Linux File Permissions & User Management: Hands‑On Guide to chmod, chown, and useradd
This tutorial walks through reading and interpreting Linux file permissions with ls -l, changing them via chmod (numeric and symbolic modes), adjusting ownership with chown, configuring default masks using umask, and managing users and groups with useradd, usermod, and passwd, while highlighting common pitfalls and a real-world setup example.
Why permissions matter
A colleague’s deployment script failed with “Permission denied” because the file had the default 644 mode, a typical mistake for newcomers.
01. Reading permissions – ls -l
The ten‑character string (e.g., -rw-r--r--) breaks down into file type, owner (u), group (g), and others (o) permissions. r = read, w = write, x = execute; - means the bit is unset. A trailing t on a directory (e.g., /tmp/) indicates the sticky bit, allowing only the file’s owner to delete files within that directory.
02. Changing permissions – chmod
chmod supports numeric and symbolic modes. Numeric values are sums of r=4, w=2, x=1:
755 → rwxr-xr-x (common for scripts and directories)
644 → rw-r--r-- (common for config files)
777 → rwxrwxrwx (use with extreme caution)
Symbolic mode allows fine‑grained tweaks, e.g.:
chmod +x script.sh # add execute for everyone
chmod u+x script.sh # add execute for owner only
chmod go-w file.txt # remove write for group and others
Recursive changes use the -R flag:
chmod -R 755 /var/www/html/
03. Changing ownership – chown
chown changes file owner and group using the user:group syntax (the colon is mandatory). Examples:
chown :nginx file.txt # change only group
chown nginx file.txt # change only owner
chown -R www-data:www-data /var/www/ # recursive change
04. Default permissions – umask
The default 644 for files and 755 for directories come from the umask value. It subtracts a mask from the maximum permissions (666 for files, 777 for directories). For example, umask 022 yields 644 and 755. Setting a stricter mask such as 027 removes read permission for “others” on new files; it can be configured in /etc/profile for high‑security servers.
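How the mask acts on newly created files and directories, as an added example that is not part of the original article: it creates a file and a directory under several masks and compares the real modes with "requested bits AND NOT mask". The function names and the sample mask 033 are assumptions made for illustration, and GNU coreutils (stat -c, mktemp -d) is assumed. The mask is applied by clearing bits, which gives the same result as subtraction for 022 and 027 but not for 033.

```shell
#!/bin/sh
# Added example (not from the original article): observe the modes that new
# files and directories really get under a given umask.
# Assumes GNU coreutils (stat -c, mktemp -d), as on a typical Linux system.

# created_modes MASK -> "<file-mode> <dir-mode>" as actually created
created_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmp/f"      # the shell's redirection requests mode 0666
        mkdir "$tmp/d"    # mkdir requests mode 0777
    )
    printf '%s %s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

# expected_modes MASK -> the same pair computed as "requested AND NOT mask"
expected_modes() {
    printf '%o %o\n' "$(( 0666 & ~0$1 ))" "$(( 0777 & ~0$1 ))"
}

# Constructed sample masks: the two from the text, a private mask, and 033,
# where digit-wise subtraction (666 - 033 = 633) would give the wrong answer.
for m in 022 027 077 033; do
    printf 'umask %s  created: %s  computed: %s\n' \
        "$m" "$(created_modes "$m")" "$(expected_modes "$m")"
done
```

The umask is set inside a subshell so the calling shell's own mask is left unchanged.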
⚠️ Common pitfalls
Running chmod -R 777 / by mistake (e.g., missing a slash) can render a system unusable and may require a reinstall. Always double‑check paths before using chmod or chown, especially with the -R option.
05. Creating users – useradd
Typical options:
-m: create a home directory
-s /bin/bash: set login shell
-c: add a comment
-G: supplementary groups (comma-separated)
-u: specify UID
06. Modifying users – usermod
When adding a group, the -a (append) flag is required; otherwise the user is removed from all other groups.
usermod -aG sudo devuser1 # ✅ append to sudo group
usermod -G sudo devuser1 # ❌ replaces all groups with sudo only
Use -L to lock a user (adds ! before the password hash) and -U to unlock.
07. Setting passwords – passwd
When entering a password, the terminal shows no echo; press Enter after typing. passwd -e forces a password change on the next login, useful for new hires.
08. Group management and queries
Group creation and deletion:
groupadd -g 2000 devops # create group with GID 2000
groupdel devops # delete group
Query user information with id and current user with whoami:
id devuser1
uid=1001(devuser1) gid=1001(devuser1) groups=1001(devuser1),1002(developers),992(docker),27(sudo)
whoami
root
09. Real-world scenario – provisioning a new developer
For a new front-end developer, the directory is prepared with chmod 2775. The leading 2 sets the SGID bit, causing newly created files to inherit the webdev group, enabling collaborative editing without further permission tweaks. The SGID effect is visible as an s in the ls -ld output (drwxrwsr-x).
Summary of essential commands
ls -l – view permissions (use -ld for directories)
chmod – modify permissions (numeric or symbolic, -R for recursion)
chown – change owner/group (numeric user:group, -R optional)
umask – set default permission mask (-S shows symbolic mask)
useradd – create user (common flags -m -s -G -c -u)
usermod – modify user (remember -a when adding groups, -L/-U to lock/unlock)
passwd – set or force password change (-e)
groupadd / groupdel – manage groups
id / whoami – query user identity
