Episode: 992
Title: HPR0992: LiTS 007: Chmod and Unix Permissions
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0992/hpr0992.mp3
Transcribed: 2025-10-17 17:04:37

---

Welcome to Linux in the Shell episode 7: Unix file permissions and the chmod command. My name is Dan Washko, I'll be your host, and to start off I'd like to thank Hacker Public Radio for hosting the website and these audio files. And then remember, if you have not read the website, the entry for episode 7 at linuxintheshell.org, I encourage you to do so after listening to this audio to solidify the command in your mind and to watch the example video.

Okay. Unix file permissions, or Linux file permissions, because they're pretty much the same thing, operate on three basic permissions: read, write and execute. And those permissions are applied to three different levels. They're applied to the owning user, the owning group and everybody else.

So let's start by talking about the permissions. When I talk about permissions on files, I'm talking about specifically files, not directories. In the Unix world pretty much everything is a file, even a directory, although a directory is a special type of file. There is a differentiation between how permissions are applied to files and to directories, which I'll cover in just a second, but at the level of a file the three permissions, read, write and execute, operate in this manner.

Read permission allows you to open a file and look at the contents of a file, and, doing an ls command, an ls -l command, allows you to see the different aspects of the file. So with read you can open a file and look at the contents and this information. Write permission allows you to alter or create a file, allows you to alter the contents of the file, to delete a file if you want to. So it allows you to change that file, is what it does.
And finally, the execute bit allows you to execute a file, whether it's a shell script or a binary or whatever; it gives you permission to run that file as a program or as a shell script.

Those permissions differ for a directory, though. Now, the read permission on a directory means that you have the ability or permission to read any files in that directory that you have permissions to read explicitly on those files, but it doesn't allow you to list the contents or to actually see those files in that directory, so to speak. To do that you need the executable bit on the directory. Now, the executable bit gives you two things. It allows you to list the contents of a directory, and it allows you to change into, or cd into, that directory.

So if you had a directory called my directory, and you had read but not execute, and you issued ls slash my directory, you would get permission denied. But if you had a file in there called test and you did ls, the name of the directory, my directory slash test, you'd be able to see that file. If you wanted to open it with the less command, you can type less my file slash test and open it. But you cannot view it by ls-ing the directory, nor can you use a wildcard into that directory to open that file.

Basically, understand that on a directory, if you want to be able to list the contents of the directory, and if you want to be able to change into the contents of the directory or to use a wildcard inside the directory, you need the executable permission on there. Read only allows you to look at a file specifically that you have ownership to look at to begin with. You have to name that file in there. Also, with read on a directory and execute on a file, you could execute the file so long as you specify the name of it. You don't need the execute bit on the directory. The execute bit on the directory only gives you the ability to list all the files in the directory or to change into the directory. Be aware of that.
Now, write permission on a directory operates a little differently than it does on a file. It can override the write permission on a file, so if you have write capabilities to a directory and you want to alter a file in that directory that you don't have write permissions to, it will ask you, say, "Hey, you don't really have write permissions to this file, are you sure you want to do this?", to which you have to answer yes. Or if you're in vi or vim and you're trying to edit a file in there that you don't have, you'll have to provide the bang to the write option to explicitly say, okay, do that. So that's what write does on a directory as opposed to on a file.

With that clear, now, these permissions are applied at the owning user, the owning group and all others. So for a single file or directory there are three sets of permissions: one for the owning user, one for the owning group and one for all others. So you can specify permissions at the owning user level (call that owner), at the owning group level, and for everyone else.

Now, there are three special permissions in Linux, and these special permissions are called set user ID bit, set group ID bit and set sticky bit. The way that these work in Linux may differ from other flavors of Unix, but I believe how they work in Linux and BSD are pretty much the same thing.
The set user ID and set group ID bits, these are mainly for executing an application or a script, a program or a script. What that does is, if you're going to execute that, you execute it and it's executed as either the owning user or the owning group. All right, so if the set user ID bit is on a file and you run that, and you have the executable ability to that, when you run that it'll run as the owning user, and if it's set at the group level it will run as the owning group.

I used to have to do this. I forget which one it was, but there used to be some old Samba directory browsing utilities or GUI-based Samba applications that I believe required you to set some of the Samba stuff as set UID bit on the root user, so that when you executed the Samba command that the GUI application required, it ran the Samba stuff as the root user so you could mount Samba directories and stuff. I think that was long ago; that was back in the day.

