Why File Permissions Matter
Every file and directory on a Linux system has an owner and a set of rules controlling who can read, write, or execute it. Get these wrong and you either lock yourself out of your own files or — far worse — leave sensitive data readable by any user on the system.
This guide explains the permission system from first principles, so you stop guessing and start understanding what your ls -la output actually means.
Reading the Permission String
Run ls -la in any directory and you will see something like this:
```
-rwxr-xr-- 1 alice devs 4096 May 10 09:30 deploy.sh
drwxr-x--- 2 alice devs 4096 May  8 14:22 config/
```
The first column is a 10-character string. Break it down:
| Position | Characters | Meaning |
|---|---|---|
| 1 | - or d | File type: - = regular file, d = directory |
| 2-4 | rwx | Owner permissions |
| 5-7 | r-x | Group permissions |
| 8-10 | r-- | Others (world) permissions |
Each triplet uses three flags:
- r (read, value 4) — view file contents or list directory
- w (write, value 2) — modify file or add/remove files in directory
- x (execute, value 1) — run file as program, or cd into directory
- a dash, - (value 0) — permission not granted
So rwxr-xr-- means: owner can read/write/execute; group can read/execute; others can only read.
Octal Notation: The Numbers Behind chmod
Each permission triplet maps to a number from 0 to 7 by adding the values of granted permissions:
| Octal | Binary | Permissions |
|---|---|---|
| 7 | 111 | rwx |
| 6 | 110 | rw- |
| 5 | 101 | r-x |
| 4 | 100 | r-- |
| 3 | 011 | -wx |
| 2 | 010 | -w- |
| 1 | 001 | --x |
| 0 | 000 | --- |
Three octal digits cover owner, group, and others in that order. So chmod 754 file sets owner to rwx (7), group to r-x (5), others to r-- (4).
The Most Common Permission Modes
chmod 644 — Standard web file. Owner reads and writes; everyone else reads only. Used for HTML, CSS, config files, anything a web server needs to read but not execute.
chmod 755 — Executable script or public directory. Owner has full control; group and others can read and execute but not modify. Use this for shell scripts, binaries, and public directories.
chmod 700 — Private files. Only the owner has any access at all. Use for SSH keys, credential files, and private scripts.
chmod 600 — Sensitive data, no execute needed. SSH private key files must be 600 or SSH will refuse to use them.
chmod 777 — Avoid unless you know exactly why. Anyone on the system can read, write, and execute. Almost never the right choice on a shared or production server.
Symbolic Mode: Letters Instead of Numbers
chmod also accepts a symbolic syntax that is easier to read for targeted changes:
```bash
chmod u+x script.sh        # add execute for owner
chmod g-w file.txt         # remove write from group
chmod o=r file.txt         # set others to read-only exactly
chmod a+r file.txt         # add read for all (a = all)
chmod ug+rw,o-rwx data/    # owner+group read/write, others nothing
```
The letters: u = user (owner), g = group, o = others, a = all three. Operators: + adds, - removes, = sets exactly.
Directories vs Files: A Key Difference
Execute permission means something different on directories. Without x on a directory, you cannot cd into it or access anything inside, even if you have read permission. This is why directories need 755 while their contents can be 644.
```bash
# Wrong: strips execute from every directory, so nothing under it can be traversed
chmod -R 644 /var/www/html/
# Correct: X (capital) applies execute only to directories
# (and to files that already have an execute bit set), not to regular files
chmod -R u=rwX,go=rX /var/www/html/
```
chown: Changing Ownership
```bash
chown alice file.txt         # change owner
chown alice:devs file.txt    # change owner and group
chown -R www-data /var/www/  # recursive, common for web servers
```
Special Permission Bits
setuid (4000) — Executable runs as the file owner, not the caller. The passwd command uses this.
setgid (2000) — New files in a directory inherit the directory group. Useful for shared project folders.
sticky bit (1000) — On directories like /tmp, prevents users from deleting files they do not own.
```bash
chmod 4755 /usr/local/bin/mytool  # setuid + 755
chmod 2775 /shared/project/       # setgid + 775
chmod 1777 /tmp                   # sticky + full write
```
Web Server Permissions Reference
| Location | Owner | Permissions |
|---|---|---|
| Application files | deploy user | 644 |
| Application directories | deploy user | 755 |
| Shell scripts / binaries | deploy user | 755 |
| Uploaded content | www-data | 644 |
| Upload directory | www-data | 755 |
| .env / credential files | deploy user | 600 |
| SSH private keys | user | 600 |