_____                   _             ___     _________  __
 |_   _|__ _ __ _ __ ___ (_)_ __   __ _| \ \   / / ____\ \/ /
   | |/ _ \ '__| '_ ` _ \| | '_ \ / _` | |\ \ / /|  _|  \  /
   | |  __/ |  | | | | | | | | | | (_| | | \ V / | |___ /  \
   |_|\___|_|  |_| |_| |_|_|_| |_|\__,_|_|  \_/  |_____/_/\_\
intermediate11 min

File Permissions: A Guide to chmod and chown

The Unix File Permission Model

In Linux and other Unix-based operating systems, file permissions are one of the fundamental building blocks of security. Every file and directory has a set of permissions that determine who can read, write, and execute it. This system guarantees data protection and system integrity in multi-user environments.

To view the permissions of a file, we use the ls -l command:

$ ls -l script.sh
-rwxr-xr-- 1 ali developers 2048 Jan 20 14:30 script.sh

The first 10 characters in this output carry the permission information. Let us now examine what each of these characters means in detail.

Decoding the Permission Structure

The permission string consists of 10 characters in the format: -rwxrwxrwx

  • 1st character: File type. - regular file, d directory, l symbolic link, b block device, c character device.
  • Characters 2-4 (rwx): Permissions for the file owner.
  • Characters 5-7 (rwx): Permissions for the group.
  • Characters 8-10 (rwx): Permissions for others.

Meaning of r, w, x Permissions

Each permission triplet contains three different permission types:

  • r (read): For files, the ability to read contents; for directories, the ability to list contents.
  • w (write): For files, the ability to modify contents; for directories, the ability to create/delete files.
  • x (execute): For files, the ability to run as a program; for directories, the ability to enter the directory (cd).
# Example permission breakdown
-rwxr-xr--

Type:   - (regular file)
Owner:  rwx (read + write + execute)
Group:  r-x (read + execute)
Others: r-- (read only)

Owner, Group, and Others

In Linux, every file has an owner and a group. Permissions are determined according to these three categories:

  • Owner (User): The user who created the file. Usually has the broadest permissions.
  • Group: The user group associated with the file. Team members working on the same project can be included in a common group.
  • Others: All users who are neither the owner nor group members.
$ ls -l projects/
drwxrwxr-x 2 ali developers 4096 Jan 20 14:30 web-app
-rw-rw-r-- 1 ali developers 1024 Jan 20 14:30 README.md

# Owner: ali
# Group: developers
# web-app directory: owner and group full access, others read+execute
# README.md: owner and group read+write, others read only

Numeric (Octal) Notation

Permissions can be expressed with numbers (octal) as well as letters (symbolic). Each permission type is assigned a numeric value:

  • r = 4
  • w = 2
  • x = 1
  • No permission = 0

These values are summed for each triplet:

rwx = 4 + 2 + 1 = 7
rw- = 4 + 2 + 0 = 6
r-x = 4 + 0 + 1 = 5
r-- = 4 + 0 + 0 = 4
--- = 0 + 0 + 0 = 0

This produces a three-digit number. For example:

-rwxr-xr-- = 754
-rw-rw-r-- = 664
-rwxr-xr-x = 755
-rw-r--r-- = 644
-rwx------ = 700

Changing Permissions with chmod

The chmod (change mode) command is used to change the permissions of files and directories. It supports two different syntaxes: symbolic and numeric.

