One of the hardest things for the beginner webmaster to get to grips with is how to use chmod correctly to set permissions on files on UNIX and Linux web servers. You need to set the correct permissions on CGI scripts when you install them, to stop those dreaded “500 Server Error” messages.
In this tutorial, I’m going to explain the concept of permissions, and show you how to set permissions using your FTP program or via SSH.
What are permissions?
On a UNIX web server, every single file and folder stored on the hard drive has a set of permissions associated with it, which says who is allowed to do what with the file. Every file (and folder) also has an “owner” and a “group” associated with it. If you created the file, then you are usually the owner of that file, and your group, or the group associated with the folder you created the file in, will usually be associated with that file.
Who can do stuff?
There are three types of people that can do stuff to files – the Owner of the file, anyone in the Group that the file belongs to, and Others (everyone else). In UNIX, these 3 types of people are referred to using the letters U (for Owner, or User in UNIX-speak!), G (for Group), and O (for Others).
What stuff can you do?
There are three basic things that can be done to files or folders:
- You can read the file. For folders, this means listing the contents of the folder.
- You can write to (change) the file. For folders, this means creating and deleting files in the folder.
- You can execute (run) the file, if it’s a program or script. For folders, this means accessing files in the folder.
What do all these funny letters and numbers mean?!
That’s the basics of permissions covered. As you can see, there’s not much to them really!
The confusion often occurs when you have to start actually setting permissions on your file server. CGI scripts will tell you to do things like “chmod 755” or “Check that the file is executable”. Also, when you use FTP or SSH, you’ll see lots of funny letters next to the files (such as rwxrw-rw-). We’ll now explain what all these hieroglyphics mean!
When you FTP to your web server, you’ll probably see something like this next to every file and folder:
This string of letters, drwxrwxrwx, represents the permissions that are set for this folder. (Note that these are often called attributes by FTP programs.) Let’s explain what each of these letters means:
| d | r | w | x | r | w | x | r | w | x |
|---|---|---|---|---|---|---|---|---|---|
| Owner | Group | Other | |||||||
| Directory | Read | Write | Execute | Read | Write | Execute | Read | Write | Execute |
As you can see, the string of letters breaks down into 3 sections of 3 letters each, representing each of the types of users (the owner, members of the group, and everyone else). There is also a “d” attribute on the left, which tells us if this is a file or a directory (folder).
If any of these letters is replaced with a hyphen (-), it means that permission is not granted. For example:
drwxr-xr-x- A folder which has read, write and execute permissions for the owner, but only read and execute permissions for the group and for other users.
-rw-rw-rw-- A file that can be read and written by anyone, but not executed at all.
-rw-r--r--- A file that can be read and written by the user, but only read by the group and everyone else.
Using numbers instead of letters
As we said earlier, you’ll often be asked to do things using numbers, such as “set 755 permissions”. What do those numbers mean?
Well, each of the three numbers corresponds to each of the three sections of letters we referred to earlier. In other words, the first number determines the owner permissions, the second number determines the group permissions, and the third number determines the other permissions.
Each number can have one of eight values ranging from 0 to 7. Each value corresponds to a certain setting of the read, write and execute permissions, as explained in this table:
| Number | Read (R) | Write (W) | Execute (X) |
|---|---|---|---|
| 0 | No | No | No |
| 1 | No | No | Yes |
| 2 | No | Yes | No |
| 3 | No | Yes | Yes |
| 4 | Yes | No | No |
| 5 | Yes | No | Yes |
| 6 | Yes | Yes | No |
| 7 | Yes | Yes | Yes |
So, for example:
777 is the same as rwxrwxrwx
755 is the same as rwxr-xr-x
666 is the same as rw-rw-rw-
744 is the same as rwxr--r--
Setting permissions
The two most common ways to set permissions on your files and folders is with FTP or SSH. Let’s take a look at FTP first.
Setting permissions with FTP
Your FTP program will probably allow you to set permissions on your files by selecting the file (in the remote window) and either right-clicking on it and selecting an option such as CHMOD or Set permissions, or by selecting CHMOD / Set permissions from a menu option.
Once you’ve selected the appropriate menu option, you’ll probably see a dialog box similar to the following (this is from CuteFTP for Windows):
As you can see, it’s pretty easy to set or un-set read, write and execute permissions for the owner, group and others using the check boxes. Alternatively, you can type in the equivalent 3-digit number, if you know it (see the previous section). Easy!
Setting permissions with SSH
The other common way to set permissions on your files is using SSH (or a standard shell if you’re actually sitting at your Web server). This is generally quicker if you want to change lots of files at once (e.g. change all .cgi files in a folder to have execute permission), but is a bit more fiddly for the beginner.
Once you’ve SSHed to your server and logged in, change to the folder containing the files you want to change, e.g.:
cd mysite/cgi-bin
You can then use the command chmod to set permissions on your files and folders. You can use the number notation described above, or you can use an easier-to-remember letter-based system.
Using number notation
To set permissions with numbers, use the following syntax:
chmod nnn filename
where nnn is the 3-digit number representing the permissions, and filename is the file you want to change. For example:
chmod 755 formmail.cgi
will assign read, write and execute permission to the owner, and just read and execute permission to everyone else, on the script called formmail.cgi.
Using letter notation
You can use the letters u (owner/user), g (group) and o (other) to set permissions for each of the user types, and r (read), w (write) and x (execute) to represent the permissions to set.
You can also use a instead of u, g, and o, to mean all users (u,g,o).
You assign permissions using either the plus sign (+), which means “add these permissions”, the minus sign (-), which means “remove these permissions”, or the equals sign (=), which means “change the permissions to exactly these”.
