0

I want all files in every user's home directory to be 0740 or less permissive.

Let's say a user has perms like this:

    -rwxr----- 1 doej users 321 Jan 6 2013 file1.txt
    -rwxrwx--- 1 doej users 555 Jan 6 2013 file2.txt
    -rwxr-xr-x 1 doej users 875 Jan 6 2013 file3.txt
    -r--r--r-- 1 doej users 875 Jan 6 2013 file4.txt
    -rwxr----x 1 doej users 875 Jan 6 2013 file5.txt
    -r--r----x 1 doej users 875 Jan 6 2013 file6.txt
    -r-------- 1 doej users 875 Jan 6 2013 file7.txt
    -rwxrwxrwx 1 doej users 875 Jan 6 2013 file8.txt

I'm looking for the ability to:

  • change files like file8.txt to chmod 740
  • leave alone files like file7.txt
  • change files like file6.txt to chmod 440

Essentially, reduce excessive permissions without adding more permissions.

If I do this, it will add excessive permissions to files which are below the requirements:

    sudo chmod 0740 /home/*

Is there a command to do this? Does it require a bash script?

davidhaskins
  • 2
    You mean like `g-wx,o-rwx`? – Tom Yan Apr 08 '22 at 16:33
  • You do NOT want all files to have the execute bit set. Why on earth would you want that on text files? I am sure whatever _other_ agency you are talking about, they will know that text files should not be executable and are far more likely to take action against you for that. – Bib Apr 08 '22 at 20:44
  • @Bib While he didn't want to clear the x bit from all files, what he asked wasn't about having it set on all of them either. The `.txt` might be merely an example. – Tom Yan Apr 09 '22 at 03:10
  • @Tom Yan, hence the reason for the comment and not an answer. – Bib Apr 09 '22 at 09:07

2 Answers

1

`chmod g-wx,o-rwx …` will remove `wx` for the group and `rwx` for others; it will not alter anything for the user (owner) nor the state of `r` for the group.

Notes:

Kamil Maciorowski
  • Thanks! I think this is precisely what I was looking for. I understand your concerns, but this is a rigorously compliant environment. If I don't change the permissions, another agency will shut down the server altogether. Users can override, but I will be running it as a cron job (they could run a cron job after my cron job restoring perms, but that is a discussion we'd have to have later). Thanks again! – davidhaskins Apr 08 '22 at 17:13
  • 1
    @davidhaskins I understand there may be valid reasons. When I write an answer, I do it for a general audience, for future users with similar problems and for the OP (here: for you); sometimes in this exact order of significance. :) Maybe in the future admins with less important reasons will read this and reconsider. The note about a potential abuse is mainly for them. – Kamil Maciorowski Apr 08 '22 at 17:45
0

Use `find` with the `-perm` argument, defined as:

 -perm -mode
          All of the permission bits mode are set for the file.
          Symbolic modes are accepted in this form, and this is
          usually the way in which you would want to use them.  You
          must specify `u', `g' or `o' if you use a symbolic mode.

With the parameter `-perm -740` you will search for all files that have at least 740 permissions, like this:

    sudo find . -perm -740 -type f -exec chmod 740 {} \;

(You will be setting files that have exactly 740 also to 740, but that's not a problem.)

For more information see How to audit permissions with the find command.

harrymc
  • Did you miss the word `exactly` in the part of the manual that you have quoted? – Tom Yan Apr 08 '22 at 16:43
  • @TomYan: No, I forgot the minus in front of the 740. Fixed. Don't be so hasty to downvote. If not convinced, read the link at the end of my answer. – harrymc Apr 08 '22 at 17:09
  • 1
    The truth is, you *forgot* you quoted the wrong part of the manual too. – Tom Yan Apr 08 '22 at 17:22
  • @TomYan: You're a hard person to satisfy. Is everything to your liking now? – harrymc Apr 08 '22 at 17:39
  • 1
    @TomYan The answers provided on stack exchange are posted by volunteers, generally providing their expertise on their own free time. If you start coming down on them for problems in the details I think you will find the source of free advice drying up for your questions. Be gentle in your criticisms. – doneal24 Apr 08 '22 at 19:42
  • @doneal24 So what was the point of the volunteering when the key that makes the answer make sense is considered "detail"? You may as well *just* paste the link of the manual. I might be less "critical". Thank you for your free time, but no thanks, if feeling good because of upvotes / high reps has become the whole point. – Tom Yan Apr 09 '22 at 03:00
  • @TomYan You might notice that I post many solutions in comments where they don't add to my rep but will lead others to strengthen their answers. @harrymc certainly doesn't need the rep boost either. Typos happen - don't kill the messenger when they occur. It's also understood that you should test answers against your particular environment and adjust as necessary. – doneal24 Apr 10 '22 at 16:35
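
Added example, not part of either answer or of the original thread: it recreates the eight sample modes from the question in a temporary directory, shows which files `find -perm -740` and `find -perm /037` each select, and then applies `chmod g-wx,o-rwx` only to files that carry a bit beyond 0740. It assumes GNU find (`-perm /mode`, `-printf`); the function names and the scratch directory are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example with constructed sample files; assumes GNU findutils.

# Recreate the question's listing: file1..file8 with the modes shown there.
make_samples() {                 # $1 = empty directory to populate
    local i=1 mode
    for mode in 740 770 755 444 741 441 400 777; do
        : > "$1/file$i.txt"
        chmod "$mode" "$1/file$i.txt"
        i=$((i + 1))
    done
}

# Names of regular files selected by a given -perm test, sorted on one line.
matching() {                     # $1 = directory, $2 = -perm argument
    find "$1" -type f -perm "$2" -printf '%f\n' | sort | paste -sd ' ' -
}

# Remove group w/x and all "other" bits, touching only files where at least
# one of those bits (octal 037) is set. -type f skips directories and
# symlinks; symbolic g-wx,o-rwx can only clear bits, never add them.
tighten() {                      # $1 = directory
    find "$1" -type f -perm /037 -exec chmod g-wx,o-rwx {} +
}

# "name:mode" for every regular file, sorted on one line.
modes() {                        # $1 = directory
    find "$1" -type f -printf '%f:%m\n' | sort | paste -sd ' ' -
}

demo() {
    local d
    d=$(mktemp -d)
    make_samples "$d"
    echo "-perm -740 selects: $(matching "$d" -740)"   # all of 0740 set
    echo "-perm /037 selects: $(matching "$d" /037)"   # any bit beyond 0740
    tighten "$d"
    echo "after tighten:      $(modes "$d")"
    rm -rf "$d"
}
demo
```

For the home-directory case in the question, `tighten /home` run as root applies the same selection and mask to every regular file under `/home`.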