File Permissions - chmod

Rob

Administrator
Staff member
Linux has inherited from UNIX the concept of ownerships and permissions for files. This is basically because it was conceived as a networked system where different people would be using a variety of programs, files, etc. Obviously, there's a need to keep things organized and secure. We don't want an ordinary user using a program that could potentially trash the whole system. There are security and privacy issues here as well. Let's face it, we don't want Bill to read Bob's love letters to the Janet who works in R & D (because Janet is Bill's fiancée). In the end, it's important to know what belongs to me, to you and to everybody.

As we mentioned at the beginning of this course, the big advantage that Linux has is its multi-user concept - the fact that many different people can use the same computer or that one person can use the same computer to do different jobs. That's where the system of file permissions comes in to help out in what could be a very confusing situation. We're going to explain some basic concepts about who owns the file and who can do what with a file. We won't get into an enormous amount of detail here. We'll save that for the Linux system administration course. We will show you how to understand file permission symbols and how to modify certain files so that they're more secure.

File permission symbols

If you run the command
Code:
ls -l
in your home directory, you will get a list of files that may include something like this

Code:
-rw-r--r--  1  bob  users  1892  Jul 10  18:30 linux_course_notes.txt
This basically says, interpreting this from RIGHT to LEFT, that the file linux_course_notes.txt was created at 6:30 PM on July 10 and is 1892 bytes large. It belongs to the group users (i.e., the people who use this computer). It belongs to bob in particular and it is one (1) file. Then come the file permission symbols.

Let's look at what these symbols mean:

The dashes - separate the permissions into three types

The first part refers to the owner's (bob's) permissions.

The dash - before the rw means that this is a normal file that contains any type of data. A directory, for example, would have a d instead of a dash.

The rw that follows means that bob can read and write to (modify) his own file. That's pretty logical. If you own it, you can do what you want with it.

The second part of these symbols, after the second dash, is the permissions for the group. Linux can establish different types of groups for file access. In a one home computer environment anyone who uses the computer can read this file but cannot write to (modify) it. This is a completely normal situation. You, as a user, may want to take away the rights of others to read your file. We'll cover how to do that later.

After the two dashes (two here because there is no write permissions for the group) come the overall user permissions. Anyone who might have access to the computer from inside or outside (in the case of a network) can read this file. Once again, we can take away the possibility of people reading this file if we so choose.

Let's take a look at some other examples. An interesting place to look at different kinds of file permissions is the /bin directory. Here we have the commands that anybody can use on the Linux system. Let's look at the command for gzip, a file compression utility for Linux.

Code:
-rwxr-xr-x  1 root    root        53468 May  1  1999 gzip
As we see here, there are some differences.

The program name, date, bytes are all standard. Even though this is obviously different information, the idea is the same as before.

The changes are in the owner and group. Root owns the file and it is in the group "root". Root is actually the only member of that group.

The file is an executable (program) so that's why the letter x is among the symbols.

This file can be executed by everybody: the owner (root), the group (root) and all others that have access to the computer.

As we mentioned, the file is a program, so there is no need for anybody other than root to "write" to the file, so there is no w permissions for it for anybody but root.

If we look at a file in /sbin which are files that only root can use or execute, the permissions would look like this:

Code:
-rwxr--r--  1 root    root        1065 Jan 14  1999 cron
'cron' is a program on Linux systems that allows programs to be run automatically at certain times and under certain conditions. As we can see here, only root, the owner of the file, is allowed to use this program. There are no x permissions for the rest of the users.

We hope you enjoyed this little walk-through of file permissions in Linux. Now that we know what we're looking for, we can talk about changing certain permissions.

chmod

chmod is a Linux command that will let you "set permissions" (aka, assign who can read/write/execute) on a file.

Code:
chmod permissions file
Code:
chmod permission1_permission2_permission3 file
When using chmod, you need to be aware that there are three types of Linux users that you are setting permissions for. Therefore, when setting permissions, you are assigning them for yourself, "your group" and "everyone else" in the world. These users are technically known as:

Owner
Group
World

Therefore, when setting permissions on a file, you will want to assign all three levels of permissions, and not just one user.

Think of the chmod command actually having the following syntax...

chmod owner group world FileName

Now that you understand that you are setting permissions for THREE user levels, you just have to wrap your head around what permissions you are able to set!

There are three types of permissions that Linux allows for each file.

read
write
execute

Putting it all together:

So, in layman's terms, if you wanted a file to be readable by everyone, and writable by only you, you would write the chmod command with the following structure.

COMMAND : OWNER : GROUP : WORLD : PATH

chmod read & write read read FileName
Code:
chmod 644 myDoc.txt
Wait! What are those numbers?!?

Computers like numbers, not words. Sorry. You will have to deal with it. Take a look at the following output of `ls -l`

Code:
-rw-r--r-- 1 gcawood iqnection 382 Dec 19 6:49 myDoc.txt
You will need to convert the word read or write or execute into the numeric equivalent (octal) based on the table below.

4 read (r)
2 write (w)
1 execute (x)

Practical Examples

chmod 400 mydoc.txt read by owner
chmod 040 mydoc.txt read by group
chmod 004 mydoc.txt read by anybody (other)
chmod 200 mydoc.txt write by owner
chmod 020 mydoc.txt write by group
chmod 002 mydoc.txt write by anybody
chmod 100 mydoc.txt execute by owner
chmod 010 mydoc.txt execute by group
chmod 001 mydoc.txt execute by anybody

Wait! I don't get it... there aren't enough permissions to do what I want!

Good call. You need to add up the numbers to get other types of permissions...

So, try wrapping your head around this!!

7 = 4+2+1 (read/write/execute)
6 = 4+2 (read/write)
5 = 4+1 (read/execute)
4 = 4 (read)
3 = 2+1 (write/execute)
2 = 2 (write)
1 = 1 (execute)

chmod 666 mydoc.txt read/write by anybody! (the devil loves this one!)
chmod 755 mydoc.txt rwx for owner, rx for group and rx for the world
chmod 777 mydoc.txt read, write, execute for all! (may not be the best plan in the world...)

Good luck! Hope this helps.
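
The r=4, w=2, x=1 arithmetic above, worked as an added example that is not part of the original post: it turns an `ls -l` mode string into its octal number and lists files in a directory that group or world can write to (the 666/777 cases). The function names are made up for this example, and it is plain POSIX sh.

```shell
#!/bin/sh
# Added example (not from the post): octal value of an `ls -l` mode string,
# plus a check for files that group or world can write to.

# mode_to_octal "-rw-r--r--" prints 644. The leading file-type character is
# skipped; each rwx triplet becomes one digit using r=4, w=2, x=1.
mode_to_octal() {
    rest=${1#?}                       # drop the file-type character
    out=""
    for who in owner group world; do
        triplet=$(printf '%s' "$rest" | cut -c1-3)
        rest=${rest#???}
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        # s or t in the last slot also implies x; the special bit is not reported
        case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# list_loose_files DIR prints "OCTAL NAME" for each regular file in DIR whose
# group or world digit contains the write bit (2, 3, 6 or 7).
list_loose_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        octal=$(mode_to_octal "$(ls -ld "$f" | cut -c1-10)")
        case $octal in
            ?[2367]? | ??[2367]) printf '%s %s\n' "$octal" "${f##*/}" ;;
        esac
    done
}

# Mode strings taken from the post's own ls -l examples.
for m in -rw-r--r-- -rwxr-xr-x -rwxr--r--; do
    printf '%s = %s\n' "$m" "$(mode_to_octal "$m")"
done
```

Run `list_loose_files "$HOME"` (or any directory) to see which files others could modify.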
 


iam_ak

New Member
Thanks Rob, this is very helpful.
Edit: My first post here !!
I do have one query.
Let's say I do
Code:
chmod 000 abc.txt
So if I view the permissions I see this
Code:
[email protected]:~/Desktop/code/c$ ls -l abc.txt
---------- 1 arun arun 16 Feb 23 14:06 abc.txt
There are totally 10 "-".
The first "-" is for file type, i.e. normal file or a directory

That leaves us with 9 dashes.
So are the groups split into 3 dashes (-) per group? I mean 3 for the owner, 3 for the group and 3 for the world. I am a little confused here? If the file is an executable sometimes I see "-rwxr-xr-x". How do I identify the permissions in this case?
 

JasKinasis

Well-Known Member
So are the groups split into 3 dashes(-) per group? i mean 3 for the owner,3 for the group and 3 for the world
Yes, that is exactly right.

I am a little confused here? If the file is an executable sometimes I see "-rwxr-xr-x". How do I identify the permissions in this case?
In your above example - where your executable file has the permissions:
-rwxr-xr-x

The permissions are:
owner: rwx = read,write and execute
group: r-x = read and execute
others: r-x = read and execute

As per Rob's post, each flag has a numerical value:
r = 4
w = 2
x = 1

Substituting the above numerical values for each flag, the permissions are:
owner (rwx): 4 + 2 + 1 = 7
group (r-x): 4 + 1 = 5
others (r-x): 4 + 1 = 5

So the permissions for your executable are 755.
In other words, the owner can read, write AND execute it. Group members and everybody else can only read and execute it.

To assign the same permissions to another file you would use:
Code:
chmod  755 /path/to/file
Alternative syntax for chmod:
Rob hasn't mentioned it in his post, but if the numeric method of assigning permissions confuses you, there is some alternative syntax that could be used to set the same permissions:
Code:
chmod u=rwx,g=rx,o=rx /path/to/file
In the above, we are explicitly stating which flags should be set using the = operator. Any unspecified flags are unset. In this case, we have specified rwx for user, rx for group and rx for others. We have left out the write flags for group and other. So they will not be set.

Personally, I'm really comfortable with the numeric method. But some people find the above syntax easier to understand.

Note: when using the alternative syntax there must be no spaces used in the permissions string.

Alongside the = operator, the alternative syntax also has + and - operators.
+ and/or - can be used if you only want to change a single permission bit without affecting the rest of the existing permissions.

So, if you have a script called script.sh with default permissions (e.g. 644, or rw-r--r--)
You can make it executable for everybody by using:
Code:
chmod +x script.sh
Then when you list the file, the permissions will be:
rwxr-xr-x (or 755)

And if you want to remove the ability to execute the file from everybody:
Code:
chmod -x script.sh
Then the permissions on the script will be set back to:
rw-r--r-- (or 644) - So now nobody can run the script, everybody can read it and only the owner can alter it.

You can use + and - on the read and write permissions bits too.
The differences between +, - and = are:
+ will set the specified flag/s and leave other permissions alone
- will unset the specified flag/s and leave all other permissions alone
= will set any specified flags and unsets any that are left out of the list.

Now let's say that you only want to allow the owner and members of the group to be able to execute the script. This is one way of setting those flags:
Code:
chmod u+x,g+x script.sh
That will only change the execute bit for the user and the group. All of the other existing permissions will be preserved.
Now the permissions will be:
rwxr-xr-- (or 754)

Or perhaps you want to allow group members to be able to edit the script:
Code:
chmod g+w script.sh

You can even mix and match =,+ and -:
Let's say we have someotherfile which has default permissions of rw-r--r-- (or 644).
Let's mix and match using =,+ and - :
Code:
chmod u=rwx,g+x,o-rx someotherfile
In the above, we are explicitly setting rwx for user, adding the x flag for the group and removing the read flag from other.
So the initial permissions were:
rw-r--r-- (644)
now they will be:
rwxr-x--- (750)

So there are multiple ways of setting and/or modifying permissions on files.

Generally speaking, I use the numeric method, because I find it quicker and more intuitive (and fewer characters to type!). But sometimes, I'll use the more expressive syntax with + or -. Typically to flip the execute permission-bits for a file.
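
The =, + and - forms from the post above, run against a scratch file so the resulting permissions can be checked (an added example, not part of the original post; `result_of` is a made-up helper). It also covers one case the thread does not: when no u/g/o/a is given, as in `chmod +x`, bits set in the umask are left untouched, so the 755 result above assumes the usual default umask of 022.

```shell
#!/bin/sh
# Added example (not from the post): apply one chmod argument to a scratch
# file and show the permissions that result.

# result_of UMASK START_OCTAL CHMOD_ARG
# The body is a subshell, written ( ... ), so the umask change stays local.
result_of() (
    umask "$1"
    scratch=$(mktemp) || exit 1
    chmod "$2" "$scratch"             # known starting point
    chmod -- "$3" "$scratch"          # "--" lets -x be read as a mode
    ls -ld "$scratch" | cut -c2-10    # the nine permission characters
    rm -f "$scratch"
)

# The thread's examples, under the common default umask of 022 (assumed).
printf '%-28s %s\n' "644 then +x"             "$(result_of 022 644 +x)"
printf '%-28s %s\n' "755 then -x"             "$(result_of 022 755 -x)"
printf '%-28s %s\n' "644 then u+x,g+x"        "$(result_of 022 644 u+x,g+x)"
printf '%-28s %s\n' "644 then g+w"            "$(result_of 022 644 g+w)"
printf '%-28s %s\n' "644 then u=rwx,g+x,o-rx" "$(result_of 022 644 u=rwx,g+x,o-rx)"

# With no u/g/o/a given, bits that are set in the umask are not changed:
printf '%-28s %s\n' "umask 077: 644 then +x"  "$(result_of 077 644 +x)"
printf '%-28s %s\n' "umask 077: 644 then a+x" "$(result_of 077 644 a+x)"
printf '%-28s %s\n' "umask 022: 444 then +w"  "$(result_of 022 444 +w)"
```

Writing `a+x` or `u+x,g+x` says exactly who is meant and does not depend on the umask.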
 

iam_ak

New Member
Thanks for such a detailed reply. After assigning a few file permissions I understood the numbers much more clearly. Personally I like this syntax
Code:
chmod u=rwx,g=rx,o=rx /path/to/file
As it is easy for me to remember them :)
 

CptCharis

Well-Known Member
I feel also that this way
Code:
chmod u=rwx,g=rx,o=rx /path/to/file
is much easier!!
 

IT_Master

New Member
Hi,

I am a newbie here and just started learning Ubuntu.
I am in the permissions part and got into trouble.

When I remove "x" permission from a file (text file) I still can execute that file, why? The syntax is as follows:

creating file:
Code:
$ touch newfile
checking permissions:
Code:
$ ls -l
Code:
-rw-rw---- 1 amin amin        0 Jun 21 06:06 newfile
As you see I don't have "x" permission by default but I can run the file, why?
 

atanere

Well-Known Member
Because you have "read" permission. This is different from "execute". You're dealing with a text file... you can read a text file without executing it. If you remove the execute permission from a binary file, then it will not launch (also depending on whose permission you removed... user, group, or everyone).

Welcome to linux.org!

Cheers
 

atanere

Well-Known Member
Perhaps a good example would be a Bash script. You can create a text file, for example, HelloWorld.sh (.sh is not required but is common for Bash or other shell script files). Inside the HelloWorld.sh text file you enter these two lines and save the file:
Code:
#!/usr/bin/env bash
echo Hello World!
Now, you have a text file that is a script, but it will not execute if you use:
Code:
./HelloWorld.sh
So you must first make it executable with:
Code:
chmod +x HelloWorld.sh
Then, it will work properly when you again run:
Code:
./HelloWorld.sh
I hope that makes it more clear for you. Permissions confuse all of us in the beginning, and sometimes I still get confused! :D

Cheers
 

IT_Master

New Member
Because you have "read" permission. This is different from "execute". You're dealing with a text file... you can read a text file without executing it. If you remove the execute permission from a binary file, then it will not launch (also depending on whose permission you removed... user, group, or everyone).

Welcome to linux.org!

Cheers
So, what does "execute" mean in a txt file? If it acts the same as "read", what's the "execute" role here?
 

atanere

Well-Known Member
So, what does "execute" mean in a txt file? If it acts the same as "read", what's the "execute" role here?
It basically has no role on a regular text file (unless it has executable code inside it, such as a script). I hope I'm not making this more confusing! :confused::D

All text files are "readable" (with read permission allowed).
Text files are only "executable" if they contain "something to execute."
Having "something to read" inside the text file is not the same as having "something to execute."
"Executing" a text file does NOT mean "reading" it.... they are different things.

But the "x" permission value does still apply, even if it has little or no meaning. For example, I created a test.txt file and added some text. The default permissions for that file do not include execute. So if I try this:
Code:
./test.txt
Then I get a "Permission denied" error. This is because it does not have permission to even TRY to execute the file.

Then if I do this:
Code:
chmod +x test.txt
# and
./test.txt
Then I get a "command not found" error. So Bash is TRYING to execute the file, but there is nothing inside that it can use (like it can with a script).

Execute means to run a file as a program.... and most text files are NOT programs. That is one reason that the default permissions for a .txt file do not include execute.

Better? Or worse? :D

Cheers
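
The cases from the last few posts, reproduced as exit statuses (an added example, not part of the thread; the function names and file contents are constructed, and the script uses a `#!/bin/sh` line so it runs where bash is not installed). It also shows that a script without x can still be run by handing it to an interpreter, which needs only read permission, so clearing x alone does not stop a readable script from being run.

```shell
#!/bin/sh
# Added example (not from the thread): what the x bit changes for a script
# and for a plain text file.
# Status 0 = ran, 126 = found but not executable, 127 = command not found.

# direct_status FILE: run FILE by its path, as ./HelloWorld.sh would.
direct_status() {
    "$1" >/dev/null 2>&1 && echo 0 || echo $?
}

# interp_status FILE: hand FILE to sh as input; only read permission is used.
interp_status() {
    sh "$1" >/dev/null 2>&1 && echo 0 || echo $?
}

# demo_statuses prints four statuses, in this order:
#   1. script without x, run by path
#   2. same script without x, run as "sh script"
#   3. script with x, run by path
#   4. plain text file with x, run by path
demo_statuses() {
    dir=$(mktemp -d) || return 1
    script=$dir/HelloWorld.sh
    notes=$dir/test.txt
    # Constructed sample files.
    printf '#!/bin/sh\necho Hello World!\n' > "$script"
    printf 'Shopping-list: milk eggs\n' > "$notes"
    chmod 644 "$script" "$notes"

    s1=$(direct_status "$script")
    s2=$(interp_status "$script")
    chmod u+x "$script" "$notes"
    s3=$(direct_status "$script")
    s4=$(direct_status "$notes")

    rm -rf "$dir"
    echo "$s1 $s2 $s3 $s4"
}

demo_statuses
```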
 

CptCharis

Well-Known Member
All text files are "readable" (with read permission allowed).


And the first thing we learn:
In Linux everything is a file.:D:p:D
 

wizardfromoz

Super Moderator
Staff member
Gold Supporter
Salaam, Amin (in Arabic أمين) is that so? Welcome to linux.org :)

If English is other than your first language, let us know, and we can be sure to try to be very clear with how we explain things.

I am from Australia, and you will "see me" from time to time.

Enjoy your Linux, I do, every day :D

Chris Turner
wizardfromoz
 

Dimitris

New Member
Skimming through I saw that there is a latin alternative to numeric values for permissions. Interesting, yet I usually think "Do I use 777? Yes? Good. No? Use 466". I guess latin values are native to all distros or are you guys talking aliases?
 

atanere

Well-Known Member
Skimming through I saw that there is a latin alternative to numeric values for permissions. Interesting, yet I usually think "Do I use 777? Yes? Good. No? Use 466". I guess latin values are native to all distros or are you guys talking aliases?
Not aliases, just simple permissions. Using numerical values is certain... they establish exactly the permission you want, and it's the method I personally like to use. @JasKinasis describes the "alternate syntax method" in post #3 above that uses the latin values. The Linux Documentation Project also has a pretty good summary here.
 

IT_Master

New Member
Salaam, Amin (in Arabic أمين) is that so? Welcome to linux.org :)

If English is other than your first language, let us know, and we can be sure to try to be very clear with how we explain things.

I am from Australia, and you will "see me" from time to time.

Enjoy your Linux, I do, every day :D

Chris Turner
wizardfromoz
Salam (Hi) wizardfromoz :)

LOL, you spoke in Farsi (Persian) ;)
I love Australia and I am planning to migrate to your country next year :rolleyes:
Hope we can be good friends :)
 

IT_Master

New Member
Mount problem:

This is my partitions info:
Code:
[email protected]:~$ lsblk -p
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
/dev/sdb      8:16   0    5G  0 disk
/dev/sr0     11:0    1 1024M  0 rom
/dev/sdc      8:32   1 14.5G  0 disk
└─/dev/sdc1   8:33   1 14.5G  0 part /media/amin/PATRIOT
/dev/sda      8:0    0   20G  0 disk
├─/dev/sda2   8:2    0    1K  0 part
├─/dev/sda5   8:5    0    4G  0 part [SWAP]
└─/dev/sda1   8:1    0   16G  0 part /
When I want to mount my additional HDD (/dev/sdb) I get this error:
Code:
[email protected]:~$ sudo mount /dev/sdb Desktop/sda
[sudo] password for amin:
mount: wrong fs type, bad option, bad superblock on /dev/sdb,
       missing codepage or helper program, or other error
       In some cases useful info is found in syslog - try
       dmesg | tail or so.
Additional info: my Ubuntu is installed on VMware
 

IT_Master

New Member
Hi Amin... the mount question deserves its own thread and is drifting off topic from this tutorial. Please copy/paste what you have above and start a new thread for us to continue. Also please include the output from:
Code:
mount
Thanks!
But I am not able to open a new topic in "Linux Beginner Tutorials". I don't see any related button to open a new topic there.
 
