When does chmod fail?

up vote
8
down vote

favorite
3









Under what circumstances will chmod fail?



I looked at the man page but it only specifies usage and doesn't go into details about what circumstances it won't work in.



I'd assume chmod will work if:



  • you're root

  • you own the target file (and are setting a mundane mode bit i.e. not sticky bit, others)

Can users use chmod to change permissions on a file they have group access for? Is it related to read/write access?










ubuntu permissions chmod access-control






edited Aug 3 '16 at 21:28









clk

asked Oct 22 '12 at 1:26









Wug

  • 2




    It will fail if the inode can't be modified, e.g. the filesystem is read only.
    – jordanm
    Oct 22 '12 at 4:00










  • Related: Can I allow users to chmod a file not owned by them?
    – Palec
    Feb 22 '15 at 22:59












4 Answers

          up vote
          3
          down vote









          Only the owner of the file, or the root user, may change a file's permissions. The current permissions on the file or on its parent directory are irrelevant¹. This is specified in POSIX:




          The application shall ensure that the effective user ID of the process matches the owner of the file or the process has appropriate privileges in order to do this.




          On most unices, “appropriate privileges” means running as root. If these conditions are not met, chmod usually fails with EPERM, though other behaviors such as aborting the program due to a security violation are permitted.



          In addition, some unix variants have system-specific ways of authorizing or forbidding chmod. For example, Linux has a capability (CAP_FOWNER) that allows processes to change a file's permissions and other metadata regardless of its owner.



          There are other reasons chmod might fail even though the file exists, is accessible and has the appropriate owner. Common ones include a read-only filesystem or a filesystem that does not support permissions such as FAT. Less common ones include system-specific restrictions such as the immutable attribute on Linux's ext2 filesystem and successors.



          ¹ Except insofar as the process running chmod must be able to access the file, so it must have execute permission on the directory containing the file and any other directory that it traverses to do so.






          answered Oct 23 '12 at 0:07









          Gilles

              up vote
              2
              down vote









              The details you want are in the manual page for the chmod() system call. Instead of man chmod use man 2 chmod. man chattr and man 2 setxattr will interest you as well; the file attributes that chattr/setxattr() set augment the behavior of the traditional Unix permissions set by chmod.






              answered Oct 22 '12 at 4:37









              Kyle Jones

              • I'll try this when I get out of work.
                – Wug
                Oct 22 '12 at 12:58
















                  up vote
                  1
                  down vote









                  According to the UNIX standard, "The effective user ID of the process must match the owner of the file or the process must have appropriate privileges in order to do this."



                  The bit about appropriate privileges needs some explanation. On traditional systems, chmod is allowed on all files when the effective UID (on Linux the filesystem UID, but see below) of the process is 0 [i.e. root].



                  Linux has a system called capabilities, and the CAP_FOWNER bit controls the ability to use chmod on all files. By default, all capabilities are granted when an execve() call creates a root process (either by executing a setuid binary or when the real UID is 0) or when the effective UID is set to 0 (and removed when it is set to a nonzero value), and a set of capabilities including CAP_FOWNER are enabled when the filesystem UID is set to 0 (and disabled when it is set to a nonzero value). Read the manpage for more details.



                  You mentioned the sticky bit, but omitted the fact that users also may not set the setgid bit on a file when they are not in the group that is assigned to the file. The setuid or setgid bit may also be ignored in additional implementation-defined circumstances.






                  edited Oct 22 '12 at 17:22

























                  answered Oct 22 '12 at 17:15









                  Random832

                      up vote
                      0
                      down vote










                      Can users use chmod to change permissions on a file they have group access for?




                      Why don't you just try and see?



                      $ touch foo
                      $ sudo install -o root -g $(id -gn) -m660 foo bar
                      $ ls -la bar
                      -rw-rw---- 1 root staff 0 Oct 21 21:33 bar
                      $ chmod g-w bar
                      chmod: bar: Operation not permitted
                      $ chmod g+x bar
                      chmod: bar: Operation not permitted





                      answered Oct 22 '12 at 1:36









                      dubiousjim

                      • I have been poking at it, but this is security related and I don't want to accidentally miss an edge case.
                        – Wug
                        Oct 22 '12 at 2:43











                      • If you're worried about an edge case, you can (at least to minimize risks) do the chmod, and then check the permissions on it. If you're feeling paranoid, do an fsync before checking.
                        – hexafraction
                        Oct 22 '12 at 10:32
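
The failure cases named in the answers above (EPERM for a non-owner, a read-only filesystem, a setuid/setgid bit that does not stick) and the comment's advice to check the permissions after the chmod, put together as an added C example that is not part of the original thread. The names `checked_chmod`, `classify_chmod_errno` and the `chmod_result` enum are hypothetical, and the `/tmp` file is constructed for the demonstration.

```c
/* Added example: call chmod(2), classify a failure by errno, and verify
 * with stat(2) that the mode actually stored is the mode requested. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkstemp() under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result type for this example. */
enum chmod_result {
    CHMOD_OK = 0,         /* requested mode is now on the file */
    CHMOD_BITS_DROPPED,   /* call returned 0 but the stored mode differs,
                             e.g. setgid cleared for a non-member of the group */
    CHMOD_NOT_PERMITTED,  /* EPERM: caller is neither owner nor privileged
                             (Linux also returns it for immutable files) */
    CHMOD_READ_ONLY_FS,   /* EROFS: filesystem mounted read-only */
    CHMOD_NO_ACCESS,      /* EACCES: no search permission on a directory in the path */
    CHMOD_NO_SUCH_FILE,   /* ENOENT or ENOTDIR */
    CHMOD_OTHER_ERROR
};

enum chmod_result classify_chmod_errno(int err)
{
    switch (err) {
    case EPERM:   return CHMOD_NOT_PERMITTED;
    case EROFS:   return CHMOD_READ_ONLY_FS;
    case EACCES:  return CHMOD_NO_ACCESS;
    case ENOENT:
    case ENOTDIR: return CHMOD_NO_SUCH_FILE;
    default:      return CHMOD_OTHER_ERROR;
    }
}

const char *chmod_result_text(enum chmod_result r)
{
    switch (r) {
    case CHMOD_OK:            return "mode applied";
    case CHMOD_BITS_DROPPED:  return "call succeeded but some bits were not kept";
    case CHMOD_NOT_PERMITTED: return "not owner / not privileged / immutable";
    case CHMOD_READ_ONLY_FS:  return "read-only filesystem";
    case CHMOD_NO_ACCESS:     return "cannot traverse a directory in the path";
    case CHMOD_NO_SUCH_FILE:  return "no such file";
    default:                  return "other error";
    }
}

/* Path-based, like the chmod command. The path is resolved twice (chmod,
 * then stat), so where the file can be opened, fchmod()/fstat() on one
 * descriptor avoids the file being swapped between the two calls. */
enum chmod_result checked_chmod(const char *path, mode_t mode)
{
    struct stat st;
    mode_t want = mode & 07777;   /* permission, setuid, setgid, sticky bits */

    if (chmod(path, want) != 0)
        return classify_chmod_errno(errno);
    if (stat(path, &st) != 0)
        return classify_chmod_errno(errno);
    return ((st.st_mode & 07777) == want) ? CHMOD_OK : CHMOD_BITS_DROPPED;
}

int main(void)
{
    char tmpl[] = "/tmp/chmod_demo_XXXXXX";   /* constructed sample file */
    int fd = mkstemp(tmpl);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    close(fd);

    /* A file we own: expected to succeed and to keep the mode. */
    printf("%s -> %s\n", tmpl, chmod_result_text(checked_chmod(tmpl, 0640)));

    /* The same path after removal: classified as a missing file. */
    unlink(tmpl);
    printf("%s -> %s\n", tmpl, chmod_result_text(checked_chmod(tmpl, 0640)));
    return 0;
}
```

The comparison after the call is what catches the silent cases: a return value of 0 only says the request was accepted, not that every requested bit was stored.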















