
Setting File Protections Using chmod

Often you will have a file or directory you wish to make private. On the other hand, sometimes you might want to make a file or program available to the public. The chmod(1) command allows you to set the file protections on any file or directory you own. You may do so either symbolically or absolutely, as explained below.

The File Mode Format

  1. Type ls -l to see a list of your files. You will notice that the left-most column is made up of a series of 10 dashes and letters, like this:

    -rwxr-xr-x 1 jelliot students 103406 Sep 18 life.c

    These are the protections, or the "modes," of the file. Each position shows the status of a particular protection: if it is occupied by a letter, that mode of operation is available. If the position contains a dash, the file is restricted from that usage.

  2. The first character on the left identifies the type of entry. If the file is a directory, a "d" will be the first character. It will be "l" for a symbolic link. (See the man page for ln(1) for more information on links.) A "p" indicates a named pipe, or FIFO. (See the man page for mkfifo(1M) for more information on named pipes.) Otherwise, a "-" will occupy the first position, indicating a normal file.

  3. The next three characters identify the modes available to the "user." Here "user" refers to the file's owner (the owner of a file is the second column of the file listing). The three letters possible are "rwx," which stand for read, write, and execute. For example, if a file's mode listing shows

    -rw------- 1 wcameron students 256418 Mar 21 book.ms

    you can read and write to the file, but you cannot run it as a command.

  4. The next three positions (fifth, sixth, and seventh) indicate whether these same modes are open to members of your group. The command ls -lg will list the files including the group to which each file belongs. For instance, the listing

    ----r-x--- 1 bpascal students 12509 Dec 7 happy.p

    shows that the file happy.p can be read or executed by any user in the group "students." However, they may not write to it (the "w" bit is not set). To see a list of the groups that you are in, type groups.

  5. The final three characters identify the modes set for "others" (that is, any user on the system).

  6. A typical file might have the mode "-rwxr-x--x" which would indicate that it may be read by the user (owner) and any member of the group, written to only by the user, and executed by anyone. This says nothing about someone's ability to delete the file, however. That is determined by the ability to write to the directory containing that file. Read the Notes section at the end of this file.

Changing the Mode Symbolically

  1. To add or remove protections from a file, use the command chmod. The format for this is

    % chmod [ugoa][+-=][rwx] filename

    Here "u" stands for user, "g" for group, "o" for others, and "a" for all. Thus, "a" would stand for "u," "g," and "o" combined. "+" indicates addition, "-" specifies removal, and "=" sets the specified bits and resets all others. The "r," "w," and "x," of course, identify the mode(s) to be added or removed.

    Let us say that you want to give yourself (the user) read access to the file calendar. The command

    % chmod u+r calendar

    would do the trick.

    The line

    % chmod go-rwx calendar

    would obviously change calendar so that no one except the user will have access to it.

    And

    % chmod a=r calendar

    gives everyone read access and removes all other privileges (in this case, write and execute) from the file.

Changing the Mode Absolutely

  1. There is another, more direct way to change file protections. It involves indicating the new mode of the file by use of octal numbers.

    The mode in octal is made up of three digits. The first represents the three "user" bits, the second stands for the three "group" bits, and the third specifies the "others" bits.

    The way these are coded is by assigning binary values to each group of three, and adding up the digits. The values of each bit are as follows:

    - r w x  r w x  r w x
    - 4 2 1  4 2 1  4 2 1
    

    For instance, "-r----x-w-" is represented by 412. The "user" has the "r" bit set, yielding a 4; the "group" has only an "x," giving 1; and "others" has only a "w," shown by the 2.

    As another example, 743 represents "-rwxr--wx." The 7 is obtained by adding 4 ("r"), 2 ("w"), and 1 ("x") in the "user" positions. The 4 identifies the "r" by itself for the "group" bits, and 3 is the sum of 2 ("w") and 1 ("x") for "others."

Notes:

  1. In order for a directory to be accessed, the user must have both read and execute privileges. If users can write to a directory, they can create and delete files within that directory.

    The ability to delete a file is only dependent upon the write protections of the directory in which it resides, NOT upon its own write protections.

    Sometimes you will see the letter "s" appear in a file's mode in place of an "x." This stands for "set user id" or "set group id." For more information on this and other specialized protections, read the manual pages for chmod(2).

    For more information, read the manual pages for chmod(1).
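The first note, that deletion depends on the directory's write permission and not the file's, can be confirmed with a scratch directory. This is an added example, not part of the original page; the helper name can_delete and the file name notes.txt are hypothetical.

```shell
#!/bin/sh
# Added example: deleting a file is governed by the write bit of the
# directory that contains it, not by the file's own mode.

# can_delete DIRMODE FILEMODE: create a scratch directory holding one file,
# set both modes, try to remove the file, and print "deleted" or "kept".
can_delete() {
    top=$(mktemp -d) || return 1
    mkdir "$top/d"
    : > "$top/d/notes.txt"
    chmod "$2" "$top/d/notes.txt"
    chmod "$1" "$top/d"
    rm -f "$top/d/notes.txt" 2>/dev/null
    if [ -e "$top/d/notes.txt" ]; then
        result=kept
    else
        result=deleted
    fi
    chmod 700 "$top/d"      # restore access so the scratch tree can be removed
    rm -rf "$top"
    echo "$result"
}

# A file with no write bit, in a directory its owner can write to, is
# still removed.
echo "dir 700, file 400 -> $(can_delete 700 400)"

# A fully writable file in a directory without the write bit stays put.
# The superuser bypasses permission checks, so run this as an ordinary user.
echo "dir 500, file 600 -> $(can_delete 500 600)"
```

The practical consequence is that removing write permission from a file does not protect it from deletion; the directory's mode has to be restricted as well.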


Copyright (c) HMC Computer Science Department. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License."

Last Modified Tuesday, 22-May-2001 15:17:51 PDT