Linux File Permissions: Complete Guide to chmod, chown, and Security
Stop getting "Permission denied" errors. Master Linux permissions with this comprehensive guide to chmod, chown, and the permission model that protects your files.
Why Understanding Permissions Is Critical
File permissions are the foundation of Linux security. They control who can read your data, modify your files, and execute your programs. Understanding permissions is not optional - it's essential for working safely and effectively in Linux.
Every "Permission denied" error, every security vulnerability, every file access issue traces back to permissions. Developers struggle with deployment permissions. Administrators battle with web server access. Users fight with SSH key errors. All of these problems stem from misunderstanding the permission model.
But permissions aren't complicated once you grasp the fundamentals. The system is logical, consistent, and predictable. Learn to read permission strings, understand chmod and chown, and you'll debug access issues in seconds instead of hours.
This guide covers the complete permission system - from basic concepts to advanced techniques. Master these six core concepts and you'll handle permissions with confidence, whether you're securing sensitive data or debugging why your script won't run.
Common Permission Mistakes
Using 777 Permissions
The Problem: Setting chmod 777 gives full access to everyone - a massive security hole. It's almost never the right solution, even though it "fixes" permission errors.
The Solution: Identify who actually needs access and give minimum required permissions. For web files, use 644 (files) and 755 (directories). For scripts, use 755. For private data, use 600 or 700. Only use 777 if you fully understand the security implications.
Not Understanding Directory Execute Permission
The Problem: Setting directory permissions to 666 (rw-rw-rw-) seems logical but makes the directory unusable. Without execute permission, you cannot access it.
The Solution: Directories need execute permission to be accessible. Use 755 for public directories, 750 for group-accessible, 700 for private. Remember: directories almost always need execute along with read.
Forgetting Recursive Flag
The Problem: Running chmod or chown on a directory without -R only changes the directory itself, not the files inside, leading to confusing permission issues.
The Solution: Use chmod -R and chown -R for directories when you want to change contents. Be careful with recursive operations - verify your path first. Consider using find for more precise control over which files to change.
Incorrect SSH Key Permissions
The Problem: SSH refuses to use private keys with wrong permissions (too open). This is a security feature, not a bug, but confuses many users.
The Solution: SSH private keys must be 600 (owner read/write only): chmod 600 ~/.ssh/id_rsa. Public keys should be 644: chmod 644 ~/.ssh/id_rsa.pub. The .ssh directory itself should be 700: chmod 700 ~/.ssh.
6 Essential Permission Concepts
Master these core concepts and permissions will never confuse you again. Each builds on the previous to create complete understanding.
Understanding the Permission Model
Linux uses a three-tier permission system: Owner, Group, and Others. Each tier has three permission types: Read (r), Write (w), and Execute (x).
# File permissions example
-rw-r--r-- report.txt
│││ │││ │││
│││ │││ └──┴── Others: read only (r--)
│││ └──┴────── Group: read only (r--)
└──┴────────── Owner: read + write (rw-)
# Directory permissions example
drwxr-xr-x documents/
│││ │││ │││
│││ │││ └──┴── Others: read + execute (r-x)
│││ └──┴────── Group: read + execute (r-x)
└──┴────────── Owner: full access (rwx)Pro Tips: Execute permission on directories is often misunderstood. Without it, you cannot cd into the directory or access files inside, even if you have read permission. Always set execute when setting read on directories.
Reading Permission Strings
When you run ls -l, the first column shows permissions as a 10-character string. Learning to decode this instantly tells you who can do what.
# View permissions
$ ls -l
-rw-r--r-- 1 user group 1024 Jan 15 10:30 document.txt
drwxr-xr-x 2 user group 4096 Jan 15 10:31 projects/
-rwxr-xr-x 1 user group 2048 Jan 15 10:32 script.sh
-rw------- 1 user group 256 Jan 15 10:33 private.key
# Breakdown of -rw-r--r--:
- : Regular file (not directory)
rw- : Owner can read and write
r-- : Group can only read
r-- : Others can only readPro Tips: Practice reading permission strings until it becomes second nature. When debugging access issues, always check ls -l first. The permissions, owner, and group tell you exactly why access is denied or allowed.
