Linux File Permissions
Master Unix/Linux permissions, ACLs, and access control security
Understanding Linux Permissions
Permission Model
Linux uses a discretionary access control (DAC) model: the file's owner decides who may access it. Three permission bits exist, and each is granted separately to the owner, the owning group, and everyone else:
| Permission | Octal Value | Description |
|---|---|---|
| Read | 4 | View file contents, list directory contents |
| Write | 2 | Modify file data, add or remove entries in a directory |
| Execute | 1 | Run a file as a program, enter and traverse a directory |
Permission Entities
| Entity | Symbol | Description | Example Command |
|---|---|---|---|
| Owner (User) | u | The file owner | chmod u+w file |
| Group | g | Group members | chmod g-x file |
| Others | o | Everyone else | chmod o+r file |
| All | a | All three entities | chmod a+x file |
Reading Permission Output
-rw-r--r-- 1 user group 1024 Dec 1 10:00 file.txt
- - : File type (- = file, d = directory, l = link)
- rw- : Owner permissions (read, write, no execute)
- r-- : Group permissions (read only)
- r-- : Others permissions (read only)
Tip: execute (x) on a directory means "allowed to enter it and reach the entries inside by name." Read (r) on a directory only lets you list the names. To list a directory and then open the files in it you need both r and x; with x alone you can still open a file whose name you already know, which is exactly what an upload dropbox relies on.
Directory vs. File Permissions
$ ls -ld projects scripts.sh
drwxr-x--- 2 alice devs 4096 Jan 10 09:00 projects
-rwxr-xr-- 1 alice devs 512 Jan 10 09:00 scripts.sh
projects is a directory: alice has full access, members of devs can enter and list it, and everyone else is denied. scripts.sh is a file: the owner can read, write, and run it, group members can read and run it, and others can only read it.
Common Scenarios
| Use Case | Example Path | Permissions | Meaning |
|---|---|---|---|
| Team project config file | /srv/app/config.yaml | 640 | Owner can change it, group can read, everyone else blocked. |
| Private notes directory | ~/notes | 700 | Only you can open the directory or list files. |
| Shared scripts folder | /opt/tools | 755 | Everyone can enter the directory, list it, and run the scripts inside (each script still needs its own execute bit); only the owner can add, rename, or remove files. |
| Upload dropbox | /srv/uploads | 733 | Owner has full control; others can enter and create files but cannot list what is there. Because write on the directory also allows deleting and renaming entries, add the sticky bit (1733) so uploaders cannot remove each other's files. |
Practice: Decode the Permissions
Review each string and decide who can read, write, or execute. Think about files versus directories and how the bits combine.
| Permission String | Interpretation Prompt |
|---|---|
| -rw-r----- | Who can modify this file? What does the group have? |
| drwxr-x--- | Can non-team members enter this directory? |
| -rwxr-xr-- | Is this safe to run as a shared script? |
Common Permissions
| Octal | Symbolic | Use Case |
|---|---|---|
| 755 | rwxr-xr-x | Executable files, directories |
| 750 | rwxr-x--- | Team scripts, private services |
| 644 | rw-r--r-- | Regular files |
| 640 | rw-r----- | Configs readable by group |
| 600 | rw------- | Private files (SSH keys) |
| 700 | rwx------ | Private directories |
| 664 | rw-rw-r-- | Group-editable files |
| 777 | rwxrwxrwx | Avoid! Security risk |
| 2775 | rwxrwsr-x | Shared project directories (SGID) |
| 1777 | rwxrwxrwt | Temp directories (sticky bit) |
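To make the practice exercise and the table above mechanical, here is an added example (written for this page, not a tool from any distribution) that converts an ls -l permission string into its octal mode, including the setuid, setgid and sticky letters, and then flags the modes the table warns about. The flag names and the sample strings at the bottom are constructed for the demo; it goes slightly beyond the table by handling the uppercase S and T letters (special bit set without execute) and the trailing + or . that ls prints when ACLs or a security context are present.

```shell
#!/bin/sh
# Added example for this page: decode ls -l permission strings and flag risky modes.

# sym_to_octal STRING -> octal mode, e.g. '-rwsr-xr-x' -> 4755, 'rw-r-----' -> 640.
# Accepts the 9-char triple form, the 10-char ls form with a leading type
# character, or the 11-char form ending in '+' (ACL) or '.' (security context).
sym_to_octal() {
  s=$1
  case ${#s} in
    9) ;;
    10|11) s=${s#?}; s=$(printf '%.9s' "$s") ;;   # drop type char and any suffix
    *) printf 'bad permission string: %s\n' "$1" >&2; return 1 ;;
  esac
  special=0; digits=""; i=0
  while [ "$i" -lt 3 ]; do                         # i=0 owner, i=1 group, i=2 others
    triple=$(printf '%s' "$s" | cut -c"$((i*3+1))-$((i*3+3))")
    v=0
    case $triple in r??) v=$((v+4)) ;; esac
    case $triple in ?w?) v=$((v+2)) ;; esac
    case $triple in ??[xst]) v=$((v+1)) ;; esac    # lowercase s/t mean execute is set too
    case $triple in
      ??[sS]) if [ "$i" -eq 0 ]; then special=$((special+4)); else special=$((special+2)); fi ;;
      ??[tT]) special=$((special+1)) ;;
    esac
    digits="$digits$v"
    i=$((i+1))
  done
  if [ "$special" -eq 0 ]; then printf '%s\n' "$digits"; else printf '%s%s\n' "$special" "$digits"; fi
}

# risk_of MODE [f|d] -> space-separated flags, or "ok". Encodes the rules from
# the tables: world-writable is always a finding; a world-writable directory
# without the sticky bit lets anyone delete or rename other users' entries;
# setuid/setgid deserve review. Flag names are this example's own.
risk_of() {
  mode=$1; kind=${2:-f}
  case ${#mode} in
    3) special=0; perm=$mode ;;
    4) special=${mode%???}; perm=${mode#?} ;;
    *) printf 'bad mode: %s\n' "$mode" >&2; return 1 ;;
  esac
  others=${perm#??}                                # last digit: everyone else
  flags=""
  if [ $((others & 2)) -ne 0 ]; then
    flags="${flags:+$flags }world-writable"
    if [ "$kind" = d ] && [ $((special & 1)) -eq 0 ]; then
      flags="$flags no-sticky-bit"
    fi
  fi
  if [ $((special & 4)) -ne 0 ]; then flags="${flags:+$flags }setuid"; fi
  if [ $((special & 2)) -ne 0 ]; then flags="${flags:+$flags }setgid"; fi
  printf '%s\n' "${flags:-ok}"
}

# Constructed sample strings: the three from the practice table plus a few from
# the common-permissions table and a world-writable file for contrast.
for s in '-rw-r-----' 'drwxr-x---' '-rwxr-xr--' '-rwsr-xr-x' 'drwxrwsr-x' 'drwxrwxrwt' '-rw-rw-rw-'; do
  kind=f; case $s in d*) kind=d ;; esac
  mode=$(sym_to_octal "$s")
  printf '%-11s %-5s %s\n' "$s" "$mode" "$(risk_of "$mode" "$kind")"
done
```

Pass a directory's type as the second argument of risk_of: the same 777 is "world-writable" on a file but "world-writable no-sticky-bit" on a directory, which is why 1777 is acceptable for /tmp while 777 is not.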
⚠️ Security Tips
- Never use 777. If several users must write to one directory, put them in a group and use 2775, or use 1777 so the sticky bit stops them from deleting each other's files.
- SSH private keys must be 600 and ~/.ssh must be 700. The ssh client refuses a private key that other users can read, and sshd (with StrictModes, the default) ignores authorized_keys when the home directory, ~/.ssh, or the file itself is group- or world-writable.
- Home directories: 700 or 750.
- Web content: readable by the web server account but not writable by it, so a compromised server process cannot modify the code it serves; only the deploy user should own and write those files.
- Review SUID/SGID executables regularly. Each one runs with its owner's or group's privileges no matter who invokes it, so an unexpected or stale one is a ready-made privilege escalation path.
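The checks behind these tips, as an added example written for this page (not a tool shipped with any distribution): it builds a constructed scratch tree containing the problems listed above, then audits it with find and stat. The paths inside that tree (usr/bin/passwd, srv/www/index.html, home/alice/.ssh) are placeholders created empty for the demo, not the real system files; the comments show the equivalent commands to run against a live host.

```shell
#!/bin/sh
# Added example for this page: audit a tree for the findings the tips warn about.
set -u

# Build a scratch tree with the problems the tips describe and print its root.
# Every mode is set explicitly so the result does not depend on the umask.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/home/alice/.ssh" "$root/srv/www" "$root/usr/bin" "$root/tmp" "$root/tmp_ok"
  chmod 755 "$root/home" "$root/srv" "$root/srv/www" "$root/usr" "$root/usr/bin"
  : > "$root/home/alice/.ssh/id_ed25519"; chmod 644 "$root/home/alice/.ssh/id_ed25519"  # too open
  : > "$root/home/alice/.ssh/id_rsa";     chmod 600 "$root/home/alice/.ssh/id_rsa"      # correct
  : > "$root/home/alice/.ssh/id_rsa.pub"; chmod 644 "$root/home/alice/.ssh/id_rsa.pub"  # public key, fine
  : > "$root/usr/bin/passwd";             chmod 4755 "$root/usr/bin/passwd"             # SUID placeholder
  : > "$root/usr/bin/ls";                 chmod 755 "$root/usr/bin/ls"                  # normal binary
  : > "$root/srv/www/index.html";         chmod 666 "$root/srv/www/index.html"          # world-writable web file
  chmod 700 "$root/home/alice" "$root/home/alice/.ssh"
  chmod 777 "$root/tmp"      # world-writable without the sticky bit: a finding
  chmod 1777 "$root/tmp_ok"  # world-writable with the sticky bit: acceptable
  printf '%s\n' "$root"
}

# Files with SUID or SGID set, printed relative to the root.
# On a live host: find / -xdev -type f \( -perm -4000 -o -perm -2000 \)
find_special_bits() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed "s#^$1/##" | sort
}

# World-writable files, plus world-writable directories that lack the sticky bit.
# Symlinks are skipped: their own mode is always 777 and is never consulted.
# On a live host: find / -xdev ! -type l -perm -0002 ...
find_world_writable() {
  find "$1" ! -type l \( \( -type f -perm -0002 \) -o \( -type d -perm -0002 ! -perm -1000 \) \) \
    | sed "s#^$1/##" | sort
}

# Private SSH keys (id_* without a .pub suffix) whose mode is not 600, as "path mode".
weak_ssh_keys() {
  home=$1
  for key in "$home"/.ssh/id_*; do
    case $key in *.pub) continue ;; esac
    [ -f "$key" ] || continue
    mode=$(stat -c '%a' "$key")
    if [ "$mode" != 600 ]; then
      printf '%s %s\n' "${key#"$home"/}" "$mode"
    fi
  done
}

main() {
  root=$(make_sample_tree)
  echo "== SUID/SGID files";            find_special_bits "$root"
  echo "== world-writable (no sticky)"; find_world_writable "$root"
  echo "== weak SSH keys";              weak_ssh_keys "$root/home/alice"
  rm -rf "$root"
}
main
```

Run the same find expressions against / with -xdev on a real host and diff the output against a known-good baseline; a SUID binary that was not there last week is the kind of change these reviews exist to catch.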