Tutorial on CHMOD
By John O'Donnell

From the manual page on chmod(1L):

    chmod changes the permissions of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new permissions.

    (.. snip ..)

I am only going to explain the numeric mode of setting permissions.

There are 4 sets of permission bits belonging to every file, directory, device, link, FIFO, etc. that are set using octal numbers. I will explain what they do first, then I will explain the numbers...

The first is kinda special. I won't explain that here. If curious, look at the man page. But the others, in order, are "user", "group", and "world". This is shown when you do a "ls -l" and you'll see the "-rwxr-xr-x" stuff in the beginning of the line. This particular set of permissions you might find on an executable shell script program or a directory, but not a data file like your pppd options file.

The first set of "rwx" is read, write, and execute permissions for the user that owns that file shown in the "ls -l". The second set of permissions, the "r-x", is the read and execute for the "group", also shown in the "ls -l". Now anyone belonging to the group can run the program, but they are NOT allowed to change it. They have no write permissions. The last set of permissions "r-x" is the same as the group, but these rules apply to the rest of the world.

You would find these particular permissions in my example (-rwxr-xr-x) on a shell script as the shell itself needs read access to read through the file and execute your commands. A compiled executable only needs "execute" permissions. (Interesting: I was just looking at my /usr/bin directory from my Slackware Linux and I notice that compiled programs there are "-rwxr-xr-x" and on my SCO Open Server 5 box they are "-rwx--x--x" - I'd be curious to know what you RedHat users see...)

Anyway, on datafiles you'd typically see "-rw-r--r--" giving read/write access to the user and ONLY read access to anyone else in the "group" as well as the rest of the world. If you wanted to lock down a data file so that no one could read it but you, you'd set "-rw-------" and make sure you were the owner of the file. Check your pppd executable and options file for this.

Now directories are a little different. If the user does not have access to the directory itself, then they cannot see any of the files nor run them. Let me stray for a second and remind you to keep in mind that a directory is nothing but a file itself that has a list of files and inodes in it. I ran a SCO Unix program called "hd" (hex dump) on my Linux box (thanks to iBCS2) to create this partial output of my /usr/bin directory:

    0000  01 50 2e 00 00 00 00 00 00 00 00 00 00 00 00 00  .P..............
    0010  01 48 2e 2e 00 00 00 00 00 00 00 00 00 00 00 00  .H..............
    0020  02 50 6d 74 6f 6f 6c 73 00 00 00 00 00 00 00 00  .Pmtools........
    0030  03 50 75 6e 7a 69 70 00 00 00 00 00 00 00 00 00  .Punzip.........
    0040  04 50 7a 69 70 00 00 00 00 00 00 00 00 00 00 00  .Pzip...........
    0050  05 50 7a 69 70 6e 6f 74 65 00 00 00 00 00 00 00  .Pzipnote.......
    0060  06 50 7a 69 70 73 70 6c 69 74 00 00 00 00 00 00  .Pzipsplit......

You can see the first 2 entries are the usual "." and ".." and from there it is the unsorted list of files and the 2 byte inodes with all the information about the file. Each new file that gets created in the directory gets appended to this file unless a file before it was deleted. Deleted files still show up here, but the inode is zeroed out (Hex: 0x00 0x00). Long filenames start with 0xff 0xff and continue until the inode is reached. Example:

    1880  ff ff 69 33 38 36 2d 70 63 2d 6c 69 6e 75 78 2d  ..i386-pc-linux-
    1890  25 52 67 6e 75 6c 69 62 63 31 2d 67 63 63 00 00  %Rgnulibc1-gcc..

results in "i386-pc-linux-gnulibc1-gcc"...

Ok enuf directory crap...

Now the permissions work almost in the same way for directories. The same "user", "group", and "world" sets. If you have read permission you can open the directory and know/see the contents. If you have write, you can add to the directory or delete files! But, without execute, you cannot actually change to the directory and do anything. So if you really wanted to lock a directory out so that people could open a file but not be able to see or delete it you could set "---x--x--x" permissions and lock it down. Granted they would have to know the exact name of the file because you just restricted them from doing a "ls"... If you want full open access set it to "-rwxrwxrwx".

To set these bits using the octal numbers all you have to do is keep in mind these 3 numbers:

    4 - READ
    2 - WRITE
    1 - EXECUTE

All you need to do is add up the bits you want. If you want Read/Write: (4+2 = 6). If you want Read/Execute: (4+1 = 5).

To use this with chmod and achieve "-rwxr-xr-x" you would type:

    chmod 755 [file/directory]

If you were changing a data file to "-rw-r-----" (Owner: Read/Write, Group: Read Only, World: LOCKED OUT) you would type:

    chmod 640 [file]

Johnny O (johnod[at] voicefx[dot] com)
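
The 4/2/1 arithmetic above, as an added example that is not part of the original tutorial: one shell function turns an "ls -l" style string into the number you give chmod, and a second lists files that group or world can still read or write, which is the check suggested earlier for the pppd options file. The function names are made up for this example, and the special first digit is not handled.

```sh
#!/bin/sh
# Added example; the function names are made up for this illustration.

# sym_to_octal "-rwxr-xr-x" prints 755.
# Takes the 9 permission characters, with or without the leading
# file-type character from "ls -l". Only r, w, x and - are handled;
# the special first octal digit is out of scope.
sym_to_octal() {
    s=$1
    [ "${#s}" -eq 10 ] && s=${s#?}      # drop the type character
    [ "${#s}" -eq 9 ] || return 1
    out=
    while [ -n "$s" ]; do
        rest=${s#???}
        triple=${s%"$rest"}             # next set: user, group, world
        s=$rest
        case $triple in [r-][w-][x-]) ;; *) return 1 ;; esac
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac   # 4 - READ
        case $triple in ?w?) n=$((n + 2)) ;; esac   # 2 - WRITE
        case $triple in ??x) n=$((n + 1)) ;; esac   # 1 - EXECUTE
        out=$out$n
    done
    printf '%s\n' "$out"
}

# loose_files DIR lists regular files under DIR that group or world
# can read or write, which a private "-rw-------" data file must not
# allow. "-perm -MODE" matches when every bit in MODE is set, so each
# bit gets its own test.
loose_files() {
    find "$1" -type f \( -perm -040 -o -perm -020 \
        -o -perm -004 -o -perm -002 \) -print | sort
}

# Demo on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/options" && chmod "$(sym_to_octal -rw-r-----)" "$d/options"
    : > "$d/secret" && chmod "$(sym_to_octal -rw-------)" "$d/secret"
    loose_files "$d"                    # lists only .../options
    rm -rf "$d"
}
demo
```
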