Using chmod with Numeric Notation
Numeric (octal) notation is the fastest way to set permissions. Each permission has a value: r=4, w=2, x=1. Add them up for each user type.
# Calculate permissions:
chmod 755 script.sh
│││
││└─ Others: 5 (4+1) = r-x
│└── Group: 5 (4+1) = r-x
└─── Owner: 7 (4+2+1) = rwx
# Common use cases:
chmod 644 document.txt # Regular files
chmod 755 script.sh # Executable scripts
chmod 700 private_dir/ # Private directories
chmod 600 ~/.ssh/id_rsa # SSH private keys
chmod 755 /var/www/html # Web directories
chmod 644 /var/www/*.html # Web filesPro Tips: Memorize these common modes: 644 (files), 755 (executables/dirs), 700 (private), 600 (sensitive files). They cover 90% of permission needs. Use chmod -R for recursive changes on directories.
Using chmod with Symbolic Notation
Symbolic notation is more readable and precise for making specific changes without affecting other permissions. It uses u (user/owner), g (group), o (others), a (all).
# Add execute for owner
chmod u+x script.sh
# Remove write for group and others
chmod go-w file.txt
# Set exact permissions for others (read only)
chmod o=r document.txt
# Add read and write for owner, read for group
chmod u+rw,g+r file.txt
# Remove all permissions for others
chmod o-rwx sensitive.txt
# Make executable for everyone
chmod a+x program.sh
# Set directory permissions recursively
chmod -R u=rwX,g=rX,o= private_project/Pro Tips: Use symbolic notation when you want to modify specific permissions without changing others. It's safer for scripts since you don't need to know current permissions. The uppercase X is useful for recursive directory operations.
Changing Ownership with chown
The chown command changes file ownership. Only root can change owners, but file owners can change group if they belong to the target group.
# Change owner only
sudo chown alice file.txt
# Change group only
sudo chown :developers file.txt
# or
sudo chgrp developers file.txt
# Change both owner and group
sudo chown alice:developers file.txt
# Recursive change for web server
sudo chown -R www-data:www-data /var/www/html
# Fix user home directory ownership
sudo chown -R newuser:newuser /home/newuser
# Change ownership and preserve permissions
sudo chown alice file.txt && chmod 644 file.txt
# View current ownership
ls -l file.txtPro Tips: Most chown operations require sudo since only root can change file owners. When setting up web servers or shared directories, always chown first, then chmod. Use chown -R carefully - verify your target directory before running.
Understanding umask and Default Permissions
The umask sets default permissions for new files and directories. It works by subtracting permissions from the base maximum (666 for files, 777 for directories).
# Check current umask
$ umask
0022
# Set umask for current session
umask 0027
# Test it - create a file and directory
$ touch testfile.txt
$ mkdir testdir
$ ls -l
-rw-r----- testfile.txt (640)
drwxr-x--- testdir/ (750)
# Set umask permanently
# Add to ~/.bashrc or ~/.profile:
umask 0022
# Set different umask for scripts
#!/bin/bash
umask 0077
# Now all files created by script are privatePro Tips: The leading 0 in umask values (0022) indicates octal notation. Set restrictive umask (0077) for security-sensitive environments. Remember: umask subtracts permissions, so higher umask = more restrictive (fewer permissions).
Your First Steps to Permission Mastery
Understanding permissions comes from practice, not memorization. Follow these three steps to build real-world skills.
Practice Reading Permissions
Run ls -l in different directories (/home, /var, /etc) and practice decoding permission strings. Try to predict what each file's permissions allow before checking. Within a week, reading permissions will be instant.
Create a Test Environment
Make a practice directory and create test files. Practice chmod with both numeric (chmod 755) and symbolic (chmod u+x) notation. Try different permission combinations and verify with ls -l. This hands-on practice builds real understanding.
Audit Your Important Files
Check permissions on ~/.ssh/, important scripts, and configuration files. Fix any issues: SSH keys should be 600, executables 755, configs 644. Use find ~/.ssh -ls to see all permissions at once. This practical audit reinforces good permission hygiene.
