File Permissions
Reading Permissions
```sh
ls -la
# -rwxr-xr-- 1 krav users 4096 Mar 01 12:00 script.sh
#  ╰─╯╰─╯╰─╯
#  user group other
```

| Character | Meaning |
|---|---|
| r | Read (4) |
| w | Write (2) |
| x | Execute (1) |
| - | No permission (0) |
First character: file type (- file, d directory, l symlink).
Octal Notation
Each permission group (user/group/other) is a digit 0–7:
| Octal | Binary | Permissions |
|---|---|---|
| 7 | 111 | rwx |
| 6 | 110 | rw- |
| 5 | 101 | r-x |
| 4 | 100 | r-- |
| 3 | 011 | -wx |
| 2 | 010 | -w- |
| 1 | 001 | --x |
| 0 | 000 | --- |
Example: 755 = rwxr-xr-x (owner: full, group: read+execute, others: read+execute).
chmod — Change Permissions
Octal mode

```sh
chmod 755 script.sh    # rwxr-xr-x
chmod 644 config.txt   # rw-r--r--
chmod 600 private.key  # rw-------
chmod 700 ~/.ssh       # rwx------
```

Symbolic mode

```sh
chmod u+x script.sh       # Add execute for user
chmod g-w file.txt        # Remove write for group
chmod o-rwx secret.txt    # Remove all for others
chmod a+r public.txt      # Add read for all (user+group+other)
chmod u=rwx,g=rx,o= file  # Set explicitly
```

Recursive

```sh
chmod -R 755 /var/www/html   # Note: marks every regular file in the tree executable too
```

chown — Change Ownership

```sh
chown krav file.txt              # Change owner
chown krav:users file.txt        # Change owner and group
chown :users file.txt            # Change group only
chown -R krav:www-data /var/www  # Recursive
```

chgrp — Change Group

```sh
chgrp users file.txt
chgrp -R www-data /var/www
```

Common Permission Patterns

| Octal | Symbolic | Use case |
|---|---|---|
| 644 | rw-r--r-- | Regular files (configs, text) |
| 755 | rwxr-xr-x | Scripts, executables, directories |
| 700 | rwx------ | Private directories (~/.ssh) |
| 600 | rw------- | Private keys, sensitive configs |
| 400 | r-------- | Read-only private files (SSH keys) |
| 666 | rw-rw-rw- | World-writable file (avoid in production) |
| 777 | rwxrwxrwx | World-writable + executable (almost never correct) |
| 750 | rwxr-x--- | Shared directory within a group |
Directories vs Files
Permissions mean different things for directories:
| Permission | File | Directory |
|---|---|---|
| r | Read contents | List contents (ls) |
| w | Modify contents | Create/delete files inside |
| x | Execute as program | Enter (cd into) the directory |
A directory needs x to be traversable — r alone lets you list but not access.
Special Bits
| Bit | Octal prefix | On file | On directory |
|---|---|---|---|
| SUID | 4 | Runs as the file owner, not the caller | — |
| SGID | 2 | Runs as the file’s group | New files inherit directory’s group |
| Sticky | 1 | — | Only file owner can delete their files |
```sh
# Set SUID
chmod 4755 /usr/bin/passwd   # s in user execute: -rwsr-xr-x

# Set SGID on directory
chmod 2755 /shared           # s in group execute: drwxr-sr-x

# Set sticky bit
chmod 1755 /tmp              # t in other execute: drwxr-xr-t

# Find SUID binaries (security audit)
find / -perm -4000 -type f 2>/dev/null
```

Default permissions for new files are controlled by umask. Subtracted from 666 (files) or 777 (directories).
```sh
umask        # Show current (e.g. 0022)
umask 0027   # New files: 640, new dirs: 750
```

| umask | New file | New directory |
|---|---|---|
| 0022 | 644 | 755 |
| 0027 | 640 | 750 |
| 0077 | 600 | 700 |
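The Octal Notation table, the s/S/t/T letters from Special Bits and the umask rule above, carried through in code. This is an added example, not code from the original page: the function names `octal_to_symbolic`, `symbolic_to_octal` and `default_mode` are mine, and it runs in any POSIX sh with no files touched. It goes slightly beyond the table in one respect: a umask clears bits rather than being arithmetically subtracted, so for a mask such as 0033 the code gives 644, where literal subtraction from 666 would give 633.

```sh
#!/bin/sh
# Added example (not from the original page): octal <-> symbolic conversion,
# including the special bits, plus the mode a given umask produces.

# octal_to_symbolic 4755  ->  rwsr-xr-x
octal_to_symbolic() {
    mode=$((0$1))                         # "755" and "0755" both read as octal
    special=$(( (mode >> 9) & 7 ))        # 4=SUID 2=SGID 1=sticky
    out=""
    for off in 6 3 0; do                  # user, group, other triplets
        bits=$(( (mode >> off) & 7 ))
        case $off in
            6) sp=$(( special & 4 )); lo=s; up=S ;;   # SUID shows on user x
            3) sp=$(( special & 2 )); lo=s; up=S ;;   # SGID shows on group x
            0) sp=$(( special & 1 )); lo=t; up=T ;;   # sticky shows on other x
        esac
        [ $(( bits & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( bits & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        if [ "$sp" -ne 0 ]; then
            # Capital letter: special bit set but the execute bit underneath is not
            [ $(( bits & 1 )) -ne 0 ] && out="${out}${lo}" || out="${out}${up}"
        else
            [ $(( bits & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# symbolic_to_octal rwsr-xr-x  ->  4755   (a leading file-type char, as in ls -l, is accepted)
symbolic_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}
    [ ${#s} -eq 9 ] || { echo "bad symbolic mode: $1" >&2; return 1; }
    mode=0; special=0; i=0; rest=$s
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}      # peel off the first character
        triplet=$(( i / 3 )); pos=$(( i % 3 ))    # 0=user 1=group 2=other; 0=r 1=w 2=x
        sh=$(( 6 - 3 * triplet ))
        case "$pos$c" in
            0r) mode=$(( mode | 4 << sh )) ;;
            1w) mode=$(( mode | 2 << sh )) ;;
            2x) mode=$(( mode | 1 << sh )) ;;
            2s|2t|2S|2T)
                # s/S belong to the user and group triplets, t/T to the other triplet
                want=s; [ "$triplet" -eq 2 ] && want=t
                case $c in [sS]) got=s ;; *) got=t ;; esac
                [ "$got" = "$want" ] || { echo "'$c' is not valid at position $((i + 1)): $1" >&2; return 1; }
                case $c in s|t) mode=$(( mode | 1 << sh )) ;; esac   # lowercase: execute bit set too
                special=$(( special | 4 >> triplet )) ;;
            0-|1-|2-) ;;
            *) echo "bad character '$c' at position $((i + 1)): $1" >&2; return 1 ;;
        esac
        i=$(( i + 1 ))
    done
    printf '%o\n' $(( special << 9 | mode ))
}

# default_mode <umask> file|dir  ->  the mode new files or directories receive.
# The mask's bits are cleared from 666/777 (base & ~mask), which is why 0033
# yields 644 for a file rather than the 633 plain subtraction would suggest.
default_mode() {
    mask=$((0$1))
    if [ "$2" = dir ]; then base=$((0777)); else base=$((0666)); fi
    printf '%03o\n' $(( base & ~mask ))
}
```

`symbolic_to_octal` rejects letters in the wrong column, so it can double as a validator when parsing `ls -l` output in a script.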
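The one-line SUID search from Special Bits and the rows of the Common Permission Patterns table, generalized into a single audit over a directory tree. This is an added example, not code from the original page: `audit_tree` and `build_sample_tree` are my names, the sample tree is constructed in a temporary directory, and the file names in it (`private.key`, `notes.txt`, `drop`, `shared`) are illustrative; the `id_*` name pattern assumes OpenSSH's default key file naming.

```sh
#!/bin/sh
# Added example (not from the original page): report files and directories
# whose mode bits match the risky rows above. Works with POSIX find/sed/grep.

# audit_tree <root>: prints one finding per line as "<kind> <path>".
# Exit status is 0 when at least one finding was printed, 1 when the tree is clean.
audit_tree() {
    root=$1
    {
        # Executables that run with their owner's or group's identity.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print |
            sed 's/^/setuid-or-setgid /'
        # World-writable regular files (the 666 / 777 rows of the table).
        find "$root" -type f -perm -0002 -print |
            sed 's/^/world-writable-file /'
        # World-writable directories without the sticky bit: anyone can
        # delete or rename other users' files inside them.
        find "$root" -type d -perm -0002 ! -perm -1000 -print |
            sed 's/^/world-writable-dir-without-sticky /'
        # Private key files readable by group or others (expected 600 or 400).
        find "$root" -type f \( -name '*.key' -o -name 'id_*' \) ! -name '*.pub' \
            \( -perm -0040 -o -perm -0004 \) -print |
            sed 's/^/private-key-readable-by-others /'
        # .ssh directories not set to exactly 700.
        find "$root" -type d -name .ssh ! -perm 700 -print |
            sed 's/^/ssh-dir-not-700 /'
    } | grep .      # grep . fails (status 1) when there was no output at all
}

# build_sample_tree: constructs a throwaway tree mixing good and bad modes and
# prints its path. Every mode is set explicitly so the result does not depend on umask.
build_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/.ssh" "$dir/shared" "$dir/drop"
    : > "$dir/.ssh/private.key"; chmod 644 "$dir/.ssh/private.key"   # too open: flagged
    : > "$dir/.ssh/other.key";   chmod 600 "$dir/.ssh/other.key"     # correct
    : > "$dir/script.sh";        chmod 4755 "$dir/script.sh"         # SUID: flagged
    : > "$dir/notes.txt";        chmod 666 "$dir/notes.txt"          # world-writable: flagged
    : > "$dir/config.txt";       chmod 644 "$dir/config.txt"         # fine
    chmod 755 "$dir/.ssh"      # should be 700: flagged
    chmod 1777 "$dir/shared"   # world-writable but sticky: acceptable
    chmod 777 "$dir/drop"      # world-writable, no sticky: flagged
    printf '%s\n' "$dir"
}
```

Run against a real system as `audit_tree / 2>/dev/null | sort` and diff the result against a known-good baseline: a stock install legitimately has SUID binaries such as passwd, so what matters is the change set, not the raw list.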