
Linux File Permissions Explained: chmod, chown, and Octal Notation

Understand Linux file permissions from scratch. Learn what rwx means, how octal notation works, and when to use chmod 755 vs 644 vs 777.

Why File Permissions Matter

Every file and directory on a Linux system has an owner and a set of rules controlling who can read, write, or execute it. Get these wrong and you either lock yourself out of your own files or — far worse — leave sensitive data readable by any user on the system.

This guide explains the permission system from first principles, so you stop guessing and start understanding what your ls -la output actually means.

Reading the Permission String

Run ls -la in any directory and you will see something like this:

-rwxr-xr--  1 alice devs  4096 May 10 09:30 deploy.sh
drwxr-x---  2 alice devs  4096 May  8 14:22 config/

The first column is a 10-character string. Break it down:

Position  Characters  Meaning
1         - or d      File type: - = regular file, d = directory
2-4       rwx         Owner permissions
5-7       r-x         Group permissions
8-10      r--         Others (world) permissions

Each triplet uses three flags:

  • r (read, value 4) — view file contents or list directory
  • w (write, value 2) — modify file or add/remove files in directory
  • x (execute, value 1) — run file as program, or cd into directory
  • - — permission not granted

So rwxr-xr-- means: owner can read/write/execute; group can read/execute; others can only read.

Octal Notation: The Numbers Behind chmod

Each permission triplet maps to a number from 0 to 7 by adding the values of granted permissions:

Octal  Binary  Permissions
7      111     rwx
6      110     rw-
5      101     r-x
4      100     r--
3      011     -wx
2      010     -w-
1      001     --x
0      000     ---

Three octal digits cover owner, group, and others in that order. So chmod 754 file sets owner to rwx (7), group to r-x (5), others to r-- (4).

The Most Common Permission Modes

chmod 644 — Standard web file. Owner reads and writes; everyone else reads only. Used for HTML, CSS, config files, anything a web server needs to read but not execute.

chmod 755 — Executable script or public directory. Owner has full control; group and others can read and execute but not modify. Use this for shell scripts, binaries, and public directories.

chmod 700 — Private files. Only the owner has any access at all. Use for SSH keys, credential files, and private scripts.

chmod 600 — Sensitive data, no execute needed. SSH private key files must be 600 or SSH will refuse to use them.

chmod 777 — Avoid unless you know exactly why. Anyone on the system can read, write, and execute. Almost never the right choice on a shared or production server.

Symbolic Mode: Letters Instead of Numbers

chmod also accepts a symbolic syntax that is easier to read for targeted changes:

chmod u+x script.sh      # add execute for owner
chmod g-w file.txt       # remove write from group
chmod o=r file.txt       # set others to read-only exactly
chmod a+r file.txt       # add read for all (a = all)
chmod ug+rw,o-rwx data/  # owner+group read/write, others nothing

The letters: u = user (owner), g = group, o = others, a = all three. Operators: + adds, - removes, = sets exactly.

Directories vs Files: A Key Difference

Execute permission means something different on directories. Without x on a directory, you cannot cd into it or access anything inside, even if you have read permission. This is why directories need 755 while their contents can be 644.

# Wrong: breaks directory traversal
chmod -R 644 /var/www/html/

# Correct: X (capital) applies execute only to directories (and to files that already have an execute bit)
chmod -R u=rwX,go=rX /var/www/html/

chown: Changing Ownership

chown alice file.txt           # change owner
chown alice:devs file.txt      # change owner and group
chown -R www-data /var/www/    # recursive, common for web servers

Special Permission Bits

setuid (4000) — Executable runs as the file owner, not the caller. The passwd command uses this.

setgid (2000) — New files in a directory inherit the directory group. Useful for shared project folders.

sticky bit (1000) — On directories like /tmp, prevents users from deleting files they do not own.

chmod 4755 /usr/local/bin/mytool  # setuid + 755
chmod 2775 /shared/project/       # setgid + 775
chmod 1777 /tmp                   # sticky + full write

Web Server Permissions Reference

Location                  Owner        Permissions
Application files         deploy user  644
Application directories   deploy user  755
Shell scripts / binaries  deploy user  755
Uploaded content          www-data     644
Upload directory          www-data     755
.env / credential files   deploy user  600
SSH private keys          user         600
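
An added example, not part of the original article: a POSIX shell function that audits a directory tree for the risky modes discussed above (world-writable files and directories, setuid/setgid files, and credential files looser than 600). The function names, labels, and credential file name patterns are assumptions chosen for illustration.

```shell
#!/bin/sh
# audit_perms ROOT: print one "LABEL path" line per finding under ROOT.
# Uses only POSIX find primaries (-perm -MODE means "all of these bits set").

# Prefix each path read from stdin with a label (paths containing
# newlines are not handled).
tag() {
    while IFS= read -r path; do
        printf '%s %s\n' "$1" "$path"
    done
}

audit_perms() {
    root=$1

    # Files any user can modify (the "others" write bit, as in 666 or 777).
    find "$root" -type f -perm -0002 | tag WORLD_WRITABLE_FILE

    # World-writable directories without the sticky bit: any user can
    # delete or replace other users' files there (777 rather than 1777).
    find "$root" -type d -perm -0002 ! -perm -1000 | tag WORLD_WRITABLE_DIR

    # setuid/setgid files run with the owner's or group's identity,
    # so every one of them should be known and expected.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) | tag SETID_FILE

    # Credential files with any group or others bit set (looser than 600).
    # The name patterns are assumptions; adjust them to your deployment.
    find "$root" -type f \
        \( -name '.env' -o -name '*.pem' -o -name 'id_rsa' -o -name 'id_ed25519' \) \
        \( -perm -0040 -o -perm -0020 -o -perm -0010 \
           -o -perm -0004 -o -perm -0002 -o -perm -0001 \) | tag LOOSE_CREDENTIAL
}

# Run against a directory when invoked with an argument: sh audit.sh /var/www
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

An empty result means none of the four conditions were found; a directory such as /tmp with mode 1777 is deliberately not reported because the sticky bit is set.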

→ Try the chmod Calculator to convert between octal, symbolic, and readable formats instantly.