Introduction
In Unix-like systems, each file and directory has a set of permissions that determine who can read, modify or execute that resource. The chmod command (change mode) is the standard tool for changing those permissions from the command line. Understanding how it works is essential for system administrators, developers and any user working with Linux.
Basic permission concepts
Permissions cover three types of access: read (r), write (w) and execute (x). Each is assigned to three categories of users: the owner (user), the group (group) and everyone else (others). The result is a string such as -rwxr-xr--, where the first character indicates the file type and the following nine are the permissions of user, group and others, in that order.
A compact way to express these permissions is octal notation. Each permission is assigned a value: r = 4, w = 2, x = 1. Adding the values for each category gives a digit between 0 and 7. For example, rwx = 4 + 2 + 1 = 7, r-x = 4 + 0 + 1 = 5 and --x = 0 + 0 + 1 = 1. So -rwxr-xr-- is written as 754.
Symbolic mode vs octal mode
chmod accepts two ways to specify the new mode: symbolic and octal.
- Octal mode: the mode is written directly as a three-digit number (or four digits if special bits are included). Example: chmod 755 archivo.txt.
- Symbolic mode: combines who (u, g, o, a), an operator (+, -, =) and the permission (r, w, x). Example: chmod u+x,go-r archivo.txt.
Symbolic mode is more readable when you want to change only one bit, while octal mode is quicker for assigning a complete set of permissions.
Practical examples
- chmod 600 archivo.conf → only the owner can read and write (typical for sensitive configuration files).
- chmod 644 index.html → the owner can read and write; group and others can only read (common for web pages).
- chmod 755 script.sh → the owner can read, write and execute; group and others can read and execute (ideal for executable scripts).
- chmod go+w carpeta → gives write permission on the directory to the group and others.
- chmod a-x programa → removes execute permission from all categories.
- chmod u+s binario → sets the setuid bit (represented with a fourth digit, for example 4755).
Special bits: setuid, setgid and sticky bit
Beyond the basic nine bits, Linux allows three special bits that influence the way the files are run or the directories are used.
- setuid (4): when a file with this bit is run, the process runs with the privileges of the file's owner, not those of the user who invokes it. It is represented by adding a 4 as the first octal digit (e.g. 4755).
- setgid (2): similar to setuid, but the process runs with the file's group. On a directory, it makes files created inside inherit the directory's group.
- sticky bit (1): mainly used on shared directories such as /tmp; only the owner of a file may delete or rename it, even if others have write permission on the directory.
To assign them with chmod, a fourth digit is placed at the start: chmod 1755 /tmp sets the sticky bit along with the 755 permissions.
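The octal arithmetic and the special-bit digit described above can be checked mechanically. The following is an added example, not part of the original article: mode_to_octal is a hypothetical helper that converts a mode string as printed by ls -l into the value chmod expects. It goes slightly beyond the text by handling the letters ls uses for special bits (s and t when the execute bit is also set, S and T when it is not).

```sh
# Added example (not from the original article): convert an `ls -l` mode
# string such as -rwsr-xr-x into the octal value chmod expects.
mode_to_octal() {
    mode=$1
    # Validate: file type + three triads; s/S and t/T mark the special bits.
    case $mode in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "invalid mode string: $mode" >&2; return 1 ;;
    esac
    special=0   # leading digit: setuid=4, setgid=2, sticky=1
    digits=""
    weight=4    # special-bit weight of the current triad (user, group, others)
    start=2     # character position of the current triad within $mode
    while [ "$start" -le 8 ]; do
        triad=$(printf '%s' "$mode" | cut -c "$start-$((start + 2))")
        d=0
        case $triad in r??) d=$((d + 4)) ;; esac
        case $triad in ?w?) d=$((d + 2)) ;; esac
        case $triad in
            ??x)    d=$((d + 1)) ;;
            ??[st]) d=$((d + 1)); special=$((special + weight)) ;;  # special bit and x
            ??[ST]) special=$((special + weight)) ;;                # special bit, no x
        esac
        digits=$digits$d
        weight=$((weight / 2))
        start=$((start + 3))
    done
    if [ "$special" -gt 0 ]; then
        printf '%s%s\n' "$special" "$digits"
    else
        printf '%s\n' "$digits"
    fi
}
```

A capital S or T in ls output means the special bit is set on a file that is not executable for that category, which is usually a sign of a mistaken chmod.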
Useful chmod options
- -R or --recursive: applies the changes recursively to all files and subdirectories within a directory. Example: chmod -R 755 /var/www.
- -c or --changes: reports only the files that were actually modified.
- -v or --verbose: shows a message for each processed file, useful for debugging.
- -f or --silent: suppresses most error messages.
- --reference=file_ref: copies the permissions of a reference file to the target. Example: chmod --reference=planetla.txt nuevo.txt.
Use with find
It is common to combine find with chmod to apply permissions to file sets that meet certain criteria. For example:
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
These commands set read and write permissions (644) on files and read, write and execute permissions (755) on directories, a typical layout for a website.
find tests can also be combined (they are ANDed by default): find /home -user juan -perm /u+w -exec chmod u-w {} \; removes the owner's write permission from juan's files that have it.
Good practices
- Apply the principle of least privilege: grant only the permissions that are strictly necessary.
- Check the permissions with ls -l before and after using chmod.
- In installation scripts, avoid using chmod 777; prefer more restrictive permissions and adjust as necessary.
- Use UNIX groups to share access between several users without giving permissions to "others".
- Regularly audit special bits, especially setuid and setgid, as they can be privilege escalation vectors if assigned incorrectly.
- Document permission changes in production environments through change control systems or audit records.
- When working with containers or virtual machines, check that the permissions within the file system match those required by the application.
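One way to carry out the audit recommended above, as an added example that is not part of the original article. The function names are hypothetical; the checks use only standard find tests and report setuid/setgid files, world-writable directories without the sticky bit, and world-writable files such as those left behind by chmod 777.

```sh
# Added example (not from the original article): permission audit helpers.
# All function names are hypothetical, chosen for this illustration.

# Regular files under $1 with setuid (4000) or setgid (2000) set.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# World-writable directories under $1 that lack the sticky bit (1000).
find_unsafe_shared_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# World-writable regular files under $1.
find_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null
}

# Run every check on $1 (default: current directory).
# Prints the findings with ls -ld and returns 1 if any check had hits.
audit_permissions() {
    root=${1:-.}
    status=0
    for check in find_setid_files find_unsafe_shared_dirs find_world_writable_files; do
        # find exits non-zero on unreadable subtrees; keep what it did report.
        hits=$("$check" "$root") || true
        if [ -n "$hits" ]; then
            printf '== %s ==\n' "$check"
            printf '%s\n' "$hits" | while IFS= read -r path; do
                ls -ld -- "$path"
            done
            status=1
        fi
    done
    return "$status"
}
```

Comparing the setuid/setgid list against a saved baseline from a known-good state turns this into a change detector: any new entry deserves review.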
Conclusion
The chmod command is a fundamental part of Linux permission management. Mastering both octal and symbolic notation, knowing the special bits and knowing how to use the advanced options will allow you to maintain a secure and orderly system. By applying the good practices described here, you can avoid security risks and ensure that each file and directory has exactly the level of access it needs.


