>
← Back to Linux

Linux Permissions Explained: chmod, chown, and umask

Linux file permissions control who can read, write, and execute files. Three core tools manage these permissions: chmod changes permissions, chown changes ownership, and umask sets default permissions for new files. Understanding these prevents security breaches and misconfigured systems.

Understanding Linux File Permissions Basics

Every file and directory in Linux has three permission categories: owner (user), group, and others. Each category has three permission types: read (r), write (w), and execute (x). When you run ls -l, you'll see output like this:

-rw-r--r-- 1 alice staff 4096 Jul 3 10:45 document.txt

Breaking this down: the first character - indicates it's a file (not a directory). The next nine characters represent permissions: rw-r--r--. The first three characters rw- are owner permissions (read and write). The next three r-- are group permissions (read-only). The last three r-- are other/world permissions (read-only).

Permissions translate to numeric values: read = 4, write = 2, execute = 1. So rw- equals 6 (4+2), r-- equals 4. The full permission rw-r--r-- becomes 644 in octal notation.

The chmod Command: Changing Permissions

chmod modifies file and directory permissions using two methods: octal notation and symbolic notation.

Octal Notation

Octal notation uses three or four digits to set permissions. Each digit represents permissions for user, group, and others respectively.

chmod 755 script.sh

This sets: owner has read, write, execute (7); group has read, execute (5); others have read, execute (5). It's ideal for scripts and executables.

chmod 644 file.txt

This sets: owner has read, write (6); group has read (4); others have read (4). Standard for regular files.

You can also use four digits to set special permissions (setuid, setgid, sticky bit). For example, chmod 4755 sets the setuid bit, useful for programs that need elevated privileges.

Symbolic Notation

Symbolic notation uses letters and operators, which is more readable and precise. The format is [who][operator][permission].

chmod u+x script.sh

This adds execute permission for the owner (user). u = user, g = group, o = others, a = all.

chmod g-w file.txt

This removes write permission from the group.

chmod o=r document.pdf

This sets others' permissions to read-only, removing any existing permissions.

chmod a+r config.conf

This adds read permission for everyone (all).

Symbolic notation is safer when you're making incremental changes because it doesn't accidentally reset unmodified permissions. With octal notation, you must specify all three digits each time.

Recursive Permission Changes

Use the -R flag to recursively change permissions on directories and their contents:

chmod -R 755 /var/www/html/

This is dangerous if misused. A common mistake is making all files executable. Use chmod -R u+rwX,g+rX,o+rX instead, where capital X only applies execute to directories and existing executables.

The chown Command: Changing Ownership

chown changes file and directory ownership. Only the root user can change ownership; regular users can't give away their files.

sudo chown alice document.txt

This changes the owner to alice, keeping the group unchanged.

sudo chown alice:staff document.txt

This changes both owner to alice and group to staff.

sudo chown :staff document.txt

This changes only the group to staff, leaving the owner unchanged.

sudo chown -R alice:staff /home/alice/project/

The -R flag recursively changes ownership of directories and contents. This is essential when transferring project directories between users.

A practical example: a web server runs as the www-data user, so you'd use sudo chown -R www-data:www-data /var/www/html to ensure proper ownership for web content.

Understanding umask: Default Permissions

umask sets the default permissions for newly created files and directories. It's a mask that subtracts from the system's default values.

The default umask for most systems is 0022. This means new files get 644 permissions (666 - 022 = 644) and new directories get 755 permissions (777 - 022 = 755). Files don't start with execute permissions; directories do (to allow entering them).

To check your current umask:

umask

This displays your current umask value. To temporarily change it:

umask 0077

This creates new files with 600 permissions (666 - 077 = 600) and directories with 700 permissions (777 - 077 = 700), restricting access to the owner only.

To make umask changes permanent, add them to your shell configuration file. For bash, edit ~/.bashrc or ~/.bash_profile:

umask 0077

For system-wide defaults, modify /etc/profile or /etc/login.defs, though this requires root access and affects all users.

The umask matters in multi-user environments where security is critical. Developers often use 0077 to prevent others from reading their code, while shared systems might use 0022 to allow group collaboration.

Practical Permission Scenarios

Here are real-world permission configurations:

Web Server Document Root: The www-data user must read and execute files, but shouldn't write them. Other users shouldn't access them:

sudo chown -R www-data:www-data /var/www/html
chmod -R 755 /var/www/html

SSH Key File: SSH keys require strict permissions. Public keys are readable by anyone; private keys are owner-only:

chmod 644 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/id_rsa

SSH refuses to work if your private key is world-readable—it's a security feature.

Shared Project Directory: Multiple developers need read and write access:

sudo chown -R :developers /projects/webapp
chmod -R 775 /projects/webapp

Setuid Executable: A program needs elevated privileges when run by regular users:

sudo chown root:root /usr/bin/sudo
sudo chmod 4755 /usr/bin/sudo

The leading 4 sets the setuid bit, allowing the program to run with owner privileges.

Common Mistakes and Troubleshooting

Never use chmod 777 except for temporary debugging. It grants full permissions to everyone, creating massive security holes.

Don't recursively change permissions on system directories. chmod -R 777 / will break your entire Linux system. Always target specific directories.

If a script won't execute, check three things: Is it owned by the current user (or do you have permission)? Does it have execute permissions? Is it located on a mounted filesystem without noexec (common with /tmp on some systems)?

If you can't access a file you created, your umask might be too restrictive. Check with umask and adjust if needed. You can always fix individual files with chmod.

When transferring files between users, verify both ownership and permissions. A file owned by root with 600 permissions is inaccessible to other users, even if they're in the owner group.

Security Best Practices

Principle of least privilege: Grant only the minimum permissions needed. A config file shouldn't be world-readable if it contains secrets. A directory shouldn't be world-writable unless it's explicitly meant for shared temp files.

Regularly audit permissions on sensitive files:

find /etc -type f -perm -g+w -o -perm -o+w

This finds files in /etc that are group-writable or world-writable—usually a red flag.

Be cautious with setuid and setgid bits. They're powerful but dangerous if misconfigured. Only use them when absolutely necessary, and ensure the owning user is trusted.

For web applications, never make files writable by the web server unless they genuinely need to be (like upload directories). This limits damage if the web server is compromised.

Frequently Asked Questions

What's the difference between chmod and chown?

chmod changes file permissions (who can read, write, execute), while chown changes file ownership (who owns the file). Permissions determine access; ownership determines who has permission to change those permissions. You can change permissions on your own files, but you can't change ownership except to yourself (and root can transfer ownership to anyone).

Why do directories need execute permissions?

Execute permission on a directory means you can enter it and access its contents. Without execute permission, you can't list files inside or access files within it, even if you have read permission on the directory itself. That's why directories typically have 755 or 700 permissions, which include the execute bit for the appropriate users.

How do I safely change permissions recursively?

Use the capital X option: chmod -R u+rwX,g+rX,o-rwx /path. This adds read/write for owner, read for group, and removes everything for others. The capital X only applies execute to directories and already-executable files, preventing you from accidentally making all files executable.

Can I change file permissions if I don't own the file?

Only if you're the owner or root. Regular users can't change permissions on files they don't own. If you need permission changes on someone else's file, ask the owner to change it, or contact a system administrator. This is a crucial Linux security feature preventing privilege escalation.

Mastering chmod, chown, and umask is fundamental to Linux administration. These three tools handle 99% of permission tasks you'll encounter. Start with octal notation for initial setup, use symbolic notation for adjustments, and