Permission bits are manipulated using the chmod command. This command has two basic forms. The first uses numeric codes:
$ ls -l filename
-rw-rw-r-- 1 jeremy jeremy 1145 Apr 8 09:40 filename
$ chmod 755 filename
$ ls -l filename
-rwxr-xr-x 1 jeremy jeremy 1145 Apr 8 09:42 filename
In the second form of the chmod command, permissions are added or removed by symbolic codes. The levels of user, group, and other are represented by the codes u, g, and o respectively. The permissions are represented as usual by r, w, and x.
The syntax is then
chmod [levels][+/-/=][permission] filename
chmod u+x filename
chmod og=r filename
chmod o-x filename
respectively give the user execute permission for filename, set read-only permission for group and other, and remove execute permission for other. The = argument is designed to assign only a specific permission (or set of permissions) to a file or directory.
The = argument revokes every permission you do not specifically assign. Here are a few more details on the +, -, and = arguments.
chmod changes the access mode of one or more files. Only the owner of a file or a privileged user may change its mode. Build a mode by concatenating the characters from who, opcode, and permission. who is optional (if omitted, the default is a); choose only one opcode.
GNU/Linux and Mac OS X Options
- -f, --quiet, --silent: Do not print error messages about files that cannot be changed.
- -R, --recursive: Recursively descend through the directory, including subdirectories and symbolic links, setting the specified mode as it proceeds. The last of -H, -L, and -P takes effect when used with -R.
- -v, --verbose: Verbosely describe the mode change made (or attempted) for every file processed.
- -c, --changes: Print information only about files that are actually changed.
- --no-preserve-root: Do not treat the root directory, /, specially (the default).
- --preserve-root: Do not operate recursively on /, the root directory.
- --reference=filename: Use the mode of filename instead of specifying a mode on the command line.
By default, the chmod command combines the requested change with the permission bits a file or folder already has.
Therefore, chmod with + or - defaults to adding to (or removing from) any permission values that might already exist on a file or directory, rather than replacing them.
Suppose that you have a file named userprogram. It has the following permissions: rw-rw-rw-.
If you enter
chmod u+x userprogram
you will be giving permission for a user to execute the program named userprogram.
The permissions for this file would then read rwxrw-rw-.
By using the + argument, you have simply added one extra user permission to the file. You can, of course, use the - argument to revoke such permissions.
chmod u-x userprogram
would return the file's permissions to its original state. You must understand that the + and - arguments add and remove permissions, but any permissions you do not specify will remain in force for this particular file or directory. Unless you explicitly add or subtract permissions from the user, group, and everyone blocks of the file or directory, the permissions will remain unchanged. The = argument, however, works in exactly the opposite way. It removes all permissions except those you explicitly provide. For example, suppose that you have a file named passwd. Further, suppose that it has full access permissions noted in each block: rwxrwxrwx. If you used chmod with the = argument, you could modify the permissions without having to revoke each permission individually.
Therefore, if you assigned the desired permissions for user, group, and other with a single = command,
the file's permissions would read r-xr-x--x.
If you compare the resulting permissions with those the file originally had, you can see that the use of = removed several permissions automatically because you did not explicitly assign them. If you use the = argument without any modifiers, you will effectively remove all permissions associated with the group you have identified. For example, if you type
chmod u= userfile
the owner (user) will not be able to read, write, or execute this file.
In addition, the a code refers to everyone (all). To remove read permission from user, group, and other simultaneously, type
chmod a-r filename
The empty permission string can be used to remove all permissions from some levels. For example, the following command removes all group-level permissions:
chmod g= filename
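The following shell script is an added example, not part of the original text: it applies each of the symbolic expressions discussed above (u+x, u-x, the = assignment that yields r-xr-x--x, the empty u= and g= assignments, and a-r) to a fresh temporary file that starts at a known numeric mode, then reads the resulting permission string back with ls -l. The function names mode_of, apply_mode and demo are this example's own; the starting modes are set with numeric codes first so the result does not depend on your umask.

```shell
#!/bin/sh
# Added example (not from the original text): apply a symbolic chmod
# expression to a file that starts at a known numeric mode, then read
# the resulting permission string back with ls -l.

# mode_of FILE -> prints the ten-character type+permission field of ls -l
# (cut to 10 chars so an ACL "+" or SELinux "." marker does not leak in)
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# apply_mode START_OCTAL SYMBOLIC_MODE -> prints the permission string a
# fresh file ends up with after "chmod START_OCTAL" then "chmod SYMBOLIC".
# START_OCTAL is applied first so the result does not depend on umask.
apply_mode() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && chmod "$2" "$f" && mode_of "$f"
    rc=$?
    rm -f -- "$f"
    return "$rc"
}

# demo: the cases discussed in the text, one per line as
#   start  expression  result
demo() {
    printf '%-5s %-16s %s\n' start expression result
    for spec in "666 u+x" "666 u-x" "777 u=rx,g=rx,o=x" "777 u=" "666 g=" "777 a-r"; do
        set -- $spec
        printf '%-5s %-16s %s\n' "$1" "$2" "$(apply_mode "$1" "$2")"
    done
}

demo
```

Running it prints one line per case; the "777 u=" line shows the owner column emptied to --- while group and other keep rwx, and the "777 a-r" line shows every r bit removed at once.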
The chmod command supports a recursive option, -R. For example, to add read permission for user, group, and other to a directory and, recursively, to all of its subdirectories and files, use
chmod -R a+r directory
Remember, too, that like other commands, chmod can be used with wildcards. To add read permission for user, group, and other to every file in the current directory, the following command will work well:
chmod a+r *
The chmod -R command (and chmod itself) can have dangerous consequences.
For example, suppose you remove execute permission recursively from the top of the filesystem while possessing root permissions. You would strip execute permission from practically every system command, including chmod itself. No commands could be run, so no easy fix would be available. Be careful, especially when working as root.
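As an added example (not from the original text), the script below shows a guarded alternative to a bare chmod -R: it refuses to act when the target is empty, missing, or resolves to /, and it sets directory and file modes separately with find, so directories receive the x bit needed to traverse them without every regular file becoming executable. The functions set_tree_modes, build_tree, mode_of and demo, and the sample tree they build under mktemp, are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original text): a guarded alternative to a
# bare "chmod -R". It refuses to run against "/", and it sets directory
# and file modes separately, so directories get the x bit needed to
# traverse them without every regular file becoming executable.

# mode_of PATH -> ten-character type+permission field from ls -l
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# set_tree_modes ROOT DIR_MODE FILE_MODE
#   returns 2 and changes nothing if ROOT is empty, missing, or resolves to /
set_tree_modes() {
    root=$1; dmode=$2; fmode=$3
    [ -n "$root" ] && [ -d "$root" ] || return 2
    abs=$(cd -P -- "$root" 2>/dev/null && pwd -P) || return 2
    [ "$abs" != "/" ] || return 2
    find "$abs" -type d -exec chmod "$dmode" {} + &&
    find "$abs" -type f -exec chmod "$fmode" {} +
}

# build_tree -> prints the path of a constructed sample tree
#   (a directory with a subdirectory and two files), all deliberately 777
build_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" && : > "$d/bin/tool" && : > "$d/notes.txt" || return 1
    chmod 777 "$d" "$d/bin" "$d/bin/tool" "$d/notes.txt"
    printf '%s\n' "$d"
}

demo() {
    d=$(build_tree) || return 1
    set_tree_modes "$d" 750 640 || return 1
    for p in "" /bin /bin/tool /notes.txt; do
        printf '%s  %s\n' "$(mode_of "$d$p")" "$d$p"
    done
    # the guard: this must fail without touching anything
    if set_tree_modes / 755 644; then
        echo "guard failed"
    else
        echo "refused to operate on /"
    fi
    rm -rf -- "$d"
}

demo
```

After set_tree_modes the two directories read drwxr-x--- and the two files -rw-r-----; a single chmod -R 750 would instead have left notes.txt executable, and chmod -R 640 would have made the subdirectory untraversable by group. Note that --preserve-root from the option list above only refuses a recursive run whose target is exactly /; it does not protect against a recursive run started from /usr or /etc.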
Changing File Permissions using chmod
The following exercise walks through changing file and directory permissions with the chmod command:
- You are currently logged in as user1, a user with normal permissions, and are in your home directory (/home/user1/). Obtain a listing of files in your home directory, including all associated permissions.
Solution: Use the ls command with the -l argument.
- Note that you own a file named readme. As you can see, although you own the file, you do not have read permission for it. Using symbolic codes, change the permissions so you can read, as well as write and execute the file. Do not allow anyone else to read the file.
Solution: chmod u+r readme
- Now you want to create a subdirectory of your home directory in which no one (including yourself, unless you take further steps) can create or delete files. You do, however, want to enable all users to list all directory contents. First, create the new subdirectory.
- Using numeric codes, remove write permissions for all users.
Solution: chmod 555 subdir
- Next, you want to create a new subdirectory of your home directory and then set permissions on this directory so no one, not even yourself, can list the files. However, you still want to allow all users to create and execute files, as long as they know where those files exist. To do this, create a directory named nolist.
Solution: mkdir nolist
- Use the a argument of chmod to remove read privileges to the nolist directory for all users.
Solution: chmod a-r nolist
- Set permissions so that no one but you can list the files. You still want other users to be able to create, delete, and execute new ones, however. Use numeric coding.
Solution: chmod 733 nolist
- Now, switch to the user2 account.
Solution: su user2
- Change to the nolist directory.
Solution: cd nolist
- Type ls -l to list the files, subdirectories, and associated permissions for this directory.
- Note that you cannot list any files or subdirectories. However, you can create new files and subdirectories. Use touch to create a new file named testfile.
Solution: touch testfile
- Create a new directory named testdir.
Solution: mkdir testdir
- Now, suspend the user2 subshell and return to your login shell.
- As user1, you have been tasked with creating a subdirectory inside your home directory that is completely hidden to all users. You are to make this directory so that no one can even discover its existence. First create a new subdirectory named temp. It should reside directly beneath your home directory (user1).
Solution: mkdir temp
- Now, using numeric codes, set the permissions on this subdirectory so that only you can read, write, and execute files in the temp directory.
Solution: chmod 700 temp
- Create a new subdirectory in the /home/user1/temp directory named hiddendir.
Solution: mkdir ./temp/hiddendir
- Next, create a file in the hiddendir directory named hiddenfile.
Solution: touch ./temp/hiddendir/hiddenfile
- Using numeric codes, change the permissions of the hiddendir directory to be consistent with the temp directory: only you can read, write, and execute files in the directory.
Solution: chmod 700 ./temp/hiddendir
- Become user2 again.
- Go to the user1/temp directory. Be sure to enter the directory’s full path.
Solution: cd /home/user1/temp
- Note that you cannot read the contents of this directory as user2. Go to the /home/user1 directory.
Solution: cd /home/user1
- List the subdirectories, making sure to show all file attributes.
Solution: ls -l
- As user2, you can see that the temp subdirectory exists, but you cannot list its contents. These contents include the hiddendir subdirectory. Both the hiddendir directory and its contents are effectively invisible. Exit the user2 subshell.
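The script below is an added example, not part of the original exercise: it replays the chmod steps above inside a throwaway stand-in for /home/user1 created with mktemp, so it can be run by any single user without a second account. The su/user2 steps are replaced by probes that ask whether the current user can list or create inside each directory; the function names build_home, can_list, can_create, mode_of and demo are this example's own. One caveat the exercise glosses over: root ignores the r and w bits entirely, so the listing and creation probes only show the intended effect for an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original text): the exercise above, replayed
# inside a throwaway "home" directory created with mktemp. The su/user2
# steps are replaced by probes run as the current user.

# mode_of PATH -> ten-character type+permission field from ls -l
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# build_home -> prints the path of a constructed stand-in for /home/user1
#   after all chmod steps of the exercise have been applied
build_home() {
    home=$(mktemp -d) || return 1
    : > "$home/readme" && chmod 200 "$home/readme" || return 1  # owner cannot read it yet
    chmod u+r "$home/readme"                                    # symbolic: give owner read back
    mkdir "$home/subdir" && chmod 555 "$home/subdir"            # listable, nothing may be created
    mkdir "$home/nolist" && chmod 733 "$home/nolist"            # not listable, but files may be created
    mkdir "$home/temp" && chmod 700 "$home/temp"                # private to the owner
    mkdir "$home/temp/hiddendir" && : > "$home/temp/hiddendir/hiddenfile"
    chmod 700 "$home/temp/hiddendir"
    printf '%s\n' "$home"
}

# can_list DIR -> "yes" or "no": does ls succeed on DIR for the current user?
can_list() { if ls -- "$1" >/dev/null 2>&1; then echo yes; else echo no; fi; }

# can_create DIR -> "yes" or "no": can the current user create a file in DIR?
can_create() {
    if : > "$1/probe.$$" 2>/dev/null; then rm -f -- "$1/probe.$$"; echo yes; else echo no; fi
}

# cleanup HOME: restore owner rwx on the restricted directories so rm -rf works
cleanup() { chmod 700 "$1/subdir" "$1/nolist" && rm -rf -- "$1"; }

demo() {
    h=$(build_home) || return 1
    for p in readme subdir nolist temp temp/hiddendir; do
        printf '%s  %s\n' "$(mode_of "$h/$p")" "$p"
    done
    # 733 on nolist: without the r bit even the owner cannot list it (root can)
    printf 'can list nolist: %s, can create in nolist: %s\n' \
        "$(can_list "$h/nolist")" "$(can_create "$h/nolist")"
    # 555 on subdir: listable, but no new entries (again, root is exempt)
    printf 'can list subdir: %s, can create in subdir: %s\n' \
        "$(can_list "$h/subdir")" "$(can_create "$h/subdir")"
    cleanup "$h"
}

demo
```

Run as an ordinary user, the two probe lines read "no, yes" for nolist and "yes, no" for subdir: on a directory, r governs listing while w (together with x) governs creating and deleting entries, which is exactly the split the exercise relies on.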