Introduction

This document explains how directory and file permissions on a UNIX or Linux machine are set and how the user can change them, either to share files and directories or to lock them down as private. If you prefer to set permissions by right-clicking on a file or directory and checking or unchecking boxes, you can do that in the GUI of file-transfer software such as MobaXterm, the SSH Secure Shell client, or WinSCP. If you are logged onto a Linux box running an X session, you can use the Linux equivalent of Windows Explorer by running the nautilus or konqueror commands. Otherwise, this document gives a full explanation of how the UNIX command chmod works.

You can see the permissions of your file using the ls command with the -l option (lowercase L not 1):

% ls -l myfile.txt

will return a long string of information that starts with the file’s permissions:

-rw-r--r--

Permissions

Every file and directory under UNIX or Linux has a set of permissions associated with it that is written as a three-digit octal number (such as 755). These permissions are categorized by three groups of users who either have or do not have them:

  • the file owner
  • the owner’s group
  • everyone else who has access to the server (referred to as “other”)

These three groups, in turn, may or may not have three different privileges:

Privilege     Definition
read (r)      reading, opening, viewing, and copying the file is allowed
write (w)     writing, changing, and saving the file is allowed (deleting or renaming
              a file is governed by write permission on the directory that contains
              it, not by the file's own bits)
execute (x)   executing and invoking the file is allowed; on a directory this bit is
              required to enter (search) it and reach the entries inside

Thus, there are nine total variables:

  • permission for the owner to:
    1. read the file
    2. write to the file
    3. execute the file
  • permission for the owner's group members to:
    1. read the file
    2. write to the file
    3. execute the file
  • permission for others to:
    1. read the file
    2. write to the file
    3. execute the file

These variables are organized into a three by three array as follows:

                 owner    group    other
read (r)           4        4        4
write (w)          2        2        2
execute (x)        1        1        1
-----------      -----    -----    -----
total value        7        7        7

Column Values

The three by three array above shows the basis for describing the set of nine permissions. Note that each permission has a numeric value associated with it:

Value   Permission
4       read (r)
2       write (w)
1       execute (x)

If a permission is denied, then its value is zero. (In the example above, all permissions have been granted.) For each category of user (owner, group member, or other) the three permission values add up to at most seven. If we deny one or more types of permission, that value (4, 2, or 1) is subtracted from that category's column total. Thus, if we wish to deny write permission to the owner's group, we subtract 2 from the group column total, which leaves a column value of 5. And if we wish to deny both write and execute permissions to "others," we subtract both 2 and 1, leaving a value of 4. These changes are shown in the array below:

                 owner    group    other
read (r)           4        4        4
write (w)          2        0        0
execute (x)        1        1        0
-----------      -----    -----    -----
total value        7        5        4

The total value is now 754 rather than 777. Note that whatever combination of permissions we create, the numbers will always be a unique representation of that combination, as shown in the following chart:

Column Value   Permissions               Represented by
------------   -----------------------   --------------
0              none                      ---
1              execute-only              --x
2              write-only                -w-
3              write and execute         -wx
4              read-only                 r--
5              read and execute          r-x
6              read and write            rw-
7              read, write, and execute  rwx

Total Value

Just as each column designates a specific combination of permissions, so the total value represents a specific combination of permissions for the three user types, since the order is always owner group other. Thus, from any three-digit total value you can deduce each of the nine possible permissions. This three-digit "total value" (in the examples above, 777 and 754) is used in defining and changing permissions, as described below. Remember that this total value is always given in the order: owner group others. When chmod -v reports a mode it prints a fourth, leading digit (0640 rather than 640); that digit holds the setuid, setgid, and sticky bits, which are beyond the scope of this document, and it is 0 for an ordinary file.

Setting Permissions

When you wish to set the mode of a file (set the permissions) you use the UNIX command chmod at the system prompt. As you become familiar with the chmod command, try using the -v option for a verbose response as in the following example:

% chmod -v 640 myfile.txt
mode of `myfile.txt' changed to 0640 (rw-r-----)

This command designates that the file named myfile.txt has read and write (rw-) permission for the owner (you), read-only (r--) permission for the group members, and no access permissions for others (---). Remember that the permissions for "owner" are always first and the permissions for "other" are always last. Setting permissions for a directory follows exactly the same procedure; you would simply substitute the directory name for the file name.

You can also use the letters r, w, and x to set read, write, and execute permissions and the letters u, g, o, and a to specify user, group, other or all:

% chmod -v a+x myfile.txt
mode of `myfile.txt' changed to 0751 (rwxr-x--x)

The above adds the executable permission for all users.

In this example group members are granted read-only permission:

% chmod -v g=r myfile.txt
mode of `myfile.txt' changed to 0741 (rwxr----x)

Here are some examples that if done in the following order would set the permissions as shown:

Command                   Equivalent numeric command   Permissions
chmod a=rwx myfile.txt    chmod 777 myfile.txt         -rwxrwxrwx
chmod o= myfile.txt       chmod 770 myfile.txt         -rwxrwx---
chmod g=w myfile.txt      chmod 720 myfile.txt         -rwx-w----
chmod go=r myfile.txt     chmod 744 myfile.txt         -rwxr--r--
chmod g+x myfile.txt      chmod 754 myfile.txt         -rwxr-xr--
chmod o-r myfile.txt      chmod 750 myfile.txt         -rwxr-x---

Setting Permissions Without Specifying u, g, o, or a

If u, g, o, or a are not specified, the change applies to user, group, and other alike, but your umask (user file-creation mask) comes into play, which complicates things. The umask lists the permission bits that are to be withheld, and the most common umask is 022. When you create a new directory the permissions are therefore not the default of 777 (drwxrwxrwx) but 777 with the 022 bits removed, which is 755 (drwxr-xr-x); and when you create a new file the permissions are not the default 666 (-rw-rw-rw-) but 666 with the 022 bits removed, which is 644 (-rw-r--r--). Note that the mask clears bits rather than subtracting a number: for a umask of 022 the result looks like simple subtraction, but with a umask of 027 a new file gets 640, which no subtraction of 027 from 666 would produce. The same masked bits are left untouched when chmod is given +, -, or = without u, g, o, or a.

The following will happen if your umask is the most common umask of 022:

Command                   Equivalent numeric command   Permissions
chmod =rwx myfile.txt     chmod 755 myfile.txt         -rwxr-xr-x
chmod -wx myfile.txt      chmod 444 myfile.txt         -r--r--r--
chmod +x myfile.txt       chmod 555 myfile.txt         -r-xr-xr-x

This last example is often used in documentation when the user is being instructed to make the file executable.

The reason to prefer the number system over the letter system is that the numbers let you set different permissions for user, group, and other in one chmod command, and the result depends neither on how the permissions are currently set nor on your umask. It is good practice to use the -v (verbose) option of chmod to see what the permissions were changed to, since with the letter system your umask may have had a role in the result.
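As an added example (this is not code from the original tutorial), the Python script below models the three-digit mode and chmod's symbolic syntax, including the umask rule of this section, and replays the two command sequences in the tables above so you can check that they produce the listed modes. It also converts between the octal form and the nine-character string that ls -l prints. It models only the nine rwx bits (the leading setuid/setgid/sticky digit that chmod -v prints is ignored), and the default umask of 022 is an assumption you can change.

```python
import re

# Column positions and bit values of the three-by-three array in this tutorial.
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}   # owner, group, other
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def mode_to_str(mode):
    """0o754 -> 'rwxr-xr--': the nine characters ls -l prints after the type."""
    cols = []
    for shift in (6, 3, 0):
        col = (mode >> shift) & 7
        cols.append("".join(p if col & v else "-" for p, v in PERM_BITS.items()))
    return "".join(cols)


def str_to_mode(perms):
    """'rwxr-xr--' (or the ten-character ls -l form '-rwxr-xr--') -> 0o754."""
    if len(perms) == 10:
        perms = perms[1:]                     # drop the file-type column
    if not re.fullmatch(r"(?:[r-][w-][x-]){3}", perms):
        raise ValueError(f"not a permission string: {perms!r}")
    return sum(1 << (8 - i) for i, ch in enumerate(perms) if ch != "-")


def creation_mode(base, umask):
    """Mode of a new file (base 0o666) or directory (base 0o777): the bits set
    in the umask are cleared.  This is a bitwise mask, not subtraction."""
    return base & ~umask & 0o777


def class_bits(classes):
    """All three bits of each named class, e.g. 'go' -> 0o077."""
    return sum(7 << CLASS_SHIFT[c] for c in classes)


def apply_chmod(mode, spec, umask=0o022):
    """Apply a symbolic chmod spec ('g=r', 'a+x', 'go=r', '+x', 'u=rwx,go=')
    to mode.  Without u/g/o/a the change applies to all three classes but the
    bits set in the umask are left alone, which is why '+x' yields 555, not 777."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwx]*)", clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if who == "" or "a" in who else who
        requested = sum(PERM_BITS[p] << CLASS_SHIFT[c]
                        for p in perms for c in classes)
        if who == "":
            requested &= ~umask                   # the umask rule
        if op == "+":
            mode |= requested
        elif op == "-":
            mode &= ~requested
        elif who == "":
            mode = requested                      # bare '=' clears all nine bits first
        else:
            mode = (mode & ~class_bits(classes)) | requested
    return mode & 0o777


def replay(start, commands, umask=0o022):
    """Run symbolic commands from a starting mode; return one
    (command, octal string, ls -l string) row per command."""
    rows = []
    mode = start
    for cmd in commands:
        mode = apply_chmod(mode, cmd, umask)
        rows.append((cmd, format(mode, "03o"), mode_to_str(mode)))
    return rows


if __name__ == "__main__":
    # The first table, starting from the 741 reached by the g=r example.
    for row in replay(0o741, ["a=rwx", "o=", "g=w", "go=r", "g+x", "o-r"]):
        print("chmod %-6s -> %s  %s" % row)
    # The umask-dependent table, continuing from the 750 the first table ends at.
    for row in replay(0o750, ["=rwx", "-wx", "+x"]):
        print("chmod %-6s -> %s  %s" % row)
    print("new file, umask 022:", format(creation_mode(0o666, 0o022), "03o"))
    print("new file, umask 027:", format(creation_mode(0o666, 0o027), "03o"))
```

The replay of the second table is the point of the example: with the same three commands and a umask of 027 instead of 022, the bare `=rwx` gives 750 rather than 755, which is why the numeric form is the safer choice in scripts.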

Paths and Permissions

In order for you to be able to set permissions for a file or directory, UNIX must first be able to find the file or directory. Thus, if you are not in the directory that contains the file or directory for which you are setting permissions, you must provide a path name. For example, if you were in your home directory and you wished to set permissions for a file called myfile.txt in a directory called files located in your home directory, you would use the following command:

% chmod -v 644 files/myfile.txt
mode of `files/myfile.txt' changed to 0644 (rw-r--r--)

Determining Current Permissions

To determine the current permissions for a file or directory, use the ls command with the -l (lowercase “L,” not the number one “1”) option, as in the following example:

% ls -l myfile.txt

At the left of the resulting line of output will be the list of permissions expressed as a series of ten letters and hyphens. The last nine spaces are divided into groups of three, each of which will have, in order, an r (read), w (write), and x (execute) or, if that permission has been denied by the file owner, a hyphen (-) in its space. As in setting permissions, the three groups of three are given in the order: owner group other. For example, the file whose mode was set above as 644 would have the letters:

-rw-r--r--

This sequence shows that myfile.txt is an ordinary file (the first dash; a d in this location indicates a directory) with read and write permission for the owner (rw-), read-only permission for the owner's group members (r--), and read-only permission for others (r--). If we change the mode again using the command:

% chmod -v 765 myfile.txt
mode of `myfile.txt' changed to 0765 (rwxrw-r-x)

then the ls -l myfile.txt command would show as the permissions:

-rwxrw-r-x

Naturally, only the owner of a file or directory (and the system administrator, root) can modify its permissions.

Directory vs. File Permissions

UNIX is a "top-down" environment. To reach a file or directory, a user must have search (execute, x) permission on every directory in the path leading to it, so denying "group" or "other" permissions on a directory cuts off everything beneath it, even though the permissions of the files and subdirectories underneath appear unchanged. For example, if the permissions of directory projects are drwxr-xr-x and those of its subdirectory project1 are drwxr-xr-x, and you then deny "group" and "other" access to projects so that its permissions become drwx------, the permissions of project1 still display as drwxr-xr-x, but group members and others can no longer use project1 or anything in it, because they cannot get through projects to reach it. The same rule applies in reverse when you create a subdirectory and set permissions that allow group members and others to use it: they will not be able to do so unless they also have execute permission on every directory in the path leading to it.

The minimum permission for access to a directory is execute (x): with x alone a user can enter the directory and open entries whose names they already know. Listing the directory's contents additionally requires read (r), and creating, deleting, or renaming entries in it requires write (w) together with x.
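As an added example, not part of the original tutorial, the Python model below applies the path rule just described to a small constructed directory tree: it requires search (x) permission on every ancestor directory and then the requested bits on the target, choosing the one column (owner, group, or other) that applies to the user. The tree, the users alice and bob, and the groups faculty and marine are made up for illustration. It also shows two consequences worth knowing: a directory with x but not r lets a user open a file whose name they know without being able to list the directory, and the owner column is used exclusively, so an owner whose own column is 0 is locked out of the file even when group and other have full access (root is exempt from all of these checks).

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1        # the bit values from the tables in this tutorial


@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int            # the nine rwx bits, e.g. 0o755


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset    # primary plus secondary groups, as the id command lists them
    is_root: bool = False


def class_bits_for(user, node):
    """The one column that applies: owner if you own the object, otherwise group
    if you belong to its group, otherwise other.  The columns are never combined."""
    if user.name == node.owner:
        return (node.mode >> 6) & 7
    if node.group in user.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def can_access(user, tree, path, want):
    """Can user exercise the bits in want (R, W, X, or a sum of them) on path?
    tree maps absolute paths to Node.  Every directory leading to path must grant
    this user x, and then path itself must grant want.  Returns (allowed, reason)."""
    if user.is_root:
        return True, "root is not subject to mode bits"
    parts = path.strip("/").split("/")
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in ancestors:
        if not class_bits_for(user, tree[d]) & X:
            return False, f"no search (x) permission on {d}"
    have = class_bits_for(user, tree[path])
    if want & ~have:
        return False, f"missing bits {want & ~have:o} on {path}"
    return True, "ok"


# Constructed tree reproducing the projects/project1 example: projects has been
# closed to group and other, project1 below it still looks open.
TREE = {
    "/": Node("root", "root", 0o755),
    "/home": Node("root", "root", 0o755),
    "/home/alice": Node("alice", "faculty", 0o755),
    "/home/alice/projects": Node("alice", "faculty", 0o700),             # drwx------
    "/home/alice/projects/project1": Node("alice", "faculty", 0o755),    # drwxr-xr-x
    "/home/alice/projects/project1/notes.txt": Node("alice", "faculty", 0o644),
    "/home/alice/odd.txt": Node("alice", "faculty", 0o077),              # owner locked out
    "/srv": Node("root", "root", 0o755),
    "/srv/dropbox": Node("alice", "faculty", 0o711),                     # x only for others
    "/srv/dropbox/readme": Node("alice", "faculty", 0o644),
}
ALICE = User("alice", frozenset({"faculty"}))
BOB = User("bob", frozenset({"faculty", "marine"}))
ROOT = User("root", frozenset({"root"}), is_root=True)


if __name__ == "__main__":
    notes = "/home/alice/projects/project1/notes.txt"
    for user in (ALICE, BOB, ROOT):
        print(f"{user.name:5} read {notes}: {can_access(user, TREE, notes, R)}")
    print("bob list /srv/dropbox:", can_access(BOB, TREE, "/srv/dropbox", R))
    print("bob read /srv/dropbox/readme:", can_access(BOB, TREE, "/srv/dropbox/readme", R))
    print("alice read her own 077 file:", can_access(ALICE, TREE, "/home/alice/odd.txt", R))
    print("bob read alice's 077 file:", can_access(BOB, TREE, "/home/alice/odd.txt", R))
```

The reason strings name the first directory that blocks the path, which is the question to ask when a user reports that a file whose ls -l output looks open is still "permission denied".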

Groups

As discussed above, there is a set of permissions for "group" associated with each file and directory. As this implies, every user of a UNIX system is a member of one or more groups. When an account is created, its user is assigned to a group, usually the user's academic designation. The group ID number that appears on the user's entry in the password file indicates the user's "primary" group. Groups are designated by both a name ("faculty" for example) and a group ID number (201 is the number for faculty). The group number itself is arbitrary; on this system it is always greater than 100. One can also be a member of one or more "secondary" groups. Unlike your primary group ID, secondary group memberships are not recorded on your entry in the password file; they are listed in the group file.

To see your group ids and all the groups of which you are a member, use the UNIX command id:

% id

If you own a file and if you are also a member of more than one group, you can modify the group “ownership” of that file using the chgrp command, as shown in the following example:

% chgrp marine myfile.txt

In this example, marine is the name of the group to which you want the group permissions to apply. Note that this in no way affects the individual ownership of the file; it merely changes the group to which the group permissions apply. Only the owner can make this change (and the system administrator, of course), and the owner must be a member of the new group; membership of the group the file currently belongs to is not required.
