Linux is a multi-user operating system. Every file and directory has an owner and an associated permission set that controls exactly who can read, modify, or execute it. This model is the foundation of Linux security — and a topic that appears frequently in cloud and DevOps certification exams.
Reading the Permission String
Run ls -l and you'll see output like this:
-rw-r--r-- 1 alice devs 2048 Apr 10 09:30 report.txt
drwxr-xr-x 2 alice devs 4096 Apr 10 09:00 scripts/
The first 10 characters break down as:
| Position | Meaning | Example |
|---|---|---|
| 1 | File type | - file, d directory, l symlink |
| 2–4 | Owner permissions | rw- = read+write |
| 5–7 | Group permissions | r-- = read only |
| 8–10 | Others permissions | r-- = read only |
Permission characters: r = read, w = write, x = execute, - = not set.
Numeric (Octal) Notation
Each permission is a bit with a value:
| Symbol | Value |
|---|---|
| r | 4 |
| w | 2 |
| x | 1 |
| - | 0 |
Add the values for each group: rwx = 7, rw- = 6, r-- = 4, --- = 0.
Common modes:
- 755 → rwxr-xr-x: owner full, others read+execute. Standard for scripts and directories.
- 644 → rw-r--r--: owner read+write, others read only. Standard for config files.
- 600 → rw-------: owner only. Use for SSH keys and secrets.
- 777 → rwxrwxrwx: everyone full access. Avoid unless absolutely necessary.
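Converting between the two notations by hand is error-prone once the special bits are involved (an `s` or `t` in the string means the special bit plus execute, a capital `S` or `T` means the special bit without execute). The following is an added example, not code from the original lesson: a POSIX sh function that turns the 10-character mode column of `ls -l` into a 4-digit octal mode, and a usage loop over `ls -l` output. It assumes `cut`, `sed` and `awk` are available and that `ls` prints the mode column first; it strips the 11th `.` or `+` that `ls` appends when SELinux labels or ACLs are present.

```shell
#!/bin/sh
# Added example: ls-style permission string -> octal mode, special bits included.

# perm_to_octal STRING: "-rwsr-xr-x" -> "4755", "drwxrwxrwt" -> "1777".
# Returns 1 (and prints to stderr) if STRING is not a permission string.
perm_to_octal() {
    # Keep only the first 10 characters: ls appends "." (SELinux) or "+" (ACL).
    str=$(printf '%s' "$1" | cut -c1-10)
    case "$str" in
        [-dlcbps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "not a permission string: '$1'" >&2; return 1 ;;
    esac

    special=0
    mode=""
    # Owner, group and others triplets start at columns 2, 5 and 8.
    for start in 2 5 8; do
        end=$((start + 2))
        triplet=$(printf '%s' "$str" | cut -c"$start"-"$end")
        val=0
        case "$triplet" in r??)     val=$((val + 4)) ;; esac
        case "$triplet" in ?w?)     val=$((val + 2)) ;; esac
        case "$triplet" in ??[xst]) val=$((val + 1)) ;; esac   # s/t imply execute
        mode="$mode$val"
    done

    # Special bits: setuid in the owner execute slot, setgid in the group
    # execute slot, sticky in the others execute slot (upper or lower case).
    case "$str" in ???[sS]??????) special=$((special + 4)) ;; esac
    case "$str" in ??????[sS]???) special=$((special + 2)) ;; esac
    case "$str" in ?????????[tT]) special=$((special + 1)) ;; esac

    printf '%d%s\n' "$special" "$mode"
}

# Usage: annotate an `ls -l` listing with octal modes (assumes awk and ls).
# ls -l /usr/bin/passwd /tmp | awk 'NF >= 9 {print $1, $NF}' | while read -r m name; do
#     printf '%s  %s  %s\n' "$(perm_to_octal "$m")" "$m" "$name"
# done
```

The validation `case` rejects anything that is not nine `rwx` slots after a type character, so piping in a stray `total 12` line from `ls -l` fails loudly instead of producing a bogus mode.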
chmod — Changing Permissions
# Numeric mode
chmod 755 deploy.sh # rwxr-xr-x
chmod 644 config.yaml # rw-r--r--
chmod 600 ~/.ssh/id_rsa # rw------- (required by SSH)
# Symbolic mode
chmod +x script.sh # add execute for owner, group and others (bits set in the umask are left alone)
chmod g+w shared.txt # add write for group
chmod o-r private.txt # remove read from others
chmod u=rwx,g=rx,o= prog # set explicitly
# Recursive: applies the same mode to every file AND directory underneath
chmod -R 755 /var/www/html/ # note: this also marks every regular file executable
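A blanket `chmod -R 755` is the usual "fix" for a broken web root, and it quietly makes every config file executable and every file world-readable, secrets included. The script below is an added example, not part of the original lesson: it builds a throwaway tree (constructed for the demo) containing a deploy script and a config file holding a made-up secret, applies the blanket chmod, counts what it did, and then applies a targeted fix that sets directories and files separately. It assumes a POSIX sh with `find`, `mktemp` and `wc`.

```shell
#!/bin/sh
# Added example: blanket recursive chmod versus a targeted fix.

# make_tree: constructed demo tree; prints its path.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/sub"
    printf '#!/bin/sh\necho deploy\n' > "$root/deploy.sh"
    printf 'db_password: hunter2\n' > "$root/sub/config.yaml"   # fake secret
    printf '%s\n' "$root"
}

# count_exec_files DIR: regular files with the owner execute bit (0100) set.
count_exec_files() {
    find "$1" -type f -perm -100 | wc -l | tr -d ' '
}

# count_world_readable DIR: regular files readable by "others" (0004).
count_world_readable() {
    find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# blanket_755 DIR: the common but wrong fix. Every regular file, including
# config.yaml with the secret in it, becomes rwxr-xr-x.
blanket_755() {
    chmod -R 755 "$1"
}

# fix_tree DIR: directories traversable (755), files not executable (644),
# execute granted only to the one file that is a program, and the file
# holding a secret readable by its owner only (600).
fix_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 755 "$1/deploy.sh"
    chmod 600 "$1/sub/config.yaml"
}

# demo: print "<exec files after 755> <exec files after fix>".
demo() {
    t=$(make_tree) || exit 1
    blanket_755 "$t"
    before=$(count_exec_files "$t")    # 2: config.yaml is now executable
    fix_tree "$t"
    after=$(count_exec_files "$t")     # 1: only deploy.sh
    rm -rf "$t"
    printf '%s %s\n' "$before" "$after"
}

demo
```

If you prefer a single command, `chmod -R u=rwX,go=rX DIR` is the recursive form that does not invent execute bits: capital `X` sets execute on directories and on files that already have an execute bit. That second clause is the catch: run it after a blanket 755 and every file keeps its execute bit, so the `find -type f` / `-type d` split above is the reliable way to undo the damage.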
chown — Changing Ownership
chown alice file.txt # change owner to alice
chown alice:devs file.txt # change owner and group
chown -R www-data /var/www/ # recursive change (web server files)
chgrp devs project/ # change group only
Changing a file's owner requires root (or sudo). The file's owner can change its group without root, but only to a group the owner is a member of.
Special Permissions
setuid (s on owner execute)
Runs the file with the effective user ID of the file's owner rather than of the caller. Used for commands like passwd, which must write to /etc/shadow as root. Every setuid-root binary is a privilege boundary, so a bug in one is a local privilege escalation; keep the set small and audit it. The same bit in the group execute slot is setgid:
ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root ... /usr/bin/passwd
sticky bit (t on others execute)
On a directory, a file can be deleted or renamed only by the file's owner, the directory's owner, or root, even when the directory is writable by everyone. Used on /tmp so users cannot remove each other's files:
ls -ld /tmp
# drwxrwxrwt ... /tmp
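The practical question for both bits is "where are they set on this host?" The audit script below is an added example, not part of the original lesson. It lists setuid and setgid files, sticky directories, and the dangerous case the sticky bit exists to prevent: world-writable directories without it. It exercises those checks against a tree constructed for the demo and assumes POSIX `find`, `sed`, `sort` and `mktemp`.

```shell
#!/bin/sh
# Added example: find special-bit files and directories under a tree.
# On a real host: audit_tree / 2>/dev/null, then diff against a saved baseline.

# setuid_setgid_files DIR: regular files with setuid (4000) or setgid (2000).
setuid_setgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# sticky_dirs DIR: directories with the sticky bit (1000).
sticky_dirs() {
    find "$1" -type d -perm -1000 -print | sort
}

# world_writable_no_sticky DIR: directories writable by others (0002) that
# lack the sticky bit, so any user can delete or replace anyone's files.
world_writable_no_sticky() {
    find "$1" -type d -perm -002 ! -perm -1000 -print | sort
}

# make_demo_tree: constructed tree with one example of each case; prints its path.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$root/suid_tool";  chmod 4755 "$root/suid_tool"
    printf '#!/bin/sh\n' > "$root/sgid_tool";  chmod 2755 "$root/sgid_tool"
    printf '#!/bin/sh\n' > "$root/plain_tool"; chmod 755  "$root/plain_tool"
    mkdir "$root/shared_ok";  chmod 1777 "$root/shared_ok"    # like /tmp
    mkdir "$root/shared_bad"; chmod 777  "$root/shared_bad"   # the mistake
    printf '%s\n' "$root"
}

# audit_tree DIR: print the three findings with path prefixes stripped.
audit_tree() {
    echo "setuid/setgid files:";                 setuid_setgid_files "$1"      | sed 's#.*/##'
    echo "sticky directories:";                  sticky_dirs "$1"              | sed 's#.*/##'
    echo "world-writable directories, no sticky:"; world_writable_no_sticky "$1" | sed 's#.*/##'
}

t=$(make_demo_tree) || exit 1
audit_tree "$t"
rm -rf "$t"
```

Two caveats when you point this at a real filesystem: `find /` will also walk network and pseudo filesystems, so add `-xdev` to stay on one filesystem, and a setuid bit on a filesystem mounted `nosuid` is ignored at exec time, which is exactly why /tmp and user-writable mounts should carry that option.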
umask — Default Permissions
New files do not inherit permissions from their parent directory. The umask clears bits from the mode the creating program asks for, which is normally 666 for files and 777 for directories; it can only remove permissions, never add them. The default umask of 022 removes write for group and others, so new files get 644 and new directories get 755:
umask # display current umask
umask 027 # set umask for this shell and its children: new files get 640, directories get 750
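The arithmetic is `requested & ~umask`, and the only way to be sure of what a given umask produces is to create something under it and look. The script below is an added example, not part of the original lesson: `effective_mode` does the arithmetic, and `modes_under_umask` creates a file and a directory under a chosen umask in a subshell (so the caller's umask is untouched) and reports the modes they actually received. It assumes a POSIX sh and either GNU `stat -c` or BSD `stat -f`.

```shell
#!/bin/sh
# Added example: predict and then observe the effect of a umask.

# effective_mode BASE MASK: BASE with every bit set in MASK cleared.
# Octal in, 3-digit octal out. effective_mode 666 027 -> 640.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# mode_of PATH: permission bits in octal (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# modes_under_umask MASK: create a file (requested 666) and a directory
# (requested 777) under MASK and print "<file mode> <dir mode>".
modes_under_umask() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"            # only this subshell is affected
        touch "$dir/file"
        mkdir "$dir/dir"
    )
    printf '%s %s\n' "$(mode_of "$dir/file")" "$(mode_of "$dir/dir")"
    rm -rf "$dir"
}

# Compare prediction with reality for a few common masks.
for m in 022 027 077; do
    printf 'umask %s: predicted %s %s, observed %s\n' "$m" \
        "$(effective_mode 666 "$m")" "$(effective_mode 777 "$m")" \
        "$(modes_under_umask "$m")"
done
```

Note that `umask 000` does not make new files executable: `effective_mode 666 000` is still 644 for nothing and 666 for everything, because the program never asked for execute. A service that must write private files (a key store, a credential cache) should set `umask 077` itself rather than rely on the shell that started it.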
Understanding permissions is critical when configuring web servers, SSH, secrets management, and containerised workloads. The next lesson covers processes — how to see what's running and how to control it.