CoursesLinux essentialsPermissions & ownership

Reading & setting permissions

rwx, octal, and chmod at a glance.

Beginner14 min · lesson 14 of 25

Linux permissions are the heart of its security model, and they are simpler than they look. Every file has three sets of permissions — for the owner, the group, and everyone else (others) — and each set has three bits: read (r), write (w), and execute (x). ls -l prints them as a nine-character string, which you read in three triads. Once you can glance at rwxr-x--- and know exactly who can do what, a huge amount of Linux security becomes legible.

terminal
$ ls -l script.sh
-rwxr-x--- 1 deploy devs 512 Jul 3 10:00 script.sh
# │└┬┘└┬┘└┬┘ └─┬──┘ └┬─┘
# │ │ │ │ │ └ group name
# │ │ │ │ └ owner name
# │ │ │ └ others: --- (nothing)
# │ │ └ group: r-x (read, execute)
# │ └ owner: rwx (read, write, execute)
# └ file type: - = file, d = directory, l = symlink

Octal: permissions as numbers

The same permissions are often written as three digits, because each triad is a number: read=4, write=2, execute=1, added together. So rwx = 7, rw- = 6, r-x = 5, r-- = 4. A mode like 0640 means owner rw- (6), group r-- (4), others --- (0). chmod uses either form. Learning the common values — 644 for a normal file, 600 for a private one, 755 for a program or directory, 700 for a private directory — covers almost everything.

terminal
$ chmod 600 ~/.ssh/id_ed25519 # private key: owner rw, nobody else — required
$ chmod 644 index.html # normal file: owner rw, everyone reads
$ chmod 755 deploy.sh # program/dir: owner all, others read+execute
$ chmod u+x,go-w script.sh # symbolic: add execute for user, remove write for group/other

Execute means something different on directories

On a file, x means "can be run as a program." On a directory, x means "can enter it / traverse into it," and r means "can list its contents" — so a directory can be listable but not enterable, or enterable but not listable, depending on the bits. This trips people up: if you cannot cd into a directory you can see, it is missing execute; if you can cd in but ls fails, it is missing read. Directory permissions gate access to everything inside.

World-writable and world-readable secrets are findings
Two permission mistakes cause real incidents: a world-writable file (others have w) anyone can modify — imagine a world-writable script that runs as root — and a world-readable secret (others have r) like a config with a password that every user can read. SSH will even refuse to use a private key that is not 600. Scan for both (find / -perm -0002 for world-writable), and default sensitive files to 600 or 640.