Linux File Permissions Explained
Every Linux system uses file permissions to control who can read, write, or execute a file. Get them wrong and you either lock out legitimate users or leave sensitive files exposed. This guide explains how Linux file ownership and permissions work, how to read the permission string, and how to change permissions using chmod and chown.
Key Takeaways
- Every file has an owner, a group, and a permission set for three classes: owner, group, and others.
- Permission triplets use
r(read),w(write), andx(execute) — and behave differently on files versus directories. - Use
chmodto change permissions (symbolic or octal) andchownto change ownership. - The
umaskvalue controls default permissions for newly created files and directories. - Special bits (setuid, setgid, sticky) and POSIX ACLs handle cases the standard model cannot.
How Linux File Ownership and Permissions Are Structured
Every file and directory on Linux is assigned:
- An owner (a user account)
- A group (a set of users)
- A permission set for three classes: owner, group, and others
When a process tries to access a file, the kernel checks these classes in order — owner first, then group, then others — and stops at the first match. The classes are mutually exclusive: if you are the owner, only the owner bits apply, even if the group bits are more permissive.
How to Read rwx Permissions in Linux
Run ls -l to view permissions:
$ ls -l
-rw-r--r-- 1 alice developers 4017 Jun 1 10:00 config.conf
drwxr-x--- 2 alice developers 68 Jun 1 10:00 project/The first character is the file type (- for regular file, d for directory, l for symlink). The next nine characters are three permission triplets:
rw- r-- r--
↑ ↑ ↑
owner group othersEach triplet uses three bits: r (read), w (write), x (execute). A - means that permission is not set.
Note: If you see a
+at the end of the permission string (e.g.,-rw-r--r--+), the file has a POSIX ACL applied. Standardls -lwon’t show those extra rules — usegetfaclto inspect them.
What Each Permission Bit Actually Does
On files:
| Bit | Effect |
|---|---|
r | Read file contents (cat, cp) |
w | Modify or overwrite the file |
x | Execute the file as a program or script |
On directories:
| Bit | Effect |
|---|---|
r | List directory entries (file names) |
w | Create, rename, or delete files inside |
x | Traverse the directory (cd, open files by path) |
The execute bit on directories is often misunderstood. Without it, you cannot cd into the directory or access any file inside it by path — even if you have read permission.
How to Change Linux File Permissions with chmod
chmod accepts both symbolic and numeric (octal) modes.
Symbolic mode:
chmod u+x script.sh # add execute for owner
chmod go-w config.conf # remove write from group and others
chmod u=rwx,g=rx,o= app/ # set exact permissions for all classes
chmod -R u=rwX,g=rX,o=rX /var/www/html # recursive: capital X sets execute on directories and files that already have executeNumeric (octal) mode — each digit sums r=4, w=2, x=1:
chmod 644 config.conf # owner rw, group r, others r
chmod 750 script.sh # owner rwx, group rx, others none
chmod 700 ~/.ssh # owner only — correct for SSH directories
Discover how at OpenReplay.com.
How to Change File Ownership with chown
chown changes the owner, the group, or both:
chown alice config.conf # change owner only
chown alice:developers config.conf # change owner and group
chown -R www-data:www-data /var/www # recursive ownership changeHow Default Permissions Are Set with umask
New files don’t start with open permissions. The umask value masks out bits from the system default (typically 666 for files, 777 for directories). A umask of 022 produces 644 files and 755 directories — the most common default on Linux servers.
If the parent directory has a default ACL configured, those ACL rules are inherited instead of relying purely on the umask.
umask # view current umask
umask 027 # set stricter default: files 640, directories 750Special Permission Bits: setuid, setgid, and Sticky Bit
These extend the standard model for specific use cases:
- setuid (4xxx): An executable runs with the file owner’s privileges. Used by system binaries like
/usr/bin/passwd. Dangerous on custom scripts — avoid it. - setgid (2xxx) on a directory: New files inherit the directory’s group instead of the creator’s primary group. Useful for shared project directories.
- Sticky bit (1xxx) on a directory: Only the file owner, directory owner, or root can delete files inside. Standard on
/tmp.
chmod 2775 /shared/project # setgid on shared directory
chmod 1777 /tmp # sticky bit — already set by defaultBeyond Classic Permissions: ACLs and Security Modules
Standard rwx permissions cover most use cases, but they have limits. If you need to grant a specific user access without changing group membership, use POSIX ACLs via setfacl and getfacl. On systems running SELinux or AppArmor, security module policies apply on top of standard permissions — a file can be world-readable at the UNIX layer but still blocked by an SELinux policy.
Quick Reference: Common Permission Patterns
| Mode | Symbolic | Typical Use |
|---|---|---|
644 | rw-r--r-- | Web server config files, public content |
755 | rwxr-xr-x | Directories, executable scripts |
700 | rwx------ | Home directories, SSH keys directory |
600 | rw------- | Private key files (~/.ssh/id_rsa) |
2775 | rwxrwsr-x | Shared group directories |
1777 | rwxrwxrwt | World-writable directories like /tmp |
Conclusion
Linux file permissions follow a consistent, predictable model. Once you understand the owner/group/others structure, the rwx bits, and how chmod and chown apply them, you have the foundation to secure any file or directory correctly. For cases where the three-class model isn’t granular enough, reach for ACLs — and always keep the principle of least privilege in mind.
FAQs
Setting 777 grants read, write, and execute permissions to every user on the system. While it removes all access barriers, it also means any user or compromised process can modify or delete the file. Always assign the minimum permissions necessary for a file to function correctly.
chmod changes what actions (read, write, execute) are allowed on a file. chown changes who owns the file and which group it belongs to. You typically use chown to assign the right owner and group first, then chmod to set the appropriate permission bits for each class.
Listing requires the read (r) bit, but entering a directory requires the execute (x) bit. If a directory has r but not x, you can see file names with ls but cannot cd into it or open any file inside by path. Add the execute bit with chmod to fix this.
Use chmod with a capital X instead of lowercase x. The capital X flag sets execute only on directories and files that already have at least one execute bit set. For example, chmod -R u=rwX,g=rX,o=rX /path applies execute to directories while leaving regular files non-executable.
Gain control over your UX
See how users are using your site as if you were sitting next to them, learn and iterate faster with OpenReplay. — the open-source session replay tool for developers. Self-host it in minutes, and have complete control over your customer data. Check our GitHub repo and join the thousands of developers in our community.
