
chmod Command Cheat Sheet

chmod (change mode) changes the file mode bits of each given file. It is the primary tool for managing access control (read, write, execute) for users, groups, and others on Linux systems.


Synopsis

chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
chmod [OPTION]... --reference=RFILE FILE...

Description

chmod changes the permissions of each given file according to mode, which can be either a symbolic representation of changes to be made, or an octal number representing the bit pattern for the new mode bits.


Permission Basics

Classes

  • u: User (owner)
  • g: Group
  • o: Others
  • a: All (u+g+o)

Permissions

  • r (4): Read
  • w (2): Write
  • x (1): Execute (or access for directories)
  • X: Execute only if file is a directory or already has execute permission for some user
  • s: Setuid/Setgid
  • t: Sticky bit

Numeric (Octal) Mode

Permissions are calculated by adding the values: Read (4) + Write (2) + Execute (1).

Digit User Group Others
7 rwx rwx rwx
6 rw- rw- rw-
5 r-x r-x r-x
4 r-- r-- r--
0 --- --- ---

Common Modes

Mode Values Description
777 rwxrwxrwx Everyone can read, write, execute (Insecure)
755 rwxr-xr-x Owner has full access; others can read/execute (Common for scripts/dirs)
644 rw-r--r-- Owner can read/write; others read-only (Common for files)
600 rw------- Owner can read/write; no one else (Private keys, secrets)
700 rwx------ Owner has full access; no one else (SSH dir)

Usage

chmod 755 script.sh
chmod 644 config.yaml
chmod 600 id_rsa

Symbolic Mode

Format: [classes][operator][permissions]

Operators

  • +: Add permission
  • -: Remove permission
  • =: Set exact permission (overwriting others)

Examples

Add execute for all:

chmod +x script.sh
# Equivalent to: chmod a+x script.sh

Remove write for group and others:

chmod go-w file.txt

Set group to read-only:

chmod g=r file.txt

Copy user permissions to group:

chmod g=u file.txt


Recursive Operations

Use -R to apply changes recursively to files and directories.

Warning: Using chmod -R 755 . makes all files executable too, which is usually not desired.

Correct Way to Fix Web Directory

Directories need execute (to traverse), files usually don't.

# Directories to 755
find /var/www -type d -exec chmod 755 {} +

# Files to 644
find /var/www -type f -exec chmod 644 {} +

Special Permissions

SUID (Set User ID)

Runs the executable with the permissions of the file owner (usually root).

  • Symbolic: u+s
  • Octal: 4000

chmod u+s /usr/bin/passwd
# Permissions look like: -rwsr-xr-x

SGID (Set Group ID)

  • Files: Runs with permissions of the file group.
  • Directories: Files created inside inherit the directory's group (essential for shared folders).
  • Symbolic: g+s
  • Octal: 2000

chmod g+s /shared/team_folder
# Permissions look like: drwxrwsr-x

Sticky Bit

Restricted deletion flag. On directories (like /tmp), prevents users from deleting files owned by other users.

  • Symbolic: +t
  • Octal: 1000

chmod +t /tmp
# Permissions look like: drwxrwxrwt

Reference Mode

Apply the same permissions as another file.

chmod --reference=good_file target_file

Verbose Output

To see what is being changed:

chmod -v 644 file.txt
# Output: mode of 'file.txt' retained as 0644 (rw-r--r--)

To see only changes:

chmod -c 644 file.txt

Practical Examples

Secure a Private Key

chmod 600 ~/.ssh/id_rsa

Make a Script Executable

chmod +x run_me.sh

Restrict Folder to Owner Only

chmod 700 PrivateFolder

Setup a Shared Group Directory

mkdir /srv/dev
chgrp developers /srv/dev
chmod 2775 /srv/dev
# 2 sets SGID (new files inherit the directory's group); 775 allows group write access

Troubleshooting

"Operation not permitted"

You are neither the owner of the file nor root. Only the owner or root can change a file's mode.

Capital 'X' vs Small 'x'

chmod -R a+X dir/ is safer than a+x. It adds execute permission only to directories and files that already have execute permission for someone. It doesn't blindly make text files executable.

"Read-only file system"

You cannot change permissions on a mounted read-only filesystem (like an ISO or specific mounts).


Common Mistakes

chmod 777

Never use 777 (full access for everyone) "just to make it work". It allows anyone on the system to modify or delete your files. Use specific group permissions instead.

Recursive disaster

Running chmod -R 777 / will destroy your system security and likely break it (sudo will stop working).
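
An added example, not part of the original cheat sheet: a POSIX shell audit that lists the risky modes covered above (world-writable files, world-writable directories lacking the sticky bit, and SUID/SGID files) under a directory. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Lists the risky modes this cheat sheet warns about under a given directory.

# Regular files writable by "others" (o+w), e.g. left behind by chmod 777.
find_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print
}

# Directories writable by "others" that lack the sticky bit (1000):
# any user can delete or rename other users' files inside them.
find_unsticky_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

# Regular files with SUID (4000) or SGID (2000) set; each needs a reason.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print "check<TAB>path" per finding. Returns 0 if clean, 1 otherwise.
audit_tree() {
    root=$1
    status=0
    for check in find_world_writable_files find_unsticky_writable_dirs \
                 find_setid_files; do
        # find exits non-zero on unreadable subtrees; keep partial results.
        hits=$("$check" "$root") || true
        if [ -n "$hits" ]; then
            status=1
            printf '%s\n' "$hits" | while IFS= read -r path; do
                printf '%s\t%s\n' "$check" "$path"
            done
        fi
    done
    return "$status"
}

# Usage: sh audit.sh /var/www   (exit status 1 means findings)
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```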

Exit Status

Code Meaning
0 Success
1 Error (permissions, missing file)