chmod

In Unix-like operating systems, chmod is the command and system call which may change the access permissions to file system objects (files and directories). It may also alter special mode flags. The request is filtered by the umask. The name is an abbreviation of change mode.[1]

History

A chmod command first appeared in AT&T Unix version 1.

As systems grew in number and types of users access_control_lists were added to many file systems in addition to these most basic modes to increase flexibility.

Command syntax

chmod [options] mode[,mode] file1 [file2 ...]

[2]

Usual implemented options include:

If a symbolic link is specified, the target object is affected. File modes directly associated with symbolic links themselves are typically never used.

To view the file mode, the ls or stat commands may be used:

$ ls -l findPhoneNumbers.sh
-rwxr-xr--  1 dgerman  staff  823 Dec 16 15:03 findPhoneNumbers.sh
$ stat -c %a findPhoneNumbers.sh
754

The r, w, and x specify the read, write, and execute access, respectively. The first letter denotes the file type; a hyphen represents a plain file. This script can be read, written to, and executed by the user, read and executed by other members of the staff group and can also be read by others.

Octal modes

The chmod numerical format accepts up to four octal digits. The rightmost three (digits two until four) refer to permissions for the file owner, the group, and other users respectively. The optional first digit specifies the special setuid, setgid, and sticky flags.

Numerical permissions

# Permission rwx
7 read, write and execute 111
6 read and write 110
5 read and execute 101
4 read only 100
3 write and execute 011
2 write only 010
1 execute only 001
0 none 000

Numeric example

In order to permit all users who are members of the programmers group to update a file

$ ls -l sharedFile
-rw-r--r--  1 jsmith programmers 57 Jul  3 10:13  sharedFile
$ chmod 664 sharedFile
$ ls -l sharedFile
-rw-rw-r--  1 jsmith programmers 57 Jul  3 10:13  sharedFile

Since the setuid, setgid and sticky bits are not specified, this is equivalent to:

$ chmod 0664 sharedFile

Symbolic modes

The chmod command also accepts a finer-grained symbolic notation, which allows modifying specific modes while leaving other modes untouched. The symbolic mode is composed of three components, which are combined to form a single string of text:

$ chmod [references][operator][modes] file ...

The references (or classes) are used to distinguish the users to whom the permissions apply. If no references are specified it defaults to “all” but modifies only the permissions allowed by the umask. The references are represented by one or more of the following letters:

Reference Class Description
u user the owner of the file
g group users who are members of the file's group
o others users who are neither the owner of the file nor members of the file's group
a all all three of the above, same as ugo

The chmod program uses an operator to specify how the modes of a file should be adjusted. The following operators are accepted:

Operator Description
+ adds the specified modes to the specified classes
- removes the specified modes from the specified classes
= the modes specified are to be made the exact modes for the specified classes

The modes indicate which permissions are to be granted or removed from the specified classes. There are three basic modes which correspond to the basic permissions:

Mode Name Description
r read read a file or list a directory's contents
w write write to a file or directory
x execute execute a file or recurse a directory tree
X special execute which is not a permission in itself but rather can be used instead of x. It applies execute permissions to directories regardless of their current permissions and applies execute permissions to a file which already has at least one execute permission bit already set (either user, group or other). It is only really useful when used with '+' and usually in combination with the -R option for giving group or other access to a big directory tree without setting execute permission on normal files (such as text files), which would normally happen if you just used "chmod -R a+rx .", whereas with 'X' you can do "chmod -R a+rX ." instead
s setuid/gid details in Special modes section
t sticky details in Special modes section

Multiple changes can be specified by separating multiple symbolic modes with commas (without spaces).

Symbolic examples

Add write permission (w) to the group's(g) access modes of a directory,
allowing users in the same group to add files:

$ ls -ld shared_dir # show access modes before chmod
drwxr-xr-x   2 teamleader  usguys 96 Apr 8 12:53 shared_dir
$ chmod  g+w shared_dir
$ ls -ld shared_dir  # show access modes after chmod
drwxrwxr-x   2 teamleader  usguys 96 Apr 8 12:53 shared_dir

Remove write permissions (w) for all classes (a),
preventing anyone from writing to the file:

$ ls -l ourBestReferenceFile
-rw-rw-r--   2 teamleader  usguys 96 Apr 8 12:53 ourBestReferenceFile
$ chmod a-w ourBestReferenceFile
$ ls -l ourBestReferenceFile
-r--r--r--   2 teamleader  usguys 96 Apr 8 12:53 ourBestReferenceFile

Set the permissions for the user and the group (ug) to read and execute (rx) only (no write permission) on referenceLib,
preventing anyone other than the owner to add files.

