Linux Chmod Command

Unix/Linux file permissions are controlled with the [.inline-code]chmod[.inline-code] command. This command accepts numeric representations of permissions, as well as symbolic representations. For more details on file permissions, see our previous article.

[#with-numeric-representations][.inline-code]chmod[.inline-code] With Numeric Representations[#with-numeric-representations]

The most common usage of [.inline-code]chmod[.inline-code] is a command like [.inline-code]chmod 644 FILENAME[.inline-code], using the numerical representation of the permission you’re trying to achieve. Check our writeup on file permissions to see some common numeric representations you may want to use with [.inline-code]chmod[.inline-code].

[#with-symbolic-representations][.inline-code]chmod[.inline-code] With Symbolic Representations[#with-symbolic-representations]

Symbolic representations can be a little easier to grok than numeric representations. For example, to add the executable bit for all users to a file, you would run [.inline-code]chmod a+x FILENAME[.inline-code] ("all add executable"). To add write capability for just the owner, you would run [.inline-code]chmod u+w FILENAME[.inline-code] ("user add write"). But you can also just run [.inline-code]chmod 644[.inline-code] to a file to make it readable to everyone and writeable by you, or [.inline-code]chmod 755[.inline-code] to change permissions on a directory.

‍

‍

When using symbolic representation, [.inline-code]u[.inline-code] means user (owner), [.inline-code]g[.inline-code] means group, [.inline-code]o[.inline-code] means other (world), and [.inline-code]a[.inline-code] means all (user, group, and other). Any combination of these are combined with an operator: [.inline-code]-[.inline-code] to remove a permission, [.inline-code]+[.inline-code] to add, or [.inline-code]=[.inline-code] to set permissions explicitly. 

Note that "group" refers to the Unix group that owns the _file_, not the current user's group. That's controlled by [.inline-code]chown[.inline-code] or [.inline-code]chgrp[.inline-code] and is out of scope for this post, but be aware that sometimes a file is owned by a group that the current user isn't a part of, so it can be an entirely separate permission. For example, in the case of a website, it's common for the files to be owned by the current user, but assigned to a [.inline-code]www[.inline-code] group (or similar). You would want permission for both the user and group to modify the file in this case, and permission for the world (other) to read it.

To use symbolic representations, combine one or more user types, an operator, and permissions. For example, to add read and write permissions to user and group, you would use [.inline-code]chmod ug+rw PATH[.inline-code]. To set user and other permissions to read/execute but not write, you could use [.inline-code]chmod uo=rx PATH[.inline-code]. See the [.inline-code]man chmod[.inline-code] page for more examples.

‍

[#controlling-read-and-write]Controlling who can read and write[#controlling-read-and-write]

The [.inline-code]r[.inline-code] and [.inline-code]w[.inline-code] bits of a file determine who can read and who can write to a file. If a user has read access, they'll be able to [.inline-code]cat[.inline-code] the file, but without write access, they'll be unable to modify it (this includes the ability to delete the file). A file that has the permissions [.inline-code]-rw-------[.inline-code] will be readable and writable only by the owner of the file (current user) but completely inaccessible to anyone else. In most cases you want the file to be readable by everyone, but only writable by you, which would mean permissions of [.inline-code]-rw-r--r--[.inline-code], or 644 (see the [file permissions article]({{LINK}}) for more details on numeric representations).

[#oops-i-broke-it]Oops, I broke it[#oops-i-broke-it]

If you ever mess up the permissions on a file and find yourself unable to modify it further because you don't have write access to it (operation not permitted), you can fix it using [.inline-code]sudo[.inline-code], assuming you have super user access to the current system.

If you do have super user access to the system, you can bypass any permissions on a file and make changes to them as needed. For a regular file, to restore your ability to modify and delete it, use [.inline-code]sudo chmod 644 FILENAME[.inline-code], enter your system password, and then proceed.

