Back to blog

Complete Guide to Linux File Permissions and Ownership for Absolute Beginners

Master Linux file permissions with chmod, chown, and chgrp commands. Learn symbolic and numeric notation, special permissions (SUID, SGID, sticky bit), SELinux contexts, and security best practices with practical examples.

26 min read
#linux#file-permissions#chmod#chown#security#selinux#bash

Introduction

File permissions are the cornerstone of Linux security. Every file and directory has permissions that control who can read, write, or execute them. Understanding and properly configuring these permissions is essential for system security and proper access control.

In this comprehensive guide, you'll learn:

  • How to read and understand Linux permission notation (rwx)
  • Changing permissions with chmod using both symbolic and numeric modes
  • Managing file ownership with chown and chgrp
  • Understanding special permissions: SUID, SGID, and sticky bit
  • Working with SELinux security contexts
  • Security best practices and troubleshooting tips
šŸ’”

Prerequisites: Basic familiarity with the Linux command line. You'll need sudo privileges for ownership changes and some permission modifications.

Understanding File Permissions Basics

Every file and directory in Linux has three types of permissions for three categories of users:

Permission Types (rwx)

SymbolPermissionFor FilesFor Directories
rReadView file contentsList directory contents
wWriteModify file contentsCreate/delete files in directory
xExecuteRun file as program/scriptEnter directory (cd into it)
-No permissionCannot perform actionCannot perform action

User Categories

SymbolCategoryDescription
uUser (Owner)The file owner
gGroupUsers in the file's group
oOthersEveryone else
aAllUser + Group + Others (u+g+o)

Reading Permission Strings

Let's create some test files and examine their permissions:

touch file1.txt
mkdir dir1
ls -l

Output:

total 0
drwxr-xr-x. 2 centos9 centos9 6 Oct  6 18:35 dir1
-rw-r--r--. 1 centos9 centos9 0 Oct  6 18:35 file1.txt

Decoding the Permission String

Let's analyze the permission string for file1.txt: -rw-r--r--

PositionCharactersMeaning
1-File type (- = regular file, d = directory, l = symlink)
2-4rw-Owner permissions: read + write (no execute)
5-7r--Group permissions: read only
8-10r--Others permissions: read only

Complete Line Breakdown:

  • -rw-r--r--: Permission string
  • 1: Number of hard links
  • centos9: Owner username
  • centos9: Group name
  • 0: File size in bytes
  • Oct 6 18:35: Last modification time
  • file1.txt: Filename

For the directory dir1: drwxr-xr-x

  • d: It's a directory
  • rwx: Owner can read, write (add/delete files), and execute (enter directory)
  • r-x: Group can read and execute (list and enter), but not write
  • r-x: Others can read and execute, but not write
šŸ’”

The dot (.) at the end of permissions indicates SELinux security context is applied to the file.

Changing Permissions with chmod (Symbolic Mode)

The chmod command changes file permissions. Symbolic mode uses letters to represent permissions.

Adding Execute Permission to Owner

chmod u+x file1.txt
ls -l

Output:

-rwxr--r--. 1 centos9 centos9 0 Oct  6 18:35 file1.txt

Command Breakdown:

  • chmod: Change mode (permissions) command
  • u+x: Add (+) execute (x) permission to user/owner (u)
  • file1.txt: Target file

What Changed:

  • Owner permissions changed from rw- to rwx
  • The file can now be executed as a program/script by the owner

Removing Group Read Permission

chmod g-r file1.txt
ls -l

Output:

-rwx---r--. 1 centos9 centos9 0 Oct  6 18:35 file1.txt

Command Breakdown:

  • g-r: Remove (-) read (r) permission from group (g)

Result:

  • Group permissions changed from r-- to ---
  • Group members can no longer read the file

Setting Exact Permissions with =

chmod u=rwx,g=rx,o= file1.txt
ls -l

Output:

-rwxr-x---. 1 centos9 centos9 0 Oct  6 18:35 file1.txt

Command Breakdown:

  • u=rwx: Set owner to read, write, execute (exact, replaces existing)
  • g=rx: Set group to read and execute (no write)
  • o=: Set others to nothing (no permissions)
  • Comma-separated for multiple changes in one command

