Category: LINUX

2007-08-23 17:42:22

chmod
  modify the access mode on files.
  -c like verbose mode, but report only changes
  -R use recursive mode, descending through the directory hierarchies under the named files and making modifications throughout
  -v use verbose behavior, reporting the action taken for every file
  classes: user (u), group (g), other (o), all (a); operators: + add, - remove, = set exactly this permission
  octal values: read (4), write (2), execute (1); special bits: set user ID (4), set group ID (2), sticky (1)

  a file's mode controls access by these classes of users:
  user   the user that owns the file
  group  the group that owns the file
  other  all other users on the system

  for example:
  $ chmod 644 afile
  $ chmod -v u=rw,go=r afile
  $ chmod -v o-rwx adir        (remove all permissions for other on a directory; add -R to apply recursively to its contents)
  $ chmod -v +t adir           (set the sticky bit on a directory)
  $ chmod g+w *.c              (add write permission for the group on all .c files)
  $ chmod -R 755 ~/direcs      (recursively set mode 755 on a directory tree)

  
SUID (set user ID)
  the SUID property is for executable files only and has no effect on directories. normally the user who launches a program owns the resulting process. however, if an executable file has its SUID bit set, the file's owner owns the resulting process, no matter who launched it. when SUID is used, the file's owner is usually root, so this offers anyone temporary root access for the duration of the command. an example of an SUID program is lpr, the line print command. this command needs special access to manipulate the print spools, and runs as user root.
  using the SUID bit in cases like lpr enhances security by allowing access to privileged functions without giving away the root password. on the other hand, SUID is a security risk if access is granted unwisely.
SGID (set group ID)
   the SGID property works the same way as SUID for executable files, setting the process group owner to the file's group. in addition, the SGID property has a special effect on directories. when SGID is set on a directory, new files created within that directory are assigned the same group ownership as the directory itself. for example, if directory /home/fin has the group finance and has SGID enabled, then all files under /home/fin are created with group ownership of finance, regardless of the creator's group. this is an important attribute for teams, ensuring that shared files all have the same group ownership.
sticky
   at one time the sticky mode (more commonly known as the sticky bit), applied to executable programs, flagged the system to keep an image of the program in memory after the program finished running. this capability increased performance for subsequent users by eliminating the program's load phase, and was applied to programs that were large or were run frequently. modern virtual memory techniques have made this use unnecessary, and under linux there is no need to use the sticky bit on executable programs.
   when applied to a directory, the sticky bit offers additional security for files within the directory, regardless of file permissions. the only users who can rename or delete files in a directory with the sticky bit set are the file owner, the directory owner, and root. when used in a team environment, the sticky bit allows groups to create and modify files but allows only file owners the privilege of deleting or renaming them. like the other access controls, these special properties are binary and are considered bits in the access mode.
   instead of adding three more bits to the left of rwxr-xr-x, the SUID permission is indicated in the string by changing the user execute position from x to s. SGID permission is handled the same way in the group execute position. the sticky permission is indicated by replacing the x in the other execute position with t (shown as an uppercase T when other has no execute permission). for example, an executable program with mode 6755 would have the following equivalent symbolic mode:
   rwsr-sr-x
   a directory with mode 1774 would have this equivalent string:
   rwxrwxr-T
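The octal-to-symbolic mapping described above (the 4/2/1 values from the chmod section plus the s/S and t/T markers for the special bits), as an added shell example that is not part of the original post; ls_symbolic reads the same nine characters back from ls -ld so a computed string can be compared with a real directory.

```shell
#!/bin/sh
# Convert an octal mode such as 6755, 1774 or 644 into the 9-character
# permission string that ls prints. The special bits replace the execute
# slot of their class: SUID -> user x, SGID -> group x, sticky -> other x.
# Lowercase s/t means the class also has execute; uppercase S/T means it
# does not (the T in 1774's rwxrwxr-T, since other is r-- there).
mode_to_symbolic() {
    m=$(( 0$1 ))                      # leading 0 forces octal interpretation
    out=""
    for cls in 0 1 2; do              # 0 = user, 1 = group, 2 = other
        bits=$(( (m >> ((2 - cls) * 3)) & 7 ))
        [ $(( bits & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( bits & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        case $cls in                  # which special bit belongs to this class
            0) special=$(( m & 04000 )); lower=s; upper=S ;;
            1) special=$(( m & 02000 )); lower=s; upper=S ;;
            2) special=$(( m & 01000 )); lower=t; upper=T ;;
        esac
        if [ "$special" -ne 0 ]; then
            [ $(( bits & 1 )) -ne 0 ] && out="${out}${lower}" || out="${out}${upper}"
        elif [ $(( bits & 1 )) -ne 0 ]; then
            out="${out}x"
        else
            out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# Read the same 9 characters back for an existing path. Uses ls -ld rather
# than stat -c so it also works on non-GNU systems.
ls_symbolic() {
    ls -ld "$1" | cut -c2-10
}
```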
   
set access modes
   when new files are created, the protection bits are set according to the user's default setting. that default is established using the umask command, probably in a startup script. this command accepts only one argument, which is a three-digit octal string that masks the user, group, and other permission bits for newly created files and directories. without a value, umask reports the current value:
  $ umask
  22
  when provided with an integer, umask sets the value for the current shell:
  $ umask 2
  $ umask
  2
  the special bits are always turned off and are not masked by the umask. when a file is created, the bits set in the umask are removed from 666 (commonly described as subtracting the umask); for directories, they are removed from 777. this calculation yields the effective protection mode for the file or directory.
  here's an example of the umask in action:
  $ umask 27
  $ touch afile
  $ mkdir adir
  $ ls -ld adir afile
  drwxr-x--- ......... adir
  -rw-r----- ........ afile
  the letter d indicates a directory, a - indicates a regular file, the letter l indicates a symbolic link, a b indicates a block device (such as a disk), and a c indicates a character device (such as a terminal).
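The umask arithmetic from the passage above, as an added shell example that is not part of the original post: effective_mode applies the mask the way the kernel does (clearing bits), subtracted_mode shows where taking "subtract" literally goes wrong, and observed_modes creates a file and a directory under a given umask in a scratch directory to confirm the computed result.

```shell
#!/bin/sh
# The umask is a bit mask: every bit set in the mask is CLEARED from the
# base mode (666 for files, 777 for directories). Ordinary subtraction
# gives the same answer only while no octal digit needs a borrow.
effective_mode() {          # usage: effective_mode <umask> file|dir
    mask=$(( 0$1 ))         # leading 0 forces octal interpretation
    case $2 in
        dir)  base=0777 ;;
        file) base=0666 ;;
        *) echo "usage: effective_mode <umask> file|dir" >&2; return 2 ;;
    esac
    printf '%o\n' $(( base & ~mask ))
}

# Literal subtraction, for comparison only: 666 - 027 = 637, not 640.
subtracted_mode() {
    mask=$(( 0$1 ))
    case $2 in dir) base=0777 ;; *) base=0666 ;; esac
    printf '%o\n' $(( base - mask ))
}

# Check the arithmetic against what the system actually does: create a
# file and a directory under the given umask and read back ls -ld.
observed_modes() {          # prints "<file perms> <dir perms>"
    scratch=$(mktemp -d) || return 1
    (umask "$1"; : > "$scratch/afile"; mkdir "$scratch/adir")
    f=$(ls -ld "$scratch/afile" | cut -c2-10)
    d=$(ls -ld "$scratch/adir" | cut -c2-10)
    rm -rf "$scratch"
    printf '%s %s\n' "$f" "$d"
}
```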
  category      mode   description
  user class    u      user
                g      group
                o      other
                a      all classes
  operation     -      take away permission
                +      add permission
                =      set permission exactly
  permissions   r      read permission
                w      write permission
                x      execute permission
                X      execute permission for directories, and for files that already have execute permission for some class, but not for other plain files
                s      SUID or SGID permission
                t      sticky bit

   u+x   add execute permission for the user
   go-w  remove write permission from the group and other classes
   o+t   set the sticky bit
   a=rw  set read and write, but not execute, permission for everyone
   a+X   give everyone execute permission for directories and for those files with any existing execute permission
   
   Now let's look at a concrete example.
  the steps you may use to create a useful workgroup directory for a small team of people are briefly described here. the goals of the directory are as follows:
  the workgroup is to be called sales and has members jdoe, bsmith, and jbr
  the directory is /home/sls
  only the creators of files in /home/sls should be able to delete them
  members shouldn't need to worry about file ownership, and all group members require full access to files
  nonmembers should have no access to any of the files
  the following steps will satisfy the goals:
  1. create the new group
   # /usr/sbin/groupadd sales
  2. create the new users
   # /usr/sbin/useradd jdoe
   # /usr/sbin/useradd bsmith
   # /usr/sbin/useradd jbr
  3. add the existing users to the group (-a appends; -G alone would replace a user's existing supplementary groups)
   # /usr/sbin/usermod -aG sales jdoe
   # /usr/sbin/usermod -aG sales bsmith
   # /usr/sbin/usermod -aG sales jbr
  4. create a directory for the group
   # mkdir /home/sls
  5. set group ownership of the new directory
   # chgrp sales /home/sls
  6. protect the directory from others:
   # chmod 770 /home/sls
  7. set the SGID bit to ensure that the sales group will own all new files. also set the sticky bit to protect files from deletion by non-owners:
   # chmod g+s,o+t /home/sls
  8. test it
   # su jdoe
   $ cd /home/sls
   $ touch afile
   $ ls -l afile
   $ exit
   # su bsmith
   $ cd /home/sls
   $ rm afile
   rm: cannot remove `afile': Operation not permitted
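A check for the finished directory, as an added shell example that is not part of the original post: audit_workgroup_dir parses ls -ld and reports each goal from the list above that a directory fails (mode 770, SGID, sticky bit, and optionally the owning group), so the result of steps 4 to 7 can be verified without relying on the manual test in step 8.

```shell
#!/bin/sh
# Audit a shared team directory against the goals of the walkthrough:
#   owner rwx, group rwx  (mode 770)
#   SGID on the directory (new files inherit the directory's group)
#   sticky bit            (only a file's owner, the directory owner or root may delete/rename)
#   no access for others
# For mode 3770 ls -ld shows drwxrws--T. Parses ls -ld rather than
# stat -c so it also works on non-GNU systems.
audit_workgroup_dir() {            # usage: audit_workgroup_dir <dir> [expected-group]
    dir=$1; want_group=$2; rc=0
    set -- $(ls -ld "$dir")        # unquoted on purpose: split into ls columns
    [ -n "$1" ] || return 2
    perms=$1; group=$4             # column 4 of ls -l is the group
    case $perms in d*) ;; *) echo "$dir: not a directory"; return 2 ;; esac
    u=$(printf '%s' "$perms" | cut -c2-4)
    g=$(printf '%s' "$perms" | cut -c5-7)
    o=$(printf '%s' "$perms" | cut -c8-10)
    [ "$u" = "rwx" ] || { echo "$dir: owner has $u, expected rwx"; rc=1; }
    [ "$g" = "rws" ] || { echo "$dir: group has $g, expected rws (rwx plus SGID)"; rc=1; }
    [ "$o" = "--T" ] || { echo "$dir: others have $o, expected --T (no access plus sticky)"; rc=1; }
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, expected $want_group"; rc=1
    fi
    return $rc
}
```

Run as `audit_workgroup_dir /home/sls sales`; it prints one line per failed goal and exits non-zero, and exits 0 silently when the directory matches.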
