Quick Tools Online

Unix File Permissions Explained

2026-01-14

Every file and directory on a Unix or Linux system has an associated set of permissions that control who can read, write, or execute it. When you run ls -l, you see a string like -rwxr-xr-x at the start of each line. Understanding this notation — and the underlying permission model — is essential for any developer or system administrator working with Unix-like systems.

The Permission String

The permission string has ten characters. The first character indicates the file type: - for a regular file, d for a directory, l for a symbolic link. The remaining nine characters are three groups of three, representing permissions for the owner, the group, and everyone else (other). Each group has three bits: r (read), w (write), and x (execute). A dash in a position means that permission is not granted.

  • r (read): view file contents or list directory contents.
  • w (write): modify file contents or create/delete files in a directory.
  • x (execute): run a file as a program, or enter a directory with cd.
  • Owner (user): the user who owns the file.
  • Group: users who belong to the file's group.
  • Other: everyone else on the system.

Octal Notation

Each permission group maps to a 3-bit number. Read is 4 (binary 100), write is 2 (binary 010), execute is 1 (binary 001). Add them together to get the octal digit for each group. rwx is 4+2+1=7, r-x is 4+0+1=5, r-- is 4+0+0=4. The full permission string rwxr-xr-x becomes 755. This octal notation is what you use with chmod: chmod 755 script.sh sets those permissions.

Common Permission Patterns

  • 644 (-rw-r--r--): owner can read/write; others can only read. Standard for web files and config files.
  • 755 (-rwxr-xr-x): owner can read/write/execute; others can read/execute. Standard for scripts and directories.
  • 600 (-rw-------): only the owner can read/write. Used for private key files (SSH keys).
  • 700 (-rwx------): only the owner has any access. Used for private directories.
  • 777 (-rwxrwxrwx): everyone has full access. Avoid this; it is a security risk, because any user on the system can modify or replace the file.
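
The octal mapping and the 777 warning above, as an added shell example that is not part of the original page: perm_to_octal converts an ls -l permission string to its octal form, and find_world_writable lists entries that grant write access to other. The function names and the sample files in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page.

# Convert a 10-character ls -l permission string to octal: -rwxr-xr-x -> 755.
# Only the file types and r/w/x/- characters described on the page are accepted;
# strings carrying setuid/setgid/sticky letters (s, S, t, T) are rejected.
perm_to_octal() {
    case $1 in
        [-dl][-r][-w][-x][-r][-w][-x][-r][-w][-x]) ;;
        *) echo "unsupported permission string: $1" >&2; return 1 ;;
    esac
    perms=${1#?}                       # drop the file-type character
    octal=""
    while [ -n "$perms" ]; do
        rest=${perms#???}
        triplet=${perms%"$rest"}       # next group of three: owner, group, other
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac   # read    = 4
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac   # write   = 2
        case $triplet in ??x) digit=$((digit + 1)) ;; esac   # execute = 1
        octal=$octal$digit
        perms=$rest
    done
    printf '%s\n' "$octal"
}

# List entries under a directory whose "other" class has write permission
# (octal bit 0002), which includes anything set to 777. Symbolic links are
# skipped because their own mode bits are not used for access checks.
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Constructed sample tree: one file per pattern from the list above.
demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/page.html" "$dir/id_key" "$dir/upload.sh"
    chmod 644 "$dir/page.html"
    chmod 600 "$dir/id_key"
    chmod 777 "$dir/upload.sh"         # the pattern to avoid
    perm_to_octal -rwxr-xr-x           # prints 755
    find_world_writable "$dir"         # prints only .../upload.sh
    rm -rf "$dir"
}

demo
```
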

Symbolic chmod Syntax

chmod also accepts symbolic notation: chmod u+x script.sh adds execute permission for the owner (u). chmod go-w file.txt removes write permission from group and other. chmod a+r file.txt adds read permission for all. The letters are u (user/owner), g (group), o (other), and a (all). The operators are + (add), - (remove), and = (set exactly). Symbolic notation is easier to read than octal for incremental changes.

Directory Permissions

Directory permissions work differently from file permissions. Read on a directory allows listing its contents (ls). Write on a directory, which in practice also requires execute, allows creating, deleting, and renaming files inside it, regardless of the permissions on those files. Execute on a directory allows entering it and accessing files inside it by path. You can have a directory that you can enter (x) and whose files you can access by name, but whose contents you cannot list (no r). This is used to share specific files without exposing the full directory listing.