Result:

  • Owner: rwx (full access)
  • Group: r-x (read and execute)
  • Others: --- (no access)
šŸ’”

Symbolic Operators:

  • + : Add permission
  • - : Remove permission
  • = : Set exact permission (replaces all existing)

Changing Permissions with chmod (Numeric Mode)

Numeric (octal) mode uses numbers to represent permissions. Each permission type has a value:

PermissionValueBinary
Read (r)4100
Write (w)2010
Execute (x)1001
No permission (-)0000

How to Calculate:

  • Add values for desired permissions
  • rwx = 4 + 2 + 1 = 7
  • rw- = 4 + 2 + 0 = 6
  • r-x = 4 + 0 + 1 = 5
  • r-- = 4 + 0 + 0 = 4

Setting Permissions to 755

chmod 755 file1.txt
ls -l

Output:

-rwxr-xr-x. 1 centos9 centos9 0 Oct  6 18:35 file1.txt

Permission Breakdown:

PositionNumberCalculationResultCategory
1st digit74 + 2 + 1rwxOwner
2nd digit54 + 0 + 1r-xGroup
3rd digit54 + 0 + 1r-xOthers

Use Case: 755 is common for executables and directories - owner has full control, others can read and execute.

Setting Permissions to 600

chmod 600 file1.txt
ls -l

Output:

-rw-------. 1 centos9 centos9 0 Oct  6 18:35 file1.txt

Permission Breakdown:

  • 6 (owner): 4 + 2 = rw- (read + write)
  • 0 (group): --- (no permissions)
  • 0 (others): --- (no permissions)

Use Case: 600 is ideal for private files like SSH keys, config files with passwords - only owner can access.

Common Numeric Permission Values

ValueSymbolicMeaningCommon Use
755rwxr-xr-xOwner: RWX, Group/Others: RXExecutables, directories
644rw-r--r--Owner: RW, Group/Others: RRegular files, documents
700rwx------Owner: RWX, Group/Others: nothingPrivate executables
600rw-------Owner: RW, Group/Others: nothingSSH keys, sensitive config
777rwxrwxrwxEveryone: RWXāš ļø Insecure! Avoid in production
666rw-rw-rw-Everyone: RWāš ļø Insecure! Avoid in production

Changing File Ownership with chown

The chown command changes file ownership. Only root or users with sudo can change ownership.

Changing File Owner

sudo chown root file1.txt
ls -l file1.txt

Output:

-rw-------. 1 root centos9 0 Oct  6 18:35 file1.txt

Command Breakdown:

  • sudo: Execute with superuser privileges (required for ownership changes)
  • chown: Change owner command
  • root: New owner username
  • file1.txt: Target file

What Changed:

  • Owner changed from centos9 to root
  • Group remains centos9
  • Now only root can read/write this file (permissions are 600)

Changing Owner and Group Simultaneously

You can change both owner and group in one command:

sudo chown user:users file1.txt

Syntax: chown owner:group filename

  • user: New owner
  • users: New group (separated by colon)
šŸ’”

Recursive Changes: Use chown -R to change ownership of directories and all their contents recursively. Example: sudo chown -R user:group /path/to/directory

Changing Group Ownership with chgrp

The chgrp command changes only the group ownership:

sudo chgrp wheel file1.txt
ls -l

Output:

-rw-------. 1 root wheel 0 Oct  6 18:35 file1.txt

Command Breakdown:

  • chgrp: Change group command
  • wheel: New group name (common admin group on RHEL/CentOS)
  • file1.txt: Target file

Result:

  • Group changed from centos9 to wheel
  • Owner remains root
  • Members of the wheel group now have group-level access (currently none due to 600 permissions)

Special Permissions: SUID, SGID, and Sticky Bit

Beyond standard rwx permissions, Linux has three special permission bits with powerful security implications.

SUID (Set User ID) - Executes as Owner

SUID allows a user to execute a file with the permissions of the file's owner.

