Linux File Permissions Explained: A Beginner's Guide to chmod
File permissions are one of the first things you encounter when working with Linux servers — and one of the most common sources of confusion. Whether you're deploying a web application, managing a VPS, or writing a shell script, understanding how Linux permissions work and how to use the chmod command is essential. This guide breaks it all down with clear explanations, practical examples, and a cheat sheet you can bookmark.
How Linux File Permissions Work
Every file and directory on a Linux system has three sets of permissions:
- Owner (u) — the user who created or owns the file.
- Group (g) — a defined group of users that share access to the file.
- Others (o) — everyone else on the system.
Each set can have three types of permission: Read (r), Write (w), and Execute (x). That gives us a 3×3 matrix of permissions — nine individual flags that control who can do what with the file.
What Read, Write, and Execute Mean
For files:
- Read (r) — view the file contents (cat, less, head)
- Write (w) — modify the file contents (edit, truncate, overwrite)
- Execute (x) — run the file as a program or script
For directories:
- Read (r) — list the directory contents (ls)
- Write (w) — create, delete, or rename files inside
- Execute (x) — enter the directory (cd) and access files inside
Reading Permission Strings
When you run ls -l, you see permission strings like -rwxr-xr-x. Here's how to read them:
```
-rwxr-xr-x
│└┬┘└┬┘└┬┘
│ │  │  │
│ │  │  └── Others: r-x (read + execute)
│ │  └───── Group:  r-x (read + execute)
│ └──────── Owner:  rwx (read + write + execute)
└────────── Type:   - (regular file)
                    d = directory
                    l = symbolic link
```
Each set of three characters represents one role. A letter means the permission is granted; a dash means it's denied. So rw- means read and write but not execute.
Numeric (Octal) Notation
Instead of letters, permissions can be expressed as a three-digit number where each digit is the sum of the permission values:
| Value | Permission |
|---|---|
| 4 | Read (r) |
| 2 | Write (w) |
| 1 | Execute (x) |
| 0 | None |
Add the values together for each role. For example:
- 7 = 4 + 2 + 1 = read + write + execute (rwx)
- 6 = 4 + 2 = read + write (rw-)
- 5 = 4 + 1 = read + execute (r-x)
- 4 = 4 = read only (r--)
- 0 = no permissions (---)
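The arithmetic above, as an added example that is not part of the original article: shell functions that turn an ls -l permission string into its octal mode and back. The function names are made up for this example, and only the nine r/w/x flags covered here are handled.

```bash
# Added example: convert between ls -l permission strings and octal modes.
# Only the nine r/w/x flags described above are handled; any other
# character makes the function return 1.

# triad_value "r-x" -> 5
triad_value() {
    local t="$1" v=0
    case $t in r??) v=$((v + 4)) ;; -??) ;; *) return 1 ;; esac
    case $t in ?w?) v=$((v + 2)) ;; ?-?) ;; *) return 1 ;; esac
    case $t in ??x) v=$((v + 1)) ;; ??-) ;; *) return 1 ;; esac
    printf '%s' "$v"
}

# sym_to_octal "-rwxr-xr-x" -> 755 (the leading type character is optional)
sym_to_octal() {
    local s="$1" out="" rest d
    if [ "${#s}" -eq 10 ]; then s=${s#?}; fi   # drop the type char (-, d, l)
    [ "${#s}" -eq 9 ] || return 1
    while [ -n "$s" ]; do
        rest=${s#???}                          # everything after this triad
        d=$(triad_value "${s%"$rest"}") || return 1
        out="$out$d"
        s=$rest
    done
    printf '%s\n' "$out"
}

# octal_to_sym 644 -> rw-r--r--
octal_to_sym() {
    local o="$1" out="" d
    case $o in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    while [ -n "$o" ]; do
        d=${o%"${o#?}"}                        # first remaining digit
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
        o=${o#?}
    done
    printf '%s\n' "$out"
}

sym_to_octal "-rwxr-xr-x"    # 755
octal_to_sym 600             # rw-------
```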
Common Permission Combinations
| Numeric | Symbolic | Description | Typical Use |
|---|---|---|---|
| 644 | rw-r--r-- | Owner read/write, others read | Regular files (HTML, CSS, images) |
| 755 | rwxr-xr-x | Owner full, others read/execute | Directories, scripts, executables |
| 600 | rw------- | Owner read/write only | SSH keys, credentials, .env files |
| 700 | rwx------ | Owner full access only | Private scripts, .ssh directory |
| 777 | rwxrwxrwx | Full access for everyone | Temporary debugging only (security risk) |
| 444 | r--r--r-- | Read-only for everyone | Immutable config files, public keys |
The chmod Command
The chmod (change mode) command sets file permissions. It can be used with either numeric or symbolic notation:
```bash
# Numeric notation
chmod 755 script.sh        # Owner: rwx, Group: r-x, Others: r-x
chmod 644 index.html       # Owner: rw-, Group: r--, Others: r--
chmod 600 .env             # Owner: rw-, Group: ---, Others: ---

# Symbolic notation
chmod u+x script.sh        # Add execute for owner
chmod g-w config.txt       # Remove write for group
chmod o+r readme.txt       # Add read for others
chmod a+r public.html      # Add read for all (a = all)
chmod u=rwx,go=rx dir/     # Set exact permissions

# Recursive (apply to directory and all contents)
chmod -R 755 /var/www/html/
```
Symbolic Notation Explained
Symbolic notation uses letters and operators:
- Who: u (owner), g (group), o (others), a (all)
- Operator: + (add), - (remove), = (set exactly)
- Permission: r (read), w (write), x (execute)
Real-World Scenarios
Setting Up a Web Server
```bash
# Web root directory
chmod 755 /var/www/html

# HTML, CSS, JS, images (readable by web server)
chmod 644 /var/www/html/*.html
chmod 644 /var/www/html/css/*.css
chmod 644 /var/www/html/js/*.js

# CGI scripts (need execute)
chmod 755 /var/www/cgi-bin/*.cgi

# Config files with passwords (owner only)
chmod 600 /var/www/.env
chmod 600 /var/www/config/database.yml
```
SSH Key Security
```bash
# SSH directory
chmod 700 ~/.ssh

# Private key (MUST be 600 or SSH refuses to use it)
chmod 600 ~/.ssh/id_rsa

# Public key
chmod 644 ~/.ssh/id_rsa.pub

# Authorized keys file
chmod 600 ~/.ssh/authorized_keys
```
Security Best Practices
- Never use 777 in production — it gives full access to every user on the system. If you need 777 to make something work, the real problem is file ownership or your application's user configuration.
- Credentials and private keys must be 600 — SSH will refuse to use a private key with permissions looser than 600.
- Use the principle of least privilege — give the minimum permissions needed. Start restrictive (644/755) and only add permissions if required.
- Be careful with recursive chmod — chmod -R 755 makes every file executable, which is rarely what you want. Use find to target files and directories separately.
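One way to apply the last point and check the others, as an added example that is not part of the original article: find sets directories and files separately, then an audit lists anything world-writable and any secret file that group or others can reach. The function names and the secret-file name patterns (id_*, .env) are assumptions for this example, and it needs GNU find.

```bash
# Added example, not from the original article.
# Requires GNU find (-perm /MODE and -printf).

# set_tree_perms DIR: 755 on directories, 644 on regular files, so files do
# not pick up the execute bit the way they do with `chmod -R 755`.
set_tree_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# lock_secrets DIR: private keys and .env files become owner-only (600).
# The name patterns are assumptions for this example; adjust to your layout.
lock_secrets() {
    find "$1" -type f \( -name 'id_*' ! -name '*.pub' -o -name '.env' \) \
        -exec chmod 600 {} +
}

# audit_perms DIR: print "<octal mode> <path>" for
#   - anything world-writable (the "others" write bit is set), and
#   - secret files that group or others can access at all.
# A world-writable secret is listed by both checks.
audit_perms() {
    find "$1" \( -type f -o -type d \) -perm -002 -printf '%m %p\n'
    find "$1" -type f \( -name 'id_*' ! -name '*.pub' -o -name '.env' \) \
        -perm /077 -printf '%m %p\n'
}

# Constructed sample tree, built in a temp directory and left at 777.
demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/html/css" "$root/keys"
    touch "$root/html/index.html" "$root/html/css/site.css" \
          "$root/keys/id_rsa" "$root/keys/id_rsa.pub" "$root/.env"
    chmod -R 777 "$root"
    echo "before:"; audit_perms "$root"
    set_tree_perms "$root"; lock_secrets "$root"
    echo "after:";  audit_perms "$root"     # prints nothing when clean
    rm -rf "$root"
}
demo
```

Run lock_secrets after set_tree_perms: the tree-wide pass resets every regular file to 644, including keys and .env files.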
Key Takeaways
- Linux permissions control read, write, and execute access for three roles: owner, group, and others.
- Numeric notation (644, 755) uses three digits where each is the sum of read (4) + write (2) + execute (1).
- 644 is the default for files, 755 for directories and scripts, 600 for sensitive files.
- Never use 777 in production. If something doesn't work, fix ownership first (chown), not permissions.
- The chmod command accepts both numeric and symbolic notation — numeric is faster, symbolic is more readable.