Defining access rights as a numeric code. Examples of using the chmod command in absolute mode



Remember the shorthand version of the chmod command? Let's now consider another way to change access rights. At first glance it looks more complex.
Let's restore the original access rights of the example1.txt file:

-rw-rw-r-- 1 user user 42 Mar 24 22:07 example1.txt

Each type of access right can be represented as a number:
  • r = 4
  • w = 2
  • x = 1
  • - = 0

The sum of these values is used to set specific access rights. For example, if you want to grant read-write permission, you must use the number 6, since 4 (read) + 2 (write) = 6.
Here is the digital equivalent of the permissions for example1.txt:

-  (rw-)  (rw-)  (r--)
     |      |      |
   4+2+0  4+2+0  4+0+0

The sum of user rights is 6, the sum of group rights is 6, and the sum of other users' rights is 4. The permissions read 664.
If you want to change the permissions so that users belonging to your group can read the file but cannot change it, remove the corresponding permission from them by subtracting two from the corresponding set of numbers.
The digital equivalent will become equal to the number 644.
To put the new settings into effect, enter:

chmod 644 example1.txt

Now test the changes by typing the following command:

ls -l example1.txt

The output should be:

-rw-r--r-- 1 user user 42 Mar 24 22:17 example1.txt

Now neither the group nor other users have write permission to the example1.txt file. To return write permission to the group, add the write permission value (2) to the second set of permissions.

chmod 664 example1.txt

Here is a list of some commonly used settings, digital equivalents and their meanings:

  • -rw------- (600) - only the owner has rights to read and change the file;
  • -rw-r--r-- (644) - only the owner has read and change rights; the group and others have read-only permission;
  • -rwx------ (700) - only the file owner has rights to read, modify and execute the file;
  • -rwxr-xr-x (755) - the owner has read, modify and execute rights, and the group and other users have read and execute rights;
  • -rw-rw-rw- (666) - any user can read and modify the file (be careful with such rights);
  • -rwxrwxrwx (777) - any user can read, modify and execute the file (we warn you once again that in general it is dangerous to use such permissions).

Some common directory permissions:

  • drwx------ (700) - only the owner can read and change this directory;
  • drwxr-xr-x (755) - the owner can read and modify the directory; the group and other users have read and execute rights.

Many novice Linux users get confused when assigning access rights with the chmod command.

In this tip I will give clear, visual examples of using the chmod command. Just use these examples in your work, substituting the necessary files or directories.

The chmod command is a convenient tool for increasing the security of the operating system; it lets you assign access rights to files and directories.

If you are running the system with (or have been granted) extended superuser privileges as root, you will be able to change the access rights of any file and directory belonging to any user of the system.

If you are a standard user, you will only be able to assign or change permissions on directories and files that you create.

Access rights to files or directories can be assigned with the chmod command in two ways: symbolic mode and absolute mode.

Examples of using the chmod command in symbolic mode:

(The initial value of file permissions is rwxrwxrwx - full access for everyone; each command below is applied to the result of the previous one)

To revoke permission to execute the file for all users and groups:

$ chmod a-x file (rw-rw-rw-)

To revoke write permission on the file for the group and other users:

$ chmod go-w file (rw-r--r--)

To allow the owner to execute the file:

$ chmod u+x file (rwxr--r--)

To grant the group the same access rights that the file owner has:

$ chmod g=u file (rwxrwxr--)

To revoke read and write permission on the file for group users and other users:

$ chmod go-rw file (rwx--x---)

Examples of using the chmod command in absolute mode:

Permission to read, write and execute the file for all users and groups (full control):

$ chmod 777 file (rwxrwxrwx)

Read and write permissions for the owner, the group, and other users:

$ chmod 666 file (rw-rw-rw-)

Full access to the file for the owner and read-only access for the group and other users:

$ chmod 744 file (rwxr--r--)

Full access to the file for the owner and no access for the group and other users:

$ chmod 700 file (rwx------)

Read and write permissions for the file owner and read-only access for the group and others:

$ chmod 644 file (rw-r--r--)

Read and write permissions for the file owner, read-only access for his group, and no access for others:

$ chmod 640 file (rw-r-----)

Read-only access to the file for all users and groups:

$ chmod 444 file (r--r--r--)

Read, write and execute permissions for the owner, and read and execute permissions for the group and others:

$ chmod 755 file (rwxr-xr-x)

Read and execute access to the file for the owner and others, and no access for the group:

$ chmod 505 file (r-x---r-x)

If you want to assign permissions to all files in the current directory, simply put an * (asterisk) after the permissions you assign:

$ chmod 755 *

As a result of executing this command, the owner will have full rights (read, modify, execute) to all files in the current directory, while the group and other users will have only read and execute rights.

If you want your actions to propagate recursively (including all subdirectories), use the -R option:

$ chmod -R 777 *

The result of running the above command will be to recursively "traverse" all subdirectories of the current directory and assign full access to all users and groups.

This article covers just a few examples of using the chmod command. If you want to know more about how the chmod command and access rights work on Linux, pay attention to .

Good health, dear blog readers! We would all like every file or folder located on the hosting server and belonging to the site to be protected as much as possible from unauthorized access.

This protection is ensured due to the fact that 90% of hosters use Unix-like operating systems, in which it is possible to regulate access rights to all files and directories. The server of my hosting provider, on which several of my projects are located, is no exception.

By the way, be sure to take an interest by following the link provided. But let's continue. The rules established in Unix differ from the rules of work familiar to many in the Windows operating system, where protection in this aspect is not so strong, which sometimes leads to disastrous consequences in the form of virus infection of the system.

CHMOD for users and access rights to files and folders (directories)

In Unix-based systems the situation is different, and there is an opportunity to seriously complicate life for the bad guys who try to take advantage of the results of your long and painstaking work: namely, by correctly configuring CHMOD access rights. Our task is to grant the minimum possible rights to files and folders that still do not interfere with the correct operation of the site.

Agree, it's a sin not to take advantage of the opportunity to seriously strengthen protection. Of course, in this case editing some files will take a little more time, but here you have to choose: either optimizing system security, or... Below I will try to systematize the information on CHMOD (access rights), because there are several nuances that a webmaster needs to know. So, let's begin.

Access rights vary for different user groups. When a connection is attempted, the server determines which group to assign a particular user to. All users are divided into three categories:

  1. "user" - file owner
  2. "group" - one of the members of the group to which the owner belongs
  3. “world” - “rest of the world”, that is, all other users

If you connect to the server via FTP and log in using your username and password, you will be identified as "user" (u); if anyone else connects via FTP, they will be identified as "group" (g); and a user who comes in through a browser falls under the category "world" (o).

Now about CHMOD access rights to files and directories. In essence, they are slightly different, although the designations are the same. File permissions:

  • r (read) - the right to read file data
  • w (write) - the right to change content (you can only edit the content - write, but cannot delete)
  • x (execute) - the right to execute the file

Access rights to folders (directories):

  • r - the right to read the folder (you can get the contents of the directory, that is, the list of files included in it)
  • w - the right to change the contents (permission to create and delete objects in the directory; if you have the right to write files, then you can even delete objects that do not belong to you)
  • x - access right to a particular directory (the peculiarity here is that even if you have all the necessary rights to a file that is located “deep” in the directories, but do not have access rights to at least one subdirectory on the path to this object, then you won't be able to access it)

The hyphen “-” indicates the absence of any rights. All these rights are assigned by the administrator, who gains this opportunity by entering a password. If we can set the maximum possible restrictions on CHMOD access rights to certain resource files, then we can practically eliminate the danger of virus programs carrying out their “dirty deeds”.

For clarity, let's consider an example where the owner of the file, u, has all possible rights: read, write and execute. Users assigned to category g (group) have read and write only, and all others (o) have only read rights. Then the CHMOD entry will look like this: "rwx rw- r--".

Access rights to files and folders in digital terms: CHMOD (777, 755, 444)

But more often, webmasters in their practical activities have to assign certain access rights in digital terms:

  • r (read) - 4
  • w (record) - 2
  • x (performance) - 1
  • - (no rights) - 0

Now let's look at the above example again to assign the access rights "rwx rw- r--". To express the rights of each user category, its rights are added together (r read + w write + x execute). Thus, the part of the entry for the file owner u (user), "rwx", turns into 7 (4+2+1); for a member of the group g (group), "rw-" turns into 6 (4+2+0); and for other users o (world), "r--" turns into 4 (4+0+0). As a summary, here is a table with the values of CHMOD access rights, expressed in both letters and numbers:


Now I will present another table that reflects the total CHMOD rights for all user groups in numerical format:


These are the main combinations that are most often used in the work of a webmaster. The rest are formed by analogy. If you are an administrator of a site or blog, but are working with a project without connecting via the FTP protocol, you also belong to the “Other users” group. In this case, when working with a site in this mode, you need to take into account the last digit in the CHMOD value.

Typically, on the server where the files of your WordPress blog are located, the folders have access rights of 755, and the files inside them are set to 644. This is fine when the resource is built from HTML files, but nowadays websites are widely built with a CMS (content management system), and WordPress is one of them. And here there may be objects that need to be written to by the "world" user group. There may be folders into which content is uploaded, including images.

Therefore, the assignment of CHMOD rights to certain files must be differentiated. If you log into site management via FTP, you can perform any actions, however, in many cases we work with our project through, and in this case problems may arise if the rights are too high, and, conversely, if access rights to one or another file (folder) are underestimated, then the security threat increases. Therefore, based on the above, we can determine some recommendations for the practical use of CHMOD for a WordPress blog:

777 - for folders in which files are constantly being written and erased (for the caching folder)
755 - in relation to folders in which files are constantly written but not deleted
666 - for files where you need to add an entry from time to time (for example, a .htaccess file)
644 - for files that are read-only (.php, .html, etc.)

How to configure CHMOD permissions using FileZilla FTP manager

If you need to make some changes when working with a resource but cannot because editing is prohibited, you need to connect to the hosting server via FTP and change the access rights to 777. However, after making changes to the file, it is recommended to set the previous CHMOD again.

Now let's learn more about how to perform this operation using FileZilla. To do this, open the program and connect via FTP to the hosting server. On the "Remote server" side, we first mark the files whose attributes will be edited:

And from the context menu caused by pressing the right mouse button, select "File Permissions". After this a dialog box will appear "Change file attributes":

Here we assign the necessary CHMOD values for the selected file or files. But this applies only if you selected a file or a group of files. If you want to set or change CHMOD values for a directory (folder), then when you select "Change file attributes" a similar window will appear, somewhat different from the one above, namely:

You see, additional settings have appeared here. If you check the box next to the line "Recurse into subdirectories", the specified access rights will also be applied to the directories (folders) and files nested in this directory. When this box is checked, the group of settings below it becomes active, and you will also need to select how the settings should be applied: to all files and directories, only to files, or only to directories.

Changing permissions only for directories (recursively)

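# find passes the names straight to chmod, so any file name is handled correctly
$ find /path/to/base/dir -type d -exec chmod 755 {} +

# command substitution splits on spaces in names and fails on very long lists
$ chmod 755 $(find /path/to/base/dir -type d)

# same as above, with the older backtick syntax
$ chmod 755 `find /path/to/base/dir -type d`

# NUL-separated names: also safe with spaces and newlines in names
$ find /path/to/base/dir -type d -print0 | xargs -0 chmod 755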

Change permissions only for files (recursively)

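# find passes the names straight to chmod, so any file name is handled correctly
$ find /path/to/base/dir -type f -exec chmod 644 {} +

# command substitution splits on spaces in names and fails on very long lists
$ chmod 644 $(find /path/to/base/dir -type f)

# same as above, with the older backtick syntax, run from the current directory
$ chmod 644 `find ./ -type f`

# NUL-separated names: also safe with spaces and newlines in names
$ find /path/to/base/dir -type f -print0 | xargs -0 chmod 644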
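
The same find tests can be used to check a site tree against the 755/644 baseline before changing anything, in particular for the 666 and 777 modes the text warns about. This is an added example, not code from the original article; the function names and the sample tree it builds are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# constructed sample tree are hypothetical.

# Paths that "others" may write to: the 2 bit in the last octal digit
# (666, 777, 757 ...). Only regular files and directories are checked.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | LC_ALL=C sort
}

# Regular files with any execute bit set; the 644 baseline has none.
audit_executable_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
        LC_ALL=C sort
}

# Drop only the world-write bit (symbolic o-w). Every other bit is kept, so
# 777 becomes 775 and 666 becomes 664. "-exec ... {} +" copes with spaces.
revoke_world_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Octal mode of one path, computed from the ls -ld letters with the
# r=4, w=2, x=1 sums described in the article (no GNU-only stat needed).
octal_mode() {
    ls -ld "$1" | awk 'NR == 1 {
        m = substr($1, 2, 9); out = ""
        for (i = 0; i < 3; i++) {
            t = substr(m, i * 3 + 1, 3); d = 0
            if (substr(t, 1, 1) == "r") d += 4
            if (substr(t, 2, 1) == "w") d += 2
            c = substr(t, 3, 1)
            if (c == "x" || c == "s" || c == "t") d += 1
            out = out d
        }
        print out
    }'
}

# Constructed sample tree using the modes mentioned in the article.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site/cache" "$root/site/up loads"
    : > "$root/site/index.php"
    : > "$root/site/.htaccess"
    : > "$root/site/up loads/photo 1.jpg"
    chmod 755 "$root/site" "$root/site/up loads"
    chmod 777 "$root/site/cache"
    chmod 644 "$root/site/index.php"
    chmod 666 "$root/site/.htaccess"
    chmod 755 "$root/site/up loads/photo 1.jpg"
    printf '%s\n' "$root"
}

demo=$(build_sample_tree)
echo "world-writable:";   audit_world_writable "$demo/site"
echo "executable files:"; audit_executable_files "$demo/site"
revoke_world_write "$demo/site"
echo "after o-w: cache=$(octal_mode "$demo/site/cache")" \
     ".htaccess=$(octal_mode "$demo/site/.htaccess")"
rm -rf "$demo"
```

Run the two audit functions first and review their output; revoke_world_write changes modes and should only be pointed at a tree you own.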

Chmod Syntax for Folders and Files

Let's first understand the essence of the issue with Chmod in order to understand what exactly and how we configure it. So let's get started. Access rights are divided into Chmod for files and Chmod for directories. They are designated the same, but mean slightly different things.

Access rights (Chmod) to files are divided into:

    r - right to read data.

    w - the right to change the content (write - only change the content, but not delete).

    x - the right to execute the file.

Let's take a closer look at the file's execution rights. The fact is that in Linux (Unix), any file can be executed. Whether it is executable is determined not by its extension (the concept of extension is absent in the Unix file system), but by the Chmod access rights. If a file has the "x" right (chmod +x), this means that it can be executed.

Now about access rights (Chmod) to the folder (directory):

    r - right to read the directory (you can read the contents of the directory, i.e. get a list of objects located in it)

    w - the right to change the contents of the directory (you can create and delete objects in this directory, and if you have write permission, you can even delete files that do not belong to you)

    x - the right that allows you to enter the directory (this right is always checked first: even if you have all the necessary rights to an object that is buried deep in the directory chain, if you do not have the "x" right on at least one of the directories on the path to this file, you will never get through to it)

In Linux (Unix) systems, all these rights are granted by the main administrator of the computer, who gains access to it by entering a password. And if most objects have read-only access rights (Chmod), then viruses will have practically nothing to do on such a computer, because they will be able neither to write themselves there nor to be executed afterwards. This is exactly the result we need to achieve by setting access rights (Chmod) on the objects of our site.

Chmod syntax for user groups

The access rights themselves (Chmod) are divided into three categories, depending on who is accessing the object:

    “user” - u (directly owner of the file)

    "group" - g (member of the same group as the owner)

    "world" - o (all others)

The server determines which user group to assign you to when you connect to it. When you, for example, connect to a server via FTP, you log in with your username (and password), and then the server assigns you to the "user" ("u") group. Other users who also connect to the server via FTP will be assigned to the "group" ("g") group, and a user who comes to your site using a browser will be assigned to the "world" ("o") group.

Variations of the three possible values "r", "w" and "x" for the three categories "u", "g" and "o" determine the Chmod of a file. If a right is not granted, it is replaced with a hyphen "-". Access rights (Chmod) are specified sequentially in the following order:

    first the rights for the owner - “u”

    then for the group - “g”

    and at the end of the right for everyone else - “o”

After the server assigns a user to a certain group, it grants him rights to act on objects, after which the user will be able to read, write or execute the file (depending on what his group is allowed to do with this object). To view the contents of a folder, it must have the "r" read attribute (for the group to which the server assigned the user). To create a file or folder inside an existing folder, that folder must have the "w" (write) attribute.

For clarity, let's look at an example where the owner of the file ("user" - "u") has all rights: the right to read, write to it and execute, and all other users only have the right to read. The entry for such a Chmod will look like this: "rwx r-- r--". Let's look at it in detail: "rwx" (this part specifies the rights to the object for the owner - "u"), "r--" (this part specifies the rights to the same object if the user is assigned by the server to the group - "g"), "r--" (this part specifies the rights to the object for all other users - "o").

What is the difference between Chmod files and folders

  • File: nothing can be done. Folder: access to the directory and its subdirectories is denied.
  • File: can see and change content. Folder: you can add, delete, change files in the folder.
  • File: execute if the file is binary. Folder: the user can execute a binary file that he knows exists, but is not allowed to enter or read the directory.

Chmod syntax expressed in numbers (777)

You can see that here entries using Latin letters and hyphens are used to describe access rights, but you have probably already encountered the fact that Chmod is usually specified in digital form, for example, the well-known combination: Chmod 777, which allows everything to everyone. Indeed, access rights (Chmod) are also indicated by numbers:

    r (read) is replaced by 4

    w (write) is replaced by 2

    x (execution) is replaced by 1

    0 means do nothing (what is denoted by a hyphen in alphabetic notation)

Let's go back to the example of writing access rights that I gave a little earlier: rwx r-- r--. If we replace the letters and hyphens in it with numbers, in accordance with the rule just described, and add up the numbers in each triple, we will get the digital form of this entry: 744. That is, the sum of these numbers shows the Chmod of the file or folder. For example:

    7 (rwx) = 4 + 2 + 1 (full rights)

    5 (r-x) = 4 + 0 + 1 (read and execute)

    6 (rw-) = 4 + 2 + 0 (read and write)

    4 (r--) = 4 + 0 + 0 (read only)

This table shows all possible Chmod combinations written digitally:

Now let's look at the various Chmod combinations in numbers, in relation to user groups:

You yourself (except for the case when you access the site via FTP) and all other visitors to your site belong to the "world" group (everyone else), so to work with the website we need to look first at the last (third) Chmod number. In order for a script to "run a file" when a user works with the site, it is enough for the access rights (Chmod) on it to start from "4" (r-- - read only) (5, 6 and 7 are also suitable, but this will be unnecessary in terms of security).

For the "folder" in which the file of this script is located, you need to set at least "5" (r-x - you can go into the folder and read its contents, you cannot delete or add). 7 will also work, but it will also be redundant in terms of security. If you need the script not only to read but also to "write" some data (for example, data entered by the user), then the minimum rights for the "folder" will still be "5", but for the "file" you will need the rights "6" (read and write).

Most likely, on the server where you copied the contents of your website engine, the following Chmods will be installed on objects:

Folders 755

the owner (user) can do everything, the group and everyone else can only read folders and enter them, but they are prohibited from writing files, changing names and erasing them in directories. (rwxr-xr-x)

Files 644

If you had a website consisting of only HTML, then you could leave everything like that. But modern sites are built on engines, and there may be objects that need to be written to on behalf of users from the "world" group - o (all others). These can be folders used for caching pages or folders into which pictures and so on are uploaded as you work with the site. It goes without saying that if you access the site via FTP, you can write to these files or folders, but when working through the website's interface as a regular user, you may have problems. Therefore, the setting of particular Chmods must be approached selectively.

Each file and folder has 3 access attributes (rights):

  1. Reading right (indicated by the letter "r" from English "read").
  2. The right to edit and write to a file (indicated by the letter "w" from English "write").
  3. The right to execute (run) a script (indicated by the letter "x" from English "eXecute"). On shared hosting, the execute right applies only to folders and CGI scripts. For ordinary files (HTML pages, pictures, PHP scripts, etc.) the execution right will not apply.

For folders, these attributes mean:

  • The read right allows the user to list the contents of a folder.
  • The write right allows you to create and delete files in this folder.
  • The execute right allows you to enter this folder.

There are several ways to record access rights: alphabetic and numeric notation. Below are the correspondences between the two record types:

Digital   Letter   Rights
0         ---      Nothing is allowed
1         --x      Execute
2         -w-      Write
3         -wx      Write and execute
4         r--      Read
5         r-x      Read and execute
6         rw-      Read and write
7         rwx      Read, write and execute

User categories

For each file (and folder) there are 3 user categories:

  1. Owner of the file (folder).
  2. The user group that the owner belongs to.
  3. All other users.

If a digital record is used, the first digit determines the rights of the owner, the second - the rights of the group, and the third - the rights of all other users.

When writing alphabetically, the first three characters determine the rights of the owner, the second three determine the rights of the group, and the third three determine the rights of all other users.

Examples of access rights in digital and alphabetic records and explanations for them:

Digital   Letter      Owner                Group                Other
755       rwxr-xr-x   full access          read and execute     read and execute
644       rw-r--r--   write and read       read only            read only
555       r-xr-xr-x   read and execute     read and execute     read and execute

What rights should be set?

Typically the correct permissions for folders are "755", and for files - "644", but there may be exceptions that the site developer should be aware of. You can also find information on the access attributes used in the documentation or on thematic forums of the CMS you use.

How to change permissions on files and folders?

There are two ways to change access rights to a file or folder: in your hosting control panel and via SSH.

Changing permissions in the hosting control panel

To change permissions in your hosting control panel:


Changing permissions via SSH

To set permissions for an individual file:

Ready! File/folder permissions will be changed.
