Attributes, Types, Ownership and Permissions

The command chmod (change mode) changes the file system modes of files and directories. It is normally executed on permissions, but can also include special modes. The command uses either an octal reference or a symbolic reference for notation. To see what permissions currently exist, use the ls -l command. Among others there should be a file something like the following;


[train01@trifid ~] ls -l
-rw-r--r-- 2 lev vpac 379 Jul 1 10:32 lorax.txt

The file attributes and permissions are the series -rw-r--r--

The first character indicates the file type. Usually you will enounter either a "-" for a regular file, a "d" for a directory, and "l" for a symbolic link. Less common file types include "b" for block devices (e.g., hard drives, ram etc), "c" for character devices which stream data one character at a time (e.g., mice, keyboards, virtual terminals).

After the first character the notation should be understood in terms of three groups of three. The first group refers to what the owners can do with the file, the second group what group members can do and the third group what other users can do. The triplet of characters in each group are usually "r" for "readable", "w" for writable" and "x" for executable. Executable also implies 'searching', thus "x" is usually found for directories as well. If there is a "-" in a particular location, there is no permission. Note also that there is no inheritance of permissions; just because a directory is set to "x" it doesn't mean the files within it are executable. So in the example given above the regular file lorax.txt can be read and written to by user "lev", and can be read by the group "vpac" and all others.

It is also possible to encounter a "s" for setuid. This is only found in the execute field. If the execute bit for the owner is set to "s" the set user ID bit is set causing any user or process that run the executable to have access to system resources as though they are the owner of the file. If the bit is set for the group, the set group ID bit is set and the user running the program is given access based on access permission for the group the file belongs to. Finally there is "t", "save text attribute", or more commonly known as "sticky bit". This allows a user to delete or modify only those files in the directory that they own or have write permission for. A typical example is the /tmp directory, which is world-writeable


[train01@trifid ~] ls -l /tmp
drwxrwxrwt 29 root root 36864 Nov 11 11:42 tmp

Whilst everyone can read, write, and access the directory, the "t'' indicates that only the user that created a file in this directory can delete that file.

To chmod a file you have to own it. The command is : chmod [option] [symbolic | octal] file.

For options, the most common is -R or --recursive which changes files and directories recursively. The symbolic or octal option is two ways of setting permissions. For symbolic notation, first establish the user reference, either "u" (user, the owner of the file), "g" (group, members of teh file's group), "o" (others, neither the owner or group members), or "a" (all). If a user reference is not specified the operator and mode applies to all.

After this determine the operation that is going to be expressed, either "+" (add the mode), "-" remove the mode, or "=" (equals, mode only equals that expression). Finally, specify the mode permissions as described above, "r" (read), "w" (write), "x" (execute), "s" (setuid, setgid), "t" (sticky). One final mode permission is "X" (exclusive execute) which sets execute only if the file or directory already has at least one execute permission (user, group, other). Usually this is applied to directory trees with "-R" and "+" allowing for the addition of execute permissions without setting execute on normal files (such as text files). As an example the first command would set execute on all files for everyone regardless of the file type, to the current directory and all subdirectories, whereas the second would not:


chmod -R a+rx .
chmod -R a+rX .

As an example, let's make the truffula.txt file read-only. Again, note that if there is no user reference it applies to all users.


[train01@trifid ~] chmod -r truffula.txt
[train01@trifid ~] ls -l
--w------- 2 lev vpac 379 Jul 1 10:32 truffula.txt
[train01@trifid ~] vim truffula.txt

What would happen if we took the execute bit off the directory?

[train01@trifid ~] chmod -x seuss
[train01@trifid ~] cd seuss
-bash: cd: seuss: Permission denied
[train01@trifid ~] ls -l seuss
total 0
?--------- ? ? ? ? ? truffula.txt

You can see how problematic that could be! Perhaps we'd better return that to it's normal state.


[train01@trifid ~] chmod +x seuss
[train01@trifid ~] cd seuss
[train01@trifid ~] chmod a+r truffula.txt

Multiple chmod commands can be applied to a file or directory with separation of commands with a comma e.g.,


[train01@trifid ~] chmod -R u+w,go-rw PhD

This will recurse into the directory PhD, add write access for the user, and deny write access for everybody else.

Another method of using the chmod command is to use octal rather than symbolic notation. In octal notation a three or four digit base-8 value is presented derived from the sum of the component bits, so the equivalent of "r" in symbolic notation adds 4 in octal notation (binary 100), "w" in symbolic notation adds 2 in octal notation (binary 010) and "x" adds 1 in octal notation (binary 001). No permissions adds 0 (binary 000). For special modes the first octal digit is either set to 4 (setuid), 2 (setgid), or 1 (sticky).

The sum of the three (or four components) thus makes up an alternative exact notation for the chmod command. For example, on a website it is not usual to set files as u+rw, g+r, o+r and directories as u+rwx, g+rx, o+rx. This is the equivalent of chmod 0644 filename.html in the first instance and chmod 0755 directory/ in the second.

Usually, only those with superuser (root) access make use of the chown (change owner) command. The general syntax for this is chown [option] [user:group] [file | directory]. Usually group is optional on the grounds that users are usually provided ownership. A common use is to provide ownership to web-writeable directories e.g., (chown -R www-data:www-data /var/www/files). In contrast regular users can use chgrp ("change group") change the group associated with a file and directory with the same syntax, but only to one of which they are a member.

Finally there is one other relevant command for this section; umask ("user mask") which we encountered in the .bashrc for global definitions sourced in /etc/bashrc in the section entitled "Login Files". The relevant section had the following:


# By default, we want this to get set.
# Even for non-interactive, non-login shells.
if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 022
fi

What this command does is sets a file mode creation mask, limiting the permission modes for files and directories created by a process. When a program or script creates a file or directory, it specifies permissions. The operating system then removes from those the permissions that the file mode creation mask does not allow. Typical umask values are 022 (removing the write permission for the group and others) and 002 (removing the write permission for others).

Top of Page