Real-World Example: passwd Command

which passwd
ls -l /usr/bin/passwd

Output:

/usr/bin/passwd
-rwsr-xr-x. 1 root root 32648 Aug 10  2021 /usr/bin/passwd

Notice the 's' in owner execute position: -rwsr-xr-x

Why This Matters:

  • The passwd command must modify /etc/shadow (owned by root, 000 permissions)
  • Regular users can't normally write to /etc/shadow
  • The SUID bit (s) allows passwd to run with root privileges
  • When user runs passwd, it temporarily executes as root to modify the password file

Setting SUID:

chmod u+s filename    # Symbolic
chmod 4755 filename   # Numeric (4 prefix enables SUID)
āš ļø

Security Warning: SUID files running as root are potential security risks. An exploited SUID root binary can grant attackers root access. Only use SUID when absolutely necessary and audit regularly.

SGID (Set Group ID) - For Group Collaboration

SGID has different behaviors for files vs. directories:

For Directories (Most Common Use):

mkdir shared_dir
sudo chmod g+s shared_dir
ls -l

Output:

drwxr-sr-x. 2 centos9 centos9 6 Oct  6 18:40 shared_dir

Notice the 's' in group execute position: drwxr-sr-x

What SGID Does for Directories:

  • Any file created inside shared_dir inherits the directory's group
  • Without SGID: files get the creator's primary group
  • With SGID: files get centos9 group (the directory's group)
  • Perfect for team collaboration directories

Setting SGID:

chmod g+s directory   # Symbolic
chmod 2755 directory  # Numeric (2 prefix enables SGID)

For Files:

  • File executes with the group permissions of the file's group
  • Less common than directory SGID
  • Used for specific multi-user application scenarios

Sticky Bit - Prevent Deletion by Others

The sticky bit is primarily used on directories to restrict deletion.

Common Example: /tmp Directory

sudo chmod +t /tmp
ls -ld /tmp

Output:

drwxrwxrwt. 44 root root 8192 Oct  6 18:40 /tmp

Notice the 't' in others execute position: drwxrwxrwt

What Sticky Bit Does:

  • On /tmp: Everyone can create files (world-writable)
  • BUT: Users can only delete their own files
  • Without sticky bit: Any user could delete anyone's files in a world-writable directory
  • With sticky bit: Only file owner, directory owner, or root can delete files

Setting Sticky Bit:

chmod +t directory    # Symbolic
chmod 1777 directory  # Numeric (1 prefix enables sticky bit)

Use Case: Shared directories where multiple users create files but shouldn't be able to delete each other's files.

Special Permissions Numeric Reference

Special BitNumeric ValueSymbolPositionExample
SUID4sOwner execute4755 = rwsr-xr-x
SGID2sGroup execute2755 = rwxr-sr-x
Sticky Bit1tOthers execute1777 = rwxrwxrwt
šŸ’”

Capital Letter Meaning: If you see capital S or T, it means the special bit is set but execute permission is not. Example: rwSr--r-- means SUID is set but owner can't execute (usually a mistake).

Understanding SELinux Security Contexts

SELinux (Security-Enhanced Linux) provides Mandatory Access Control (MAC), adding another layer beyond traditional permissions.

Viewing SELinux Context

ls -Z file1.txt

Output:

unconfined_u:object_r:user_home_t:s0 file1.txt

SELinux Context Fields:

FieldValueDescription
Userunconfined_uSELinux user (unconfined = less restricted)
Roleobject_rSELinux role (object_r for files)
Typeuser_home_tMost important: file type context (user home file)
Levels0MLS/MCS level (sensitivity level)

Installing SELinux Management Tools

sudo dnf install policycoreutils-python-utils

Output:

Last metadata expiration check: 2:12:11 ago on Mon 06 Oct 2025 04:31:31 PM PKT.
Package policycoreutils-python-utils-3.6-3.el9.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!

This package provides semanage, restorecon, and other SELinux management utilities.

