chmod File Permissions

chmod cheatsheet — set file permissions with octal (755, 644) and symbolic (+x, go-w). chmod -R for recursion, chmod +x to make executable. Every pattern explained.

What it is

chmod is a command-line utility used to change the file mode bits (permissions) of a file or directory. You reach for it when you need to control who can read, write, or execute a file.

Installation

chmod is a standard Unix/Linux/macOS utility and is pre-installed on most systems. No installation is typically required.

Core Concepts

File permissions in Unix-like systems are divided into three categories:

  • User (u): The owner of the file.
  • Group (g): Members of the group that owns the file.
  • Others (o): Everyone else.

For each category, three types of permissions can be granted or denied:

  • Read (r): Allows viewing the contents of a file or listing the contents of a directory.
  • Write (w): Allows modifying the contents of a file or creating/deleting files within a directory.
  • Execute (x): Allows running a file as a program or entering a directory.

Permissions can be represented in two ways:

  1. Symbolic notation: Uses letters (u, g, o, a for all) and symbols (+, -, =).
  2. Octal notation: Uses a three-digit number where each digit represents permissions for user, group, and others, respectively.
    • 4: read (r)
    • 2: write (w)
    • 1: execute (x)
    • Sum these values for combined permissions (e.g., 7 for rwx, 6 for rw-, 5 for r-x).

Commands / Usage

Changing Permissions with Symbolic Notation

Granting Permissions:

  • chmod u+x script.sh Grant execute permission to the user (owner) of script.sh.
  • chmod g+w data.txt Grant write permission to the group of data.txt.
  • chmod o+r config.yml Grant read permission to others for config.yml.
  • chmod a+r public_file.txt Grant read permission to all (user, group, others) for public_file.txt.
  • chmod ug+rw report.docx Grant read and write permissions to both the user and the group for report.docx.
  • chmod +x executable_program Grant execute permission to user, group, and others. When no category is given, chmod treats +x like a+x but leaves alone any bit masked by the umask, so it’s safer to be explicit with a+x if that’s the intent.

Removing Permissions:

  • chmod u-w private.key Remove write permission from the user (owner) of private.key.
  • chmod g-r shared_document.pdf Remove read permission from the group of shared_document.pdf.
  • chmod o-wx sensitive_data.csv Remove write and execute permissions from others for sensitive_data.csv.
  • chmod -w file.txt Remove write permission from all (user, group, others) for file.txt.

Setting Specific Permissions (Overwriting existing):

  • chmod u=rwx,g=rx,o=r file.txt Set user permissions to read, write, and execute; group to read and execute; and others to read for file.txt. This overwrites any previous permissions for these categories.
  • chmod u=rw,g=,o= file.txt Set user permissions to read and write; remove all permissions for group and others for file.txt.
  • chmod a=rwx directory Set read, write, and execute permissions for all (user, group, others) on the directory.

Changing Permissions with Octal Notation

Granting Permissions (Adding to existing): Note: Octal notation typically overwrites permissions. To add, you would first read the current permissions and then calculate the new octal value.

Setting Specific Permissions (Overwriting existing):

  • chmod 755 script.sh Set permissions for script.sh to:
    • User: rwx (4+2+1 = 7)
    • Group: r-x (4+0+1 = 5)
    • Others: r-x (4+0+1 = 5)
    This is common for executable scripts and directories.
  • chmod 644 data.txt Set permissions for data.txt to:
    • User: rw- (4+2+0 = 6)
    • Group: r-- (4+0+0 = 4)
    • Others: r-- (4+0+0 = 4)
    This is common for regular data files that should be readable by everyone but only writable by the owner.
  • chmod 600 private.key Set permissions for private.key to:
    • User: rw- (4+2+0 = 6)
    • Group: --- (0+0+0 = 0)
    • Others: --- (0+0+0 = 0)
    This makes the file readable and writable only by the owner, a common setting for sensitive files.
  • chmod 700 directory Set permissions for directory to:
    • User: rwx (4+2+1 = 7)
    • Group: --- (0+0+0 = 0)
    • Others: --- (0+0+0 = 0)
    This allows the owner full access and no access for anyone else.

Recursive Operations

  • chmod -R 755 project_folder/ Recursively change permissions for project_folder and all its contents to 755 (user rwx, group r-x, others r-x).
  • chmod -R u+w docs/ Recursively grant write permission to the user (owner) for all files and subdirectories within docs/.
  • chmod -R o-rwx private_files/ Recursively remove all permissions (read, write, execute) for others from private_files/ and its contents.

Special Permissions

  • chmod u+s file.sh Set the SetUID bit for file.sh. When this file is executed, it will run with the permissions of the file’s owner, not the user executing it. (Octal: 4755 if base is 755)
  • chmod g+s directory/ Set the SetGID bit for directory/. When a file is created within this directory, it will inherit the group ownership of the directory, not the primary group of the user creating the file. (Octal: 2775 if base is 775)
  • chmod +t temp_directory/ Set the sticky bit for temp_directory/. On directories, this means that only the owner of a file (or the owner of the directory, or root) can delete or rename that file. (Octal: 1777 if base is 777)

Displaying Permissions

While chmod changes permissions, ls -l is used to view them:

  • ls -l script.sh Output like -rwxr-xr-x 1 user group 1234 Jan 1 10:00 script.sh
    • The first set of rwx represents the owner’s permissions.
    • The second set represents the group’s permissions.
    • The third set represents others’ permissions.
    • A - indicates a denied permission.
    • Special bits: s instead of x for SetUID/SetGID (e.g., -rwsr-xr-x), t for sticky bit (e.g., drwxrwxrwt).
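
To connect the octal values above with the strings ls -l prints, here is an added example (not part of the original cheatsheet) that decodes a 3- or 4-digit octal mode into its nine permission characters, including the special bits. The function name mode_to_string is an assumption of this example; it also covers the uppercase S and T that ls shows when a special bit is set without the matching execute bit.

```shell
#!/bin/sh
# mode_to_string OCTAL
# Print the nine permission characters ls -l would show for a 3- or
# 4-digit octal mode, including the SetUID, SetGID and sticky markers.
mode_to_string() (
    case "$1" in
        ''|*[!0-7]*|?????*) echo "invalid mode: $1" >&2; exit 1 ;;
    esac
    m=$((0$1))          # leading 0 makes the shell read the digits as octal
    out=""
    # One entry per category (user, group, others): the shift that
    # isolates its rwx digit, its special bit (octal 4000, 2000, 1000,
    # written in decimal), and the marker used when execute is set / unset.
    for spec in "6 2048 s S" "3 1024 s S" "0 512 t T"; do
        set -- $spec
        bits=$(( (m >> $1) & 7 ))
        r=-; [ $((bits & 4)) -eq 0 ] || r=r
        w=-; [ $((bits & 2)) -eq 0 ] || w=w
        x=-; [ $((bits & 1)) -eq 0 ] || x=x
        if [ $((m & $2)) -ne 0 ]; then
            # Special bit present: lowercase with execute, uppercase without.
            if [ "$x" = x ]; then x=$3; else x=$4; fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
)

# Modes from the examples above, plus 4644 (constructed) to show SetUID
# on a file that has no execute bit.
for mode in 755 644 600 4755 2775 1777 4644; do
    printf '%4s  %s\n' "$mode" "$(mode_to_string "$mode")"
done
```

An uppercase S or T in a listing is worth a second look: the special bit is set but the execute bit it modifies is not.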

Common Patterns

Make a script executable:

  • chmod +x deploy.sh

Set standard read-write for owner, read-only for group/others:

  • chmod 644 config.json

Make a file private to the owner:

  • chmod 600 secrets.txt

Create a directory that everyone can read/write/enter, but only owners of files can delete/rename:

  • chmod 1777 shared_folder/

Recursively change ownership and permissions (often combined with chown):

  • sudo chown -R www-data:www-data /var/www/html/
  • sudo find /var/www/html/ -type d -exec chmod 755 {} \; (Directories: rwx for owner, rx for group/others)
  • sudo find /var/www/html/ -type f -exec chmod 644 {} \; (Files: rw for owner, r for group/others)

Set permissions for files and directories differently recursively:

  • chmod -R u+w my_project/
  • find my_project/ -type d -exec chmod o-w {} \; (Remove write for others on directories)

Gotchas

  • Octal vs. Symbolic: Be mindful of whether you’re using octal or symbolic notation. Octal notation replaces permissions, while symbolic notation adds or removes them (unless you use =).
  • -R is powerful: Using chmod -R can quickly change permissions on many files. Double-check your command before executing it, especially with sudo. You can accidentally lock yourself out of files or expose sensitive data.
  • Directories need x: To cd into a directory or access files within it, you need execute (x) permission on the directory itself.
  • Windows Subsystem for Linux (WSL): File permissions on WSL can sometimes be tricky, especially when interacting with the Windows filesystem (e.g., /mnt/c). Permissions might not translate perfectly.
  • Default permissions: The umask command determines the default permissions that are removed when a new file or directory is created. chmod overrides this for existing files.
  • SetUID/SetGID/Sticky Bit: These special permissions can have significant security implications. Use them with caution and understanding. For example, SetUID on a script could allow a user to gain root privileges if the script is flawed.
  • +x behavior: While often defaulting to a+x, explicitly using a+x (or u+x,g+x,o+x) is clearer if you intend to grant execute to everyone.
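
The -R and special-permission gotchas above can be checked after the fact with find. The following is an added example, not part of the original cheatsheet: three audit helpers run against a constructed sample tree. The function names and the tree are assumptions of this example; the file names and modes are borrowed from the examples on this page.

```shell
#!/bin/sh
# Audit helpers: each prints the matching paths under the directory in $1.

# Regular files writable by others (the o+w bit, octal 0002).
world_writable_files() { find "$1" -type f -perm -0002; }

# Regular files carrying SetUID (4000) or SetGID (2000).
special_bit_files() { find "$1" -type f \( -perm -4000 -o -perm -2000 \); }

# Directories writable by others that lack the sticky bit (1000), so any
# user can delete or rename other users' files inside them.
unsticky_shared_dirs() { find "$1" -type d -perm -0002 ! -perm -1000; }

# Build a constructed sample tree and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/shared_folder" "$t/open_dir"
    : > "$t/config.json"; : > "$t/secrets.txt"; : > "$t/file.sh"
    chmod 1777 "$t/shared_folder"   # shared, sticky bit set: not reported
    chmod 777  "$t/open_dir"        # shared, no sticky bit: reported
    chmod 644  "$t/config.json"     # standard data file: not reported
    chmod 666  "$t/secrets.txt"     # others can write: reported
    chmod 4755 "$t/file.sh"         # SetUID: reported
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "World-writable files:";             world_writable_files "$tree"
echo "SetUID/SetGID files:";              special_bit_files "$tree"
echo "Shared directories without sticky:"; unsticky_shared_dirs "$tree"
rm -rf "$tree"
```

Running the same three functions against a real directory before and after a chmod -R shows what the change exposed or tightened.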