Unix File Permissions Explained: chmod, Octal Notation and Symbolic Mode
Every Linux developer eventually needs to understand permissions. This guide explains rwx, octal values, chmod, and the special bits — clearly and with real examples.
What are Unix file permissions?
In Unix and Linux systems, every file and directory has an associated set of permission bits that control who can read, write, and execute it. Permissions are assigned to three categories of users: the owner of the file, the group assigned to the file, and others (everyone else on the system).
You can see a file's permissions with ls -l:
-rwxr-xr-- 1 pankaj developers 4096 Jan 15 10:00 deploy.sh
Reading the permission string
The first ten characters break down as follows:
-  rwx  r-x  r--
│   │    │    └── others: read only
│   │    └─────── group: read + execute
│   └──────────── owner: read + write + execute
└──────────────── file type: - = regular file, d = directory, l = symlink
Each group of three characters uses the letters r (read), w (write), and x (execute). A dash - means that permission is not granted.
What each permission means
For files
- r (read, 4) — can read the file contents
- w (write, 2) — can modify or delete the file
- x (execute, 1) — can run the file as a programme or script
For directories
- r (read, 4) — can list the directory contents (ls)
- w (write, 2) — can create, rename, or delete files inside the directory
- x (execute, 1) — can enter the directory (cd) and access files within it
Octal notation
Each of the three permission bits (r, w, x) has a numeric value: r=4, w=2, x=1. Add them together for each category to get the octal digit:
- rwx = 4+2+1 = 7
- r-x = 4+0+1 = 5
- r-- = 4+0+0 = 4
- --- = 0+0+0 = 0
So -rwxr-xr-- = 754 in octal notation.
Common permission values and their uses
| Octal | Symbolic | Typical use |
|---|---|---|
| 755 | rwxr-xr-x | Executables, web server directories |
| 644 | rw-r--r-- | Regular files, HTML, configuration |
| 600 | rw------- | SSH private keys, secret config files |
| 700 | rwx------ | Private scripts, user home directories |
| 777 | rwxrwxrwx | World-writable — avoid in production |
| 444 | r--r--r-- | Read-only files (documentation, assets) |
Using chmod
chmod (change mode) sets file permissions. It accepts both octal and symbolic forms:
# Octal: set exactly to 755
chmod 755 deploy.sh
# Symbolic: add execute for owner
chmod u+x deploy.sh
# Symbolic: remove write from group and others
chmod go-w config.json
# Symbolic: set read-only for everyone
chmod a=r readme.txt
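# Recursive: apply to a directory and all contents.
# Capital X adds execute only to directories (and to files that already have
# an execute bit), so directories stay traversable; a plain 644 here would
# strip x from every directory and leave them impossible to enter.
chmod -R u=rwX,go=rX /var/www/html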
Symbolic notation uses u (user/owner), g (group), o (others), a (all); operators + (add), - (remove), = (set exactly).
The special permission bits
- setuid (4000) — when set on an executable, it runs with the file owner's privileges rather than the caller's. Example: passwd must write to /etc/shadow (root-owned) even when run by a normal user. Use with extreme caution.
- setgid (2000) — on an executable, runs with the group's privileges. On a directory, new files created inside inherit the directory's group, which is useful for shared project directories.
- sticky bit (1000) — on a directory, prevents users from deleting files they do not own, even if they have write permission on the directory. Classic example: /tmp is world-writable but sticky, so users cannot delete each other's temp files.
chmod 1777 /tmp # world-writable + sticky
chmod 2775 /shared # group-write + setgid
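The check below is an added example, not part of the original guide: it uses find -perm to flag the modes this guide warns about (files writable by others, world-writable directories without the sticky bit, and setuid or setgid files). The function names audit_perms and make_sample_tree and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for risky permission bits.
# audit_perms and make_sample_tree are hypothetical helper names.

# Print one "LABEL path" line per finding under directory $1.
audit_perms() {
    root=$1
    # Regular files with the others-write bit (0002) set, e.g. 666 or 777.
    find "$root" -type f -perm -0002 -print | sed 's/^/WORLD_WRITABLE_FILE /'
    # Directories writable by others but lacking the sticky bit (1000):
    # any user can delete or rename other users' files inside them.
    find "$root" -type d -perm -0002 ! -perm -1000 -print |
        sed 's/^/WRITABLE_DIR_NO_STICKY /'
    # Regular files carrying setuid (4000) or setgid (2000).
    find "$root" -type f -perm -4000 -print | sed 's/^/SETUID_FILE /'
    find "$root" -type f -perm -2000 -print | sed 's/^/SETGID_FILE /'
}

# Build a constructed sample tree in a temporary directory and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/site" "$t/upload" "$t/scratch"
    touch "$t/site/index.html" "$t/site/notes.txt" "$t/site/helper"
    chmod 755 "$t/site"
    chmod 644 "$t/site/index.html"   # regular file, nothing to report
    chmod 666 "$t/site/notes.txt"    # writable by others
    chmod 4755 "$t/site/helper"      # setuid bit set
    chmod 0777 "$t/upload"           # world-writable, no sticky bit
    chmod 1777 "$t/scratch"          # world-writable + sticky, like /tmp
    printf '%s\n' "$t"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree)
audit_perms "$sample"
rm -rf "$sample"
```

Run audit_perms against a real path such as a web root or shared directory and review each finding; a setuid or setgid hit is not automatically wrong, but each one should be a file you expect.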
umask — default permissions
When a file or directory is created, it starts with maximum permissions (666 for files, 777 for directories), and every permission bit set in the umask is then cleared. This is a bit mask rather than arithmetic subtraction. A typical umask of 022 means new files get 644 and new directories get 755. Check your current umask with the umask command and set it in ~/.bashrc or /etc/profile.