chmod Permission Guide: Complete Linux File Permissions Tutorial

Published: June 7, 2026 · 12 min read

Understanding Linux Permissions

Linux follows a Unix-style permission model where every file and directory has an owner and a set of permissions that control who can read, write, or execute it. This security model is fundamental to Linux's reputation for robust security.

When you list files with ls -la, you'll see permission strings at the start of each line:

$ ls -la
drwxr-xr-x  3 owner group  4096 Jun  7 10:30 documents
-rw-r--r--  1 owner group  2048 Jun  7 10:30 readme.txt
-rwxr-xr-x  2 owner group  4096 Jun  7 10:30 scripts
lrwxrwxrwx  1 owner group    12 Jun  7 10:30 link -> target.txt

The first character indicates the file type, followed by three triplets of permissions.

File Type Indicators

-    Regular file
d    Directory
l    Symbolic link
c    Character device
b    Block device
p    Named pipe (FIFO)
s    Socket

Permission Types: Read, Write, Execute

Each permission triplet contains three permission types:

Read (r or 4)

For files: Allows viewing file contents
For directories: Allows listing directory contents with ls

# File: Can read file contents
$ cat readme.txt
This is the file content.

# Directory: Can list files
$ ls documents/
file1.txt  file2.txt  file3.txt

Write (w or 2)

For files: Allows modifying file contents
For directories: Allows creating, deleting, and renaming files

# File: Can modify file contents
$ echo "new content" > readme.txt

# Directory: Can create/delete files
$ touch documents/newfile.txt
$ rm documents/oldfile.txt

Execute (x or 1)

For files: Allows running the file as a program or script
For directories: Allows entering the directory with cd

# File: Can execute script
$ ./deploy.sh
Deploying application...

# Directory: Can access contents
$ cd documents/
$ cat file1.txt

Owner Types: User, Group, Others

Linux uses three ownership categories:

User (u)

The user who owns the file. By default, the creator of the file becomes its owner.

-rw-r--r--  john developers  readme.txt
 ^^^
 User (john) has rw- permissions

Group (g)

Members of the file's group. Multiple users can belong to the same group, sharing permissions.

-rw-r--r--  john developers  readme.txt
    ^^^
    Group (developers) has r-- permissions

Others (o)

Everyone else—users who are neither the owner nor members of the group.

-rw-r--r--  john developers  readme.txt
       ^^^
       Others have r-- permissions

Checking File Ownership

# View owner and group
$ ls -l readme.txt
-rw-r--r-- 1 owner group 4096 Jun 7 10:30 readme.txt

# Change owner
$ sudo chown newuser readme.txt

# Change group
$ sudo chgrp newgroup readme.txt

# Change both at once
$ sudo chown newuser:newgroup readme.txt

Octal (Numeric) Notation

Octal notation uses numbers 0-7 to represent permissions. Each digit represents one triplet:

User  Group  Others
 rwx   rwx    rwx
 7     7      7

Permission Values

Binary  Octal  Permissions  Description
000     0      ---          No permissions
001     1      --x          Execute only
010     2      -w-          Write only
011     3      -wx          Write and execute
100     4      r--          Read only
101     5      r-x          Read and execute
110     6      rw-          Read and write
111     7      rwx          Full permissions

Common Permission Modes

chmod 644   # rw-r--r--  (Owner: read/write, Group/Others: read)
chmod 755   # rwxr-xr-x  (Owner: full, Group/Others: read/execute)
chmod 600   # rw-------  (Owner: read/write only)
chmod 700   # rwx------  (Owner: full access only)
chmod 775   # rwxrwxr-x  (Shared group access)
chmod 664   # rw-rw-r--  (Group collaboration)

Symbolic Notation

Symbolic notation uses letters and symbols for more intuitive permission changes:

Who:    u (user/owner), g (group), o (others), a (all)
Action: + (add), - (remove), = (set exactly)
Perm:   r (read), w (write), x (execute)

Basic Operations

# Add execute permission for owner
chmod u+x script.sh

# Remove write permission for group
chmod g-w file.txt

# Set read-only for others
chmod o=r readme.txt

# Add execute to all (user, group, others)
chmod a+x program

# Remove all permissions for others
chmod o= file.txt

Multiple Changes

# Add read and execute to group, remove write from others
chmod g+rx,o-rwx script.sh

# Add write to user and group
chmod ug+w file.txt

# Set same permissions as owner for group
chmod g=u file.txt

Copying Permissions

# Make group permissions same as user
chmod g=u script.sh

# Make others permissions same as group
chmod o=g file.txt

Special Permissions: SUID, SGID, Sticky Bit

Beyond the basic 9 permission bits, Linux supports three special permission bits that modify behavior in important ways.

SUID (Set User ID) — 4 or s

When set on an executable, the program runs with the file owner's permissions, not those of the user who launched it. This is common for system commands like passwd.

# Octal value: 4000
chmod 4755 program    # Adds SUID
chmod u+s program    # Symbolic form

# Example: passwd needs root privileges to modify /etc/shadow
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root  54256 Mar 15 09:00 /usr/bin/passwd
   ^
   The 's' indicates SUID

SGID (Set Group ID) — 2 or s

For executables: The program runs with the permissions of the file's group
For directories: New files inherit the directory's group

# Octal value: 2000
chmod 2755 program    # Adds SGID
chmod g+s program    # Symbolic form

# Directory example: Shared project folder
$ ls -ld /shared/project
drwxrwsr-x  2 team group  4096 Jun  7 10:30 /shared/project
      ^
      New files automatically get the directory's group

Sticky Bit — 1 or t

On directories, only the owner of a file can delete or rename it, even if others have write permission. Essential for shared directories like /tmp.

# Octal value: 1000
chmod 1777 /shared    # Adds sticky bit
chmod +t /shared     # Symbolic form

# Example: /tmp directory
$ ls -ld /tmp
drwxrwxrwt  10 root root  4096 Jun  7 10:30 /tmp
         ^
         The 't' indicates sticky bit
         (others have execute + sticky bit shown as 't')

Special Permission Modes

Octal  Symbolic     Result
4755   u+s,755      SUID + rwxr-xr-x
2755   g+s,755      SGID + rwxr-xr-x
1755   +t,755       Sticky bit + rwxr-xr-x
6755   u+s,g+s,755  SUID + SGID + rwxr-xr-x
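To read the special bits back out of ls output, the following added example (not part of the original guide) converts an ls-style permission string into four-digit octal. The function name perm_string_to_octal is hypothetical, and the example goes beyond the page by also handling the uppercase S and T that ls prints when a special bit is set without the matching execute bit.

```sh
#!/bin/sh
# Added example: decode an `ls -l` permission string into 4-digit octal.

# perm_string_to_octal STRING -> e.g. "-rwsr-xr-x" gives 4755
perm_string_to_octal() {
    s=${1%[.+@]}       # drop a trailing SELinux/ACL/xattr marker, if any
    case $s in
        [-dlcbps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "not an ls-style mode string: $1" >&2; return 1 ;;
    esac
    rest=${s#?}        # drop the file-type character
    special=0 digits="" weight=4   # weight: 4=SUID, 2=SGID, 1=sticky
    for _ in user group others; do
        tail=${rest#???}
        trip=${rest%"$tail"}       # first three characters of $rest
        rest=$tail
        val=0
        case $trip in r??) val=$((val + 4)) ;; esac
        case $trip in ?w?) val=$((val + 2)) ;; esac
        case $trip in
            ??x)       val=$((val + 1)) ;;
            # lowercase: special bit AND execute are both set
            ??s | ??t) val=$((val + 1)); special=$((special + weight)) ;;
            # uppercase: special bit set, execute missing
            ??S | ??T) special=$((special + weight)) ;;
        esac
        digits=$digits$val
        weight=$((weight / 2))
    done
    echo "$special$digits"
}

# Constructed sample strings, including the ones shown in this guide
for m in '-rwsr-xr-x' 'drwxrwsr-x' 'drwxrwxrwt' '-rwSr--r--'; do
    printf '%s -> %s\n' "$m" "$(perm_string_to_octal "$m")"
done
```

An uppercase S on a program usually means the execute bit was removed after SUID was set, which is worth investigating during a review.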

Understanding umask

The umask (user file creation mask) determines the default permissions for newly created files and directories. It works as a mask rather than true arithmetic subtraction: every permission bit set in the umask is cleared from the maximum allowed mode (mode & ~umask).

Default Maximum Permissions

Files: 666 (rw-rw-rw-)
Directories: 777 (rwxrwxrwx)

Common umask Values

umask 022   # Default for most systems
            # Files: 666 & ~022 = 644 (rw-r--r--)
            # Dirs:  777 & ~022 = 755 (rwxr-xr-x)

umask 002   # For collaborative environments
            # Files: 666 & ~002 = 664 (rw-rw-r--)
            # Dirs:  777 & ~002 = 775 (rwxrwxr-x)

umask 077   # For maximum security
            # Files: 666 & ~077 = 600 (rw-------)
            # Dirs:  777 & ~077 = 700 (rwx------)

Setting umask

# View current umask
$ umask
0022

# Set for current session
$ umask 027

# Set permanently (add to ~/.bashrc or ~/.profile)
echo "umask 027" >> ~/.bashrc
source ~/.bashrc
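The umask 027 set above is a case where treating the umask as subtraction gives the wrong answer. This added example (not part of the original guide) predicts the resulting mode by clearing bits, measures it on a real probe file and directory, and shows what octal subtraction would have suggested; the function names predict_mode, naive_subtract and actual_mode are hypothetical.

```sh
#!/bin/sh
# Added example: umask clears bits, it does not subtract.

# predict_mode BASE UMASK -> octal mode the kernel assigns (BASE & ~UMASK)
predict_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# naive_subtract BASE UMASK -> what plain octal subtraction would suggest
naive_subtract() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# actual_mode UMASK file|dir -> mode of a freshly created probe. The body
# runs in a subshell, so the caller's own umask is left untouched.
actual_mode() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = dir ]; then mkdir "$tmp/probe"; else : > "$tmp/probe"; fi
    # GNU stat takes -c, BSD/macOS stat takes -f
    mode=$(stat -c '%a' "$tmp/probe" 2>/dev/null || stat -f '%Lp' "$tmp/probe")
    rm -rf "$tmp"
    printf '%s\n' "$mode"
)

for mask in 022 027 077; do
    printf 'umask %s: predicted file %s, actual file %s, actual dir %s, subtraction says %s\n' \
        "$mask" "$(predict_mode 666 "$mask")" "$(actual_mode "$mask" file)" \
        "$(actual_mode "$mask" dir)" "$(naive_subtract 666 "$mask")"
done
```

For 022 the two methods agree, but for 027 a new file gets 640 where subtraction would suggest 637, because the umask's execute bit for others has nothing to clear in 666.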

Practical Examples

Web Server Files

# Static files (read-only for everyone)
chmod 644 index.html styles.css script.js

# Directories (read and execute for everyone)
chmod 755 css js images

# Uploads directory (writable by web server)
chmod 775 uploads
chown www-data:www-data uploads

Scripts and Executables

# Make script executable for owner, readable for others
chmod 755 deploy.sh

# Personal scripts (owner only)
chmod 700 backup.sh

# Shell scripts with read access for group
chmod 750 script.sh

SSH Keys and Sensitive Files

# Private key (most restrictive)
chmod 600 ~/.ssh/id_rsa

# Public key (can be shared)
chmod 644 ~/.ssh/id_rsa.pub

# SSH directory
chmod 700 ~/.ssh

# Config files
chmod 600 ~/.ssh/config

Application Deployment

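# Source code (read-only): directories need execute to stay traversable,
# so set directories and files separately instead of using chmod -R 644
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;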

# Executables
chmod 755 bin/start.sh
chmod 755 bin/stop.sh

# Logs (writable by app)
chmod 775 logs
chown app:app logs

# PID files (writable by app; a data file needs no execute bit)
chmod 664 /var/run/app.pid

Security Best Practices

Principle of Least Privilege

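# Find world-writable files (security risk!)
# The leading "-" matches any mode with this bit set; without it, find
# matches only files whose mode is exactly 0002
find /path -type f -perm -0002

# Find SUID files (potential security issues)
# "-perm +4000" is no longer accepted by current GNU find
find /path -type f -perm -4000

# Check for files with no owner or no group
find /path \( -nouser -o -nogroup \)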
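The checks above can be combined into one repeatable audit. This added example (not part of the original guide) reports world-writable files, world-writable directories that lack the sticky bit, and SUID/SGID files, then runs against a constructed sample tree; the function names audit_perms and demo and the finding labels are hypothetical.

```sh
#!/bin/sh
# Added example: one-pass audit for the risky modes discussed in this guide.

# audit_perms DIR -> one finding per line as "<KIND> <path>", sorted
audit_perms() {
    {
        # Regular files that any local user can modify
        find "$1" -type f -perm -0002 \
            -exec printf 'WORLD_WRITABLE_FILE %s\n' {} +
        # World-writable directories without the sticky bit: any user can
        # delete or replace other users' files inside them
        find "$1" -type d -perm -0002 ! -perm -1000 \
            -exec printf 'WORLD_WRITABLE_DIR_NO_STICKY %s\n' {} +
        # SUID/SGID files: compare each against the list you expect
        find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETID_FILE %s\n' {} +
    } | LC_ALL=C sort
}

# demo: build a constructed sample tree, audit it, then clean up
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/drop" "$d/tmp"
    : > "$d/ok.conf";  chmod 644  "$d/ok.conf"
    : > "$d/open.log"; chmod 666  "$d/open.log"
    : > "$d/helper";   chmod 4755 "$d/helper"
    chmod 777  "$d/drop"   # world-writable, no sticky bit
    chmod 1777 "$d/tmp"    # world-writable but sticky, like /tmp
    (cd "$d" && audit_perms .)
    rm -rf "$d"
}

demo
```

The sticky directory and the 644 file produce no findings, so saving the output of a known-good run gives a baseline to diff against later.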

Common Security Mistakes

# NEVER do this - anything world-writable is dangerous!
chmod 777 file.txt
chmod -R 777 /var/www

# NEVER do this - scripts that anyone can modify
chmod 777 script.sh
chmod 666 script.sh

# BE CAREFUL with recursive chmod
chmod -R 755 /var/www/html  # Makes every file executable!
# Better:
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

Recommended Permissions by File Type

File Type      Owner  Group  Others  Use Case
Regular files  rw-    r--    r--     Default for data files
Scripts        rwx    r-x    r-x     Executable scripts
Private keys   rw-    ---    ---     SSH keys, certificates
Config files   rw-    r--    ---     Application configs
Directories    rwx    r-x    r-x     Standard directories
