Manage File System Permissions from the Command Line

Objectives

  • Change the permissions and ownership of files with command-line tools.

Change File and Directory Permissions

The chmod command has the following characteristics:

  • It changes file and directory permissions from the command line.

  • It can be interpreted as "change mode", because the mode of a file is another name for file permissions.

  • It takes a permission instruction followed by a list of files or directories to change.

  • You can set the permission instruction either symbolically or in octal (numeric) notation.

Change Permissions with the Symbolic Method

Use the chmod command to modify file and directory permissions.

chmod Who/What/Which file|directory

Who is the class of user, as in the following table. If you do not provide a class of user, then the chmod command uses the all group as the default.

Who  Set    Description
u    user   The file owner.
g    group  Members of the file's group.
o    other  Users who are neither the file owner nor members of the file's group.
a    all    All three previous groups.

What is the operator that modifies the Which, as in the following table.

What  Operation    Description
+     add          Adds the permissions to the file.
-     remove       Removes the permissions from the file.
=     set exactly  Sets exactly the provided permissions on the file.

Which is the mode, and specifies the permissions to the files or directories, as in the following table.

Which  Mode             Description
r      read             Read access to the file. Listing access to the directory.
w      write            Write permissions to the file or directory.
x      execute          Execute permissions to the file. Allows entering the directory, and accessing files and subdirectories inside the directory.
X      special execute  Execute permissions to a directory, or execute permissions to a file if at least one of the execute bits is set.

The symbolic method of changing file permissions uses letters to represent the permission groups: u for user, g for group, o for other, and a for all.

With the symbolic method, you do not need to set a complete new group of permissions. Instead, you can change one or more of the existing permissions. Use the plus (+) or the minus (-) characters to add or remove permissions, respectively, or use the equal (=) character to replace the entire set for a group of permissions.

A single letter represents the permissions themselves: r for read, w for write, and x for execute. You can use an uppercase X as the permission flag to add execute permissions only if the file is a directory or if execute is already set for user, group, or other.

The following list shows some examples for changing permissions with the symbolic method:

Remove read and write permission for group and other on the document.pdf file:

[user@host ~]$ chmod go-rw document.pdf

Add execute permission for everyone on the myscript.sh file:

[user@host ~]$ chmod a+x myscript.sh

You can use the chmod command -R option to recursively set permissions on the files in an entire directory tree. For example, the next command recursively adds read, write, and execute permissions for the members of the group that owns the myfolder directory and the files and directories inside it.

[user@host ~]$ chmod -R g+rwx /home/user/myfolder

You can also use the chmod command -R option together with the X permission flag to set permissions symbolically. With X, you can set the execute (search) permission on directories so that their contents can be accessed, without changing permissions on most files. However, be cautious with X, because if any execute permission is set on a file, then X sets the specified execute permission on that file as well.

For example, the following command recursively sets read and write access on the demodir directory and all its children for their group owner, but applies group execute permissions only to directories and files where execute permission is already set for user, group, or other.

[root@host opt]# chmod -R g+rwX demodir
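
The effect of X compared with x, as an added example that is not part of the original course material. It builds a throwaway tree (all paths are constructed for the demo) and assumes GNU coreutils stat and mktemp:

```shell
#!/bin/sh
# Added example: compare "chmod -R g+rwX" with "chmod -R g+rwx" on a
# constructed tree. Assumes GNU coreutils (stat -c) and mktemp.

# Build demodir/sub/ holding a plain file (600) and a script that already
# has the user execute bit set (700). Prints the temporary root path.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/demodir/sub"
    printf 'data\n' > "$root/demodir/sub/notes.txt"
    printf '#!/bin/sh\necho hi\n' > "$root/demodir/sub/run.sh"
    chmod 700 "$root/demodir" "$root/demodir/sub" "$root/demodir/sub/run.sh"
    chmod 600 "$root/demodir/sub/notes.txt"
    printf '%s\n' "$root"
}

# Apply a symbolic mode recursively, then print the octal modes of
# demodir, demodir/sub, notes.txt and run.sh on one line.
modes_after() {
    root=$(build_demo_tree) || return 1
    chmod -R "$1" "$root/demodir"
    stat -c '%a' "$root/demodir" "$root/demodir/sub" \
        "$root/demodir/sub/notes.txt" "$root/demodir/sub/run.sh" |
        paste -sd ' ' -
    rm -rf "$root"
}

# With X, notes.txt stays non-executable; run.sh gains group execute
# because it already had an execute bit. With x, every file gains it.
echo "g+rwX: $(modes_after g+rwX)"
echo "g+rwx: $(modes_after g+rwx)"
```

The third value in each line is the plain file: it is the only entry whose result differs between the two runs.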

Change Permissions with the Octal Method

You can use the chmod command to change file permissions with the octal method instead of the symbolic method. In the following example, the # character represents a digit.

chmod ### file|directory

With the octal method, you can represent permissions as a 3-digit (or 4-digit, when setting advanced permissions) octal number. A single octal digit can represent any single value from 0-7.

In the 3-digit octal representation of permissions, each digit stands for one access level, from left to right: user, group, and other. To determine each digit:

  • Start with 0.

  • To add read permissions for this access level, add 4.

  • To add write permissions, add 2.

  • To add execute permissions, add 1.

The following diagram illustrates how systems interpret the 644 octal permission value.

Figure 7.1: Visual representation of the octal method

Experienced administrators often use octal permissions because they are easy to implement on single or matching files, and provide full permission control.

The following list shows some examples for changing permissions with the octal method:

Set read and write permissions for user, and read permission for group and other, on the sample.txt file:

[user@host ~]$ chmod 644 sample.txt

Set read, write, and execute permissions for user, read and execute permissions for group, and no permission for other on the sampledir directory:

[user@host ~]$ chmod 750 sampledir
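
The 4/2/1 digit rule described above, as an added example that is not part of the original course material. The function names are hypothetical; the last function checks the decoding against what ls reports for a temporary file:

```shell
#!/bin/sh
# Added example: decode a 3-digit octal mode into the rwx string that ls shows.

# One octal digit -> rwx triplet, by testing the 4 (read), 2 (write)
# and 1 (execute) bits.
digit_to_rwx() {
    d=$1
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# Three octal digits -> user, group, other triplets, left to right.
octal_to_symbolic() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got: $mode" >&2; return 1 ;;
    esac
    u=${mode%??}             # first digit: user
    rest=${mode#?}
    g=${rest%?}              # second digit: group
    o=${mode#??}             # third digit: other
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" \
        "$(digit_to_rwx "$o")"
}

# Apply the mode to a temporary file and confirm that columns 2-10 of
# "ls -ld" match the decoded string.
verify_with_chmod() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    seen=$(ls -ld "$f" | cut -c2-10)
    rm -f "$f"
    [ "$seen" = "$(octal_to_symbolic "$1")" ]
}

octal_to_symbolic 644
octal_to_symbolic 750
```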

Change File and Directory User or Group Ownership

The user owns a file that it creates. By default, new files have a group ownership that is the primary group of the user that creates the file. In Red Hat Enterprise Linux, a user's primary group is usually a private group with only that user as a member. To grant access to a file based on group membership, you might need to change the group that owns the file.

Only the root user can change the user that owns a file. However, the file's owner and the root user can set group ownership. The root user can grant file ownership to any group, but regular users can ONLY change the file's group ownership if they are a member of the destination group.

You can change file ownership by using the chown (change owner) command. For example, to grant ownership of the app.conf file to the student user, use the following command:

[root@host ~]# chown student app.conf

The chown command -R option recursively changes the ownership of an entire directory tree. The following command grants ownership of the Pictures directory and all files and subdirectories within it to the student user:

[root@host ~]# chown -R student Pictures

You can also use the chown command to change group ownership of a file by preceding the group name with a colon (:). For example, the following command changes the group ownership of the Pictures directory to admins:

[root@host ~]# chown :admins Pictures

You can use the chown command to change both owner and group at the same time by using the owner:group syntax. For example, to change the ownership of the Pictures directory to the visitor user and the group to guests, use the following command:

[root@host ~]# chown visitor:guests Pictures

Instead of using the chown command, some users change the group ownership by using the chgrp command. This command works similarly to chown, except that you can use it only to change group ownership, and the colon (:) before the group name is not required.

Important

You might encounter alternative chown syntax that separates owner and group with a period character instead of a colon:

[root@host ~]# chown owner.group filename

Red Hat recommends not using this syntax, and always using a colon. Because a period is a valid character in a username, a chown command might misinterpret your intent. The command might interpret the user and group as a file name. Instead, only use a colon character when setting the user and group at the same time.

References

ls(1), chmod(1), chown(1), and chgrp(1) man pages

Revision: rh124-9.3-770cc61