Linux File Permissions and chmod Explained: The Complete Guide

File permissions are the foundation of Linux security. Every file and directory has an owner, a group, and permission bits that control who can read, write, and execute. Getting these wrong leads to security vulnerabilities or broken applications.

The Permission Model

Every file has three permission sets, each with three bits:

-rwxr-xr-- 1 alice developers 4096 Mar 25 10:00 deploy.sh
│├─┤├─┤├─┤
│ │  │  └── Others (everyone else): read only
│ │  └───── Group (developers): read + execute
│ └──────── Owner (alice): read + write + execute
└────────── File type (- = file, d = directory, l = symlink)

  • r (read = 4): View file contents / list directory contents
  • w (write = 2): Modify file / create or delete files in a directory
  • x (execute = 1): Run file as a program / enter directory (cd)

Octal Notation

Each permission set is written as a single octal digit (0-7), the sum of the values of the bits that are set:

rwx = 4 + 2 + 1 = 7
rw- = 4 + 2 + 0 = 6
r-x = 4 + 0 + 1 = 5
r-- = 4 + 0 + 0 = 4
--- = 0 + 0 + 0 = 0

Common permission sets:

  • 755 — Owner: rwx, Group: r-x, Others: r-x. Standard for directories and scripts.
  • 644 — Owner: rw-, Group: r--, Others: r--. Standard for regular files.
  • 700 — Owner: rwx, Group: ---, Others: ---. Private directories (like ~/.ssh).
  • 600 — Owner: rw-, Group: ---, Others: ---. Private files (like SSH keys, .env).
  • 750 — Owner: rwx, Group: r-x, Others: ---. Shared team directories.
  • 666 — Everyone can read/write. Almost never correct.
  • 777 — Everyone can do everything. Never use in production.

chmod Command

Octal Mode

chmod 755 deploy.sh          # rwxr-xr-x
chmod 644 config.json        # rw-r--r--
chmod 600 ~/.ssh/id_ed25519  # rw------- (SSH key)
chmod 700 ~/.ssh             # rwx------ (SSH directory)
chmod -R 755 /var/www/html   # recursive: also marks every regular file executable

Symbolic Mode

chmod u+x script.sh          # add execute for owner
chmod g-w file.txt           # remove write for group
chmod o-rwx secret.key       # remove all for others
chmod a+r readme.md          # add read for all (a = all)
chmod u=rwx,g=rx,o=r file    # set exact permissions

chown and chgrp

chown alice file.txt              # change owner
chown alice:developers file.txt   # change owner and group
chown -R www-data:www-data /var/www  # recursive
chgrp developers project/         # change group only

Special Permissions: SUID, SGID, Sticky Bit

SUID (Set User ID) — 4xxx

When set on an executable, the program runs with the file owner's privileges instead of those of the user who executed it. Classic example: /usr/bin/passwd has SUID so regular users can change their own password (which requires writing to /etc/shadow, owned by root).

chmod 4755 /usr/bin/passwd   # -rwsr-xr-x
# The 's' in the owner execute position indicates SUID

Security risk: A vulnerability in a SUID binary gives an attacker the file owner's privileges, which means root access when the binary is owned by root. Audit SUID files regularly: find / -perm -4000 -type f
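
One way to run that audit on a schedule, as an added example that is not part of the original article: list SUID files (and SGID files, the 2xxx bit) and report only those missing from a reviewed baseline. The function names and the baseline path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): SUID/SGID audit against a baseline.
# list_setid, new_setid and the baseline path are names chosen for this example.

# list_setid ROOT: print SUID or SGID regular files under ROOT, sorted.
# -xdev stays on one filesystem, so /proc and network mounts are skipped.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# new_setid ROOT BASELINE: print set-id files that are not listed in BASELINE,
# a file of already reviewed paths produced earlier by list_setid.
# The comparison is line based, so paths containing newlines are not handled.
new_setid() {
    list_setid "$1" | LC_ALL=C comm -23 - "$2"
}

# Typical use (run as root so every directory is readable):
#   list_setid / > /root/setid.baseline    # review this list once
#   new_setid / /root/setid.baseline       # later runs: anything printed is new
```

Any path printed by new_setid appeared after the baseline was taken and should be traced to a package or removed.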

SGID (Set Group ID) — 2xxx

On a directory, new files inherit the directory's group instead of the creator's primary group. Essential for shared team directories.

chmod 2775 /shared/project   # drwxrwsr-x
# The 's' in group execute position indicates SGID

Sticky Bit — 1xxx

On a directory, only the file owner (or root) can delete files, even if others have write permission. Used on /tmp to prevent users from deleting each other's temp files.

chmod 1777 /tmp              # drwxrwxrwt
# The 't' in others execute position indicates sticky bit
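
The octal and special-bit rules above, as an added example that is not part of the original article: a POSIX shell function (the name mode_to_octal is made up here) that turns an ls -l mode string into four-digit octal. It goes slightly beyond the article by also accepting the upper-case S and T forms, which ls shows when a special bit is set without the matching execute bit.

```shell
#!/bin/sh
# Added example (not from the original article).
# mode_to_octal MODE: print the 4-digit octal mode for an `ls -l` mode string.
mode_to_octal() {
    # ls may append '.' or '+' (SELinux context / ACL marker): keep 10 characters.
    mode=$(printf '%.10s' "$1")
    # One file-type character followed by exactly nine permission characters.
    case $mode in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) return 1 ;;
    esac
    rest=${mode#?}      # drop the file-type character
    special=0
    digits=""
    weight=4            # 4 = SUID (owner), 2 = SGID (group), 1 = sticky (others)
    while [ -n "$rest" ]; do
        triad=$(printf '%.3s' "$rest")
        rest=${rest#???}
        d=0
        case $triad in r??) d=$((d + 4)) ;; esac
        case $triad in ?w?) d=$((d + 2)) ;; esac
        case $triad in
            ??x)     d=$((d + 1)) ;;
            ??s|??t) d=$((d + 1)); special=$((special + weight)) ;;  # special + execute
            ??S|??T) special=$((special + weight)) ;;                # special, no execute
        esac
        digits=$digits$d
        weight=$((weight / 2))
    done
    printf '%s%s\n' "$special" "$digits"
}

# The mode strings used in this article.
for m in -rwxr-xr-- -rwsr-xr-x drwxrwsr-x drwxrwxrwt; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```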

umask: Default Permission Mask

The umask determines default permissions for newly created files and directories. It removes permissions from the maximum (666 for files, 777 for directories): every bit set in the umask is cleared from the new file's mode.

umask 022    # Files: 644, Directories: 755 (default on most systems)
umask 077    # Files: 600, Directories: 700 (strict, for sensitive environments)
umask 002    # Files: 664, Directories: 775 (team-friendly)
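
An added example, not from the original article, showing that the umask clears bits rather than subtracting numbers: apply_umask computes the expected mode and created_mode checks it against a file or directory actually created in a temporary directory. Both function names are made up here, and created_mode assumes GNU stat (stat -c).

```shell
#!/bin/sh
# Added example (not from the original article).

# apply_umask BASE MASK: clear MASK's bits from BASE (both octal), print octal.
# This is BASE AND NOT MASK. Plain subtraction only agrees when every mask bit
# is also set in BASE: 666 with mask 033 gives 644, not 633.
apply_umask() {
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# created_mode MASK file|dir: create an object under umask MASK in a fresh
# temporary directory and print the mode the kernel actually gave it.
# The ( ) body runs in a subshell, so the caller's umask is left untouched.
created_mode() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = dir ]; then
        mkdir "$tmp/new"
    else
        : > "$tmp/new"
    fi
    mode=$(stat -c '%a' "$tmp/new")
    rm -rf "$tmp"
    printf '%s\n' "$mode"
)

# Compare the computed and the observed modes for a few masks.
for mask in 022 077 002 033; do
    printf 'umask %s: file %s (computed %s), dir %s (computed %s)\n' "$mask" \
        "$(created_mode "$mask" file)" "$(apply_umask 666 "$mask")" \
        "$(created_mode "$mask" dir)" "$(apply_umask 777 "$mask")"
done
```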

Permission Errors and Fixes

# "Permission denied" when running a script
chmod +x script.sh

# Web server can't read files
chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

# SSH "Permissions too open" error
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/*.pub
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/config

The Bottom Line

Linux permissions are not complex once you understand the rwx model and octal notation. Use 644 for files, 755 for directories, 600/700 for sensitive files, and never use 777 in production. Audit SUID binaries regularly and set umask appropriately for your environment.