🔐 Lesson 3.2: File Permissions
Every file and directory has an owner, a group, and a set of permissions that control who can do what.
🎯 Learning Objectives
- Read and interpret the rwx permission string from ls -l
- Understand owner, group, and other permission levels
- Change permissions with chmod (symbolic and octal)
- Change file ownership with chown and chgrp
- Know when and why the execute bit matters
Estimated Time: 45 minutes
Reading Permissions
When you run ls -l, the first column shows the file's permissions:
ls -l
# -rw-r--r-- 1 ray ray 1234 Apr 14 10:00 notes.txt
# drwxr-xr-x 2 ray ray 4096 Apr 14 10:00 projects/
Let's break down that first column character by character:
Anatomy of -rw-r--r--
-    rw-   r--   r--
│     │     │     │
│     │     │     └── Others: read only
│     │     └──────── Group: read only
│     └────────────── Owner: read + write
└──────────────────── Type: - = file, d = directory, l = link
Permission Types: r, w, x
| Letter | Permission | On a File | On a Directory |
|---|---|---|---|
| r | Read | View file contents | List directory contents (ls) |
| w | Write | Modify file contents | Create/delete files in the directory |
| x | Execute | Run the file as a program | Enter the directory (cd) |
| - | None | That permission is denied | That permission is denied |
💡 The Execute Bit on Files
A text file with x can be run as a script. This is why you need chmod +x script.sh before running ./script.sh — Linux won't execute a file unless it has explicit execute permission, no matter what's inside it.
Permission Levels: User, Group, Other
Permissions are checked in a specific order:
- Are you the owner? If yes, use the OWNER permissions (first rwx).
- If not, are you in the group? If yes, use the GROUP permissions (second rwx).
- If not, use the OTHER permissions (third rwx).
# This file:
# -rw-rw-r-- 1 ray developers 1234 Apr 14 10:00 project.txt
#
# ray (owner) → can read and write
# developers group → can read and write
# everyone else → can only read
⚠️ Permission Levels Don't Stack
Linux uses the first matching level. If you're the owner, only the owner permissions apply — even if the group or other permissions are more permissive. This can lead to surprising situations where the owner has less access than others!
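The first-match rule can be modelled in a few lines of shell. This is an added example, not part of the original lesson; the function name applicable_perms and the sample users and groups are constructed for illustration.

```shell
# Added example: a model of the first-match rule described above.
# Usage: applicable_perms MODE FILE_OWNER FILE_GROUP USER "USER_GROUPS"
# MODE is the first column of ls -l, e.g. -rw-rw-r--
applicable_perms() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5

    # Characters 2-10 are the nine permission characters; this also drops
    # a trailing ACL marker such as "+" if one is present.
    perms=$(printf '%s' "$mode" | cut -c2-10)
    owner_bits=$(printf '%s' "$perms" | cut -c1-3)   # first rwx
    group_bits=$(printf '%s' "$perms" | cut -c4-6)   # second rwx
    other_bits=$(printf '%s' "$perms" | cut -c7-9)   # third rwx

    # Owner match wins outright, even when group/other would allow more.
    if [ "$user" = "$owner" ]; then
        echo "owner $owner_bits"
        return
    fi

    # Only a non-owner is ever checked against the file's group.
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            echo "group $group_bits"
            return
        fi
    done

    echo "other $other_bits"
}

# Constructed sample: ray owns the file and is also in developers, yet
# only the owner triplet counts, so ray cannot write while the group can.
applicable_perms "-r--rw-rw-" ray developers ray "ray developers"
applicable_perms "-r--rw-rw-" ray developers alice "alice developers"
```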
chmod — Symbolic Mode
chmod (change mode) modifies file permissions. Symbolic mode uses letters:
| Who | Operator | Permission |
|---|---|---|
| u = user (owner) | + add | r = read |
| g = group | - remove | w = write |
| o = others | = set exactly | x = execute |
| a = all | | |
# Add execute permission for the owner
chmod u+x script.sh
# Remove write permission from group and others
chmod go-w secret.txt
# Give everyone read permission
chmod a+r readme.txt
# Set exact permissions: owner rwx, group rx, others nothing
chmod u=rwx,g=rx,o= project.sh
# Make a script executable by everyone
chmod +x myscript.sh # like a+x, except that bits masked by your umask are not added
✅ Symbolic Mode Is Readable
Symbolic mode is great when you want to add or remove specific permissions without affecting the rest. chmod g+w file says exactly what it does: "give the group write access."
chmod — Octal (Numeric) Mode
Octal mode uses a three-digit number where each digit represents one permission level:
| Number | Permission | Binary |
|---|---|---|
| 0 | --- (none) | 000 |
| 1 | --x (execute) | 001 |
| 2 | -w- (write) | 010 |
| 3 | -wx (write + execute) | 011 |
| 4 | r-- (read) | 100 |
| 5 | r-x (read + execute) | 101 |
| 6 | rw- (read + write) | 110 |
| 7 | rwx (all) | 111 |
💡 How to Calculate
Just add up: r = 4, w = 2, x = 1. So rwx = 4+2+1 = 7, rw- = 4+2 = 6, r-x = 4+1 = 5, r-- = 4.
# 755: owner rwx, group r-x, others r-x (common for scripts/dirs)
chmod 755 script.sh
# 644: owner rw-, group r--, others r-- (common for regular files)
chmod 644 document.txt
# 700: owner rwx, nobody else (private)
chmod 700 secrets/
# 600: owner rw-, nobody else (private file)
chmod 600 id_rsa
# Apply recursively to a directory and all its contents
chmod -R 755 project/
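A recursive 755 also sets the execute bit on every regular file in the tree. The following added example (not from the original lesson) compares it with chmod's capital X, which adds execute only to directories and to files that are already executable; the helper names and all paths are constructed in a temporary directory.

```shell
# Added example; every path below is constructed in a temporary directory.

# Directories become 755, plain files 644, already-executable files 755.
safe_recursive_chmod() {
    chmod -R u=rwX,go=rX -- "$1"
}

# Regular files with any execute bit set, for review after a recursive change.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Build a small constructed tree: one script, one plain text file.
make_tree() {
    mkdir -p "$1/docs"
    printf '#!/bin/sh\necho hi\n' > "$1/run.sh"
    echo "notes" > "$1/docs/notes.txt"
    chmod 700 "$1" "$1/docs" "$1/run.sh"
    chmod 600 "$1/docs/notes.txt"
}

demo=$(mktemp -d)
make_tree "$demo/blanket"
make_tree "$demo/careful"

chmod -R 755 "$demo/blanket"          # the lesson's command
safe_recursive_chmod "$demo/careful"  # the X-based alternative

echo "Executable after chmod -R 755:"
list_executables "$demo/blanket"      # run.sh and docs/notes.txt
echo "Executable after u=rwX,go=rX:"
list_executables "$demo/careful"      # run.sh only
```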
Common Permission Patterns
| Octal | Symbolic | Typical Use |
|---|---|---|
| 755 | rwxr-xr-x | Executables, public directories |
| 644 | rw-r--r-- | Regular files (documents, configs) |
| 700 | rwx------ | Private directories |
| 600 | rw------- | Private files (SSH keys, secrets) |
| 775 | rwxrwxr-x | Shared group directories |
| 664 | rw-rw-r-- | Shared group files |
chown and chgrp
Permissions control what can be done; ownership controls who the permissions apply to.
chown — Change Owner
# Change the owner of a file
sudo chown alice report.txt
# Change owner AND group at the same time
sudo chown alice:developers report.txt
# Change only the group (note the colon before the group name)
sudo chown :developers report.txt
# Recursive — change an entire directory tree
sudo chown -R alice:developers project/
chgrp — Change Group
# Change just the group
sudo chgrp developers report.txt
# Recursive
sudo chgrp -R developers project/
💡 Why Does chown Require sudo?
Only root can give files away to other users (to prevent users from disguising files as belonging to someone else). You can use chgrp without sudo if you're a member of the target group.
Permissions on Directories
Directory permissions work differently than file permissions, which trips up many beginners:
| Permission | On a Directory | Without It |
|---|---|---|
| r (read) | List contents with ls | Can't see what's inside |
| w (write) | Create, rename, delete files inside | Can't add or remove files |
| x (execute) | Enter with cd and access files by name | Can't enter or access anything inside |
⚠️ The Confusing Part
A directory with r but no x lets you list filenames but not actually open or enter anything. A directory with x but no r lets you access files by name but you can't list what's there. Directories almost always need both r and x to be useful.
# Demonstrate directory permissions
mkdir testdir
echo "secret" > testdir/file.txt
# Remove read: can't list but can access by name
chmod u-r testdir
ls testdir/ # Permission denied
cat testdir/file.txt # Works! (if you know the name)
# Remove execute: can list names but nothing else works
chmod u+r,u-x testdir
ls testdir/ # Shows file.txt
cat testdir/file.txt # Permission denied
# Restore both
chmod u+rx testdir
Special Permissions
Beyond the basic rwx, Linux has three special permission bits you'll encounter:
| Permission | Symbol | What It Does | Example |
|---|---|---|---|
| Setuid | s in owner execute | File runs as the file's owner, not the person running it | passwd runs as root so it can update /etc/shadow |
| Setgid | s in group execute | New files in a directory inherit its group | Shared project folders |
| Sticky bit | t in other execute | Only the file owner can delete files in the directory | /tmp — everyone can write, only owner can delete |
# See setuid in action: passwd has an 's' where you'd expect 'x'
ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root 68208 Apr 14 2026 /usr/bin/passwd
# See the sticky bit on /tmp: 't' at the end
ls -ld /tmp
# drwxrwxrwt 12 root root 4096 Apr 14 10:00 /tmp
# Set sticky bit on a shared directory
chmod +t shared_folder/
# Set setgid on a group directory (new files inherit group)
chmod g+s team_project/
💡 You'll Rarely Set These
As a beginner, you mostly just need to recognize special permissions when you see them in ls -l output. The sticky bit (/tmp) and setuid (passwd) are set by the system. You might use setgid on shared project directories.
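Recognizing these bits is also an audit task: find can list every setuid or setgid file and every world-writable directory that is missing the sticky bit. This is an added example, not part of the original lesson; the function names and the scanned tree are constructed in a temporary directory.

```shell
# Added example; the tree it scans is constructed in a temporary directory.

# Regular files with setuid (4000) or setgid (2000). They run with the
# owner's or group's identity, so each one should have a known reason to exist.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# World-writable directories that lack the sticky bit (1000).
find_unsticky_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 | sort
}

audit=$(mktemp -d)
mkdir "$audit/shared_folder" "$audit/incoming" "$audit/team_project"
touch "$audit/helper" "$audit/plain.txt"

chmod 1777 "$audit/shared_folder"   # like /tmp: world-writable + sticky
chmod 0777 "$audit/incoming"        # world-writable, no sticky bit
chmod 2775 "$audit/team_project"    # setgid directory, as in the lesson
chmod 4755 "$audit/helper"          # setuid file
chmod 0644 "$audit/plain.txt"       # ordinary file

echo "setuid/setgid files:"
find_setid_files "$audit"               # only helper
echo "world-writable directories without sticky bit:"
find_unsticky_world_writable "$audit"   # only incoming
```

On a real system, point both functions at a directory such as /usr or /home and compare the output against a saved baseline.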
Exercises
🏋️ Exercise 1: Read Permissions
For each permission string, identify who can do what:
-rwxr-xr-- 1 alice developers report.sh
-rw------- 1 bob bob secrets.txt
drwxrwxr-x 2 alice developers shared/
💡 Answers
report.sh: alice can read/write/execute; developers group can read/execute; others can only read.
secrets.txt: bob can read/write; nobody else can do anything.
shared/: alice can do everything; developers can do everything; others can list and enter but can't create/delete files.
🏋️ Exercise 2: chmod Practice
# Create test files
touch public.txt private.txt script.sh
# Make public.txt readable by everyone
chmod 644 public.txt
ls -l public.txt # -rw-r--r--
# Make private.txt accessible only to you
chmod 600 private.txt
ls -l private.txt # -rw-------
# Make script.sh executable
chmod 755 script.sh
ls -l script.sh # -rwxr-xr-x
# Same results using symbolic mode:
chmod a+r public.txt
chmod go-rwx private.txt
chmod u+x,go+rx script.sh
🏋️ Exercise 3: Octal ↔ Symbolic Translation
Convert between octal and symbolic:
| Octal | Symbolic |
|---|---|
| 777 | ? |
| 640 | ? |
| ? | rwxr-x--- |
| ? | r--r--r-- |
💡 Answers
777 = rwxrwxrwx | 640 = rw-r----- | rwxr-x--- = 750 | r--r--r-- = 444
🏋️ Exercise 4: Ownership
# Create a file and check ownership
touch teamfile.txt
ls -l teamfile.txt
# Your username is both owner and group
# Change the group (if you're in a group like "sudo")
sudo chgrp sudo teamfile.txt
ls -l teamfile.txt
# Change both owner and group
sudo chown root:root teamfile.txt
ls -l teamfile.txt
# Take it back
sudo chown $USER:$USER teamfile.txt
# Clean up
rm teamfile.txt
Knowledge Check
❓ Question 1
What does the permission string -rwxr-x--- mean?
❓ Question 2
What is the octal value for rw-r--r--?
❓ Question 3
What does the x (execute) permission mean on a directory?
❓ Question 4
Why does chown require sudo?
Quick Reference
| Command | What It Does | Example |
|---|---|---|
| ls -l | Show permissions, owner, group | ls -l file.txt |
| chmod | Change permissions | chmod 755 script.sh |
| chmod +x | Make a file executable | chmod +x run.sh |
| chown | Change owner (and optionally group) | sudo chown alice:devs file |
| chgrp | Change group only | sudo chgrp devs file |
| chmod -R | Apply recursively | chmod -R 755 project/ |
| stat | Detailed file info including permissions | stat file.txt |
Summary
🎉 Key Takeaways
- Every file has three permission levels: owner, group, and other
- Three permission types: r (read), w (write), x (execute)
- chmod changes permissions — use symbolic (u+x) or octal (755)
- Memorize the big three: 644 for files, 755 for scripts/dirs, 600 for secrets
- chown changes who owns a file; chgrp changes its group
- Directory permissions work differently — x means "enter", w means "create/delete files inside"
- Special permissions (setuid, setgid, sticky bit) exist — recognize them, set them rarely
🍎 On macOS
chmod, chown, chgrp, and ls -l all work the same way on macOS. The rwx permission model is identical since macOS is Unix-based. macOS also has an extended ACL system (you may see a + after the permission string in ls -l) — use ls -le to view ACLs.
🎉 Module 3 Complete!
You now understand Linux users, groups, and the permission system that keeps everything secure. This knowledge is essential for everything from running scripts to managing servers.
🚀 What's Next?
Module 4 covers viewing and editing files — you'll learn cat, less, head, tail, grep, and the text editors nano and vim.