File Permissions and Ownership in Linux: A Complete Guide
By Mason Goulding · · Updated
File permissions and ownership sit at the core of Linux security. Every single action—whether opening a log file, running a script, or serving a web page—depends on permissions being set correctly. If permissions are too loose, attackers gain footholds. If they’re too strict, your own apps break. That tension is why sysadmins and developers alike need fluency in chmod, chown, and umask.
This article provides a comprehensive yet practical walkthrough. We’ll demystify how Linux represents access rights, explain octal and symbolic modes, show how to manage ownership and groups, and illustrate advanced concepts like the sticky bit. Along the way, I’ll include copy-paste-ready examples and call out security best practices so you can avoid common mistakes.
1. The Linux Permission Model
At its simplest, Linux permissions are a set of bits attached to every file or directory. These bits describe what actions three categories of users can perform:
- User (u): the file’s owner.
- Group (g): the group associated with the file.
- Others (o): everyone else on the system.
Each category may have read (r), write (w), and execute (x) bits. Directories use x differently: it means you can enter the directory and traverse it. Without it, even if you can read filenames, you cannot access their contents.
ls -l
-rwxr-xr-- 1 mason devs 4096 Sep 9 09:00 deploy.sh
Here, mason (the owner) can read, write, and execute. Members of the devs group can read and execute, while everyone else can only read.
2. chmod: Modifying Permissions
The chmod command changes file or directory permissions. It supports two syntaxes:
- Symbolic:
chmod u+x script.sh - Octal:
chmod 755 script.sh
Symbolic mode is intuitive: you add or remove rights for user (u), group (g), or others (o) using +, -, or =. Octal mode encodes permissions as numbers: read=4, write=2, execute=1. Add them together for each class.
# remove write for group
chmod g-w file.txt
# set read/write for owner, read-only for group/others
chmod 644 notes.txt
# give execute to all
chmod a+x build.sh
When deploying web apps, most static files should be 644, while scripts and binaries should be 755. Avoid 777—world-writable files are a security hazard.
3. chown: Setting File Ownership
Permissions only make sense in context of ownership. Every file has a user owner and an associated group. The chown command lets you change these attributes.
# change owner
sudo chown mason file.txt
# change owner and group
sudo chown mason:devs project/
# recursive change for web root
sudo chown -R www-data:www-data /var/www
Why does this matter? If your web server runs as www-data, but files belong to root, the service may not be able to read them. Aligning ownership prevents 403 errors and security misconfigurations.
4. umask: Controlling Default Permissions
Whenever you create a new file, Linux applies a mask (umask) to determine default permissions. By default, files start as 666 (rw-rw-rw-) and directories as 777 (rwxrwxrwx). The umask subtracts permissions.
# check current umask
umask
# common safe defaults
umask 022 # results in 644 files, 755 dirs
umask 027 # 640 files, 750 dirs
For multi-user environments, 027 is recommended: it blocks “others” from touching your files. For single-user desktops, 022 strikes a balance.
5. Advanced Permissions
Linux offers special bits beyond the standard rwx model:
- SUID: Executes with file owner’s privileges. Example:
/usr/bin/passwd. - SGID: On directories, new files inherit the group.
- Sticky bit: Only file owners may delete inside a directory, common in
/tmp.
# set sticky bit
chmod +t /shared
# SGID on directory
chmod g+s /projectThese bits are powerful but risky. Misapplied SUID binaries are prime privilege-escalation targets.
6. Best Practices
- Scripts:
755 - Configs with secrets:
640or stricter - Avoid
777 - Audit risky files:
find / -perm -o=w
Permissions interact with broader system security. Combine them with TLS, headers, and integrity checks. For more, see All About Headers and Subresource Integrity.
