File permissions

Key takeaways Every file on Linux grants three permissions — read, write, execute (rwx) — to three classes of people: the user (owner), the group, and other (everyone else). You read those permissions with ls -l, change them with chmod, and change who owns the file with chown. Reading and adjusting that grid is core Linux, and it decides whether a script runs, a secret stays private, or a whole folder is even reachable. New to owners and groups? Start with users & groups.

Permissions are how a multi-user system keeps people out of each other’s files and stops a stray program from touching what it shouldn’t. The model is small — three permissions times three classes of people — but it shows up everywhere, so it is worth reading fluently rather than guessing.

Reading ls -l

Run ls -l and every file gets a line that begins with a ten-character string:

-rw-r--r--  1 matt  staff  1420 Jul 17 09:31 notes.txt

That first block, -rw-r--r--, is the whole permission story. Read it in pieces:

  • Character 1 is the file type: - for a regular file, d for a directory, l for a symbolic link.
  • Characters 2–4 are the user (owner) permissions: rw-.
  • Characters 5–7 are the group permissions: r--.
  • Characters 8–10 are the other (everyone else) permissions: r--.

So -rw-r--r-- is a regular file whose owner can read and write it, while the group and everyone else can only read it. A dash in any slot means that permission is switched off.

What r, w, x mean

For an ordinary file the three letters are straightforward:

  • r (read) — view the file’s contents.
  • w (write) — change or overwrite the contents.
  • x (execute) — run the file as a program.

That last one matters for scripts. A shell script is just a text file until it has the execute bit; without x the shell refuses to run it directly, no matter how correct the code inside is. Getting a script to run for the first time is exactly this problem — see your first shell script.

…and for directories

The same three letters mean something different on a directory, and this is the part that surprises people:

  • r (read)list the names of the entries inside.
  • w (write)create, rename, or delete entries inside it.
  • x (execute)enter the directory and reach the files within (traverse it, e.g. to cd in or open a file by path).

The twist is x: without it you cannot enter a folder even if you can read its listing, and a folder with x but no r lets you open a file if you already know its name but not list what is there. Because deleting a file is a change to its directory, whether you can remove a file depends on the folder’s w, not the file’s own permissions.

Changing permissions — chmod

chmod (“change mode”) sets the permission bits, and it takes two styles.

Symbolic style names a class (user, group, other, all), an operator (+ add, - remove, = set exactly), and the letters:

chmod u+x script.sh      # give the owner execute
chmod go-w notes.txt     # remove write from group and other
chmod a+r report.txt     # let everyone read it

Octal style sets all three classes at once with a three-digit number. Each digit is the sum of read = 4, write = 2, execute = 1:

rwx binary value grants
--- 000 0 nothing
r-- 100 4 read
r-x 101 5 read, execute
rw- 110 6 read, write
rwx 111 7 read, write, execute

Put three of those digits together — one for user, group, other — and you have a mode:

chmod 755 script.sh      # rwxr-xr-x  owner all, others read+run
chmod 644 notes.txt      # rw-r--r--  owner read/write, others read
chmod 600 secret.key     # rw-------  owner only, nobody else

Changing ownership — chown & chgrp

Permissions decide what each class can do; ownership decides who is in which class. chown (“change owner”) sets the user (and optionally the group), and chgrp sets just the group:

chown matt notes.txt          # matt is now the owner
chown matt:staff notes.txt    # owner matt, group staff
chgrp staff notes.txt         # change only the group

Handing a file to another user normally needs administrator rights, so these are usually run with sudo — covered next in sudo & becoming root safely.

Common patterns & pitfalls

A few modes cover almost everything:

  • 644 (rw-r--r--) — the default for ordinary files: you edit, others read.
  • 755 (rwxr-xr-x) — directories, and scripts or programs everyone should run.
  • 600 (rw-------) — secrets like private keys and password files; owner only.

The habit to avoid is chmod 777. It hands read, write, and execute to every account and service on the machine, which makes a permission error vanish by removing the protection entirely — including letting anyone overwrite the file. When something won’t open, work out the narrowest grant that fixes it (often just adding x to a directory, or 644 to a file) rather than opening it to the world.

Quick check: a file's permissions read -rwxr-xr--. What can "other" do with it?

Recap

  • Every file grants rwx to three classes: user, group, other.
  • ls -l shows a ten-character string: file type plus three rwx triples.
  • On files rwx means read / modify / run; a script needs the execute bit.
  • On directories rwx means list / create-delete / enter — the x bit catches people out.
  • chmod changes permissions (symbolic like u+x, or octal where r=4, w=2, x=1).
  • chown and chgrp change ownership; use 644, 755, 600 as your defaults and avoid reflexive 777.

Next up: sudo & becoming root safely