File permissions
Key takeaways
Every file on Linux grants three permissions — read, write, execute
(rwx) — to three classes of people: the user (owner), the group, and
other (everyone else). You read those permissions with ls -l, change them
with chmod, and change who owns the file with chown. Reading and adjusting
that grid is core Linux, and it decides whether a script runs, a secret stays
private, or a whole folder is even reachable. New to owners and groups? Start with
users & groups.
Permissions are how a multi-user system keeps people out of each other’s files and stops a stray program from touching what it shouldn’t. The model is small — three permissions times three classes of people — but it shows up everywhere, so it is worth reading fluently rather than guessing.
Reading ls -l
Run ls -l and every file gets a line that begins with a ten-character string:
-rw-r--r-- 1 matt staff 1420 Jul 17 09:31 notes.txt
That first block, -rw-r--r--, is the whole permission story. Read it in pieces:
- Character 1 is the file type:
-for a regular file,dfor a directory,lfor a symbolic link. - Characters 2–4 are the user (owner) permissions:
rw-. - Characters 5–7 are the group permissions:
r--. - Characters 8–10 are the other (everyone else) permissions:
r--.
So -rw-r--r-- is a regular file whose owner can read and write it, while the
group and everyone else can only read it. A dash in any slot means that
permission is switched off.
What r, w, x mean
For an ordinary file the three letters are straightforward:
- r (read) — view the file’s contents.
- w (write) — change or overwrite the contents.
- x (execute) — run the file as a program.
That last one matters for scripts. A shell script is just a text file until it has
the execute bit; without x the shell refuses to run it directly, no matter
how correct the code inside is. Getting a script to run for the first time is
exactly this problem — see
your first shell script.
…and for directories
The same three letters mean something different on a directory, and this is the part that surprises people:
- r (read) — list the names of the entries inside.
- w (write) — create, rename, or delete entries inside it.
- x (execute) — enter the directory and reach the files within (traverse
it, e.g. to
cdin or open a file by path).
The twist is x: without it you cannot enter a folder even if you can read its
listing, and a folder with x but no r lets you open a file if you already
know its name but not list what is there. Because deleting a file is a change to
its directory, whether you can remove a file depends on the folder’s w, not
the file’s own permissions.
Changing permissions — chmod
chmod (“change mode”) sets the permission bits, and it takes two styles.
Symbolic style names a class (user, group, other, all), an operator
(+ add, - remove, = set exactly), and the letters:
chmod u+x script.sh # give the owner execute
chmod go-w notes.txt # remove write from group and other
chmod a+r report.txt # let everyone read it
Octal style sets all three classes at once with a three-digit number. Each digit is the sum of read = 4, write = 2, execute = 1:
| rwx | binary | value | grants |
|---|---|---|---|
--- |
000 | 0 | nothing |
r-- |
100 | 4 | read |
r-x |
101 | 5 | read, execute |
rw- |
110 | 6 | read, write |
rwx |
111 | 7 | read, write, execute |
Put three of those digits together — one for user, group, other — and you have a mode:
chmod 755 script.sh # rwxr-xr-x owner all, others read+run
chmod 644 notes.txt # rw-r--r-- owner read/write, others read
chmod 600 secret.key # rw------- owner only, nobody else
Changing ownership — chown & chgrp
Permissions decide what each class can do; ownership decides who is in which class. chown (“change owner”) sets the user (and optionally the group), and chgrp sets just the group:
chown matt notes.txt # matt is now the owner
chown matt:staff notes.txt # owner matt, group staff
chgrp staff notes.txt # change only the group
Handing a file to another user normally needs administrator rights, so these are usually run with sudo — covered next in sudo & becoming root safely.
Common patterns & pitfalls
A few modes cover almost everything:
- 644 (
rw-r--r--) — the default for ordinary files: you edit, others read. - 755 (
rwxr-xr-x) — directories, and scripts or programs everyone should run. - 600 (
rw-------) — secrets like private keys and password files; owner only.
The habit to avoid is chmod 777. It hands read, write, and execute to every
account and service on the machine, which makes a permission error vanish by
removing the protection entirely — including letting anyone overwrite the file.
When something won’t open, work out the narrowest grant that fixes it (often just
adding x to a directory, or 644 to a file) rather than opening it to the world.
Quick check: a file's permissions read -rwxr-xr--. What can "other" do with it?
Recap
- Every file grants rwx to three classes: user, group, other.
ls -lshows a ten-character string: file type plus threerwxtriples.- On files rwx means read / modify / run; a script needs the execute bit.
- On directories rwx means list / create-delete / enter — the
xbit catches people out. - chmod changes permissions (symbolic like
u+x, or octal where r=4, w=2, x=1). - chown and chgrp change ownership; use 644, 755, 600 as your defaults and avoid reflexive 777.
Next up: sudo & becoming root safely