Lesson 7: The chmod command
Objective: Use the chmod command and its options to change file permissions.

Use chmod Command and its Options to change File Permissions

Permission bits are manipulated using the chmod command. This command has two basic forms. The first uses numeric codes:
$ ls -l filename
-rw-rw-r-- 1 jeremy jeremy 1145 Apr 8 09:40 lesson2.txt
$ chmod 755 filename
$ ls -l filename
-rwxr-xr-x 1 jeremy jeremy 1145 Apr 8 09:42 lesson2.txt

In the second form of the chmod command, permissions are added or removed by symbolic codes. The levels of user, group, and other are represented by the codes u, g, and o respectively. The permissions are represented as usual by r, w, and x. The syntax is then
chmod [levels][+/-/=][permission] filename 

The statements
chmod u+x filename 
chmod og=r filename 
chmod o-x filename

respectively give user execute permission for filename, set read permission only for other and for group, and remove execute permission for other. The = argument is designed to assign only a specific permission (or set of permissions) to a file or directory. The = argument will revoke all permissions you do not specifically assign. Here are a few more examples of the +, -, and = arguments.

Function of chmod Arguments

Change the access mode of one or more files. Only the owner of a file or a privileged user may change its mode. Create mode by concatenating the characters from who, opcode, and permission. who is optional (if omitted, default is a); choose only one opcode.
Common Options
  1. -f, --quiet, --silent: Do not print error messages about files that cannot be changed.
  2. -R, --recursive: Recursively descend through the directory, including subdirectories and symbolic links, setting the specified mode as it proceeds. The last of -H, -L, and -P takes effect when used with -R.
GNU/Linux and Mac OS X Options
  1. -v, --verbose: Verbosely describe mode changes.
  2. -c, --changes: Print information about files that are changed.
  3. --no-preserve-root: Do not treat the root directory, /, specially (the default).
  4. --preserve-root: Do not operate recursively on /, the root directory.
  5. --reference=filename: Change the mode to that associated with filename. In this case, mode is not specified.
By default, the chmod command uses concatenation to assign permission bits to a specific file or folder. Therefore, with the + argument, chmod adds new values to any permission values that might already exist on a file or directory.
Suppose that you have a file named userprogram. It has the following permissions: rw-rw-rw-.
If you enter
chmod u+x userprogram

you will be giving permission for a user to execute the program named userprogram. The permissions for this file would read
rwxrw-rw-

By using the + argument, you have simply added one extra user permission to the file. You can, of course, use the - argument to revoke such permissions.


The command
chmod u-x userprogram

would return the file's permissions to its original state. You must understand that the + and - arguments add and remove permissions, but any permissions you do not specify will remain in force for this particular file or directory. Unless you explicitly add or subtract permissions from the user, group, and everyone blocks of the file or directory, the permissions will remain unchanged. The = argument, however, works in exactly the opposite way. It removes all permissions except those you explicitly provide. For example, suppose that you have a file named passwd. Further, suppose that it has full access permissions noted in each block: rwxrwxrwx. If you used chmod with the = argument, you could modify the permissions without having to revoke each permission individually.
Therefore, if you typed
chmod u=rx,g=rx,o=x passwd

the file's permissions would read r-xr-x--x.
If you compare the resulting permissions with those the file originally had, you can see that the use of = removed several permissions automatically because you did not explicitly assign them. If you use the = argument without any permissions after it, you will effectively remove all permissions associated with the level (user, group, or other) you have identified. For example, if you type
chmod u= userfile

the user who owns the file will not be able to read, write, or execute it.

In addition, the a code refers to everyone (all). To remove read permission from user, group, and other simultaneously, type
chmod a-r filename

The empty permission string can be used to remove all permissions from some levels. For example, the following command removes all group-level permissions:
chmod g= filename
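
The +, -, and = cases above can be checked without touching a real file. The following sketch is an added example, not part of the original lesson; octal_mode and preview_mode are illustrative names, and the scratch file comes from mktemp.

```shell
#!/bin/sh
# Added example: preview what a chmod mode expression does, using a scratch
# file so no real file is touched. Function names are illustrative.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# preview_mode START EXPR
#   START: numeric mode the scratch file begins with (666 is rw-rw-rw-)
#   EXPR:  any mode chmod accepts (u+x, og=r, u=rx,g=rx,o=x, ...)
# Prints the octal mode that results from applying EXPR to START.
preview_mode() {
    scratch=$(mktemp) || return 1
    chmod "$1" "$scratch" && chmod "$2" "$scratch" && octal_mode "$scratch"
    rc=$?
    rm -f "$scratch"
    return "$rc"
}

# The lesson's own cases:
preview_mode 666 u+x             # rw-rw-rw- becomes rwxrw-rw- (766)
preview_mode 766 u-x             # back to rw-rw-rw- (666)
preview_mode 777 u=rx,g=rx,o=x   # rwxrwxrwx becomes r-xr-x--x (551)
preview_mode 666 u=              # owner loses everything: ---rw-rw- (66)
preview_mode 664 og=r            # group and other become read-only (644)
```

The octal output drops leading zeros, so ---rw-rw- is reported as 66.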
The chmod command supports a recursive option. For example, to add read permission for user, group, and other on a directory and, recursively, on its subdirectories and files, use
chmod -R a+r directory

Remember, too, that like other commands, chmod can be used with wildcards. To add read permission for user, group, and other to every file in the current directory, the following command will work well:
chmod a+r *
The chmod -R command (and chmod itself) can have dangerous consequences. For example, suppose you use chmod recursively to remove execute permission, starting at the root directory, while possessing root permissions. You would remove execute permission from practically every system command, including chmod. No commands could be run, so no easy fix would be available. Be careful, especially when working as root.
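
One way to put a guard in front of a recursive change (an added example, not part of the original lesson; resolve_target and guarded_chmod_r are hypothetical helper names): resolve the target first, refuse the root directory, and report how many entries would be visited before anything is changed.

```shell
#!/bin/sh
# Added example: a guard around "chmod -R". Function names are illustrative.

# resolve_target DIR
# Print DIR's physical absolute path, or fail when DIR is empty, missing,
# not a directory, or resolves to the root directory.
resolve_target() {
    [ -n "$1" ] && [ -d "$1" ] || { echo "not a directory: '$1'" >&2; return 1; }
    real=$(cd -- "$1" && pwd -P) || return 1
    [ "$real" != "/" ] || { echo "refusing to recurse from /" >&2; return 1; }
    printf '%s\n' "$real"
}

# guarded_chmod_r MODE DIR [apply]
# Without "apply": only report how many entries would be visited.
# With "apply":    run chmod -R on the resolved path.
guarded_chmod_r() {
    target=$(resolve_target "$2") || return 1
    count=$(find "$target" | wc -l | tr -d ' ')
    if [ "$3" = "apply" ]; then
        chmod -R -- "$1" "$target"
    else
        echo "dry run: chmod -R $1 would visit $count entries under $target"
    fi
}

# Demonstration on a constructed scratch tree, then the guard itself.
demo=$(mktemp -d) && mkdir -p "$demo/a/b"
guarded_chmod_r go-w "$demo"
rm -rf "$demo"
resolve_target / || echo "guard held: nothing was changed"
```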

Changing File Permissions using chmod

The following steps walk through using the chmod command to change file permissions:
  1. You are currently logged in as user1, a user with normal permissions, and are in your home directory (/home/user1/). Obtain a listing of files in your home directory, including all associated permissions.
    Solution: Use the ls command with the -l argument.
  2. Note that you own a file named readme. As you can see, although you own the file, you do not have read permission for it. Using symbolic codes, change the permissions so you can read, as well as write and execute the file. Do not allow anyone else to read the file.
    Solution: chmod u+r readme
  3. Now you want to create a subdirectory of your home directory in which no one (including yourself, unless you take further steps) can create or delete files. You do, however, want to enable all users to list all directory contents. First, create the new subdirectory.
    Solution: mkdir subdir
  4. Using numeric codes, remove write permissions for all users.
    Solution: chmod 555 subdir
  5. Next, you want to create a new subdirectory of your home directory and then set permissions on this directory so no one, not even yourself, can list the files. However, you still want to allow all users to create and execute files, as long as they know where those files exist. To do this, create a directory named nolist.
    Solution: mkdir nolist
  6. Use the a argument of chmod to remove read privileges to the nolist directory for all users.
    Solution: chmod a-r nolist
  7. Set permissions so that no one but you can list the files. You still want other users to be able to create, delete, and execute new ones, however. Use numeric coding.
    Solution: chmod 733 nolist
  8. Now, switch to the user2 account.
    Solution: su user2
  9. Change to the nolist directory.
    Solution: cd nolist
  10. Type ls -l to list the files, subdirectories, and associated permissions for this directory.
  11. Note that you cannot list any files or subdirectories. However, you can create new files and subdirectories. Use touch to create a new file named testfile.
    Solution: touch testfile
  12. Create a new directory named testdir.
    Solution: mkdir testdir
  13. Now, suspend the user2 subshell and return to your login shell.
    Solution: suspend
  14. As user1, you have been tasked with creating a subdirectory inside your home directory that is completely hidden to all users. You are to make this directory so that no one can even discover its existence. First create a new subdirectory named temp. It should reside directly beneath your home directory (user1).
    Solution: mkdir temp
  15. Now, using numeric codes, set the permissions on this subdirectory so that only you can read, write, and execute files in the temp directory.
    Solution: chmod 700 temp
  16. Create a new subdirectory in the /home/user1/temp directory named hiddendir.
    Solution: mkdir ./temp/hiddendir
  17. Next, create a file in the hiddendir directory named hiddenfile.
    Solution: touch ./temp/hiddendir/hiddenfile
  18. Using numeric codes, change the permissions of the hiddendir directory to be consistent with the temp directory: only you can read, write, and execute files in the directory.
    Solution: chmod 700 ./temp/hiddendir
  19. Become user2 again.
    Solution: fg
  20. Go to the user1/temp directory. Be sure to enter the directory’s full path.
    Solution: cd /home/user1/temp
  21. Note that you cannot read the contents of this directory as user2. Go to the /home/user1 directory.
    Solution: cd /home/user1
  22. List the subdirectories, making sure to show all file attributes.
    Solution: ls -l
  23. As user2, you can see that the temp subdirectory exists, but you cannot list its contents. These contents include the hiddendir subdirectory. Both that subdirectory and its contents are effectively invisible. Exit the user2 subshell.
    Solution: exit
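
The nolist directory from step 7 (mode 733) lets other users create and delete entries, which is the kind of directory a permissions audit looks for. This added example, not part of the original lesson, goes slightly beyond it by also checking the sticky bit; risky_dirs, build_sample_tree and the shared directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for directories like the exercise's "nolist" (733).
# Names and the sample tree are constructed for illustration.

# List directories under ROOT that "other" can write to and that lack the
# sticky bit. When other also has x on such a directory (as with 733), any
# user may delete or rename entries that someone else created there.
risky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Rebuild the exercise's directories in a scratch location with the same modes.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/subdir" "$root/nolist" "$root/temp" "$root/shared"
    mkdir "$root/temp/hiddendir"
    chmod 555 "$root/subdir"                        # step 4: list only
    chmod 733 "$root/nolist"                        # step 7: create, not list
    chmod 700 "$root/temp/hiddendir" "$root/temp"   # steps 15 and 18
    chmod 1777 "$root/shared"     # not in the lesson: sticky bit, like /tmp
    printf '%s\n' "$root"
}

tree=$(build_sample_tree)
risky_dirs "$tree"      # prints only the nolist directory
rm -rf "$tree"
```

The shared directory is just as writable as nolist but is not reported, because the sticky bit restricts deletion to each entry's owner.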
