Reading the ls -l Output

Every file and directory in Linux has a set of permissions that control who can read, write, and execute it. You can see these permissions by running ls -l:

$ ls -l
-rw-r--r--  1 john staff  4096 Mar  1 10:30 report.txt
drwxr-xr-x  3 john staff  4096 Feb 28 14:00 projects
-rwxr-x---  1 john staff   512 Feb 25 09:00 backup.sh

That first column of characters is the permission string. Let's break it down piece by piece:

-  rwx  r-x  ---
|   |    |    |
|   |    |    +-- Other (everyone else)
|   |    +------- Group (members of the file's group)
|   +------------ Owner (the user who owns the file)
+---------------- File type (- = file, d = directory, l = symlink)
💡
Three groups of three.

After the file type character, the remaining 9 characters are always three groups of three: owner permissions, group permissions, and other (everyone else) permissions. Each group follows the same rwx pattern.

What r, w, and x Mean

Each permission letter controls a specific type of access. The meaning differs slightly between files and directories:

For Files

r (read): View the file's contents. Without this, commands like cat and less will fail.
w (write): Modify or overwrite the file's contents. Also needed to delete the file (along with write on the parent directory).
x (execute): Run the file as a program or script. A script without execute permission cannot be run directly.

For Directories

r (read): List the directory's contents with ls. Without this, you cannot see what is inside.
w (write): Create, rename, or delete files within the directory. This is a powerful permission.
x (execute): Enter the directory with cd and access files inside it. Without this, the directory is completely inaccessible.

A dash (-) in any position means that permission is not granted. For example:

r--    = read only
rw-    = read and write, but not execute
r-x    = read and execute, but not write
---    = no access at all
⚠️
Directory execute (x) is often overlooked.

A directory with r-- permissions lets you list file names but not open or read any of them. You need x to actually enter the directory and access its contents. This is why directories almost always have x set for at least the owner.

Owner, Group, and Other

Linux uses a three-tier access model. Every file has an owner (a single user) and a group (a single group). Everyone else falls into "other."

$ ls -l report.txt
-rw-r--r--  1 john staff  4096 Mar  1 10:30 report.txt

In this example:

  • john is the owner -- has rw- (read and write)
  • staff is the group -- has r-- (read only)
  • Everyone else -- has r-- (read only)

When Linux checks permissions, it follows this order: if you are the owner, the owner permissions apply. If you are not the owner but belong to the file's group, the group permissions apply. Otherwise, the "other" permissions apply. Only one set applies -- they do not add together.
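
The check order described above, written out as an added example (not from the original tutorial). The function names and the user mary are made up for illustration; root, ACLs and special bits are left out.

```bash
#!/bin/sh
# Added example: which permission tier applies to a user, and what it grants.
# Scope: plain r/w/x only; root, ACLs and setuid/setgid/sticky are ignored.

# effective_perms MODE OWNER GROUP USER "USER_GROUPS"
#   MODE is the 10-character string from ls -l, e.g. -rw-r--r--
#   Prints "<tier> <triplet>", e.g. "group r--".
effective_perms() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    if [ "$user" = "$owner" ]; then
        tier=owner start=2            # owner match wins, even if weaker
    else
        tier=other start=8
        for g in $user_groups; do     # group tier only if not the owner
            if [ "$g" = "$group" ]; then tier=group start=5; break; fi
        done
    fi
    triplet=$(printf '%s' "$mode" | cut -c"$start-$((start + 2))")
    printf '%s %s\n' "$tier" "$triplet"
}

# can PERM MODE OWNER GROUP USER "USER_GROUPS"  (PERM is r, w or x)
can() {
    want=$1; shift
    set -- $(effective_perms "$@")    # $1 = tier, $2 = triplet
    case $2 in *"$want"*) return 0 ;; *) return 1 ;; esac
}

# Constructed cases; the first two use report.txt from the listing above.
effective_perms -rw-r--r-- john staff john "staff"        # owner rw-
effective_perms -rw-r--r-- john staff mary "mary staff"   # group r--
# Owner has nothing, group has rw-: john is still denied, tiers do not add up.
effective_perms ----rw-r-- john staff john "staff"        # owner ---
can w ----rw-r-- john staff john "staff" || echo "john: write denied"
```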

💡
Check your groups.

Run groups to see which groups your user belongs to. Run id for a more detailed view including your user ID and all group IDs. This helps you understand which permission tier applies to you for any file.

Changing Permissions with chmod

The chmod (change mode) command modifies file permissions. There are two ways to use it: symbolic mode (letters) and numeric mode (numbers).

Symbolic Mode

Symbolic mode uses letters to specify who gets what permissions. The format is: chmod [who][operator][permissions] file

Who (u, g, o, a): u = owner, g = group, o = other, a = all three
Operator (+, -, =): + adds a permission, - removes it, = sets it exactly
Permissions (r, w, x): read, write, execute, as described above

# Give the owner execute permission
chmod u+x script.sh

# Remove write permission from group and other
chmod go-w report.txt

# Give everyone read permission
chmod a+r public-file.txt

# Set exact permissions: owner=rwx, group=rx, other=nothing
chmod u=rwx,g=rx,o= project-dir

Numeric (Octal) Mode

Numeric mode represents permissions as a three-digit number. Each digit is the sum of its permission values:

4 = Read (r)
2 = Write (w)
1 = Execute (x)

Add the values together for each position (owner, group, other):

7 = 4+2+1 = rwx  (full access)
6 = 4+2   = rw-  (read and write)
5 = 4+1   = r-x  (read and execute)
4 = 4     = r--  (read only)
0 = 0     = ---  (no access)

# Set permissions to rwxr-xr-x (755)
chmod 755 script.sh

# Set permissions to rw-r--r-- (644)
chmod 644 document.txt

# Set permissions to rwx------ (700)
chmod 700 private-dir

# Set permissions to rw------- (600)
chmod 600 secret-key.pem

Common Permission Patterns

Certain permission numbers appear again and again in Linux. Memorize these and you will be able to handle most situations:

755: Standard for directories and executable scripts. Owner has full control; everyone else can read and enter/execute but not modify.
644: Standard for regular files. Owner can read and write; everyone else can only read.
700: Private directory. Only the owner has any access. Common for ~/.ssh.
600: Private file. Only the owner can read and write. Required for SSH private keys.
444: Read-only for everyone. Used for files that should never be modified accidentally.
⚠️
SSH keys require strict permissions.

SSH private keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519) must be set to 600. If the permissions are too open, SSH will refuse to use the key and display a warning: "Permissions are too open." Always run chmod 600 ~/.ssh/id_* after creating or copying keys.
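
An added example (not part of the original tutorial) that ties the numeric mode section to the SSH key rule: it converts the permission string from ls -l to octal and lists id_* private keys that group or other can access. The function names are made up here, and treating any non-zero group or other digit as too open is this example's assumption.

```bash
#!/bin/sh
# Added example: ls -l permission string -> octal, then a check for private
# keys that group or other can touch. Plain r/w/x only (no s/t letters).

# octal_of PERMSTRING   e.g. -rwxr-x--- -> 750
octal_of() {
    perms=$(printf '%s' "$1" | cut -c2-10)     # drop the file-type character
    out=
    for start in 1 4 7; do                     # owner, group, other
        trip=$(printf '%s' "$perms" | cut -c"$start-$((start + 2))")
        n=0
        case $trip in r??) n=$((n + 4)) ;; esac
        case $trip in ?w?) n=$((n + 2)) ;; esac
        case $trip in ??x) n=$((n + 1)) ;; esac
        out=$out$n
    done
    printf '%s\n' "$out"
}

# mode_of FILE: octal mode read from the first column of ls -l
mode_of() { octal_of "$(ls -ld -- "$1" | cut -c1-10)"; }

# audit_keys DIR: print "<mode> <path>" for every id_* private key whose
# group or other digit is not 0. Public keys (*.pub) are skipped.
audit_keys() {
    for f in "$1"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        m=$(mode_of "$f")
        case $m in ?00) ;; *) printf '%s %s\n' "$m" "$f" ;; esac
    done
}

# Demo on a constructed scratch directory (empty files stand in for keys).
demo=$(mktemp -d)
: > "$demo/id_ed25519"; chmod 644 "$demo/id_ed25519"
audit_keys "$demo"                   # reports the file with mode 644
chmod 600 "$demo/id_ed25519"
audit_keys "$demo"                   # prints nothing after the fix
rm -rf "$demo"
```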

Summary

In this tutorial, you learned the fundamentals of Linux file permissions:

  • How to read the permission string in ls -l output
  • What r, w, and x mean for files and directories
  • The three-tier model: owner, group, and other
  • How to change permissions with chmod using symbolic and numeric modes
  • Common permission patterns: 755, 644, 700, 600
🎉
Excellent!

Understanding permissions is a cornerstone of Linux security. You now know how to read and set permissions to control exactly who can access your files. This knowledge will be essential as you work with system administration, scripting, and server management.