
chmod is a generally straightforward command, so this article focuses on its more obscure aspects.

Execute Only on Directories

To enter a directory and read what is inside it, execute permission must be granted on the directory. As a result, administrators will often end up granting execute to both directories and files when execute is necessary only for directories.

A typical situation: an existing folder, for example /home/ckent/daily-planet-articles/, contains a number of existing directories and files owned by ckent. ckent now wants to grant read access to this folder to other members of his team, who belong to the group wgdailyplanet, but not to anybody else. Here are the desired settings:

| Type | Owner | Group | Other |
|---|---|---|---|
| Directories | leave alone | rx | remove permissions |
| Files | leave alone | r | remove permissions |

Notice that the group wgdailyplanet must have execute permission on directories. Otherwise, members of wgdailyplanet will not be able to traverse (cd into) the directories.

Administrators often use this:

cd /home/ckent/
sudo chown -R ckent:wgdailyplanet ./daily-planet-articles/
sudo chmod -R g+rx,o-rwx ./daily-planet-articles/

This will work, but the resulting effect will look like this,

| Type | Owner | Group | Other |
|---|---|---|---|
| Directory | left alone | rx | permissions removed |
| File | left alone | rx | permissions removed |

The proper way to provide execute only to directories,

sudo chmod -R g+rX,o-rwx ./daily-planet-articles/

The key is the capital X permission symbol, which sets execute/search only when one or more of these criteria are met:

  • The file is a directory (everything in *nix is a file, even a directory)
  • Execute permission already set somewhere in Owner, Group or Other.

This covers the scenario of resetting permissions. But what if ckent had been carefully setting up permissions and had explicitly set execute permission on some files, and does not want members of the group wgdailyplanet to execute those files, only read them?

In that case, the find command must be used to be more explicit,

cd /home/ckent/
sudo chown -R ckent:wgdailyplanet ./daily-planet-articles/
sudo find ./daily-planet-articles/ -type d -print0 | sudo xargs -0 chmod u+rwx,g+rX,o-rwx
sudo find ./daily-planet-articles/ -type f -print0 | sudo xargs -0 chmod g+r,o-rwx
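
The three approaches above, compared on a throwaway tree; this is an added example, not part of the original article. It assumes a POSIX shell with mktemp, skips chown and sudo, uses find -exec ... {} + in place of -print0 | xargs -0, and all file names in it are constructed.

```shell
#!/bin/sh
# Added example: compare g+rx, g+rX and the find-based approach on a
# constructed tree. Paths and file names below are made up for the demo.

# Print the symbolic mode (e.g. drwxr-x---) of one path.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Build a constructed sample tree with known starting modes; print its path.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/articles/drafts"
    printf 'text\n' > "$root/articles/drafts/story.txt"
    printf '#!/bin/sh\necho publish\n' > "$root/articles/publish.sh"
    chmod 755 "$root/articles" "$root/articles/drafts"
    chmod 644 "$root/articles/drafts/story.txt"
    chmod 744 "$root/articles/publish.sh"   # owner-only execute, set on purpose
    printf '%s\n' "$root/articles"
}

# Apply one strategy to a fresh tree; print "<dir> <plain file> <script>" modes.
apply_strategy() {
    tree=$(make_tree) || return 1
    case "$1" in
        lower_x) chmod -R g+rx,o-rwx "$tree" ;;   # execute lands on every file
        upper_X) chmod -R g+rX,o-rwx "$tree" ;;   # dirs, plus files already executable
        find)                                      # dirs and files handled separately
            find "$tree" -type d -exec chmod u+rwx,g+rX,o-rwx {} +
            find "$tree" -type f -exec chmod g+r,o-rwx {} +
            ;;
        *) return 2 ;;
    esac
    printf '%s %s %s\n' "$(mode_of "$tree/drafts")" \
        "$(mode_of "$tree/drafts/story.txt")" "$(mode_of "$tree/publish.sh")"
    rm -rf "$(dirname "$tree")"
}

# Show all three results side by side.
for s in lower_x upper_X find; do
    printf '%-8s %s\n' "$s" "$(apply_strategy "$s")"
done
```

Only the find variant leaves publish.sh readable but not executable by the group; capital X still grants group execute there because the owner's execute bit was already set.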