Linux File Permissions Explained (With Examples)

4 min read
Beginner Linux Permissions Security Basics

Quick Answer: ls -la shows permissions. Format: -rwxr-xr-- means owner can read/write/execute, group can read/execute, others can read only. chmod 755 file sets rwxr-xr-x. chmod 644 file sets rw-r--r--. chown user:group file changes ownership.

How Permissions Work

Every file and directory in Linux has three sets of permissions for three types of users:

User Type Who Example
Owner (u) The user who owns the file You created the file
Group (g) Users in the file's group Your team
Others (o) Everyone else The public

Each set has three permissions:

Permission Letter Number On Files On Directories
Read r 4 View contents List files inside
Write w 2 Modify contents Create/delete files inside
Execute x 1 Run as program Enter the directory (cd)

Reading Permission Strings

ls -la

Output:

-rwxr-xr-- 1 sam developers 4096 Apr 06 12:00 script.sh
drwxr-xr-x 2 sam developers 4096 Apr 06 12:00 mydir/

Breaking down -rwxr-xr--:

-    rwx    r-x    r--
│    │      │      │
│    │      │      └── Others: read only
│    │      └── Group: read + execute
│    └── Owner: read + write + execute
└── File type (- = file, d = directory, l = symlink)

Numeric (Octal) Notation

Add up the numbers for each permission:

Permission Number
Read (r) 4
Write (w) 2
Execute (x) 1
None (-) 0

Three digits = owner, group, others:

Octal String Meaning
755 rwxr-xr-x Owner full, others read+execute
644 rw-r--r-- Owner read+write, others read only
700 rwx------ Owner full, no one else
600 rw------- Owner read+write, no one else
777 rwxrwxrwx Everyone full access — never use this
750 rwxr-x--- Owner full, group read+execute
664 rw-rw-r-- Owner+group read+write, others read

chmod — Change Permissions

Numeric Method

chmod 755 script.sh        # rwxr-xr-x
chmod 644 config.txt       # rw-r--r--
chmod 600 id_rsa           # rw------- (SSH private key)
chmod 700 .ssh/            # rwx------ (SSH directory)

# Recursive (all files in directory)
chmod -R 755 /var/www/html/

Symbolic Method

chmod +x script.sh         # Add execute for everyone
chmod u+x script.sh        # Add execute for owner only
chmod g+w file.txt         # Add write for group
chmod o-r file.txt         # Remove read for others
chmod u=rwx,g=rx,o=r file  # Set exact permissions
chmod a+r file.txt         # Add read for all (a = all)

chown — Change Ownership

# Change owner
chown sam file.txt

# Change owner and group
chown sam:developers file.txt

# Change group only
chown :developers file.txt
# Or use chgrp:
chgrp developers file.txt

# Recursive
chown -R www-data:www-data /var/www/html/

Common Permission Patterns

Use Case Permission Why
Web files 644 Web server reads, only owner edits
Web directories 755 Web server enters and lists, only owner modifies
Scripts 755 Everyone can run, only owner edits
SSH private key 600 SSH refuses to use keys with loose permissions
SSH directory 700 Only your user can access
Shared directory 775 Owner and group can modify
Config files 640 Owner read/write, group read, others nothing
Secrets/passwords 600 Only owner
Log files 640 App writes, group reads for monitoring

Special Permissions

SUID (Set User ID)

When set on an executable, it runs as the file owner instead of the user running it.

# Example: passwd runs as root even when a normal user runs it
ls -la /usr/bin/passwd
-rwsr-xr-x 1 root root 68208 ... /usr/bin/passwd
#   ^ the 's' means SUID is set

# Set SUID
chmod u+s program
chmod 4755 program

SGID (Set Group ID)

On files: runs as the file's group. On directories: new files inherit the directory's group.

# Set SGID on directory (new files inherit group)
chmod g+s /shared/
chmod 2775 /shared/

Sticky Bit

On directories: only the file owner can delete their own files (even if others have write access). Used on /tmp.

ls -la /tmp
drwxrwxrwt ... /tmp
#         ^ the 't' means sticky bit

# Set sticky bit
chmod +t /shared/
chmod 1777 /shared/

Troubleshooting

# Permission denied running a script?
chmod +x script.sh

# Can't edit a file?
ls -la file.txt            # Check owner and permissions
sudo chown $USER file.txt  # Take ownership

# SSH key refused?
chmod 600 ~/.ssh/id_rsa
chmod 700 ~/.ssh/

# Web server 403 Forbidden?
chown -R www-data:www-data /var/www/html/
chmod -R 755 /var/www/html/

# Find files with wrong permissions
find /var/www -not -user www-data    # Wrong owner
find /var/www -type f -perm 0777     # World-writable files (bad)

Default Permissions (umask)When you create a new file or directory, the default permissions come from umask. The umask removes (masks out) permissions from the defaults: 666 for files, 777 for directories.``bashumask # View current (e.g., 0022)# umask 022: new files = 644, new dirs = 755# umask 077: new files = 600, new dirs = 700 (private)umask 077 # Set stricter umask`Add umask 022 to ~/.bashrc` to make it permanent.---

See Also