'm repeating myself now.
Ryan Bates
2006-06-06 17:46:19
For those who didn't notice, the date is also 6/6/06. ;)
steve
2006-06-07 02:26:29
As a professional sysadmin, I don't agree with using symbolic mode. You set the permissions to what they should be... you don't modify them from what they might be.
Erica Sadun
2006-06-07 09:58:01
Steve: Excellent point.
sjk
2006-06-07 18:30:32
I'm not convinced Steve's point is excellent, at least not without clarification.


With ~30 years of Unix experience, I know it's not always possible to accurately determine what file permissions "should" be. I sure can't provide that information about every single file on my own OS X systems even though I thoroughly understand permissions. Sometimes it's just a best guess with prior permissions, file type/content, and context as a guide. The near-half-century-old Unix permissions scheme wasn't designed for managing the larger numbers of files on todays filesystems. It doesn't scale.


Relative and absolute file permission changes are both valid, regardless of whether or not symbolic mode is used. Making only absolute numeric permission changes is unnecessarily restrictive and can produce undesirable results by toggling bit states that should be preserved (e.g. by naively running "chmod -R 777 ..." commands).

Sherm
2006-06-09 09:16:44
Not so excellent at all. Steve suggests that symbolic mode is used to "modify [permissions] from what they might be", but that's absurd. Determining the changes that are needed is an entirely separate question from deciding how to make those changes. If I didn't know what the current perms are, what they should be, and why they need to be changed, I'd be a fool to change them at all, regardless of the tool I used to make the change.


Similarly, once you've done your research and arrived at the conclusion that "/etc/foo needs to be group writable, but it's not", the *only* question left is how to make that change. Do you want to do the math yourself, or use g+w and let chmod handle the math? To put it another way, do you want to introduce *two* opportunities for error (typos & mathos) with numeric mode, or just *one* opportunity for a typo with symbolic mode?

Erica Sadun
2006-06-09 09:21:11
Sherm, with all due respect, I think you overestimate the difficulty of the math. It becomes pretty repetitive over time. I know the patterns I want and I find it easier just to use 'em directly.
Sherm
2006-06-09 12:48:32
Erica, I said that numeric mode introduces an additional opportunity for math errors, which symbolic mode avoids by eliminating the math. How is "not zero > zero" an overestimation? And how does the fact that *you* or *I* can do octal math while asleep have any relevance to the readers in the audience who are not similarly gifted?
Grant
2006-06-09 15:32:51
I'm starting to see any interesting pattern with Erica's posts. It goes like this:


* Erica posts to the blog
* 0 or more people agree with her
* 1 or more people disagree with her and give an alternative (and/or superior) solution
* Erica defends blog post without really acknowledging the weaknesses found therein.


Nothin' but love, Erica. :)

Erica Sadun
2006-06-09 16:15:44
Grant, it is permissible and appropriate to disagree politely in a public forum. When technical arguments turn into ad hominem attacks, I will remove myself from the conversation. This is what happened during our previous discussion, and this is what I will do now. I look forward to your future on-topic responses and thank you in advance for your technical insights.
sjk
2006-06-09 17:44:52
Determining the changes that are needed is an entirely separate question from deciding how to make those changes.


That was my objection to Steve's comment, expressed more clearly and succinctly.


2006-06-12 09:26:06
Dumb reason for not using symbolic mode. You can set them perfectly well with chmod u=rw,g=rw,o=r if you want.


Also important to point out that those are octal numbers.

Grant
2006-06-12 14:40:34
Grant, it is permissible and appropriate to disagree politely in a public forum. When technical arguments turn into ad hominem attacks, I will remove myself from the conversation. This is what happened during our previous discussion, and this is what I will do now. I look forward to your future on-topic responses and thank you in advance for your technical insights.


1) What I posted was not an attack, merely an observation. And a somewhat humourous one, at that. Notice the use of the smiley face at the end.


2) In our previous discussion, I did not attack you, merely your idea that you stubbornly clung to despite numerous responses to the contrary. I was very direct, and attacked many of the points with which you chose to defend your idea, but I did not attack you or your character or anything else that I could see as a valid type of "ad hominem" attack. Ironically, accusing someone else of an "ad hominem" attack can itself be an "ad hominem" attack.

Grant
2006-06-12 14:53:13
As far as the comments that have been made, both styles of chmod have their place.


If I know the exact permissions that I want a file to have, I would use the "numeric" mode


Otherwise, I would use the symbolic mode, as it makes it very easy to "add" permissions that are needed or "remove" permissions that are not needed. Numeric mode can sometimes have un-inteded consequences. But, to each his/her own, I suppose.

Grant
2006-06-12 14:57:49
Also, since we are throwing fun "logical fallacy" terms around, Steve's argument is basically an "appeal to authority" argument. Read about it at Wikipedia. Of course, sending you to Wikipedia is, in and of itself, an "appeal to authority". Perhaps we should get off the logical merry-go-round. :)
Erica Sadun
2006-06-15 10:21:09
To be clear, I regularly use both modes. I use symbolic for when I'm doing batch changes and I use numeric on file-by-file bases.