Chmod: Change permissions. Linux commands: CHMOD Chmod description


Our documentation of the umask command contains a comprehensive description of how to define and specify file permissions.

In general, chmod commands take the form:

chmod options permissions file name

If no options are specified, chmod modifies the permissions of the file specified by file name to the permissions specified by permissions.

permissions defines the permissions for the owner of the file (the "user"), members of the group who owns the file (the "group"), and anyone else ("others"). There are two ways to represent these permissions: with symbols (alphanumeric characters), or with octal numbers (the digits 0 through 7).

Let's say you are the owner of a file named myfile, and you want to set its permissions so that:

  1. the user can read, write, and execute it;
  2. members of your group can read and execute it; and
  3. others may only read it.

This command will do the trick:

chmod u=rwx,g=rx,o=r myfile

This example uses symbolic permissions notation. The letters u, g, and o stand for "user", "group", and "other". The equals sign ("=") means "set the permissions exactly like this," and the letters "r", "w", and "x" stand for "read", "write", and "execute", respectively. The commas separate the different classes of permissions, and there are no spaces in between them.

Here is the equivalent command using octal permissions notation:

chmod 754 myfile

Here the digits 7, 5, and 4 each individually represent the permissions for the user, group, and others, in that order. Each digit is a combination of the numbers 4, 2, 1, and 0:

  • 4 stands for "read",
  • 2 stands for "write",
  • 1 stands for "execute", and
  • 0 stands for "no permission."

So 7 is the combination of permissions 4+2+1 (read, write, and execute), 5 is 4+0+1 (read, no write, and execute), and 4 is 4+0+0 (read, no write, and no execute).

Syntax

chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
chmod [OPTION]... --reference=RFILE FILE...

Options

-c, --changes

Like --verbose, but gives verbose output only when a change is actually made.

-f, --silent, --quiet

Quiet mode; suppress most error messages.

-v, --verbose

Verbose mode; output a diagnostic message for every file processed.

--no-preserve-root

Do not treat '/' specially (the default).

--help

Display a help message and exit.

The file's owner.

hopestaff

The group to whom the file belongs.

Feb 03 15:36

The file's mtime (date and time when the file was last modified).

file.txt

The name of the file.

Examples

chmod 644 file.htm

Set the permissions of file.htm to "owner can read and write; group can read only; others can read only".

chmod -R 755 myfiles

Recursively (-R) change the permissions of the directory myfiles, and all folders and files it contains, to mode 755: user can read, write, and execute; group members and other users can read and execute, but cannot write.

chmod u=rw example.jpg

Change the permissions for the owner of example.jpg so that the owner may read and write the file. Do not change the permissions for the group, or for others.

chmod u+s comphope.txt

Set the "Set-User-ID" bit of comphope.txt, so that anyone who attempts to access that file does so as if they are the owner of the file.

chmod u-s comphope.txt

The opposite of the above command; un-sets the SUID bit.

chmod 755 file.cgi

Set the permissions of file.cgi to "read, write, and execute by owner" and "read and execute by the group and everyone else".

chmod 666 file.txt

Set the permission of file.txt to "read and write by everyone".

chmod a=rw file.txt

Accomplishes the same thing as the above command, using symbolic notation.

Related commands

chown— Change the ownership of files or directories.
getfacl— Display file access control lists.
ls— List the contents of a directory or directories.

Good health, dear blog readers! We would all like every file or folder located on the hosting server and belonging to the site to be protected as much as possible from unauthorized access.

This protection is ensured due to the fact that 90% of hosters use Unix-like operating systems, in which it is possible to regulate access rights to all files and directories. The server of my hosting provider, on which several of my projects are located, is no exception.

But let's continue. The rules established in Unix differ from those of the Windows operating system that many are accustomed to, where protection in this respect is not so strong, which sometimes leads to disastrous consequences in the form of virus infection of the system.

CHMOD for users and access rights to files and folders (directories)

In Unix-based systems the situation is different, and there is an opportunity to seriously complicate life for the bad guys who try to take advantage of the results of your long, painstaking work: namely, correctly configuring CHMOD access rights. Our task is to give the minimum possible access rights to files and folders that still do not interfere with the correct operation of the site.

Agree, it’s a sin not to take advantage of the opportunity to seriously strengthen. Of course, in this case, editing some files will take a little more time, but here you have to choose: either optimizing system security, or... Below I will try to systematize the information on CHMOD (access rights), because there are several nuances that a webmaster needs to know. So let's begin.

Access rights vary for different user groups. When a connection is attempted, the server determines which group to assign a particular user to. All users are divided into three categories:

  1. "user" - file owner
  2. "group" - one of the members of the group to which the owner belongs
  3. “world” - “rest of the world”, that is, all other users

If you connect to the server and log in using your username and password, you will be identified as "user" (u); if anyone else connects via FTP, they will be identified as "group" (g); if the user uses a browser, then he falls under the category "world" (o).

Now about CHMOD access rights to files and directories. In essence, they are slightly different, although the designations are the same. File permissions:

  • r (read) - the right to read file data
  • w (write) - the right to change content (you can only edit the content - write, but cannot delete)
  • x (execute) - the right to execute the file

Access rights to folders (directories):

  • r - the right to read a folder (you can get the contents of a directory, that is, a list of files included in it)
  • w - the right to change the contents (permission to create and delete objects in the directory; if you have the right to write files, then you can even delete objects that do not belong to you)
  • x - access right to a particular directory (the peculiarity here is that even if you have all the necessary rights to a file that is located “deep” in the directories, but do not have access rights to at least one subdirectory on the path to this object, then you won't be able to access it)

The hyphen “-” indicates the absence of any rights. All these rights are assigned by the administrator, who gains this opportunity by entering a password. If we can set the maximum possible restrictions on CHMOD access rights to certain resource files, then we can practically eliminate the danger of virus programs carrying out their “dirty deeds”.

For clarity, let's consider an example in which the owner of the file, u, has all possible rights: read, write and execute. Users assigned to category g (group) have read and write only, and all others (o) have only read rights. Then the CHMOD entry will look like this: "rwx rw- r--".

Access rights to files and folders in digital terms: CHMOD (777, 755, 444)

But more often, webmasters in their practical activities have to assign certain access rights in digital terms:

  • r (read) - 4
  • w (record) - 2
  • x (performance) - 1
  • - (no rights) - 0

Now let's look at the above example again, with the access rights "rwx rw- r--". To express the rights of each user, his rights are added together (r read + w write + x execute). Thus, the part of the entry for the file owner u (user), "rwx", turns into 7 (4+2+1); for a member of the group g (group), "rw-" turns into 6 (4+2+0); and for other users o (world), "r--" turns into 4 (4+0+0). As a summary, I will present a pivot table with CHMOD permission values expressed in both letters and numbers:


Now I’ll present another table that reflects the total CHMOD rights for all user groups in numerical format:


These are the main combinations that are most often used in the work of a webmaster. The rest are formed by analogy. If you are an administrator of a site or blog, but are working with a project without connecting via the FTP protocol, you also belong to the “Other users” group. In this case, when working with a site in this mode, you need to take into account the last digit in the CHMOD value.
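
The letter/digit correspondence described above, as an added example that is not from the original page: two shell functions that convert an octal mode to the rwx string printed by ls -l and back. It goes slightly beyond the text by also handling the setuid, setgid and sticky bits (a fourth leading digit); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): octal mode <-> rwx string.
# Function names are this example's own.

# triplet DIGIT SPECIAL CHAR: letters for one class (user, group or others).
# SPECIAL is non-zero when the class's special bit is set; CHAR is s or t.
triplet() {
    r=-; w=-; x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
    if [ "$2" -ne 0 ]; then
        # lower case: special bit plus execute; upper case: special bit alone
        if [ "$x" = x ]; then x=$3; else x=$(printf '%s' "$3" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_symbolic 754 -> rwxr-xr--
octal_to_symbolic() {
    case $1 in
        ''|*[!0-7]*|?????*) echo "invalid octal mode: $1" >&2; return 1 ;;
    esac
    m=$(( 0$1 ))    # the leading 0 makes the shell read the digits as octal
    printf '%s%s%s\n' \
        "$(triplet $(( (m >> 6) & 7 )) $(( m & 2048 )) s)" \
        "$(triplet $(( (m >> 3) & 7 )) $(( m & 1024 )) s)" \
        "$(triplet $(( m & 7 )) $(( m & 512 )) t)"
}

# symbolic_to_octal rwxrw-r-- -> 764
symbolic_to_octal() {
    str=$1; total=0; i=0
    [ ${#str} -eq 9 ] || { echo "expected 9 characters: $str" >&2; return 1; }
    for weight in 256 128 64 32 16 8 4 2 1; do
        i=$(( i + 1 ))
        c=$(printf '%s' "$str" | cut -c"$i")
        case $i:$c in
            [147]:r|[258]:w|[369]:x) total=$(( total + weight )) ;;
            3:s) total=$(( total + weight + 2048 )) ;;   # setuid + execute
            3:S) total=$(( total + 2048 )) ;;            # setuid only
            6:s) total=$(( total + weight + 1024 )) ;;   # setgid + execute
            6:S) total=$(( total + 1024 )) ;;            # setgid only
            9:t) total=$(( total + weight + 512 )) ;;    # sticky + execute
            9:T) total=$(( total + 512 )) ;;             # sticky only
            ?:-) ;;
            *) echo "unexpected '$c' at position $i" >&2; return 1 ;;
        esac
    done
    printf '%o\n' "$total"
}

# Modes that appear on this page, plus two with special bits.
for mode in 754 644 666 4755 1777; do
    printf '%4s  %s\n' "$mode" "$(octal_to_symbolic "$mode")"
done
```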

Usually, on the server where the files of your WordPress blog are located, folders have access rights set to 755, and the files inside them are set to 644. This is true when the resource is built using HTML files; however, in modern conditions, CMS (content management systems), which include WordPress, are widely used to build a website. And here there may be objects that need to be written to by the “world” user group. There may be folders into which content is uploaded, including images.

Therefore, the assignment of CHMOD rights to certain files must be differentiated. If you log into site management via FTP, you can perform any actions, however, in many cases we work with our project through, and in this case problems may arise if the rights are too high, and, conversely, if access rights to one or another file (folder) are underestimated, then the security threat increases. Therefore, based on the above, we can determine some recommendations for the practical use of CHMOD for a WordPress blog:

777 - for folders in which files are constantly being written and erased (for the caching folder)
755 - in relation to folders in which files are constantly written but not deleted
666 - for files where you need to add an entry from time to time (for example, a .htaccess file)
644 - for files that are read-only (.php, .html, etc.)
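
One way to check a site tree against the 755/644 baseline mentioned above and to list what the "others" class can write to, as an added example that is not from the original page. The function names and the sample tree are this example's own; directories the CMS must write to would then be re-opened individually.

```shell
#!/bin/sh
# Added example, not from the original page. The tree below is constructed
# sample data; on a real host, pass the site's own directory instead.

# Report what the "others" class can modify, plus setuid/setgid regular files.
# -perm -0002 matches any mode whose last octal digit contains the write bit (2).
audit_tree() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sed 's/^/world-writable /'
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/setid /'
}

# Apply the 755 (directories) / 644 (files) baseline by type.
# `chmod -R 755` would instead leave every regular file executable.
# A numeric mode on a regular file also clears its setuid/setgid bits.
normalize_tree() {
    # \; runs chmod on each directory before find descends into it
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} +
}

# First ten characters of `ls -ld`: file type plus the nine permission letters.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample: a cache directory at 777, .htaccess at 666, one setuid file.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/cache" "$d/site"
    : > "$d/site/index.php"; : > "$d/site/.htaccess"; : > "$d/site/helper"
    chmod 777 "$d/cache"; chmod 755 "$d/site"
    chmod 644 "$d/site/index.php"; chmod 666 "$d/site/.htaccess"
    chmod 4755 "$d/site/helper"
    printf '%s\n' "$d"
}

tree=$(make_demo_tree)
echo "before:"; audit_tree "$tree"
normalize_tree "$tree"
echo "after (no findings expected):"; audit_tree "$tree"
echo "helper is now $(mode_of "$tree/site/helper")"
rm -rf "$tree"
```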

How to configure CHMOD permissions using FileZilla FTP manager

If you need to make some changes when working with a resource, but this cannot be done because editing is forbidden, you need to connect to the hosting server using the FTP protocol and change the access rights to 777. However, after making changes to the file, it is recommended to set the previous CHMOD again.

Now let's learn more about how to perform this operation using FileZilla. To do this, open the program and connect via FTP to the hosting server. On the left side, under "Remote Server", first mark the files whose attributes will be edited:

Then, from the context menu opened with the right mouse button, select "File Permissions". After this, the "Change file attributes" dialog box will appear:

Here we assign the necessary CHMOD values for the selected file (or files). But this is only if you selected a file or group of files. If you want to set or change CHMOD values for a directory (folder), then when you select "Change file attributes" a similar window will appear, somewhat different from the one above, namely:

As you can see, additional settings have appeared here. If you check the box next to the line "Redirect to subdirectories", this means that the specified access rights will be applied to directories (folders) or files nested in this directory. When this box is checked, the group of settings located below it will become active, and you will also need to select how the settings should be applied: to all files and directories, only to nested files, or only to directories.

Change file permissions

Syntax:

chmod [-fv] [-R [-H | -L | -P]] mode file ...
chmod [-fv] [-R [-H | -L | -P]] [-a | +a | =a] ACE file ...
chmod [-fhv] [-R [-H | -L | -P]] [ACL_Option] file ...

Parameters:

-R Recursion. Used for folders. Changes the rights not only for the specified object, but for all nested objects
-R -H Follow symbolic links in command line. By default, symbolic links are not processed
-R -L All symbolic links will be processed
-R -P The link tree will not be processed. Default setting.
-v Verbose. Shows all files that have been changed
-v -v very verbose mode. Old and new permissions will be displayed in octal (numeric) and alphabetic display mode
-f do not display diagnostic messages if it is impossible to change file permissions
ACL_Option(ACLs - access control lists for user groups) ACL_manipulation_options

Access rights:

Access rights can be specified in alphabetic code or numeric based on the octal number system

Management via digital authorization:

Three bits are used to control rights

  • the first is the right to read
  • the second is the right to write
  • third - the right to execute

Bits  Number  Letter code  Description of the right
000   0       ---          no rights
001   1       --x          execute only
010   2       -w-          write only
011   3       -wx          write and execute
100   4       r--          read only
101   5       r-x          read and execute
110   6       rw-          read and write, without execute
111   7       rwx          all rights

Such file rights are established for three types of access:

  • for the owner
  • for a group
  • for the rest

As a result, the command looks like this:

$ chmod 444 file - read-only permission for everyone

$ chmod 755 file - the owner has all rights (7), other users only read and run (5)

$ chmod 066 file - the owner has no rights to the file (0), all others have read and write rights without execution

Management using alphabetic access rights:

Format for specifying rights using a symbolic code

[who...][[+-=][rights...]...][,...]

Who is a combination of characters "ugoa" pointing to users whose access rights to the file or folder will be changed

  • u user is the owner
  • g user group
  • o other users
  • a (all) for everyone, similar to ugo

The chmod command (CHange MODe) has a very specific syntax. Syntax in the general case:
but what characterizes it is that the mode change can take many forms. It can be specified in two ways:

  1. as an octal number. The owner's permissions correspond to numbers of the form x00, where x corresponds to the assigned permission: 4 for read, 2 for write and 1 for execute. Likewise, permissions for the owner's group take the form x0, and permissions for "others" take the form x. Then all you have to do is add up the assigned permissions to get the desired mode. Thus, permissions rwxr-xr-- correspond to 400+200+100 (permissions for the owner, rwx) +40+10 (permissions for the group, r-x) +4 (permissions for others, r--) = 754; in this way, permissions are expressed in absolute terms. This means that the previous permissions are unconditionally replaced;
  2. using expressions. In this case, permissions are expressed through a sequence of expressions separated by commas. An expression takes the following form: [category]<+|-|=><permissions>.
Examples:
  • chmod -R o-w /shared/docs: Recursively removes write permission for others from all files and subdirectories in the /shared/docs/ directory.
  • chmod -R og-w,o-x private/: Recursively removes write permission for group and others from the entire private/ directory, and removes execute permission for others.
  • chmod -c 644 misc/file*: Changes the permissions for all files in the directory misc/ whose names begin with file to rw-r--r-- (i.e. read permission for everyone and write permission for owner only), and reports only those files that the command actually changed.

The following example shows how to allow everyone to read, make changes to, and save a file. To do this, you need to change the access rights of the “others” group.
Enter at the command line:
ls -l example1.txt
The following information will be displayed on the screen:
-rw-rw-r-- 1 user user 42 Mar 24 22:07 example1.txt
Now enter the following command:
chmod o+w example1.txt
The o+w command means that you give “others” (denoted by the letter “o”) permission to write to the file example1.txt. To see the result of running this command, let's look at the file again:
-rw-rw-rw- 1 user user 42 Mar 24 22:09 example1.txt
Now everyone can read and write to the file.
To prevent the example1.txt file from being read or written to, use the chmod command.
chmod go-rw example1.txt
The go-rw command tells the system that you want to prevent the group and "others" from reading or writing to the file example1.txt.
As a result, the access rights will look like this:
-rw------- 1 user user 42 Mar 24 22:10 example1.txt
The classes and rights discussed are abbreviations for the corresponding English words, so they are easy to remember: all you need to remember are a few symbols and letters.
Here is what these abbreviations stand for:

Classes
u - the user who is the owner of the file (from the English “user”);
g - the group to which the user belongs (from the English “group”);
o - others (not the owner and not the owning group, from the English “others”);
a - all (u, g and o, from the English “all”).
Rights
r - right to read;
w - right to write;
x - right to execute.
Actions
+ - gives the right;
- - takes away the right;
= - leaves only this right.

Want to test your knowledge? Remove all rights to the file example1.txt from all users.
chmod a-rwx example1.txt
Now check whether you can read this file with the command cat example1.txt. You should see the following:
cat: example1.txt: Permission denied
By revoking all rights, including your own, you have blocked access to the file. But since the file belongs to you, you can always return the rights with the following command:
chmod u+rw example1.txt
To make sure that you can read this file, use the cat example1.txt command.
Here are some examples of using the chmod command:

  • g+w - gives the owning group write permission;
  • o-rwx - takes away all rights from other users;
  • u+x - gives the owner the right to execute the file;
  • a+rw - allows anyone to read and write to the file;
  • ug+r - allows the owner and group to read the file;
  • g=rx - Allows the group to read and execute the file (not write to it).

The -R option allows you to change permissions for the entire directory tree.
Since directories cannot be "executed" as applications, adding or removing the corresponding right means allowing (or denying) browsing to the directory.
For example, if you prevent other users from executing the docs/ directory, it doesn't matter who has read and write permission. No one will have access to the contents of a directory unless they know the exact name of the file in it.
For example, type:
chmod a-x docs
to revoke execution rights from all users.
If you now try to change the directory using the cd docs command, you will receive a failure:
bash: docs: Permission denied
Restore rights to yourself and your group:
chmod ug+x docs
If you now check the results of your actions using the ls -l command, you will see that access to the docs/ directory is denied only to other users.

This short article provides fairly comprehensive information about access rights in Unix-like operating systems, options for changing them are described, and some concepts and definitions are deciphered.

First, you need to understand the basic concepts such as: who is the owner of a file in Linux, how the file is accessed by other users, and not just the owner himself, etc.
On Unix-like systems, an application runs with the rights of the user who called it. This provides additional security, since a process with user rights will not be able to gain write access to important system files, for example /etc/passwd, which is owned by the superuser root. It sounds simple, but there are some features that you need to know and take into account.

Owner, Group and All Others

Owner

The owner of a file or directory in Linux is the user who created it. With the chown command you can change the owner of a file or directory.

Read, write and execute permissions are set using numeric codes 0400, 0200 and 0100 respectively. They can be combined. For example, code 0700 allows the owner to read, write, and execute files.

Group

A group is a set of Linux users who can use (with sufficient access rights) files and folders at the same level as their owner. You can change the user group associated with a file or directory with the chgrp command.

Read, write and execute permissions are set using numeric codes 0040, 0020 and 0010 respectively. They can be combined. For example, code 0070 allows files to be read, written, and executed by the user group associated with the file.

Everyone else

This is a collective name for those who are not the owner of the file or are not part of a group of users that can work with that file or directory. A good analogy is “the whole world,” “everyone,” or “anyone.”

Read, write and execute permissions are set using numeric codes 0004, 0002 and 0001 respectively. They can be combined. For example, code 0007 allows anyone to read, write and execute files.

Read, write and execute permissions

Reading

Allows a file to be read by a specific group of users.
Shown as "r" in the output of the ls command.

Writing

Allows you to change files or directories.
Shown as "w" in the output of the ls command.

Execution

Allows you to run binary files. In addition, it determines whether a folder is searchable. For example, if a directory has permissions set to 0600, you will not be able to use the cd command to enter this folder or view its contents with the ls command.
Shown as "x" in the output of the ls command.

Well, now you can move on to practice.

Defining and controlling access rights in Linux with the command ls

Using the ls command, you can find out what access rights are set for files in the current or a specified directory:

gruyere@meltingpot / test_perms $ ls -l
total 0
-rw-r--r-- 1 gruyere staff 0 27 Feb 19:43 bar
drwxr-xr-x 2 gruyere staff 68 27 Feb 19:45 baz
-rw-r--r-- 1 gruyere staff 0 27 Feb 19:43 foo

As you can see from the example above, the command ls shows the symbolic code of access rights to files and directories. Columns 3 and 4 also indicate who owns these files or directories and which user group they belong to.

chmod

chmod (change mode) is a widely used command to change the permissions of files and folders in Linux. It allows you to set access rights for a user, for a group of users and for everyone else.

In addition, server-side programming languages (like PHP or Python) provide an equivalent of this command, in the sense that they have a similar notation for setting rights.

Absolute and symbolic notation

chmod supports 2 types of syntax for changing access rights:

  • Absolute notation - an octal number indicating which access bit(s) to activate, for example 0777
  • Symbolic notation is a combination of letters and numbers that set the access bit.

Octal code is more natural: it guarantees that specific access rights are set on files and directories, and this approach is also used in programming languages to change access rights programmatically.

Symbolic notation is used to add or remove rights that have already been defined. There are special sites for translating absolute notation into symbolic and vice versa; they allow you to better understand how all these access rights and the chmod command work.
