Guide to Understanding chmod

Introduction

File access permissions and security are at the heart of *nix-based operating systems. File objects can belong to users and/or groups, and at times they need to be shared with various combinations of those two. There are multiple ways in *nix systems to reinforce secure sharing of these objects.

We use the chmod utility to change or modify the file permissions.

This guide discusses file permissions and how we can change them with chmod. While the explanations and code should work for almost all *nix-based systems, this guide was specifically written for Linux.

Ownership and Permissions

Before we could get into chmod, let's go over the basics of file and directory ownership in Linux. The files and directories that you find or create have access permissions provided in three categories of owners:

Owners Symbolic Representation Description
Users u The primary owner of the file/directory object
Groups g A user can be part of one or many groups
Others o Other users who also aren't part of the group

These owners can have one or many of the following access permissions assigned:

Permission Symbolic Representation Octal Representation Description
Read r 4 Permission to read, copy from directory
Write w 2 Permission to write/edit, delete, add new files to directory
Execute x 1 Permission to execute the binary

Let's get hands-on experience with chmod commands and permissions by first creating an empty file:

$ touch temp.txt

We will also be using the ls -l command very often to check access permissions. The ls command is used to list files, but the -l flag returns them in the long format, which also includes the information regarding access permissions:

$ ls -l temp.txt
-rw-r--r-- 1 ubuntu ubuntu 0 Apr 20 22:17 temp.txt

The left-hand side of the result contains information on access permissions. Though, they're not as intuitive as the two tables from just a moment ago. The result has several components:

The permissions can be split into three parts - each corresponding to the owners in the order - Users, Groups, and Others. You may have also noticed the name of the owners i.e. the user and the group to which the object belongs to.

The order of the permission for each codon of 3 is of the structure rwx. If one of these permissions is unavailable, the missing permission is replaced with a dash (-) like rw-. The other details are related to the file itself: its size, creation date, and name.

The chmod Utility

The chmod utility helps us to assign permissions to file/directory objects. It has a special set of arguments, corresponding to the ownership and permissions:

Permission Symbolic Representation Octal Representation
read r 4
write w 2
execute x 1
no permission - 0

For each owner, these permissions can be summed (for Octal Representation - e.g. 4+2 = 6 denotes read & write permissions) or combined (for Symbolic Representation - e.g. rw denotes read & write permissions).

This is key to understanding how the chmod command works. Let's modify the access permissions of the temp.txt file, and allow read, write and execute permissions to the User, but disallow any access to the Group and Others.

You can use either Octal Representation or Symbolic Representation for this:

$ chmod 700 temp.txt

The octal notation - 700 can be broken down as:

  • The first octal integer position corresponds to the User and the number 7 itself is an octal representation of all permissions (rwx) i.e. 4+2+1 = 7.
  • The second and third octal integer positions correspond to the Group and Others, where the number 0 shows that there aren't any permissions to access the object.

Let's take a look at the permission on the temp.txt file now:

$ ls -l temp.txt
-rwx------ 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt

We can perform the same command, and assign the permissions in much the same way if we rewrite the 700 argument using the symbolic notation:

Free eBook: Git Essentials

Check out our hands-on, practical guide to learning Git, with best-practices, industry-accepted standards, and included cheat sheet. Stop Googling Git commands and actually learn it!

$ chmod u+rwx,g-rwx,o-rwx temp.txt

We remove permissions using a - sign, and added by +. When using the symbolic representation, owners are separated by commas ,. Here, we've added the rwx permission to u, but removed it from g and o.

This results in the same access permissions:

$ ls -l temp.txt
-rwx------ 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt

Now, let's consider another command:

$ chmod u+rwx,g-rw+x,o-rw+x temp.txt

Here, we've intertwined pluses and minuses:

  • 'u+rwx' denotes that the read, write and execute permissions are provided to the User.
  • 'g-rw+x' and 'o-rw+x' show that the Group and the Others are denied to perform any of the read/write operations but they are allowed to perform executions.

This is equivalent to chmod 711 temp.txt using octal representation.

Let's check the file again:

$ ls -l temp.txt
-rwx--x--x 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt

We can also use an '=' sign to set/overwrite permissions to the corresponding owner. The aforementioned command could also be written as:

$ chmod u=rwx,g=x,w=x temp.txt

This, yet again, results in:

$ ls -l temp.txt
-rwx--x--x 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt

Advanced chmod Usage - SUID, GUID and Sticky Bits

Now that the basics of chmod are clear, let's take it one step further by reviewing an extra set of special execution/deletion-only permissions that act as the fourth level of security to the existing read, write and execute permissions. These include:

Special Permission Symbolic Representation Octal Representation Description
SUID (Set UserID) rw**s**------ 4 Execution-Only permission defined at the User Level. It is used to provide user-like privileges to whoever executes the file(s) inside the directory objects.
SGID (Set GroupID) ---rw**s**--- 2 Execution-Only permission defined at the Group Level. It is used to provide group-like privileges to whoever executes the file(s) inside the directory objects.
Sticky Bit ------rw**t** 1 Defined at the Others Level. It prevents the file or object from getting deleted. Only the Owner or Root can delete the file or object.

When calling the chmod utility, and setting the argument - the special permission precedes the regular permissions. If we want to add a special permission to our regular 700 argument, we simply add a digit beforehand:

$ chmod 5700 temp.txt
$ ls -l temp.txt
-rws-----T 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt

Here, the 5 defines the sum of 4+1, which is a combination of the SUID and Sticky Bit permission. 700 represents the 'rwx' permission for the Owner only. SUID overrides the owner permission, and whoever executes the file will always execute as the owner of the file. In addition to this, only the owner of the file will be able to delete it. In the output, notice the presence of the character 'T', which denotes that the Sticky Bit is set.

Let's rewrite the command, using symbolic representation:

$ chmod u+srwx,g-rwx,o+t-rwx temp.txt
$ ls -l temp.txt
-rws-----T 1 ubuntu ubuntu 0 Apr 20 22:19 temp.txt

Let's breakdown the argument by commas, since it's getting a bit long:

  • u+srwx: The user has a SUID permission attached to it, along with rwx.
  • g-rwx: The group is devoid of the rwx permissions.
  • o+t-rwx: The +t denotes the addition of a Sticky Bit permission and the others are devoid of the rwx permissions.

If you happen to have another user, try switching to that user and check if you can delete the file. You should be getting a prompt just like this:

$ sudo su unknown
$ rm temp.txt
rm: remove write-protected regular empty file 'temp.txt'?

Conclusion

In this guide, we learned about file and directory ownership and permissions in Linux. We then used chmod to modify them. These commands can be quite useful in securing the files or directories with much ease in *nix-based Operating Systems.

Last Updated: March 16th, 2023
Was this article helpful?

Improve your dev skills!

Get tutorials, guides, and dev jobs in your inbox.

No spam ever. Unsubscribe at any time. Read our Privacy Policy.

Sathiya Sarathi GunasekaranAuthor

Pythonist 🐍| Linux Geek who codes on WSL | Data & Cloud Fanatic | Blogging Advocate | Author

© 2013-2024 Stack Abuse. All rights reserved.

AboutDisclosurePrivacyTerms