Perlfect Solutions
 

Understanding UNIX permissions and chmod

Introduction

This is a topic that has been beaten to death both in books and on-line. For some reason, it seems to be one of the most common misunderstandings that people face when learning how to write and/or configure their first CGI programs. This tutorial aims to clarify the concepts involved. Note that we will be referring to UNIX in a generic sense in this article. Most of what we are going to discuss here applies to all UNIX flavours (such as Linux, SVR4, BSD etc.). It is also a good idea to type man chmod to check the specific details on your system.

Users

A UNIX system serves many users. Users are an abstraction that denotes a logical entity for assignment of ownership and operation privileges over the system. A user may correspond to a real-world person, but also to a type of system operation. So, on my system, I have user 'nick' that corresponds to me, but I also have user 'www' which corresponds to the privileges necessary to operate the local webserver. UNIX doesn't care about what the user means for me. It just knows what belongs to any given user and what each user is allowed to do with any given thing (file, program, device, etc.) on the system. UNIX identifies each user by a User ID (UID); the username (or login), such as 'nick' or 'www', is just an alias for the UID that makes humans more comfortable.

Groups

Users can be organized in groups. A user may belong to one or more groups of users. The concept of groups serves the purpose of assigning sets of privileges for a given resource and sharing them among many users that need to have them (perhaps because they are all members of a project working team and they all need access to some common project files). So, on my system user 'nick' and user 'www' both belong to the group 'perlfect'. This way, they can have some shared privileges over the files for this site. User 'nick' needs them to edit the site, and user 'www' needs them to manage the webserver that will be publishing the site.

Ownership

Every file in UNIX has an owner user and an owner group. So, for any file in the system, user 'nick' may have one of the following ownership relations:
  • nick owns the file, i.e. the file's owner is 'nick'.
  • nick is a member of the group that owns the file, i.e. the file's owner group is 'perlfect'.
  • nick is neither the owner nor a member of the group that owns the file.

Permissions

Every file on the system has associated with it a set of permissions. Permissions tell UNIX what can be done with that file and by whom. There are three things you can (or can't) do with a given file:
  • read it,
  • write (modify) it and
  • execute it.
Unix permissions specify which of the above operations can be performed for any ownership relation with respect to the file. In simpler terms: what can the owner do, what can the owner group do, and what can everybody else do with the file. For any given ownership relation, we need three bits to specify access permissions: the first to denote read (r) access, the second to denote write (w) access and the third to denote execute (x) access. We have three ownership relations, 'owner', 'group' and 'all', so we need a triplet for each, resulting in nine bits. Each bit can be set or clear (not set). We mark a set bit by its corresponding operation letter (r, w or x) and a clear bit by a dash (-), and put them all in a row. An example might be rwxr-xr-x. What this means is that the owner can do anything with the file, but group owners and the rest of the world can only read or execute it. Usually in UNIX there is also another bit that precedes this 9-bit pattern. You do not need to know about it, at least for the time being.

So if you try ls -l on the command prompt you will get something like the following:

    [nick@thekla src]$ ls -l
    -rwxr-xr-x 1 nick users 382 Jan 19 11:49 bscoped.pl
    drwxr-xr-x 3 nick users 1024 Jan 19 11:19 lib/
    -rwxr-xr-x 1 nick users 1874 Jan 19 10:23 socktest.pl

The first column here shows the permission bit pattern for each file. The third column shows the owner, and the fourth column shows the owner group. By now, the information provided by ls -l should be enough for you to figure out what each user of the system can do with any of the files in the directory.
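
The reasoning described above, written out as an added example that is not part of the original tutorial: it takes one ls -l line, picks the single ownership relation that applies to a user (owner first, then group, then others) and reads only that triplet. The helper names class_of, can and rights, the user 'guest' and the second file line are assumptions made for the illustration; users are matched by name and root is not modelled.

```sh
#!/bin/sh
# Added example, not from the original tutorial. class_of, can and rights are
# hypothetical helper names; users are matched by name, and root (who bypasses
# these checks on a real system) is not modelled.

# class_of USER "GROUPS" OWNER OWNER_GROUP -> prints u, g or o.
# Exactly one relation applies, tested in this order: owner, group, others.
class_of() {
    if [ "$1" = "$3" ]; then echo u; return 0; fi
    for grp in $2; do
        if [ "$grp" = "$4" ]; then echo g; return 0; fi
    done
    echo o
}

# can USER "GROUPS" OP "LS_LINE" -> exit status 0 if OP (r, w or x) is allowed.
can() {
    # Fields of an ls -l line: mode string, link count, owner, owner group, ...
    read -r mode links owner ogroup rest <<EOF
$4
EOF
    bits=${mode#?}    # drop the leading character that precedes the nine bits
    case $(class_of "$1" "$2" "$owner" "$ogroup") in
        u) triplet=$(printf '%s' "$bits" | cut -c1-3) ;;
        g) triplet=$(printf '%s' "$bits" | cut -c4-6) ;;
        o) triplet=$(printf '%s' "$bits" | cut -c7-9) ;;
    esac
    # Only the selected triplet is consulted; the other two are ignored.
    case $triplet in
        *"$3"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# rights USER "GROUPS" "LS_LINE" -> prints the user's effective access, e.g. r-x
rights() {
    out=
    for op in r w x; do
        if can "$1" "$2" "$op" "$3"; then out=$out$op; else out=$out-; fi
    done
    printf '%s\n' "$out"
}

# One line taken from the listing above, plus one constructed line.
LISTED='-rwxr-xr-x 1 nick users 1874 Jan 19 10:23 socktest.pl'
CONSTRUCTED='-r--rwx--- 1 nick perlfect 120 Jan 19 12:00 report.pl'

# Constructed users: nick and www share group perlfect; guest shares nothing.
for who in 'nick:users perlfect' 'www:perlfect' 'guest:guests'; do
    printf '%-6s socktest.pl=%s report.pl=%s\n' "${who%%:*}" \
        "$(rights "${who%%:*}" "${who#*:}" "$LISTED")" \
        "$(rights "${who%%:*}" "${who#*:}" "$CONSTRUCTED")"
done
```

On the constructed r--rwx--- file, nick gets only r-- even though he is also in the owning group, because the owner triplet is the one that applies to him.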

Directories

Another interesting thing to note is that lib/ which is a directory has permissions, too. Permissions take a different meaning for directories. Here's what they mean:
  • read determines if a user can view the directory's contents, i.e. do ls in it.
  • write determines if a user can create new files or delete files in the directory. (Note that this essentially means that a user with write access to a directory can delete files in the directory even if he/she doesn't have write permission for the file! So be careful with this.)
  • execute determines if the user can cd into the directory.

chmod

To set/modify a file's permissions you need to use the chmod program. Of course, only the owner of a file may use chmod to alter a file's permissions. chmod has the following syntax:

    chmod [options] mode file(s)

The 'mode' part specifies the new permissions for the file(s) that follow as arguments. A mode first specifies whose permissions should be changed, and then which access types should be changed. Let's say for example:

    chmod a-x socktest.pl

This means that the execute bit should be cleared (-) for all users (owner, group and the rest of the world). The permissions start with a letter specifying which users should be affected by the change. This might be any of the following:
  • u the owner user
  • g the owner group
  • o others (neither u, nor g)
  • a all users
This is followed by a change instruction which consists of a + (set bit) or - (clear bit) and the letter corresponding to the bit that should be changed.

Let's see some examples:

    $ ls -l socktest.pl
    -rwxr-xr-x 1 nick users 1874 Jan 19 10:23 socktest.pl*
    $ chmod a-x socktest.pl
    $ ls -l socktest.pl
    -rw-r--r-- 1 nick users 1874 Jan 19 10:23 socktest.pl
    $ chmod g+w socktest.pl
    $ ls -l socktest.pl
    -rw-rw-r-- 1 nick users 1874 Jan 19 10:23 socktest.pl
    $ chmod ug+x socktest.pl
    $ ls -l socktest.pl
    -rwxrwxr-- 1 nick users 1874 Jan 19 10:23 socktest.pl*
    $ chmod ug-wx socktest.pl
    $ ls -l socktest.pl
    -r--r--r-- 1 nick users 1874 Jan 19 10:23 socktest.pl

Strange numbers...

You might have encountered things like chmod 755 somefile and of course you will be wondering what this is. The thing is that you can change the entire permission pattern of a file in one go using one number like the one in this example. Every mode has a corresponding code number, and as we shall see there is a very simple way to figure out what number corresponds to any mode.

Every one of the three digits in the mode number corresponds to one of the three permission triplets (u, g and o). Every permission bit in a triplet corresponds to a value: 4 for r, 2 for w, 1 for x. If the permission bit is set, you add this value to the number of the permission triplet. If it is cleared, then you add nothing. (Some of you might notice that, in fact, the number for a triplet is the octal value corresponding to the three-bit pattern. If you don't know what an octal value is, it doesn't really matter; just follow the instructions.) So if a file has rwxr-xr-x permissions we do the following calculation:

Triplet for u: rwx => 4 + 2 + 1 = 7
Triplet for g: r-x => 4 + 0 + 1 = 5
Triplet for o: r-x => 4 + 0 + 1 = 5
Which makes : 755

So, 755 is a terse way to say 'I don't mind if other people read or run this file, but only I should be able to modify it' and 777 means 'everyone has full access to this file'.
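
To connect the letter form and the number form, here is an added example (not part of the original tutorial) that applies a chmod clause such as ug-wx to a numeric mode using the 4/2/1 values, and replays the socktest.pl sequence shown earlier starting from 755. The helper names apply_mode and to_symbolic are assumptions; only the u, g, o, a letters with + and - described in the text are handled.

```sh
#!/bin/sh
# Added example, not from the original tutorial. apply_mode and to_symbolic
# are hypothetical helper names. Only the forms covered in the text are
# handled: who = u, g, o, a; operator = + or -; permissions = r, w, x.

# apply_mode OCTAL CLAUSE -> prints the new three-digit mode, e.g. 755 a-x -> 644
apply_mode() {
    mode=$((0$1))                 # leading 0: read the digits as octal
    who=${2%%[+-]*}               # letters before the operator
    rest=${2#"$who"}              # operator followed by permission letters
    perms=${rest#?}
    op=${rest%"$perms"}
    if [ -z "$who" ] || [ -z "$perms" ]; then
        echo "unsupported clause: $2" >&2
        return 2
    fi
    # Value of one triplet: 4 for r, 2 for w, 1 for x.
    bits=0
    case $perms in *r*) bits=$((bits | 4)) ;; esac
    case $perms in *w*) bits=$((bits | 2)) ;; esac
    case $perms in *x*) bits=$((bits | 1)) ;; esac
    # Place that value in the digit of every class named in the clause.
    mask=0
    case $who in *u*|*a*) mask=$((mask | (bits << 6))) ;; esac
    case $who in *g*|*a*) mask=$((mask | (bits << 3))) ;; esac
    case $who in *o*|*a*) mask=$((mask | bits)) ;; esac
    case $op in
        +) mode=$((mode | mask)) ;;       # set the selected bits
        -) mode=$((mode & ~mask)) ;;      # clear the selected bits
        *) echo "unsupported operator in: $2" >&2; return 2 ;;
    esac
    printf '%03o\n' "$mode"
}

# to_symbolic OCTAL -> prints the nine-character pattern, e.g. 755 -> rwxr-xr-x
to_symbolic() {
    m=$((0$1)); out=
    for s in 6 3 0; do
        t=$(( (m >> s) & 7 ))
        if [ $((t & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
        if [ $((t & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
        if [ $((t & 1)) -ne 0 ]; then out=${out}x; else out=${out}-; fi
    done
    printf '%s\n' "$out"
}

# Replay the chmod sequence shown earlier on socktest.pl, starting from 755.
cur=755
for clause in a-x g+w ug+x ug-wx; do
    cur=$(apply_mode "$cur" "$clause")
    printf 'chmod %-5s -> %s %s\n' "$clause" "$cur" "$(to_symbolic "$cur")"
done
```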

Further reading...

  • It is a good idea to take a look at the manual page for chmod (you can do this with man chmod), where you will find more details and options on how to set permissions, plus some other kinds of permissions that we avoided discussing here for the sake of simplicity and clarity.


Comments

Gopi   

Posted at 12:47am on Monday, March 5th, 2007

what about the "s"

Ravi   

Posted at 1:55am on Monday, March 26th, 2007

Nice description...Really helpful...

test   

Posted at 1:38am on Thursday, April 19th, 2007

test

Ninad   

Posted at 4:12am on Thursday, April 19th, 2007

Good Post :)

Anonymous   

Posted at 4:47am on Tuesday, April 24th, 2007

Good Description for Chmod command

balu   

Posted at 5:06pm on Tuesday, May 8th, 2007

well! i want to be a gud unix programmer although i m a electronics engineer. But i am a new unix user..found this page very helpful

Anonymous   

Posted at 6:52pm on Saturday, May 12th, 2007

thanx a bunch. This is about the simplest quickest tut on chmod i've seen yet.

Roger Graham   

Posted at 4:46am on Sunday, May 13th, 2007

I've always never bothered to look into unix permissioning (and just done a 777 instead of actually understanding what's going on behind the scenes). Thanks for writing such a clear concise tutorial which has cleared things up!! ;-)

neil   

Posted at 3:50am on Sunday, June 3rd, 2007

very simple and quick thanks

ace   

Posted at 12:33pm on Monday, June 4th, 2007

Hi
at the command prompt, I am only able to view directories. when I try to change permissions, i get 'permission denied' even though I am the owner and no-one else has access to my computer. No matter what command I put in, i get 'permission denied'. please help as i have run out of ideas.

thanks

ace

suraj   

Posted at 12:06am on Tuesday, June 5th, 2007

in proc file system,
what 'p' flag specifies?

waste..   

Posted at 12:09am on Tuesday, June 5th, 2007

ace,
are you logged in as root?
can you paste o/p of
#whoami
#ls -l
#df -k

waste..   

Posted at 12:15am on Tuesday, June 5th, 2007

Suraj,
p : named pipe
use by system
In computing, a named pipe (also FIFO for its behaviour) is an extension to the traditional pipe concept on Unix and Unix-like systems, and is one of the methods of inter-process communication. The concept is also found in Microsoft Windows, although the semantics differ substantially. A traditional pipe is "unnamed" because it exists anonymously and persists only for as long as the process is running. A named

Ruth   

Posted at 6:58am on Tuesday, June 12th, 2007

This is very useful. I have installed Tomcat and set User variables in .cshrc file. and when I type
$CATALINA_HOME I am getting error
/home/tomcat: Permission Denied.

I think it is Directory permissions problem.
Help please...

sm   

Posted at 3:59pm on Wednesday, June 13th, 2007

Thanks very help

-sm

wae   

Posted at 3:57pm on Saturday, June 16th, 2007

Fantastic tutorial. Much clearer than the man page.

irina   

Posted at 1:55am on Wednesday, June 27th, 2007

really useful

vks   

Posted at 2:34am on Monday, July 2nd, 2007

It's really very useful.. I was also unaware about chmod XXX. But after reading this tutorial, got the concept behind. Thanks !

ak   

Posted at 9:40pm on Monday, July 2nd, 2007

good one.. appreciate thinks like this in future too..

Deii   

Posted at 2:48am on Wednesday, July 4th, 2007

1 question> I notice the "*" suffixed at the end of the filename for certain ls command lines - the first and the penultimate line; Can shed some light on that?? [i.e. filename.pl* as opposed to filename.pl]

shankar   

Posted at 11:34pm on Wednesday, July 4th, 2007

I want to delete a file of a different owner. What permission should that different owner can give while creating that file to do the same?

shankar   

Posted at 12:08am on Thursday, July 5th, 2007

Just by giving "rwx" permissions to all users at the folder level. I am novice to unix. Thanks, if anybody made a try.

Murtaza   

Posted at 12:07pm on Saturday, July 14th, 2007

@Roger Graham - using 777 without understanding it, is really stupid, anyways glad this post has you thinking again. LOL. Sorry offense meant...

Shyam   

Posted at 10:19pm on Thursday, August 16th, 2007

It's really helpful

Shyam   

Posted at 10:19pm on Thursday, August 16th, 2007

Good one

NP   

Posted at 7:36am on Wednesday, August 22nd, 2007

@Murtaza - nobody likes a smart arse!

Naveen Kanakam   

Posted at 11:19am on Friday, September 14th, 2007

Thanks for help..It's really great...

Sandy   

Posted at 11:38pm on Monday, September 17th, 2007

OK cool Nice info i will delete few files now

asif   

Posted at 4:59am on Tuesday, September 25th, 2007

nice one !

sriram   

Posted at 6:38am on Tuesday, September 25th, 2007

is there any other command to change the attributes(using c)

Hariharan   

Posted at 3:36am on Wednesday, October 3rd, 2007

Best one

Nilesh   

Posted at 2:08pm on Saturday, October 6th, 2007

Nice, cleared some stuff up - thanks!

Dhawal   

Posted at 4:22am on Thursday, October 11th, 2007

Great! The example cleared my doubts completely

raj   

Posted at 10:41pm on Monday, October 15th, 2007

yes 777 is used to be the way to go for me. But now i clearly understand. Thanks for making my day

rsom   

Posted at 6:04am on Tuesday, October 16th, 2007

What does the 'c' permission define for permissions, 'crw-rw-rw-'?

pete   

Posted at 7:40am on Sunday, October 21st, 2007

in reply to rsom:
'c' represents a character device e.g. a serial port or a terminal - note these process data in bits.
'b' represents a block device e.g. hard drive, cdrom etc.. these process data in blocks or bytes.
'l' represents a symbolic (soft) link as in a Windows shortcut
'd' represents directory
'-' represents a file

Daniel   

Posted at 11:12am on Sunday, October 21st, 2007

Nice Description.. it really help me..

Mikael   

Posted at 7:58pm on Friday, November 2nd, 2007

I always use 4 2 1 and just add the numbers, makes more sense for me :-)

4 2 1 read write execute and "user group world" is all you need to put into memory!

Eben   

Posted at 7:55am on Monday, November 5th, 2007

This relevant manual has cleared my previous misunderstanding about chmod. This is good

imkat   

Posted at 3:02pm on Tuesday, November 6th, 2007

rili helpful. thanks...

Ravi   

Posted at 8:36pm on Tuesday, November 6th, 2007

Simple and easy ...very good

Ben   

Posted at 12:19pm on Wednesday, November 7th, 2007

What does the 'p' mean prwxr-xr-x?
Thx

Aps   

Posted at 6:37pm on Monday, November 12th, 2007

Hi everyone
It's my first time to use unix and I am having problem. I know that I logged in as root, because when I type pwd the output is "/" ( which I know is the root). Upon logging in this was the message I've got: "/etc/profile[145]: /home/alc10513: not found". Also I cannot modify a file nor make a directory. Please help me.
Thanks.

Aidan   

Posted at 7:00am on Tuesday, November 20th, 2007

@Aps
There are two kinds of root in unix, root user and the root of the filesystem. pwd prints the current working directory (which in your case is the root of the filesystem), it doesn't tell you who you are logged in as. To find that out, type whoami.

To become root user, type sudo -s (you will need to know root's password).

If you have no home directory and you can't make a file/directory, it sounds like your user account was not set up properly. You can make a new user by becoming root (sudo -s) then typing adduser yourname (replace yourname with whatever name you want). Type man adduser for more information.

Hasan Mehmood   

Posted at 11:27pm on Wednesday, November 28th, 2007

though the topic was not complex but the way you have described the chmod command make it soooooooo easy to understand. please let me know if you have written any book on Linux/Unix. hasandirect@yahoo.com

Elle   

Posted at 4:00pm on Friday, December 7th, 2007

does anyone know how to remove the set bit from a file. For example, I want the file permissions changed from -rw-rw-r--+ to -rw-rw-r--

TPot   

Posted at 8:00pm on Tuesday, December 11th, 2007

To quote the man page on AIX (which says it better than I can):
The mode displayed with the -e flag is the same as with the -l flag, except for the addition of an 11th
character interpreted as follows:
+
Indicates a file has extended security information. For example, the file may have extended ACL, TCB, or TP attributes in the mode.

The access control information (ACL) of a file is displayed by using the aclget command.


Try the acledit command.

Jasleen   

Posted at 8:36am on Thursday, December 20th, 2007

hey, thanks it was really a great help

KMK _TESTER   

Posted at 7:58am on Friday, January 11th, 2008

Nice tutorial

Was really useful for me in real time testing

Travler   

Posted at 9:42am on Wednesday, January 23rd, 2008

HUH? :)

Jim   

Posted at 12:15pm on Wednesday, February 6th, 2008

The question I have that this and everything else I've seen on the web talks right past is "in terms of web hosting, how does a server know if I am the owner or not when using a php (or other script) to upload a file or anything else requiring permissions?" IF that could be answered in 500 words or less, that would make this a great tutorial.

Abdullah   

Posted at 7:52am on Tuesday, February 12th, 2008

This is a great page! - I'm impressed.

Abhijit   

Posted at 3:05am on Friday, February 22nd, 2008

Really nice explanation of chmod command in unix. This will definitely help me in my new project which is 50% based on Unix env.

Cindy   

Posted at 5:58am on Friday, February 22nd, 2008

What does the "t" in the following permission setting stand for:

drwxrwxrwt

I'm confused :o(

nico   

Posted at 2:24pm on Wednesday, February 27th, 2008

Cindy, concerning the 't' which is sticky bit I just found this at linuxforums:

If you have a look at the /tmp permissions, in most GNU/Linux distributions, you'll see the following:

clem@pluto:/$ ls -l | grep tmp
drwxrwxrwt 10 root root 4096 2006-03-10 12:40 tmp

The "t" in the end of the permissions is called the "sticky bit". It replaces the "x" and indicates that in this directory, files can only be deleted by their owners, the owner of the directory or the root superuser. This way, it is not enough for a user to have write permission on /tmp, he also needs to be the owner of the file to be able to delete it.

In order to set or to remove the sticky bit, use the following commands:

chmod +t tmp
chmod -t tmp

The url to the article:
http://www.linuxforums.org/security/file_permissions.html

asifraheman   

Posted at 11:05pm on Thursday, March 27th, 2008

Really nice explanation of chmod command in unix. This will definitely help me in my new project which is 50% based on Unix env.

Anonymous   

Posted at 5:52am on Monday, April 7th, 2008

It's really very nice and helpful for any beginner. It gives me not only syntax idea but also detail implementation knowledge. Sites like this are very much helpful. Thanks

Mohammed Tahir Khanooni

gyanendra verma   

Posted at 1:33pm on Thursday, April 17th, 2008

I have created a script and for user i do not have execute permission. it is -rw-r--r--
still i am able to execute the script. what could be the reason

Addagirl   

Posted at 8:40pm on Monday, April 21st, 2008

I am installing an autoresponder and need to create a htaccess file and set the following permissions:
chmod for ar.cgi to 755
chmod for config.cgi to 755
chmod for activate.cgi to 755
chmod for lite.pm to 644
chmod for the autoresponder folder to 775.

I do not know how to set this up or the proper format it should be written in so I can upload it as an htaccess file on my web server.

Can anyone help?

John   

Posted at 5:53am on Tuesday, May 6th, 2008

Really nice explanation of chmod command in unix.very useful.

Gowtham   

Posted at 3:25pm on Thursday, May 22nd, 2008

HI,

I am having some problem with permissions. In this document, I was not able to find it out.

My scenario is like this.

I am having a user "nick"(home path - /home/nick) and user "stick" (home path - /home/stick).
I am having a folder folder1 in nick folder. And I want to move that folder to Stick folder.
Even though I have 777 permission to all the files for folder1 and its subfolders , I am not able to move the folder to Stick home path.

Please let me know your comments.
If it is possible , please post the reply to sen_smarty@yahoo.co.in

indrajeet   

Posted at 8:28pm on Thursday, May 22nd, 2008

really useful
i having the problem with the permissions
i want answer if possible please send me on
sonud6208@gmail.com

Raja   

Posted at 1:53am on Monday, May 26th, 2008

Nice tutorial...

Prosenjit   

Posted at 2:46am on Tuesday, May 27th, 2008

good enough...

Neeraj   

Posted at 2:06pm on Friday, May 30th, 2008

Nice info, explained quite beautifully.

Visakh   

Posted at 1:49am on Friday, June 6th, 2008

Very helpful. It is easy to understand. Thanks :)

Sanjeev   

Posted at 5:36am on Tuesday, June 17th, 2008

Very well explained, easy to understand basics of permission and chmod command

Jenny   

Posted at 5:48am on Wednesday, June 18th, 2008

nice work. i now understand the concept of chmod though i just started learning UNIX. wud want more materials on UNIX

Amit   

Posted at 2:29am on Monday, June 23rd, 2008

thanks a lot for such a wonderful information....

James   

Posted at 6:00am on Wednesday, June 25th, 2008

Web TemplatesIt is really impressive work. Nice work man keep it up.

Rick   

Posted at 6:02am on Wednesday, June 25th, 2008

http://www.5050webs.com...Good online source to get information about Unix..

Chendhil   

Posted at 12:58am on Monday, July 7th, 2008

Good and easy to understand.
Thanks..!

michael   

Posted at 10:00pm on Thursday, July 10th, 2008

Yes. Very good. Suggestion to sharpen up the part on ownership.

Ownership

Every file in UNIX has an owner user and an owner group. So, for any file in the system, user 'nick' _has exactly_ one of the following ownership relations:

* nick owns the file, i.e. the file's owner is 'nick'.
* nick _does not own the file, but_ is a member of the group that owns the file, i.e. the file's owner group is 'perlfect'.
* nick is neither the owner, nor belonging to the group that owns the file

(The reason this is significant is because permissions are evaluated only for the particular relation - there is no conjunction going on. For example, if a user is both the owner, and a member of the group that owns the file, but permission is r--rwx--- then the user will not have permission to execute the file.)

Sys Admin pk   

Posted at 3:12am on Friday, July 11th, 2008

this is great information for beginners.......please continue such information sharing

KalarioS   

Posted at 2:35am on Friday, July 18th, 2008

Nice article .... explains the chmod in simple english

Dinesh   

Posted at 8:40pm on Saturday, July 19th, 2008

what about the "s" here drwxr-s--- ?
how to give "S" permission to new file ?

Parveez Khan   

Posted at 10:44pm on Monday, July 21st, 2008

Thanks a lot.....

Divya   

Posted at 2:13am on Monday, July 28th, 2008

Thanx for such a nice explanation for chmod.

Divya   

Posted at 2:15am on Monday, July 28th, 2008

is there any thing called chmod a=x? what is the use of =?

barking squirrel   

Posted at 5:39pm on Sunday, August 24th, 2008

Gotta respect an author who begins an article by putting down their reader; "For some reason, it seems that it is one of the most common misunderstandings that people have ..."
So what does the 's' mean?

Drive by   

Posted at 9:22am on Thursday, August 28th, 2008

s in the place where 'x' would normally go is called the set-UID or set-groupID flag.

Drive by   

Posted at 10:07am on Thursday, August 28th, 2008

The set user ID, setuid, or SUID permission. When a file for which this permission has been set is executed, the resulting process will assume the effective user ID given to the user class.

Anonymous   

Posted at 10:09am on Thursday, August 28th, 2008

Unless you are talking about the first character...
The first character indicates the file type:

- denotes a regular file
d denotes a directory
b denotes a block special file
c denotes a character special file
l denotes a symbolic link
p denotes a named pipe
s denotes a domain socket

Sush   

Posted at 4:01am on Friday, August 29th, 2008

Hi frenz. Could any1 help me out why chmod +w filename doesn't reflect in the write permission field for all. I mean for user, group and others. I m confused !!! Please Help Me !!! Thanks Lads !!!

Karthick   

Posted at 12:14am on Wednesday, September 10th, 2008

Useful

Karthick   

Posted at 12:20am on Wednesday, September 10th, 2008

Hi Sush. While using chmod command you should specify to whom you are setting write permission. Check with this one
chmod ugo+w ..

Mansvi   

Posted at 10:16pm on Tuesday, October 7th, 2008

"Drive by
Posted at 10:07am on Thursday, August 28th, 2008

The set user ID, setuid, or SUID permission. When a file for which this permission has been set is executed, the resulting process will assume the effective user ID given to the user class. "

Can you please elaborate it further ..?

Comments to date: 87.
