What are file and directory permissions in Linux?
Understanding File and Directory Permissions in Linux: A Comprehensive Guide
Introduction
Permissions in Linux are a crucial part of the system’s security model, ensuring that only authorized users and processes can access or modify files and directories. These permissions are managed using a system of ownership and permissions for each file and directory. Understanding how to manipulate these permissions is fundamental for any Linux user or administrator. This article delves deeply into Linux file and directory permissions, explaining their structure and providing examples of how to modify and inspect them.
1. Basic Structure of Permissions
In Linux, each file and directory has three types of owners and three types of permissions. These are:
- Owners:
- User (u): The owner of the file. By default, the creator of a file is its owner.
- Group (g): Every file belongs to a group. Users who are part of this group can be granted specific access to the file.
- Others (o): Everyone else who has access to the system but is neither the owner nor part of the group.
- Permissions:
- Read (r): Allows reading the contents of a file or listing the contents of a directory.
- Write (w): Allows modifying a file or adding/removing files in a directory.
- Execute (x): Allows running a file if it’s a script or binary, or accessing files within a directory.
2. Understanding the Permission Notation
Permissions are represented in two forms:
- Symbolic notation
- Octal notation
2.1 Symbolic Notation
In symbolic notation, file and directory permissions are displayed as a string of 10 characters when you run the ls -l command. For example:
$ ls -l filename
-rwxr-xr–
This string can be broken down as:
- The first character represents the file type:
- –: regular file
- d: directory
- l: symbolic link
- b: block device
- c: character device
- The next three characters represent the owner’s (user) permissions.
- The following three represent the group’s permissions.
- The last three represent the permissions for others (world).
In the example above:
- rwx: The owner has read, write, and execute permissions.
- r-x: The group has read and execute permissions, but no write permission.
- r–: Others have only read permission.
2.2 Octal Notation
In octal notation, permissions are represented by a three-digit number, where each digit is the sum of permission bits:
- Read = 4
- Write = 2
- Execute = 1
For example, the permission rwxr-xr– in symbolic notation corresponds to 754 in octal notation:
- Owner (rwx) = 7 (4 + 2 + 1)
- Group (r-x) = 5 (4 + 1)
- Others (r–) = 4 (4)
3. Viewing File and Directory Permissions
You can view the permissions of a file or directory using the ls command with the -l option:
$ ls -l
-rwxr-xr– 1 amit users 4096 Sep 25 10:00 script.sh
drwxr-xr-x 2 amit users 4096 Sep 25 10:05 mydir
In this example:
- script.sh is a regular file with rwxr-xr– permissions.
- mydir is a directory with rwxr-xr-x permissions.
4. Changing Permissions with chmod
The chmod command is used to change file and directory permissions.
4.1 Changing Permissions Using Symbolic Mode
In symbolic mode, you can specify which owner (user, group, others) you want to modify and which permission to add or remove.
Example: Granting Execute Permission to a File for the Owner
$ chmod u+x script.sh
$ ls -l script.sh
-rwxr-xr– 1 amit users 4096 Sep 25 10:00 script.sh
In this case, the +x adds execute permission to the user (owner) for the file script.sh.
Example: Removing Write Permission for Others
$ chmod o-w script.sh
$ ls -l script.sh
-rwxr-xr– 1 amit users 4096 Sep 25 10:00 script.sh
Here, the o-w removes the write permission for others.
4.2 Changing Permissions Using Octal Mode
In octal mode, you specify permissions for all three sets (user, group, others) at once.
Example: Setting rwxr-xr– Permissions (754)
$ chmod 754 script.sh
$ ls -l script.sh
-rwxr-xr– 1 amit users 4096 Sep 25 10:00 script.sh
Example: Setting rwxrwxr-x Permissions (775)
$ chmod 775 mydir
$ ls -ld mydir
drwxrwxr-x 2 amit users 4096 Sep 25 10:05 mydir
5. Ownership and the chown Command
In addition to permissions, Linux uses ownership to manage access to files and directories. Each file or directory has an owner and a group associated with it. The chown command changes the owner and group of a file.
5.1 Changing the Owner
To change the owner of a file or directory, use:
$ sudo chown newowner filename
For example:
$ sudo chown root script.sh
$ ls -l script.sh
-rwxr-xr– 1 root users 4096 Sep 25 10:00 script.sh
5.2 Changing the Group
To change the group of a file or directory, use:
$ sudo chown :newgroup filename
For example:
$ sudo chown :admins script.sh
$ ls -l script.sh
-rwxr-xr– 1 root admins 4096 Sep 25 10:00 script.sh
5.3 Changing Both Owner and Group
You can change both the owner and group at the same time:
$ sudo chown newowner:newgroup filename
For example:
$ sudo chown amit:developers script.sh
$ ls -l script.sh
-rwxr-xr– 1 amit developers 4096 Sep 25 10:00 script.sh
6. Directory Permissions
The permissions on directories control whether a user can list, create, delete, or access files within the directory.
