Every file in Unix is assigned a mode. The mode determines the type of file being viewed, the access allowed to the file by different groups, and a few other things.
The command to modify the mode is chmod and users can only modify files they own.
The type of file
The first thing the mode determines is the type of file. This part cannot be altered through chmod, but it can be seen when running a command that lists the files and folders within a directory, such as "ls -l":
[server]$ ls -l
drwxrwsr-x 9 bob webmasters 4096 Apr  4 19:44 dir
-rw-rw-r-- 1 bob webmasters 6121 Apr  4 19:44 file.txt
lrwxrwxrwx 1 bob webmasters   11 Apr 11 14:08 link -> dir
To the far left of each file or directory name, there are ten characters which show the attributes and permissions of the file.
The first column indicates whether the entry is a:
- a directory (d),
- a regular file (-), or
- a symbolic link (l).
The other nine characters are organized into three groups of three:
| Characters of `drwxr-xr-x` | Meaning |
|---|---|
| 2-4 (`rwx`) | The first group of three characters after the file type pertains to the owner permissions. (You are the owner of your files.) |
| 5-7 (`r-x`) | The second group of three characters after the file type pertains to group permissions. These permissions are shared by the other users in your group. |
| 8-10 (`r-x`) | The third group of three characters after the file type pertains to anyone else (such as the public). |
The nine characters that follow the file type determine the permissions that each group has on a file or directory.
The following describe the permissions for a regular file:
- Read ("r") means that the grantee has permission to open the file and look at its contents.
- Write ("w") means that the grantee has permission to edit or delete the file.
- Execute ("x") means that the grantee can run the file like a program (for example, a script).
The following describes permissions for a directory:
- Read ("r") means that the grantee has permission to see what files and directories have been placed inside that directory.
- Write ("w") means that the grantee has permission to create new files within that directory and to delete the directory (when empty).
- Execute ("x") means that the grantee can "cd" (change) into the directory. (Without "x", the user can't actually read or write in it either.)
For a symbolic link, the mode shown always gives all permissions. Since the symbolic link acts like the file or directory it points to (e.g., "cd link" above would change you into dir), the permissions of the destination are the ones that are really in effect.
Special permissions can also be added. They allow a file or directory to automatically change the effective user or group, or mark a directory as a "temporary" directory.
The ‘s’ flag
An "s" can be added to the owner or group "read" permission. This indicates the setuid/setgid permission.
- If set on the group read permission, it sets the setgid bit. This means that any user who changes into that directory performs all actions as if the directory's owner group were their default group. This is helpful if you want all files created in that directory to be owned by that group.
- If set on the owner's read permission, it sets the setuid bit. This is not usually a good idea, so don't do it unless you really know what you're doing.
The ‘t’ flag
The "t" flag works like the "s" flag, but it is applied to all others, and its meaning is a little different. It means that anyone can create a file in the directory, but only the file's owner is allowed to remove it, regardless of the permissions set. This is the "temporary" directory permission and should also be avoided unless you really know what you're doing.
There are two ways that permissions can be set using chmod. The first is "Named Mode", which is a bit harder to comprehend. The second is "Numeric Mode", which is a little easier since you just need to add values together.
There are two sets of letters to combine when using "Named Mode": the "who" letters and the "what" letters.
The "who" letters:
| Letter | Meaning |
|---|---|
| u | change the user bits |
| g | change the group bits |
| o | change the other bits |
| a | change the bits for everybody |
The "what" letters:
| Letter | Meaning |
|---|---|
| r | grant read access |
| w | grant write access |
| x | grant execute access |
| s | set the sticky bit |
Using "+" (add) and "-" (remove) with the letters above, you combine one or more "who" letters with one or more "what" letters to assign exactly the permissions you want.
The general format of the chmod command in the following examples is:
[server]$ chmod <who>+<what> file.example
The following allows everybody to read file.txt. Here "a" is the bit for everybody, and the "r" (read) permission is added:
[server]$ chmod a+r file.txt
The following strips everybody of all permissions except the owner, who retains any former permissions. Here "g" is the group bit, "o" is the "other users" bit, and the "-" sign removes all permissions (rwx) from both:
[server]$ chmod go-rwx file.txt
The following makes the file named script.cgi executable by the user and group. Here "u" is the user bit, "g" is the group bit, and the "x" permission is added to both:
[server]$ chmod ug+x script.cgi
The following makes all files created in the directory somedir owned by the group that owns somedir. Here "g" is the group bit and the "s" flag is added to it:
[server]$ chmod g+s somedir
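To see what each of the named-mode commands above actually does to the mode column, here is an added example (not from the original article) that applies them to a scratch file and directory and reads the result back with "ls -ld"; the starting numeric modes (000, 664, 660, 775) are chosen here so the effect of each "who+what" pair is visible.

```shell
#!/bin/sh
# Added example, not from the original article: run the article's named-mode
# commands against a scratch file and directory and print the resulting
# 10-character mode column, the same column "ls -l" shows.

work=$(mktemp -d)            # constructed scratch area; removed at the end
f="$work/file.txt"
s="$work/script.cgi"
d="$work/somedir"
: > "$f"
: > "$s"
mkdir "$d"

# Print the 10-character mode column for one path (portable: no GNU stat).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Apply one chmod expression and print the mode that results.
# Usage: chmod_show <who+what> <path>
chmod_show() {
    chmod "$1" "$2" && mode_of "$2"
}

chmod 000 "$f"
chmod_show a+r "$f"      # -r--r--r--  everybody may read, nothing else
chmod 664 "$f"
chmod_show go-rwx "$f"   # -rw-------  only the owner keeps permissions
chmod 660 "$s"
chmod_show ug+x "$s"     # -rwxrwx---  owner and group may now execute
chmod 775 "$d"
chmod_show g+s "$d"      # drwxrwsr-x  setgid shows as "s" in the group triplet

rm -rf "$work"
```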
Using the numeric mode, you can assign numbers to each permission. For example:
- 4 = r
- 2 = w
- 1 = x
Then, you would add all three together in each set of permissions to get the full value. The following table illustrates this idea:
| Value | Permissions | Sum |
|---|---|---|
| 7 | read, write, and execute ("rwx") | 4 + 2 + 1 = 7 |
| 6 | read and write ("rw-") | 4 + 2 = 6 |
| 5 | read and execute ("r-x") | 4 + 0 + 1 = 5 |
| 4 | read only ("r--") | 4 + 0 + 0 = 4 |
| 3 | write and execute (rare) ("-wx") | 0 + 2 + 1 = 3 |
| 2 | write only (rare) ("-w-") | 0 + 2 + 0 = 2 |
| 1 | execute only (rare) ("--x") | 0 + 0 + 1 = 1 |
| 0 | no permissions ("---") | 0 + 0 + 0 = 0 |
Remember, there are three sets of permissions, and the numeric mode has one digit for each, in this order:
- the first digit is for the owner (user),
- the second digit is for the group, and
- the third digit is for everyone else.
Thus, the three digits together give the full value. For example:
[server]$ chmod 600 file.txt
Owner can read and write; group and others have no access.
[server]$ chmod 700 dir
Owner can read, write, and enter the directory; group and others have no access.
[server]$ chmod 755 program
Owner can read, write, and execute; group and others can read and execute.
[server]$ chmod 644 file.txt
Owner can read and write; group and others can only read.
[server]$ chmod 664 file.txt
Owner and group can read and write; others can only read.
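The following added example (not from the original article) ties the "ls -l" listing, the special flags, and the numeric table together: it converts a 10-character mode column into the 4-digit octal value chmod accepts, treating the "s" and "t" flags as a leading digit (4 setuid, 2 setgid, 1 sticky). The function name and the sticky-directory sample are assumptions; the other inputs are the entries from the article's own listing.

```shell
#!/bin/sh
# Added example, not from the original article: turn the 10-character mode
# column of "ls -l" (e.g. drwxrwsr-x) into the 4-digit octal mode chmod
# accepts, so the rwx sums and the special bits can be checked by hand.

# Usage: mode_to_octal drwxrwsr-x   -> prints 2775
mode_to_octal() {
    m=$1
    special=0   # leading digit: 4 = setuid, 2 = setgid, 1 = sticky
    octal=""    # the three rwx digits: owner, then group, then other
    i=2         # character 1 is the file type (d, -, l); skip it
    while [ "$i" -le 8 ]; do
        triplet=$(printf '%s' "$m" | cut -c"$i"-"$((i + 2))")
        val=0
        case $triplet in r??) val=$((val + 4)) ;; esac
        case $triplet in ?w?) val=$((val + 2)) ;; esac
        # Third slot: "x", or "s"/"t" when execute is set together with a
        # special bit; "S"/"T" mean the special bit is set but execute is not.
        case $triplet in ??[xst]) val=$((val + 1)) ;; esac
        case $i in
            2) case $triplet in ??[sS]) special=$((special + 4)) ;; esac ;;
            5) case $triplet in ??[sS]) special=$((special + 2)) ;; esac ;;
            8) case $triplet in ??[tT]) special=$((special + 1)) ;; esac ;;
        esac
        octal="$octal$val"
        i=$((i + 3))
    done
    printf '%s%s\n' "$special" "$octal"
}

# Constructed input: the three entries from the article's "ls -l" listing,
# plus a sticky /tmp-style directory to show the leading digit in use.
for entry in drwxrwsr-x -rw-rw-r-- lrwxrwxrwx drwxrwxrwt; do
    printf '%-10s -> chmod %s\n' "$entry" "$(mode_to_octal "$entry")"
done
```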
While the chmod commands above are useful, it is understandable that a user may not want to log in via SSH just to change permissions on a file. Fortunately, many FTP clients such as FileZilla can change permissions directly within the client.