Changing SELinux Context

sudo chcon -t httpd_sys_content_t file1.txt

Command Breakdown:

  • chcon: Change context command
  • -t: Specify type field
  • httpd_sys_content_t: Apache web server content type
  • This would allow Apache to serve this file (if permissions also allow)

Restoring Default SELinux Context

sudo restorecon -v file1.txt

Output:

Relabeled /home/centos9/Razzaq-Labs-II/random/random/permissions/file1.txt from unconfined_u:object_r:httpd_sys_content_t:s0 to unconfined_u:object_r:user_home_t:s0

Command Breakdown:

  • restorecon: Restore context to default policy
  • -v: Verbose (show what changed)

What Happened:

  • Context type changed from httpd_sys_content_t back to user_home_t
  • Based on file location (/home/centos9), SELinux knows it should be user_home_t
  • This fixes incorrect contexts that might prevent access
šŸ’”

When SELinux Blocks Access: If permissions look correct but access is denied, check SELinux. Use restorecon -Rv /path to fix contexts or ausearch -m avc -ts recent to view denial logs.

Troubleshooting Permission Issues

Permission Denied Errors

When you see "Permission denied":

  1. Check current permissions:

    ls -l filename
    • Verify you have required permission (r for read, w for write, x for execute)
    • Check if you're owner, in group, or other

  2. Verify your user identity:

    whoami
id
    • Confirm your username and group memberships

  3. Check SELinux context if permissions seem correct:

    ls -Z filename
getenforce  # Check if SELinux is enforcing
    • Even with correct permissions, wrong SELinux context blocks access
    • Check /var/log/audit/audit.log for SELinux denials

Ownership Changes Not Working

If chown or chgrp fails:

  1. Ensure you have root/sudo:

    • Only root can change file ownership
    • Use sudo chown or sudo chgrp

  2. Verify user/group exists:

    getent passwd username
getent group groupname
    • User/group must exist in the system
    • Check /etc/passwd and /etc/group

Special Bits Not Showing

Understanding special bit display:

PermissionWith ExecuteWithout Execute
SUID (owner)s (lowercase)S (uppercase)
SGID (group)s (lowercase)S (uppercase)
Sticky (others)t (lowercase)T (uppercase)

Example:

  • rwsr-xr-x: SUID set, owner has execute (correct)
  • rwSr-xr-x: SUID set, owner has no execute (usually a mistake)

Best Practices for File Permissions

Security Best Practices

  1. Follow Principle of Least Privilege

    • Grant minimum permissions necessary
    • Avoid 777 (world-writable) and 666 permissions
    • Use 750 or 640 instead of 755/644 for sensitive files

  2. Protect Sensitive Files

    • SSH keys: 600 (~/.ssh/id_rsa)
    • SSH config: 644 (~/.ssh/config)
    • Password files: 600 (configuration files with credentials)
    • Home directories: 700 or 750

  3. Audit SUID/SGID Files Regularly

    find / -perm -4000 -type f 2>/dev/null  # Find SUID files
find / -perm -2000 -type f 2>/dev/null  # Find SGID files
    • Review list for unauthorized SUID/SGID binaries
    • Potential security risk if exploited

  4. Use Groups for Shared Access

    • Create dedicated groups for projects/teams
    • Use SGID on shared directories
    • Avoid making files world-readable/writable

  5. Set Proper Umask

    • Default umask 022: files created as 644, directories as 755
    • Restrictive umask 027: files as 640, directories as 750
    • Set in ~/.bashrc or system-wide /etc/profile

Operational Best Practices

  1. Document Permission Decisions

    • Record why specific permissions were set
    • Document SUID/SGID requirements
    • Maintain permission standards for your organization

  2. Use Symbolic Mode for Clarity

    • chmod u+x script.sh is clearer than chmod 755
    • Easier to understand intent
    • Less prone to typos

  3. Recursive Changes with Caution

    • chmod -R 755 /path affects everything underneath
    • Can break things if applied incorrectly
    • Use find for selective changes: 
      find /path -type f -exec chmod 644 {} \;  # Files only
find /path -type d -exec chmod 755 {} \;  # Directories only

  4. Test Permission Changes

    • Test on non-production first
    • Verify application still works after changes
    • Have rollback plan ready

  5. Regular Permission Audits

    • Review file permissions periodically
    • Check for world-writable files: find / -perm -002 -type f
    • Monitor changes to critical system files

Common Permission Patterns

Use CasePermissionSymbolicExample
Public web content644rw-r--r--HTML, images
Executable scripts755rwxr-xr-xShell scripts, binaries
Private config files600rw-------SSH keys, passwords
Private directories700rwx------~/.ssh directory
Shared project dir2775rwxrwsr-xTeam collaboration
Temporary shared1777rwxrwxrwt/tmp, /var/tmp

