The Linux command chmod allows you to control exactly who is able to read, edit, or run your files. Chmod is an abbreviation for change mode; if you ever need to say it out loud, just pronounce it exactly as it looks: ch’-mod.
How does chmod work?
To use chmod, you need to know about access modes. Each file on a Linux system has nine access modes (or settings) that determine exactly who can do what to the file. Chmod is the command that lets you change these settings.
There are three classes of people:
- user (u)
- the person who created the file
- group (g)
- people in a selected group
- other (o)
- everyone else on the system
For each class of people there are three classes of permissions:
- read (r)
- ability to see the contents of the file
- write (w)
- ability to change the contents of the file
- execute (x)
- ability to execute the contents of the file
Viewing file and directory permissions
Use the Linux command, ‘ls -l‘ (that is the letter l, not the number 1) to see a listing of files and their permissions.
% ls -l
total 161
-rw-r--r-- 1 fred 49487 Jan 26 12:36 all
-rw-r--r-- 1 fred 3235 Jan 26 16:46 cs320
-rw------- 1 fred 64 Jan 26 20:14 diary
%
How to interpret the permissions
Here is a sample directory listing, showing the permission fields and the people associated with each permission:
:<------------special flag to indicate type of file
: [d : directory, - : file]
: u<--------------three permissions for USER
:|||
:||| g<--------------three permissions for GROUP
:|||:::
:|||::: o<---------------three permissions for OTHER
:|||:::|||
drwxrwxrwx 2 fred 1024 Jan 26 12:26 stuff
-rw------- 2 fred 1024 Jan 26 12:26 more-stuff
-rwxr-xr-x 2 fred 1024 Jan 26 12:26 yet-more
A hyphen (-) indicates that the permission is disabled. An enabled permission is shown by the appropriate letter, ‘r’ ‘w’ or ‘x.’ In the example above, stuff is a directory (more on that below), the file more-stuff may be read and changed only by the owner (Fred), and the file yet-more may be read, changed and executed by Fred, and read and executed by everyone else.
Directory permissions
The permission fields for directories are interpreted a little differently than those for a file. The three fields (user, group, other) remain the same as those for a file but the three permissions mean:
r(ead): can look for a file name in this directory
w(rite): can create or delete files in this directory
x(ecute): can search into this directory
In other words, directory permissions protect files rather than the contents of files. For example, if someone only has execute permission on a directory, he or she can list or run a file in that directory but cannot get a listing of all the files in that directory. For that they would have to know the exact names in advance.
It is necessary to have execute permission on a directory to change (chdir) to it.
Controlling access with chmod
In order to control the access users may have to your file or directory, use the ‘change mode’ program, chmod.
The chmod command allows changing of permissions using the letters u, g, and o (user, group, and others) and r, w, and x (read, write, and execute). For example, to turn off others’ write permission you can issue the command:
chmod o-w filename
(you might translate “o-w” as “for others, take away write permission.”)
To turn write permission back on you would say:
chmod o+w filename
(similarly, “for others, add write permission.”)
You can group changes together with commas. For example, in order to make a file readable by the public but writable by your group, you might use the command:
chmod g+rw,o+r filename
To remove write permission from your group later on, you could issue the command:
chmod g-w filename
Another way to achieve the same result would be to use the command
chmod g=r filename
The = operator assigns the permission explicitly so that all other settings for that category (owner, group, or others) will be reset. For example, g=r would remove all permission from the group except read, and explicitly set read if not set already.
Some tips on permissions and privacy:
- It is unlikely that you would ever want to give the public write permission to your files or directories.
- If you wish to grant access to a directory to others, without risking changes to the directory’s files, give ‘r’ AND ‘x’ permissions. The execute flag is important for access along with the read flag.
- If you wish to keep the directory private, then remove permissions from the ‘other‘ fields.
Note: it is possible to delete a file in a directory, even without having read or write access to that file, merely by having write access to the file’s directory.
Changing access to multiple files
The chmod -R option allows you to recursively descend through directory arguments, setting the mode for each file as specified. When symbolic links are encountered, their mode is not changed and they are not traversed.
Using octal values to change access
You can also use numbers (octal values) instead of letters to set the permissions. The following table shows some commonly used settings.
Private Public
Directory 700 755
Text file 600 644
To change the mode of the protection fields, use the command
% chmod 700 directory
% ls -ld directory
drwx------ 2 fred 1024 Jan 6 18:32 directory
% chmod 755 directory
% ls -ld directory
drwxr-xr-x 2 fred 1024 Jan 6 18:32 directory
% chmod 600 filename
% ls -l filename
drw------- 2 fred 3234 Jan 6 18:34 filename
% chmod 644 filename
% ls -l filename
drwxr-xr-x 2 fred 3234 Jan 6 18:34 filename
Can you lock yourself out?
You can chmod a file so that you can’t read, write, or execute it even though you own it. There may be circumstances in which you intentionally turn off write permission to yourself, so that you don’t accidentally change the file — or you may do it by mistake. You can never get yourself into very much trouble with this feature, but some people get worried when the system refuses to let them read or write their own files. If you should find yourself in this situation, just use chmod again, changing the permissions to whatever settings you prefer.
References
For further information, see the chmod, ls, and umask online manual pages or one of the many general books on using the Linux file system. Research Computing Services offers tutorials on Linux and other subjects at the start of the Fall, Spring, and Summer.