a question about chmod and chown and chgrp

gumnos (Tim Chase) gumnos at hotmail.com
Fri Feb 27 16:56:36 UTC 2004

> I have a partition on my hard drive called /private.  Now I want to
> this so that only root and user Scott can see this directory.  What
> be the best combination of chown and chgrp as well as chmod?  Will I
> to umask also?  Thanks for the help.

Well, since root can see anything (unless you go the route of encrypted
file-systems, in which case it becomes a different game), you're really
just concerned about the user Scott accessing it.  It would be the same
as your home directory for ~Scott in that it should be set to the
following privs:

User: read, write, execute
Group & other: none

You'd then want to use "umask" (best done as a call in one of the
profile or .login files for the "scott" account) so that files have the

User: read, write, not execute
Group & Other:  none

I don't remember off the top of my head which direction the bits go for
the umask command, but I think that would be 077, which would strip off
rights by default for Group and Others.

If "scott" doesn't already own the /private directory, you can "su" to
root, and change the ownership, so you'd do something like

    login:  scott
    password:  ****
    scott@mybox$ su
    root@mybox# chmod o-rwx /private
    root@mybox# chmod ug+rwx /private
    root@mybox# chown scott.scott /private
    root@mybox# exit
    scott@mybox$ echo umask 077 >> ~/.profile

This assumes that you've got the user "scott" in a private group called
"scott" as well.  Adjust the "chown" line accordingly, if the user
"scott" is part of another group.  You can always use your favorite
editor to add the "umask..." line to your login file rather than using
the trusty "echo ... >> ..." method, if you need to have more control
over where it goes.

If you need to add a second user (say "scotts_beau"), you have to make
use of groups--so "scott" and "scotts_beau" would be members of the
group "privy", and you'd "chown scott.privy /private".  That would give
both scott and scotts_beau access to work within that directory,
keeping it private from other users.

Take note that if you have files within that directory with rights set
to being publicly viewable, they can be read if another user knows the
file names and can ask for them directly...can be the case on a multi-
user system where each user has a ~/public_html folder that has to be
made available to the web-server...files in there (including, perhaps,
PHP/JSP/whatever source code with passwords) can be requested directly
by other users on the system.
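
Added example, not part of the original message: a small shell check for the two points above, namely what mode new files get under umask 077 versus a typical 022, and which entries under the directory still grant group or other access. It assumes GNU stat and find on Linux; the temporary directory stands in for /private and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example. Assumes GNU stat and find (Linux); all paths are constructed.

# Print the octal permission bits of a path, e.g. 700.
mode_of() {
    stat -c '%a' "$1"
}

# List everything under a directory that has any group/other permission bit set.
loose_entries() {
    find "$1" -perm /077 -print
}

# Create a new file under the given umask (in a subshell, so the caller's
# umask is left unchanged) and print the mode the file ended up with.
mode_with_umask() {
    ( umask "$1" && : > "$2" ) && mode_of "$2"
}

# Strip group/other bits from everything under a directory.
tighten() {
    chmod -R go-rwx "$1"
}

demo() {
    d=$(mktemp -d) || return 1          # stand-in for /private
    chmod 700 "$d"
    echo "directory:          $(mode_of "$d")"
    echo "file, umask 022:    $(mode_with_umask 022 "$d/old.txt")"
    echo "file, umask 077:    $(mode_with_umask 077 "$d/new.txt")"
    echo "group/other access: $(loose_entries "$d")"
    tighten "$d"
    echo "after tighten:      $(loose_entries "$d" | wc -l) loose entries"
    rm -rf "$d"
}

demo
```

Files created before the umask line was added to the profile keep their old mode, which is why the listing step is worth running once after the change.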


