Control who can access files, search directories, and execute scripts using the Linux chmod command. This command modifies Linux file permissions, which sounds complicated at first glance but is actually quite simple once you know how they work.
chmod changes file permissions
On Linux, who can do what in a file or directory is controlled by sets of permissions. There are three sets of permissions. One set for the owner of the file, one for the members of the file group and one for all the others.
Permissions control the actions that can be performed on the file or directory. They allow or prevent the reading, editing or execution of a file, whether it is a script or a program. For a directory, permissions determine who can enter the directory and who can create or modify files in the directory.
View and understand file permissions
We can use the -l (long format) option for ls to list access rights to files and directories.
On each line, the first character identifies the type of entry listed. If it is a dash (-) it is a file. If it is the letter d is a directory.
The next nine characters represent the settings of the three sets of permissions.
The first three characters indicate the permissions of the user who owns the file (user permissions).
The middle three characters indicate the permissions for the members of the file. group (group permissions).
The last three characters indicate the permissions for anyone who is not in the first two categories (other permissions).
There are three characters in each set of permissions. Characters are indicators of the presence or absence of one of the permissions. They are either a dash (-) or a letter. If the character is a dash, it means that the permission is not granted. If the character is an r, w, or x, this permission has been granted.
The letters represent:
r: read permissions. The file can be opened and its contents viewed.
w: write permissions. The file can be edited, modified and deleted.
x: Execute permissions. If the file is a script or a program, it can be executed.
— means that no permission has been granted.
rwx means that all permissions have been granted. The read, write and execute flags are all present.
In our screenshot, the first line starts with a d. This line refers to a directory called "archive". The owner of the directory is "dave" and the name of the group to which the directory belongs also calls "dave".
The next three characters are the user permissions for this directory. These show that the owner has all the permissions. The characters r, w and x are all present. This means that the user has read, write, and execute permissions on this directory.
The second set of three characters corresponds to the group permissions, this is r-x. These show that dave group members have read and execute permissions on this directory. This means that they can list the files and their contents in the directory, and that they can cd (execute) in that directory. They do not have write permissions, so they can not create, edit, or delete files.
The last set of three characters is also r-x. These permissions apply to people who are not governed by the first two sets of permissions. These people (called "others") have read and executed permissions on this directory.
So, to summarize, group members and other people have read and execute permissions. The owner, a user called Dave, also has write permissions.
For all other files (with the exception of the mh.sh script file), dave and dave group members have read and write properties on the files, while others have only read permissions.
In the particular case of the mh.sh script file, the dave owner and group members have read, write, and execute permissions, while others have read and execute permissions only.
Understand the syntax of permissions
To use chmod to set permissions, we need to tell it:
Who: for whom we define permissions.
What: What change are we doing? Do we add or remove permission?
Which ones: What permissions are set?
We use indicators to represent these values, and we form short "statement of permissions" such as u + x, where "u" means "user" (who), "+" means add (what) and " x "means the authorization to execute. (which).
The "who" we can use are:
u: user, meaning the owner of the file.
g: Group, meaning the members of the group to which the file belongs.
o: Others, that is to say persons not governed by the authorizations u and g.
a: All, which means all the above.
If none of these are used, chmod behaves as if "a" had been used.
The "what" we can use are:
-: Minus sign. Deletes the permission.
+: Sign more. Give permission. The authorization is added to the existing authorizations. If you want to have this permission and only this set of permissions, use the = option, described below.
=: Equal sign. Set an authorization and delete the others.
The values we can use are:
r: read permission.
w: write permission.
x: the authorization of execution.
Definition and modification of authorizations
Suppose we have a file in which everyone has full permissions.
ls -l new_ file.txt
We want the dave user to have read and write permissions, and the group and other users only have read permissions. We can do using the following command:
chmod u = rw, og = r new_file.txt
"Use of the operator" = "means that we erase all existing permissions and then set the specified ones.
check the new permission on this file:
ls -l new_file.txt
The existing permissions have been removed and the new permissions have been set as expected.
Why not add an authorization without deleting the existing authorization settings? We can do it easily too.
Suppose we have finished the script file. We must make it executable for all users. His current permissions look like this:
ls -l new_script.sh
We can add the runtime permission for everyone with the following command:
chmod a + x new_script.sh
If we look at the authorizations, we will see that the authorization to execute is now granted to everyone and that the existing authorizations are still in place.
ls -l new_script.sh
We could have achieved the same thing without the "a" in the statement "a + x". The following command would have worked as well.
chmod + x new_script.sh
Set permissions for multiple files
We can apply permissions to multiple files at the same time.
These are the files in the current directory:
Suppose we want to remove write permissions for "other" users from files with the extension ".page". We can do it with the following command:
chmod o-r * .page
Let's see what effect it had:
As can be seen, the reading rights have been removed from the ".page" files of the "other" category of users. No other files have been assigned.
If we wanted to include files in subdirectories, we could have used the -R (recursive) option.
chmod -R o-r * .page
Another way to use chmod is to provide the permissions you want to give the owner, group, and other users as a three-digit number. The leftmost digit represents the permissions for the owner. The middle number represents the permissions for the members of the group. The rightmost number represents the permissions for the others.
The numbers you can use and what they represent are listed here:
0: (000) No authorization.
1: (001) Run the authorization.
2: (010) write permission.
3: (011) Write and execute permissions.
4: (100) read permission.
5: (101) Read and execute permissions.
6: (110) Read and write permissions.
7: (111) Read, write and execute permissions.
Each of the three permissions is represented by one of the bits in the binary equivalent of the decimal number. So 5, which is 101 in binary, means read and execute. 2, which is 010 in binary, would mean write permission.
By using this method, you set the permissions that you want to have; you do not add these permissions to the existing permissions. So, if read and write permissions were already in place, you will have to use 7 (111) to add execute permissions. The use of 1 (001) removes read and write permissions and adds permission to run.
Let's add read permission on ".page" files for other categories of users. We also need to set permissions for users and groups. We must therefore define them on what they already are. These users already have read and write permissions, which is 6 (110). We want the "others" to read and have permissions. They must therefore be set to 4 (100).
The following command will accomplish this:
chmod 664 * .page
This sets the permissions we need for the user, group members and others on what we need. Users and group members have their permissions reset to what they already were, and others have read permission restored.
If you read the manual page for chmod, you will see some advanced options related to SETUID and SETGID bits, as well as the restricted or "sticky" delete bit.
In 99% of the cases for which you will need chmod, the options described below will help you protect yourself.