Modify User Permissions


File permissions on Unix and Linux are one of the most ubiquitous stumbling blocks for even regular users of those operating systems. The intricate structure of which users on a system are allowed to do what is one of the foundations of Unix, providing security and interoperability, but at times it can make working with the system a pain. Here's a look at how permissions work and how to work with them.


How to read a directory listing

When you run "ls -l" from the Unix command line, the resulting file listing shows data about each file:

-rwxr-xr-x  1 root root  31660 Jan 30 13:51 touch

We're interested in that first column, which shows the permissions set on the file or directory. It consists of 10 characters.

The first one indicates the type of entity it is. In the example, "-" means it's an ordinary file. "d" would indicate a directory, "l" a symbolic link, and so on.

The subsequent nine characters show the permissions; they're divided into three hunks of three, representing the owner, the group, and everyone else. Every file and directory has an owner, who is a user on the computer where the file exists. It also has a primary group, which is granted its own set of permissions. For instance, on a Debian system, only members of the cdrom group (as well as root, of course) have access to the CD drive.

We can look at the above example as rwx r-x r-x. The three characters within each hunk represent Read, Write, and eXecute permission for that user; each permission is either on or off. In rwx r-x r-x, the first hunk has all three permissions turned on, and the second two hunks each have Read and eXecute permissions on, but Write permission off. This means that the file's owner has full permission, but members of the file's user group, and everyone else on the system, lack Write permission for the file.

A user with read permission can view the contents of a text file, or list the contents of a directory. Without write permission, though, the user can't modify the file, or create, rename, move, or delete files within the directory on which the permission is set. Execute permission on a directory allows the permitted users to enter that directory with cd; execute permission on a file -- a shell script, perhaps -- means the user can run the file as a program. These permissions can be held in combination or separately.


Modifying permissions and ownership

The owner of a file or directory can change the file or directory's permissions. This is done from the command line with the chmod command, which stands for "change mode." There are two different syntaxes that can be used with chmod. The easiest is class-operator-mode syntax, in which you specify, respectively, whose permissions you want to change, what change you want to make, and which kind of permissions will be affected. The class is represented by one or more of u, g, o, and a, meaning the User (owner), the Group, the Others (everyone else), and All of the above. The permissions are the now-familiar r, w, and x. The two are joined by an operator, +, -, or =, which respectively adds the specified permission to the user class, removes it, or allows the class exactly the specified permissions, no more and no less.


Some examples:

chmod u+x filename - adds execute permission for the owner of the file

chmod a+x filename - adds execute permission for all users

chmod a-x filename - removes execute permission for all users

chmod g-x filename - removes execute permission for the file's group

chmod a=x filename - gives all users execute permission, nothing more or less

chmod o=rx filename - sets other users' permissions to read and execute, not write

chmod ug+x filename - adds execute permission for the owner and the group


Bitmasks

The other syntax that can be used with chmod involves an octal bitmask to represent each possible set of permissions. This is less intuitive but worth understanding. In the octal representation, a three-digit number is used to express the permissions on a file.

Each digit is the sum of three bits, with 4 representing read permission, 2 representing write permission, and 1 representing execute permission. The bits are added together to give a unique total: read plus write = 6; read plus execute = 5; all three together = 7. So 755 is the same as rwxr-xr-x.

This syntax can be used interchangeably with the other in chmod.

Some examples:

chmod 111 filename - gives all users execute permission, nothing more or less

chmod 754 filename - owner has full permission; group can't write; others can only read
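
The 4/2/1 arithmetic can be checked mechanically against the mode column that ls -l prints. The script below is an added example, not part of the original article: the function names (triplet_value, mode_to_octal, file_octal, loosely_writable) are made up for illustration, and it handles only the r, w and x bits covered here.

```shell
#!/bin/sh
# Added example: turn the mode column of "ls -l" into chmod's octal form.
# Function names are illustrative; only r, w, x and - are accepted.

# triplet_value "r-x" prints 5 (read=4, write=2, execute=1)
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??x) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_to_octal "-rwxr-xr-x" prints 755; fails on anything it cannot parse
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)    # drop the file-type character
    [ "${#perms}" -eq 9 ] || return 1
    case $perms in *[!rwx-]*) return 1 ;; esac
    u=$(printf '%s' "$perms" | cut -c1-3)     # owner
    g=$(printf '%s' "$perms" | cut -c4-6)     # group
    o=$(printf '%s' "$perms" | cut -c7-9)     # everyone else
    echo "$(triplet_value "$u")$(triplet_value "$g")$(triplet_value "$o")"
}

# file_octal PATH prints the octal mode of a real file, read from ls -l
file_octal() {
    mode_to_octal "$(ls -ld -- "$1" | cut -c1-10)"
}

# loosely_writable MODE succeeds when the group or others hold write permission
loosely_writable() {
    case $(mode_to_octal "$1") in
        ?[2367]?|??[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# Scratch-file check: the octal and class-operator-mode syntaxes agree.
f=$(mktemp)
chmod 754 "$f";          file_octal "$f"    # prints 754
chmod u=rwx,go=rx "$f";  file_octal "$f"    # prints 755
rm -f "$f"
```

loosely_writable is the check worth running over a directory listing: a file that its group or everyone else can write to can be modified by accounts other than its owner.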

Chown

The chown command can be used to change the ownership of a file.

Example:

chown root filename - changes the owner to root

chown wendy:admin filename - changes the owner to wendy and the group to admin


Chgrp

chgrp changes just the group ownership of a file:

Example:

chgrp users filename - changes the file's primary group to users

Only the owner of a file -- or root, who is exempt from all permissions -- can change the ownership and group ownership of the file.
