What Are Unix File Permissions?
Unix file permissions control who can read, write, and execute files and directories. They are a fundamental part of Unix and Linux security, determining which users and groups can access each file.
Every file and directory has three sets of permissions for three categories of users: the owner (user), the group, and others (everyone else).
The Permission Bits
Each category has three permission bits:
| Symbol | Value | Meaning for Files | Meaning for Directories |
|---|---|---|---|
| r | 4 | Read the file content | List directory contents |
| w | 2 | Modify the file | Create/delete files in directory |
| x | 1 | Execute as a program | Enter the directory (cd) |
| - | 0 | Permission denied | Permission denied |
Reading the Permission String
The ls -l command shows permissions as a 10-character string:
-rwxr-xr-- owner group filename
│└┬┘└┬┘└┬┘
│ │  │  └── Others: r--, read only (4)
│ │  └───── Group: r-x, read+execute (5)
│ └──────── Owner: rwx, full access (7)
└────────── File type: - (file), d (directory), l (symlink)
The Octal Notation
Permissions are most commonly expressed as an octal (base-8) number where each digit represents one category (owner, group, others):
| Permission | Binary | Octal |
|---|---|---|
| --- | 000 | 0 |
| --x | 001 | 1 |
| -w- | 010 | 2 |
| -wx | 011 | 3 |
| r-- | 100 | 4 |
| r-x | 101 | 5 |
| rw- | 110 | 6 |
| rwx | 111 | 7 |
So chmod 755 means:
7 = rwx (owner: full access)
5 = r-x (group: read and execute)
5 = r-x (others: read and execute)
Common Permission Patterns
| Octal | Symbolic | Use Case |
|---|---|---|
| 400 | r-------- | Read-only, owner only (private key files) |
| 600 | rw------- | Read/write, owner only (SSH private keys, .env files) |
| 644 | rw-r--r-- | Web files (readable by server, writable by owner) |
| 664 | rw-rw-r-- | Shared team files |
| 700 | rwx------ | Private executable or directory |
| 755 | rwxr-xr-x | Standard executables and public directories |
| 775 | rwxrwxr-x | Shared directory (group can write) |
| 777 | rwxrwxrwx | Anyone can do anything (avoid in production) |
The chmod Command
# Set permissions with octal notation
chmod 755 script.sh
chmod 644 index.html
chmod 600 ~/.ssh/id_rsa
# Set permissions with symbolic notation
chmod u+x script.sh # Add execute for owner
chmod g-w shared.txt # Remove write for group
chmod o=r public.txt # Set others to read-only
chmod a+r document.pdf # Add read for all (a = all = ugo)
# Recursive (apply to directory and all contents; note this also makes every file executable)
chmod -R 755 /var/www/html
Special Permission Bits
Beyond the standard rwx bits, Unix has three special permission bits:
Setuid (s on owner execute, octal 4000)
Executable runs with the owner's privileges, not the caller's:
chmod 4755 /usr/bin/sudo
-rwsr-xr-x (s in owner's execute position)
Setgid (s on group execute, octal 2000)
For executables: runs with the file's group privileges, not the caller's. For directories: new files inherit the directory's group:
chmod 2775 /shared/project
drwxrwsr-x
Sticky bit (t on others execute, octal 1000)
For directories: only the file owner can delete their own files:
chmod 1777 /tmp
drwxrwxrwt (t = sticky bit)
This is why everyone can write to /tmp but cannot delete each other's files.
Default Permissions with umask
The umask (user file creation mask) determines default permissions for new files. The bits set in the umask are cleared from the maximum permissions, which for typical values looks like subtraction:
Default max for files: 666 (rw-rw-rw-)
Default max for directories: 777 (rwxrwxrwx)
Typical umask: 022
Result for files: 644 (666 - 022)
Result for directories: 755 (777 - 022)
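The special bits and the umask rule, as an added example that is not part of the original page: it renders a 12-bit mode the way ls -l does, applies a umask as the bitwise mask it actually is (so 033 on a 666 file gives 644, where subtraction would suggest 633), and flags modes worth auditing. The function names symbolic, apply_umask and findings are assumptions made for this example.

```python
import stat

# Added example: names below (symbolic, apply_umask, findings) are illustrative.
SPECIAL = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))

def symbolic(mode: int) -> str:
    """Render the low 12 mode bits as the 9-character string ls -l shows."""
    out = []
    for shift, special, letter in SPECIAL:
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            # Lowercase when execute is also set, uppercase when it is not.
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)

def apply_umask(requested: int, umask: int) -> int:
    """Bits set in the umask are cleared from the requested mode (AND NOT)."""
    return requested & ~umask & 0o7777

def findings(mode: int, is_dir: bool) -> list:
    """Flag bit combinations that deserve a look during a permissions audit."""
    notes = []
    if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
        notes.append("world-writable")
    if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
        notes.append("setuid/setgid executable")
    return notes

if __name__ == "__main__":
    # Constructed sample modes taken from the chmod examples on this page.
    for mode, is_dir in ((0o4755, False), (0o2775, True), (0o1777, True), (0o777, False)):
        print(f"{mode:04o} {symbolic(mode)} {findings(mode, is_dir)}")
    # 022 matches the subtraction above; 033 does not (666 - 033 would be 633).
    for mask in (0o022, 0o027, 0o033):
        print(f"umask {mask:03o}: file {apply_umask(0o666, mask):03o}, "
              f"dir {apply_umask(0o777, mask):03o}")
```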