Using CHMOD in symbolic mode for more fine grained control

I’d like to share some information on how to use “chmod” in symbolic mode. This will give you a lot more fine-grained control than octal mode. I also intend to illustrate using examples, as that is the easiest way of learning something new very quickly.

The format of a symbolic mode is [ugoa...][[+-=][perms...]...], where perms is either zero or more letters from the set rwxXst, or a single letter from the set ugo. Multiple symbolic modes can be given, separated by commas.

Example (This adds read, write and execute to file1 & file2 for all users):

chmod a+rwx file1 file2

A combination of the letters ugoa controls which users' access to the file will be changed:
the user who owns it (u),
other users in the file's group (g),
other users not in the file's group (o),
or all users (a).
If none of these are given, the effect is as if a were given, but bits that are set in the umask are not affected.

Usually you will use chmod in this manner:

chmod [options] [permissions] [file or directory]

Operators are explained in this way:

+ adds the permissions to the selection, whether that is a file, a directory, or both.
- removes the permissions you've specified.
= assigns just the permissions you specified and removes everything else.

Examples

Adding read, write and execute to everyone.

chmod ugo+rwx file1 file2

Adding read, write and execute to everyone more elegantly.

chmod a+rwx file1 file2

Adding read, write and execute recursively to a directory and everything below it.

chmod -R a+rwx directory

Remove read and execute access from everyone but the file owner.

chmod go-rx file1

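Set read, write and execute access for the directory owner, and set read and execute for everyone else, recursively down the tree.
(Note the use of the capitalized X. It sets execute only for directories and for files that already have an execute bit set, not for every file. A wise precaution for the group and others. Be aware that the lowercase x in u=rwx makes every file executable by its owner, and GNU chmod applies the clauses in order, so by the time go=rX is evaluated each file already has an execute bit and receives it for the group and others too. You should not set execute for miscellaneous files, even if it is only for the file owner.)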

chmod -R u=rwx,go=rX directory1

A more secure but less practical way of setting read, write and execute access for the directory owner, and read and execute for everyone else, down the tree.

chmod -R u=rwX,go=rX directory1

I would most likely have used the following, which is the same as the above except that it adds to the owner's permissions instead of setting them, so what the file/directory owner already has is left as-is. Also note that the “-R” is at the end. I usually forget the options till the end.

chmod u+rwX,go=rX directory1 -R

I also want to include a short notice about the popular “777” that instructions in a lot of places tell you to use. It’s a BIG no-no. This is an octal reference to chmod, and it means that you give read, write and execute permissions to everyone.

When someone has included instructions that tell you to do so, they have no clue what’s wrong. It is a lazy catch-all. The fix would be to set the appropriate permissions on the folder(s) and file(s) that are relevant. You should never use such instructions unless you’re in a test environment.

So just to clarify, I’ll illustrate using both a symbolic and an octal example.

Octal

chmod 777 file1

Symbolic

chmod a+rwx file1

The sequence of these numbers works in the same way as the symbolic mode. First comes a number representing the rights for the user, then one for the group, and lastly one for everyone else (others).
The values represent the following:

read = 4
write = 2
execute = 1

You either add these values up or subtract them from 7 to get the appropriate rights. Each digit in “777” indicates

4 + 2 + 1 = 7

Worst case scenario using the octal mode would be

chmod -R 777 directory1

Which is the same as using

chmod -R a+rwx directory1

This does not even use the capital “X”, which means that not only does every directory have execute permissions, but every file as well. This is, mildly put, highly insecure.
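The difference between the capital “X” form and the 777 equivalent can be seen on a throwaway tree. This is an added example, not part of the original post: the directory and file names are constructed, and mode_of, count_world_writable, make_tree and apply_and_report are helper names made up for it.

```shell
#!/bin/sh
# Added example: compare "chmod -R a+rwx" with "chmod -R u+rwX,go=rX"
# on a constructed tree. All paths and file names below are made up.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Count entries under a tree that every user on the system may write to.
count_world_writable() {
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Build the sample tree: one directory, one data file, one script.
# Starting modes: directory 700, data file 600, script 700.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/site"
    printf 'key=value\n' > "$root/site/data.txt"
    printf '#!/bin/sh\necho hi\n' > "$root/site/run.sh"
    chmod 700 "$root/site" "$root/site/run.sh"
    chmod 600 "$root/site/data.txt"
    printf '%s\n' "$root"
}

# Apply a symbolic mode recursively to a fresh tree and report the
# resulting modes as "dir data script ww=<world-writable count>".
apply_and_report() {
    root=$(make_tree) || return 1
    chmod -R "$1" "$root/site"
    printf '%s %s %s ww=%s\n' \
        "$(mode_of "$root/site")" \
        "$(mode_of "$root/site/data.txt")" \
        "$(mode_of "$root/site/run.sh")" \
        "$(count_world_writable "$root/site")"
    rm -rf "$root"
}

apply_and_report 'a+rwx'        # prints "777 777 777 ww=3"
apply_and_report 'u+rwX,go=rX'  # prints "755 644 755 ww=0"
```

The data file stays non-executable with the capital “X” because it had no execute bit to begin with, while the script and the directory keep theirs.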

I hope this is sufficient to convey an understanding of how chmod works. Most importantly, I want to say that setting permissions is hard and is supposed to be done by the ones that supply the application (this includes web applications, which usually come as compressed archives. In layman's terms, Linux/BSD/Solaris preserve permissions from archives, which is the opposite of what happens on Windows).

// CrashMAG