Command Cheat Sheet

Permission Commands

CommandPurposeExample
chmodChange file permissionschmod 755 file.sh
chownChange file ownersudo chown user:group file
chgrpChange file groupsudo chgrp developers file
ls -lList files with permissionsls -l /path
ls -ldShow directory permissions (not contents)ls -ld /tmp
umaskView/set default permission maskumask 022
getfaclGet ACL (extended permissions)getfacl file
setfaclSet ACL (extended permissions)setfacl -m u:user:rwx file

chmod Symbolic Mode

CommandMeaningResult
chmod u+x fileAdd execute for ownerOwner can execute
chmod g-w fileRemove write from groupGroup can't modify
chmod o=r fileSet others to read onlyOthers: read only
chmod a+x fileAdd execute for allEveryone can execute
chmod u=rwx,go=rx fileOwner rwx, group/others rxSame as 755

chmod Numeric Values Quick Reference

OctalBinarySymbolicMeaning
0000---No permissions
1001--xExecute only
2010-w-Write only
3011-wxWrite + Execute
4100r--Read only
5101r-xRead + Execute
6110rw-Read + Write
7111rwxRead + Write + Execute

SELinux Commands

CommandPurposeExample
ls -ZView SELinux contextls -Z file
chconChange SELinux contextsudo chcon -t httpd_sys_content_t file
restoreconRestore default contextsudo restorecon -Rv /path
getenforceCheck SELinux modegetenforce
setenforceSet SELinux modesudo setenforce 0 (permissive)
ausearchSearch SELinux audit logsausearch -m avc -ts recent
semanageManage SELinux policysudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

Finding Files by Permission

CommandPurpose
find / -perm -4000 -type fFind all SUID files
find / -perm -2000 -type fFind all SGID files
find / -perm -002 -type fFind world-writable files
find / -perm -002 -type dFind world-writable directories
find /home -perm 777Find files with exactly 777 permissions

Summary

In this comprehensive guide, you've mastered Linux file permissions and ownership:

āœ… Understanding permission notation (rwx) for users, groups, and others āœ… Reading and interpreting ls -l output with file types and permissions āœ… Changing permissions with chmod using both symbolic and numeric modes āœ… Managing ownership with chown for users and chgrp for groups āœ… Understanding special permissions: SUID, SGID, and sticky bit āœ… Working with SELinux security contexts and troubleshooting access issues āœ… Implementing security best practices for file protection āœ… Troubleshooting common permission-related problems

File permissions are fundamental to Linux security. Proper configuration protects sensitive data, prevents unauthorized access, and ensures system integrity. Always follow the principle of least privilege and regularly audit your permissions.

What's Next?

Expand your Linux security knowledge with these related topics:

  • Access Control Lists (ACLs): Fine-grained permissions beyond owner/group/other
  • File Attributes: Immutable and append-only files with chattr and lsattr
  • Audit System: Track file access and modifications with auditd
  • Mandatory Access Control: Deep dive into SELinux policies and contexts
  • Filesystem Security: Encrypted filesystems, secure mounting options

Master file permissions to build secure and well-managed Linux systems!

Owais

Written by Owais

I'm an AIOps Engineer with a passion for AI, Operating Systems, Cloud, and Securityā€”sharing insights that matter in today's tech world.

I completed the UK's Eduqual Level 6 Diploma in AIOps from Al Nafi International College, a globally recognized program that's changing careers worldwide. This diploma is:

  • āœ… Available online in 17+ languages
  • āœ… Includes free student visa guidance for Master's programs in Computer Science fields across the UK, USA, Canada, and more
  • āœ… Comes with job placement support and a 90-day success plan once you land a role
  • āœ… Offers a 1-year internship experience letter while you studyā€”all with no hidden costs

It's not just a diplomaā€”it's a career accelerator.

šŸ‘‰ Start your journey today with a 7-day free trial

About Me

Related Articles

Continue exploring with these handpicked articles that complement what you just read

More Reading

One more article you might find interesting

ā† Back to All Posts