‍

‍

If you don't have access to [.inline-code]sudo[.inline-code] on your system, you'll need to contact the system administrator to modify your access to any files you lack permissions for.

[#making-a-file-executable]Making a file executable[#making-a-file-executable]

If the executable bit ([.inline-code]x[.inline-code]) is set on a file, it can be executed directly by the users with that permission. In the case of a binary or script (with a proper shebang), this means that you can call it without having to pass it to a shell or script processor. So, instead of [.inline-code]python3 myscript.py[.inline-code], you can just run [.inline-code]./myscript.py[.inline-code]. All command line utilities (binaries) have the executable bit set for at least the owner (user) and usually for group and world (other) as well.

To make a file executable for all users, use [.inline-code]chmod a+x FILENAME[.inline-code]. You can change the [.inline-code]a[.inline-code] to [.inline-code]u[.inline-code]ser, [.inline-code]g[.inline-code]roup, or [.inline-code]o[.inline-code]ther, or a combination of those letters, to specify exactly which users can execute the file, e.g. [.inline-code]chmod ug+x[.inline-code].

Note that directories must have the executable bit set in order for a user to enter them with [.inline-code]cd[.inline-code] or list them with [.inline-code]ls[.inline-code]. If the user doesn't have permission to execute, they'll be unable to enter or list the directory. This means you can hide an entire directory from users other than you or outside of your group using [.inline-code]chmod go-x DIRECTORY[.inline-code].

[#chmod-options][.inline-code]chmod[.inline-code] Options[#chmod-options]

There are a few switches available for the [.inline-code]chmod[.inline-code] command. The most pertinent ones tell [.inline-code]chmod[.inline-code] how to deal with symbolic links.

The [.inline-code]-h[.inline-code] switch tells [.inline-code]chmod[.inline-code] that if the file is a symbolic link, change the permissions on the link itself, rather than the file it points to. If you're working with symbolic links and don't want to affect the original file, the [.inline-code]-h[.inline-code] switch is your friend.

The [.inline-code]-R[.inline-code] switch tells [.inline-code]chmod[.inline-code] to act recursively, which is generally advised against, as we cover in the Recursive chmod article.

But if you _are_ using [.inline-code]chmod -R[.inline-code], be aware of the [.inline-code]-H[.inline-code] switch, which stops the recursive action from following symlinks, and the [.inline-code]-L[.inline-code] command which _forces_ all symlinks to be followed. The default is the [.inline-code]-P[.inline-code] switch, in which no symlinks are followed.

The [.inline-code]-v[.inline-code] switch will offer verbose output, showing the name of affected files when the command runs. If you specify it twice, it will also output the old and new permissions, in both octal and symbolic representation:

 $ chmod -vv 777 to_changelog.rb
 to_changelog.rb: 0100755 [-rwxr-xr-x ] -> 0100777 [-rwxrwxrwx ]

[#examples]Examples[#examples]

Set a file's permissions to [.inline-code]-rw-r--r-[.inline-code], readable and writable by owner (user) and readable by everyone else:

 $ chmod 644 myfile.txt

Make a file or directory executable by the owner ([.inline-code]-rwx-r--r--[.inline-code]), readable by everyone else

In the case of a directory, this means that only the owner can use [.inline-code]cd[.inline-code] or [.inline-code]ls[.inline-code] on it, or affect anything it contains:

 $ chmod 755 myscript.sh

Make a file executable by anyone (e.g. [.inline-code]-rwx-r-x-r-x[.inline-code])

 $ chmod a+x myscript.sh

Make a file inaccessible to anyone but the owner ([.inline-code]-rw-------[.inline-code])

 $ chmod 600 ~/.ssh/rsa_id

Remove read, write, and execute for group and world, leaving user (owner) permissions alone

 $ chmod go-rwx ~/.ssh/rsa_id

Read more about Unix file permissions here. If you're curious about batch applying chmod to files and directories, check out the Recursive [.inline-code]chmod[.inline-code] article.