What Are File Permissions in Simple Terms
Every file on a Linux system has a lock with three sets of keys. The first set belongs to the owner — the user who created the file or was assigned ownership. The second set belongs to the group — a collection of users who share access. The third set is for everyone else on the system.
For each set of keys, there are three doors: read (look inside), write (change contents), and execute (run as a program). A permission is simply which doors which key set can open.
How It Works
Each file's permissions are stored in its inode as a 12-bit value. The low 9 bits are the basic permissions (3 per class: owner, group, other). The high 3 bits are the special bits (setuid, setgid, sticky).
Reading the full permission string:
```text
- r w x r - x r - -
| owner group other
|
+-- type: - file, d dir, l link

r (read)    = 4
w (write)   = 2
x (execute) = 1
- (none)    = 0

Owner: rwx = 7
Group: r-x = 5
Other: r-- = 4
Octal: 754
```

What each permission does by context:

For regular files:
- r = open and read the file contents
- w = modify or truncate the file contents
- x = execute as a program or script

For directories:
- r = list the directory contents (ls)
- w = create, rename, or delete files inside
- x = enter the directory (cd) and access files inside

Note: directory x (traverse) is required to access anything inside, even if you have r on the files.

chmod — changing permissions:

```bash
# Symbolic mode
chmod u+x script.sh           # add execute to owner
chmod go-w file.txt           # remove write from group and other
chmod a=r readme.txt          # set everyone to read only
chmod u+x,g=r,o= private.sh   # owner executes, group reads, other nothing

# Octal mode (faster once learned)
chmod 644 config.txt    # -rw-r--r--
chmod 755 script.sh     # -rwxr-xr-x
chmod 600 private.key   # -rw-------
chmod 700 ~/.ssh/       # drwx------

# Recursive (all files in directory)
chmod -R 644 /var/www/html/   # careful: 644 on directories strips their x (traverse) bit
chmod -R 755 /var/www/html/   # careful: 755 marks every file executable
# Better: set files 644 and dirs 755 separately
find /var/www/html/ -type f -exec chmod 644 {} \;
find /var/www/html/ -type d -exec chmod 755 {} \;
```

Special permission bits:

```bash
# Setuid: file runs as its owner, not the caller
ls -la /usr/bin/passwd
# -rwsr-xr-x 1 root root   -- the 's' in owner execute position = setuid
# passwd needs root to modify /etc/shadow, but any user runs it
chmod u+s filename    # or chmod 4755 filename

# Setgid on directory: new files inherit directory group
chmod g+s /shared/team-dir/
# All files created here get the directory's group automatically

# Sticky bit on directory: only file owner can delete their files
ls -la /tmp
# drwxrwxrwt   -- the 't' in other execute position = sticky
# You can write to /tmp but cannot delete others' files
chmod +t /shared/public/
```

Practical Commands

```bash
# View permissions
ls -la filename
stat filename

# Change permissions
chmod 644 file
chmod u+x script.sh
chmod -R 755 directory/

# Change owner
chown user file
chown user:group file
chown -R user:group directory/

# Check umask (default permission mask)
umask

# Find files with specific permissions
find / -perm -002 -type f 2>/dev/null    # world-writable files (other has w; -perm 777 would only match exactly rwxrwxrwx)
find / -perm -4000 -type f 2>/dev/null   # setuid binaries
find / -perm -2000 -type f 2>/dev/null   # setgid binaries
```

Troubleshooting

| Symptom | Command | What to Look For |
|---|---|---|
| Permission denied reading file | `ls -la filename` | Does user have r bit? |
| Cannot execute script | `ls -la script.sh` | Does user have x bit? |
| SSH key rejected | `ls -la ~/.ssh/` | Key file should be 600, dir 700 |
| Web server 403 Forbidden | `ls -la /var/www/html/` | www-data needs r and x on path |
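The octal/symbolic mapping from the permission-string diagram under How It Works, including how the special bits overlay the execute slots, is easy to get wrong when reading `ls -l` or `stat` output by eye. The following shell functions, added here as an illustration and not part of the original article, convert a mode in either direction. They assume POSIX sh plus `cut` and `tr`; the function names are made up for this example.

```bash
#!/bin/sh
# Added example: translate between the octal mode stat -c %a prints and the
# 9-character string ls shows. Handles setuid/setgid/sticky: the bit shows as
# s/t when the execute bit is also set and as S/T when it is not.

# triad <octal digit> <special bit set: 0|1> <letter s|t>  ->  e.g. "rws"
triad() {
    d=$1; sp=$2; letter=$3
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    if [ "$sp" -eq 1 ]; then
        # the special bit overlays the x slot: lowercase if x is set, uppercase if not
        if [ "$x" = x ]; then x=$letter
        else x=$(printf '%s' "$letter" | tr a-z A-Z); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic 4755  ->  rwsr-xr-x
mode_to_symbolic() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done    # pad to 4 digits: special,owner,group,other
    sp=${m%???}                              # special digit: 4=setuid 2=setgid 1=sticky
    o=${m#?};  o=${o%??}                     # owner digit
    g=${m#??}; g=${g%?}                      # group digit
    ot=${m#???}                              # other digit
    printf '%s%s%s\n' \
        "$(triad "$o"  $(( (sp & 4) != 0 )) s)" \
        "$(triad "$g"  $(( (sp & 2) != 0 )) s)" \
        "$(triad "$ot" $(( (sp & 1) != 0 )) t)"
}

# symbolic_to_octal rwsr-xr-x  ->  4755   (a leading type char, as in drwxr-xr-x, is ignored)
symbolic_to_octal() {
    s=$1
    case ${#s} in 10) s=${s#?} ;; esac       # drop the file-type column from ls -l output
    sp=0; digits=""; i=1
    for weight in 4 2 1; do                  # owner->setuid(4), group->setgid(2), other->sticky(1)
        t=$(printf '%s' "$s" | cut -c "$i-$((i + 2))")
        v=0
        case $t in r??) v=$((v + 4)) ;; esac
        case $t in ?w?) v=$((v + 2)) ;; esac
        case $t in ??[xst]) v=$((v + 1)) ;; esac        # lowercase s/t means x is set too
        case $t in ??[sStT]) sp=$((sp + weight)) ;; esac
        digits=$digits$v
        i=$((i + 3))
    done
    [ "$sp" -eq 0 ] && sp=""                 # print 754 rather than 0754, like stat -c %a
    printf '%s%s\n' "$sp" "$digits"
}

# Demo when run directly
mode_to_symbolic 4755          # rwsr-xr-x
mode_to_symbolic 4644          # rwSr--r-- : setuid without execute, which never runs as root
symbolic_to_octal rwxr-xr--    # 754
```

The `S`/`T` forms are worth recognising during an audit: a setuid bit on a file with no execute bit is usually a mistake from `chmod 4644`, and it grants nothing, because the kernel only honours setuid when the program is actually executed.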
**Tip:** When you get a permission denied error, check every directory in the path, not just the file. If any directory in `/var/www/html/app/index.html` is missing the execute bit for the web server user, the request fails even if the file itself has correct permissions.
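A small helper for that check, added here as an example (not code from the original article): it walks from the file's parent directory up to a chosen top directory and reports every directory whose "other" class is missing the traverse bit. It assumes GNU coreutils (`stat -c`) on Linux; `check_traverse` is a name made up for this example.

```bash
#!/bin/sh
# Added example: find the directory in a path that blocks traversal.
# Usage: check_traverse /var/www/html/app/index.html [/var/www]
# The optional second argument is the last directory to check (default: /).
# Exit status = number of directories lacking x for "other"; 255 on stat failure.
check_traverse() {
    target=$1
    top=${2:-/}
    dir=$(dirname -- "$target")
    missing=0
    while :; do
        mode=$(stat -c '%a' -- "$dir") || return 255
        other=${mode#"${mode%?}"}       # last octal digit = the "other" class
        case $other in
            1|3|5|7) ;;                 # odd digit: x (traverse) bit is set
            *) echo "no traverse (x) for other: $dir (mode $mode)"
               missing=$((missing + 1)) ;;
        esac
        [ "$dir" = "$top" ] && break
        [ "$dir" = / ] && break         # reached the root without meeting <top>
        dir=$(dirname -- "$dir")
    done
    return $missing
}

# Demo: build a constructed tree with one closed directory and check both paths
demo_root=$(mktemp -d)
chmod 755 "$demo_root"
mkdir "$demo_root/open" "$demo_root/closed"
chmod 755 "$demo_root/open"
chmod 750 "$demo_root/closed"            # group can enter, "other" cannot
touch "$demo_root/open/index.html" "$demo_root/closed/index.html"
check_traverse "$demo_root/open/index.html" "$demo_root"   || echo "open path blocked?!"
check_traverse "$demo_root/closed/index.html" "$demo_root" || echo "blocked by $? directory(ies)"
rm -rf "$demo_root"
```

The function looks at the "other" class only, which is what applies to a service account such as www-data when it neither owns the directory nor belongs to its group. For a per-user view of the same walk, `namei -l /var/www/html/app/index.html` (util-linux) prints the owner, group and mode of every component in one listing.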
**Security:** Audit setuid and setgid files regularly on production servers. They run with elevated privileges regardless of who calls them. An unexpected setuid binary is a major security red flag: `find / -perm -4000 -type f 2>/dev/null`.
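Running that `find` by hand tells you what is there, not what is new. The function below, added as an example and not part of the original article, turns the audit into a baseline comparison: it lists setuid and setgid regular files under a tree and prints any path not listed in a baseline file (one expected path per line). It assumes GNU find and coreutils `stat`; `audit_special_bits` and the baseline file name are made up for this example.

```bash
#!/bin/sh
# Added example: report setuid/setgid files that are not in a known-good baseline.
# Usage: audit_special_bits /usr/bin /etc/setuid-baseline.txt
# Exit status 0 when everything found is in the baseline, 1 otherwise.
audit_special_bits() {
    root=$1
    baseline=$2
    # -perm -4000 / -2000: files with the setuid / setgid bit set
    found=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort)
    [ -n "$found" ] || return 0
    # grep -vxF -f: drop every line that exactly matches a baseline entry
    unexpected=$(printf '%s\n' "$found" | grep -vxF -f "$baseline" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected" | while IFS= read -r f; do
        printf 'UNEXPECTED: %s (%s)\n' "$f" "$(stat -c '%A %U:%G' -- "$f")"
    done
    return 1
}

# Demo on a constructed tree: one expected setuid file, one that is not in the baseline
demo=$(mktemp -d)
mkdir "$demo/bin"
touch "$demo/bin/expected-tool" "$demo/bin/surprise"
chmod 4755 "$demo/bin/expected-tool" "$demo/bin/surprise"
printf '%s\n' "$demo/bin/expected-tool" > "$demo/baseline.txt"
audit_special_bits "$demo/bin" "$demo/baseline.txt" || echo "audit flagged unexpected files"
rm -rf "$demo"
```

Keep the baseline under version control or on a separate host: if it lives writable on the audited machine, anyone who can add a setuid file can also add it to the baseline. A scheduled run of this function with its output mailed or shipped to a log collector is the usual way to make "audit regularly" actually happen.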