
4/16/2016 LinuxFilePermissions,chmod,&umaskTutonics

Tutonics
Tutorials on Linux, Ubuntu Tips & Guides


Linux File Permissions, chmod, & umask

Understand how Ubuntu / Linux file permissions and special mode bits work. Learn how to change these permissions using the chmod command. Find out how default permissions for new files are configured via a user's umask value.

Contents

Linux File Permissions

How "Read", "Write", And "Execute" Permissions Are Represented

A File's "User" And "Group"

Special Mode Bits

Permissions: Octal Representation

Changing File Permissions - Chmod

Using Symbolic Modes With Chmod

Using Numeric Modes With Chmod

Umask - Configuring Default File / Directory Permissions

http://www.tutonics.com/2012/12/linuxfilepermissionschmodumask.html 1/14

Linux File Permissions

In Ubuntu / Linux everything is a file, so everything will have permissions also.

File permissions define which user or system accounts have permissions to read, write, and execute specific files.

These read, write, and execute permissions are defined for:

user: the user that owns the file

group: users in the file's group

other: every other user

There are also three other components when it comes to file mode bits, namely the setuid bit, the setgid bit, and the sticky bit.

As you'll see later, these "special mode bits" can only be used for certain files.

How Read, Write, And Execute Permissions Are Represented

File permissions are identified through file mode bits. These bits represent what actions can be carried out by specific user accounts.

For example, if you run the command ls -l to list the files in the current directory, you'll see something similar to this at the beginning of each line in the results:

-rwxrwxrwx

The repeated rwx sequences represent the notion of read (r), write (w), and execute (x) permissions for user, group, and other (in that order).

Hence the -rwxrwxrwx above indicates that user, group, and other have read, write and execute permissions for that file (or in other words: the owner of the file, anyone in the file's group, and everybody else has read, write, and execute permissions for that file).

Note that the leading - you'll see in permissions like -rwxrwxrwx simply indicates that this is a normal file (file type regular).

File Types


The possible file types you may see are depicted by preceding the permissions by one of these:

- = Regular File

d = Directory

l = Symbolic Link

b = Block Special Device

c = Character Device

s = Unix Socket (local domain socket)

p = Named Pipe

Here are a few more examples of what you might see:

-rw-rw-r--

A regular file, readable and writeable by user and group, but only readable by everybody else.

drwxr-xr-x

Note that the d above indicates that the permissions are for a directory (i.e. the file's type is a directory).

This directory is readable, writeable, and executable by "user" whilst only readable and executable by "group" and "other".

Also note that for directories, the execute mode bit x indicates access / searchability of that directory for a particular category of user.

-rw-------

The above permissions show that the owner of this regular file has read and write permission but nobody else has any permissions for that file.

If you see a file with permissions like this:

crw--w----

You'll know it refers to a "character device" (such as a tty) where the "user" has read and write permission, the "group" has write permission, and "other" has no permissions.

To recap, the meanings of r, w, and x for each of the three categories "user", "group", and "other" are illustrated in the image below which shows an ls -l command run in a directory which contains filename.txt:

A File's "User" And "Group"

The user name shown in the image above is the name of the user account which owns the file (normally the creator, but this can be changed using chown) whilst the group name is the creator's primary group (this can be changed using chgrp).

By default in Ubuntu, the default primary group is a group with the same name as the user.

This is the case above where both the user and group are "tutonics" (for more info about user accounts and groups, please read our post about user account and group management).

To understand how default permissions are determined, skip to section "Umask - Configuring Default File / Directory Permissions" below.

Special Mode Bits


Normal Process Permissions

When a process runs, it takes on the effective permissions of the user who started it. This means the process can only read / write / execute what the user has permissions for.

The same applies to the effective group id of a process, it assumes that of the user, so group permissions of the process mirror that of the user.

This behaviour gets changed when setuid and/or setgid bits are set as you'll see next.

Setuid - Set User ID

When the setuid bit is set for a program, on execution the process's effective user ID gets set to that of the program file itself (rather than that of the user running it).

If a file with permissions -rwxrwxrw- gets its setuid bit set, the permissions will be displayed as -rwsrwxrw-. Note the lower case s where the x was.

If however, the file didn't have the x permissions for the user, and then had the setuid bit set, you'd see -rwSrwxrw- instead.

So to recap, there is a difference between S and s: the former indicates just the setuid bit, the latter indicates setuid bit and execute x (for that position) in the permissions is set.

Setgid - Set Group ID

When the setgid bit is set for a program, on execution the process's effective group ID gets set to that of the program file (rather than that of the user's primary group).

Like setuid, the setgid bit is shown as either an S or s.

If a file starts out with -rw-r--r-- (no group x) and has its setgid bit set, you'd see it being displayed as -rw-r-Sr-- whereas if it started out as -rw-r-xr-- it would be displayed as -rw-r-sr-- once the setgid bit is set.

Setuid For Directories

When the setuid bit is set as part of a directory's permissions in Ubuntu, it does nothing, i.e. it has no effect (this is not the case for the setgid bit, as you'll see next).

Setgid For Directories

When the setgid bit is set for a directory, any files created in that directory will have the same group as that directory.

Also, any directories created in that directory will also have their setgid bit set.

Sticky Bit

Nowadays (for Linux) the sticky bit is used only in relation to directories.

When a directory has the sticky bit set, only root or the file's owner has permission to change files in that directory.

The letters T and t are used to indicate that the sticky bit is set, e.g. a directory with permissions drwxr-xr-x having the sticky bit set would change to drwxr-xr-t, whilst a dir with drwxr-xr-- would change to drwxr-xr-T (so t vs T depends on whether the "other" category has x permissions set or not respectively).

Permissions: Octal Representation

Sometimes, you'll see permissions referred to numerically in base 8 octal (i.e. using digits 0-7).

Permissions                Symbolic   Binary   Octal
read, write, and execute   rwx        111      7
read and write             rw-        110      6
read and execute           r-x        101      5
read                       r--        100      4
write and execute          -wx        011      3
write                      -w-        010      2
execute                    --x        001      1
no permissions             ---        000      0

So for example, using the table above, we can see that the file permissions -rwxrwxrwx can be represented in octal as 777 (because each rwx translates to an octal digit 7).

Note that the octal number refers to permissions, the file type does not matter.

So, if we wanted to represent the permissions drwxrwxrwx of a directory in octal, the same octal number 777 would also apply.


Other Octal Permission Examples:

User / Group / Other rwx Mode Symbols   Octal Equivalent
rwxr-xr-x                               755
rw-rw-r--                               664
rw-r--r--                               644
rw-------                               600

Changing File Permissions - Chmod

The chmod command is used to change the various permission bits of a file or directory.

The command takes the general form:

chmod MODE file

There are two ways to represent the MODE:

1. Using symbolic modes (letters to indicate the categories and permission)

2. Using numeric modes (an octal (base 8) number that represents the mode)

Using the "numeric modes" way of setting these permissions is shorter than the symbolic method, but not as flexible because you can't build on top of existing permissions, which is possible when using "symbolic modes".

Using Symbolic Modes With Chmod


In order to change the permissions of a file using symbolic permissions, use the command format:

chmod SYMBOLIC-MODE FILENAME

where SYMBOLIC-MODE is the symbolic representation of permissions (which we describe below) that you wish to apply to FILENAME.

The letters for user, group, and other are u, g, and o respectively. The letter a is used to mean all three of these categories.

The MODE above takes the form (as per manpage):

[ugoa...][[+-=][permissions...]...]

So, the operations available are:

+ (add the permissions to what currently exists).

- (remove the permissions from what currently exists).

= (set to this value only, replacing existing permissions).

When you combine the above with the permission letters r, w, and x you can run chmod commands like those shown below.

For example, to use chmod to set permissions of file "filename" to -rwxrwxrwx you could run:

chmod a=rwx filename

Breaking this down, the a means all and rwx means set read, write, and execute.

The = means that permissions are to be set to exactly what we specify (i.e. we overwrite the current permissions).

In this case you can get the same result more explicitly using either:

chmod ugo=rwx filename

or

chmod ugo+=rwx filename

Regarding just the symbolic mode part of the command, here are a few more examples:

To add read permission for all:

a+r

To remove read permission for all:

a-r

To add execute permissions for all:

a+x

To remove execute permissions for all:

a-x

To assign read, write permissions only for user and group:

ug=rw

To add read, write permissions to user and group to the permissions that already exist:

ug+rw

To remove execute permissions from group and other (i.e. from all users except the file's owner):

go-x

To remove permissions to do anything from all users except the owner:

go=

Note in the examples above and in general that there are different combinations that have the same effect.

Changing Special Modes Using Symbols

The setuid bit can be set using:

u+s

The setuid bit can be removed using:

u-s

Similarly, setgid can be set using:

g+s

and removed using:

g-s

The sticky bit can be set by using:

+t

and removed using:

-t

Using Numeric Modes With Chmod

To set the permissions of a file or directory using numeric modes, simply use the format:

chmod OCTAL-MODE FILENAME

where OCTAL-MODE is the octal form of the permissions.

For example, to set the permissions of filename to -rw-r--r-- you could run the command:

chmod 644 filename

or to change permissions to -rwxrwxrwx you could use the command:

chmod 777 filename

Be careful when setting permissions to 777 as this means every single user account can read, write, and execute that file.
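One way to check a directory tree for the over-permissive modes warned about above, together with setuid and setgid files. This is an added example, not part of the original tutorial; the sample tree and its file names are constructed for illustration, and a POSIX find is assumed.

```shell
#!/bin/sh
# make_sample_tree -> path of a scratch tree with known-good and risky modes.
# Every name below is constructed for this example.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/shared" "$t/dropbox"
    : > "$t/ok.txt";     chmod 644  "$t/ok.txt"
    : > "$t/open.txt";   chmod 777  "$t/open.txt"     # anyone can modify it
    : > "$t/helper";     chmod 4755 "$t/helper"       # setuid
    : > "$t/grouptool";  chmod 2755 "$t/grouptool"    # setgid
    chmod 1777 "$t/shared"     # world-writable, sticky bit set
    chmod 0777 "$t/dropbox"    # world-writable, no sticky bit
    echo "$t"
}

# audit_tree DIR -> one "finding<TAB>path" line per entry worth reviewing.
# "-perm -MODE" matches when all bits of MODE are set on the entry.
audit_tree() {
    find "$1" -type f -perm -0002 \
        -exec printf 'world-writable-file\t%s\n' {} \;
    find "$1" -type d -perm -0002 ! -perm -1000 \
        -exec printf 'world-writable-dir-no-sticky\t%s\n' {} \;
    find "$1" -type f -perm -4000 -exec printf 'setuid\t%s\n' {} \;
    find "$1" -type f -perm -2000 -exec printf 'setgid\t%s\n' {} \;
}

# Demo run on the constructed tree; ok.txt and shared/ are not reported.
tree=$(make_sample_tree) && audit_tree "$tree"
rm -rf "$tree"
```
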

Special Mode Bits

The setuid, setgid, and sticky bit can be set using chmod where

1 = sticky bit

2 = setgid

4 = setuid

For example to set the setuid bit along with permissions 766:

chmod 4766 filename

To set the setgid bit along with 776:

chmod 2776 filename

To set sticky bit along with 766:

chmod 1776 filename

To set both setuid (4) and setgid (2) along with 766, prepend with 6, i.e. 4+2:

chmod 6766 filename
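The numeric and symbolic forms can be cross-checked mechanically. The function below is an added example (not from the original tutorial): it converts the mode column of ls -l into the four-digit octal value chmod accepts, including the s/S and t/T cases. The function name and the sample strings are made up for illustration.

```shell
#!/bin/sh
# mode_to_octal MODESTRING -> four octal digits: special bits, user, group, other.
# MODESTRING is the first column of ls -l, e.g. -rwsr-xr-x or drwxrwxrwt.
mode_to_octal() {
    # Skip the file-type character and ignore any trailing ACL marker (+ or .).
    perms=$(printf '%s' "$1" | cut -c2-10)
    [ "${#perms}" -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    special=0 digits='' start=1
    for weight in 4 2 1; do              # setuid=4, setgid=2, sticky=1
        triplet=$(printf '%s' "$perms" | cut -c"$start"-$((start + 2)))
        # s/S is only valid for user and group, t/T only for other.
        case $weight in 1) lo=t up=T ;; *) lo=s up=S ;; esac
        d=0
        case $triplet in r??) d=$((d + 4)) ;; esac
        case $triplet in ?w?) d=$((d + 2)) ;; esac
        case $triplet in
            ??x)     d=$((d + 1)) ;;
            ??"$lo") d=$((d + 1)); special=$((special + weight)) ;;  # bit and x
            ??"$up") special=$((special + weight)) ;;                # bit, no x
            ??-)     ;;
            *)       echo "bad mode string: $1" >&2; return 1 ;;
        esac
        digits=$digits$d
        start=$((start + 3))
    done
    echo "$special$digits"
}

# Constructed sample strings covering the s/S and t/T cases from the text.
for m in -rwxr-xr-x -rwsrwxrw- -rwSrwxrw- -rw-r-Sr-- drwxr-xr-t drwxr-xr-T; do
    printf '%-12s %s\n' "$m" "$(mode_to_octal "$m")"
done
```
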

Umask - Configuring Default File / Directory Permissions


When a user creates a file, how does the system determine that file's initial permissions?

This is done based on the user's umask value.

The umask value specifies which permissions are not to be set.

In Ubuntu, the default umask value for a normal user is 002, while the default for root is 022.

You can find out the current umask value (or set it) using the umask command.

If (as a normal user) you run the command:

umask

You'll see something like 0002 displayed, however octal numbers are preceded by a 0 (in the same way hex would be preceded by 0x), so the umask value itself is actually 002.

This value is an octal (base 8, digits 0-7) value which is subtracted from a base value of 777 for directories, or subtracted from a base value of 666 for files.

A umask of 002 basically means don't remove any permissions from the base value for "user" or "group", but "other" is not allowed write permission (write permission is octal 2, or binary 010 meaning -w-).

So if we create a new file:

touch newfile.txt

The file permissions for this new file will be 666-002 = 664, i.e. -rw-rw-r-- (readable and writeable by user and group, but only readable by everyone else).

Similarly, if we create a new directory:

mkdir newDir

The file permissions for the directory newDir will be 777-002 = 775, i.e. drwxrwxr-x (readable, writeable, executable by user and group, but only readable and executable by everyone else).

If you wish to set the umask value to something else, simply use the umask command like so:

umask newvalue

where "newvalue" is an octal number representing which permissions you do not want to be set when files are created.
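The subtraction described above matches what the system does for 002 and 022, but the umask is applied as a bit mask (its bits are cleared from the base value), so the two can differ for other values. The following added example, which is not from the original tutorial, compares both calculations against files actually created; the function names are illustrative and stat -c assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# effective_mode BASE UMASK -> octal mode left after the umask bits are cleared.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# subtracted_mode BASE UMASK -> result of the "base minus umask" shortcut.
subtracted_mode() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# created_mode KIND UMASK -> mode the system gives a new file (or dir) under
# that umask, measured in a scratch directory that is removed afterwards.
created_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$2"
        if [ "$1" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
        stat -c '%a' "$tmp/new"
        rm -rf "$tmp"
    )
}

# compare UMASK -> one line per object type: shortcut vs mask vs measured.
compare() {
    printf 'umask %s file: subtract=%s mask=%s created=%s\n' "$1" \
        "$(subtracted_mode 666 "$1")" "$(effective_mode 666 "$1")" \
        "$(created_mode file "$1")"
    printf 'umask %s dir:  subtract=%s mask=%s created=%s\n' "$1" \
        "$(subtracted_mode 777 "$1")" "$(effective_mode 777 "$1")" \
        "$(created_mode dir "$1")"
}

compare 002   # the tutorial's case: all three agree
compare 033   # for a file the shortcut and the measured mode disagree
```

With a umask of 033 a new file cannot lose an execute bit it never had, which is why the measured mode keeps read permission for group and other instead of following the subtraction.
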

What's Next?

We'll be covering how to change file ownership and group ownership in the next post.

Thank you for reading this article. Please contact us if you have any suggestions for

improvements.
