If you're like me and just cannot remember the order of permissions and different modes in chmod... https://chmodcommand.com is for you :)
You have 3 permission types:
- User (permissions applying to the file's owner)
- Group (permissions applying to the file's group)
- Other (permissions applying to everyone else)
For each of these types, you can allow 3 things:
- Ability to read (note that you need read permissions on a directory to list it)
- Ability to write
- Ability to execute
If you say:
chmod 755 some_file
It gets broken down like this:
User Group Other
7 5 5 (octal value, base-8)
111 101 101 (binary value, base-2 or binary)
RWX RWX RWX
where: R - Read, W - Write, X - eXecute
So that command would mean that the owner gets all permissions, but group members, and others can only read and execute.
There's another input format with chmod that's handy, and doesn't require you to do conversion to binary in your head. As an example, to add execute permission for user:
chmod u+x some_file
To remove those permissions, you would say
chmod u-x some_file
You can replace 'u' with 'u', 'g', or 'o' (user, group, other respectively), and 'x' with 'r', 'w', or 'x' (you get the idea).
You have to be careful with this. If you did:
chmod -R 777 some_directory
And that file contained sensitive configuration data, then you just gave 'other' (i.e. the outside world) full read permissions (meaning the web server may serve up this information).
It would also be worthwhile for you to have a look at the chown command as well.
If you don't understand the numbers, don't use them:
chmod u=rw,go=r file
That will set the permissions on the file to read and write for the user, and readonly for group and others. You can use + to add a permission:
chmod ug+x file
(so now the user and the group can execute the file), and you can use - to remove a permission:
chmod g-x file
(so now the members of the group can't execute the file).
If you want to use the numbers, there are two sets of facts you need to know:
- The numbers are octal (digits 0..7), and the first digit (of three) represents the permissions for the user, the second digit represents the permissions for the group, and the third and final digit represents the permissions for others.
The octal numbers use three bits, and the values for each bit are:
- 4 โ read
- 2 โ write
- 1 โ execute
Therefore, using permissions like:
chmod 640 file
can be split up into 6 for the user, 4 for the group and 0 for others. The 6 which is 4 + 2 (or 4|2) means 'read' and 'write' permission for the owner; the 4 for the group means group members can read the file; and 0 for others means that other people cannot access the file.
In the context of a directory, 'execute' is better termed 'access', meaning someone with access to the directory can use files in the directory if the file permissions permit, and the user knows the name. With read permission on a directory too, you can see a list of the files in the directory; with write permission on a directory, you can create new files or delete existing ones.
Note that a read-only file can be deleted if the user doing the deleting has write permission on the directory. Commands such as rm provide protection as a courtesy, rather than relying on the kernel to protect the user of the command.
I've not covered 3 more bits on the permissions, which appear before the user permissions. You don't need to worry about those while the basic permissions are causing you confusion, but the SUID or set UID bit (4), SGID or set GID bit (2), and the sticky bit (1) can be useful for advanced permission controls.