File Permissions

chmod demystified: who can read, write, and execute files, how permission numbers work, reading ls -l output, SSH key requirements, and advanced SUID/SGID/Sticky bits.

What is chmod?

chmod stands for Change Mode. It controls who can do what with a file or folder on Linux. Every file has permissions that determine whether the owner, the group, or everyone else can read it, write to it, or execute it.

The Three Types of People

Every file in Linux has permissions for three categories of people:

Owner

The person who created the file. Has the most control over it. Usually you.

Group

A collection of users who share access. Files can belong to a group like 'developers' or 'admins'.

Others

Everyone else on the system: people who are neither the owner nor in the group.

Think of it this way...

Think of a document at work. The Owner is the person who wrote it: they can edit, share, or delete it. The Group is the team (like "Marketing") who can read it but not edit it. Others are everyone else in the company; maybe they can't see it at all.

Key Takeaway

chmod controls file permissions for three categories: Owner (the creator), Group (a shared team), and Others (everyone else). Each gets their own set of permissions independently. A file can be wide open for the owner but locked for everyone else.

The Three Permissions

For each of the three types of people (owner, group, others), there are exactly three possible permissions: read, write, and execute. Each can be independently turned on or off.

r: Read (value = 4)

For a File: Open and view the file contents
For a Directory: List what's inside the directory (ls)

w: Write (value = 2)

For a File: Modify, edit, or delete the file
For a Directory: Create, delete, or rename files inside

x: Execute (value = 1)

For a File: Run it as a program or script
For a Directory: Enter the directory (cd)

The Number System

Each permission has a numeric value. You add them together to get the permission number for each person:

Permission | Value | Means
r | 4 | Can read the file
w | 2 | Can write/modify the file
x | 1 | Can execute the file
rw | 4+2 = 6 | Read and write
rx | 4+1 = 5 | Read and execute
rwx | 4+2+1 = 7 | Full access (read, write, execute)
- | 0 | No access at all

Key Takeaway

r=4, w=2, x=1. Add them to get permission numbers. 7 = full access (4+2+1). 6 = read+write. 5 = read+execute. 4 = read only. 0 = no access. These three digits (one per person type) make up every chmod command.

Reading chmod Numbers

Now that you know the permission values, reading any chmod command becomes straightforward. Every chmod command has 3 digits: one for owner, one for group, one for others.

chmod 754: A Full Example

Digit | Permissions | Applies to
7 | rwx (full access) | Owner
5 | r-x (read & execute) | Group
4 | r-- (read only) | Others

Common chmod Numbers Decoded

chmod 777

Owner: rwx
Group: rwx
Others: rwx

Everyone has full access. Rarely needed. Usually a security risk.

chmod 755

Owner: rwx
Group: r-x
Others: r-x

Owner has full access. Others can read and execute. Common for public scripts.

chmod 700

Owner: rwx
Group: ---
Others: ---

Owner only. Nobody else can even see the contents. Used for private folders like ~/.ssh/

chmod 644

Owner: rw-
Group: r--
Others: r--

Owner can read+write. Everyone else can only read. Common for config files.

chmod 600

Owner: rw-
Group: ---
Others: ---

Owner can read+write. Nobody else has any access. Required for SSH private keys.

Think of it this way...

chmod 700 = Locked in YOUR personal drawer. Only you can see it.
chmod 755 = Pinned on the notice board. Everyone can READ it, but only you can EDIT it.
chmod 777 = Anybody can read it, edit it, and do whatever they want. (Not safe!)
chmod 600 = In your personal folder. Only you can read and edit. Nobody else even knows it exists.

Key Takeaway

chmod 3-digit format: digit 1 = owner, digit 2 = group, digit 3 = others. Each digit is the sum of r(4) + w(2) + x(1). 7 = full, 5 = read+execute, 4 = read only, 0 = no access. Most files are 644 (owner rw, others r). Most scripts are 755 (owner rwx, others rx). Private keys are 600.

Reading Permission Strings

When you run ls -l, you see permission strings like -rwxr-xr--. At first they look cryptic, but they follow a simple pattern you can decode in seconds once you know the structure.

The Permission String Structure

-rwxr-xr-- 1 charith charith 1024 Feb 18 10:30 notes.txt

Characters | Field | Meaning
- | Type | '-' = regular file, 'd' = directory
rwx | Owner | r=read, w=write, x=execute; 7 = full access
r-x | Group | r=read, -=no write, x=execute; 5 = read+execute
r-- | Others | r=read, -=no write, -=no execute; 4 = read only

The First Character: File or Directory?

First character meaning

First Character | Meaning
d | Directory (folder), e.g. drwxr-xr-x
- | Regular file, e.g. -rwxr-xr--

Did You Know?

The very first character tells you immediately whether something is a file or folder: d means directory, - means regular file. Simple!

Key Takeaway

Permission strings have 10 characters: 1 type character + 3 owner + 3 group + 3 others. d = directory, - = regular file. Each group of 3 shows r (read), w (write), x (execute), or - (no permission). Read them left to right: type, owner, group, others.
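
To practise going from an ls -l string back to chmod digits, here is an added example (not part of the original page; the function name perm_to_octal is made up). It goes slightly beyond the plain rwx case: ls shows the special bits covered later on this page as s/S in the owner or group execute slot and t/T in the others execute slot, and the function turns those into the 4th digit.

```shell
#!/bin/sh
# perm_to_octal STRING: turn a 10-character ls -l permission string into the
# digits you would pass to chmod. Added example; the function name is made up.
perm_to_octal() {
    str=$1
    if [ "${#str}" -ne 10 ]; then
        echo "expected 10 characters, got: $str" >&2
        return 1
    fi
    special=0      # 4th (leading) digit: SUID=4, SGID=2, sticky=1
    digits=""
    start=2        # cut counts from 1; character 1 is the type (d or -)
    # One pass per triplet: owner, group, others. The loop value is the weight
    # of the special bit that can appear in that triplet's execute slot.
    for weight in 4 2 1; do
        r=$(printf '%s' "$str" | cut -c"$start")
        w=$(printf '%s' "$str" | cut -c"$((start + 1))")
        x=$(printf '%s' "$str" | cut -c"$((start + 2))")
        d=0
        case $r in r) d=$((d + 4)) ;; -) ;; *) return 1 ;; esac
        case $w in w) d=$((d + 2)) ;; -) ;; *) return 1 ;; esac
        case "$weight$x" in
            ?x) d=$((d + 1)) ;;
            4s|2s|1t) d=$((d + 1)); special=$((special + weight)) ;;  # bit set, execute on
            4S|2S|1T) special=$((special + weight)) ;;                # bit set, execute off
            ?-) ;;
            *) return 1 ;;
        esac
        digits="$digits$d"
        start=$((start + 3))
    done
    [ "$special" -eq 0 ] || digits="$special$digits"
    printf '%s\n' "$digits"
}

# Strings taken from this page, plus constructed ones showing the special bits.
for s in '-rwxr-xr--' 'drwx------' '-rwsr-xr-x' 'drwxrwsr-x' 'drwxrwxrwt'; do
    printf '%s -> chmod %s\n' "$s" "$(perm_to_octal "$s")"
done
```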

Common Examples & Real-World Use

Let's connect everything to real situations you'll encounter. These are the most common permission patterns and exactly when and why you'd use each one.

Your personal SSH private key

chmod 600 (-rw-------)

ONLY you can read and write. No group, no others. If anyone else can read your private key, SSH refuses to use it: it's compromised.

A shell script you want to run

chmod 755 (-rwxr-xr-x)

You have full control (edit + run). Others can run it but not modify it. Standard for publicly available programs.

A website config file

chmod 644 (-rw-r--r--)

You can edit it. Web server process (different user) can read it. Nobody else can write to it. Standard for non-executable files.

Your ~/.ssh/ directory

chmod 700 (drwx------)

Only you can see what's inside. No group, no others. SSH requires this; it won't work if others can list your .ssh folder.

A shared team folder

chmod 775 (drwxrwxr-x)

You and your group can do everything (create, delete, edit). Others can only read. Good for collaborative team directories.

Key Takeaway

The most important chmod values to memorize: 600 for private files (SSH keys), 700 for private directories (.ssh/), 644 for config files, 755 for scripts and programs. These cover 90% of real-world situations.

SSH & Permissions

SSH has the strictest permission requirements of any common tool. It will flat-out refuse to work if your key files have incorrect permissions. This is intentional, and it makes you safer.

Warning

If you get "Permissions are too open" or "WARNING: UNPROTECTED PRIVATE KEY FILE!", SSH is rejecting your key because the file permissions are wrong. Fix them by applying the permissions listed below. This is the most common SSH error beginners hit.

Required SSH Permissions

SSH file permission requirements

File/Folder | Required Permission | Why
~/.ssh/ directory | 700 (drwx------) | Only you can list what's inside; prevents others seeing your keys
~/.ssh/id_rsa (private key) | 600 (-rw-------) | Only you can read; if others can read it, it's compromised
~/.ssh/id_rsa.pub (public key) | 644 (-rw-r--r--) | Public key is meant to be shared, so others can read it
~/.ssh/authorized_keys | 600 (-rw-------) | SSH server rejects it if group or others can write to it
~/.ssh/config | 600 (-rw-------) | Config file with connection settings; keep it private

Key Takeaway

SSH requires: ~/.ssh/ = 700, private key = 600, public key = 644, authorized_keys = 600. If you get SSH permission errors, these are the first thing to check and fix. SSH refuses loose permissions as a security feature: it's protecting your access.
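
One way to check a directory against the requirements table and then fix it, as an added example (not from the original page). The function names audit_ssh_dir and fix_ssh_dir are made up, the script assumes GNU stat, and it runs against a constructed throwaway directory rather than your real ~/.ssh.

```shell
#!/bin/sh
# Added example: audit_ssh_dir / fix_ssh_dir are illustrative names.
# Assumes GNU stat (stat -c '%a' prints the mode as octal digits).

# check_mode PATH ALLOWED: print a finding if PATH has any rwx bit that is
# not part of ALLOWED (both octal). Missing files are skipped.
check_mode() {
    [ -e "$1" ] || return 0
    mode=$(stat -c '%a' "$1")
    extra=$(( 0$mode & ~0$2 & 0777 ))
    [ "$extra" -eq 0 ] || printf 'TOO OPEN: %s is %s, table says %s\n' "$1" "$mode" "$2"
}

# The five rows of the requirements table, applied to the directory in $1.
audit_ssh_dir() {
    check_mode "$1" 700
    check_mode "$1/id_rsa" 600
    check_mode "$1/id_rsa.pub" 644
    check_mode "$1/authorized_keys" 600
    check_mode "$1/config" 600
}

# Set every path that exists to exactly the mode from the table.
fix_ssh_dir() {
    chmod 700 "$1"
    for f in id_rsa authorized_keys config; do
        if [ -e "$1/$f" ]; then chmod 600 "$1/$f"; fi
    done
    if [ -e "$1/id_rsa.pub" ]; then chmod 644 "$1/id_rsa.pub"; fi
}

# Constructed demo: a throwaway directory with deliberately loose modes,
# so nothing in your real ~/.ssh is touched.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/id_rsa"; : > "$demo/.ssh/id_rsa.pub"; : > "$demo/.ssh/authorized_keys"
chmod 755 "$demo/.ssh"
chmod 644 "$demo/.ssh/id_rsa" "$demo/.ssh/id_rsa.pub"
chmod 664 "$demo/.ssh/authorized_keys"

echo "before:"; audit_ssh_dir "$demo/.ssh"
fix_ssh_dir "$demo/.ssh"
echo "after:";  audit_ssh_dir "$demo/.ssh"   # prints nothing when all modes match
rm -rf "$demo"
```

To use it on a real account, call audit_ssh_dir "$HOME/.ssh" first and read the findings before running fix_ssh_dir.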

Special Permission Bits

Beyond the standard 3 digits, chmod can take a 4th digit at the front for three special permission bits: SUID, SGID, and the Sticky Bit. These are advanced but important, and you'll see them on real systems.

SUID: Set User ID

4th digit = 4, e.g. chmod 4755

What it does: When you run this file, it runs as the file's OWNER, not as you.

Real example: The passwd command lets regular users change their own password. But passwords are stored in /etc/shadow, which only root can edit. passwd has SUID set, so when you run it, it temporarily runs as root to edit the shadow file.

Analogy: You're an employee, but you have a special key card that temporarily gives you manager-level access for one specific task only.

SGID: Set Group ID

4th digit = 2, e.g. chmod 2775

What it does: New files created inside this folder automatically inherit the folder's group instead of the creator's group.

Real example: A shared team project folder with SGID set: when any developer creates a file inside it, it gets tagged with the 'developers' group automatically, even if that developer normally belongs to a different group.

Analogy: In a shared team folder, anything you put inside automatically gets tagged with the team name, not your personal name.

Sticky Bit

4th digit = 1, e.g. chmod 1777

What it does: In a shared folder, you can only delete YOUR OWN files, not other people's.

Real example: /tmp is a folder where ALL users can create temporary files. Without sticky bit, anyone could delete anyone else's files. With chmod 1777 (sticky), you can only delete files you own.

Analogy: A community fridge at work. Everyone can put their lunch in it, but you can only throw away your own food, not someone else's.

Quick Summary

4th Digit Special Bits

4th Digit | Name | What It Does
4 | SUID | File runs as the owner (not you); chmod 4755
2 | SGID | New files in folder inherit the folder's group; chmod 2775
1 | Sticky Bit | You can only delete your own files in shared folder; chmod 1777

Key Takeaway

Special bits (4th digit): SUID(4) makes files run as their owner, used for commands like passwd that need temporary root access. SGID(2) auto-tags new files with the folder's group, great for team projects. Sticky Bit(1) protects shared folders so users can only delete their own files, used on /tmp.
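
Because these bits change who a program runs as and who can delete what, it is worth knowing where they are set. The following added example (not from the original page; audit_special_bits and make_demo_tree are made-up names) lists every entry under a directory that carries a special bit, and flags directories everyone can write to that lack the sticky bit. It scans a constructed throwaway tree.

```shell
#!/bin/sh
# Added example: audit_special_bits is an illustrative name, and the tree it
# scans below is constructed in a throwaway directory.

# Print one line per entry under DIR ($1) that carries a special bit, and flag
# directories that everyone can write to but that lack the sticky bit.
audit_special_bits() {
    # -perm -MODE matches when all bits of MODE are set (octal, POSIX find).
    find "$1" -type f -perm -4000 | sed 's/^/SUID /'
    find "$1" -perm -2000 | sed 's/^/SGID /'
    find "$1" -type d -perm -1000 | sed 's/^/STICKY /'
    find "$1" -type d -perm -0002 ! -perm -1000 | sed 's/^/OPEN-NO-STICKY /'
}

# Build a small tree that mirrors the three chmod examples in the table,
# plus one chmod 777 directory to show what the last check catches.
make_demo_tree() {
    root=$(mktemp -d)
    : > "$root/runs-as-owner"
    chmod 4755 "$root/runs-as-owner"
    mkdir "$root/team" "$root/scratch" "$root/wide-open"
    chmod 2775 "$root/team"
    chmod 1777 "$root/scratch"
    chmod 777 "$root/wide-open"
    printf '%s\n' "$root"
}

tree=$(make_demo_tree)
audit_special_bits "$tree"
rm -rf "$tree"
```

An unexpected SUID line or an OPEN-NO-STICKY directory in the output is the thing to investigate; the /tmp-style directory shows up only as STICKY.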

Permissions Flashcards

What does chmod do?

chmod (Change Mode) controls who can read, write, and execute a file or folder on Linux. It uses 3 digits representing owner, group, and others.

What are the 3 permission values?

Read = 4, Write = 2, Execute = 1. Add them to combine: 6 = read+write, 5 = read+execute, 7 = read+write+execute (full access).

What does chmod 755 mean?

Owner: 7 (rwx = full access). Group: 5 (r-x = read+execute). Others: 5 (r-x = read+execute). Common for public scripts and programs.

What does chmod 600 mean?

Owner: 6 (rw- = read+write). Group: 0 (no access). Others: 0 (no access). Used for private files like SSH keys.

What does chmod 700 mean?

Owner: 7 (rwx = full access). Group: 0 (no access). Others: 0 (no access). Used for private folders like ~/.ssh/

What does the first character in a permission string mean?

The file type. '-' = regular file, 'd' = directory (folder). Example: 'drwxr-xr-x' starts with 'd' so it's a directory. '-rwxr-xr--' starts with '-' so it's a regular file.

What are the required SSH key permissions?

~/.ssh/ directory: 700 (owner only). Private key (id_rsa): 600 (owner read+write only). SSH refuses to work if these are wrong; it's a security feature.

What is SUID?

Set User ID (digit 4). Makes a file run with its owner's permissions instead of yours. Example: passwd has SUID so users can change their own password even though the password file is owned by root.

What is SGID?

Set Group ID (digit 2). New files created inside an SGID folder automatically inherit the folder's group instead of the creator's group. Great for team shared folders.

What is the Sticky Bit?

Sticky Bit (digit 1). In shared folders, you can only delete your own files, not other people's. Example: /tmp has the sticky bit so everyone can create temp files but can't delete each other's.