Now the sticky bit: what that does is, when you set the sticky bit on a directory, it overrides the directory execute or write option. What that does is, any file in there, you can only delete that file if you are the owner. If you are not the owner, you cannot delete or alter that file when the sticky bit is set on a directory. And I guess I didn't specify this, and I'm going to say it now: generally the sticky bit is set on directories, not on files, but generally on directories. A great example is the temp directory. So if you do an ls -ld /tmp and look at the values on your temp directory, it'll come back and report the values as being read write execute, read write execute, read write t, and the sticky bit is set for all others on that. So even though you have read, write, execute capabilities in that directory, you can't delete a file that is owned by somebody else. So that overrides, like, the directory write bit in that case.

A little information there about the ls -l command: when you're looking at the view of
files' permissions or directories' permissions, you'll notice that you'll get rwx rwx rwx or some derivation in there. If you don't have the permission, it's just a dash. And those three sets, that's 12, no, not 12, that's nine columns right there, those three sets. But you'll notice there's one leftmost column that could be a dash, a d or some other letter. That's telling you the type of file that you're looking at: whether it's just a file, a regular dash; whether it's a directory, a d; there's character file, which is a c. So understand what that means, that leftmost column right there, that first column that you're looking at.

All right, so now we kind of have a better understanding of the Linux file permissions. What if you need to change that? That's done by using the chmod command (some people call it "change mod" or "C-H mod"), however you want to say it. Basically, the chmod command is short for changing the mode bit, so it's changing the permission bit. Very simple command to use. It takes two parameters: one is the permissions that you want to set, and the second one is where you want to set those permissions, be it a file, group of files or directory.

Now, there are two ways that you can specify the permissions. One is symbolic mode, which is probably the easiest for new users, and the other one is octal mode, which is my preferred mode. It is not that difficult to use and is a little more short form, or precise, I think. Not that symbolic mode isn't precise, but we'll cover octal mode in just a minute.

So I had specified that there are three groups: owning user, owning group and all others. That's u, g, o. We specify u equals owning user, g equals owning group, and o equals all others. There's a fourth way that you can specify, and that's a, for all or everyone. So it's u, g, o, a, is what to remember: u for owning user, g for owning group, o for others, and a for everyone. All right, so you
specify that by passing to it, in symbolic mode, one of those values, u, g, o, a, and then either using equals, plus or minus, and then the permissions. So then if you wanted to specify, like, the owner has all permissions, it would be chmod u=rwx and then the file. Now again, r equals read, w equals write, x equals executable. I don't think I specified that in the beginning: r equals write, I'm sorry, r equals read, w equals write, x equals executable. So again, to give the owning user all permissions, read, write and execute, it's chmod u=rwx and then name a file.

Now, if you wanted to specify all three different group permissions, for instance, the owning user you wanted to give all permissions, group you only wanted to give read and execute, and all other users just read, it would be u=rwx,g=rx,o=r. That would give the owning user all read, write and execute permissions, the owning group read and execute permissions, and all others just read permissions.

Now, instead of equals, you can add or subtract permissions by specifying, like, u+r *.log, which would give the owner read permissions to all the log files if they didn't already have it. Secondly, you can do the same thing with the minus, which would be to remove a permission for that group. So symbolic takes the use of u, g, o, a, owning user, owning group, all others or everybody, and provides one of the permissions: r equals read, w equals write, x equals execute.

Now, the other special permissions I talked about, sticky bit and set UID and set group: their symbolic representations are t for sticky bit, s for set UID or set GID bit. So if you wanted to set one of those values you can do that, but I think a better way to set those special values is to use octal mode. And octal mode is very, very simple once you get it down. It's really dead easy to think about. Octal mode is using the octal values of
those permissions and providing, for each group, each set, the octal value. So you sum up the octal values of each individual permission for that group. It's going to be a value of 0 to 7. So read permission equals 4, write permission equals 2, and execute permission equals 1.

So if you look at that and read the values octally, you have the three, read, write and execute. The first one, all the way to the right, execute, is either 1 or 0; the middle one, write, is a value of 2 or 0; and then the third one, read, is a value of 4 or 0. So remember that, counting octally: 1 or 0, 2 or 0, 4 or 0. You look at those values, read, write and execute; it's either going to be one of those three values or 0. So you add them up.