Master Linux Permissions and System Security
This guide covers essential permissions. The Practical Linux Handbook includes advanced permission topics, special permissions, ACLs, and complete system administration.
What You'll Learn:
- Complete permission system mastery (chmod, chown, umask)
- Special permissions (setuid, setgid, sticky bit)
- Access Control Lists (ACLs) for fine-grained control
- User and group management
- Security best practices and hardening
Beyond Permissions:
- 70+ Linux commands with detailed examples
- File operations and system monitoring
- Network administration and troubleshooting
- Shell scripting and automation basics
- 3 bonus editor cheat sheets (Vim, Nano, Emacs)
Frequently Asked Questions
What's the difference between chmod 755 and chmod +x?
chmod 755 sets exact permissions (rwxr-xr-x), replacing whatever was there. chmod +x only adds execute permission, keeping existing read/write permissions intact. Use 755 when you want specific permissions, +x when you just want to make something executable.
Why can't I change file ownership without sudo?
Only root (superuser) can change file owners in Linux. This prevents users from circumventing disk quotas or framing other users. You can change group ownership if you belong to the target group, but changing the owner always requires sudo.
What does the 's' or 't' mean in permission strings?
These are special permissions. 's' in owner position (rws) is setuid (runs with owner's permissions). 's' in group position is setgid (inherits directory group). 't' at the end (rwt) is sticky bit (only owner can delete files). Common on /tmp directory.
How do I fix 'Permission denied' errors?
First, check permissions with ls -l. Verify you're the owner or in the correct group. For files, ensure you have needed permission (r to read, w to write, x to execute). For directories, ensure you have execute permission to access. Use sudo if you need root access.
What permissions should I use for a shared team directory?
Create a group for your team, set directory ownership to that group with chown :teamname, then use chmod 2775. The '2' sets setgid so new files inherit the group. 775 gives full access to owner and group, read/execute to others. Use umask 0002 for team members.
Can I see who has access to a file?
Use ls -l to see permissions, owner, and group. getfacl shows advanced ACLs if set. To see who belongs to a group, use getent group groupname. For comprehensive access review, check both traditional permissions and ACLs (if your system uses them).
Continue Your Linux Journey
Frequently Asked Questions
What are the basic Linux file permissions?
Linux has three permission types — read (r), write (w), and execute (x) — applied to three classes: owner, group, and others. Run `ls -l` to view them. Each file shows a 10-character string like `-rwxr-xr--` representing type and all nine permission bits.
How to give full permission to a file in Linux?
`chmod 777 filename` grants read, write, and execute to everyone. For most cases, `chmod 755 filename` (owner full, others read+execute) is safer. Use `chmod a+rwx filename` for the symbolic equivalent of 777.
What is the default file permission in Linux?
New files are created with 644 (rw-r--r--) and directories with 755 (rwxr-xr-x). This is controlled by the umask, which defaults to 022 and subtracts from 666 for files and 777 for directories.
Is the execute permission ever set on files by default?
No. Files are created without execute permission by default. You must explicitly add it with `chmod +x filename`. Only directories have execute set by default — it allows you to enter the directory.
How do I view permissions of a file in Linux?
Run `ls -l filename`. The first 10 characters show permissions: the first is the file type (`-` for file, `d` for directory), then three groups of rwx for owner, group, and others. Use `stat filename` for more detail.
How do I give write permission to a file in Linux?
`chmod u+w filename` adds write for the owner, `chmod g+w filename` for the group, `chmod o+w filename` for others. To give write to everyone at once: `chmod a+w filename` or `chmod 666 filename`.
What is the difference between file and directory permissions in Linux?
For files: r means read the contents, w means modify the contents, x means execute as a program. For directories: r means list the files inside, w means create or delete files inside, x means enter the directory with `cd`. You need x on a directory to access anything inside it.
Ready to Master Linux Permissions?
Join thousands who've transformed from confused about permissions to confident managing Linux security with The Practical Linux Handbook.