We've done the thinking and the seeing, now to start the doing. Continuing our series on file permissions, we look at using the chmod command.
In the previous article in this series we learned how to use the “ls” command to check the permissions and ownership of files and directories. Now we can look at the command we use to change those permissions. That command is “chmod”.
The basic format for chmod looks something like:
chmod [permissions] [file1 file2 file3...]
The chmod command looks a lot like chown — the part you’re changing comes first (for chmod, the permissions), then you list one or more file targets for the command.
Like the chown command, you can use “-R” to tell chmod to apply permissions to everything in a directory:
chmod -R [permissions] [directory]
With the format of the command in mind, let’s look at the first of two ways permissions can be assigned: symbolically.
The symbolic approach to chmod and permissions is a bit easier to understand, so we'll start there. The general format is to specify an "accessor", which designates the permissions category being modified, then an operator like "=" or "+" or "-", then the permissions themselves.
That's right, what I just described is the easy way. Don't focus on that too much, focus on how brilliant you will be when, at the end of this, you are a file permissions expert.
The first part of setting permissions is the "accessor", which describes the category the permissions will be applied to. Each category name has a one-letter abbreviation:
u refers to the user category, the one that applies to the file owner
g refers to the group category, that applies to users that share a group with the file
o refers to the other category, the category that applies to everyone else
There’s one more accessor of note:
a refers to all categories at once
The permissions are represented by the same letters as they are in a directory listing — read, write, and execute are r, w, and x, respectively.
To connect the accessors to the permissions you'll use an operator. The first operator we'll look at is a straightforward assignment:
= assigns the listed permissions to the listed categories.
You can list more than one category or permission on each side of the operator. For example, to give everyone every permission for a file, you could run:
chmod ugo=rwx file1
Though granted, there’s an “a” operator you could use, so that would probably look cleaner as:
chmod a=rwx file1
You usually don't want to use the same permissions for every user unless you're making a file read-only (there are often better ways to solve a problem than giving everyone write access). You can send multiple operations to chmod by separating them with commas (no spaces):
chmod u=rwx,g=rx,o=rx file1 file2
And again, just to be clear, you can combine accessors to achieve the same result:
chmod u=rwx,go=rx file1 file2
Both of the above give the owner full access and everyone else read and execute permissions.
Aside from the “=” operator, you can also add or subtract permissions:
+ adds the listed permissions to what is already there for the listed categories. If the requested permissions are already in place, nothing is changed.
- removes the listed permissions from what is already there for the listed categories. If the requested permissions aren’t there to begin with, nothing is changed.
To just add group write permissions to some files without changing any other permissions, you can run:
chmod g+w file1 file2 file3
If you want to remove read and execute access from everyone but the file owner, you can run:
chmod go-rx file1 file2 file3
If you omit the accessor, the change will be applied to all categories (as if you'd used the "a" accessor). So to remove all execute access to a file, you can just type:
chmod -x file1 file2
It’s generally safer to keep in the habit of specifying the category, or using “a” if you want to change permissions for everyone at once.
There’s a special permission option you can send to chmod: a capital X.
X refers to execute permission just for directories and for files that already have execute permission for one or more categories.
Using "X" for a permission is kind of like telling chmod to intelligently change execute permissions. With X, you won't add execute permissions to files you haven't already made executable. It's much safer and cleaner than applying executable permissions to files you don't actually want to execute as commands.
The X permission is usually used when you're making changes to everything in a directory and its subdirectory using the "-R" flag. For example:
chmod -R a+X directory
The above command would grant everyone execute permission for the directory in question, all subdirectories, and any files for which someone already has execute permissions.
Or, to illustrate the effect through a directory listing, if you start with these files and directories:
-rwxr-x--- 1 demo demo 0 2010-07-15 01:40 foo -rw-r----- 1 demo www-data 0 2010-01-21 15:55 gee.txt drwxrwx--- 2 demo demo 4096 2010-07-16 18:18 testsub
And then run:
chmod o+rX *
Then you will apply read permissions and execute permissions to the “other” category as appropriate for all files and directories (the “*” in the command is a shortcut for all files):
-rwxr-xr-x 1 demo demo 0 2010-07-15 01:40 foo -rw-r--r-- 1 demo www-data 0 2010-01-21 15:55 gee.txt drwxrwxr-x 2 demo demo 4096 2010-07-16 18:18 testsub
Note that "gee.txt" did not get get the execute permission set, but everything else did. Everything else was either a directory or could already be executed by user or group.
You can use the X permission when assigning permissions directly:
chmod -R u=rwX,go=rX directory
That command would set read and write permissions for the user and read permissions for everyone else on all files in the directory, then add execute permission to the directory, all subdirectories, and any files that were already executable.
It’s possible to use X with the “-” (remove) operator, but since it behaves the same as “x” (since it just removes the execute bit) there isn’t much point to using X that way.
Still, the main point, and the reason I explained this one at such length: When changing permissions on a directory and all its contents you’re much better off using “X” than “x”. Adding the execute bit to files that don’t need it can be a potential security headache, and it can make it harder to remember which files you actually want to be executable when everything’s already executable.
Now we’re getting somewhere! Now that you can both check and change permissions, you can both hunt down problems and fix them. You also know enough to be able to set up some fancy permission combinations using users and groups. If some instructions tell you to make a file or directory writeable by everyone, you’ll find it much more secure to use group permissions to add that access to just the users and processes that actually need it.
Don’t stop now, though. The next article describes another way to use chmod. It’s not a very intuitive way to set permissions, but it’s useful, and more importantly, it’s widely used. Someday you’ll need to understand what it means when someone says to set a directory to “777” (and why to say no). Learning about using chmod with octal mode will help you with that.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License