File and directory permissions on Linux with chmod

Read, write, execute

Linux is multi-user, so files have access controls. Each file or directory has three permission bits:

Read (r) — view the contents (or list the directory)
Write (w) — modify or delete the file (or create/delete entries in the directory)
Execute (x) — run the file as a program (or cd into the directory)

For directories, the meaning is slightly different:

r — list the contents
w — create, rename or delete entries
x — enter the directory (use it as part of a path)

Without these controls, anyone could read or wipe anyone else's files. With them, you can scope access precisely.

chmod

chmod ("change mode") is the command for setting permissions on a file or directory. Only the file's owner or the superuser (root) can change its mode.

There are three categories of who the permissions apply to:

bash

1u — user (owner)2g — group (the file's group)3o — other (everyone else)4a — all (u + g + o)

And three permissions, always in the same order: rwx.

To see the permissions of files in a directory, use ls -l (or ls -all for hidden files too).

bash

1ls -al

bash

1drwxr-x---+ 51 oz   staff  1632 13 Şub 16:39 .2drwxr-xr-x   5 root admin   160 27 Oca 03:42 ..3-r--------   1 oz   staff     9  6 Oca 15:55 .CFUserTextEncoding4-rw-r--r--@  1 oz   staff 12292 10 Sub 15:14 .DS_Store5drwxr-xr-x@  5 oz   staff   160 13 Oca 20:48 .IdentityService6drwx------+ 17 oz   staff   160 13 Şub 16:15 .Trash

Reading the permission string

The first 10 characters look like drwxr-xr-x. Break that down:

bash

1type | user  | group | other2 -   | rwx   | r-x   | r-x

The first character is the file type:

bash

1-   regular file2d   directory3l   symbolic link4b   block special file5c   character special file6p   named pipe (FIFO)7s   socket

After that, three groups of three: owner, group, others. Each is rwx with - substituted for missing perms.

So drwxr-xr-x means:

It's a directory
The owner can read, write, execute
The group and everyone else can read and execute (but not write)

A few more reads:

bash

1drwx------   3 oz   staff    96  2 Şub 11:03 .cups

Directory, only the owner has any access. Even members of the staff group can't enter it.

bash

1-rw-r--r--   1 oz   staff   122  1 Mar 09:30 readme.md

Regular file, owner can read and write, everyone else can only read.

Numeric (octal) mode

Each permission also has a numeric value:

bash

1r = 42w = 23x = 1

Add them up to get the digit for each category. The full mode is three digits — owner, group, other.

bash

1000  ---  no permissions2100  --x  execute only3200  -w-  write only4400  r--  read only5500  r-x  read + execute6600  rw-  read + write7700  rwx  full

A few common patterns:

chmod 644 file — rw-r--r-- (owner can edit, others can read)
chmod 600 file — rw------- (owner-only — what you want for SSH private keys)
chmod 755 dir — rwxr-xr-x (owner full, others can enter and list)
chmod 700 dir — rwx------ (owner-only directory)
chmod 777 file — full perms for everyone (almost always wrong on real systems)

Symbolic mode

The other syntax uses +, -, =:

+ — add the permission
- — remove the permission
= — set exactly this (clears the others)

Examples:

bash

1chmod u+x script.sh           # owner gets execute2chmod go-rw notes.md          # group + others lose read & write3chmod a+r public.txt          # everyone gets read4chmod u=rw,go=r config.yml    # owner: rw, group: r, other: r

Recursive

For an entire directory tree, use -R:

bash

1chmod -R u+rw project/

Be careful — this applies the same mode to files and directories. If you want directories to keep their x bit (so they're traversable) while removing it from files, that needs a find + chmod combo:

bash

1# directories: rwx for owner, rx for others2find project -type d -exec chmod 755 {} \;34# files: rw for owner, r for others5find project -type f -exec chmod 644 {} \;

Or in one shot with the X (capital) symbolic mode, which only adds x to directories and to files that already have x:

bash

1chmod -R u+rwX,go+rX project/

Patterns I use a lot

bash

1chmod 600 ~/.ssh/id_ed25519              # SSH private key2chmod 644 ~/.ssh/id_ed25519.pub          # SSH public key3chmod 700 ~/.ssh                         # SSH directory4chmod +x deploy.sh                       # make a script executable5chmod -R go-rwx /etc/secret-config       # lock down a config tree

Stick to numeric mode for canonical settings (anything documented somewhere) and symbolic mode for quick toggles like +x. Both work — pick whichever reads clearer in context.