Demystifying Unix File Permissions And The Chmod Command
Understanding UNIX File Permissions
UNIX file permissions determine the level of access users have to files and directories. Permissions are associated with three classes of users: the file owner, the group owner, and all other users. The permissions define the read, write, and execute access rights for each class.
The file owner is generally the user that created the file. Each file also belongs to a group consisting of one or more users. All other system users that are not the owner or group members make up the world or others class.
Here is an example directory listing showing file permissions:
$ ls -l
-rw------- 1 jsmith users   120 Feb 26 13:34 file1.txt
-rw-r--r-- 1 jdoe   admin  1945 Feb 23 08:10 report.pdf
drwxr-xr-x 2 jadmin wheel     6 Jan 14 10:51 scripts
There are 10 characters at the start of each line displaying the permissions. The first character indicates the file type. The next 9 characters represent the read, write and execute permissions for the owner, group owner and world.
Interpreting the Permission Bits
Let's examine the 10 permission characters in detail:
d rwx r-x r-x
- First character (d): File type (directory, regular file, symlink, etc.)
- Next 3 characters (rwx): File owner permissions
  - r: Read permission (view the contents of the file)
  - w: Write permission (modify the contents of the file)
  - x: Execute permission (run the file if it is a script or program)
- Next 3 characters (r-x): Group owner permissions
  - Same meaning as the owner permissions, but they apply to members of the group owner
- Last 3 characters (r-x): Permissions for world/others
  - Apply to every other user on the system who is neither the owner nor a group member
Some key points about permissions:
- Not all combinations are applicable for every file type
- Only directories can have the execute permission enabled
- Execute permission allows the ability to access directory contents or run a program/script
Here are some examples demonstrating permissions:
-rw-------   Only the owner can read and write; group and world have no access
-rw-r--r--   Owner can read and write; group and world can only read
-rw-rw----   Owner and group can read and write; world has no access
-rwxrwxr-x   Owner and group can read, write and execute; world can read and execute (typical for a shared script)
drwxrws---   Owner and group can access the directory contents (the s is the group's setgid bit); world cannot
Using the chmod Command
The chmod command is used to change the permissions on files and directories. The basic syntax is:
chmod [options] mode file...
To specify a mode, either a symbolic representation or octal notation can be used. Some examples:
chmod g+w file.txt    # Add group write permission
chmod 755 myprog      # Numeric (octal) mode for rwxr-xr-x
chmod go-rwx dir1     # Remove all group and world permissions
Here are some common permission modes and usage scenarios for chmod:
chmod 700 file      # Private read/write/execute for owner only
chmod 600 file      # Owner can read and write; all others have no access
chmod 755 script    # Owner r/w/x; group and world r-x (executable script)
chmod 777 dir       # Everyone has full r/w/x access
chmod +t file       # Enable the sticky bit
chmod g=rwx file    # Assign group r/w/x; leave the other classes unchanged
Setting Default Permissions on New Files
When new files and directories are created, they receive default permissions determined by the umask value. The umask lists the permission bits that are masked out (removed) from those defaults.
To view or set the umask, use the umask command:
$ umask           # Print current value
0002
$ umask 0027      # Set umask value
$ umask           # New value took effect
0027
Common umask values to set new file defaults for everyone:
umask 0022    # New dirs: 755; new files: 644
umask 0002    # New dirs/files: 775/664
umask 0077    # New dirs/files: 700/600 (private)
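The two helpers below are an added example, not code from the original article: mode_to_octal parses the 10-character mode column of ls -l (including setuid, setgid and sticky markers) into the 4-digit octal form chmod accepts, and default_mode applies a umask to the base modes for new files and directories to reproduce the defaults listed above. Both function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article.

# Convert the 10-character mode column of `ls -l` (e.g. "-rwxr-sr-x") to a
# 4-digit octal mode. The leading digit carries setuid (4), setgid (2) and
# sticky (1); 's'/'t' mean the special bit plus execute, 'S'/'T' the special
# bit without execute. Trailing ACL markers such as '+' are not accepted.
mode_to_octal() {
    s=$1
    [ "${#s}" -eq 10 ] || { echo "expected 10-character mode string: $s" >&2; return 1; }
    special=0 digits="" pos=2 bit=4   # bit: 4=setuid (user), 2=setgid (group), 1=sticky (other)
    while [ "$pos" -le 8 ]; do
        n=0
        case "$(printf '%s' "$s" | cut -c"$pos")" in
            r) n=$((n + 4)) ;;  -) ;;
            *) echo "bad read flag in $s" >&2; return 1 ;;
        esac
        case "$(printf '%s' "$s" | cut -c"$((pos + 1))")" in
            w) n=$((n + 2)) ;;  -) ;;
            *) echo "bad write flag in $s" >&2; return 1 ;;
        esac
        case "$(printf '%s' "$s" | cut -c"$((pos + 2))")" in
            x)   n=$((n + 1)) ;;
            s|t) n=$((n + 1)); special=$((special + bit)) ;;
            S|T) special=$((special + bit)) ;;
            -)   ;;
            *) echo "bad execute flag in $s" >&2; return 1 ;;
        esac
        digits="$digits$n"
        pos=$((pos + 3)); bit=$((bit / 2))
    done
    printf '%d%s\n' "$special" "$digits"
}

# Mode a newly created file (base 666) or directory (base 777) receives under a
# given umask: each umask digit clears those bits from the matching base digit.
default_mode() {   # usage: default_mode <umask, 3 or 4 octal digits> file|dir
    u=$1
    [ "${#u}" -eq 4 ] && u=$(printf '%s' "$u" | cut -c2-4)
    [ "${#u}" -eq 3 ] || { echo "umask must be 3 or 4 octal digits: $1" >&2; return 1; }
    base=6; [ "$2" = dir ] && base=7
    out=""
    for d in $(printf '%s' "$u" | sed 's/./& /g'); do
        case "$d" in [0-7]) ;; *) echo "bad umask digit: $d" >&2; return 1 ;; esac
        out="$out$((base & ~d))"
    done
    printf '%s\n' "$out"
}

mode_to_octal drwxrws---    # 2770: the setgid directory from the examples above
default_mode 0027 file      # 640
default_mode 0027 dir       # 750
```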
Advanced Permission Topics
In addition to the standard read, write and execute UNIX permissions, a few further mechanisms add extra controls:
- Setuid & Setgid: allow an executed file to run with the privileges of the file owner or group rather than those of the invoking user
- Sticky Bit: prevents users other than a file's owner from deleting or renaming files in shared directories such as /tmp
- Access Control Lists (ACLs): finer-grained permissions granted to specific users and groups beyond the owner/group/other classes
Here is an example using chmod to set the setuid permission:
chmod u+s myprog
When myprog runs, the process takes on the privileges of the file owner rather than those of the user who launched it. This is how privileged programs that need temporary elevated access run on behalf of other users.