The command used to change permissions from the command line is chmod, which means “change mode” (permissions are also called the mode of a file). The chmod command takes a permission instruction followed by a list of files or directories to change. The permission instruction can be issued either symbolically (the symbolic method) or numerically (the numeric method).
Changing Permissions with the Symbolic Method
chmod WhoWhatWhich file|directory
- Who is u, g, o, a (for user, group, other, all)
- What is +, -, = (for add, remove, set exactly)
- Which is r, w, x (for read, write, execute)
The symbolic method of changing file permissions uses letters to represent the different groups of permissions: u for user, g for group, o for other, and a for all. With the symbolic method, it is not necessary to set a complete new group of permissions. Instead, you can change one or more of the existing permissions. Use + or - to add or remove permissions, respectively, or use = to replace the entire set for a group of permissions.
The permissions themselves are represented by a single letter: r for read, w for write, and x for execute. When using chmod to change permissions with the symbolic method, using a capital X as the permission flag will add execute permission only if the file is a directory or already has execute set for user, group, or other.
Note: The chmod command supports the -R option to recursively set permissions on the files in an entire directory tree. When using the -R option, it can be useful to set permissions symbolically using the X option. This allows the execute (search) permission to be set on directories so that their contents can be accessed, without changing permissions on most files. Be cautious with the X option, however, because if a file has any execute permission set, X will set the specified execute permission on that file as well. For example, the following command recursively sets read and write access on demodir and all its children for their group owner, but only applies group execute permissions to directories and files that already have execute set for user, group, or other.
[root@host opt]# chmod -R g+rwX demodir
1. Remove read and write permission for group and other on file1:
[user@host ~]$ chmod go-rw file1
2. Add execute permission for everyone on file2:
[user@host ~]$ chmod a+x file2
Changing Permissions with the Numeric Method
In the example below the # character represents a digit.
chmod ### file|directory
- Each digit represents permissions for an access level: user, group, other.
- The digit is calculated by adding together numbers for each permission you want to add, 4 for read, 2 for write, and 1 for execute.
Using the numeric method, permissions are represented by a 3-digit (or 4-digit, when setting advanced permissions) octal number. A single octal digit can represent any single value from 0-7. In the 3-digit octal (numeric) representation of permissions, each digit stands for one access level, from left to right: user, group, and other. To determine each digit:
- Start with 0.
- If the read permission should be present for this access level, add 4.
- If the write permission should be present, add 2.
- If the execute permission should be present, add 1.
Examine the permissions -rwxr-x---. For the user, rwx is calculated as 4+2+1=7. For the group, r-x is calculated as 4+0+1=5, and for other users, --- is represented with 0. Putting these three together, the numeric representation of those permissions is 750.
This calculation can also be performed in the opposite direction. Look at the permissions 640. For the user permissions, 6 represents read (4) and write (2), which displays as rw-. For the group part, 4 only includes read (4) and displays as r--. The 0 for other provides no permissions (---) and the final set of symbolic permissions for this file is -rw-r-----. Experienced administrators often use numeric permissions because they are shorter to type and pronounce, while still giving full control over all permissions.
1. Set read and write permissions for user, read permission for group and other, on samplefile:
[user@host ~]$ chmod 644 samplefile
2. Set read, write, and execute permissions for user, read and execute permissions for group, and no permission for other on sampledir:
[user@host ~]$ chmod 750 sampledir
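The 4/2/1 arithmetic above is mechanical enough to script. The following added example (not from the course text) converts a symbolic mode string into its three octal digits and back, using the section's own worked values (rwxr-x--- is 750, 640 is rw-r-----), and then cross-checks the arithmetic against what the system reports for a real file. It assumes GNU coreutils (stat -c %A and %a); the function names are my own, and the 4-digit form for special permissions is deliberately out of scope, as in the section.

```sh
#!/bin/sh
# Added example, not from the course text: convert between the symbolic
# rwx triplets and the 3-digit octal mode using the 4/2/1 rule, then
# cross-check the arithmetic against stat's own output for a real file.
# Assumes GNU coreutils (stat -c %A / %a).

# digit_of TRIPLET: one rwx triplet to one octal digit. Start at 0, add 4
# for r, 2 for w, 1 for x. A lowercase s or t in the execute position means
# execute is set together with a special bit, so it still counts as 1; the
# special bit itself belongs to the 4-digit form and is not encoded here.
digit_of() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# sym_to_octal MODE: MODE is either 9 characters (rwxr-x---) or the full
# 10-character ls/stat string with the file-type character in front.
sym_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}           # drop the type character (-, d, l, ...)
    if [ ${#s} -ne 9 ]; then
        echo "expected 9 or 10 characters, got '$1'" >&2
        return 1
    fi
    u=$(printf '%s' "$s" | cut -c1-3)
    g=$(printf '%s' "$s" | cut -c4-6)
    o=$(printf '%s' "$s" | cut -c7-9)
    printf '%s%s%s\n' "$(digit_of "$u")" "$(digit_of "$g")" "$(digit_of "$o")"
}

# triplet_of DIGIT: the reverse direction for one access level
triplet_of() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_sym MODE: three octal digits (user, group, other) to rwx form
octal_to_sym() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got '$1'" >&2; return 1 ;;
    esac
    printf '%s%s%s\n' \
        "$(triplet_of "$(printf '%s' "$1" | cut -c1)")" \
        "$(triplet_of "$(printf '%s' "$1" | cut -c2)")" \
        "$(triplet_of "$(printf '%s' "$1" | cut -c3)")"
}

# check_file PATH: compute the digits from stat's symbolic output and compare
# with stat's own numeric output. stat -c %a prints no leading zeros.
check_file() {
    computed=$(sym_to_octal "$(stat -c '%A' "$1")" | sed 's/^0*//')
    [ -n "$computed" ] || computed=0
    reported=$(stat -c '%a' "$1")
    if [ "$computed" = "$reported" ]; then
        echo "$1: $computed (matches stat)"
        return 0
    fi
    echo "$1: computed $computed but stat reports $reported" >&2
    return 1
}

# Worked values from the section: rwxr-x--- is 750 and 640 is rw-r-----
sym_to_octal '-rwxr-x---'
octal_to_sym 640
f=$(mktemp)
chmod 640 "$f"
check_file "$f"
rm -f "$f"
```

The script accepts either the bare 9-character triplets or the full 10-character string that ls -l and stat print, so you can feed it output straight from the system. check_file is the useful part when auditing: if the computed digits ever disagree with stat -c %a, the file carries a special permission bit (the 4-digit form) that this 3-digit calculation does not represent.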
Changing file and directory user/group ownership
A newly created file is owned by the user who creates that file. By default, new files have a group ownership that is the primary group of the user creating the file. In Linux, a user’s primary group is usually a private group with only that user as a member. To grant access to a file based on group membership, the group that owns the file may need to be changed.
Only root can change the user that owns a file. Group ownership, however, can be set by root or by the file’s owner. root can grant file ownership to any group, but regular users can make a group the owner of a file only if they are a member of that group. File ownership can be changed with the chown (change owner) command. For example, to grant ownership of the test_file file to the geek user, use the following command:
[root@host ~]# chown geek test_file
chown can be used with the -R option to recursively change the ownership of an entire directory tree. The following command grants ownership of test_dir and all files and subdirectories within it to geek:
[root@host ~]# chown -R geek test_dir
The chown command can also be used to change group ownership of a file by preceding the group name with a colon (:). For example, the following command changes the group of test_dir to admins:
[root@host ~]# chown :admins test_dir
The chown command can also be used to change both owner and group at the same time by using the owner:group syntax. For example, to change the ownership of test_dir to visitor and the group to guests, use the following command:
[root@host ~]# chown visitor:guests test_dir
Instead of using chown, some users change the group ownership by using the chgrp command. This command works just like chown, except that it is only used to change group ownership and the colon (:) before the group name is not required.
Note: You may encounter examples of chown commands using an alternative syntax that separates owner and group with a period instead of a colon:
[root@host ~]# chown owner.group filename
You should not use this syntax. Always use a colon. A period is a valid character in a user name, but a colon is not. If the user enoch.root, the user enoch, and the group root exist on the system, the result of chown enoch.root filename will be to have filename owned by the user enoch.root. You may have been trying to set the file ownership to the user enoch and group root. This can be confusing. If you always use the chown colon syntax when setting the user and group at the same time, the results are always easy to predict.