$ ls -ld referenceLib
drwxr-----   2 teamleader  usguys 96 Apr 8 12:53 referenceLib
$ chmod ug=rx referenceLib
$ ls -ld referenceLib
dr-xr-x---   2 teamleader  usguys 96 Apr 8 12:53 referenceLib

Special modes

The chmod command is also capable of changing the additional permissions or special modes of a file or directory. The symbolic modes use s to represent the setuid and setgid modes, and t to represent the sticky mode. The modes are only applied to the appropriate classes, regardless of whether or not other classes are specified.

Most operating systems support the specification of special modes using octal modes, but some do not. On these systems, only the symbolic modes can be used.

Command line examples

command explanation
chmod a+r publicComments.txt read is added for all classes (i.e. User, Group and Others).
chmod +r publicComments.txt omitting the class defaults to all classes, but the resultant permissions are dependent on umask
chmod a-x publicComments.txtexecute permission is removed for all classes.
chmod a+rx viewer.sh add read and execute for all classes.
chmod u=rw,g=r,o= internalPlan.txtuser(i.e. owner) can read and write, group can read, Others cannot access.
chmod -R u+w,go-w docsadd write permissions to the directory docs and all its contents (i.e. Recursively) for user and deny write access for everybody else.
chmod ug=rw groupAgreements.txt User and Group members can read and write (update the file).
chmod 664 global.txtsets read and write and no execution access for the user and group, and read, no write, no execute for all others.
chmod 0744 myCV.txtequivalent to u=rwx (400+200+100),go=r (40+ 4). The 0 specifies no special modes.
chmod 1755 findReslts.shthe 1000 specifies set sticky bit and the rest is equivalent to u=rwx (400+200+100),go=rx (40+10 + 4+1) This suggests that the script be retained in memory.
chmod 4755 SetCtrls.shthe 4 specifies set user ID and the rest is equivalent to u=rwx (400+200+100),go=rx (40+10 + 4+1).
chmod 2755 SetCtrls.shthe 2 specifies set group ID and the rest is equivalent to u=rwx (400+200+100),go=rx (40+10 + 4+1).
chmod -R u+rwX,g-rwx,o-rx PersonalStuff Recursively set a directory tree to rwx for owner directories, rw for owner files, --- (i.e. no access) for group and others.
chmod -R a-x+X publicDocsremove the execute permission on all files in a directory tree (i.e. Recursively), while allowing for directory browsing.

System call

The POSIX standard defines the following function prototype:

int chmod(const char *path, mode_t mode);

The mode parameter is a bitfield composed of various flags:

Flag Octal value Purpose
S_ISUID 04000 Set user ID on execution
S_ISGID 02000 Set group ID on execution
S_ISVTX 01000 Sticky bit
S_IRUSR, S_IREAD 00400 Read by owner
S_IWUSR, S_IWRITE 00200 Write by owner
S_IXUSR, S_IEXEC 00100 Execute/search by owner
S_IRGRP 00040 Read by group
S_IWGRP 00020 Write by group
S_IXGRP 00010 Execute/search by group
S_IROTH 00004 Read by others
S_IWOTH 00002 Write by others
S_IXOTH 00001 Execute/search by others

Where alternate flag names are given, one of the pair of names might not be supported on some OSs. The octal values of the flags are summed or combined in a bitwise OR operation to give the desired permission mode.

The function returns an error code.

Common Errors

When you type in 'ls -l' and see bunch of question marks such as this:

ls: cannot access example/authorized_keys: Permission denied
ls: cannot access example/id_dsa: Permission denied
ls: cannot access example/id_dsa.pub: Permission denied
ls: cannot access example/id_rsa.pub: Permission denied
ls: cannot access example/id_rsa: Permission denied
ls: cannot access example/known_hosts: Permission denied
ls: cannot access example/config: Permission denied
total 0
?????????? ? ? ? ?            ? authorized_keys
?????????? ? ? ? ?            ? config
?????????? ? ? ? ?            ? id_dsa
?????????? ? ? ? ?            ? id_dsa.pub
?????????? ? ? ? ?            ? id_rsa
?????????? ? ? ? ?            ? id_rsa.pub
?????????? ? ? ? ?            ? known_hosts

this usually means that one of the parent folders does not have proper permissions set.

Unless you fix the permissions of the parent folder, commands like:

sudo chown -R me:me example
sudo chmod -R 775 example

won't work.

See also

References

  1. Tutorial for chmod
  2. chmod

External links