Permissions & Ownership
Who can read, write, or execute — and why it matters.
Every file and directory on a Unix system has an owner, a group, and a set of permission bits. These three pieces together determine who can read, write, or execute it.
Analogy
Unix permissions are like keys to an office building. Every room has three distinct keys hanging by the door: one for the room's named occupant, one that works for anyone on their team, and one for the general cleaning staff. Each key can have up to three teeth filed in: "look inside," "move furniture," "use the equipment." A directory is a hallway rather than a room — the "use the equipment" tooth becomes "you're allowed to walk down this hallway to reach the rooms beyond". File a tooth off a key and that class of person loses exactly that ability, nothing more.
The three classes
| Class | Who |
|---|---|
| user (u) | The file's owner |
| group (g) | Members of the file's group |
| other (o) | Everyone else |
The three bits
| Bit | Symbol | Octal value | On a file | On a directory |
|---|---|---|---|---|
| read | r | 4 | Read the file contents | List the directory with ls |
| write | w | 2 | Modify the file | Create or delete files inside |
| execute | x | 1 | Run as a program | Traverse (enter the directory) |
The execute bit on a directory deserves special attention. Without it you cannot cd into the directory, even if you can list it.
Reading permission strings
ls -la shows a 10-character string for each entry:
```
-rwxr-xr-- 1 alice staff 4096 Apr 22 10:00 script.sh
```
Position 1 is the file type (- = regular file, d = directory, l = symlink). Positions 2–4 are user bits, 5–7 are group bits, 8–10 are other bits.
Numeric (octal) mode
Each class's three bits form a 3-bit number. r=4, w=2, x=1:
| Mode | String | Meaning |
|---|---|---|
| 755 | rwxr-xr-x | Owner full, group and other can read+execute |
| 644 | rw-r--r-- | Owner can read+write, everyone else read-only |
| 600 | rw------- | Owner read+write, nobody else can do anything |
| 777 | rwxrwxrwx | Everyone can do everything — almost always wrong |
chmod — changing permissions
```bash
# Numeric
chmod 755 script.sh
# Symbolic: who + op + bits
chmod u+x script.sh   # add execute for owner
chmod go-w script.sh  # remove write from group and other
chmod a=r file.txt    # set read-only for everyone
chmod +x script.sh    # shorthand: adds execute for all, like a+x (bits blocked by the umask are skipped)
```
chown — changing ownership
```bash
chown alice file.txt        # change owner
chown alice:staff file.txt  # change owner and group
chown -R www-data /var/www  # recursive
```
Only root can transfer ownership to another user.
Why scripts need +x
The kernel only runs a file as a program if the execute bit is set for the calling user. Without it:
```console
$ ./deploy.sh
bash: ./deploy.sh: Permission denied
$ chmod +x ./deploy.sh
$ ./deploy.sh
# works
```
Setuid, setgid, and sticky bit
These are three special bits beyond the standard nine:
- setuid (4 before the mode, e.g. 4755): The program runs as its owner, not as the calling user. Used by sudo, passwd.
- setgid (2 before): The program runs as the file's group. On a directory, new files inherit the directory's group.
- sticky bit (1 before): On a directory (/tmp), only the file's owner can delete it, even if others have write permission.
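As an added example (not part of the original page), the Python below converts between the ls-style permission string from "Reading permission strings" and the octal mode from "Numeric (octal) mode", including the setuid, setgid and sticky bits just described, and then audits an ls -la listing for the settings a reviewer would flag: world-writable entries (sticky directories like /tmp excepted), setuid programs, and setgid on a non-directory. The listing, its file names and owners are constructed for the example.

```python
import stat

# Each class: bit shift, the special bit ls renders in its x slot, and the letter used.
_CLASSES = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))

def mode_to_string(mode: int, is_dir: bool = False) -> str:
    """Render a numeric mode such as 0o4755 the way ls -l does: '-rwsr-xr-x'."""
    out = ["d" if is_dir else "-"]
    for shift, special, mark in _CLASSES:
        bits = (mode >> shift) & 0o7
        out += ["r" if bits & 4 else "-", "w" if bits & 2 else "-"]
        if mode & special:  # ls: lowercase if execute is also set, uppercase if not
            out.append(mark if bits & 1 else mark.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)

def string_to_mode(perm: str) -> int:
    """Inverse: '-rwsr-xr-x' (leading type character optional) -> 0o4755."""
    perm, mode = perm[-9:], 0
    for i, (shift, special, _) in enumerate(_CLASSES):
        r, w, x = perm[3 * i:3 * i + 3]
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0) | (1 if x in "xst" else 0)
        if x in "sStT":  # s/S in the user or group slot, t/T in the other slot
            mode |= special
        mode |= bits << shift
    return mode

def audit_listing(listing: str) -> dict:
    """Map name -> findings for ls -la entries that are world-writable, setuid, or setgid."""
    result = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # skip the 'total N' header and blank lines
        mode, is_dir = string_to_mode(fields[0]), fields[0][0] == "d"
        checks = (("world-writable", mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX)),
                  ("setuid", mode & stat.S_ISUID),
                  ("setgid", mode & stat.S_ISGID and not is_dir))
        findings = [label for label, hit in checks if hit]
        if findings:
            result[fields[-1]] = findings
    return result

# Constructed sample listing in ls -la format (not captured from a real system).
SAMPLE_LISTING = """\
-rwxr-xr-- 1 alice staff  4096 Apr 22 10:00 script.sh
-rwsr-xr-x 1 root  root  68208 Apr 22 10:00 passwd
-rw-rw-rw- 1 bob   staff    12 Apr 22 10:00 notes.txt
drwxrwxrwt 9 root  root   4096 Apr 22 10:00 tmp
"""
```

Run `audit_listing(SAMPLE_LISTING)` to see only passwd (setuid) and notes.txt (world-writable) reported; the sticky /tmp directory is correctly left alone.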