Linux File Permissions & chmod: Complete Guide

Understanding Linux Permissions

Every file and directory on a Linux system has three sets of permissions controlling who can read, write, and execute it. These permissions apply to three categories of users: the file owner, the group, and everyone else (others).

Run ls -l in any directory and you will see something like -rwxr-xr--. This 10-character string tells the full permissions story. The first character is the file type (- for regular file, d for directory, l for symlink). The next nine characters are three groups of three: owner, group, others.

Each group of three has the same order: read (r), write (w), execute (x). A dash (-) means that permission is not granted. So rwxr-xr-- means the owner can read, write, and execute; the group can read and execute; others can only read.

Numeric (Octal) Mode

Each permission has a numeric value: read = 4, write = 2, execute = 1. You add them together for each user category to get a three-digit number.

• 7 = read (4) + write (2) + execute (1) = full access
• 6 = read (4) + write (2) = read and write
• 5 = read (4) + execute (1) = read and execute
• 4 = read only
• 0 = no access

So chmod 755 script.sh sets owner to rwx (7), group to r-x (5), others to r-x (5). This is the standard permission for executable scripts and public directories.

Common permission sets:

• 644 — Standard file (owner reads/writes, everyone else reads). Used for HTML, CSS, images, config files.
• 755 — Executable/directory (owner full access, everyone else reads/executes). Used for scripts, directories, binaries.
• 600 — Private file (owner only). Used for SSH keys, secrets, credentials.
• 700 — Private directory (owner only). Used for ~/.ssh and other sensitive directories.
• 444 — Read-only for everyone. Used for files that should never be accidentally modified.

Symbolic Mode

The symbolic mode uses letters and operators instead of numbers:

chmod u+x script.sh — Add execute permission for the user (owner).

chmod g-w file.txt — Remove write permission from the group.

chmod o=r file.txt — Set others to read-only (removes any existing permissions and sets exactly r).

The targets are: u (user/owner), g (group), o (others), a (all three). The operators are: + (add), - (remove), = (set exactly).

Symbolic mode is handy when you want to change one specific permission without affecting the rest. chmod u+x only adds owner execute — it does not touch group or others. With numeric mode, you must specify all three groups every time.

Directory Permissions

Permissions mean something slightly different for directories:

• Read (r): List the directory contents (ls works).
• Write (w): Create, rename, or delete files inside the directory.
• Execute (x): Enter the directory (cd works) and access files by name.

A directory with r-- lets you list file names but not access them. A directory with --x lets you access files by name if you know them, but not list the contents. You almost always want both r and x together for directories.

Special Permissions

• Setuid (4xxx): When set on an executable, it runs with the file owner's permissions instead of the executing user's. chmod 4755 program. This is how /usr/bin/passwd can modify /etc/shadow despite being run by a regular user.
• Setgid (2xxx): When set on a directory, new files inherit the directory's group instead of the creator's primary group. Useful for shared project directories.
• Sticky bit (1xxx): When set on a directory, only the file owner can delete or rename their files. /tmp uses this (chmod 1777) so users can create temp files but not delete each other's.

Security Best Practices

• Never use 777 in production. It gives every user on the system full access. There is almost always a more restrictive permission that works.
• SSH keys must be 600 (private key) and 644 (public key). SSH refuses to use keys with broader permissions.
• Web server files should be 644 (files) and 755 (directories). The web server user needs read access but should not need write access.
• Use chmod -R with caution. Recursive permission changes can break things — applying 644 recursively removes execute from directories, making them inaccessible.

Calculate permissions instantly with our Chmod Calculator. Toggle checkboxes for each permission and get the numeric and symbolic representation immediately.