Linux file permissions control who can read, write, and execute a file or
directory. Every file has three permission groups — owner, group, and others —
and three permission types — read, write, execute. This reference covers how to
read a permission string, octal and symbolic notation, special bits, and the
most common chmod commands.
Quick format: -rwxr-xr-- breaks down as:
-— file type (-file,ddirectory,lsymlink)rwx— owner permissionsr-x— group permissionsr--— others permissions
Permission Types
| Symbol | Octal | Meaning on a File | Meaning on a Directory |
|---|---|---|---|
r | 4 | Read the file | List directory contents |
w | 2 | Write / modify the file | Create, delete, rename files inside |
x | 1 | Execute the file | Enter (cd into) the directory |
- | 0 | Permission not set | Permission not set |
Octal Notation
Each permission group is the sum of its active bits.
| Octal | Binary | Permissions |
|---|---|---|
0 | 000 | --- none |
1 | 001 | --x execute only |
2 | 010 | -w- write only |
3 | 011 | -wx write + execute |
4 | 100 | r-- read only |
5 | 101 | r-x read + execute |
6 | 110 | rw- read + write |
7 | 111 | rwx read + write + execute |
Reading a three-digit octal like 755:
| Digit | Who | Permissions |
|---|---|---|
7 | Owner | rwx |
5 | Group | r-x |
5 | Others | r-x |
Common Permission Values
The codes you'll use or encounter most often.
| Octal | Symbolic | Typical Use |
|---|---|---|
777 | rwxrwxrwx | Everyone can do everything (avoid in production) |
755 | rwxr-xr-x | Web directories, executables |
750 | rwxr-x--- | Owner full, group read/execute, others none |
700 | rwx------ | Private executable — only the owner |
664 | rw-rw-r-- | Shared group file |
644 | rw-r--r-- | Standard file — owner writes, all can read |
640 | rw-r----- | Config files with sensitive data |
600 | rw------- | SSH keys, private files |
444 | r--r--r-- | Read-only for everyone |
400 | r-------- | Read-only, owner only (e.g., PEM files) |
Symbolic Notation
An alternative to octal — more readable for targeted changes.
| Part | Options | Meaning |
|---|---|---|
| Who | u | User (owner) |
g | Group | |
o | Others | |
a | All (u + g + o) | |
| Operator | + | Add permission |
- | Remove permission | |
= | Set exactly (replace) | |
| What | r | Read |
w | Write | |
x | Execute |
Symbolic chmod examples
| Command | What it does |
|---|---|
chmod u+x file | Add execute for the owner |
chmod g-w file | Remove write from group |
chmod o=r file | Set others to read-only |
chmod a+r file | Add read for everyone |
chmod u+x,g-w file | Multiple changes at once |
chmod a-x file | Remove execute from everyone |
chmod ug=rw file | Set owner and group to read+write |
Common chmod Commands
| Task | Command |
|---|---|
| Make a script executable | chmod +x script.sh |
| Secure an SSH private key | chmod 600 ~/.ssh/id_rsa |
| Standard web file | chmod 644 index.html |
| Standard web directory | chmod 755 /var/www/html |
| Private config file | chmod 640 config.env |
| Restrict to owner only | chmod 700 ~/private |
| Apply recursively | chmod -R 755 /var/www |
| Read-only for all | chmod 444 file.txt |
Special Bits
Beyond the standard rwx, three extra bits control elevated behaviors.
| Bit | Octal | Symbol | Effect |
|---|---|---|---|
| Setuid | 4 (prefix) | s in owner execute | File runs as the file's owner, not the caller |
| Setgid | 2 (prefix) | s in group execute | File runs as the group; on dirs, new files inherit the group |
| Sticky bit | 1 (prefix) | t in others execute | On dirs, only the owner can delete their own files (e.g., /tmp) |
Special bit examples
| Command | Meaning |
|---|---|
chmod 4755 file | Setuid + 755 |
chmod 2755 dir | Setgid + 755 |
chmod 1777 /tmp | Sticky bit + 777 |
chmod u+s file | Add setuid symbolically |
chmod g+s dir | Add setgid symbolically |
chmod +t dir | Add sticky bit symbolically |
Viewing Permissions
| Task | Command |
|---|---|
| List files with permissions | ls -l |
| List all including hidden | ls -la |
| Show permissions as octal | stat -c "%a %n" file |
| Show full stat info | stat file |
| Find files with a permission | find . -perm 644 |
| Find world-writable files | find . -perm -o+w |
Ownership (chown & chgrp)
Permissions only make sense alongside ownership — who is the "owner" and which "group" does the file belong to.
| Task | Command |
|---|---|
| Change owner | chown user file |
| Change owner and group | chown user:group file |
| Change group only | chgrp group file |
| Recursive ownership change | chown -R user:group /var/www |
| View current owner | ls -l file |
Golden Rules
- Never use
777in production — it grants full access to everyone on the system, including potential attackers. - SSH keys must be
600— SSH will refuse to use a private key that is readable by others. - Prefer symbolic for targeted changes —
chmod g+xis safer than octal when you only want to add one permission without touching the rest. - Use
-Rwith caution — recursive chmod changes every file and directory under the path; files and directories usually need different permissions. - Sticky bit protects shared dirs — use
1777on shared directories like/tmpso users can't delete each other's files.
Frequently Asked Questions
What does chmod 755 mean?
The owner has full read, write, and execute permissions (7 = rwx), while
the group and others can only read and execute (5 = r-x). This is the
standard permission for web directories and executables.
What is the difference between chmod 644 and 755?
644 gives the owner read and write (rw-) and everyone else read-only
(r--), making it right for files like HTML or config that need to be read
but not executed. 755 adds execute, making it right for directories and
scripts.
Why does SSH say "permissions are too open"?
SSH requires private key files to be readable only by the owner. Fix it with
chmod 600 ~/.ssh/id_rsa.
What is the sticky bit?
The sticky bit on a directory means only a file's owner can delete or rename
it, even if others have write access to the directory. It's commonly set on
/tmp.
What is setuid?
Setuid makes an executable run with the file owner's privileges rather than the
caller's. It's how commands like passwd can write to /etc/shadow even when
run by a regular user.
What is the difference between chown and chmod?
chmod changes the permissions on a file (what actions are allowed). chown
changes who owns the file (which user and group the permission bits apply to).