March 21, 2026 | 8 min read | By BrowseryTools Team

Linux File Permissions Explained: A Complete chmod Guide

A complete guide to Unix file permissions — the owner/group/other model, octal notation (755, 644, 777), symbolic notation, setuid/setgid/sticky bit, and real-world examples for web servers and SSH keys.

Tags: chmod, Linux, file permissions, Unix, security, sysadmin

Every file and directory on a Linux or macOS system carries a set of permissions that controls who can read it, write to it, or execute it. Getting these permissions right is the difference between a secure server and one that leaks data or gets compromised. Yet the notation — chmod 755, ls -la output showing -rwxr-xr-- — can feel opaque until you understand the model underneath. This guide explains Unix file permissions from first principles.

You can calculate permission values and convert between octal and symbolic notation instantly with the BrowseryTools chmod Calculator — free, no sign-up, everything runs in your browser.

The Unix Permissions Model: Owner, Group, Other

Unix assigns every file and directory three permission sets, each covering a different audience:

  • Owner (user) — the user account that owns the file. Typically the user who created it.
  • Group — a named group of users. The file belongs to one group; all members of that group share the group permissions.
  • Other (world) — everyone else on the system who is neither the owner nor in the group.

Within each of these three sets, there are three permission bits: read (r), write (w), and execute (x). That gives nine permission bits in total, which map directly to the nine characters you see after the file type indicator in ls -la output.

Reading ls -la Output

When you run ls -la, each line starts with a 10-character string like -rwxr-xr--. Here is how to read it:

-  rwx  r-x  r--
^  ^^^  ^^^  ^^^
|  |    |    └── other:  read only
|  |    └─────── group:  read + execute
|  └──────────── owner:  read + write + execute
└─────────────── file type: - = file, d = directory, l = symlink

A dash - in a permission position means that permission is not granted. So r-x means read and execute are allowed, but write is not.

What Read, Write, Execute Mean for Files vs Directories

The three permission bits mean different things depending on whether they apply to a file or a directory:

  • File read (r) — can read the file contents (cat, less, open in an editor).
  • File write (w) — can modify or truncate the file. Note: deleting a file is controlled by the parent directory's write permission, not the file's own write bit.
  • File execute (x) — can run the file as a program or script. Without this bit, ./script.sh returns "Permission denied" even if you can read it.
  • Directory read (r) — can list the directory contents (ls). Without it, you know the directory exists but cannot see what is inside.
  • Directory write (w) — can create, rename, or delete files inside the directory. This is why you can delete a file you do not own if you have write access to its parent directory.
  • Directory execute (x) — can enter the directory (cd) and access files inside it if you know their names. This is sometimes called the "search bit." A directory with r-- lets you list filenames but not access them; a directory with --x lets you access files by name but not list them.

Octal Notation: 755, 644, 777

Each permission set (owner, group, other) is three bits. Three bits can represent values from 0 to 7 — exactly one octal digit. This is why permissions are written as three octal digits, one per audience:

Bit values:  r = 4,  w = 2,  x = 1

rwx = 4+2+1 = 7
r-x = 4+0+1 = 5
r-- = 4+0+0 = 4
--- = 0+0+0 = 0

chmod 755 → owner: 7 (rwx), group: 5 (r-x), other: 5 (r-x)
chmod 644 → owner: 6 (rw-), group: 4 (r--), other: 4 (r--)
chmod 600 → owner: 6 (rw-), group: 0 (---), other: 0 (---)

You never need to memorize every combination — use the BrowseryTools chmod Calculator to check what any octal value means or to build the right value for your situation.
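
As an added example (not part of the original article), the POSIX shell function below turns an `ls -l` mode string into its octal value. It goes slightly beyond the three-digit cases above: it also decodes the setuid, setgid and sticky bits covered later in this guide, which `ls` shows as `s`/`S` or `t`/`T` in the execute position. The function name `mode_to_octal` and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn an `ls -l` mode string into its octal chmod value.
mode_to_octal() {
    extra=${1#??????????}            # anything after the first 10 chars (ACL "+", etc.)
    mode=${1%"$extra"}
    [ "${#mode}" -eq 10 ] || { echo "expected e.g. -rwxr-xr-x" >&2; return 1; }
    perms=${mode#?}                  # drop the file-type character
    special=0
    digits=
    for weight in 4 2 1; do          # special-bit weights: setuid, setgid, sticky
        rest=${perms#???}
        triad=${perms%"$rest"}       # next three characters
        perms=$rest
        if [ "$weight" -eq 1 ]; then lo=t up=T; else lo=s up=S; fi
        d=0
        case $triad in r??) d=$((d + 4)) ;; -??) ;; *) return 1 ;; esac
        case $triad in ?w?) d=$((d + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $triad in
            ??x) d=$((d + 1)) ;;
            ??-) ;;
            ??"$lo") d=$((d + 1)); special=$((special + weight)) ;;  # special bit + execute
            ??"$up") special=$((special + weight)) ;;                # special bit, no execute
            *) return 1 ;;
        esac
        digits=$digits$d
    done
    if [ "$special" -gt 0 ]; then digits=$special$digits; fi
    printf '%s\n' "$digits"
}

# Constructed inputs: the article's example string plus special-bit cases.
for m in -rwxr-xr-- -rw------- -rwsr-xr-x drwxrwsr-x drwxrwxrwt -rwSr--r--; do
    printf '%s  %s\n' "$m" "$(mode_to_octal "$m")"
done
```

An uppercase `S` or `T` means the special bit is set but the underlying execute bit is not, which is usually a misconfiguration worth a second look.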

Symbolic Notation: u+x, g-w, o=r

Symbolic mode lets you modify permissions relative to their current state, without specifying all three sets at once. The format is [who][operator][permissions]:

  • Who: u (owner/user), g (group), o (other), a (all three)
  • Operator: + (add), - (remove), = (set exactly)
  • Permissions: r, w, x

chmod u+x script.sh       # add execute for owner only
chmod g-w config.txt      # remove write from group
chmod o=r public.html     # set other to read-only exactly
chmod a+r file.txt        # add read for everyone
chmod u=rwx,g=rx,o= script.sh   # equivalent to chmod 750 script.sh

Common Permission Patterns Explained

  • 755 (rwxr-xr-x) — Standard for executables and directories. Owner can do everything; everyone else can read and execute (or enter a directory) but not write. The default for web server document root directories and public scripts.
  • 644 (rw-r--r--) — Standard for regular files. Owner can read/write; everyone else can only read. Good for web assets, configuration files that do not contain secrets, and most static content.
  • 600 (rw-------) — Owner can read/write; nobody else can do anything. Required for SSH private keys (~/.ssh/id_rsa). SSH will refuse to use a key file that has looser permissions.
  • 700 (rwx------) — Owner can do everything; nobody else has any access. Good for private scripts and directories containing sensitive data.
  • 400 (r--------) — Read-only for the owner; completely locked for everyone else. Used for immutable configuration files and certificates where accidental writes would be harmful.

Why 777 Is Dangerous

chmod 777 gives read, write, and execute permission to every user on the system. This means any process running as any user — including a compromised web application, a malicious script in a shared hosting environment, or any other user on the machine — can modify or execute the file. In a web server context, a PHP file with 777 permissions allows any other process to overwrite it with malicious code. Never use 777 in production. If you are using it to "fix a permissions error," the real fix is to give the right user or group ownership of the file instead.

Setuid, Setgid, and Sticky Bit

Beyond the nine standard bits, there are three special bits that appear as a fourth leading digit in four-digit octal notation:

  • Setuid (4xxx) — when set on an executable, the program runs with the file owner's privileges, not the caller's. /usr/bin/passwd uses this to let regular users write to /etc/shadow, which is owned by root.
  • Setgid (2xxx) — on an executable, runs with the file's group privileges. On a directory, new files created inside inherit the directory's group rather than the creator's primary group — useful for shared project directories.
  • Sticky bit (1xxx) — on a directory, prevents users from deleting files they do not own, even if they have write access to the directory. /tmp has the sticky bit set (chmod 1777) so users can create their own temp files but cannot delete each other's.
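
The sections on 777 and on the special bits both describe modes you should be able to account for on any server. The added example below (not from the original article) audits a directory tree for them with POSIX `find`; the function names `audit_perms` and `make_sample_tree` and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the risky modes described above anywhere under a tree.
# Output: one finding per line, "<KIND> <path>".
audit_perms() {
    root=$1
    # Files writable by "other": any local account or compromised service
    # can overwrite them (the 777 / 666 problem).
    find "$root" -type f -perm -0002 -exec printf 'WORLD_WRITABLE_FILE %s\n' {} +
    # World-writable directories WITHOUT the sticky bit: anyone can delete
    # or replace other users' files. 1777 (like /tmp) is not reported.
    find "$root" -type d -perm -0002 ! -perm -1000 \
        -exec printf 'WORLD_WRITABLE_DIR_NO_STICKY %s\n' {} +
    # Setuid / setgid files run with the file owner's / group's privileges;
    # every one of them should be known and expected.
    find "$root" -type f -perm -4000 -exec printf 'SETUID %s\n' {} +
    find "$root" -type f -perm -2000 -exec printf 'SETGID %s\n' {} +
}

# Constructed sample tree so the example runs offline; prints its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/uploads" "$t/shared-tmp"
    touch "$t/index.php" "$t/style.css" "$t/helper"
    chmod 777  "$t/index.php"    # the "quick fix" the article warns about
    chmod 644  "$t/style.css"    # normal static file, not reported
    chmod 4755 "$t/helper"       # setuid bit set
    chmod 777  "$t/uploads"      # world-writable, no sticky bit
    chmod 1777 "$t/shared-tmp"   # world-writable but sticky, like /tmp
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_perms "$tree"
rm -rf "$tree"
```

Run against a real path such as a web root, an empty result is the goal; any `SETUID` or `SETGID` line should match a binary you expect to be there.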

chmod Recursive (-R) and Real-World Examples

The -R flag applies a permission change recursively to a directory and all its contents. Use it with care — applying the same permissions to both files and directories is often wrong because directories need the execute bit to be enterable, while regular files usually should not have execute:

# Web server: directories need 755, files need 644
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

# Fix SSH key permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
chmod 644 ~/.ssh/authorized_keys

# Make a deploy script executable
chmod +x deploy.sh

When you are unsure what octal value to use, the BrowseryTools chmod Calculator lets you click checkboxes for owner, group, and other permissions and immediately see the resulting octal value and symbolic notation.
