The UNIX command chmod allows you to control exactly who is able to read, edit, or run your files. Chmod is an abbreviation for change mode; if you ever need to say it out loud, just pronounce it exactly as it looks: ch’-mod.

How does chmod work?

To use chmod, you need to know about access modes. Each file on a UNIX system has nine access modes (or settings) that determine exactly who can do what to the file. Chmod is the command that lets you change these settings.

There are three classes of people:

user (u)
the person who created the file
group (g)
people in a selected group
other (o)
everyone else on the system

For each class of people there are three classes of permissions:

read (r)
ability to see the contents of the file
write (w)
ability to change the contents of the file
execute (x)
ability to execute the contents of the file

Viewing file and directory permissions

Use the UNIX command, ‘ls -l’ (that is the letter l, not the number 1) to see a listing of files and their permissions.

          % ls -l

          total 161

          -rw-r--r--  1 fred   49487 Jan 26 12:36 all

          -rw-r--r--  1 fred    3235 Jan 26 16:46 cs320

          -rw-------  1 fred      64 Jan 26 20:14 diary

          %

How to interpret the permissions
Here is a sample directory listing, showing the permission fields and the people associated with each permission:

          :<------------special flag to indicate type of file

          :                  [d : directory, - : file]

          : u<--------------three permissions for USER

          :|||

          :||| g<--------------three permissions for GROUP

          :|||:::

          :|||::: o<---------------three permissions for OTHER

          :|||:::|||

          drwxrwxrwx  2 fred         1024 Jan 26 12:26 stuff

          -rw-------  2 fred         1024 Jan 26 12:26 more-stuff

          -rwxr-xr-x  2 fred         1024 Jan 26 12:26 yet-more

A hyphen (-) indicates that the permission is disabled. An enabled permission is shown by the appropriate letter, ‘r’ ‘w’ or ‘x.’ In the example above, stuff is a directory (more on that below), the file more-stuff may be read and changed only by the owner (Fred), and the file yet-more may be read, changed and executed by Fred, and read and executed by everyone else.

Directory permissions

The permission fields for directories are interpreted a little differently than those for a file. The three fields (user, group, other) remain the same as those for a file but the three permissions mean:

          r(ead):   can look for a file name in this directory

          w(rite):  can create or delete files in this directory

          x(ecute): can search into this directory

In other words, directory permissions protect files rather than the contents of files. For example, if someone only has execute permission on a directory, he or she can list or run a file in that directory but cannot get a listing of all the files in that directory. For that they would have to know the exact names in advance.

It is necessary to have execute permission on a directory to change (chdir) to it.

Controlling access with chmod

In order to control the access users may have to your file or directory, use the ‘change mode’ program, chmod.

The chmod command allows changing of permissions using the letters u, g, and o (user, group, and others) and r, w, and x (read, write, and execute). For example, to turn off others’ write permission you can issue the command:

          chmod o-w filename

(you might translate “o-w” as “for others, take away write permission.”)

To turn write permission back on you would say:

          chmod o+w filename

(similarly, “for others, add write permission.”)

You can group changes together with commas. For example, in order to make a file readable by the public but writable by your group, you might use the command:

          chmod g+rw,o+r filename

To remove write permission from your group later on, you could issue the command:

          chmod g-w filename

Another way to achieve the same result would be to use the command

          chmod g=r filename

The = operator assigns the permission explicitly so that all other settings for that category (owner, group, or others) will be reset. For example, g=r would remove all permission from the group except read, and explicitly set read if not set already.

Some tips on permissions and privacy:

  • It is unlikely that you would ever want to give the public write permission to your files or directories.
  • If you wish to grant access to a directory to others, without risking changes to the directory’s files, give ‘r’ AND ‘x’ permissions. The execute flag is important for access along with the read flag.
  • If you wish to keep the directory private, then remove permissions from the ‘other‘ fields.

Note: it is possible to delete a file in a directory, even without having read or write access to that file, merely by having write access to the file’s directory.

Changing access to multiple files
The chmod -R option allows you to recursively descend through directory arguments, setting the mode for each file as specified. When symbolic links are encountered, their mode is not changed and they are not traversed.

Using octal values to change access
You can also use numbers (octal values) instead of letters to set the permissions. The following table shows some commonly used settings.

                          Private         Public

          Directory         700             755

          Text file         600             644

     To change the mode of the protection fields, use the command

          % chmod 700 directory

          % ls -ld directory

          drwx------  2 fred         1024 Jan  6 18:32 directory

          % chmod 755 directory

          % ls -ld directory

          drwxr-xr-x  2 fred         1024 Jan  6 18:32 directory

          % chmod 600 filename

          % ls -l filename

          drw-------  2 fred         3234 Jan  6 18:34 filename

          % chmod 644 filename

          % ls -l filename

          drwxr-xr-x  2 fred         3234 Jan  6 18:34 filename

Can you lock yourself out?
You can chmod a file so that you can’t read, write, or execute it even though you own it. There may be circumstances in which you intentionally turn off write permission to yourself, so that you don’t accidentally change the file — or you may do it by mistake. You can never get yourself into very much trouble with this feature, but some people get worried when the system refuses to let them read or write their own files. If you should find yourself in this situation, just use chmod again, changing the permissions to whatever settings you prefer.

References

For further information, see the chmod, ls, and umask online manual pages or one of the many general books on using the UNIX file system. Information Services & Technology sponsors tutorials on UNIX and other subjects during the academic year.