6.1 Read Permission on a Directory
If a user has read permission on a directory, they can list its contents using the ls command.
$ ls mydir
file1 file2 file3
6.2 Write Permission on a Directory
Write permission allows a user to create or delete files within the directory.
$ touch mydir/newfile
$ rm mydir/file1
6.3 Execute Permission on a Directory
Execute permission on a directory allows a user to enter the directory and access its files.
$ cd mydir
Without execute permission, you cannot enter the directory, even if you have read permission.
6.4 Setting Permissions for Directories
You can set permissions for directories in the same way as files using the chmod command.
Example: Granting Full Access to a Directory for the Owner
$ chmod 700 mydir
$ ls -ld mydir
drwx—— 2 amit users 4096 Sep 25 10:05 mydir
7. Special Permission Bits
There are three special permission bits in Linux: SUID, SGID, and the sticky bit. These are used in specific situations to modify the default behavior of the system.
7.1 SUID (Set User ID)
The SUID bit allows a file to be executed with the permissions of the file’s owner, rather than the user who executes it.
The SUID (Set User ID) bit is a special permission in Linux that allows users to execute a file with the privileges of the file’s owner, rather than the privileges of the user executing the file. This feature is typically used on executable files to grant temporary elevated privileges to the user running the file.
How SUID Works
When the SUID bit is set on an executable file, any user who runs that file inherits the file owner’s permissions. For example, if a file owned by the root user has the SUID bit set, any user executing that file will temporarily gain root privileges for the duration of the command.
Example: Setting the SUID Bit
$ chmod u+s script.sh
$ ls -l script.sh
-rwsr-xr– 1 amit users 4096 Sep 25 10:00 script.sh
7.2 SGID (Set Group ID)
The SGID bit on a file allows the file to be executed with the permissions of the file’s group. On a directory, it forces all files created inside the directory to inherit the group of the directory, rather than the group of the user who creates the file.
The SGID (Set Group ID) bit is a special permission in Linux that affects both files and directories, but it behaves differently depending on whether it’s set on a file or a directory. Like the SUID bit, SGID is used to modify the default permission behavior in certain situations. SGID is primarily concerned with group permissions.
1. How SGID Works
- On Files: When the SGID bit is set on an executable file, users who run the file will execute it with the permissions of the file’s group, rather than their own group. This can be useful in situations where you want users to have group-level privileges when running specific programs.
- On Directories: When the SGID bit is set on a directory, all files created within that directory inherit the group of the directory, rather than the default group of the user who creates the file. This is especially useful in shared group environments where files created by different users need to have the same group permissions.
Example: Setting the SGID Bit on a Directory
$ chmod g+s mydir
$ ls -ld mydir
drwxrwsr-x 2 amit users 4096 Sep 25 10:05 mydir
7.3 Sticky Bit
The Sticky Bit is a special permission in Linux that is primarily used on directories to control file deletion. When the sticky bit is set on a directory, only the owner of a file, the owner of the directory, or the root user can delete or rename the files within that directory, even if other users have write permissions to the directory.
The sticky bit is commonly used in shared directories where multiple users need write access but should not be allowed to delete or modify each other’s files.
1. How the Sticky Bit Works
In a directory with write permissions for multiple users, anyone can normally delete or modify files inside that directory. However, when the sticky bit is set, only:
- The file’s owner,
- The owner of the directory, or
- The root user can delete or rename the files inside the directory.
This is especially useful in directories like /tmp, where multiple users create files, and you want to prevent one user from deleting or tampering with another user’s files.
The sticky bit is set on directories to prevent users from deleting files they don’t own, even if they have write permission on the directory. This is commonly used in directories like /tmp.
Example: Setting the Sticky Bit
$ chmod +t mydir
$ ls -ld mydir
drwxrwxrwt 2 amit users 4096 Sep 25 10:05 mydir
8. Recursive Permissions with chmod and chown
Sometimes, you need to change permissions or ownership recursively for all files and subdirectories within a directory. This can be done using the -R option with chmod or chown.
8.1 Changing Permissions Recursively
$ chmod -R 755 mydir
This command will apply 755 permissions to mydir and all files and subdirectories inside it.
8.2 Changing Ownership Recursively
$ sudo chown -R amit:users mydir
This will change the ownership of mydir and all its contents to the user amit and the group users.
