chmod / chown
We briefly mentioned in the intro to Bash that every file has an owner and an ownership group. Each file also has sets of permissions. Permissions and ownership in Linux can get as complex as you would like, but at their core they are pretty simple. Let's create a test file and ls -l it so we can look at the components:
[bradr@ssh8-2 testdir]$ touch myfile && ls -l
total 0
-rw-r--r-- 1 bradr Domain Users 0 Jan 5 11:23 myfile
So the line -rw-r--r-- 1 bradr Domain Users 0 Jan 5 11:23 myfile contains the permissions and ownership information.
The first part, -rw-r--r--, shows the file type and what is authorized. The first character is the file type; don't worry about that here. There are essentially three actions allowed on a file. You can read it, you can write to it, or you can execute code in it. The nine characters after the file type represent each of these three actions for its owner (the first three characters), its ownership group (the next three characters), and everybody else (the last three characters). Anything represented by a letter ('x' for executable, 'r' for readable, or 'w' for writeable) is an action that is permitted, and anything represented by a '-' is an action that is not permitted. So we see that the owner is allowed to read and write to the file, the group can only read the file, and everybody else can read the file as well.
The second part, bradr, tells you who owns the file.
The third part, Domain Users, tells you which group owns the file.
Now let's say that we are being secret about our file, so we don't want everyone to be able to read it, but we also need help, so we want everyone in the group to be able to write to it. Also, it's going to be a great Bash script, so we need to be able to execute it as well. How do we go about changing these permissions?
chmod
chmod is the command line utility to change the permissions of a file, and there are several ways to use it. The example we used in the Intro to Bash Scripting section was to just make it executable by anyone:
[bradr@ssh8-2 testdir]$ chmod +x myfile && ls -l
total 0
-rwxr-xr-x 1 bradr Domain Users 0 Jan 5 11:23 myfile
We don't really want that here, though, since we aren't making the same change for the owner, the group, and everyone else, so let's undo that:
[bradr@ssh8-2 testdir]$ chmod -x myfile && ls -l
total 0
-rw-r--r-- 1 bradr Domain Users 0 Jan 5 11:23 myfile
So there are multiple ways of setting the permissions with chmod, but the most common is "numerical mode", which is documented in the man page. The basic syntax is chmod 755 myfile, where the first number sets the permissions for the owner, the second sets the permissions for the owner group, and the third sets the permissions for everyone else. Each number is an "octal" digit, meaning there are 8 possible choices, 0-7. These numbers represent some summation of the following:
Permission | Number |
---|---|
Executable | 1 |
Writeable | 2 |
Readable | 4 |
And the number represents a sum of those numbers. So chmod 751 myfile would let the owner read, write and execute the file, because 7 represents 4+2+1. It would allow group users only to read or execute the file, because 5 represents 4+1, and it would allow everyone else only to execute the file, because 1 represents 1+nothing. If one of the permissions is '0', that means that group is not allowed to do anything.
So now we have an idea of how to solve our problem above. We want the owner of our file to be able to read, write, and execute the file; we want the people in our group to help edit the file, so they can read and write it; and we don't want people outside the group to be able to read, write, or execute it. We can do that with the permissions '7' for the owner, '6' for the group, and '0' for everyone else.
[bradr@ssh8-2 testdir]$ chmod 760 myfile && ls -l
total 0
-rwxrw---- 1 bradr Domain Users 0 Jan 5 11:23 myfile
You can also change the permissions of every file in a directory with the -R flag. Ex: chmod -R 750 /path/to/directory/
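To check a mode after setting it, the permission string that ls -l prints can be converted back into the number given to chmod, using the same 4/2/1 sums as the table above. This is an added example, not part of the original tutorial; the function names are made up for illustration, and the special 's' and 't' bits are assumed absent.

```sh
#!/bin/sh
# Added example: decode an ls -l permission string into chmod's numerical mode.
# Function names are hypothetical; setuid/setgid/sticky ('s', 't') are ignored.

# perm_to_octal "-rwxrw----" prints 760. Only characters 2-10 are read, so the
# trailing "." that SELinux systems append (as in "-rw-rw-r--.") is ignored.
perm_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    out=""
    for start in 1 4 7; do              # owner, group, everybody else
        triplet=$(printf '%s' "$perms" | cut -c"$start"-$((start + 2)))
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac   # readable   = 4
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac   # writeable  = 2
        case $triplet in ??x) digit=$((digit + 1)) ;; esac   # executable = 1
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# file_mode PATH prints the numerical mode of a real file, read from ls -ld.
file_mode() {
    listing=$(ls -ld -- "$1") || return 1
    perm_to_octal "$(printf '%s' "$listing" | cut -c1-10)"
}

# others_can_access PATH succeeds if "everybody else" has any permission,
# which is what we wanted to rule out for the secret file above.
others_can_access() {
    mode=$(file_mode "$1") || return 1
    case $mode in
        ??0) return 1 ;;
    esac
    return 0
}

# Constructed demo: repeat the chmod 760 from above on a scratch file.
demo() {
    dir=$(mktemp -d)
    touch "$dir/myfile"
    chmod 760 "$dir/myfile"
    file_mode "$dir/myfile"
    rm -rf "$dir"
}

demo
```
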
chown
chown is much simpler. Every file has an owner and an ownership group, as mentioned above. These can be changed with the syntax chown username:groupname myfile
Sometimes when copying files, something that you expect to be run by the webserver under the apache user will have its ownership changed because you are copying as the root user. So instead of it being owned by apache and running on the webserver, you will get a FORBIDDEN error. Let's look at this PHP file:
[root@linuxadmin:1 Widgets]# ls -l | grep WidgetRenderer.php
-rw-rw-r--. 1 root root 6668 Mar 3 2022 WidgetRenderer.php
I'm expecting this PHP file to be accessed by the user apache, which has the group apache. So I need to change it.
[root@linuxadmin:1 Widgets]# chown apache:apache WidgetRenderer.php && ls -l WidgetRenderer.php
-rw-rw-r--. 1 apache apache 6668 Mar 3 2022 WidgetRenderer.php
There are some instances where this can be done by a non-root user, but it almost always needs root privileges.