Friday, April 10, 2026

Understanding Linux File Permissions: A Practical Guide

 


Linux permissions explained simply. rwx, octal modes, chmod examples, sticky bit, SetUID. No prior experience needed.

File permissions are the core access control mechanism on Linux systems. Every file and directory has an owner, a group, and a set of rules that determine who can read, write, or execute it. Misunderstanding these rules is a leading cause of broken services, data leaks, and accidental deletions.

This guide explains why permissions work the way they do, then shows how to inspect and modify them safely.


Prerequisites

  • Access to a Linux terminal

  • A test directory you own (e.g., ~/permissions-test)

The Anatomy of a Permission String


Run ls -l in any directory. You’ll see lines like this:

text
-rw-r--r-- 1 alice developers 1042 Mar 10 12:34 notes.txt
drwxr-x--- 2 alice developers 4096 Mar 10 12:34 projects


The first ten characters are the permission string. Break it down:



Each triplet uses r (read), w (write), x (execute). A dash - means the permission is absent.


Examples:

rwx – read, write, and execute

r-x – read and execute, but no write

r-- – read only

For directories, x means traverse (the ability to cd into it or access files inside). A directory without x is effectively locked, even with r: the names inside can still be listed, but the entries themselves cannot be opened.


Numeric (Octal) Mode Explained

Permissions are also expressed as three octal digits. Each permission bit has a value:



Sum them per triplet. Example: rwx = 4+2+1 = 7, r-x = 4+0+1 = 5, r-- = 4+0+0 = 4.

-rw-r--r-- becomes:

Owner: rw- = 4+2+0 = 6

Group: r-- = 4+0+0 = 4

Others: r-- = 4+0+0 = 4 → 644

drwxr-x--- → Owner 7, Group 5, Others 0 → 750
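The conversion above, written out as an added example (not code from the original post). It goes one step further than the two cases shown and also handles the s/S and t/T characters used by the special bits covered later on this page, which become a fourth leading digit. The function name mode_to_octal is a hypothetical helper, and the sample strings are constructed.

```bash
# Added example: convert an `ls -l` permission string to octal.
# mode_to_octal is a hypothetical helper name, not a standard tool.
mode_to_octal() (
    # Keep type char + 9 permission chars; drops a trailing '.' or '+'
    # that some ls versions append for SELinux contexts or ACLs.
    str=$(printf '%s' "$1" | cut -c1-10)
    case $str in
        [-dlbcps][r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;;
        *) echo "invalid permission string: $1" >&2; exit 1 ;;
    esac

    special=0
    digits=""
    for start in 2 5 8; do            # owner, group, others triplets
        t=$(printf '%s' "$str" | cut -c"$start"-"$((start + 2))")
        val=0
        case $t in r??) val=$((val + 4)) ;; esac
        case $t in ?w?) val=$((val + 2)) ;; esac
        # Lowercase s/t means the special bit AND execute are both set;
        # uppercase S/T means the special bit is set without execute.
        case $t in ??[xst]) val=$((val + 1)) ;; esac
        case $t in
            ??[sStT])
                case $start in
                    2) special=$((special + 4)) ;;   # SetUID
                    5) special=$((special + 2)) ;;   # SetGID
                    8) special=$((special + 1)) ;;   # sticky bit
                esac ;;
        esac
        digits="$digits$val"
    done

    if [ "$special" -eq 0 ]; then
        echo "$digits"
    else
        echo "$special$digits"
    fi
)

# Constructed sample inputs
for s in -rw-r--r-- drwxr-x--- drwxrwxrwt -rwsr-xr-x -rwSr--r--; do
    printf '%s -> %s\n' "$s" "$(mode_to_octal "$s")"
done
```

To cross-check against a real file, stat -c '%A %a' <file> (GNU coreutils) prints both forms side by side.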


Viewing and Changing Permissions

Check current permissions

bash
ls -l <file-or-directory>
# Example output: -rw-r--r-- 1 alice alice 0 Mar 10 12:34 data.txt

Change permissions with chmod

Symbolic method (easier for beginners):

bash
chmod u+x script.sh        # Add execute for owner (user)
chmod g-w config.conf      # Remove write for group
chmod o=r data.txt         # Set others to read-only (overwrites)
chmod a+x program          # Add execute for everyone (all)

Numeric method (precise and script-friendly):

bash
chmod 644 data.txt         # rw-r--r--
chmod 750 private_dir      # rwxr-x---
chmod 600 secret.key       # rw-------

Change ownership

bash
chown <username> file.txt                    # Change owner
chown :<groupname> file.txt                  # Change group only
chown <username>:<groupname> file.txt        # Change both
chown -R <username> /path/to/directory       # Recursive (use with caution)

Special Permissions (Sticky Bit, SetUID, SetGID)

These are less common but essential for specific system behaviors.



Set sticky bit on a shared directory:

bash
mkdir /shared
chmod 1777 /shared   # drwxrwxrwt
ls -ld /shared       # Note the 't' at the end
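Because these bits change who a program runs as and who may delete files in a shared directory, they are worth auditing on any tree you administer. The following is an added example, not part of the original post: audit_special_perms is a hypothetical helper, it assumes GNU find and stat, and the demo tree is constructed in a temporary directory.

```bash
# Added example: report special-permission findings under a directory.
# audit_special_perms is a hypothetical helper; needs GNU find and stat.
audit_special_perms() (
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; exit 1; }

    # SetUID files run with the file owner's privileges.
    find "$root" -xdev -type f -perm -4000 \
        -exec stat -c 'SETUID %a %U:%G %n' {} +
    # SetGID files run with the file group's privileges.
    find "$root" -xdev -type f -perm -2000 \
        -exec stat -c 'SETGID %a %U:%G %n' {} +
    # World-writable directories without the sticky bit: any user can
    # delete or rename other users' files in them.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec stat -c 'NOSTICKY %a %U:%G %n' {} +
    # World-writable regular files.
    find "$root" -xdev -type f -perm -0002 \
        -exec stat -c 'WORLDWRITE %a %U:%G %n' {} +
)

# Constructed demo tree in a temporary directory
demo=$(mktemp -d)
touch "$demo/helper" "$demo/notes.txt"
chmod 4755 "$demo/helper"          # SetUID set
chmod 644  "$demo/notes.txt"
mkdir "$demo/dropbox" "$demo/shared"
chmod 777  "$demo/dropbox"         # world-writable, no sticky bit
chmod 1777 "$demo/shared"          # world-writable with sticky bit (fine)
audit_special_perms "$demo"
rm -rf "$demo"
```

Only helper and dropbox are reported; the sticky directory and the 644 file are not.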

Verification & Testing

Before changing permissions on important files:

1. Preview your recursive changes. chmod has no --dry-run option, and -v / --changes only report changes as they are applied, so list the affected files first:

bash
find /path/to/dir -type f ! -perm 640 -print               # Preview: files whose mode is not already 640 (changes nothing)
find /path/to/dir -type f -exec chmod --changes 640 {} +   # Apply, printing only the files whose mode actually changed

2. Test access as a different user:

bash
sudo -u <otheruser> cat /path/to/file    # Test read
sudo -u <otheruser> touch /path/to/file  # Test write

3. Check effective permissions (including ACLs):

bash
namei -l /path/to/file   # Shows permissions of every parent directory
getfacl /path/to/file    # If extended ACLs are used

Common Pitfalls and How to Avoid Them



🚨 Warning: Never run chmod -R 777 /, chown -R user:user /, or chmod -R -x /bin. These can break your system irrecoverably.


When to Use umask

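The umask sets default permissions for newly created files and directories. It removes bits from the base defaults (666 for files, 777 for directories): every bit set in the umask is cleared in the new file's mode, so this is a bitwise mask rather than arithmetic subtraction.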

bash
umask                   # Show current value (e.g., 0022)
umask 0027              # New files: 640, new dirs: 750 (common for shared work)


Add to ~/.bashrc or ~/.profile to make persistent.

Typical umask values:

022 (default on many distros) → files 644, dirs 755

002 (shared group) → files 664, dirs 775

077 (private) → files 600, dirs 700
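The values above can be checked on a real system. This added example (not from the original post) predicts the modes with a bitwise AND-NOT and compares them with what touch and mkdir actually create under each mask. predicted_modes and observed_modes are hypothetical helper names, GNU stat is assumed, and the mask 033 is a constructed case where simple subtraction would give the wrong answer.

```bash
# Added example: show the modes that a given umask really produces.
# Both function names are hypothetical helpers; requires GNU stat.

# Predict the result: base mode AND NOT mask (bitwise, not subtraction).
predicted_modes() {
    printf '%o %o\n' "$((0666 & ~0$1))" "$((0777 & ~0$1))"
}

# Create a real file and directory under the mask and read back their modes.
observed_modes() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"                     # affects only this subshell
    touch "$tmp/file"
    mkdir "$tmp/dir"
    printf '%s %s\n' "$(stat -c %a "$tmp/file")" "$(stat -c %a "$tmp/dir")"
    rm -rf "$tmp"
)

# Masks from this page, plus 033 (constructed) where subtraction would be wrong:
# 666 - 033 = 633, but the real file mode is 644.
for mask in 022 002 077 027 033; do
    printf 'umask %s: predicted %s, observed %s\n' \
        "$mask" "$(predicted_modes "$mask")" "$(observed_modes "$mask")"
done
```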


Further Reading (Built-in Documentation)

bash
man chmod          # Full spec, including special bits and octal
man chown          # Ownership changes and symlink handling
info coreutils 'File permissions'   # More detailed GNU documentation
man umask          # Default permission mask

For real-world exploration, create a test directory and experiment:

bash
mkdir ~/perm-test && cd ~/perm-test
touch a.txt
mkdir dir
chmod 000 a.txt    # Try to read it (you can't, unless you are root)
chmod 600 a.txt    # Restore access

Summary Table