9. Default Permissions: umask
The umask (user file creation mode mask) is a command and a system setting in Linux that controls the default file and directory permissions when they are created. The umask defines which permission bits are not set on newly created files or directories. It essentially “masks” certain permissions to prevent them from being automatically granted.
When you create a file or directory, the system starts with a default set of permissions and then subtracts the umask value from these defaults to determine the final permissions for the new file or directory.
1. How umask Works
In Linux, by default:
- New files are created with
666(read and write for everyone), but the umask can reduce this. - New directories are created with
777(read, write, and execute for everyone), but again, the umask can reduce this.
The umask subtracts bits from these defaults to set the final permissions. For example, a umask of 022 means that write permission for the group and others is masked off (i.e., removed).
Default File and Directory Permissions
- Files:
666(read and write for user, group, and others) - Directories:
777(read, write, and execute for user, group, and others)
The umask defines which permissions to subtract from the default. For example:
- A umask of
022subtracts write permissions for the group and others. - A umask of
077subtracts all permissions for the group and others.
The default permissions for newly created files and directories are determined by the umask value. The umask sets which permission bits are not set on new files and directories.
To view the current umask, use:
$ umask
0022
This value indicates that write permission is removed for the group and others.
Umask 002 (Common for Shared Group Environments)
A umask of 002 is commonly used in collaborative group environments. It allows files to be created with group-write permissions, enabling team members to modify each other’s files while still restricting others outside the group.
Example:
- Files:
664(rw-rw-r–) - Directories:
775(rwxrwxr-x)
This allows group members to read, write, and execute files, while preventing others from making modifications.
Umask 007 (No Permissions for Others)
A umask of 007 removes all permissions for others, ensuring that only the owner and group can access files and directories. This is useful for more private or sensitive data.
Example:
- Files:
660(rw-rw—-) - Directories:
770(rwxrwx—)
This configuration prevents users outside the owner and group from reading or writing to the files and directories.
Important Notes About umask
- Execute Permissions: The umask does not add execute permissions by default. For files, you will need to manually set execute permissions if necessary (e.g.,
chmod +x script.sh). Directories will have execute permissions based on the calculated umask. - Security Considerations: It’s important to set a secure umask value on systems where multiple users share resources. A loose umask (such as
000, which grants full access to everyone) can result in unintended file sharing and potential data leakage.
Example : File Creation with umask 022
If the umask is 022, the default file permissions (666) will be reduced by the umask:
Default file permission: 666
umask: 022
—————–
Final file permission: 644 (rw-r–r–)
—————–
For directories, the default permission is 777, so the result will be:
Default directory permission: 777
umask: 022
—————–
Final directory permission: 755 (rwxr-xr-x)
Example : File Creation with umask 077
If the umask is 077, the result is as follows:
For files:
Default file permission: 666
umask: 077
—————–
Final file permission: 600 (rw——-)
For directories:
Default directory permission: 777
umask: 077
—————–
Final directory permission: 700 (rwx——)
4. Permanent umask Settings
To set a permanent umask value that applies every time you log in, you need to add the umask command to one of your shell’s initialization files.
For example, for a Bash shell, add the following line to your ~/.bashrc, ~/.bash_profile, or /etc/profile file:
umask 027
This ensures that the umask is set to 027 for every new shell session.
Conclusion
Understanding file and directory permissions in Linux is essential for managing system security and ensuring that users have appropriate access to files and directories. By mastering the chmod, chown, and ls commands, along with special permission bits like SUID, SGID, and the sticky bit, you can effectively control access to files and directories. The umask command allows you to control default permissions, ensuring that your system remains secure by default.

Join our Linux Administration Training here

Cybersecurity Architect | Cloud-Native Defense | AI/ML Security | DevSecOps
𝐖𝐢𝐭𝐡 𝟐𝟑+ 𝐲𝐞𝐚𝐫𝐬 𝐨𝐟 𝐞𝐱𝐩𝐞𝐫𝐭𝐢𝐬𝐞 𝐢𝐧 𝐜𝐲𝐛𝐞𝐫𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐚𝐧𝐝 𝐜𝐥𝐨𝐮𝐝-𝐧𝐚𝐭𝐢𝐯𝐞 𝐝𝐞𝐟𝐞𝐧𝐬𝐞, 𝐈 𝐚𝐫𝐜𝐡𝐢𝐭𝐞𝐜𝐭 𝐫𝐞𝐬𝐢𝐥𝐢𝐞𝐧𝐭 𝐝𝐢𝐠𝐢𝐭𝐚𝐥 𝐞𝐜𝐨𝐬𝐲𝐬𝐭𝐞𝐦𝐬 𝐛𝐲 𝐢𝐧𝐭𝐞𝐠𝐫𝐚𝐭𝐢𝐧𝐠 𝐙𝐞𝐫𝐨 𝐓𝐫𝐮𝐬𝐭, 𝐭𝐡𝐫𝐞𝐚𝐭 𝐢𝐧𝐭𝐞𝐥𝐥𝐢𝐠𝐞𝐧𝐜𝐞, 𝐚𝐧𝐝 𝐩𝐫𝐨𝐚𝐜𝐭𝐢𝐯𝐞 𝐫𝐢𝐬𝐤 𝐦𝐢𝐭𝐢𝐠𝐚𝐭𝐢𝐨𝐧 𝐢𝐧𝐭𝐨 𝐞𝐯𝐞𝐫𝐲 𝐥𝐚𝐲𝐞𝐫 𝐨𝐟 𝐢𝐧𝐟𝐫𝐚𝐬𝐭𝐫𝐮𝐜𝐭𝐮𝐫𝐞.
