Linux chmod Example

One of the most critical jobs a system administrator has to continuously be dealing with is the permission administration. The most small carelessness with the permissions can lead to a security hole in the system.

This example will show how are changed the permissions, a task for which chmod command is used

For this example, Linux Mint 17.3 has been used.

1. Linux permission system

What makes the Linux permission system so great is its simplicity, specially when it’s compared to others, such us Windows’. In any case, we will see briefly how it works.

There are three main things that have to be understood: the elements the permissions are defined for, the actions that can be performed, and who can perform them.

The elements are two:

  • Files.
  • Directories.

The actions are three:

  • Read
  • Write.
  • Execute. Apart from for executing scripts and binaries, also corresponds to folders: to create files and other folders inside it.

And who can perform them, other three:

  • The user that owns the file.
  • The group that the user owning the file belongs to.
  • Any other user that is not the owner and does not belong to the group the owner does.

To see how the permissions are organized, we can list the files in the terminal:

ls -l

And we will see something similar to the following:

-rw-r--r-- 1 julen julen      0 Jun 26 14:20 file.txt
drwxr-xr-x 2 julen julen   4096 Jun 26 14:22 folder

The first section, 10 characters, are which correspond to permissions. Let’s examine it:

  • The first character is for file type. - means that the file is a regular file, and d means that is a directory.
  • The following nine characters are for read (r), write (w) and execute (x) permissions for the owner, the group of the owner, and others, respectively.

2. Changing permissions

To change the permissions, the chmod command (contraction of change and mode) is used. The syntax is the following:

chmod permissions file [file 2] [file n]

The specification of the files seems quite obvious, but, how are the permissions specified?

2.1. Octal representation

One of the options is the octal notation.

For example, for setting read and write permissions for the owner, read permissions for its group, and no permission for others, to a file.txt file, we would have to execute:

sudo chmod 640 file.txt

We can try to read the file with a user that is not the owner and does not belong the the owner’s group, to see what happens:

sudo -u other-user more file.txt

And we would receive an error message:

file.txt: Permission denied

But where comes that 640 from?

Each digit of that number represents which permissions will have the owner, its group, and others. And each digit is the octal representation of the permission combination we want to assign. So:

  • 0 for no permission.
  • 1 is for execution permission.
  • 2 is for write permission.
  • 4 is for read permission.

So, for assigning read and write permissions, what we have done is 2 + 4 = 6.

The following table shows the permissions that gives each digit:

NumberBinaryRead? (r)Write? (w)Execute? (x)

2.2. Symbolic representation

Apart from octal representation, chmod also allows symbolic representation.

In the symbolic representation letters and arithmetic operators are used:

For the users, the symbols are the following:

  • u: file owner.
  • g: file owner’s group.
  • o: other users.
  • a: all users.

The actions are represented with the same symbols that we have seen before:

  • r: read.
  • w: write.
  • x: execute.

And the operators to set the permissions are:

  • =: sets the permissions as specified, overwriting any other previous permissions.
  • +: adds permissions.
  • -: removes permissions.

The syntax for the symbolic representation is the following:

sudo chmod who operator action(s)[,who operator action(s),...]

For example, the previous example (owner: read and write; group: read; others: none) with the symbolic notation, would be the following:

sudo chmod u=rw,g=r,o-rwx file.txt

As you can see, for this example, this notation requires much more verbosity.

But for other cases is more suitable. For example, if we want to maintain the current permissions, but allowing now everybody to write, we would have to type:

sudo chmod a+w file.txt

And the file would pass from these permissions:

-rw-r----- 1 julen julen 0 Jun 26 17:38 file.txt

To these ones:

-rw-rw--w- 1 julen julen 0 Jun 26 17:39 file.txt

3. Special permissions

Apart from those permissions we have seen, there are three more special permissions in Linux: the setuid (user id), the setgid (group id), and the sticky.

3.1. setuid

The setuid bit (set user ID) can be assigned to executable files, which is for, when a file is executed, allow the process acquire that file’s owner’s permissions. This is generally used to allow normal users (those without superuser privileges) to obtain root privileges for some executables.

This can be seen, for example, in common binaries, such us /bin/ping. If we check its permissions, we will see that it has the setuid bit bit assigned:

-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping*

Which is expressed with a s, in the place for the execution bit for the owner.

If we remove the setuid bit from that executable:

sudo chmod u-s /bin/ping

A normal user won’t be able to use ping, and if it would try to use it:

ping localhost

The following message will be shown:

ping: icmp open socket: Operation not permitted

Of course, an user with sudo permissions could execute the command with root privileges, but, as said before, this bit is though for users that don’t have superuser privileges.

To add the setuid bit again:

sudo chmod u+s /bin/ping

3.2. setgid

If the setuid bit allows the user acquire the permissions of the owner, the setgid (set group id) allows to acquire the permissions of the group.

The bit can be set as follows with the octal notation:

sudo chmod 2777

Which is set with the 2.

And with symbolic notation:

sudo chmod g+s

If the setuid bit was placed in the owner’s execution bit place, in this case, is placed in the group’s execution’s place:

-rwxrwsrwx  1 julen julen     14 Jun 27 19:22*

3.3. sticky

The sticky bit is used in directories, when we want a file, or folder writable for several users, but where files and folders inside it can only be deleted by the owner. This bit is used, for example, in /tmp and /var/tmp directories.

The sticky bit can be assigned the following way:

sudo chmod 1777 sticky/

Where the sticky bit is set with the leading 1, and then, the wanted permissions (which usually are 777 for this cases).

And, with symbolic notation:

sudo chmod +t sticky/

The sticky bit is expressed with a t in the place for the execution bit for others:

drwxrwxrwt  2 julen julen   4096 Jun 27 19:22 sticky/

We can see how it works, we can create a file in our sticky/ directory, try to modify it with the owner and other user, and also to delete it:

touch file.txt
echo "written with owner" > file.txt
sudo -u other-user echo "written with other user" > file.txt

Which would work. But if we try to delete it with the user that is not the owner…

sudo -u other-user rm file.txt

And we would see:

rm: remove write-protected regular file ‘file.txt’?

We can type y to confirm, but…

rm: cannot remove ‘file.txt’: Operation not permitted

But the owner of the file could delete it with no problem.

To remove the sticky bit:

sudo chmod -t sticky/

4. Summary

In this example, we have first seen very briefly how the Linux permission, identifying the main concepts that are involved when dealing with permissions. Then, we have seen how the permissions are changed for the different notations, and, to end up with the example, we have taken a look for the special permissions bits that are available in Linux.

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Back to top button