Technology Tips: chmod overview

Marvin Crippen, DO-IT technology assistant

The chmod (CHange MODe) command is used to change permissions for a file or directory on a Unix machine. For example, let's say you've downloaded a piece of software you want to share with other people on your system. If the file is large it would be a waste of resources to have everyone who wanted to use the software download their own copy. It would be much better to have one person download the software and change the permissions so everyone on that system could access the file. Or perhaps you've uploaded some software and you need to change the file permission so you can run it.

Finding the current permissions

Typing ls -ld at the host system prompt while in your home directory will show you the permissions of your home directory, with a string of 10 characters that should look something like drwx------ or drwx--x--x. The first character is the type of entry you're looking at, either d for directory or - for a plain file. The rest of the characters are broken up into fields of three. The first set of three represents the owner's permissions, the second set of three represents the group permissions (the use of group permissions varies from system to system; they are not generally used on UW Uniform Access systems), and the third set of three represents the "other" permissions. The "other" category encompasses everyone else and is usually called world, which I will use for the rest of this article.

The first character of each set represents read (r), which allows read access to the file. The second character of each set represents write (w), which allows changes to be made to the file, including deletion. The third character of each set represents execute (x), which allows running the file. A dash (-) in any entry means no permission for that operation.

So, the first example of the ls -ld command (drwx------) means the entry is a directory in which the owner has read, write and execute permissions and no one else has any permissions. The second example of the ls -ld command (drwx--x--x) is a directory (it happens to be my home directory on Hawking) in which the owner has read, write, and execute permissions, the group has execute permission and everyone else (world) has execute permission.

How to change permissions

The format of the chmod command is chmod [permission] [filename]. The permission can be specified in either the symbolic or the absolute mode. In the symbolic mode you must specify three things. One, who to change the permission for: owner (u), group (g) and/or world (o). Two, what kind of change to make to the permission: add permission (+), remove permission (-) or set exclusive permission (=), which adds that permission and removes all other permissions. Three, what permission: read (r), write (w) and/or execute (x). To add world read and execute permission to a file using the symbolic mode you would type chmod o+rx [filename]. To remove world read permission from a file you would type chmod o-r [filename]. To remove group read and execute permission while adding the same permission to world you would type chmod g-rx,o+rx [filename]. To remove all permissions for group and world you would type chmod go= [filename].

Sound a bit complex? There is an alternative. All you have to do is remember a couple of numbers and you can use the absolute mode to change permissions. The absolute mode uses three numbers to represent the permission. To remove all permissions for group and world you would type chmod 700 [filename]. To give the owner all permissions and world execute you would type chmod 701 [filename]. To give the owner all permissions and world read and execute you would type chmod 705 [filename]. The absolute mode functions like the exclusive permission of the symbolic mode in that it sets exactly the permission specified, removing all other permissions. For more information on how to use the absolute mode, including how to figure out the numbers, see the absolute mode section of the chmod man page (man chmod).
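How the three numbers relate to the r, w and x characters shown by ls -ld, as an added example that is not part of the original article: each set of three is summed as read=4, write=2, execute=1. The function names are hypothetical, and only the 10-character form described above is accepted (no setuid, setgid or sticky bits).

```shell
#!/bin/sh
# Added example: turn the permission string printed by `ls -ld` into the
# three-digit absolute mode that chmod accepts.

# triplet_to_digit rwx -> 7   (read=4, write=2, execute=1, dash=0)
triplet_to_digit() {
    t=$1
    d=0
    case $t in r??) d=$((d + 4)) ;; esac
    case $t in ?w?) d=$((d + 2)) ;; esac
    case $t in ??x) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# perm_to_octal drwx--x--x -> 711
perm_to_octal() {
    s=$1
    # Accept only: one type character (d or -) followed by three r/w/x sets.
    case $s in
        [d-][r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "unsupported permission string: $s" >&2; return 1 ;;
    esac
    rest=${s#?}            # drop the type character, 9 characters remain
    owner=${rest%??????}   # first set of three
    tail=${rest#???}       # remaining six characters
    group=${tail%???}      # second set of three
    world=${tail#???}      # third set of three
    printf '%s%s%s\n' \
        "$(triplet_to_digit "$owner")" \
        "$(triplet_to_digit "$group")" \
        "$(triplet_to_digit "$world")"
}
```

For instance, perm_to_octal drwx--x--x gives the number you would pass to chmod to reproduce that directory's permissions on another directory.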

Absolute vs. Symbolic

Which method you use is a matter of personal preference; use whatever you feel most comfortable with. In general the symbolic mode is easier for making small modifications such as adding world execute to files that already have world read. Absolute mode is easier for making large modifications such as removing all world and group permissions.

Now What?

There are just a couple more steps to go in order to let other users access your files. First, you need to give world execute permission for your home directory using the command chmod o+x ~. For your home directory, execute is safer than execute and read. See Important Notes for why. Second, you need to change the permissions for the files you want other users to be able to access, including any directories along the way. Since subdirectories generally do not hold as much important information as your home directory, giving subdirectories world read and execute permissions is not as big a security risk. If I wanted to give everyone on Hawking access to the file ~mcrip/World/, I would use the following three commands from my home directory:

chmod o+x ~                   (Change permission of home directory)
chmod o+rx World              (Change permission of World directory)
chmod o+rx World/  (Change permission of file

Important Notes

If you set your home directory to world execute and read, everyone will be able to look at a list of the files in your home directory. They will also be able to view any file that has world read permission and run any file that has world execute permission. If you set your home directory to world execute only, no one will be able to get a listing of the files in your home directory. Other users will still be able to view or run a file if the permissions are set correctly, but only if they know the name of the file. If you were working on a private file and accidentally left the world permission on read, it would be much harder (but not impossible) for anyone else to access this file if your home directory is set to world execute rather than read. Since your home directory contains important files, many of which have a standard name (.login, .cshrc, .pinerc), it is a good idea to assign only world execute permission.

In general, it is a very bad idea to give write permission to group or world. It effectively gives other users control of your file(s).

Make sure to remove all group and world permissions from files you want to keep private: chmod 700 [filename].

To remove the owner's write permission, which would prevent you from accidentally overwriting or erasing the file, you would type chmod u-w [filename] or chmod 400 [filename]. You can still remove the file but first you'll be asked for confirmation.
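A way to check a directory tree against the notes above, as an added example that is not part of the original article: it reports whether world can list the top directory and which entries group or world can write to. The function names are hypothetical; only standard find tests are used.

```shell
#!/bin/sh
# Added example: audit a directory for the two risks described in the notes.
# Usage: audit_home "$HOME"

# Print every entry under DIR that group or world can write to.
# Symbolic links are skipped because their own mode bits are not meaningful.
find_writable_by_others() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print | sort
}

# Exit 0 when the world read bit is set on DIR itself, meaning other users
# can get a listing of its files. -prune stops find from descending.
dir_world_listable() {
    [ -n "$(find "$1" -prune -type d -perm -004 -print)" ]
}

# Print findings for DIR; return 1 if anything needs attention, 0 otherwise.
audit_home() {
    dir=$1
    rc=0
    if dir_world_listable "$dir"; then
        echo "WARN: world can list $dir (fix: chmod o-r on that directory)"
        rc=1
    fi
    writable=$(find_writable_by_others "$dir")
    if [ -n "$writable" ]; then
        printf 'WARN: writable by group or world (fix: chmod go-w):\n%s\n' "$writable"
        rc=1
    fi
    return "$rc"
}
```

The checks read mode bits only, so they give the same answer whichever account runs them, provided that account can traverse the tree.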