Control who can access files, search directories, and run scripts using the Linux’s
chmod command. This command modifies Linux file permissions, which look complicated at first glance but are actually pretty simple once you know how they work.
chmod Modifies File Permissions
In Linux, who can do what to a file or directory is controlled through sets of permissions. There are three sets of permissions. One set for the owner of the file, another set for the members of the file’s group, and a final set for everyone else.
The permissions control the actions that can be performed on the file or directory. They either permit, or prevent, a file from being read, modified or, if it is a script or program, executed. For a directory, the permissions govern who can
cd into the directory and who can create, or modify files within the directory.
Viewing and Understanding File Permissions
We can use the
-l (long format) option to have
ls list the file permissions for files and directories.
On each line, the first character identifies the type of entry that is being listed. If it is a dash (
-) it is a file. If it is the letter
d it is a directory.
The next nine characters represent the settings for the three sets of permissions.
- The first three characters show the permissions for the user who owns the file (user permissions).
- The middle three characters show the permissions for members of the file’s group (group permissions).
- The last three characters show the permissions for anyone not in the first two categories (other permissions).
There are three characters in each set of permissions. The characters are indicators for the presence or absence of one of the permissions. They are either a dash (
-) or a letter. If the character is a dash, it means that permission is not granted. If the character is an
w, or an
x, that permission has been granted.
The letters represent:
- r: Read permissions. The file can be opened, and its content viewed.
- w: Write permissions. The file can be edited, modified, and deleted.
- x: Execute permissions. If the file is a script or a program, it can be run (executed).
---means no permissions have been granted at all.
rwxmeans full permissions have been granted. The read, write, and execute indicators are all present.
In our screenshot, the first line starts with a
d. This line refers to a directory called “archive.” The owner of the directory is “dave,” and the name of the group that the directory belongs to is also called “dave.”
The next three characters are the user permissions for this directory. These show that the owner has full permissions. The
x characters are all present. This means the user dave has read, write and execute permissions for that directory.
The second set of three characters are the group permissions, these are
r-x. These show that the members of the dave group have read and execute permissions for this directory. That means they can list the files and their contents in the directory, and they can
cd (execute) into that directory. They do not have write permissions, so they cannot create, edit, or delete files.
The final set of three characters are also
r-x. These permissions apply to people who are not governed by the first two sets of permissions. These people (called”others”) have read and execute permissions on this directory.
So, to summarise, group members and others have read and execute permissions. The owner, a user called dave, also has write permissions.
For all of the other files (apart from the mh.sh script file) dave and members of the dave group have read and write properties on the files, and the others have read permissions only.
For the special case of the mh.sh script file, the owner dave and the group members have read, write, and execute permissions, and the others have read and execute permissions only.
Understanding The Permission Syntax
chmod to set permissions, we need to tell it:
- Who: Who we are setting permissions for.
- What: What change are we making? Are we adding or removing the permission?
- Which: Which of the permissions are we setting?
We use indicators to represent these values, and form short “permissions statements” such as
u+x, where “u” means ” user” (who), “+” means add (what), and “x” means the execute permission (which).
The “who” values we can use are:
- u: User, meaning the owner of the file.
- g: Group, meaning members of the group the file belongs to.
- o: Others, meaning people not governed by the
- a: All, meaning all of the above.
If none of these are used,
chmod behaves as if “
a” had been used.
The “what” values we can use are:
- –: Minus sign. Removes the permission.
- +: Plus sign. Grants the permission. The permission is added to the existing permissions. If you want to have this permission and only this permission set, use the
=option, described below.
- =: Equals sign. Set a permission and remove others.
The “which ” values we can use are:
- r: The read permission.
- w: The write permission.
- x: The execute permission.
Setting And Modifying Permissions
Let’s say we have a file where everyone has full permissions on it.
ls -l new_ file.txt
We want the user dave to have read and write permissions and the group and other users to have read permissions only. We can do using the following command:
chmod u=rw,og=r new_file.txt
Using the “=” operator means we wipe out any existing permissions and then set the ones specified.
let’s check the new permission on this file:
ls -l new_file.txt
The existing permissions have been removed, and the new permissions have been set, as we expected.
How about adding a permission without removing the existing permissions settings? We can do that easily too.
Let’s say we have a script file that we have finished editing. We need to make it executable for all users. Its current permissions look like this:
ls -l new_script.sh
We can add the execute permission for everyone with the following command:
chmod a+x new_script.sh
If we take a look at the permissions, we’ll see that the execute permission is now granted to everyone, and the existing permissions are still in place.
ls -l new_script.sh
We could have achieved the same thing without the “a” in the “a+x” statement. The following command would have worked just as well.
chmod +x new_script.sh
Setting Permissions for Multiple Files
We can apply permissions to multiple files all at once.
These are the files in the current directory:
Let’s say we want to remove the read permissions for the “other” users from files that have a “.page” extension. We can do this with the following command:
chmod o-r *.page
Let’s check what effect that has had:
As we can see, the read permission has been removed from the “.page” files for the “other” category of users. No other files have been affected.
If we had wanted to include files in subdirectories, we could have used the
-R (recursive) option.
chmod -R o-r *.page
Another way to use
chmod is to provide the permissions you wish to give to the owner, group, and others as a three-digit number. The leftmost digit represents the permissions for the owner. The middle digit represents the permissions for the group members. The rightmost digit represents the permissions for the others.
The digits you can use and what they represent are listed here:
- 0: (000) No permission.
- 1: (001) Execute permission.
- 2: (010) Write permission.
- 3: (011) Write and execute permissions.
- 4: (100) Read permission.
- 5: (101) Read and execute permissions.
- 6: (110) Read and write permissions.
- 7: (111) Read, write, and execute permissions.
Each of the three permissions is represented by one of the bits in the binary equivalent of the decimal number. So 5, which is 101 in binary, means read and execute. 2, which is 010 in binary, would mean the write permission.
Using this method, you set the permissions that you wish to have; you do not add these permissions to the existing permissions. So if read and write permissions were already in place you would have to use 7 (111) to add execute permissions. Using 1 (001) would remove the read and write permissions and add the execute permission.
Let’s add the read permission back on the “.page” files for the others category of users. We must set the user and group permissions as well, so we need to set them to what they are already. These users already have read and write permissions, which is 6 (110). We want the “others” to have read and permissions, so they need to be set to 4 (100).
The following command will accomplish this:
chmod 664 *.page
This sets the permissions we require for the user, group members, and others to what we require. The users and group members have their permissions reset to what they already were, and the others have the read permission restored.
If you read the man page for
chmod you’ll see there are some advanced options related to the SETUID and SETGID bits, and to the restricted deletion or “sticky” bit.
For 99% of the cases you’ll need
chmod for, the options described here will have you covered.