Changing access permissions: chmod

chmod mode filename

mode consists of three parts:

For example

chmod a+r *.pub

gives everyone permission to read all files with the extension .pub.

Warning: when using chmod, be careful not to compromise file security.


Removing permissions

If you wish to remove access for a set of users, use a - in the command, rather than + or =. For example, if the file mode of the file myprog.for is currently rw-r--r--, read access for others can be removed by the command:

chmod o-r myprog.for

Sharing your files with others

Allowing other users access to one of your files consists of three steps:

  1. Permit your home directory.
  2. Permit any intermediate directories.
  3. Permit the file itself.

In detail:

  1. In order to change the file mode of your home directory so that both read and search access is given to members of your group and to all other users, type:

    chmod go=rx $HOME

  2. If the file or files you wish to permit are within a subdirectory, then access to any directory in the path from the home directory to those files must also be permitted.

    For example, if you wish to permit others to be able to read the file ~/project/docs/myprog.for, the file modes of the directories project and docs both need to be set appropriately. You can check their current settings by typing:

    ls -ld ~/project ~/project/docs

    You may change the file modes to allow access by typing:

    chmod go=rx ~/project ~/project/docs

  3. To permit an individual file called, for example, myprog.for, first ensure that you are in the directory containing the file, then type:

    chmod go+r myprog.for

    Provided that you have also permitted your home directory and the intermediate directories as described above, all users will now be able to access your file. Others do not need to know the location of your home directory: they can use the ~ character to reference your file. So if, for example, your login name is nxyz2, then they could refer to the file myprog.for as ~nxyz2/project/docs/myprog.for
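The three steps above can be checked mechanically before you tell anyone a file is shared. The sh functions below are an added example, not part of the original page: first_blocker and mode_of are hypothetical names, and the check reads only the mode bits that ls -ld shows for "others", so it does not take ACLs or group membership into account.

```shell
#!/bin/sh
# Added example: find the first path component that stops "others"
# from reading a file, following the three sharing steps
# (home directory, intermediate directories, the file itself).

# mode_of PATH: print the 10-character mode string, e.g. drwxr-x--x
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# first_blocker BASE FILE
#   BASE is the starting directory (for example $HOME); FILE must lie under it.
#   Returns 0 and prints nothing if others can reach and read FILE.
#   Returns 1 and prints the offending path otherwise.
#   Returns 2 if FILE is not under BASE.
first_blocker() {
    base=${1%/}
    file=$2
    rest=${file#"$base"/}
    [ "$rest" != "$file" ] || { echo "not under $base: $file" >&2; return 2; }
    cur=$base
    while :; do
        # A directory needs search (x) for others: character 10 of the mode.
        # 't' is the sticky bit with x set; 'T' is sticky without x.
        case $(mode_of "$cur" | cut -c10) in
            x|t) ;;
            *) printf '%s\n' "$cur"; return 1 ;;
        esac
        case $rest in
            */*) cur=$cur/${rest%%/*}; rest=${rest#*/} ;;
            *)   break ;;
        esac
    done
    # The file itself needs read (r) for others: character 8 of the mode.
    target=$cur/$rest
    if [ "$(mode_of "$target" | cut -c8)" != r ]; then
        printf '%s\n' "$target"
        return 1
    fi
    return 0
}

# Stand-alone use: sh check.sh "$HOME" "$HOME/project/docs/myprog.for"
if [ $# -eq 2 ]; then
    first_blocker "$1" "$2"
fi
```

A directory that grants others only x passes the check, because search access is enough to reach a file whose name is already known.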

Permitting only search access for a directory

Search access rights, denoted by x in the file mode, are the minimum that you can give in order to allow any access to a directory.

If a directory is only permitted x then nobody can use ls in order to list the names of files stored there - read access to the directory is needed for that.

Whilst this might seem useful, in fact if your colleagues forget the names of your files which they want to copy, x alone does not permit them to list the directory and remind themselves. Therefore, when permitting directories, it is common to put search and read access rights together, by giving rx access. Although they can then see the list of all your files, they will only be able to read or copy those which you have also permitted r.

Protecting a file from yourself

To make a file - for example one called myprog.for - read-only for yourself, the command is:

chmod u=r myprog.for

If you later try to delete or otherwise change the file, you get a response like:

rm: override protection 400 for myprog.for?

If you type n, then the file is not removed; however if you really do want to delete it, respond with y

Setting access permissions numerically

There is a shorthand way of setting permissions by using octal numbers. Read permission is given the value 4, write permission the value 2 and execute permission 1.

    r  w  x
    4  2  1

These values are added together for any one user category:

    1   =   execute only
    2   =   write only
    3   =   write and execute (1+2)
    4   =   read only
    5   =   read and execute (4+1)
    6   =   read and write (4+2)
    7   =   read and write and execute (4+2+1)

So access permissions can be expressed as three digits. For example:

                          user    group   others

    chmod 640 file1       rw-     r--     ---
    chmod 754 file1       rwx     r-x     r--
    chmod 664 file1       rw-     rw-     r--