Linux File Permissions Explained
Linux's permission system controls who can read, write, or execute every file and directory. It looks cryptic at first (-rwxr-xr-x), but once you see the pattern, it's actually quite elegant.
Reading ls -la Output
```
$ ls -la /usr/bin/python3
-rwxr-xr-x 1 root root 5437776 Jan 15 12:00 /usr/bin/python3
│└─┘└─┘└─┘
│ U  G  O    ← User, Group, Other permissions
└── file type (- = regular, d = directory, l = symlink)
```
The fields after the mode string are the hard-link count (1), the owner (root), the group (root), the size, the modification time, and the name.
The permission string has 10 characters:
- Character 1: file type (- = regular file, d = directory, l = symlink)
- Characters 2-4: User (owner) permissions
- Characters 5-7: Group permissions
- Characters 8-10: Other (everyone else) permissions
Each group of 3 uses r (read), w (write), x (execute), or - (denied). Only one of the three groups applies to a given process, and the kernel picks it by the first match: if your effective uid owns the file, the User triplet is used, even when it grants less than Group or Other; otherwise, if you belong to the file's group, the Group triplet; otherwise the Other triplet. Root bypasses read and write checks entirely (CAP_DAC_OVERRIDE), but can only execute a file if at least one x bit is set.
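To make the mapping concrete, here is a small decoder for the 10-character mode field, added as an example for this page rather than taken from it. It turns an `ls -l` mode string into the same octal form `stat -c %a` prints, including the SUID, SGID and sticky bits that appear as `s`/`S` and `t`/`T` in the execute slots (covered further down the page). The mode strings in the loop are constructed inputs; `file_mode_octal` is a helper name chosen here, and the cross-check against `stat` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the page): decode the 10-character mode field of
# `ls -l` into octal, including SUID/SGID/sticky.  Pure POSIX sh.

mode_to_octal() (
    # Keep the first 10 characters: GNU ls appends '+' for an ACL and '.' for
    # an SELinux context, and those are not permission bits.
    m=$(printf '%s' "$1" | cut -c1-10)
    special=0
    digits=""
    for pos in 2 5 8; do              # user, group, other triplets
        v=0
        r=$(printf '%s' "$m" | cut -c"$pos")
        w=$(printf '%s' "$m" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$m" | cut -c"$((pos + 2))")
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case $x in
            x|s|t) v=$((v + 1)) ;;    # lowercase s/t: the execute bit is set as well
        esac
        case $x in
            s|S) if [ "$pos" -eq 2 ]; then special=$((special + 4))   # SUID
                 else special=$((special + 2)); fi ;;                 # SGID
            t|T) special=$((special + 1)) ;;                          # sticky
        esac
        digits="$digits$v"
    done
    # Print like `stat -c %a`: no leading digit unless a special bit is set.
    if [ "$special" -eq 0 ]; then printf '%s\n' "$digits"
    else printf '%s%s\n' "$special" "$digits"; fi
)

# Same thing for a path on disk, so the decoder can be cross-checked against stat(1).
file_mode_octal() {
    mode_to_octal "$(ls -ld "$1")"
}

# Constructed mode strings: plain, SUID, SUID without x (ls shows 'S'), SGID dir, sticky dir.
for m in -rwxr-xr-x -rw-r--r-- -rwsr-xr-x -rwSr--r-- drwxrwsr-x drwxrwxrwt; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```

`file_mode_octal /tmp` should agree with `stat -c %a /tmp` (normally 1777); if the two ever disagree on a system, the mode string carried something the decoder did not expect, which is worth a look.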
What r, w, x Actually Mean
| Permission | On a File | On a Directory |
|---|---|---|
| r (read) | Read file contents | List directory entries (ls); without x you see names only |
| w (write) | Modify file contents | Create, delete or rename entries inside (needs x as well) |
| x (execute) | Run as a program | Enter the directory (cd) and reach entries by name |
Note that deleting or renaming a file is governed by the directory's w (plus x), not by the file's own bits: a file you cannot write can still be removed from a directory you can write, unless the sticky bit is set.
Why do directories need execute permission to cd into them?
The x bit on a directory means "traverse" (the kernel calls it search permission): you need it to reach anything inside, including following a path that merely passes through the directory. You can have r without x on a directory (you can list filenames but cannot open, stat, or cd to anything in it), or x without r (you can open files if you already know their names, but cannot list them). The second combination is sometimes used deliberately to publish a file at a known path without exposing its neighbours.
Octal Notation — The Numbers
Each permission is a bit: r=4, w=2, x=1. Add them up for each group:
```
755 → rwxr-xr-x
  7 = 4+2+1 = rwx (owner: full)
  5 = 4+0+1 = r-x (group: read + execute)
  5 = 4+0+1 = r-x (other: read + execute)

644 → rw-r--r--
  6 = 4+2+0 = rw- (owner: read + write)
  4 = 4+0+0 = r-- (group: read only)
  4 = 4+0+0 = r-- (other: read only)

600 → rw------- (owner only, common for SSH keys)
```
ssh enforces the last one: it refuses to use a private key that group or others can read ("Permissions 0644 ... are too open"), and ~/.ssh itself is expected to be 700.
chmod and chown
```
# chmod — change permissions
chmod 755 script.sh        # set to rwxr-xr-x
chmod +x script.sh         # add execute for every class your umask does not mask (a+x ignores the umask)
chmod u+x,g-w file.txt     # symbolic: add user execute, remove group write
chmod -R u=rwX,go=rX /var/www/html   # recursive: 755 on directories, 644 on files
                                     # NOT "chmod -R 644": that strips x from every directory,
                                     # and a directory without x cannot be entered

# chown — change owner (only root can give files to another user)
chown alice file.txt       # change owner to alice
chown alice:staff file.txt # change owner and group
chown -R www-data /var/www # recursive
```
Capital X in a symbolic mode adds execute only to directories and to files that already have an execute bit, which is why it is the safe way to apply "755 for dirs, 644 for files" in one pass. Think twice before the last command: if the web server's own user owns the document root, a compromised worker process can rewrite the site. The usual arrangement is for a deploy user to own the files and for www-data to have read access only, with write access limited to the few directories (uploads, cache) that genuinely need it.
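The recursive-644 mistake and its fixes, as an added runnable example (not code from the page): it builds a throwaway tree, breaks it with `chmod -R 644`, repairs it top-down with find, and then shows what `u=rwX,go=rX` does to a file that already had an execute bit. The tree layout and the function names `perms_symbolic`, `perms_repair` and `demo` are choices made for this example; it assumes GNU coreutils and findutils (`stat -c`, `chmod X`, `-exec {} +`).

```shell
#!/bin/sh
# Added example (not from the page): why `chmod -R 644` on a tree is a mistake,
# and two ways to get "644 files / 755 directories" right.
# Assumes GNU coreutils/findutils (stat -c, chmod X).

# For a healthy tree: capital X adds execute only to directories
# (and keeps it on files that already have some execute bit).
perms_symbolic() {
    chmod -R u=rwX,go=rX "$1"
}

# Repair a tree whose directories have already lost x.  `-exec ... \;` runs
# chmod on each directory before find descends into it, so it works top-down
# even without root; a batched `{} +` or a `chmod -R` would fail to stat the
# children of a directory that is still 644.
perms_repair() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} +
}

# Build a small tree (constructed sample data), break it, repair it, and report
# "<dir after chmod -R 644> <dir after repair> <index.html> <app.js after rwX>".
demo() (
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    mkdir -p "$tmp/html/assets"
    : > "$tmp/html/index.html"
    : > "$tmp/html/assets/app.js"

    # The mistake.  As root it "succeeds" and strips x from every directory;
    # as a normal user it fails part-way because, once the top directory is
    # 644, chmod can no longer stat the entries inside it.  Either way the
    # top directory ends up 644.
    chmod -R 644 "$tmp/html" 2>/dev/null || true
    broken=$(stat -c %a "$tmp/html")

    perms_repair "$tmp/html"
    chmod 755 "$tmp/html/assets/app.js"     # pretend one file is meant to be executable
    perms_symbolic "$tmp/html"              # X keeps that file's x and adds none elsewhere

    printf '%s %s %s %s\n' "$broken" \
        "$(stat -c %a "$tmp/html/assets")" \
        "$(stat -c %a "$tmp/html/index.html")" \
        "$(stat -c %a "$tmp/html/assets/app.js")"
)

demo
```

Expected line: `644 755 644 755`. The last number is the caveat: `u=rwX,go=rX` preserves execute on files that already have it, so if you want to strip stray execute bits from static content (uploads are the classic case) use the find form, which sets an explicit 644 on every regular file.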
umask — Default Permissions
Why do new files never get execute permission by default?
The umask (user file creation mask) lists the permission bits to clear on everything a process creates. The creating program asks for a base mode, 666 for ordinary files and 777 for directories, and the kernel clears the bits set in the mask: mode = base & ~umask. With the usual default of 022 that gives 644 for files and 755 for directories. It is a mask, not a subtraction: 666 with umask 077 is 600, whereas octal subtraction (666 - 077 = 567) would produce a group-writable file. Files never come out executable because 666 has no x bits to start with and a umask can only remove bits, never add them; compilers, linkers and an explicit chmod +x are what make files executable.
```
umask       # show current umask (e.g., 0022)
umask 027   # set new umask: group loses write, others get nothing (files 640, dirs 750)
```
A umask set on the command line only affects that shell and the processes it starts; put it in a shell startup file, a systemd unit, or /etc/login.defs to make it stick. For anything handling secrets, 077 (files 600, dirs 700) is the safer default.
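The mask arithmetic, worked through in shell as an added example (not from the page). `apply_umask` computes what the kernel does with plain bitwise arithmetic, and `umask_demo` creates a real file and directory under a given umask and reads back the modes that landed on disk, so the two can be compared. Both function names are choices made here; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the page): umask is a bit mask, not a subtraction.
# Assumes GNU coreutils for `stat -c`.

# What the kernel does: mode = base & ~umask.  Both arguments are octal strings
# (666 or 777 for the base); the leading 0 makes shell arithmetic read them as octal.
apply_umask() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# Create a file and a directory under a given umask (in a subshell, so the
# caller's umask is untouched) and report the modes that actually landed on disk.
umask_demo() (
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    umask "$1"
    : > "$tmp/file"
    mkdir "$tmp/dir"
    printf '%s %s\n' "$(stat -c %a "$tmp/file")" "$(stat -c %a "$tmp/dir")"
)

# The textbook case works either way: 666 - 022 = 644 and 666 & ~022 = 644.
# With umask 077 the subtraction breaks down (octal 666 - 077 = 567, which
# would grant group write), while the mask gives the correct 600.
for mask in 022 027 077; do
    printf 'umask %s: file %s dir %s (on disk: %s)\n' "$mask" \
        "$(apply_umask 666 "$mask")" "$(apply_umask 777 "$mask")" "$(umask_demo "$mask")"
done
```

The computed and on-disk columns agree for every mask, which is the point: when an audit finds a world-readable file that "should" have been private, the umask of the process that created it is the first thing to check.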
Special Bits: SUID, SGID, Sticky
| Bit | On File | On Directory | Example |
|---|---|---|---|
| SUID (4000) | Runs with the file owner's uid (binaries only; Linux ignores it on #! scripts) | Ignored on Linux | /usr/bin/passwd runs as root so it can update /etc/shadow |
| SGID (2000) | Runs with the file's group | New entries inherit the directory's group; new subdirectories inherit SGID too | Shared project directories |
| Sticky (1000) | Ignored on Linux | Only an entry's owner, the directory's owner, or root can delete or rename it | /tmp — you can't delete others' temp files |
```
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root ... /usr/bin/passwd   ← 's' in the user execute slot = SUID set
```
ls shows the special bits in place of the execute bits: s in the user slot is SUID, s in the group slot is SGID, t in the other slot is sticky. An uppercase S or T means the special bit is set but the execute bit underneath it is not (a mode such as 4644), which is almost always a mistake.
```
chmod 4755 myscript   # set SUID (only meaningful on a compiled binary; Linux ignores SUID on #! scripts)
chmod 2775 /srv/project   # SGID directory: files created inside get the project's group
chmod 1777 /tmp       # sticky bit on /tmp
```
Every SUID-root binary is attack surface: any bug in it, or any way to influence its environment, is a potential privilege escalation, which is why a privilege-escalation check starts by enumerating them and why hardening guides keep the set as small as possible.
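The enumeration step just mentioned, as an added example that is not code from the page: `find_setid` lists every regular file with SUID or SGID set under a path, in the form both auditors and attackers use (`find / -perm -4000` is the usual one-liner), and `demo` exercises it on a throwaway directory so it runs without root. Function names and the sample files are constructed for this example; `-printf` assumes GNU find.

```shell
#!/bin/sh
# Added example (not from the page): enumerate set-user-ID / set-group-ID files.
# Assumes GNU findutils (-printf).

# Print "<octal mode> <owner> <path>" for every regular file with SUID or SGID set.
# -perm -4000 means "these bits are all set", so the two tests are OR'ed to catch
# either bit (GNU find also accepts the shorthand -perm /6000).  -xdev keeps the
# scan on one filesystem, which avoids wandering into /proc or network mounts.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %u %p\n' 2>/dev/null
}

# Demo on a throwaway tree (constructed sample data): one SUID file, one SGID
# file, one plain executable.  Prints "mode:name" pairs in path order.
demo() (
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    : > "$tmp/helper"; chmod 4755 "$tmp/helper"   # SUID
    : > "$tmp/shared"; chmod 2755 "$tmp/shared"   # SGID
    : > "$tmp/plain";  chmod 755  "$tmp/plain"    # neither: must not be listed
    find_setid "$tmp" | sort -k3 |
        awk '{ n = split($3, p, "/"); printf "%s%s:%s", (NR > 1 ? " " : ""), $1, p[n] }
             END { printf "\n" }'
)

demo
```

Expected output of the demo: `4755:helper 2755:shared`. On a real host, run `find_setid /` as root, save the output, and diff it against the previous run; a new SUID-root file, or one sitting in a directory ordinary users can write to, is exactly what a post-exploitation toolkit leaves behind.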