Fundamentals 13 min read

Master Linux File Permissions: From “Permission denied” to Full Control

This guide walks beginners through Linux's three ownership categories and three basic rights, explains symbolic and numeric permission notations, demonstrates chmod and chown usage with real‑world scenarios, and covers special bits like SUID, SGID, and the sticky bit.

Ubuntu

Understanding the Basics

Linux is a multi‑user operating system where every file belongs to a user and a group, and may be accessed by others. The three ownership categories are:

Owner (u): the file creator, e.g., personal scripts.

Group (g): the user group that owns the file, e.g., shared project code.

Others (o): all remaining users, e.g., system configuration files.

A special identifier a (all) represents the combination of u+g+o.

Three Basic Rights

Read (r, value 4): view file contents or list directory entries (ls).

Write (w, value 2): modify file contents or create/delete files in a directory.

Execute (x, value 1): run a program/script or enter a directory (cd).

For directories, the execute bit allows you to "enter" the directory; without it, you can only see the names.

Permission Notations

Symbolic Notation

Running ls -l shows lines such as:

drwxr-xr-x  3 user group 4096 Mar 20 10:00 Documents
-rw-r--r--  1 user group  256 Mar 20 10:00 notes.txt

The first column starts with the file type (d for a directory, - for a regular file), followed by three groups of three characters: the owner, group, and others permissions.

Numeric Notation

Each right maps to a digit (r=4, w=2, x=1). Adding the digits of the rights granted to a category yields a number between 0 and 7:

rwx → 4+2+1 = 7
rw- → 4+2+0 = 6
r-x → 4+0+1 = 5
r-- → 4+0+0 = 4
-wx → 0+2+1 = 3
-w- → 0+2+0 = 2
--x → 0+0+1 = 1
--- → 0+0+0 = 0

Combining the owner, group, and others numbers gives a three‑digit mode.

Thus rwxr-xr-x equals 755 and rw-r--r-- equals 644.
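The conversion above as a shell function, extended to the special bits covered later in this guide. This is an added example, not part of the original article; the function name mode_to_octal is made up for illustration.

```shell
# mode_to_octal MODE: convert the mode column of `ls -l` to octal.
# Hypothetical helper; the body runs in a subshell so its variables stay local.
mode_to_octal() (
    # Skip the file-type character and keep the nine permission characters.
    # Anything after column 10 (ACL "+" or SELinux "." markers) is ignored.
    perms=$(printf '%s' "$1" | cut -c2-10)
    case $perms in
        [r-][w-][-xsS][r-][w-][-xsS][r-][w-][-xtT]) ;;
        *) echo "not a mode string: $1" >&2; exit 1 ;;
    esac
    special=0
    digits=""
    # The owner triplet may carry SUID (4), group SGID (2), others sticky (1).
    for weight in 4 2 1; do
        triplet=$(printf '%s' "$perms" | cut -c1-3)
        perms=$(printf '%s' "$perms" | cut -c4-)
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in
            ??x)    n=$((n + 1)) ;;
            # lowercase s/t: special bit set and execute set
            ??[st]) n=$((n + 1)); special=$((special + weight)) ;;
            # uppercase S/T: special bit set, execute missing
            ??[ST]) special=$((special + weight)) ;;
        esac
        digits="$digits$n"
    done
    # Print the leading special digit only when one of the bits is set.
    [ "$special" -eq 0 ] || digits="$special$digits"
    printf '%s\n' "$digits"
)

mode_to_octal drwxr-xr-x   # 755
mode_to_octal -rwsr-xr-x   # 4755
mode_to_octal drwxrwxrwt   # 1777
```

An uppercase S or T in ls -l output means the special bit is set but the matching execute bit is not, which is usually a misconfiguration worth checking.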

Changing Permissions with chmod

Symbolic Mode (recommended for beginners)

# Add execute permission for the owner
chmod u+x script.sh

# Add read permission for everyone
chmod a+r file.txt

# Remove write permission from others
chmod o-w config.conf

# Set multiple permissions at once
chmod u=rwx,g=rx,o=r file.txt

Symbols:

+ – add permission
- – remove permission
= – set exact permission (overwrites existing)

Numeric Mode (concise and fast)

# Set 755 permissions
chmod 755 script.sh

# Set 644 permissions
chmod 644 document.txt

# Recursively set a directory tree
chmod -R 755 /var/www/html

Practical Scenarios

Scenario 1: Running a script fails with "Permission denied". After checking with ls -l, add the execute bit using chmod +x install.sh and the script runs.

Scenario 2: Editing /etc/hosts requires root; prepend sudo to the editor command.

Scenario 3: Bulk set web directory permissions:

find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

Changing Ownership with chown and chgrp

Sometimes you need to change the file owner or group.

# Change file owner
sudo chown alice report.txt

# Change owner and group
sudo chown alice:developers project.txt

# Recursively change a directory
sudo chown -R www-data:www-data /var/www/html

# Change file group
sudo chgrp developers project.txt

# Recursively change group
sudo chgrp -R developers /opt/project

Typical use cases include web server directories (owner www-data or nginx), shared project folders, and data migration where ownership must be restored.

Special Permission Bits

SUID (Set User ID, value 4)

When set, the program runs with the file owner's privileges. Example: /usr/bin/passwd is owned by root and has the s bit, allowing ordinary users to modify /etc/shadow after authentication.

# Set SUID on a program
chmod 4755 /path/to/program
# or
chmod u+s /path/to/program

SGID (Set Group ID, value 2)

For directories, newly created files inherit the directory's group. Useful for shared team directories.

# Set SGID on a shared directory
chmod 2775 /shared/project
# or
chmod g+s /shared/project

Sticky Bit (value 1)

When set on a directory, only the file owner (or root) can delete or rename files inside. Commonly used on /tmp.

# Set sticky bit on /tmp
chmod 1777 /tmp
# or
chmod +t /tmp

Design Principles

Least‑privilege principle: grant only necessary rights; avoid 777.

Files 644, directories 755: safe default configuration.

Sensitive files 600: e.g., SSH keys, password files.

Shared directories with SGID: ensure group access for team members.
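A way to check a directory tree against these principles, written as an added example that is not part of the original article. The function names, labels, and the demo tree are constructed for illustration; the audit flags world-writable files, world-writable directories without the sticky bit, and SUID/SGID files.

```shell
# audit_modes DIR: report entries whose mode conflicts with the principles above.
# Hypothetical helper name and output labels.
audit_modes() {
    # Files writable by others (o+w, octal 0002), e.g. mode 666 or 777.
    find "$1" -type f -perm -0002 \
        -exec printf 'WORLD-WRITABLE-FILE %s\n' {} \;
    # World-writable directories that lack the sticky bit (1000):
    # any user can delete or rename other users' files in them.
    find "$1" -type d -perm -0002 ! -perm -1000 \
        -exec printf 'NO-STICKY-DIR %s\n' {} \;
    # Files that run with their owner's or group's privileges.
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'SETID-FILE %s\n' {} \;
}

# make_demo_tree: build a constructed sample tree and print its path.
make_demo_tree() (
    root=$(mktemp -d)
    mkdir "$root/uploads" "$root/scratch"
    : > "$root/index.html";  chmod 644  "$root/index.html"   # safe default
    : > "$root/config.conf"; chmod 666  "$root/config.conf"  # writable by everyone
    : > "$root/helper";      chmod 4755 "$root/helper"       # SUID set
    chmod 777  "$root/uploads"   # world-writable, no sticky bit
    chmod 1777 "$root/scratch"   # world-writable with sticky bit, like /tmp
    printf '%s\n' "$root"
)

demo=$(make_demo_tree)
audit_modes "$demo"
rm -rf "$demo"
```

The audit reports config.conf, uploads, and helper; index.html and the sticky scratch directory pass. Every SETID-FILE hit on a real system should be a program you can account for.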

FAQ

Why does sudo let me do anything?

sudo runs commands as the root user, which bypasses all file‑permission checks.

Is 777 safe?

No. It gives read, write, and execute rights to everyone and poses serious security risks. Use only for temporary testing.

What is the difference between file and directory permissions?

File permissions control reading, writing, and executing the file itself. Directory permissions control listing the directory's entries, creating and deleting files in it, and entering it.

How to view my current permissions?

whoami
groups
id

Next Topic Preview

Having mastered file permissions, the next article will dive into Linux user and group management, covering user creation, group handling, and configuring sudo privileges.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Ubuntu
