'chmod g+s' command
Hello, I want to understand the role of the `chmod g+s` command in Unix.
I also would like to know what it does in this particular context:
cd /home/canard; touch un; chgrp canard .; chmod g+s .; touch deux ;
I understand all the commands' roles except for `chmod g+s`, and I want to know the differences between the files `un` and `deux` resulting from this series of commands.
chmod g+s .;
This command sets the group ID (setgid) on the current directory, written as
This means that all new files and subdirectories created within the current directory inherit the group ID of the directory, rather than the primary group ID of the user who created the file. This will also be passed on to new subdirectories created in the current directory.
`g+s` affects the file's group ID but does not affect the owner ID.
Note that this applies only to newly-created files. Files that are moved (`mv`) into the directory are unaffected by the setgid setting. Files that are copied with `cp -p` are also unaffected.
touch un; chgrp canard .; chmod g+s .; touch deux ;
In this case, `deux` will belong to group `canard` but `un` will belong to the group of the user creating it, whatever that is.
Minor Note on the Use of Semicolons in Shell Commands
perl, a shell command only needs to be followed by a semicolon if there is another shell command following it on the same command line. Thus, consider the following command line:
chgrp canard .; chmod g+s .;
The final semicolon is superfluous and can be removed:
chgrp canard .; chmod g+s .
Further, if we were to place the two commands on separate lines, then the remaining semicolon is unneeded:
chgrp canard .
chmod g+s .
Files that are copied (e.g. by `cp`) are in fact newly created. If they don't inherit the group permission, the copying program is playing games, like copying to a temporary file and then moving it to the target directory.
@Kaz Good point. I updated the answer to clarify that it is `cp -p` that overrides the setgid setting.
But does `cp -p` override the setgid setting? On every single Unix implementation in existence? POSIX says that it is unspecified whether a failure to copy the user ID or group ID under cp -p results in a diagnostic message! However, the S_SUID and S_SGID bits, respectively, are required to be cleared in that situation (i.e. if a file is setuid bob, but bob's ownership can't be copied so that the file is owned by janet, don't make it setuid janet.)
_"does `cp -p` override the setgid setting?"_ According to the POSIX spec, that is what it is supposed to do. It does so on all the Unix systems that I have used. You have quoted the part of the spec regarding what to do to protect security in the case when the group ID __cannot__ be duplicated. I have never run into such a "cannot" situation, have you?
You can change file permissions with the chmod command. In Unix, file permissions, which establish who may have different types of access to a file, are specified by both access classes and access types. Access classes are groups of users, and each may be assigned specific access types.
Unix/Linux has users and user groups that can be assigned for file access.
The options g+s are as follows:
g - the permissions that other users in the file's group have for it
s - set user or group ID on execution
Here is a sample usage:
chmod =rwx,g+s filename
(allow everyone to read, write, and execute a particular file and turn on the set group-ID)
To set/modify a file's permissions you need to use the chmod program. Of course, only the owner of a file may use chmod to alter a file's permissions. chmod has the following syntax:
chmod [options] mode file(s)
The 'mode' part specifies the new permissions for the file(s) that follow as arguments. A mode specifies which user's permissions should be changed, and afterwards which access types should be changed. Let's say for example:
chmod a-x socktest.pl
This means that the execute bit should be cleared (-) for all users. (owner, group and the rest of the world) The permissions start with a letter specifying what users should be affected by the change, this might be any of the following:
u the owner user
g the owner group
o others (neither u, nor g)
a all users
This is followed by a change instruction which consists of a +(set bit) or -(clear bit) and the letter corresponding to the bit that should be changed. Let's see some examples:
$ ls -l socktest.pl
-rwxr-xr-x 1 nick users 1874 Jan 19 10:23 socktest.pl*
$ chmod a-x socktest.pl
$ ls -l socktest.pl
-rw-r--r-- 1 nick users 1874 Jan 19 10:23 socktest.pl
$ chmod g+w socktest.pl
$ ls -l socktest.pl
-rw-rw-r-- 1 nick users 1874 Jan 19 10:23 socktest.pl
$ chmod ug+x socktest.pl
$ ls -l socktest.pl
-rwxrwxr-- 1 nick users 1874 Jan 19 10:23 socktest.pl*
$ chmod ug-wx socktest.pl
$ ls -l socktest.pl
-r--r--r-- 1 nick users 1874 Jan 19 10:23 socktest.pl
Strange numbers... You might have encountered things like chmod 755 somefile and of course you will be wondering what this is. The thing is, that you can change the entire permission pattern of a file in one go using one number like the one in this example. Every mode has a corresponding code number, and as we shall see there is a very simple way to figure out what number corresponds to any mode. Every one of the three digits on the mode number corresponds to one of the three permission triplets. (u, g and o) Every permission bit in a triplet corresponds to a value: 4 for r, 2 for w, 1 for x. If the permission bit is set, you add this value to the number of the permission triplet. If it is cleared, then you add nothing. (Some of you might notice that in fact, the number for a triplet is the octal value corresponding to the three-bit pattern - if you don't know what an octal value is, it doesn't really matter, just follow the instructions) So if a file has rwxr-xr-x permissions we do the following calculation:
Triplet for u: rwx => 4 + 2 + 1 = 7
Triplet for g: r-x => 4 + 0 + 1 = 5
Triplet for o: r-x => 4 + 0 + 1 = 5
Which makes: 755
So, 755 is a terse way to say 'I don't mind if other people read or run this file, but only I should be able to modify it' and 777 means 'everyone has full access to this file'
The result of the ls command will depend on umask.
g+s will set sgid to the file. Check here for more deep information about SUID SGID
so if your umask for example is 022 the result will be something like:
-rw-r--r-- 1 romeo canard 0 Jan 31 20:58 deux
-rw-r-Sr-- 1 romeo UsersGrp 0 Jan 31 20:58 un
In Linux, one of the default mount options for ext? fs is 'nogrpid | sysvgroups'. So the first touch un creates a file with group id equal to the fsgid of the creating process, where fsgid = egid.
chmod g+s ., makes subsequent file/dir creation inherit group id from the parent folder and if the created thing is a dir it too gets g+s set as its parent.
Here touch deux, creates deux, with group canard.
The semantics change if the mount option was 'grpid | bsdgroups'; in that case, new file / dir creation would inherit the group id from its parent folder even without setting g+s for the parent itself.
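
Added example (not part of any answer above): the question's command sequence replayed in a scratch directory, extended with a subdirectory, `mv`, `cp` and `cp -p` to show which results take the directory's group. The helper names (`gid_of`, `has_setgid`, `pick_group`, `setgid_demo`, `report`) and the `canard` scratch subdirectory are assumptions of this example; the outcomes noted in the comments are for Linux with the default 'nogrpid | sysvgroups' behaviour.

```shell
#!/bin/sh
# Added example: everything happens inside a scratch directory from mktemp.

gid_of() { ls -ldn "$1" | awk '{print $4}'; }   # numeric group ID of a path

has_setgid() {                                   # 7th mode character is s or S
    case $(ls -ld "$1") in ??????[sS]*) return 0 ;; *) return 1 ;; esac
}

pick_group() {   # a supplementary group if the user has one, else the primary
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    echo "$primary"
}

setgid_demo() {  # replays the question's sequence; prints the scratch path
    base=$(mktemp -d) || return 1
    d="$base/canard"                   # stands in for /home/canard
    mkdir "$d"
    touch "$d/un"                      # created before the bit is set
    touch "$base/moved" "$base/src"    # created outside the directory
    chgrp "$(pick_group)" "$d"
    chmod g+s "$d"
    touch "$d/deux"                    # created after: takes the directory's group
    mkdir "$d/sub"                     # takes the group and the setgid bit
    mv "$base/moved" "$d/moved"        # rename: group unchanged
    cp "$base/src" "$d/copied"         # new file: takes the directory's group
    cp -p "$base/src" "$d/preserved"   # -p restores the source file's group
    echo "$base"
}

report() {       # one line per path: numeric gid and whether setgid is set
    for f in . un deux sub moved copied preserved; do
        if has_setgid "$1/canard/$f"; then bit=yes; else bit=no; fi
        printf '%-10s gid=%-6s setgid=%s\n' "$f" "$(gid_of "$1/canard/$f")" "$bit"
    done
}

scratch=$(setgid_demo) && { report "$scratch"; rm -rf "$scratch"; }
```

If the account belongs to only one group, every gid printed is the same and only the setgid column differs between entries.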