Ubuntu chmod commands. Chmod: change permissions

Our documentation of the umask command contains a comprehensive description of how to define and specify file permissions.

In general, chmod commands take the form:

chmod options permissions file name

If no options are specified, chmod modifies the permissions of the file specified by file name to the permissions specified by permissions.

permissions defines the permissions for the owner of the file (the "user"), members of the group who owns the file (the "group"), and anyone else ("others"). There are two ways to represent these permissions: with symbols (alphanumeric characters), or with octal numbers (the digits 0 through 7).

Let's say you are the owner of a file named myfile, and you want to set its permissions so that:

  1. the user can read, write, and execute it;
  2. members of your group can read and execute it; and
  3. others may only read it.

This command will do the trick:

chmod u=rwx,g=rx,o=r myfile

This example uses symbolic permissions notation. The letters u, g, and o stand for "user", "group", and "other". The equals sign ("=") means "set the permissions exactly like this," and the letters "r", "w", and "x" stand for "read", "write", and "execute", respectively. The commas separate the different classes of permissions, and there are no spaces in between them.

Here is the equivalent command using octal permissions notation:

chmod 754 myfile

Here the numbers 7, 5, and 4 each individually represent the permissions for the user, group, and others, in that order. Each digit is a combination of the numbers 4, 2, 1, and 0:

  • 4 stands for "read",
  • 2 stands for "write",
  • 1 stands for "execute", and
  • 0 stands for "no permission."

So 7 is the combination of permissions 4+2+1 (read, write, and execute), 5 is 4+0+1 (read, no write, and execute), and 4 is 4+0+0 (read, no write, and no execute).

Syntax

chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
chmod [OPTION]... --reference=RFILE FILE...

Options

-c, --changes

Like --verbose, but gives verbose output only when a change is actually made.

-f, --silent, --quiet

Quiet mode; suppress most error messages.

-v, --verbose

Verbose mode; output a diagnostic message for every file processed.

--no-preserve-root

Do not treat "/" (root directory) in any special way, which is the default setting.

--help

Display a help message and exit.

The file's owner.

hopestaff - The group to whom the file belongs.

Feb 03 15:36 - The file's mtime (date and time when the file was last modified).

file.txt - The name of the file.

Examples

chmod 644 file.htm

Set the permissions of file.htm to "owner can read and write; group can read only; others can read only".

chmod -R 755 myfiles

Recursively (-R) change the permissions of the directory myfiles, and all folders and files it contains, to mode 755: user can read, write, and execute; group members and other users can read and execute, but cannot write.

chmod u=rw example.jpg

Change the permissions for the owner of example.jpg so that the owner may read and write the file. Do not change the permissions for the group, or for others.

chmod u+s comphope.txt

Set the "Set-User-ID" bit of comphope.txt, so that anyone who attempts to access that file does so as if they are the owner of the file.

chmod u-s comphope.txt

The opposite of the above command; un-sets the SUID bit.

chmod 755 file.cgi

Set the permissions of file.cgi to "read, write, and execute by owner" and "read and execute by the group and everyone else".

chmod 666 file.txt

Set the permission of file.txt to "read and write by everyone".

chmod a=rw file.txt

Accomplishes the same thing as the above command, using symbolic notation.

Related commands

chown - Change the ownership of files or directories.
getfacl - Display file access control lists.
ls - List the contents of a directory or directories.

Change file permissions

Syntax:

chmod [-fv] [-R [-H | -L | -P]] mode file ...
chmod [-fv] [-R [-H | -L | -P]] [-a | +a | =a] ACE file ...
chmod [-fhv] [-R [-H | -L | -P]] [ACL_Option] file ...

Options:

-R Recursive. Used for folders. Changes the rights not only for the specified object, but also for everything nested in it
-R -H Follow symbolic links given on the command line. Symbolic links are not processed by default.
-R -L All symbolic links will be followed
-R -P No symbolic links will be followed. This is the default setting.
-v Verbose. Shows all files that have been modified
-v -v Very verbose mode. Old and new permissions will be displayed in octal (numeric) and alphabetic form
-f Do not display diagnostic messages if it is not possible to change file permissions
ACL_Option ACL manipulation options (ACL - access control lists for user groups)

Access rights:

Permissions can be specified either as a letter code or numerically, in octal notation.

Management via numeric authorization:

Three bits are used for rights management

  • the first is the right to read
  • the second is the right to write
  • the third is the right to execute
Binary  Octal  Letter code  Description
000     0      ---          no rights
001     1      --x          execute only
010     2      -w-          write only
011     3      -wx          write and execute
100     4      r--          read only
101     5      r-x          read and execute
110     6      rw-          read and write, no execute
111     7      rwx          all rights

These file permissions are set for three types of access:

  • for the owner
  • for a group
  • for others

As a result, the command looks like this:

$ chmod 444 file - read-only permission for everyone

$ chmod 755 file - the owner has all rights (7), the group and other users can only read and execute (5)

$ chmod 066 file - the owner has no rights to the file (0), everyone else has the right to read and write without executing

Management using symbolic (letter) access rights:

Format for specifying rights by letter code

[who...][[+-=][rights...]...][,...]

who is a combination of the characters "ugoa", indicating the users whose permissions on the file or folder will be changed

  • u - the user who owns the file
  • g - the group that owns the file
  • o - other users
  • a - all, equivalent to ugo

The chmod command is used to change the permissions of files or directories.

On Linux and other Unix-like operating systems, each file has a set of rules that determine who can access it and how. These rules are called file permissions or file modes. The command name chmod stands for "change mode", and the command is used to define how a file can be accessed.

In general, chmod commands look like this:

chmod options permissions filename

If no options are specified, chmod changes the permissions of the file specified by filename to the permissions specified by permissions.

Permissions define access rights for the owner of the file ("user"), members of the group that owns the file ("group"), and everyone else ("others"). There are two ways to represent these permissions: using symbols (alphanumeric characters) or octal numbers (numbers 0 through 7).

Let's say you own a file named myfile and want to set its permissions so that:

  1. the user can read, write and execute it;
  2. group members can read and execute it;
  3. others can only read it.

This command will look like this:

chmod u=rwx,g=rx,o=r myfile

This example uses symbolic notation for permissions. The letters u, g, and o stand for user, group, and other. The equals sign ("=") means "set permissions exactly like this", and the letters "r", "w" and "x" mean "read", "write" and "execute" respectively. Commas separate the different classes of permissions, and there are no spaces between them.

Here is the equivalent command using octal permission notation:

chmod 754 myfile

Here, the numbers 7, 5, and 4 each individually represent the permissions for the user, group, and others, in that order. Each digit is a combination of the numbers 4, 2, 1 and 0:

  • 4 means "read",
  • 2 means "write",
  • 1 means "execute",
  • 0 means "no permission".

So 7 is a combination of permissions 4 + 2 + 1 (read, write, and execute), 5 is 4 + 0 + 1 (read, no write, and execute), and 4 is 4 + 0 + 0 (read, no write, and no execute).

chmod syntax

chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
chmod [OPTION]... --reference=RFILE FILE...

chmod options

-c, --changes Like --verbose, but only produces verbose output when a change is actually made.

-f, --silent, --quiet Silent mode; suppress most error messages.

-v, --verbose Verbose mode; output a diagnostic message for each processed file.

--no-preserve-root Do not treat "/" (root directory) in any special way, which is the default setting.

--preserve-root Refuse to operate recursively on "/".

--reference=RFILE Set permissions to match those of the RFILE file, ignoring any MODE specified.

-R, --recursive Change files and directories recursively.

--help Show help message and exit.

--version Display version information and exit.

Technical description

chmod changes the file mode of each specified FILE according to MODE, which can be either a symbolic representation of the changes being made, or an octal number representing the bit pattern for the new mode bits.

Symbolic mode format:

[ugoa...][[+-=][perms...]...]

where perms is zero or more letters from the set r, w, x, X, s, and t, or one letter from the set u, g, and o. You can specify multiple character modes separated by commas.

A combination of the letters u, g, o, and a controls which users' access to the file will be changed: the user who owns it (u), other users in the file's group (g), other users not in the file's group (o), or all users (a). If none of these is given, the effect is as if a were given, but the bits that are set in umask are not affected.

The "+" operator causes the selected file mode bits to be added to the existing file mode bits of each file; "-" causes them to be removed; and "=" causes them to be added and causes unmentioned bits to be removed, except that a directory's unmentioned set-user-ID and set-group-ID bits are not affected.

The letters r, w, x, X, s, and t select the file mode bits for the affected users: read (r), write (w), execute (x), execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), and the restricted deletion flag or sticky bit (t). For directories, the x and X execute options determine permission to access the contents of the directory.

Instead of one or more of these letters, you can specify exactly one of the letters u, g, or o: the permissions granted to the user who owns the file (u), the permissions granted to other users who are members of the file's group (g), and the permissions granted to users who are in neither of the two previous categories (o).
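The following is an added example, not part of the original page: it applies several symbolic modes to a scratch file and reads back the resulting octal mode, showing that an omitted "who" honours umask while an explicit "a" does not, and how "=" and "g=u" behave. The function names mode_of and apply_mode are hypothetical, and GNU or BSD stat is assumed.

```shell
#!/bin/sh
# Added example: symbolic modes applied to a scratch file (constructed sample
# data) so that the resulting octal mode can be read back and compared.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# apply_mode START SYMBOLIC UMASK
# Create a file with mode START, run "chmod SYMBOLIC" under UMASK and print
# the mode that results.
apply_mode() {
    am_dir=$(mktemp -d) || return 1
    am_file="$am_dir/sample"
    : > "$am_file"
    chmod "$1" "$am_file"
    # Subshell: the umask change must not leak into the caller.
    ( umask "$3" && chmod "$2" "$am_file" )
    mode_of "$am_file"
    rm -rf "$am_dir"
}

# Each row: start mode, symbolic mode, umask.
#   +w    no "who": acts like a+w, minus the bits set in umask
#   a+w   explicit "a": umask is not consulted
#   go=r  "=" removes the unmentioned w and x bits for group and others
#   g=u   copies the owner's bits to the group
while read -r start sym mask; do
    printf '%s  chmod %-5s (umask %s) -> %s\n' \
        "$start" "$sym" "$mask" "$(apply_mode "$start" "$sym" "$mask")"
done <<'EOF'
444 +w 022
444 a+w 022
644 +x 027
777 go=r 022
640 g=u 022
754 o-r 022
EOF
```

The first two rows are the ones to watch in scripts: "chmod +w" under umask 022 gives only the owner write access, while "chmod a+w" makes the file world-writable.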

Numeric mode is one to four octal digits (0-7), obtained by adding the bits with values 4, 2, and 1. Omitted digits are assumed to be leading zeros. The first digit selects the set-user-ID (4), set-group-ID (2) and restricted deletion or sticky (1) attributes. The second digit selects permissions for the user who owns the file: read (4), write (2), and execute (1); the third selects permissions for other users in the file's group, with the same values; and the fourth for other users not in the file's group, with the same values.

chmod never changes the permissions of symbolic links; the chmod system call cannot change their permissions. This is not a problem, since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file. In contrast, chmod ignores symbolic links encountered during recursive directory traversals.

Setuid and Setgid Bits

chmod clears the set-group-ID bit of a regular file if the file's group ID does not match the user's effective group ID or one of the user's additional group IDs, unless the user has the appropriate privileges. Additional restrictions may cause the set-user-ID and set-group-ID bits in MODE or RFILE to be ignored. This behavior depends on the policy and functionality of the underlying chmod system call. If in doubt, check the behavior of the system.

chmod preserves the set-user-ID and set-group-ID bits of the directory unless you specify otherwise. You can set or clear bits with symbolic modes like u+s and g-s, and you can set (but not clear) bits with numeric mode.

Restricted Deletion Flag (or "Sticky Bit")

The restricted deletion flag, or sticky bit, is a single bit whose interpretation depends on the file type. For directories, it prevents unprivileged users from deleting or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is typically found on world-writable directories such as /tmp. For regular files on some older systems, this bit saves the text image of the program on the swap device, so it loads faster on startup; this is called the sticky bit.
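An added example, not part of the original page, that audits a directory tree for the special bits described above: set-ID regular files, world-writable directories without the restricted deletion flag, and world-writable files. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the special-permission cases in a tree with find -perm.

# Regular files carrying the set-user-ID (4000) or set-group-ID (2000) bit.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# World-writable directories without the restricted deletion flag (1000).
find_open_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Regular files that anyone may write to.
find_world_writable_files() {
    find "$1" -type f -perm -0002 -print
}

# Build a small constructed tree that contains one instance of each case.
make_demo_tree() {
    dt_root=$(mktemp -d) || return 1
    mkdir "$dt_root/shared" "$dt_root/dropbox" "$dt_root/bin"
    : > "$dt_root/bin/helper"
    : > "$dt_root/bin/plain"
    : > "$dt_root/notes.txt"
    chmod 0755 "$dt_root/bin"
    chmod 1777 "$dt_root/shared"      # world-writable, sticky bit set (like /tmp)
    chmod 0777 "$dt_root/dropbox"     # world-writable, no sticky bit
    chmod 4755 "$dt_root/bin/helper"  # set-user-ID file
    chmod 0755 "$dt_root/bin/plain"
    chmod 0666 "$dt_root/notes.txt"
    printf '%s\n' "$dt_root"
}

audit_tree() {
    echo "set-ID files:";                          find_setid_files "$1"
    echo "world-writable dirs without sticky bit:"; find_open_dirs "$1"
    echo "world-writable files:";                  find_world_writable_files "$1"
}

demo=$(make_demo_tree) && audit_tree "$demo"

# Give the open directory the same protection as /tmp; it is no longer listed.
chmod +t "$demo/dropbox"
echo "after chmod +t:"; find_open_dirs "$demo"
rm -rf "$demo"
```

Run audit_tree against a real path (for example a web root) to review what it reports before changing any bits.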

How to view file permissions

A quick and easy way to list file permissions is with the long list (-l) option of the ls command. For example, to view the permissions for file.txt, you can use the command:

ls -l file.txt

Which will display output that looks like this:

chmod examples

chmod 644 file.htm

Sets the permissions of file.htm to "owner can read and write; the group can only read; others can only read."

chmod -R 755 myfiles

Recursively (-R) changes the permissions on the myfiles directory and all its folders and files to mode 755. The user can read, write, and execute; group members and other users can read and execute, but cannot write.

chmod u=rw example.jpg

Changes the permissions for the owner of example.jpg so that the owner can read and write the file. Does not change permissions for the group or for others.

chmod u+s comphope.txt

Sets the "Set-User-ID" bit of the comphope.txt file so that anyone who tries to access this file does so as if they were the owner of the file.

chmod u-s comphope.txt

The opposite of the above command; clears the SUID bit.

chmod 755 file.cgi

Sets the permissions for file.cgi to "read, write, and execute by owner" and "read and execute by group and everyone else."

chmod 666 file.txt

Sets the permission of file.txt to "read and write by everyone".

chmod a=rw file.txt

Performs the same as the above command using symbolic notation.

Related commands

chown - Change the owner of files or directories.
getfacl - Show file access control lists.
ls - List the contents of a directory or directories.

(The initial value of the file permissions is rwxrwxrwx - full control for everyone.)

Revoke permission to execute the file for all users and groups:

$ chmod a-x file (rw-rw-rw-)

Remove write permission for the group and other users:

$ chmod go-w file (rw-r--r--)

Grant the owner permission to execute the file:

$ chmod u+x file (rwxr--r--)

Give the group the same access rights as the owner of the file:

$ chmod g=u file (rwxrwxr--)

Remove read and write permission for the group and other users:

$ chmod go-rw file (rwx--x---)

Examples of using the chmod command in absolute mode

Permission to read, write, execute the file file by all users and groups (full control):

$ chmod 777 file (rwxrwxrwx)

Setting read and write permissions for owner, group and other users:

$ chmod 666 file (rw-rw-rw-)

Setting full file access for the owner and read-only access for the group and other users:

$ chmod 744 file (rwxr--r--)

Setting full access to the file for its owner and denying access to the group and other users:

$ chmod 700 file (rwx------)

Set read/write permissions for the file owner and read-only permissions for the group and others:

$ chmod 644 file (rw-r--r--)

Set read and write permissions for the owner of a file, read-only permission for its group, and deny access to others:

$ chmod 640 file (rw-r-----)

Setting file access with read permission for all users and groups:

$ chmod 444 file (r--r--r--)

File permissions for read, write, execute by owner and read, execute by group and others:

$ chmod 755 file (rwxr-xr-x)

Allowing read and execute access to the file for the user and others, and denying access for the group:

$ chmod 505 file (r-x---r-x)

If you want to assign permissions to all files in the current directory, simply put an * (asterisk) after the assigned permissions:

$ chmod 755 *

As a result of executing this command, the owner will receive full rights (read, modify, execute) on all files in the current directory, while the group and other users will receive only read and execute. If you want your actions to propagate recursively (including all subdirectories), use the -R option:

$ chmod -R 777 *

The result of the above command will be to recursively "traverse" all subdirectories of the current directory and assign full access to all users and groups, so every file and directory in the tree becomes world-writable. This article only covers some examples of how to use the chmod command. If you want to learn more about how the chmod command works and Linux permissions, check out this article.

Change permissions for directories only (recursively)

$ find /path/to/base/dir -type d -exec chmod 755 {} +

$ chmod 755 $(find /path/to/base/dir -type d)

$ chmod 755 `find /path/to/base/dir -type d`

$ find /path/to/base/dir -type d -print0 | xargs -0 chmod 755

Change permissions for files only (recursively)

$ find /path/to/base/dir -type f -exec chmod 644 {} +

$ chmod 644 $(find /path/to/base/dir -type f)

$ chmod 0755 `find ./ -type f`

$ find /path/to/base/dir -type f -print0 | xargs -0 chmod 644
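An added example, not part of the original page, that resets a tree after "chmod -R 777" using the find-based commands listed above and shows why the unquoted $(find ...) form is unreliable when names contain spaces. The tree and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: restore a 755 (directories) / 644 (files) policy on a tree.

# Constructed sample tree with spaces in names, opened up with chmod -R 777.
make_tree() {
    mt_root=$(mktemp -d) || return 1
    mkdir -p "$mt_root/site/img dir"
    : > "$mt_root/site/index.html"
    : > "$mt_root/site/img dir/my photo.jpg"
    chmod -R 777 "$mt_root/site"
    printf '%s\n' "$mt_root/site"
}

# Directories 755, regular files 644. "{} +" hands every name to chmod as a
# single argument, so spaces in names are harmless.
reset_tree() {
    find "$1" -type d -exec chmod 755 {} + &&
    find "$1" -type f -exec chmod 644 {} +
}

# The command-substitution form: the shell splits find's output on
# whitespace, so "img dir/my photo.jpg" arrives as three separate words.
# chmod fails on the fragments, and a fragment that happens to name another
# existing file would have its mode changed instead.
reset_files_unquoted() {
    chmod 644 $(find "$1" -type f) 2>/dev/null
}

# Number of entries whose mode differs from the 755/644 policy.
count_off_policy() {
    find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) |
        wc -l | tr -d ' '
}

tree=$(make_tree)
echo "after chmod -R 777:        $(count_off_policy "$tree") entries off policy"
reset_files_unquoted "$tree" || echo "unquoted form: chmod reported errors"
echo "after the unquoted form:   $(count_off_policy "$tree") entries off policy"
reset_tree "$tree"
echo "after find -exec ... {} +: $(count_off_policy "$tree") entries off policy"
rm -rf "$(dirname "$tree")"
```

The -print0 | xargs -0 form from the list is equally safe with unusual names; the two $(find ...) and backquote forms are not.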

Chmod syntax for folders and files

Let's first look at what Chmod permissions actually are, so that we understand exactly what we are configuring and how. Permissions are divided into Chmod for files and Chmod for directories. They are written the same way, but mean slightly different things.

Access rights (Chmod) to files are divided into:

    r - the right to read data.

    w - the right to change the content (write - only change the content, but not delete).

    x - the right to execute the file.

Let's dwell a little more on the right to execute a file. In Linux (Unix), any file can be executed. Whether a file is executable is determined not by its extension (the concept of an extension does not exist in the Unix file system), but by its Chmod permissions. If a file has the "x" permission set, it can be run.

Now about the access rights (Chmod) to the folder (directory):

    r - the right to read the directory (you can read the contents of the directory, i.e. get a list of objects in it)

    w - the right to change the contents of the directory (you can create and delete objects in this directory, and if you have write permission, then you can delete even those files that do not belong to you)

    x - the right that allows you to enter the directory (this right is always checked first, and even if you have all the necessary rights to an object that is buried deep in the directory chain, but do not have the "x" right on even one directory on the path to this file, you will never reach it)

On Linux (Unix) systems, all these rights are granted by the main administrator of the computer, who gains access by entering a password. If most objects have read-only access rights (Chmod), there will be practically nothing for viruses to do on such a computer: they will be able neither to write themselves there nor to be executed afterwards. This is the result we need to achieve by setting access rights (Chmod) on the objects of our site.

Chmod Syntax for User Groups

Permissions themselves (Chmod) are divided into three categories, depending on who is accessing the object:

    "user" - u (direct file owner)

    "group" - g (member of the same group as the owner)

    "world" - o (everyone else)

The server determines which user group you belong to when you connect to it. When you connect to a server via FTP, for example, you log in with your username (and password) and the server then assigns you to the "user" ("u") group. Other users who also connect to the server via FTP will be assigned to the "group" ("g") group, and a user who comes to your site using a browser falls into the "world" ("o") group.

Variations of the three possible values "r", "w" and "x" for the three categories "u", "g" and "o" define Chmod for files. If a right is not granted, it is replaced by a hyphen "-". Access rights (Chmod) are specified sequentially in the following order:

    first rights for owner - "u"

    then for the group - "g"

    and at the end of the right for everyone else - "o"

After the server assigns the user to a certain group, it grants the user the rights to act on objects, after which the user will be able to read, write or execute the file (depending on what the user's group is allowed to do with this object). To see the contents of a folder, the folder must have the read attribute "r" (for the group to which the server assigned the user). To create a file or folder inside an existing folder, that folder must have the "w" (write) attribute set.

For clarity, let's look at an example where the owner of the file ("user" - "u") has all the rights (read, write and execute), and all other users only have the right to read. Such a Chmod entry would look like this: "rwx r-- r--". Let's consider it in detail: "rwx" (this entry sets the rights to the object for the owner - "u"), "r--" (this entry sets the rights to the same object if the user is assigned by the server to the group - "g"), "r--" (this entry sets the rights to the object for all other users - "o").

What is the difference between Chmod files and folders

Nothing can be done

Access to the directory and its subdirectories is denied

Can see and edit content

Can add, delete, change folder file

Run if file is binary

The user can execute a binary file that he knows exists, access or read the directory is prohibited

Chmod Syntax Numeric (777)

As you can see, access rights are written here using Latin letters and hyphens, but you have probably already come across the fact that Chmod is usually set in numeric form, for example the well-known combination Chmod 777, which allows everything to everyone. Indeed, access rights (Chmod) are also indicated by numbers:

    r (read) is replaced by 4

    w (write) is replaced by 2

    x (execute) is replaced by 1

0 means do nothing (indicated by a hyphen in the letter notation).

Let's go back to the example of access rights notation I gave a little earlier: rwx r-- r--. If we replace the letters and hyphens in it with numbers, according to the rule just described, and add up the numbers in each triple, we get the numeric form of this entry: 744. In other words, the sum of these numbers gives the Chmod of a file or folder. For example:

    7 (rwx) = 4 + 2 +1 (full rights)

    5 (r-x)= 4 + 0 + 1 (read and execute)

    6 (rw-) = 4 + 2 + 0 (read and write)

    4 (r--) =4 + 0 + 0 (read only)

This table lists all possible Chmod combinations in numerical form:

And now let's look at the various combinations of Chmod in numbers, in relation to user groups:

(Table with columns "Owner", "Group" and "Rest"; its rows were not preserved.)

You yourself (except when you access the site via FTP) and all other visitors to your site belong to the "world" group (everyone else), so when working with a website we first need to look at the last (third) digit of Chmod. For a script to be able to "run a file" when a user works with the site, it is enough for the file's access rights (Chmod) to start from "4" (r-- - read only); 5, 6 and 7 would also work, but would be excessive from a security point of view.

For the "folder" in which the script file is located, you need to set at least "5" (r-x - you can enter the folder and read its contents, but cannot delete or add anything). 7 would also work, but is likewise excessive from a security point of view. If the script needs not only to read but also to "write" some data (for example, data entered by the user), the minimum rights on the "folder" are still "5", but the "file" will need "6" (read and write).

Most likely, on the server where you copied the contents of your site engine, the following Chmod to objects will be installed:

Folders 755

the owner (user) can do everything, the group and everyone else can only read folders and go into them, but they are not allowed to write files, change names and delete them in directories. (rwxr-xr-x)

Files 644

If your site consisted only of some HTML, you could leave everything like that. But modern sites are built on engines, and there may be objects that need to be written to on behalf of users from the "world" group - o (everyone else). These can be folders used for caching pages, or folders into which pictures and so on are uploaded while working with the site. It goes without saying that if you access the site via FTP, you can write to these files or folders, but when working through the website interface as a normal user, you may experience problems. Therefore, setting particular Chmod values must be approached selectively.

The chmod command (Change MODE) has a very specific syntax. The general syntax is:
but what characterizes it is that the mode change can take many forms. It can be specified in two ways:

  1. as an octal number. Owner permissions correspond to numbers in the form 00 , where it corresponds to the assigned permission: 4 for reading, 2 for writing, and 1 for executing. Similarly, the permissions for the owner group become 0 , and the permissions for "others" become . Then, all you have to do is find the sum of the permissions you assign to get the desired mode. Thus, permissions rwxr-xr-- correspond to 400+200+100 (owner permissions, rwx) +40+10 (group permissions, r-x) +4 (other permissions, r--) = 754; thus, permissions are expressed in absolute terms. This means that previous permissions are unconditionally replaced;
  2. using expressions. In this case, permissions are expressed through a sequence of expressions separated by commas. An expression takes the form: [category]<+|-|=><permissions> .
Examples:
  • chmod -R o-w /shared/docs: Recursively removes write permission for others from all files and subdirectories in the /shared/docs/ directory.
  • chmod -R og-w,o-x private/: recursively removes write permission for group and others from the entire private/ directory, and removes execute permission for others.
  • chmod -c 644 misc/file*: changes the permissions of all files in the misc/ directory whose names begin with file to rw-r--r-- (i.e. read permission for everyone and write permission only for the owner), and only reports those files that were affected by the command.

The following example shows how to allow all users to read, modify, and save a file. To do this, you need to change the permissions of the "others" group.
Enter on the command line:
ls -l example1.txt
The following information will be displayed:
-rw-rw-r-- 1 user user 42 Mar 24 22:07 example1.txt
Now enter the following command:
chmod o+w example1.txt
The o+w command means that you give "others", denoted by the letter "o", write permission to the file example1.txt. To see what the execution of the specified command resulted in, let's look at the file again:
-rw-rw-rw- 1 user user 42 Mar 24 22:09 example1.txt
Now everyone can read and write to the file.
To disable reading and writing to example1.txt, use the chmod command.
chmod go-rw example1.txt
The go-rw command tells the system that you want to prevent the group and "others" from reading and writing to the file example1.txt.
As a result, the permissions will look like this:
-rw------- 1 user user 42 Mar 24 22:10 example1.txt
The above classes and rights are shorthand for the corresponding English words, so they are easy to remember: all you need to remember is a few characters and letters.
Here is a list of transcripts of these abbreviations:

Classes
u - the user who is the owner of the file (from the English "user");
g - the group to which the user belongs (from the English "group");
o - the rest (not the owner and not the owner group, from the English "others");
a - all (u, g and o, from the English "all").

Permissions
r - the right to read;
w - the right to write;
x - the right to execute.

Actions
+ - gives the right;
- - takes away the right;
= - leaves only this right.

Do you want to test your knowledge? Remove all rights to the example1.txt file from all users.
chmod a-rwx example1.txt
Now check whether you can read the file with the command cat example1.txt. You should see the following:
cat: example1.txt: Permission denied
By revoking all permissions, including your own, you have denied access to the file. But since the file belongs to you, you can always return the rights with the following command:
chmod u+rw example1.txt
To make sure you can read this file, use the cat example1.txt command.
Here are some examples of using the chmod command:

  • g+w - gives the owning group write permission;
  • o-rwx - takes away all rights from other users;
  • u+x - gives the owner the right to execute the file;
  • a+rw - allows anyone to read and write to a file;
  • ug+r - allows the owner and group to read the file;
  • g=rx - allows the group to read and execute the file (not write to it).

The -R option allows you to change permissions for the entire directory tree.
Since directories cannot be "executed" as applications, adding or removing the corresponding right means allowing (or disallowing) viewing the directory.
For example, if you prevent other users from executing the docs/ directory, it doesn't matter who has read and write permissions. No one will be able to access the contents of a directory unless they know the exact name of the file it contains.
Type, for example:
chmod a-x docs
to revoke execute permission from all users.
If you now try to change the directory with cd docs, you will get a failure:
bash: docs: Permission denied
Reclaim permissions for yourself and your group:
chmod ug+x docs
If you now check the results of your actions with the command ls -l, you will see that only other users are denied access to the docs/ directory.