Permissions

Published

2025-06-26

Caution

This section is under development. Thank you for your patience.

Every file and folder on Linux has rules about who can see it, change it, or run it. Those rules are called permissions, and they’re what keep your data safe and organized. In this chapter, you’ll learn:

  1. What permissions are and why they matter
  2. How to read and understand permission settings
  3. How to change permissions with simple commands
  4. A few handy examples and troubleshooting tips

Why Permissions?

Security and privacy: Imagine you share a computer with someone else. You don’t want them accidentally deleting your photos, and they don’t want you messing with their work documents. Permissions keep each person’s files separate and safe.

Accident prevention: Even on your own machine, permissions protect important system files. If you could delete or change everything without restriction, you might break your system by mistake.

Controlled sharing: When you do want to share, permissions let you decide exactly who can view or edit a file or folder.

Permission Categories

Linux assigns permissions in three categories for every file and folder:

  1. Owner (the user who created or “owns” the file)
  2. Group (a set of users who share access rights)
  3. Others (everyone else on the system)

And there are three types of actions:

  • Read (r): View the contents of a file or list a folder’s contents
  • Write (w): Change a file or add/remove files in a folder
  • Execute (x): Run a file as a program or “enter” a folder to work inside

View Permissions

Open a terminal and type:

ls -l

You’ll see output like this:

-rwxr---r-- 1 alice staff 1024 Jun 25 10:00 report.txt
drwxr-xr-x 2 bob   staff 4096 Jun 24 14:30 projects

Let’s break down the first line (report.txt):

-rwxr--r--
  • The first character (- or d) tells you if it’s a file (-) or directory (d).
  • Next three characters (rwx) are the owner’s permissions.
  • Next three (r--) are the group’s permissions.
  • Last three (r--) are others’ permissions.

So for report.txt:

  • Owner (alice) can read, write, and execute (r w x)
  • Group (staff) can only read (r – –)
  • Others can only read (r – –)

Chang Permissions

To adjust who can do what, use the chmod command. There are two common styles: symbolic (using letters) and numeric (using numbers). We’ll start with symbolic—it’s easier to read.

ls -l data/README.md
# -rw-r--r--@ 1 username  staff  8834 May 14 09:33 data/README.md

The file permissions for data/README.md are stored in the combination of characters and symbols returned from ls -l:

Breakdown of -rw-r--r--@:

# -

The - indicates that the item is a regular file.

# -rw-

The first three characters after the dash represent the user (owner) permissions. The user has read (r) and write (w) permissions but no execute (x) permission.

# -rw-r--

The next three characters represent the group permissions. The group has read (r) permission only, with no write (w) or execute (x) permissions.

# -rw-r--r--

The final three characters represent the permissions for others (everyone else). Like the group, others have only read (r) permission, with no write (w) or execute (x) permissions.

# -rw-r--r--@

The @ symbol indicates that the file has extended attributes, which are additional metadata stored by the operating system.

# -rw-r--r--@ 1

The 1 indicates the count of hard links pointing to the file, which in this case is the file itself. This is typical for regular files that haven’t been explicitly linked elsewhere.

Symbolic Mode

This command adds (+) execute (x) permission to the user (u) of the file.

  • u = owner (you)
  • g = group
  • o = others
  • a = all (owner, group, and others)

And the operations:

  • + to add a permission
  • - to remove a permission
  • = to set exactly those permissions

Examples:

  1. Add write permission for your group on report.txt:
chmod g+w report.txt
  1. Remove execute permission for others on script.sh:
chmod o-x script.sh
  1. Set read/write for owner, read-only for group and others on data.csv:
chmod u=rw,g=r,o=r data.csv

Symbolic Notation

To grant the permissions above (i.e., -rw-r--r--), we can group the arguments to chmod:

chmod u=rw,go=r filename

In this case,

u=rw: specifies that the user (owner) can read and write

go=r: specifies that both the group and others can read, but not write or execute.

We can also use chmod to add permissions with +. The code below grants execute permissions to the user (owner) of the file named data/README.md:

chmod u+x data/README.md

Numeric Mode

Each permission (r, w, x) has a numeric value:

  • r = 4
  • w = 2
  • x = 1

Add them together for each category:

Permission Value
none 0
–x 1
-w- 2
-wx 3
r– 4
r-x 5
rw- 6
rwx 7

A three-digit number (e.g., 750) sets owner, group, and others, in that order.

Example: To give the owner full access, the group read/execute, and others none:

chmod 750 myscript.sh
  • Owner: 7 (rwx)
  • Group: 5 (r-x)
  • Others: 0 (—)

Numeric Notation

To set the permissions of the file data/README.md so that the user can read and execute it, the group can read it, and others have no permissions, we would use:

chmod 750 data/README.md

Here, 7 stands for read (4), write (2), and execute (1) permissions for the user. 5 represents read and execute permissions for the group (4+1), and 0 means no permissions for others.

Both of these examples modify the permissions of data/README.md to enhance or restrict access as specified.

Permission Bits

Beyond basic read/write/execute, Linux has three special bits you may encounter:

  1. Setuid (s on owner’s x) When set on an executable file, this lets users run it with the file owner’s permissions.
  2. Setgid (s on group’s x) Similar to setuid, but for group permissions; on folders, new files inherit the folder’s group.
  3. Sticky bit (t on others’ x) On a folder, users can only delete or rename files they own, even if others have write permission.

You’ll see them as lowercase s or t in the permission string, for example:

-rwsr-xr-x 1 root root 123K May 10  2023 /usr/bin/passwd
drwxrwxrwt 2 root root 4.0K Jun 20  2024 /tmp
  • /usr/bin/passwd uses setuid so you can change your password safely.
  • /tmp uses the sticky bit so everyone can write there, but you can only remove your own files.

A Simple Example

Let’s create a folder where members of the “team” group can freely share files, but nobody else can peek.

  1. Create the group (if it doesn’t exist):
sudo groupadd team
  1. Create the folder:
sudo mkdir /srv/team-files
  1. Change the folder’s group to team:
sudo chown root:team /srv/team-files
  1. Set permissions so owner (root) and group can read/write/enter, others have no access:
sudo chmod 770 /srv/team-files
  1. Enable setgid so new files inherit the group:
sudo chmod g+s /srv/team-files

Now any member of the team group who drops files into /srv/team-files will automatically share them with the rest of the team.

Check and Fix Permissions

See current settings:

ls -ld /path/to/file-or-folder

If you get “Permission denied”:

  1. Check who owns the file and what group it’s in (ls -l).
  2. Verify your user is in the right group (groups).
  3. Adjust with chmod, chown, or chgrp as needed.

Recap

Permissions are your first line of defense in Linux:

  • They protect your personal files.
  • They keep system files safe.
  • They let you share selectively.

With just a few simple commands—ls -l, chmod, chown, and chgrp—you’re in control of who can read, change, or run anything on your system. Practice by examining files on your machine, tweaking permissions in a safe folder, and watching how access changes. In the next chapter, we’ll dive into working with processes, showing you how Linux runs programs and how you can manage them.

See a typo, error, or something missing?

Please open an issue on GitHub.