The chmod (change mode) command sets access permissions on a file or a directory to protect it from unauthorized access by other users on the same system. The basic permissions are read, write and execute, and they are assigned separately to the owner, the group and everyone else on the system. Here I’ll explain the chmod command and how to use it in the Linux terminal.
Note: To list the permissions of an object (file or directory), use the ls -l command.
chmod [options] mode files
The Options Parameter
The options parameter can take the following arguments:
| Option | Description |
|---|---|
| -f, --silent, --quiet | Suppress most error messages |
| -v, --verbose | Output a diagnostic for every file processed (Show objects changed; unaffected objects are not shown). |
| -c, --changes | Like verbose but report only when a change is made |
| -R, --recursive | Change files and directories recursively (Explained below) |
| --help | Display help and exit |
| --version | Output version information and exit |
Note: The options parameter can be omitted altogether when using the chmod command.
Note: The recursive attribute (-R) is used to recursively operate on all files and directories under a given directory (i.e. to include the contents of a directory while executing chmod on the parent directory).
The Mode parameter
The mode parameter is what sets the permissions for the three security levels (owner, group, others). The mode parameter can have 3 different forms:
- The octal representation of the symbolic (rwx) permissions. This octal value can be up to 4 digits long. The last 3 digits represent owner, group and others respectively. The 4th (leading) digit holds the sticky bit.
Note: The sticky bit holds either a 1 or 0. This bit does a really great job if you know what you’re doing. Normally, what happens is that if you have the write permissions for a directory, you can delete & modify the files inside that directory. But if you set the sticky bit to 1, you would need separate write permissions for deleting the files even when you have the same for the directory itself.
Here’s a chart that shows the octal representations of rwx permissions. To learn more about file permissions on Linux, read this article.
| Symbolic | Octal | Meaning |
|---|---|---|
| -wx | 3 | Write & Execute permissions |
| r-x | 5 | Read & Execute permissions |
| rw- | 6 | Read & Write permissions |
| rwx | 7 | Read, Write & Execute permissions |
- --reference=file, to give the current file the same permissions as the specified reference file.
- The symbolic representation consisting of three sets of three characters (each for the owner, group & everyone else). The symbols either specify absolute permissions or relative permissions (related to the file’s existing permissions). The correct format for specifying a permission under this mode is:
[ugoa…] [+-=] [rwxXstugo…]
The first set defines to whom these new permissions apply:
- u for the user or the owner
- g for the group
- o for others or everyone else
- a for all of the above
The second set of characters indicates whether you want to add the new permissions to the existing permissions (+ sign), remove the permissions from the existing permissions (- sign) or set the new permissions directly (= sign).
The third set defines the permission itself:
- r for read permission
- w for write permission
- x for execute permission
- X to assign execute permissions only if the object is a directory or already has execute permissions
- s (setuid or setgid) to set the UID or GID on execution of a script or an executable file (Explained below)
- t for the sticky bit
- u to duplicate user permissions
- g to duplicate group permissions
- o to duplicate others permissions
The setuid (Set User ID) and setgid (Set Group ID) attributes have a really powerful function when applied to shell scripts or executables.
Consider, for example, a file named program.sh owned by some user named John and a group named Colleagues. If the file program.sh has setuid enabled in the permissions, then anyone who runs program.sh will become the user “John” with all rights and privileges (as defined in the permissions), till the program ends. In a similar manner, if the file program.sh has setgid enabled, then anyone who runs it will become a member of the group Colleagues with all privileges.
Warning: As you might think, setuid & setgid have an effect on the security of the system. Therefore, use these attributes carefully.
Here are some examples of me using the chmod command that will help you understand its usage better:
- chmod 755 program.sh
Explanation: The octal value 7 gives rwx permissions to the user i.e. phantomphreak while giving only read and execute permissions to the group and everyone else.
- chmod 1755 program.sh
Explanation: This command is the same as the previous one but with an added sticky bit. The sticky bit is explained earlier in this article.
- chmod u-x program.sh
Explanation: This command removes the execute permissions from the user i.e. phantomphreak. Notice the (-) sign.
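The script below is an added example, not part of the original article: it runs the chmod forms shown above in a scratch directory, prints the resulting octal mode after each step, and audits the tree for the setuid/setgid and sticky-bit cases the article warns about. It assumes a Linux system with GNU or BusyBox stat and find; the function names mode_of, audit_modes and demo are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Linux with GNU or
# BusyBox stat/find; mode_of, audit_modes and demo are illustrative names.

# Print a file's permissions in octal, e.g. 755 or 1755.
mode_of() { stat -c '%a' "$1"; }

# Report entries under directory $1 that deserve a review:
#  - regular files with setuid (4000) or setgid (2000) set
#  - directories writable by "others" (0002) without the sticky bit (1000)
audit_modes() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/SUID-SGID /'
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/NO-STICKY /'
}

# Walk through the article's commands in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/program.sh"
    touch "$f"
    mkdir "$d/shared"

    chmod 755 "$f";      echo "chmod 755     -> $(mode_of "$f")"
    chmod u-x "$f";      echo "chmod u-x     -> $(mode_of "$f")"
    # The Linux kernel does not honour setuid/setgid on #! scripts,
    # but the bit still shows up in the mode and in an audit.
    chmod u+x,u+s "$f";  echo "chmod u+x,u+s -> $(mode_of "$f")"
    chmod 777 "$d/shared"

    echo "audit before fixes:"
    audit_modes "$d"

    chmod u-s "$f"            # drop setuid again
    chmod 1777 "$d/shared"    # same rwx bits, plus the sticky bit
    echo "audit after fixes:"
    audit_modes "$d"

    rm -rf "$d"
}

demo
```
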