So if you had all three permissions, read, write and execute, that would be read, which equals 4, plus write, which equals 2, so that's 4 plus 2, plus execute, which equals 1, so that's 4 plus 2 plus 1 equals 7. That gives you the full value of read, write, execute: 7. If you just have read and execute, that's read, which equals 4, write, which is not set, which equals 0, and execute, x, which equals 1, so that's 4 plus 0 plus 1, which equals 5. If you had read and write but not execute, that's read, which equals 4, write, which equals 2, and execute, which equals 0, so 4 plus 2 plus 0 equals 6. That gives you a value of 6.

Now, you specify one octal value for each of the owning user, owning group and everyone else. So unlike the symbolic mode, where you can specify either everyone or one or two people and switch it like that, in octal mode you're going to specify the full list of permissions for everybody. So if you wanted to give the owning user all permissions, the owning group read and execute, and everyone else just read, those values would be chmod 7 for all permissions, and then 5 for read and execute on the owning group, and then 4, which is just read, on everyone else. So once you get the octal representation down, it's pretty darn
easy to set the octal values right away.

Those three special permissions each have an octal value too. The sticky bit, which is primarily put on directories like I said, is 1; the octal value of that is 1. The set group ID bit octal value is 2, and the set user ID bit octal value is 4. And those occupy the fourth, or actually the leftmost, bit. So if you're counting from right to left in octal, column 1 is for everyone, column 2 is for the owning group, column 3 is for the owning user, and the fourth column is for those special permissions.

Now, that fourth column is optional. If you're not setting a special permission, the value is 0, so you can either put 0 or you can leave it empty. Now, that's important to realize. Okay, why can you leave it empty and just ignore it? It sets those values to 0. Understand that that applies for the whole thing. And when I said that you need to specify the octal values for u, g, o, that's very important, because if you don't, it starts to apply those values to the rightmost bit, so the first group, and then it moves forward.

So if you were to only specify chmod 7 some file, what that sets the permissions to is 7, read, write, execute permission, for everyone. All right, so the owning user doesn't have any permissions, the owning group doesn't have any permissions, but everyone has read, write access. It's equivalent to saying chmod 007 on that file. And if you did, like, 27, you would get the same thing: you would get owning user no permissions, owning group has write permissions, everyone else read, write, execute. That'd be equivalent to saying chmod 027. So be aware of that. You need to at least specify for those three groups, u, g, o. The special bit, the fourth one, is optional.

So that's it. That's basically permissions in a nutshell. Very simple. There are a few flags that you can use in conjunction with the chmod command. Probably one of the most
useful ones is the -R or --recursive, which will set those permissions on all files and directories and sub-directories underneath that directory or where you currently are. So be aware of that, that it will do that recursively. A lot of times I've used that for certain things. If you do that at the root level, it will change your root file system permissions, as long as you're root, the person running it as root, all the way.

There's an option in there, a flag called --preserve-root, which will not operate recursively on the root directory. That's not set by default. Okay, if you as root do chmod 666 slash root, you're going to change all the permissions in that root directory so everybody has read and write and no executable permissions on every single file. If you tried to do that with the --preserve-root, it would prevent you from doing it. I don't recommend messing around with it anyhow. There is an option --no-preserve-root, which is the default, which doesn't preserve root. All right, so just be aware of that: the default doesn't preserve root.

When you issue the chmod commands you generally won't get an output, but you will get a response if there's an error. If you want to see what's being done, there is the --verbose or -v mode. Now, take into consideration that chmod -v, unlike a lot of commands, doesn't give you the version; it goes into verbose mode. If you want to see the version, it's --version. But the -v will tell you exactly what it is doing with all the files that it processes. So if it changes a permission, it tells you what it changes to; if it doesn't change a permission, it tells you that it didn't change a permission. So that's verbose mode.

If you only want to see what changes are made, there's the -c or --changes, which will only report any changes it makes. So if it doesn't change its permissions on the file or directory, it doesn't report it to you, but if it
does, you'll see what it changed; it'll tell you what it did. And finally there's the -f or --silent or --quiet mode, which will suppress pretty much every single error message that could be thrown by chmod if it catches an error or you don't have permission to do something.

So chmod, file permissions, pretty basic. Thanks for listening. Remember, support Hacker Public Radio. If you haven't checked out the website for this write-up, do so. My name is Dan, and thank you very much and have a great day.

You have been listening to Hacker Public Radio at hackerpublicradio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever considered recording a podcast, then visit our website to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club. HPR is funded by the Binary Revolution at binrev.com. All binrev projects are crowd-sponsored by Lunar Pages. From shared hosting to custom private clouds, go to lunarpages.com for all your hosting needs. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike license.