Understanding Unix File Permissions (chmod)
File permissions are one of the most fundamental security features of Unix and Linux systems. Whether you're deploying a web application, managing a server, or writing shell scripts, understanding file permissions is essential. This guide breaks down everything you need to know about Unix permissions and the chmod command.
The Basics: Read, Write, Execute
Every file and directory in Unix has three types of permissions:
- Read (r): View the contents of a file, or list the contents of a directory
- Write (w): Modify or delete a file, or create/delete files within a directory
- Execute (x): Run a file as a program, or enter a directory (use cd)
Permission Groups: Owner, Group, Others
Permissions are assigned to three groups of users:
- Owner (u): The user who owns the file
- Group (g): Users belonging to the file's group
- Others (o): All other users on the system
When you run ls -l, you see permissions displayed as a 10-character string:
-rwxr-xr-- 1 alice devteam 4096 Feb 10 09:00 script.sh
Let's break this down:
- - — File type (- = regular file, d = directory, l = symlink)
- rwx — Owner permissions: read, write, execute
- r-x — Group permissions: read, execute (no write)
- r-- — Others permissions: read only
Octal (Numeric) Notation
Each permission has a numeric value:
| Permission | Symbol | Value |
|---|---|---|
| Read | r | 4 |
| Write | w | 2 |
| Execute | x | 1 |
| None | - | 0 |
You add the values together for each group. For example:
- rwx = 4 + 2 + 1 = 7
- r-x = 4 + 0 + 1 = 5
- r-- = 4 + 0 + 0 = 4
So the permission rwxr-xr-- translates to 754 in octal.
Common Permission Sets
| Octal | Symbolic | Use Case |
|---|---|---|
| 755 | rwxr-xr-x | Executable scripts, public directories |
| 644 | rw-r--r-- | Regular files (HTML, CSS, images) |
| 600 | rw------- | Private files (SSH keys, config with secrets) |
| 700 | rwx------ | Private executable scripts |
| 775 | rwxrwxr-x | Shared project directories |
| 666 | rw-rw-rw- | World-writable files (use with caution!) |
| 777 | rwxrwxrwx | Full access for everyone (avoid on production!) |
| 400 | r-------- | Read-only for owner (e.g., SSH private keys) |
The chmod Command
The chmod command changes file permissions. You can use either octal or symbolic notation.
Octal Mode
chmod 755 script.sh   # rwxr-xr-x
chmod 644 index.html  # rw-r--r--
chmod 600 .env        # rw-------
Symbolic Mode
chmod u+x script.sh         # Add execute for owner
chmod g-w file.txt          # Remove write for group
chmod o+r document.pdf      # Add read for others
chmod a+r file.txt          # Add read for all (a = all)
chmod u=rwx,g=rx,o=r file   # Set exact permissions
Recursive Changes
chmod -R 755 /var/www/html     # Apply to directory and all contents
chmod -R u+rwX /var/www/html   # Uppercase X: execute for directories (and files that are already executable)
Note: The uppercase X is a useful trick: it adds execute permission to directories, and to regular files only when they already have an execute bit set for some user. That is usually what you want when applying permissions recursively, whereas chmod -R 755 marks every regular file executable as well.
Special Permissions: SUID, SGID, Sticky Bit
Beyond the basic rwx permissions, Unix has three special permission bits:
SUID (Set User ID) — 4xxx
When set on an executable, it runs with the permissions of the file owner, not the user who runs it. The classic example is /usr/bin/passwd, which needs root access to modify /etc/shadow.
chmod 4755 program # -rwsr-xr-x
SGID (Set Group ID) — 2xxx
On executables, it runs with the group's permissions. On directories, new files inherit the directory's group instead of the creator's primary group. Useful for shared project directories.
chmod 2775 /shared # drwxrwsr-x
Sticky Bit — 1xxx
On directories, only a file's owner (or the directory's owner, or root) can delete or rename that file, even if others have write permission on the directory. The /tmp directory uses this.
chmod 1777 /tmp # drwxrwxrwt
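The octal rules and the three special bits above can be combined into one conversion from an ls -l mode string to four-digit octal. This is an added example, not part of the original guide; mode_to_octal is an illustrative name, and it goes slightly beyond the text by also handling the uppercase S and T that ls shows when a special bit is set without the matching execute bit.

```shell
#!/bin/sh
# Added example. mode_to_octal is an illustrative helper name.

# Convert the mode string printed by `ls -l` (e.g. -rwsr-xr-x) to 4-digit octal.
mode_to_octal() {
    m=$1
    # Validate the file-type character and the nine permission slots; anything
    # after them (such as an ACL marker) is ignored.
    case $m in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]*) ;;
        *) echo "not an ls -l mode string: $m" >&2; return 1 ;;
    esac

    special=0    # leading digit: SUID=4, SGID=2, sticky=1
    digits=
    pos=2        # character 1 is the file type
    for weight in 4 2 1; do
        triplet=$(printf '%s' "$m" | cut -c"$pos"-"$((pos + 2))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in
            ??x)    n=$((n + 1)) ;;
            ??[st]) n=$((n + 1)); special=$((special + weight)) ;;  # special bit and execute
            ??[ST]) special=$((special + weight)) ;;                # special bit, no execute
        esac
        digits=$digits$n
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# The mode strings used in this guide, plus the uppercase S edge case.
for s in -rwxr-xr-- -rwsr-xr-x drwxrwsr-x drwxrwxrwt -rwSr--r--; do
    printf '%s -> %s\n' "$s" "$(mode_to_octal "$s")"
done
```

A leading 0 in the result means no special bit is set, so 0754 is the same mode as 754.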
Practical Examples for Web Developers
If you deploy web applications on Linux servers, here are the most common permission scenarios:
Web Server Files
# Website files owned by www-data
chown -R www-data:www-data /var/www/html
# Directories: 755 (server needs to enter them)
find /var/www/html -type d -exec chmod 755 {} \;
# Files: 644 (server needs to read them)
find /var/www/html -type f -exec chmod 644 {} \;
SSH Keys
chmod 700 ~/.ssh                   # Directory
chmod 600 ~/.ssh/id_rsa            # Private key
chmod 644 ~/.ssh/id_rsa.pub        # Public key
chmod 644 ~/.ssh/authorized_keys
Application Config
chmod 600 .env         # Environment variables with secrets
chmod 644 config.yml   # Non-sensitive config
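To check an existing tree against the rules in this guide, find can report the risky modes directly. This is an added example, not part of the original guide; audit_perms, build_sample_tree and the report labels are illustrative names, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example. audit_perms, build_sample_tree and the report labels are
# illustrative names; the sample tree is constructed for this demonstration.

# Print one finding per line for the risky modes discussed in this guide.
audit_perms() {
    dir=$1

    # 666/777-style regular files: anyone on the system can modify them.
    find "$dir" -type f -perm -0002 -print | sed 's/^/WORLD-WRITABLE-FILE /'

    # World-writable directories are only tolerable with the sticky bit (1777).
    find "$dir" -type d -perm -0002 ! -perm -1000 -print |
        sed 's/^/WORLD-WRITABLE-DIR-NO-STICKY /'

    # SUID/SGID executables run with the owner's or group's privileges.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed 's/^/SETID /'

    # Secrets (.env, SSH private key) should be 600 or 400: flag any
    # group or other read bit.
    find "$dir" -type f \( -name .env -o -name id_rsa \) \
        \( -perm -0040 -o -perm -0004 \) -print | sed 's/^/LOOSE-SECRET /'
}

# Build a throwaway tree with known-good and known-bad modes (constructed data).
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/site" "$t/drop" "$t/scratch"
    : > "$t/site/index.html"; chmod 644 "$t/site/index.html"   # fine
    : > "$t/site/upload.php"; chmod 666 "$t/site/upload.php"   # world-writable
    : > "$t/site/.env";       chmod 644 "$t/site/.env"         # secret, too open
    : > "$t/helper";          chmod 4755 "$t/helper"           # SUID
    chmod 755 "$t/site"
    chmod 777 "$t/drop"        # world-writable, no sticky bit
    chmod 1777 "$t/scratch"    # world-writable with sticky bit: not reported
    printf '%s\n' "$t"
}

tree=$(build_sample_tree)
audit_perms "$tree"
rm -rf "$tree"
```

Every SETID line deserves a manual look: some system binaries such as /usr/bin/passwd are expected to carry the bit, while an unexpected one under a web root is not.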
Common Permission Errors
If you see these errors, permissions are usually the culprit:
- Permission denied — You lack the required permission (check with ls -la)
- 403 Forbidden — Web server can't read the file (check file and directory permissions)
- bash: ./script.sh: Permission denied — Script lacks execute permission (chmod +x script.sh)
Using the Chmod Calculator
Instead of memorizing octal values, use a visual calculator:
- Open the Wootils Chmod Calculator
- Toggle the checkboxes for read, write, and execute for each group
- See the octal value and full chmod command instantly
- Copy the command and paste it into your terminal
Conclusion
Unix file permissions are simple in concept but powerful in practice. The key takeaways:
- Files have read, write, and execute permissions for owner, group, and others
- Use octal notation (like 755, 644) for quick permission setting
- Never use 777 on production servers
- Protect sensitive files (SSH keys, .env) with restrictive permissions (600 or 400)
- Use a chmod calculator when in doubt