Linux File Permissions: How to Manage Access with chmod, chown, and chgrp
In Linux, permissions are a key part of the operating system’s security approach and file management. They define who is allowed to access files and directories and which actions those users can take. Knowing how to read and control permissions is important for administrators, developers, and anyone working on Linux machines.
This tutorial walks you through setting permissions with the chmod command (for changing file modes), chown (for changing file ownership), and chgrp (for changing group ownership). Once you’re comfortable with these Linux commands, you can protect files, enforce access rules, and reduce the risk of unauthorized access to sensitive data across your Linux systems.
Understanding Linux Permissions
Linux permissions are expressed using three groups of letters or numbers, and each group maps to a different class of user. This layered permission model is a central part of Linux security because it enables precise control over access to files and directories.
The three sets are:
- User (u): The file or directory owner. Usually this is the creator of the item, but ownership can be reassigned.
- Group (g): A set of users that share the same permission level for the file or directory. Groups make it easier to manage access for multiple users.
- Others (o): All remaining users on the system who are not the owner and are not part of the assigned group.
For each category, Linux uses three core permission types:
- Read (r or 4): Allows viewing file contents or listing the contents of a directory.
- Write (w or 2): Allows editing file contents or creating and deleting files inside a directory.
- Execute (x or 1): Allows running a file as a program or entering/accessing a directory.
The permissions shown by ls -l appear as a 10-character string. The first character indicates the file type (for example, - for a regular file, d for a directory, l for a symbolic link, and so on). The next nine characters are split into three sets of three, representing permissions for the owner, the group, and others. Each set contains combinations of:
- r for read permission
- w for write permission
- x for execute permission
- - for no permission
For example, -rwxr-xr-- breaks down like this:
- The first character - shows it is a regular file.
- The next three characters rwx are the owner permissions: read, write, and execute.
- The next three characters r-x are the group permissions: read and execute.
- The last three characters r-- are the permissions for others: read only.
Being able to interpret this string output is essential for controlling permissions correctly on Linux systems.
Numeric Representation of Permissions
Linux permissions can also be written using numeric (octal) notation, which is a compact way to set permissions for owner, group, and others in one step:
- 4 means read
- 2 means write
- 1 means execute
These values are added together to form permission combinations:
- 7 (4+2+1) = read, write, execute
- 6 (4+2) = read, write
- 5 (4+1) = read, execute
- 4 = read only
- 3 (2+1) = write, execute
- 2 = write only
- 1 = execute only
- 0 = no permissions
For example, chmod 755 applies:
- Owner: 7 (read, write, execute)
- Group: 5 (read, execute)
- Others: 5 (read, execute)
This numeric approach makes it quick to apply detailed permission sets using a simple three-digit value.
Special Permissions
In addition to standard read, write, and execute permissions, Linux includes special permission bits that provide extra control:
SUID (Set User ID)
When enabled on an executable, it runs using the file owner’s permissions instead of the permissions of the user who launches it.
- Set with: chmod u+s filename or chmod 4xxx filename (where xxx represents other permissions)
- Example: chmod 4755 /usr/bin/passwd
SGID (Set Group ID)
When enabled on an executable, it runs with the permissions of the file’s group. When applied to a directory, new files created inside inherit the directory’s group ownership.
- Set with: chmod g+s filename or chmod 2xxx filename (where xxx represents other permissions)
- Example: chmod 2775 /shared/project_dir
Sticky Bit
When set on a directory, files inside can only be removed by their owners, the directory owner, or the root user.
- Set with: chmod +t directory or chmod 1xxx directory (where xxx represents other permissions)
- Example: chmod 1777 /tmp
These special permissions can be used together. For instance, to apply SGID and the sticky bit to a directory, you can use: chmod 3775 directory (3 = 2+1, meaning SGID + sticky bit).
Special permission bits provide added control and are especially valuable for system executables and shared folder scenarios.
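The mapping between the ls -l string and the octal value, including the special bits, can be checked mechanically. The function below is an added example, not part of the original tutorial; the name mode_to_octal and the sample strings are made up for illustration. It goes slightly beyond the three-digit cases above by also decoding s/S and t/T into the leading fourth digit.

```sh
#!/bin/sh
# Added example: convert an "ls -l" permission string to four-digit octal,
# including the setuid, setgid and sticky bits.

# mode_to_octal STRING
#   STRING is the first column of "ls -l" (or the output of "stat -c %A"),
#   e.g. -rwxr-xr-- ; a trailing "." or "+" (SELinux/ACL marker) is accepted.
#   The body runs in a subshell, so its variables do not leak to the caller.
mode_to_octal() (
    mode=$1
    case $mode in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT][.+]) ;;
        *) echo "invalid mode string: $mode" >&2; exit 1 ;;
    esac

    rest=${mode#?}      # drop the file-type character
    special=0
    digits=
    # Each triad may carry one special bit:
    # owner = setuid (4), group = setgid (2), others = sticky (1).
    for bit in 4 2 1; do
        value=0
        for weight in 4 2 1; do
            char=${rest%"${rest#?}"}    # first remaining character
            rest=${rest#?}
            case $char in
                r|w|x) value=$((value + weight)) ;;
                # lowercase s/t: special bit set and execute set
                s|t)   value=$((value + weight)); special=$((special + bit)) ;;
                # uppercase S/T: special bit set, execute not set
                S|T)   special=$((special + bit)) ;;
            esac
        done
        digits=$digits$value
    done
    printf '%s%s\n' "$special" "$digits"
)

# Constructed sample inputs.
for sample in -rwxr-xr-- -rwsr-xr-x drwxrwsr-x drwxrwxrwt -rwSr--r--; do
    printf '%s  %s\n' "$sample" "$(mode_to_octal "$sample")"
done
```

An uppercase S or T in a listing means the special bit is set but the matching execute bit is not, which is usually a misconfiguration worth checking.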
How to Check Permissions
To view file and directory permissions, use ls -l. The -l option means “long” format and includes details such as permissions, ownership, size, and last modification time.
ls -l /path/to/file
For more detailed information about a file or directory, use stat. The stat command reports file system status details including file type, permissions, ownership, and timestamps. With -c, you can control the output format.
stat /path/to/file
Some common flags for ls and stat include:
ls flags
- -l (long): Shows detailed information about the file or directory.
- -a (all): Includes hidden files and directories in the output.
- -d (directory): Lists only the directory entry itself, not the directory contents.
stat flags
- -c (format): Defines the output format. For example, -c %A displays permissions in a readable format.
- -f (filesystem): Shows information about the filesystem containing the file, rather than the file itself.
- -t (terse): Outputs in a compact format that is useful for scripts to parse.
File and Directory Permission Basics
Let’s take a closer look at the permission string shown by running ls -l script.sh:
-rwxr-xr-- 1 user group 4096 Apr 25 10:00 script.sh
The first character - indicates script.sh is a regular file. If it were a directory, you would see d instead.
The next three characters rwx describe the owner (user) permissions. In this case, the owner has:
- r (read) permission, letting them view the file’s contents.
- w (write) permission, letting them edit the file.
- x (execute) permission, letting them run the file as a program.
The next three characters r-x describe group permissions. Here, the group has:
- r (read) permission, allowing them to view the file’s contents.
- x (execute) permission, allowing them to run the file as a program.
- No w (write) permission, meaning they cannot change the file.
The last three characters r-- define permissions for others. In this case, others have:
- r (read) permission, allowing them to view the file’s contents.
- No w (write) or x (execute) permission, meaning they cannot edit or run it.
Numeric equivalents
In Linux, permissions can also be described using numeric (octal) notation. Each permission is assigned a value:
- r (read) = 4
- w (write) = 2
- x (execute) = 1
By summing these values, you can represent different permission combinations. For example:
- rwx (read, write, execute) = 7 (4+2+1)
- rw- (read, write) = 6 (4+2)
- r-- (read) = 4
Using this system, 755 breaks down as:
- Owner: 7 (rwx) = read, write, execute
- Group: 5 (r-x) = read, execute
- Others: 5 (r-x) = read, execute
So, permission 755 matches rwxr-xr-x.
To apply permissions using numeric notation, use chmod followed by the number. For example, to apply 755 to a file or directory, use chmod 755 filename.
The chmod Command: Symbolic and Numeric Modes
The chmod command changes the mode (permissions) of a file or directory and can be used in either numeric or symbolic form.
Numeric Mode
The examples below show how to use chmod in numeric mode for files and directories:
chmod 755 filename
# Sets the permissions of 'filename' to rwxr-xr-x, allowing the owner to read, write, and execute, the group to read and execute, and others to read and execute.
chmod 644 document.txt
# Sets the permissions of 'document.txt' to rw-r--r--, allowing the owner to read and write, the group to read, and others to read.
chmod 700 private.sh
# Sets the permissions of 'private.sh' to rwx------, allowing the owner to read, write, and execute, and denying all permissions to the group and others.
Symbolic Mode
chmod u+x script.sh # This command adds execute permission for the user (owner) of the file 'script.sh', allowing them to run the script.
chmod g-w file.txt # This command removes write permission for the group associated with the file 'file.txt', ensuring that group members cannot modify the file.
chmod o=r file.txt # This command sets the permissions for others (all users except the owner and group members) to read-only for the file 'file.txt', allowing them to view the file's contents but not modify or execute it.
Examples of chmod Usage
The chmod command is a flexible and powerful way to control permissions in Linux. Below are examples that show how chmod can be used to create specific permission setups.
Giving Read-Only Permission to a User in Linux
To grant a user read-only access to a file, you can apply numeric mode 400. This results in r--------, meaning the owner can read the file but cannot write to it or execute it.
chmod 400 file.txt
Giving Write Permission to a Folder in Linux for a User
To allow a user to write into a folder, use symbolic mode u+w. This adds write permission for the directory owner so they can change the folder’s contents.
chmod u+w /path/to/folder
Making a Script Executable
To make a script runnable, apply symbolic mode +x. This adds execute permission for the script owner so the script can be executed.
chmod +x deploy.sh
These examples highlight how chmod can be adapted for different users and practical permission scenarios.
How to Use chown and chgrp
The chown and chgrp commands are core tools for controlling ownership in Linux. Knowing how to use them helps maintain correct access control, ensuring that files and directories remain available only to permitted users.
The chown Command
The chown command changes the owner of a file or directory. You can assign a new owner and optionally set the group as well, so the right user or team has access. The basic chown syntax is:
sudo chown username file.txt
In this example, username becomes the new owner of file.txt. To set both owner and group in one command, use:
sudo chown username:groupname file.txt
This sets the owner of file.txt to username and the group to groupname.
The chgrp Command
The chgrp command updates only the group ownership of a file or directory while leaving the file owner unchanged. The basic chgrp syntax is:
sudo chgrp groupname file.txt
In this example, groupname becomes the new group owner of file.txt.
Recursive Permissions in Linux
In Linux, recursive permissions make it possible to apply permission changes to a directory and everything inside it in a single step. This approach is especially helpful when managing large directory structures that contain many files and subdirectories.
Basic Syntax
The general syntax for setting recursive permissions is:
chmod -R permissions directory
Here, permissions represents the permission value you want to assign, and directory refers to the target directory where the changes should be applied.
Examples of Recursive Permissions
The examples below show how to apply recursive permissions to a directory and all of its contents.
chmod -R 755 /var/www/html
This command assigns the permission value 755 to the /var/www/html directory and everything within it. The owner receives read, write, and execute permissions, while the group and others are granted read and execute access.
chown -R user:group /var/www/html
This command updates the ownership of /var/www/html and all its contents, assigning ownership to user and setting the group to group. This ensures that the defined user and group have proper access rights across the entire directory tree.
Common Use Cases
Web Hosting Folder Setup
When configuring a web hosting environment, it is important that the web server has the correct permissions to read and serve files. For instance, assigning 755 to /var/www/html allows the server to read and execute files while preventing unauthorized write access from others.
chmod -R 755 /var/www/html
Deploying a Script
When releasing a script, you must ensure it has execution rights. For example, if you have a deployment script named deploy.sh, you can assign permission 755 so it can be executed properly.
chmod 755 deploy.sh
This configuration enables the owner to read, write, and execute the script, while other users can read and execute it.
Setting Group Access for Collaboration
In collaborative projects, multiple users often need shared access to the same directory. To support teamwork, group ownership and permissions can be configured accordingly. Suppose you have a directory called project and want members of the developers group to read, write, and execute files inside it.
chown -R :developers project
chmod -R 775 project
The first command assigns the group ownership of the project directory and its contents to developers. The second command sets permissions so that the group can read, write, and execute, while others are limited to read and execute access.
Common Errors and Solutions
Setting 777 Everywhere
Applying permission 777 to all files and directories poses a serious security risk. It allows anyone to read, modify, and execute content, potentially leading to unauthorized changes or system compromise.
Solution: Apply more restrictive permissions that match the specific requirements of each file or directory. For instance, use 755 for directories and 644 for files so that owners can write while others only have read access.
chmod 755 /path/to/directory
chmod 644 /path/to/file
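Across a whole tree, a recursive chmod with a single numeric mode gives files and directories the same bits, so 755 for directories and 644 for files has to be applied per file type. The script below is an added example, not part of the original tutorial; the function names find_world_writable and normalize_tree and the demo paths are made up for illustration. It assumes GNU find and stat, as shipped on Linux.

```sh
#!/bin/sh
# Added example: audit a tree for the "777 everywhere" mistake, then reset it
# to 755 for directories and 644 for regular files.

# find_world_writable DIR
#   Prints world-writable regular files, and world-writable directories that
#   lack the sticky bit (a sticky one such as /tmp is expected to be 1777).
find_world_writable() {
    find "$1" -xdev \( \
        \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \
    \) -print
}

# normalize_tree DIR
#   Directories get 755 and regular files 644. Symbolic links are skipped,
#   and -xdev keeps find from crossing into other mounted filesystems.
normalize_tree() {
    find "$1" -xdev -type d -exec chmod 755 {} +
    find "$1" -xdev -type f -exec chmod 644 {} +
}

# Demo on a constructed tree under a temporary directory (paths are made up).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/site/uploads"
printf '<h1>hello</h1>\n' > "$demo_root/site/index.html"
printf '#!/bin/sh\necho deploying\n' > "$demo_root/site/deploy.sh"
chmod -R 777 "$demo_root/site"

echo "World-writable before the fix:"
find_world_writable "$demo_root/site"

normalize_tree "$demo_root/site"
chmod u+x "$demo_root/site/deploy.sh"   # scripts get execute back explicitly

echo "World-writable after the fix: $(find_world_writable "$demo_root/site" | wc -l)"
stat -c '%a %n' "$demo_root/site" "$demo_root/site/index.html" "$demo_root/site/deploy.sh"
rm -rf "$demo_root"
```

Run find_world_writable on its own first to review what would change before calling normalize_tree on a real directory.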
Forgetting Execute Permission on Scripts
If execute permissions are missing on scripts, they cannot be run, which may result in errors or unexpected failures.
Solution: Add execute permission for the relevant users or groups. For example, to grant execute permission to the owner:
chmod u+x script.sh
Breaking Web/App Access with Incorrect Permissions
Incorrect permission settings on web or application directories can block server access, causing service errors or downtime.
Solution: Ensure the web server user has proper ownership and permissions. For example, to configure access for the Apache web server in /var/www/html:
chown -R www-data:www-data /var/www/html
chmod -R 755 /var/www/html
Best Practices
DOs
| Recommendation | Description | Example Command |
|---|---|---|
| Apply the least-privilege principle | Begin with minimal permissions to maintain security. | chmod 755 directory |
| Use groups for collaboration | Assign group permissions to simplify teamwork. | chown -R :group directory |
| Review recursive commands carefully | Confirm the impact of recursive operations to avoid accidental changes. | ls -lR directory |
DON’Ts
| Avoid | Description | Example Command |
|---|---|---|
| Using chmod 777 unnecessarily | Do not use chmod 777 unless absolutely required, as it introduces security risks. | chmod 755 directory |
| Skipping execute permission on scripts | Remember to apply execute permission (chmod +x) for scripts to function properly. | chmod +x script.sh |
| Over-restricting application files | Avoid limiting permissions so much that applications cannot access required files. | chmod 644 file.txt |
FAQs
1. How do you set permissions in Linux?
Permissions in Linux are configured using the chmod command. It allows you to adjust access rights for files and directories. For example, to grant the owner full access and allow the group and others to read and execute, use:
chmod 755 filename
This sets permissions to rwxr-xr-x, which corresponds to numeric value 755.
2. What is chmod 755 or 777?
chmod 755 assigns read, write, and execute permissions to the owner, while the group and others receive read and execute access. This is a typical setting for directories and executable files.
chmod 777 grants read, write, and execute permissions to everyone—owner, group, and others. This is discouraged because it allows unrestricted modification and execution.
Example of chmod 777:
chmod 777 filename
This results in rwxrwxrwx, equivalent to numeric value 777.
3. What is chmod 666 or 777?
chmod 666 allows everyone to read and write but not execute. It is uncommon because it prevents execution of files.
chmod 777, as explained earlier, enables full read, write, and execute access for all users.
Example of chmod 666:
chmod 666 filename
This sets permissions to rw-rw-rw-, matching numeric value 666.
4. What is the meaning of chmod 400?
chmod 400 allows only the owner to read the file and denies all access to group members and others. This restrictive setting is suitable for confidential files.
Example of chmod 400:
chmod 400 filename
This produces r--------, corresponding to numeric value 400.
Conclusion
Managing permissions in Linux is a fundamental part of maintaining system security and proper administration. By understanding permission models and using commands such as chmod, chown, and chgrp effectively, you can ensure that files and directories remain accessible only to authorized users while keeping your Linux environment stable and secure.