Numeric Method

# Owner: rwx, Group: r-x, Others: r-x
$ chmod 755 script.sh

# Owner: rw-, Group: r--, Others: r--
$ chmod 644 document.txt

# Owner: rwx, Group: ---, Others: ---
$ chmod 700 secret-script.sh

# Owner: rw-, Group: rw-, Others: ---
$ chmod 660 shared-file.txt

# Apply to directory and all contents (-R: recursive)
$ chmod -R 755 public/

Symbolic Method

In symbolic notation, you specify the target (u=owner, g=group, o=others, a=all) and the operation (+=add, -=remove, ==set exactly):

# Add execute permission for owner
$ chmod u+x script.sh

# Remove write permission from group
$ chmod g-w file.txt

# Remove all permissions for others
$ chmod o-rwx secret.txt

# Give read permission to everyone
$ chmod a+r document.txt

# Owner read+write, group read, others nothing
$ chmod u=rw,g=r,o= file.txt

# Multiple changes at once
$ chmod u+x,g+r,o-w file.txt

Changing Ownership with chown

The chown (change owner) command changes the owner and group of files and directories. This command generally requires root privileges.

# Change owner
$ sudo chown ali file.txt

# Change owner and group
$ sudo chown ali:developers file.txt

# Change group only
$ sudo chown :developers file.txt
# or using the chgrp command
$ sudo chgrp developers file.txt

# Change ownership of directory and all contents
$ sudo chown -R ali:developers project/

# Change ownership of the symbolic link itself
$ sudo chown -h ali link.txt

Common Permission Patterns

Here are the permission configurations you will frequently encounter in practice:

# Web server files
$ chmod 644 index.html     # Everyone can read, owner can write
$ chmod 755 cgi-bin/       # Everyone can enter directory, owner full access

# Shell scripts
$ chmod 755 deploy.sh      # Everyone can execute
$ chmod 700 admin-script.sh # Only owner can execute

# Configuration files
$ chmod 600 .env           # Only owner can read/write
$ chmod 644 config.yaml    # Everyone can read, owner can write

# SSH keys (very important!)
$ chmod 700 ~/.ssh         # Only owner can access
$ chmod 600 ~/.ssh/id_rsa  # Private key: owner only
$ chmod 644 ~/.ssh/id_rsa.pub # Public key: everyone can read

# Shared project directory
$ chmod 775 /shared/project/ # Owner and group full access

Special Permission Bits

In addition to the standard rwx permissions, there are three special permission bits:

SUID (Set User ID) — 4000

When SUID is set on a file, the file runs with the owner's privileges when executed. The passwd command is an example of this: regular users can change their passwords because passwd runs with root privileges.

$ chmod u+s program
$ chmod 4755 program
$ ls -l program
-rwsr-xr-x 1 root root 1234 Jan 20 program

SGID (Set Group ID) — 2000

When SGID is set on a directory, files created in that directory inherit the directory's group. This is very useful for team collaboration.

$ chmod g+s /shared/project/
$ chmod 2775 /shared/project/
$ ls -ld /shared/project/
drwxrwsr-x 2 ali developers 4096 Jan 20 /shared/project/

Sticky Bit — 1000

When the sticky bit is set on a directory, only the file owner or root can delete files in the directory. The /tmp directory is an example of this.

$ chmod +t /shared/
$ chmod 1777 /tmp
$ ls -ld /tmp
drwxrwxrwt 15 root root 4096 Jan 20 /tmp

Security Considerations

  • Apply the principle of least privilege: Give files only the minimum permissions they need. Permission 777 should be avoided whenever possible.
  • Protect sensitive files: .env files, database configurations, and private keys must have 600 or more restrictive permissions.
  • SSH key permissions: SSH checks the permissions of key files and rejects keys with overly broad permissions. Use 600 for private keys and 700 for the .ssh directory.
  • Web server directories: Web-accessible files should be 644, directories should be 755. Write permission should only be granted where necessary.
  • Use SUID carefully: Files with SUID set can pose security risks. Only set SUID on programs you trust and genuinely need.
  • Audit regularly: Use find / -perm -4000 to regularly check for SUID-enabled files.

Understanding and correctly applying file permissions is essential for managing a secure Linux system. By applying the knowledge in this guide to your daily work, you can both protect your files and facilitate team collaboration.

← Previous Article10 Essential Terminal Commands Every Developer Should KnowNext Article →Pipes and Redirection: Combining Commands
← Back to Blog