File permissions in Linux are not a formality. They determine whether a web server can read a config, whether a script can write a log, and whether an attacker can execute a file that should only be runnable as root. Understanding permissions once removes half of the typical 'Permission denied' problems.
View Permissions: ls -l
The quickest approach:
ls -l /etc/nginx/nginx.conf
Output:
-rw-r--r-- 1 root root 2893 Feb 01 14:22 nginx.conf
How to Read the Permission String
-rw-r--r-- 1 root root 2893 Feb 01 14:22 nginx.conf
First character — file type: - regular file, d directory, l symlink, c character device, b block device.
Next 9 characters — three groups of three:
rw- r-- r--
 |   |   └── others
 |   └────── group
 └────────── owner (user)
Each group contains three flags: r (read), w (write), x (execute). A dash - means the permission is absent.
Reading rw-r--r--: owner can read and write, group can only read, others can only read.
The number after permissions is the hard link count. The two following fields are the owner name and group name.
Numeric (Octal) Permissions
Each flag has a numeric value: r=4, w=2, x=1, -=0. Each group's permissions are the sum.
| Number | Symbols | Meaning |
|---|---|---|
| 7 | rwx | full access |
| 6 | rw- | read and write |
| 5 | r-x | read and execute |
| 4 | r-- | read only |
| 0 | --- | no access |
Permissions 755 mean: owner rwx (7), group r-x (5), others r-x (5).
View permissions in numeric format:
stat -c "%a %n" /etc/nginx/nginx.conf
Detailed Metadata: stat
stat shows everything at once — permissions in both formats, owner, group, inode, size, timestamps:
stat /etc/nginx/nginx.conf
The line Access: (0644/-rw-r--r--) shows permissions in both formats simultaneously.
View Directory Permissions
For directories, the x flag means 'enter', not 'execute' — without it, cd into the directory is impossible.
View the directory itself (not its contents):
ls -ld /var/www/html
The -d flag shows the directory as an object rather than listing its contents.
Change Permissions: chmod
Symbolic method:
chmod u+x script.sh
Remove write from group:
chmod g-w file.txt
Set read-only for others:
chmod o=r file.txt
Add execute for everyone:
chmod a+x script.sh
Numeric method (sets all groups at once):
chmod 755 script.sh
chmod 644 config.conf
chmod 600 id_rsa
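Recursive (the same mode is applied to files and directories alike, so 755 also marks every regular file in the tree as executable):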
chmod -R 755 /var/www/html
Change Owner: chown
Change the file owner:
sudo chown www-data file.txt
Change owner and group simultaneously:
sudo chown www-data:www-data /var/www/html
Recursive:
sudo chown -R www-data:www-data /var/www/html
Change only the group:
sudo chgrp developers project/
Special Permissions: setuid, setgid, Sticky Bit
setuid (SUID)
The file runs with the owner's privileges regardless of who executes it. Used in system utilities: for example, passwd can be run by any user but modifies /etc/shadow, which belongs to root.
chmod u+s /path/to/binary
In ls -l output, s replaces x for the owner: -rwsr-xr-x
setgid (SGID)
On a file: the program runs with the privileges of the file's group rather than the caller's group.
On a directory: new files inside inherit the directory's group rather than the creator's group. Useful for shared team folders.
chmod g+s /shared/teamfolder
In ls -ld output, s replaces x for the group: drwxrwsr-x
Sticky Bit
On a directory: users can only delete their own files, even with write permission on the directory. Classic example — /tmp: anyone can create files there, but cannot delete others' files.
chmod +t /tmp
In ls -ld output, t replaces x for others: drwxrwxrwt
Find all setuid files on the system:
find / -perm -4000 -type f 2>/dev/null
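The find command above covers only setuid. The following added example (not part of the original page) goes further and also reports setgid files, world-writable files, and world-writable directories that lack the sticky bit. The function names audit_perms and _scan and the report labels are assumptions of this example, and it relies on GNU find and stat.

```shell
#!/bin/sh
# Added example: audit a directory tree for risky permission bits.
# Output format per finding: LABEL OCTAL_MODE OWNER PATH

# _scan LABEL FIND_TESTS...
# Runs find under $audit_root and prints one line per match.
# -xdev keeps the scan on one filesystem (skips /proc, network mounts, etc.).
_scan() {
    label=$1
    shift
    find "$audit_root" -xdev "$@" \
        -exec stat -c "$label %a %U %n" {} + 2>/dev/null || true
}

# audit_perms [DIR]
# DIR defaults to the current directory.
audit_perms() {
    audit_root=${1:-.}

    # Regular files that run with the owner's privileges (setuid, 4000).
    _scan SUID -type f -perm -4000

    # Regular files that run with the file group's privileges (setgid, 2000).
    _scan SGID -type f -perm -2000

    # Regular files that anyone may modify (others have w).
    _scan WORLD_WRITABLE -type f -perm -0002

    # Directories writable by everyone but without the sticky bit (1000):
    # any user can delete or replace other users' files there.
    _scan NO_STICKY_DIR -type d -perm -0002 ! -perm -1000
}

# Run the audit when a directory is given on the command line,
# e.g.  sh audit_perms.sh /var/www
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

Compare the SUID and SGID lines against a saved baseline of the same scan: a new entry that no package installed is worth investigating.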
Common Permission Combinations
| Permissions | Use case |
|---|---|
| 600 | Private SSH key (~/.ssh/id_rsa) |
| 644 | Config file, web page (everyone reads, owner writes) |
| 700 | Script for owner only |
| 755 | Executable, public directory |
| 750 | Group directory, no access for others |
| 777 | Full access for everyone — avoid on servers |
Quick Reference
| Task | Command |
|---|---|
| View permissions | ls -l filename |
| Numeric permissions | stat -c "%a %n" filename |
| Detailed metadata | stat filename |
| Directory permissions | ls -ld /path/ |
| Change permissions (symbolic) | chmod u+x filename |
| Change permissions (numeric) | chmod 755 filename |
| Recursive | chmod -R 755 /path/ |
| Change owner | sudo chown user:group filename |
| Set setuid | chmod u+s filename |
| Set setgid | chmod g+s directory |
| Set sticky bit | chmod +t directory |
| Find setuid files | find / -perm -4000 -type f 2>/dev/null |