Unix Permissions - Part 2: chmod and Other Permission Command-line Apps


Introduction

In the previous part of this series, we learned how Unix permissions work and established a conceptual model for understanding them. In this part, we explore the practical side: how do we actually use Unix permissions, and how do we set or change them following that model?

We will look at various command-line applications that work with Unix permissions, and we will take a deep dive into two of the most important ones: chmod and chown.

chmod

chmod is a utility to define or modify permissions of a file.

Recall from the previous part that every file has permissions for 3 access types (read, write and execute) for each of 3 scopes (user, group and others).

chmod is precisely the utility that helps us set and define those permissions! It is the most important tool that we will discuss.

The command uses the following syntax:

chmod [OPTIONS] [MODE],[ANOTHER MODE]... [FILENAME]

The "MODE" is the important part here. It is basically a way to express the "permissions" that we want to define or change.

There are two different syntaxes for MODE: symbolic mode and octal mode. Symbolic mode is verbose but reads naturally, whereas octal mode uses numbers to make a shorter command. Let us explore them both.

Symbolic MODE Syntax

We can summarize symbolic mode syntax as follows: [scope][operator][accesses].

[scope] is the same scope we discussed when we spoke about permissions earlier. The scope is either the owner, group, or others.

There is one more category that chmod allows: "all", which denotes all of the scopes. Using all would be the equivalent of defining the same permissions separately for each scope. You can do it all in one MODE instead.

Each scope is denoted by a single letter in the symbolic MODE syntax:

  • u for the user owner
  • g for the group owner
  • o for all other users
  • a for all the above

[accesses] are the access types we spoke of previously, and they are also each denoted by a single letter:

  • read, denoted by r
  • write, denoted by w
  • execute, denoted by x

Finally, the operator tells us what exactly to do with the access types for the specific scope:

  • + to add access to existing accesses
  • - to remove from existing accesses
  • = to set the accesses. In other words, those not listed in our mode will be removed

In its simplest form, a mode has one scope, one operator and one or more accesses. In other words, a single mode can change only one access type for a given scope, or it can change all 3 for that scope.

chmod also accepts more than one scope letter in front of an operator (ug+x adds execute for both the user and the group), and more than one operator in a row for the same scope (o+r-w adds read and removes write for others). When different scopes need different changes, you write a separate symbolic mode for each.

For example, if we want to add read and write access for the group owner, we can do the following:

chmod g+rw someFile.txt

We used the plus + operator here, which as we said, adds accesses and does not set them. This means that if the file had execute access for the group owner, it would still be there. If we want to make sure only the accesses we declare in the mode persist, we must use the equal = operator:

chmod g=rw someFile.txt

Suppose that, at the same time, we want to remove read and write access from "all other users". To do this, we add another mode. Modes are comma separated:

chmod g=rw,o-rw someFile.txt

It is important to note that there are other MODE forms that I did not discuss here: the X, s and t access letters, copying one scope's accesses to another (g=u), and the case where the scope is left out entirely (chmod +x someFile.txt), which behaves like "a" except that bits set in the umask are left untouched. Please read the chmod documentation to learn more about what you can do with permissions.
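To see the symbolic forms above in action, here is an added example (not code from the original post) that walks a scratch file through each mode and reads the resulting permission string back with stat. The function names are mine, and it assumes GNU coreutils, where stat -c '%A' prints the same mode string that ls -l shows.

```shell
#!/bin/sh
# Added example, not code from the original post: walk a scratch file through
# the symbolic modes discussed above and read each result back with stat(1).
# Assumes GNU coreutils (stat -c '%A' prints the ls -l style mode string).

# show_mode FILE: print the 10-character mode string, e.g. -rw-r--r--
show_mode() {
    stat -c '%A' "$1"
}

# apply_modes FILE MODE...: apply each MODE in turn with chmod, then print the
# resulting mode string once so the end state can be checked
apply_modes() {
    file=$1
    shift
    for mode in "$@"; do
        chmod "$mode" "$file" || return 1
    done
    show_mode "$file"
}

# symbolic_demo: start from "no access" so every step is predictable, and
# print one line per mode applied
symbolic_demo() {
    tmp=$(mktemp) || return 1
    chmod 000 "$tmp"
    printf '%-10s  %s\n' "start" "$(show_mode "$tmp")"
    # u=rw       sets the owner to exactly read+write (execute, if any, is dropped)
    # g+rwx      adds all three accesses for the group
    # g=rw,o-rw  two comma-separated modes in one command
    # ug+x       two scope letters in front of one operator
    # a-x        "all" touches user, group and others at once
    # o+r-w      two operators chained for one scope
    for mode in u=rw g+rwx g=rw,o-rw ug+x a-x o+r-w; do
        printf '%-10s  %s\n' "$mode" "$(apply_modes "$tmp" "$mode")"
    done
    rm -f "$tmp"
}

symbolic_demo
```

Starting from ----------, the steps print -rw-------, -rw-rwx---, -rw-rw----, -rwxrwx---, -rw-rw---- and finally -rw-rw-r--. Reading the mode back after every chmod is the habit worth keeping: the command succeeds silently, so the only way to know what you actually granted is to look.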

Octal MODE Syntax

Octal MODE syntax is the most commonly used syntax. It reduces the mode to 3 digits, one per scope, with each digit encoding the access types to set for that scope. (A leading fourth digit for the setuid, setgid and sticky bits exists as well, but is out of scope here.)

The 3 digits define permissions for the 3 scopes in the following order:

  1. User
  2. Group
  3. Others

or:

chmod [user digit][group digit][others digit] someFile.txt

With each digit denoting the access types we want to set for the given scope.

How do we determine which number goes with which access? It works like this:

  • 1 for x or execute access
  • 2 for w or write access
  • 4 for r or read access
  • 0 for no access

So, if I want write access for the user, read access for the group, but no access for the rest, we can do:

chmod 240 someFile.txt

Keep in mind that an octal mode is set, not added to the existing permissions. In other words, if "other users" had any access before, it is gone, and if the group had write or execute access before, that is gone too.

But what if we want more than one access, say both read and write for the user? Don't sweat it, we are in luck! The numbers were chosen carefully so that a single digit can represent any combination of accesses: simply add the numbers for the accesses you want. Because 4, 2 and 1 are distinct bits (binary 100, 010 and 001), every sum is unique, and chmod can recover exactly which accesses you meant from that one digit.

If we want both read and write access, we add the digits for read and write: 4+2=6.

So if we want read and write access for user, read access for group, and read access for all others:

chmod 644 someFile.txt

What if we want read, write and execute for the user, read and write for the group, but only read for everyone else?

chmod 764 someFile.txt

Congratulations! you just learned how to use chmod!

NOTE: Anyone can run chmod, but only the file's owner or root can actually change a file's permissions; for any other user the command fails with a permission error.
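To tie the two syntaxes together, here is an added example (not code from the original post) that builds the octal digits exactly as described above, by summing r=4, w=2 and x=1 per scope, converts back the other way, and confirms that an octal mode replaces the previous mode instead of adding to it. The helper names are mine, and it assumes GNU coreutils (stat -c '%a' prints the octal mode).

```shell
#!/bin/sh
# Added example, not code from the original post: convert between the ls -l
# permission string and the 3-digit octal mode, and show that "chmod 644"
# sets the whole mode rather than adding bits. Assumes GNU coreutils (stat -c).

# digit_for_triplet RWX: print the octal digit for one scope, e.g. "rw-" -> 6
digit_for_triplet() {
    t=$1
    n=0
    case $t in r??) n=$((n + 4)) ;; esac   # read    = 4
    case $t in ?w?) n=$((n + 2)) ;; esac   # write   = 2
    case $t in ??x) n=$((n + 1)) ;; esac   # execute = 1
    printf '%s' "$n"
}

# sym_to_octal PERMS: PERMS is the 9-character string from ls -l without the
# leading file-type character, e.g. "rwxr-xr--" -> 754
sym_to_octal() {
    p=$1
    [ ${#p} -eq 9 ] || { echo "expected 9 characters, got '$p'" >&2; return 1; }
    u=$(printf '%s' "$p" | cut -c1-3)
    g=$(printf '%s' "$p" | cut -c4-6)
    o=$(printf '%s' "$p" | cut -c7-9)
    printf '%s%s%s\n' "$(digit_for_triplet "$u")" \
                      "$(digit_for_triplet "$g")" \
                      "$(digit_for_triplet "$o")"
}

# triplet_for_digit D: one octal digit back to rwx form, e.g. 5 -> r-x
triplet_for_digit() {
    d=$1
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_sym DDD: the reverse mapping, 754 -> rwxr-xr--
octal_to_sym() {
    m=$1
    [ ${#m} -eq 3 ] || { echo "expected 3 digits, got '$m'" >&2; return 1; }
    printf '%s%s%s\n' "$(triplet_for_digit "$(printf '%s' "$m" | cut -c1)")" \
                      "$(triplet_for_digit "$(printf '%s' "$m" | cut -c2)")" \
                      "$(triplet_for_digit "$(printf '%s' "$m" | cut -c3)")"
}

# octal_sets_not_adds: chmod a scratch file to 777, then to 644, and print
# the mode the kernel reports afterwards (644, not some union of the two)
octal_sets_not_adds() {
    tmp=$(mktemp) || return 1
    chmod 777 "$tmp"
    chmod 644 "$tmp"
    after=$(stat -c '%a' "$tmp")
    rm -f "$tmp"
    printf '%s\n' "$after"
}

# Demo: the examples from the text, round-tripped both ways
for p in rw-r--r-- rwxrw-r-- -w-r----- rwxr-xr-x; do
    printf '%s -> %s -> %s\n' "$p" "$(sym_to_octal "$p")" \
        "$(octal_to_sym "$(sym_to_octal "$p")")"
done
echo "after chmod 777 then chmod 644: $(octal_sets_not_adds)"
```

The round trip prints 644, 764, 240 and 755 for the four strings, and the last line prints 644: the earlier 777 leaves no trace, which is the "set, not add" behaviour described above.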

chown

Standing for "change owner", chown does exactly what you just read: it takes a file and changes its owner. This covers both the owning user and, optionally, the owning group.

This is very important. chmod only decides what a file's owner and group may do; chown decides who that owner and group are, and therefore which users the permissions we set actually apply to.

To change the owner with chown, we can:

chown nezar someFile.txt

which sets the owner of the file to the user "nezar".

To change the group as well, we have to separate the user and group by a colon :

chown nezar:movies someFile.txt

This changes the owner to "nezar" and the group to "movies".

NOTE: On Linux, only root can change the owner of a file. The owner can change the group, but only to a group they themselves belong to; any other change requires root privileges.
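Because changing an owner needs root, the useful non-root exercise is reading ownership back and checking it. The following is an added example (not code from the original post): a small ownership audit that reports owner and group in the same user:group form chown accepts, plus the membership test behind the rule above, namely whether a given user belongs to the group they want to hand a file to. The function names, the nezar:movies expectation reused from the text and the group name no-such-group-zz are my own; it assumes GNU coreutils stat and id.

```shell
#!/bin/sh
# Added example, not code from the original post: read ownership back the way
# chown would set it, check it against an expectation, and test group
# membership the way the "owner may only chgrp to a group they belong to"
# rule requires. Assumes GNU coreutils (stat -c, id -nG).

# owner_of FILE: print "user:group", the form chown accepts
owner_of() {
    stat -c '%U:%G' "$1"
}

# check_owner FILE EXPECTED: return 0 if FILE is owned by EXPECTED (user:group),
# otherwise print a diagnostic and return 1
check_owner() {
    actual=$(owner_of "$1") || return 1
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "$1: owned by $actual, expected $2" >&2
    return 1
}

# can_chgrp_as USER GROUP: return 0 when USER is a member of GROUP, i.e. when
# USER, as a non-root file owner, would be allowed to run "chgrp GROUP" or
# "chown :GROUP" on their own file
can_chgrp_as() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Demo on a scratch file owned by whoever runs this
me=$(id -un)
tmp=$(mktemp)
grp=$(stat -c '%G' "$tmp")
check_owner "$tmp" "$me:$grp" && echo "$tmp is owned by $me:$grp as expected"
check_owner "$tmp" "nezar:movies" || echo "(that is what a wrong expectation looks like)"
can_chgrp_as "$me" "$(id -gn)" && echo "$me may chgrp a file to $(id -gn)"
can_chgrp_as "$me" "no-such-group-zz" || echo "$me may not chgrp to no-such-group-zz"
rm -f "$tmp"
```

Run over a deployment tree with find, check_owner is the kind of check that catches a file that a build step left owned by the wrong account; the point is that ownership, like the mode, has to be read back to be trusted.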

Other Tools

There are a few other tools that are helpful. Below are examples of some of those tools. I will not cover them in depth, but feel free to explore them on your own.

  • ls -l: The ls command lists the files in a directory. The -l option displays more details on each file, including its permission string, owner and group (add -a to include hidden files)
  • useradd: Creates a new user
  • groupadd: Creates a new group
  • usermod and groupmod: Modify existing users and groups. Helpful to assign a user to a group, or change the groups a user belongs to
  • userdel and groupdel: Delete users and groups
  • chgrp: Very similar to chown but only for changing the group
  • umask: Sets the mask that is cleared from the permissions of files and directories the current process creates. It is a property of the process (usually set in the shell), not of a directory
  • newgrp: Starts a new shell whose primary group is a different group you belong to, for the rest of that login session
  • su: Switch to another user (root by default) or run a command as that user
  • sudo and doas: Run a command as another user, root by default, according to a configured policy; the usual replacement for su on modern systems
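Of the tools above, umask is the one most often misunderstood, so here is an added example (not code from the original post) of what it actually does: files are created with 666 and directories with 777, and the umask clears the bits it names. The helper names are mine; it assumes GNU coreutils (stat -c) and a shell with C-style arithmetic, and it changes the umask only inside a subshell so the caller's shell is untouched.

```shell
#!/bin/sh
# Added example, not code from the original post: show how umask, a property
# of the process rather than of any directory, shapes the mode of files and
# directories created afterwards. Assumes GNU coreutils (stat -c).

# expected_mode BASE MASK: compute BASE & ~MASK in octal, which is the rule
# the kernel applies (BASE is 666 for files and 777 for directories)
expected_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# mode_with_umask MASK file|dir: create a scratch file or directory under the
# given umask, in a subshell so the caller's umask is untouched, and print the
# octal mode the kernel reports
mode_with_umask() {
    mask=$1
    kind=$2
    (
        umask "$mask"
        dir=$(mktemp -d) || exit 1
        if [ "$kind" = dir ]; then
            mkdir "$dir/d" && stat -c '%a' "$dir/d"
        else
            : > "$dir/f" && stat -c '%a' "$dir/f"
        fi
        rm -rf "$dir"
    )
}

# Demo: the common defaults (022), a group-shared setting (027) and the
# private setting (077) that security baselines usually ask for
for m in 022 027 077; do
    printf 'umask %s: file %s (expected %s), dir %s (expected %s)\n' "$m" \
        "$(mode_with_umask "$m" file)" "$(expected_mode 666 "$m")" \
        "$(mode_with_umask "$m" dir)"  "$(expected_mode 777 "$m")"
done
```

With umask 022 a new file comes out 644 and a new directory 755; with 077 they come out 600 and 700. Note that no file is ever created executable by umask alone, which is why a freshly written script needs chmod +x regardless of the mask.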

Conclusion

In the next part of this series, we will look at how we can use what we learned so far to secure a file or a system using Unix Permissions. Please remember to provide feedback, it will help me write better in the future!