My journey began in network security (firewalls, IDS/IPS) and evolved through Linux/Windows hardening, IAM, and DevSecOps—bridging security with agile development. Today, I specialize in securing multi-cloud (AWS/Azure/GCP) environments.
𝐀𝐬 𝐚 𝐭𝐫𝐮𝐬𝐭𝐞𝐝 𝐚𝐝𝐯𝐢𝐬𝐨𝐫, 𝐈 𝐡𝐞𝐥𝐩 𝐨𝐫𝐠𝐚𝐧𝐢𝐳𝐚𝐭𝐢𝐨𝐧𝐬:
✔️ Align security investments with business objectives (reducing TCO while maximizing cyber ROI).
✔️ Prioritize risks executives care about—translating technical vulnerabilities into financial/operational impact.
✔️ Optimize team workflows by merging DevSecOps agility with governance rigor—no more “security vs. speed” trade-offs.
𝐂𝐨𝐫𝐞 𝐒𝐭𝐫𝐞𝐧𝐠𝐭𝐡𝐬 & 𝐃𝐢𝐟𝐟𝐞𝐫𝐞𝐧𝐭𝐢𝐚𝐭𝐢𝐨𝐧:
𝘌𝘯𝘥-𝘵𝘰-𝘦𝘯𝘥 𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺 𝘢𝘳𝘤𝘩𝘪𝘵𝘦𝘤𝘵𝘶𝘳𝘦—𝘧𝘳𝘰𝘮 𝘯𝘦𝘵𝘸𝘰𝘳𝘬 𝘩𝘢𝘳𝘥𝘦𝘯𝘪𝘯𝘨 𝘵𝘰 𝘈𝘐-𝘥𝘳𝘪𝘷𝘦𝘯 𝘵𝘩𝘳𝘦𝘢𝘵 𝘥𝘦𝘵𝘦𝘤𝘵𝘪𝘰𝘯.
𝐌𝐮𝐥𝐭𝐢-𝐂𝐥𝐨𝐮𝐝 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲: Deep expertise in AWS/Azure/GCP security tools (Kubernetes, CSPM, CWPP).
𝐓𝐡𝐫𝐞𝐚𝐭 𝐈𝐧𝐭𝐞𝐥𝐥𝐢𝐠𝐞𝐧𝐜𝐞 & 𝐅𝐨𝐫𝐞𝐧𝐬𝐢𝐜𝐬: Proactive hunting, incident response, and post-breach analysis.
𝐙𝐞𝐫𝐨 𝐓𝐫𝐮𝐬𝐭 & 𝐈𝐀𝐌: Architecting least-privilege access, PKI, and micro-segmentation.
𝐀𝐈/𝐌𝐋 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲: Securing LLMs, MLOps pipelines, and data lakes against adversarial attacks.
𝐑𝐞𝐜𝐞𝐧𝐭 𝐂𝐨𝐧𝐬𝐮𝐥𝐭𝐢𝐧𝐠 𝐏𝐫𝐨𝐣𝐞𝐜𝐭𝐬 – 𝐀𝐠𝐞𝐧𝐭𝐢𝐜 𝐀𝐈 & 𝐀𝐈 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲:
✔️ Led security architecture for a GenAI‑powered Agentic AI system (autonomous task‑planning agents using LangChain & AutoGPT). Designed guardrails against prompt injection, tool‑calling abuse, and data exfiltration via agent‑to‑agent communication. Result: Zero security breaches across 10k+ agentic transactions.
✔️ Advised a fintech firm on AI supply chain security – hardened their LLM fine‑tuning pipeline (Hugging Face + AWS SageMaker) against model poisoning and backdoor attacks. Implemented real‑time anomaly detection for model inputs using statistical outlier scoring.
Let’s connect and discuss the future of secure, intelligent infrastructure.