For example:
chmod a+x formmail.cgi adds execute permissions for all users to the file formmail.cgi (in other words, makes the file executable).
chmod u=rwx formmail.cgi sets read, write and execute permission just for the owner (the permissions for the group and for others remain unchanged).
chmod go-w formmail.cgi removes write permission for the group and for others, leaving the permissions for the owner unchanged.
Checking your permissions
You can check the permissions on all files and folders in the current directory by using the command:
ls -l
This will show you the permissions for every file and folder, in the same way as your FTP program does.
Happy CHMOD’ing!
Awesome tutorial. Thank you very much! ๐
Hi Matt, thank you so much. It is so simple and easy to understand. Much Much Appreciated.
@viscro: You’re welcome, thanks for the feedback ๐
Hi,
This post is wonderful. I usually do not read whole post/ Tutorial’s / HowTo’s on blogs however the preciseness and simplicity of the post made me read the whole post and actually understand the topic quite well (now just need to practically do it).
I wasn’t going to sign up but the quality of the posts basically the whole site compelled me to sign up.
Thanks for making Internet better with your presence.
Wonderful stuff
Nuvo.
@nuvo: Thanks for your kind words. I’m glad you enjoyed reading the post! ๐
As all the above comments; great job, simple & concise. HOWEVER, I was hoping to better understand the purpose of the permissions/attributes. Probably best for me to explain my issue…
EXAMPLE: I found your post after Googling: ftp “file attributes” for web folders.
MY PROBLEM: I wish to make a web folder available to all my clients ONLY for the purpose of them being able to download a zipped file (bundle of AntiVirus fixes).
How would you go about this? Is it not the correct use of folder permissions?
WHAT I’VE TRIED:
I’ve set the folder “/AV” to 444 i.e.’Read permission only’ for Owner, Group and Public. Yet, I am unable to view the folder at my domain now?! How much do I need to set in order for you and other to be able to goto mywebsite.com/AV and view&download the zip file.
Thank in anticipation of your reply.
Steve Walters. Small Business Helper Limited.
[Edited by sbusinesshelper on 11-May-11 14:02]
@sbusinesshelper: You need to set execute permission on a folder in order to be able to read the folder’s contents. Depending on your web server setup this might be 755 or 744.
You can set the file(s) within the folder to 644.
You pretty much always want to keep read/write permissions for the owner on files, and read/write/execute permissions for the owner on folders.
Very good post. Making me sign up even says how good and interesting to read your article is. Keep it up ๐
-Micz
R&D Engineer
the post is great …learned a lot from this.. thank u so much
[Edited by ESHWOR KC on 01-Jul-13 08:14]
Thanx! Very informative post…
However it is not fully complete,
My problem is how to understand these checkboxes
for User ID and Group ID (two checkboxes)
When filled in, I probably should enter a number in a text input for each (UID & GID).
How does this work?
“My problem is how to understand these checkboxes
for User ID and Group ID (two checkboxes)
When filled in, I probably should enter a number in a text input for each (UID & GID).”
What input boxes are you referring to?
“However it is not fully complete,”
Maybe not, but it can’t cover absolutely everything because ‘we’ do not know what it is you are using to set permissions.
But I shall hazard a guess.
Usually and assuming you are trying this on a LINUX server, when a username is created for a hosting control panel a ‘group’ will be created with the same name. So if your control panel login name is ‘bobajob’ your userID and groupID should be ‘bobajob’ (minus the quotes)
wonderful and neat article
Wonderful article. I have inherited a web business and am trying so hard to learn so I can continue to help customers as I try to shut parts of the business down. Thank you for the clear and concise tutorial.
Wow, this was written in 2001. Can’t believe it has survived that long ๐
its 2020, and this post is very awesome,
i know all of this permissions things
but the simplicity of this post made me to read it all,
keep going man
What a classic piece of writing. Thank you so much for sharing it! Still valuable in 2021. ๐
Thanks David ๐
1. whats the difference between “rwxr-xr-x” and “rwxr-xr-xr”?
2. Why 4 characters are used for the owner’s permission? like: rwxr-xr-x. In here the owner permission contains 4 characters, read permission 2 times here. why?
That 4th character (r) is part of the group permission, not the owner. There are 9 characters in total (3 sets of 3, for owner, group, and other respectively).
The first char there in your example is usually a ‘d’ for Directory. Not a permission for one of the three groups.
10 years later, i come here to see this page, and very easy to understand hehehe. thanks, matt!
Great stuff! You’re welcome ๐
This is a great post.
One thing I am fuzzy about is who is in “the group”? The three sets of permissions are for “User”, “Group”, and “World”.
But no where on the internet does it say who is in this Group. The middle set.
This is quite a good intro to Linux user groups:
https://www.geeksforgeeks.org/group-management-in-linux/
Hi! I have done all the things you wrote there. I still cant access the files. For example /snap/blender/460 is still “read only”, and I already did: chmod 777 /snap/blender/460 which told me: chmod: changing permission of ‘/snap/blender/460’ : Read-only file system
What should I do?
Br
Thunderball
Oh… Hi again!
I tried also mount -o rw /dev/loop4 /snap/blender/460
resulting in:
mount: /snap/blender/460: WARNING: device write-protected, monted read-only
thanks for the text.
-Thunderball
โRead-only file systemโ means just that: the volume that is storing your files and directories is set to read-only mode, so you canโt make any changes to it.
https://askubuntu.com/questions/47538/how-to-make-read-only-file-system-writable
Thanks Matt
Hi Matt, thank you so much. It is so simple and easy to understand. Much Much Appreciated.
Thank you very much. This is great document