[Big Mac]

Hey guys, due to the heightened focus on security, I am no longer running as an administrator on my Macs. Now, instead of logging out of my primary account and logging into my admin account for something like an application move, I'm logging in through terminal and doing what I need to from there. The problem is that I'm a CHMOD newb. I would like to:

A. Be able to change the permissions for a folder so that they match another folder (without resorting to using the Finder), and I would like CHMOD to operate recursively on the contents;

B. Learn CHMOD octals.

[Juggle5]

Well, I'll explain the octal deal. Once you have that, the chmod man page has lots of examples at the end that should help out.

If you type "ls -l" on the command line, you see files/directories with all their permissions listed (the first column):

lrwxr-x--- 1 jcross staff 20 7 Aug 2004 join_mpeg@ -> /usr/local/bin/mpgtx
-rwxr-x--x 1 jcross staff 275 5 Nov 2001 myls*
-rwxr-x--x 1 jcross staff 1250 6 Nov 2001 travesty*
drwxr-xr-x 12 jcross staff 408 23 Nov 2003 xv-3.10a-bin/

the first character tells if the item is a file (-), a directory (d), or a symbolic link (l). The next 9 characters give the permissions. They are grouped in three triplets, each something like "rwx". The first (leftmost) group is for the owner of the file (jcross in this case), the second for the group (staff), and the last for "others"--everyone else. Note that files actually have another triplet of permissions, but it's not displayed by ls and you don't usually have to worry about them.

Now within each triplet: if an r is there, the file is readable; if there's a dash instead, then the file is not. Similarly, the w or - indicates if a file is writable, and the x or - indicates if the file may be executed. (If a directory isn't "executable" then you can't go in the directory and see the contents of it).

Thus for example, rwxr-x--x means that I can read, modify and execute the file, others in the same group as me can examine it and run it, and everyone else can only run it.

Now, you can represent these strings just as binary numbers. Put a 1 where there's a letter and a 0 where there's a dash. So the above example is 111101001. If you convert this to base 8, you get a three digit octal string 751. Converting binary to octal is really easy: read the digits in groups of three (padding with extra zeros on the left if necessary so the number of digits is a multiple of 3) and use the following table:

binary <--> octal
000 0
001 1
010 2
011 3
100 4
101 5
110 6
111 7

For example, 001 110 101 011 100 (binary) is 16534 (octal).

For the chmod command, one way you may specify the permissions via such an octal string. For example, if you want a file to be readable and writable by me and nobody else, you can do "chmod 600 file", as 600 corresponds to 110 000 000, or rw- --- ---.

When modifying lots of files at the same time, as in your case, you probably want to modify some permissions of a file without modifying others. Here, you avoid the octal numbers altogether. In this case, you do can commands like "chmod o-rw *" which removes reading and writing privileges to others, without modifying any other permissions, for everything in the current directory.

Again, check out the chmod man page "man chmod" for a more thorough explanation and lots of examples. It should be intelligible by now.

To recursively go through directories, you want the "find" command. This command is definitely a little tricky to get the hang of, but you can do very powerful things with it. I'm tired and going to bed now, so anyone else want to volunteer to explain it?

[Gavin]

Wow, good intro

I just use chmod's -R flag for recursive changes
cd /blah/blah
chmod -R 755 *

I don't bother with "find" unless I only want to apply the changes to specific types of files - like change permissions on just mp3 files. (find can do patten matching)

[Big Mac]

Thank you for that great explanation, Juggle5. It's still a bit confusing, but I'm going to read through it a few times and then ask follow-up questions as necessary.

[Chuckit]

Easier to remember is this:

1=execute
2=write
4=read

Add the permissions you want together to get a digit. For instance, read+execute is 4+1 = 5.

There are three slots for the digits, giving different permissions for different types of users. The first slot is the file's owner. The second is the file's group. The last is the whole world. So chmod 640 myfile sets myfile to be readable and writable by its owner, readable by users in the file's group, and completely closed to everybody else. On a file, it would look like "-rw-r-----" in a ls listing.

[whgoodman]

It can be a bit easier if you take it one group at a time and not try to work with SUID, SGID and sticky bits yet. Unix permissions are set in three groups [four if you consider SUID, SGID and sticky bits]. User, group and other in that order. User is the owner of the file. Group can be any valid group, but normally the group that the user resides in. Other is everyone else. Like juggle5 said, these values are actually octal. If you consider read permission as a value of 4, write permission as a value of 2 and execute permission a value of 1 then calculating the octal value becomes easier too. So read and write permissions for one of the three groups would be 6, or the sum of 4 and 2. When you set the permissions you will have to set the permissions for User, Group and Other so setting read, write and execute for user along with read and write for group and other would be chmod 755 filename. When you have this down pat then you can look at the fourth field which contains the SUID, SGID and sticky bits, but normally you won't use these.

[Chuckit]

Just to be clear, 755 is read and execute for group and other, not read and write. (Not trying to harp on you or anything. Just don't want anybody learning to get confused with typos.)

[whgoodman]

755 is rwx,r-x,r-x. Full access for user and read/execute for everyone else.