Linux Commands – chmod
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we have discussed usermod command in Linux which is used to modify a user.
https://cloudaffaire.com/linux-commands-usermod/
In this blog post, we will discuss chmod command in Linux. chmod command stands for change mode and is used to change file mode. chmod changes the file mode bits of each given file according to mode. Before starting with the chmod command, let us explain the file permission as represented by ls long listing (-l) command.
ls -l
## drwxrwxr-x 2 user group 6 May 29 10:33 mydir
## -rw-rw-r-- 1 user group 6 May 29 10:33 myfile

Let us break the above output into segments and explain.

## d   rwx rwx r-x 2   user group 6   May 29 10:33 mydir
## [1] [2] [3] [4] [5] [6]  [7]   [8] [9]          [10]
[1]. FileType:
The 1st character represents the file type. In Linux you have different types of files, below are some of the file types available in Linux and their representation in the ls output.
Character | Interpretation |
- | regular file |
b | block special file |
c | character special file |
C | high performance (“contiguous data”) file |
d | directory |
D | door (Solaris 2.5 and up) |
l | symbolic link |
M | off-line (“migrated”) file (Cray DMF) |
n | network special file (HP-UX) |
p | FIFO (named pipe) |
P | port (Solaris 10 and up) |
s | socket |
? | some other file type |
[2]. File permission for user:
[3]. File permission for group:
[4]. File permission for others:
The next nine characters represent the file permissions and are divided into three chunks of three characters: the first three represent the user (owner) permissions, the second three the group permissions, and the last three the permissions for all other users (world). Below are the permissions available for files in Linux with their representation in the ls output.
Type | Mode | Permission | [2]. User’s Bit (rw[x|s|S]------) | [3]. Group’s Bit (---rw[x|s|S]---) | [4]. Other’s Bit (------rwx[t|T]) |
File | r-- | read | file owner has read access | file owner group has read access | others have read access |
File | -w- | write | file owner has write access | file owner group has write access | others have write access |
File | --x | execute | file owner has execute access | file owner group has execute access | others have execute access |
File | --s | setuid/setgid + x (execute) | setuid is set with execute (x) | setgid is set with execute (x) | NA |
File | --S | setuid/setgid - x (execute) | setuid is set without execute (x) | setgid is set without execute (x) | NA |
File | --t | sticky bit + x (execute) | NA | NA | No effect on file access |
File | --T | sticky bit - x (execute) | NA | NA | No effect on file access |
File | --X | execute/search access if already had execute permission for some user | NA | NA | NA |
File | --- | no other bit is set | file owner has no access | file owner group has no access | others have no access |
Directory | r-- | read | dir owner can list dir contents | dir owner group can list dir contents | others can list dir contents |
Directory | -w- | write | dir owner can modify dir content | dir owner group can modify dir content | others can modify dir content |
Directory | --x | execute | dir owner can get inside the dir | dir owner group can get inside the dir | others can get inside the dir |
Directory | --s | setuid/setgid + x (execute) | No effect on directory access | setgid is set with execute (x) | NA |
Directory | --S | setuid/setgid - x (execute) | No effect on directory access | setgid is set without execute (x) | NA |
Directory | --t | sticky bit + x (execute) | NA | NA | others cannot modify dir contents |
Directory | --T | sticky bit - x (execute) | NA | NA | No effect on dir access |
Directory | --X | execute/search access if already had execute permission for some user | dir owner can get inside the dir | dir owner group can get inside the dir | others can get inside the dir |
Directory | --- | no other bit is set | dir owner has no access | dir owner group has no access | others have no access |
[5]. NumberOfLinks:
This number is the hardlink count of the file, when referring to a file, or the number of contained directory entries when referring to a directory.
[6]. Owner:
The owner of the file.
[7]. Group:
The owner group of the file.
[8]. SizeInBytes:
The size of the file in bytes.
[9]. LastModified:
The date and time when the file was last modified.
[10]. FileName:
The name of the file.
Special permission modes:
In Linux, there are three special permission bits available, namely setuid, setgid, and the sticky bit.
Setuid: setuid can be set on an executable binary file. If setuid is set, the binary is executed with its owner's privileges instead of the privileges of the user who runs it. One example of setuid is the passwd binary, which always executes with root privileges (root is the owner of passwd) irrespective of the privileges of the user who runs it, and is used to set passwords. Setuid has no effect on a directory with respect to directory permissions.
Setgid: setgid is similar to setuid but affects files and directories differently. In the case of a file, if setgid is set, the file is executed with the privileges of its owner group instead of the group privileges of the user who runs it. In the case of a directory, if setgid is set, all the files within the directory will have the same group as the directory instead of the group of the user who created those files. One example use of setgid is to create a file share.
Sticky bit: the sticky bit only affects the permissions of a directory. When it is set on a directory, only a file's owner, the directory's owner or root can modify (rename or delete) the files and directories inside that directory. One example is the /tmp directory, where any user can manipulate their own files and directories but, by default, cannot manipulate the files and directories of others.
Linux Commands – chmod:
You can use chmod command to change file and directory permission.
############################
## Linux Commands | chmod ##
############################

## Prerequisites: One Unix/Linux/POSIX-compliant operating system with bash shell

##------
## chmod
##------

## chmod [option]... MODE[,MODE]... FILE...
## chmod [option]... OCTAL-MODE FILE...
## chmod [option]... --reference=RFILE FILE...

## chmod command
sudo groupadd mygroup1              ## create some user/group/file/dir
sudo useradd -g mygroup1 myuser1
sudo passwd myuser1
su - myuser1

## execute below code to create files and directories with all possible
## permissions combinations available using chmod
mkdir mydir && cd mydir
for i in {0..7}; do
  for j in {0..7}; do
    for k in {0..7}; do
      for l in {0..7}; do
        echo "hello" > myfile_$i$j$k$l
        mkdir mydir_$i$j$k$l
        chmod $i$j$k$l myfile_$i$j$k$l
        chmod $i$j$k$l mydir_$i$j$k$l
      done
    done
  done
done
cd ..
ls -l mydir/                        ## list all permissions that can be assigned in linux
ls -l mydir/myfile_*                ## glob added so the files are matched
ls -ld mydir/mydir_*                ## -d lists the directories themselves, not their contents
rm -rf mydir
chmod changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make or an octal number representing the bit pattern for the new mode bits.
symbolic representation:
The format of a symbolic mode is [ugoa…][[+-=][perms…]…], where perms are either zero or more letters from the set rwxXst, or a single letter from the set ugo. Multiple symbolic modes can be given, separated by commas. Below is the meaning of each character that can be passed in symbolic representation.
user bits | interpretation |
u | the user who owns it |
g | other users in the file’s group |
o | other users not in the file’s group |
a | all users, equivalent to ugo. |
action bits | interpretation |
+ | causes the selected file mode bits to be added to the existing file mode bits of each file |
- | causes the selected file mode bits to be removed from the existing file mode bits of each file |
= | causes the selected file mode bits to be added or if unmentioned, bits to be removed (except dir SETUID or SETGID). |
permission bits | interpretation |
r | if read bit is set |
w | if write bit is set |
s | If the set-user-ID or set-group-ID bit and the corresponding executable bit are both set |
t | If the restricted deletion flag or sticky bit, and the other-executable bit, are both set. |
X | execute/search permission is affected only if the file is a directory or already had execute permission. |
x | If the executable bit is set and none of the above apply. |
## chmod symbolic representation
echo "hello" > myfile                   ## create a file and directory
mkdir mydir
ls -l
## drwxrwxr-x 2 myuser1 mygroup1 6 May 31 14:33 mydir
## -rw-rw-r-- 1 myuser1 mygroup1 6 May 31 14:34 myfile

chmod a=r myfile && ls -l myfile        ## -r--r--r--
chmod a=w myfile && ls -l myfile        ## --w--w--w-
chmod a=x myfile && ls -l myfile        ## ---x--x--x
chmod ug+rw myfile && ls -l myfile      ## -rwxrwx--x
chmod o-x myfile && ls -l myfile        ## -rwxrwx---
chmod ug+s myfile && ls -l myfile       ## -rwsrws---
chmod ug-x myfile && ls -l myfile       ## -rwSrwS---
rm myfile

chmod a=r mydir && ls -l                ## dr--r--r--
chmod a=w mydir && ls -l                ## d-w--w--w-
chmod a=x mydir && ls -l                ## d--x--x--x
chmod g+rw mydir && ls -l               ## d--xrwx--x
chmod g+s mydir && ls -l                ## d--xrws--x
chmod g-x mydir && ls -l                ## d--xrwS--x
chmod o+t mydir && ls -l                ## d--xrwS--t
chmod o-x mydir && ls -l                ## d--xrwS--T
chmod o-t,g-s,u+rw mydir && ls -l       ## drwxrw----
rm -rf mydir
numeric representation:
A numeric mode is from one to four octal digits (0-7), derived by adding up the bits with values 4, 2, and 1. Below is the meaning of each number in numeric representation.
- The first digit selects the set user ID (4), set group ID (2) and restricted deletion or sticky (1) attributes.
- The second digit selects permissions for the user who owns the file: read (4), write (2), and execute (1).
- The third digit selects permissions for other users in the file's group: read (4), write (2), and execute (1).
- The fourth digit selects permissions for other users not in the file's group: read (4), write (2), and execute (1).
## chmod numeric representation
echo "hello" > myfile                   ## create a file and directory
mkdir mydir
ls -l
## drwxrwxr-x 2 myuser1 mygroup1 6 May 31 14:33 mydir
## -rw-rw-r-- 1 myuser1 mygroup1 6 May 31 14:34 myfile

chmod 0444 myfile && ls -l myfile       ## -r--r--r--
chmod 0222 myfile && ls -l myfile       ## --w--w--w-
chmod 0111 myfile && ls -l myfile       ## ---x--x--x
chmod 0771 myfile && ls -l myfile       ## -rwxrwx--x
chmod 0770 myfile && ls -l myfile       ## -rwxrwx---
chmod 6770 myfile && ls -l myfile       ## -rwsrws---
chmod 6660 myfile && ls -l myfile       ## -rwSrwS---
rm myfile

chmod 0444 mydir && ls -l               ## dr--r--r--
chmod 0222 mydir && ls -l               ## d-w--w--w-
chmod 0111 mydir && ls -l               ## d--x--x--x
chmod 0171 mydir && ls -l               ## d--xrwx--x
chmod 2171 mydir && ls -l               ## d--xrws--x
chmod 2161 mydir && ls -l               ## d--xrwS--x
chmod 1161 mydir && ls -l               ## d--xrwS--t
chmod 1160 mydir && ls -l               ## d--xrwS--T
chmod 000760 mydir && ls -l             ## drwxrw----
rm -rf mydir
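The octal digits above map directly onto the -perm test of find, which makes it easy to audit a tree for the special and world-writable bits described in this post. The script below is an added example, not part of the original post; the function names audit_modes and make_fixture, the report labels and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for the risky mode bits discussed on this page.
# audit_modes, make_fixture and the labels are hypothetical names.

# Print one "LABEL path" line per finding, sorted.
audit_modes() {
    dir=$1
    {
        # setuid files: first octal digit includes 4
        find "$dir" -type f -perm -4000 -exec printf 'setuid %s\n' {} +
        # setgid files: first octal digit includes 2
        find "$dir" -type f -perm -2000 -exec printf 'setgid %s\n' {} +
        # regular files writable by others: last octal digit includes 2
        find "$dir" -type f -perm -0002 -exec printf 'world-writable-file %s\n' {} +
        # directories writable by others that lack the sticky bit (1000),
        # so any user can remove or rename entries owned by someone else
        find "$dir" -type d -perm -0002 ! -perm -1000 \
            -exec printf 'world-writable-dir-no-sticky %s\n' {} +
    } | sort
}

# Build a constructed sample tree and print its path.
make_fixture() {
    root=$(mktemp -d) || return 1
    touch "$root/plain" "$root/suid" "$root/sgid" "$root/open"
    mkdir "$root/share" "$root/tmplike"
    chmod 0644 "$root/plain"     # rw-r--r--  not reported
    chmod 4755 "$root/suid"      # rwsr-xr-x  setuid
    chmod 2755 "$root/sgid"      # rwxr-sr-x  setgid
    chmod 0666 "$root/open"      # rw-rw-rw-  world-writable file
    chmod 0777 "$root/share"     # rwxrwxrwx  no sticky bit
    chmod 1777 "$root/tmplike"   # rwxrwxrwt  like /tmp, not reported
    echo "$root"
}

demo_root=$(make_fixture) && audit_modes "$demo_root"
rm -rf "$demo_root"
```

Run audit_modes against a real directory (for example a shared upload area) to list entries whose modes deserve a second look.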
You can use the chmod -c or --changes option to verbosely describe the action for each FILE whose permissions actually change.
## chmod -c or --changes options
echo "hello" > myfile                ## create a file
chmod a=r myfile                     ## returns nothing
chmod -c a=w myfile                  ## returns
## mode of ‘myfile’ changed from 0444 (r--r--r--) to 0222 (-w--w--w-)
rm -f myfile
You can use the chmod -f, --silent or --quiet option to suppress error messages about files whose permissions cannot be changed.
## chmod -f or --silent or --quiet options
sudo mkdir /tmp/mydir
chmod 777 /tmp/mydir                 ## chmod: changing permissions of ‘/tmp/mydir’: Operation not permitted
chmod -f 777 /tmp/mydir              ## returns no error message
sudo rm -rf /tmp/mydir
You can use the chmod -R or --recursive option to recursively change permissions of directories and their contents.
## chmod -R or --recursive options
mkdir -p mydir1/mydir2/mydir3        ## create some directories
ls -lR
chmod o-x mydir1                     ## drwxrwxr-- set only in mydir1
ls -lR
chmod -R o-x mydir1                  ## drwxrwxr-- set in all three dir
ls -lR
You can use the chmod -v or --verbose option to verbosely describe the action or non-action taken for every FILE.
## chmod -v or --verbose options
chmod -Rv o+rw mydir1
## mode of ‘mydir1’ changed from 0774 (rwxrwxr--) to 0776 (rwxrwxrw-)
## mode of ‘mydir1/mydir2’ changed from 0774 (rwxrwxr--) to 0776 (rwxrwxrw-)
## mode of ‘mydir1/mydir2/mydir3’ changed from 0774 (rwxrwxr--) to 0776 (rwxrwxrw-)
rm -rf mydir1
You can use the chmod --reference=REF_FILE option to change the mode of each FILE to be the same as that of REF_FILE.
Note: If REF_FILE is a symbolic link, do not use the mode of the symbolic link, but rather that of the file it refers to.
## chmod --reference=REF_FILE option
touch myfile{1,2}                    ## create some files
ls -l                                ## -rw-rw-r-- set by default
chmod a=rwx myfile1 && ls -l myfile1 ## set myfile1 to -rwxrwxrwx
chmod --reference=myfile1 myfile2    ## set myfile2 permission same as myfile1
ls -l myfile2                        ## -rwxrwxrwx
You can use the chmod --preserve-root option to fail upon any attempt to recursively change the root directory, ‘/’. Without ‘--recursive’, this option has no effect. This is a failsafe mechanism that protects against accidentally changing file permissions critical to the OS.
## chmod --preserve-root option
chmod -cfR --preserve-root a+w /     ## no changes, just for fun
## chmod: it is dangerous to operate recursively on ‘/’
## chmod: use --no-preserve-root to override this failsafe
You can use the chmod --no-preserve-root option to cancel the effect of any preceding ‘--preserve-root’ option. This is a very dangerous command and should be avoided. Do not try to execute the below command, given just as an example.
## chmod --no-preserve-root option
chmod -cfR --preserve-root a+w /     ## do not execute this command
                                     ## just given as an example
exit                                 ## exit myuser
sudo rm -rf my*                      ## cleanup
sudo userdel -rf myuser1
sudo groupdel mygroup1
Hope you have enjoyed this article. In the next blog post, we will discuss chown command.