Change Access Permissions with chmod

chmod changes the access permissions of the named files. Synopsis:
chmod [option]… {mode | --reference=ref_file} file…

Structure of File Mode Bits

The file mode bits have two parts: the file permission bits, which control ordinary access to the file, and special mode bits, which affect only some files.

There are three kinds of permissions that a user can have for a file:

  1. permission to read the file. For directories, this means permission to list the contents of the directory.
  2. permission to write to (change) the file. For directories, this means permission to create and remove files in the directory.
  3. permission to execute the file (run it as a program). For directories, this means permission to access files in the directory.

There are three categories of users who may have different permissions to perform any of the above operations on a file:

  1. the file’s owner;
  2. other users who are in the file’s group;
  3. everyone else.

Files are given an owner and group when they are created. Usually the owner is the current user and the group is the group of the directory the file is in, but this varies with the operating system, the file system the file is created on, and the way the file is created. You can change the owner and group of a file by using the chown and chgrp commands.

In addition to the three sets of three permissions listed above, the file mode bits have three special components, which affect only executable files (programs) and, on most systems, directories:

The set-user-ID bit (setuid bit): On execution, set the process’s effective user ID to that of the file. For directories on a few systems, give files created in the directory the same owner as the directory, no matter who creates them, and set the set-user-ID bit of newly-created subdirectories.

The set-group-ID bit (setgid bit): On execution, set the process’s effective group ID to that of the file. For directories on most systems, give files created in the directory the same group as the directory, no matter what group the user who creates them is in, and set the set-group-ID bit of newly-created subdirectories.

The restricted deletion flag or sticky bit: Prevent unprivileged users from removing or renaming a file in a directory unless they own the file or the directory; this is commonly found on world-writable directories like /tmp. For regular files on some older systems, save the program’s text image on the swap device so it will load more quickly when run, so that the image is “sticky”.
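The three special bits described above are what a permissions audit usually looks for first. The following is an added example, not part of the original documentation: it reports set-user-ID and set-group-ID regular files and world-writable directories that lack the restricted deletion flag. The function names, the output labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report special mode bits that deserve review.
# Output: one finding per line, "LABEL path". Paths containing newlines
# are not handled.

audit_special_bits() {
    # Regular files with the set-user-ID bit (octal 4000): they run with
    # the file owner's effective user ID.
    find "$1" -type f -perm -4000 -print | sed 's/^/SETUID /'
    # Regular files with the set-group-ID bit (octal 2000): they run with
    # the file group's effective group ID.
    find "$1" -type f -perm -2000 -print | sed 's/^/SETGID /'
    # Directories writable by everyone (0002) without the restricted
    # deletion flag (1000): any user may remove or rename others' files.
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/NO-STICKY /'
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/shared" "$t/sticky"
    : > "$t/helper"
    : > "$t/plain"
    chmod 4755 "$t/helper"   # set-user-ID program
    chmod 0644 "$t/plain"    # ordinary file, not reported
    chmod 0777 "$t/shared"   # world-writable, no sticky bit: reported
    chmod 1777 "$t/sticky"   # same mode as /tmp: not reported
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_special_bits "$tree"
rm -rf "$tree"
```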

Setting Permissions

The basic symbolic operations on a file’s permissions are adding, removing, and setting the permission that certain users have to read, write, and execute or search the file. These operations have the following format:

users operation permissions

The spaces between the three parts above are shown for readability only; symbolic modes cannot contain spaces.

The users part tells which users’ access to the file is changed. It consists of one or more of the following letters. When more than one of these letters is given, the order that they are in does not matter.
u the user who owns the file;

g other users who are in the file’s group;

o all other users;

a all users; the same as ‘ugo’.

The operation part tells how to change the affected users’ access to the file, and is one of the following symbols:

+ to add the permissions to whatever permissions the users already have for the file;

- to remove the permissions from whatever permissions the users already have for the file;

= to make the permissions the only permissions that the users have for the file.

The permissions part tells what kind of access to the file should be changed; it is normally zero or more of the following letters. As with the users part, the order does not matter when more than one letter is given. Omitting the permissions part is useful only with the ‘=’ operation, where it gives the specified users no access at all to the file.

r the permission the users have to read the file;

w the permission the users have to write to the file;

x the permission the users have to execute the file, or search it if it is a directory.

For example, to give everyone permission to read and write a regular file, but not to execute it, use: a=rw

To remove write permission for all users other than the file’s owner, use: go-w

The above command does not affect the access that the owner of the file has to it, nor does it affect whether other users can read or execute the file.

To give everyone except a file’s owner no permission to do anything with that file, use the mode below. Other users could still remove the file, if they have write permission on the directory it is in.

go=

Another way to specify the same thing is: og-rwx

chmod never changes the permissions of symbolic links, since the chmod system call cannot change their permissions. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file. In contrast, chmod ignores symbolic links encountered during recursive directory traversals.
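The difference between a symbolic link named on the command line and one met during a recursive traversal decides whether a chmod -R can change a file outside the tree it was pointed at. The following is an added example, not part of the original documentation, and it checks both cases on a constructed temporary tree. The helper names are made up for illustration, and mode_of assumes GNU stat with a BSD stat fallback.

```shell
#!/bin/sh
# Added example: symbolic links on the command line vs. during -R traversal.

# Print the octal permission bits of a file (GNU stat, then BSD stat).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Prints three modes: inside-after-R  outside-after-R  outside-after-direct
symlink_demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/tree"
    : > "$t/outside"
    : > "$t/tree/inside"
    chmod 644 "$t/outside" "$t/tree/inside"
    # A link inside the tree that points at a file outside it.
    ln -s ../outside "$t/tree/link"

    # Recursive traversal: the link is ignored, so "outside" keeps 644
    # while "inside" drops to 600.
    chmod -R go= "$t/tree"
    after_recursive="$(mode_of "$t/tree/inside") $(mode_of "$t/outside")"

    # Link listed on the command line: the pointed-to file is changed.
    chmod go= "$t/tree/link"
    after_direct=$(mode_of "$t/outside")

    rm -rf "$t"
    printf '%s %s\n' "$after_recursive" "$after_direct"
}

symlink_demo   # prints: 600 644 600
```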

Only a process whose effective user ID matches the user ID of the file, or a process with appropriate privileges, is permitted to change the file mode bits of a file.

A successful use of chmod clears the set-group-ID bit of a regular file if the file’s group ID does not match the user’s effective group ID or one of the user’s supplementary group IDs, unless the user has appropriate privileges. Additional restrictions may cause the set-user-ID and set-group-ID bits of mode or ref_file to be ignored. This behavior depends on the policy and functionality of the underlying chmod system call. When in doubt, check the underlying system behavior.

If used, mode specifies the new file mode bits. If you really want mode to have a leading ‘-’, you should use -- first, e.g., ‘chmod -- -w file’. Typically, though, ‘chmod a-w file’ is preferable, and ‘chmod -w file’ (without the --) complains if it behaves differently from what ‘chmod a-w file’ would do.

Let us take a look at options supported by chmod:

-c or --changes Verbosely describe the action for each file whose permissions actually change.

-f or --silent or --quiet Do not print error messages about files whose permissions cannot be changed.

--preserve-root Fail upon any attempt to recursively change the root directory, /. Without --recursive, this option has no effect.

--no-preserve-root Cancel the effect of any preceding --preserve-root option.

-v or --verbose Verbosely describe the action or non-action taken for every file.

--reference=ref_file Change the mode of each file to be the same as that of ref_file. If ref_file is a symbolic link, do not use the mode of the symbolic link, but rather that of the file it refers to.

-R or --recursive Recursively change permissions of directories and their contents.

Examples:

# Change file permissions of FOO to be world readable
# and user writable, with no other permissions.
chmod 644 foo
chmod a=r,u+w foo

# Add user and group execute permissions to FOO.
chmod +110 file
chmod ug+x file

# Set file permissions of DIR and subsidiary files to
# be the umask default, assuming execute permissions for
# directories and for files already executable.
chmod -R a=,+rwX dir
