On Linux and Unix, security starts with file permissions. At the most basic level, file and directory permissions play a vital role in the security of a system. When you create a file or directory on a Linux system, it comes with default permissions.
File permissions are applied at three levels: the user (owner), the group members and others. The chmod command is used in Linux to change these permissions.
In this tutorial, we will discuss how to change file permissions in Linux using the chmod command.
1) Change permissions using the numeric (octal) method
Permissions (access modes) can be changed with the chmod command either by giving an octal number or by using operators (-, + or =) to assign permissions (r, w or x) to a specific class of users (u, g, o or a). The command accepts either numeric (octal) or symbolic access mode specifications.
The numeric method is the most commonly used way of setting permissions for files and directories. To do this, enter:
chmod numeric_permission filename
Each permission is represented by a number (read = 4, write = 2, execute = 1), and the permissions of each class are the sum of those numbers, so a complete mode is a set of three columns, one digit per class.
In the above diagram (mode 764):
- The 'User' is given (4 2 1) permission: the user has read, write and execute (7).
- The 'Group' is given (4 2 0) permission: group members can read and write (6).
- The 'Other (world)' is given (4 0 0) permission: others can only read (4).
In the numeric method, all the permissions are changed at once.
755 : set read+write+execute permission for the user, read+execute permission for the group and read+execute permission for others.
# chmod 755 asciiquarium.tar.gz
# ls -l asciiquarium.tar.gz
-rwxr-xr-x 1 linoadmin linoadmin 15436 Mar 9 2013 asciiquarium.tar.gz
476 : set only read permission for the user, read+write+execute permission for the group and read+write permission for others.
# chmod 476 bootstrap
# ls -l bootstrap
-r--rwxrw- 1 root root 5747 Apr 25 01:45 bootstrap
500 : set read+execute permission for the user, no permissions for the group and no permissions for others.
# chmod 500 asciiquarium_1.1/
# ls -ld asciiquarium_1.1/
dr-x------ 2 linoadmin linoadmin 4096 Mar 9 2013 asciiquarium_1.1/
When using the numeric method, you should always specify three values (owner, group, and others).
2) Change permissions using symbolic mode
Most Linux users prefer the numeric access mode. However, some people prefer the symbolic form because it modifies an existing mode instead of completely replacing it.
Symbolic mode is used as:
chmod entity<operator>permissions filename (for example chmod a=rw filename)
A symbolic mode specification has three parts, each made up of single characters, with a letter identifying the class:
Entity: User owner = u, group owner = g, other = o, and all = a
Operation: + to add, - to remove, or = to assign (remove the other existing permissions)
Permissions to set: r = read, w = write, and x = execute
Some examples to make this clear:
+x : Add execute permission for all classes (user, group and other). It is used to make a script or a program executable so that it can be run.
# chmod +x hello.sh
# ls -l hello.sh
-rwxr-xr-x 1 root root 66 May 15 20:12 hello.sh
Now you can run your script as below:
# ./hello.sh
Hello... How are you ?
u+x : Add execute permission for the user only.
# chmod u+x backupdb.sh
# ls -l backupdb.sh
-rwxr--r-- 1 linoadmin linoadmin 15436 Mar 9 2013 backupdb.sh
go-w : Remove write permission from the group and other classes only.
# chmod go-w script-test/
# ls -ld script-test/
drwxr-xr-x 3 root root 4096 Apr 25 02:21 script-test/
a=rw : Set read and write, but not execute, permissions for everyone.
# chmod a=rw bootstrap
# ls -l bootstrap
-rw-rw-rw- 1 root root 5747 Apr 25 01:45 bootstrap
g-x,o-rx : Remove execute permission from the group and remove read+execute permission from others.
Note: don't put a space after the comma (,).
# chmod g-x,o-rx baba/
Let's verify the permissions using the ls command:
# ls -ld baba/
drwxr----- 2 root root 4096 Apr 13 01:35 baba/
When using the symbolic method, you can combine several clauses to change more than one class at the same time.
Keep in mind that in symbolic mode, the permissions you do not specify stay as they were before running the chmod command.
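As an added example (not part of the original tutorial), the following POSIX sh function applies a symbolic specification of the kind shown above to an existing octal mode, so you can see exactly which bits each clause touches and that everything else is left alone. It implements only the u/g/o/a classes, the +, - and = operators and the r/w/x permissions; the umask that real chmod applies when no class is given is noted in a comment but not implemented.

```shell
#!/bin/sh
# Apply a chmod-style symbolic specification to an existing octal mode and print
# the result. Clauses are "who op perms" joined by commas, e.g. "g-x,o-rx"; bits
# the specification does not name are left as they were.

apply_symbolic() {                          # apply_symbolic 755 g-x,o-rx -> 740
    mode=$(( 0$1 ))                         # leading 0: read the digits as octal
    spec=$2
    while [ -n "$spec" ]; do
        clause=${spec%%,*}                  # next clause, e.g. "go-w"
        [ "$clause" = "$spec" ] && spec="" || spec=${spec#*,}
        who=${clause%%[+=-]*}               # classes: any of u, g, o, a (may be empty)
        rest=${clause#"$who"}
        op=${rest%"${rest#?}"}              # operator: first character of the remainder
        perms=${rest#?}
        [ -n "$who" ] || who=a              # no class given: like 'a' (real chmod also applies the umask here)
        cmask=0                             # the nine-bit positions this clause may touch
        case $who in *[ua]*) cmask=$(( cmask | 0700 )) ;; esac
        case $who in *[ga]*) cmask=$(( cmask | 0070 )) ;; esac
        case $who in *[oa]*) cmask=$(( cmask | 0007 )) ;; esac
        pbits=0                             # r=4, w=2, x=1 within one class
        case $perms in *r*) pbits=$(( pbits | 4 )) ;; esac
        case $perms in *w*) pbits=$(( pbits | 2 )) ;; esac
        case $perms in *x*) pbits=$(( pbits | 1 )) ;; esac
        bits=$(( (pbits << 6 | pbits << 3 | pbits) & cmask ))   # spread over u/g/o, keep chosen classes
        case $op in
            +) mode=$(( mode | bits )) ;;
            -) mode=$(( mode & ~bits )) ;;
            =) mode=$(( (mode & ~cmask) | bits )) ;;
            *) echo "bad clause: $clause" >&2; return 1 ;;
        esac
    done
    printf '%03o\n' "$mode"
}

# The symbolic examples from this tutorial, each applied to a plausible starting mode:
for pair in "644 +x" "644 u+x" "777 go-w" "755 a=rw" "755 g-x,o-rx"; do
    set -- $pair
    printf 'chmod %-9s on %s -> %s\n' "$2" "$1" "$(apply_symbolic "$1" "$2")"
done
```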
3) Change permissions recursively
When you use the chmod command on a directory without any option, it doesn't affect the permissions of the files and subdirectories inside it: the permissions are applied to the directory itself only.
To change the permissions of a directory together with its subdirectories and files (recursively), we can use the -R option.
For example, look at our 'asciiquarium_1.1' directory, to which we applied mode 500 above. When we list the permissions of the files and directories inside 'asciiquarium_1.1', we can see they are not set to '500':
# ls -l asciiquarium_1.1/
total 60
-rw-rw-r-- 1 linoadmin linoadmin 27679 Mar 9 2013 asciiquarium
-rw-rw-r-- 1 linoadmin linoadmin 228 Mar 9 2013 CHANGES
-rw-rw-r-- 1 linoadmin linoadmin 18092 Mar 9 2013 gpl.txt
-rw-rw-r-- 1 linoadmin linoadmin 45 Mar 9 2013 MANIFEST
-rw-rw-r-- 1 linoadmin linoadmin 1060 Mar 9 2013 README
Now let's use chmod -R with the same permissions on the 'asciiquarium_1.1' directory:
# chmod -R 500 asciiquarium_1.1/
Now let's verify the permissions of the files and directories:
# ls -l asciiquarium_1.1/
total 60
-r-x------ 1 linoadmin linoadmin 27679 Mar 9 2013 asciiquarium
-r-x------ 1 linoadmin linoadmin 228 Mar 9 2013 CHANGES
-r-x------ 1 linoadmin linoadmin 18092 Mar 9 2013 gpl.txt
-r-x------ 1 linoadmin linoadmin 45 Mar 9 2013 MANIFEST
-r-x------ 1 linoadmin linoadmin 1060 Mar 9 2013 README
You can see that the permissions have been set on the files and subdirectories as well.
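Note that chmod -R 500 also made every regular file executable, because a single mode was applied to every entry. As an added example that is not part of the original tutorial, the script below builds a constructed throw-away tree, gives directories and files different modes with find instead of chmod -R, and then uses find again to check the result (the function names and the sample tree are my own).

```shell
#!/bin/sh
# chmod -R applies one mode to everything below a directory, so "chmod -R 500"
# leaves every regular file executable as well. Using find to give directories
# and files different modes avoids that, and find can then verify the result.

make_tree() {                               # constructed throw-away tree with deliberately loose permissions
    d=$(mktemp -d)
    mkdir -p "$d/sub/deeper"
    printf 'data\n' > "$d/README"
    printf 'data\n' > "$d/sub/notes.txt"
    printf 'data\n' > "$d/sub/deeper/MANIFEST"
    chmod -R 777 "$d"
    echo "$d"
}

lock_down() {                               # directories need x to be entered; regular files do not
    find "$1" -type d -exec chmod 500 {} +
    find "$1" -type f -exec chmod 400 {} +
}

count_violations() {                        # entries whose mode is not exactly what was requested
    n_dirs=$(find "$1" -type d ! -perm 500 | wc -l)
    n_files=$(find "$1" -type f ! -perm 400 | wc -l)
    echo $(( n_dirs + n_files ))
}

count_group_world_writable() {              # the usual audit question: who else can write here?
    echo $(( $(find "$1" \( -perm -020 -o -perm -002 \) | wc -l) ))
}

cleanup() {                                 # rm needs write permission on the directories again
    chmod -R u+rwx "$1" && rm -rf "$1"
}

tree=$(make_tree)
echo "before: $(count_group_world_writable "$tree") group/world-writable entries"
lock_down "$tree"
echo "after:  $(count_violations "$tree") mode violations, $(count_group_world_writable "$tree") group/world-writable entries"
cleanup "$tree"
```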
4) Special bit permissions
Most of the tasks you will complete with permissions involve the read, write and execute permissions. However, there are several special permissions that you can assign to files and directories in your file system. These special permissions are represented by an extra digit added in front of the file or directory's mode.
The following special bits are available for Linux file system use:
- SUID: the Set User ID permission allows users to run a program as if they were the user owner of the program; in most cases the user owner is the root user. The numeric value of this permission set is 4XXX (where “XXX” is replaced by the numeric values for the set of three mentioned previously).
- SGID: When set on a directory, the Set Group ID permission automatically gives group ownership of all new files created in the directory to the group owner of the directory (numeric = 2XXX). When set on a file, the SGID allows users to run a program as if they were the group owner of the file.
- Sticky bit: this permission is used to keep “non-owners” from deleting files in a shared directory (numeric = 1XXX). In a directory with the sticky bit set, only the owner of a file or the owner of the directory can delete the file (root can always delete files as well).
To understand this, let me give you one example. We will apply the SUID permission to a file using the following command:
# chmod 4755 bootstrap
# ls -l bootstrap
-rwsr-xr-x 1 root root 5747 Apr 25 01:45 bootstrap
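As an added example (not from the original tutorial), the POSIX sh functions below convert between the mode column of ls -l and the octal number used in sections 1 and 4, including the s/S/t/T letters that show the SUID, SGID and sticky bits. The function names are my own.

```shell
# Translate between the mode column of ls -l and the octal number chmod takes.
# Per class (user, group, other) r=4, w=2, x=1. The special bits SUID=4, SGID=2 and
# sticky=1 form a leading fourth digit and show in the x column as s/t (with x) or S/T (without x).

mode_to_octal() {                                   # mode_to_octal -rwsr-xr-x -> 4755
    m=$1
    [ "${#m}" -eq 10 ] && m=${m#?}                  # drop the file-type column (-, d, l, ...)
    case "${#m}:$m" in
        9:*[!rwxsStT-]*|[!9]*) echo "bad mode string: $1" >&2; return 1 ;;
    esac
    rest=${m#???}
    special=0 digits="" sbit=4                      # sbit walks SUID(4) -> SGID(2) -> sticky(1)
    for triple in "${m%??????}" "${rest%???}" "${rest#???}"; do
        v=0
        case $triple in r??) v=$(( v + 4 )) ;; esac
        case $triple in ?w?) v=$(( v + 2 )) ;; esac
        case $triple in ??[xst]) v=$(( v + 1 )) ;; esac
        case $triple in ??[sStT]) special=$(( special + sbit )) ;; esac
        digits="$digits$v"
        sbit=$(( sbit / 2 ))
    done
    echo "$special$digits"
}

octal_to_mode() {                                   # octal_to_mode 4755 -> rwsr-xr-x (3 or 4 digits in)
    case $1 in
        [0-7][0-7][0-7]) o="0$1" ;;
        [0-7][0-7][0-7][0-7]) o=$1 ;;
        *) echo "bad octal mode: $1" >&2; return 1 ;;
    esac
    s=${o%???} rest=${o#?} out="" sbit=4
    for d in "${rest%??}" "$(printf '%s' "$rest" | cut -c2)" "${rest#??}"; do
        r=-; w=-; x=-
        [ $(( d & 4 )) -ne 0 ] && r=r
        [ $(( d & 2 )) -ne 0 ] && w=w
        [ $(( d & 1 )) -ne 0 ] && x=x
        if [ $(( s & sbit )) -ne 0 ]; then          # special bit of this class is set
            if [ "$sbit" -eq 1 ]; then ch=t; else ch=s; fi
            [ "$x" = x ] || ch=$(printf '%s' "$ch" | tr st ST)   # no execute bit: uppercase
            x=$ch
        fi
        out="$out$r$w$x"
        sbit=$(( sbit / 2 ))
    done
    echo "$out"
}
for m in -rwxr-xr-x -r--rwxrw- dr-x------ -rwsr-xr-x; do    # modes shown in this tutorial
    printf '%s -> %s -> %s\n' "$m" "$(mode_to_octal "$m")" "$(octal_to_mode "$(mode_to_octal "$m")")"
done
```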
When changing permissions you can always use either the numeric method or the symbolic method. Numeric permissions are the most often used, and you will see them everywhere. As a rule, I recommend using the numeric mode to set or force the permissions of an object, and the symbolic mode for small changes to existing permissions. You need root or sudo access to change the permissions of files and directories owned by others; otherwise you can only change the permissions of files and directories you own.