PublishedMay 22, 2026

Step-by-Step Guide to Managing Permissions With Chmod in Linux

Ready to start learning?

▼

One bad chmod command can break a deployment, expose a private key, or lock a team out of a shared folder. In Linux, Linux permissions are not a side topic; they are part of file security and day-to-day system stability. If you manage servers, scripts, containers, or user home directories, you need to know exactly what changes when permissions change.

This guide walks through command-line tools for managing permissions with chmod in a practical way. You will learn how permission bits work, how to read them, how symbolic and numeric modes differ, and how to apply the right settings to files, directories, and recursive trees without causing avoidable damage.

Key Takeaway

chmod changes access rights, not ownership. If the wrong user owns the file, chmod is not the fix; chown may be the right tool.

Understanding Linux File Permissions

Linux file permissions are built around three actions: read, write, and execute. Read lets you open a file or list a directory. Write lets you modify a file or create and delete entries in a directory. Execute means something different depending on whether you are dealing with a file or a directory.

There are also three user classes: owner, group, and others. The owner is the account that owns the file. The group represents a shared access category. Others are everyone else on the system. When you run ls -l, you will see a permission string such as -rwxr-xr--. The first character tells you the file type, and the next nine characters represent permissions in three blocks of three.

How to read the permission string

First character: file type, such as - for a file or d for a directory.
Next three: owner permissions.
Next three: group permissions.
Last three: permissions for others.

For example, -rw-r--r-- means the owner can read and write, the group can read, and everyone else can read. A directory with drwxr-x--- means the owner can enter and modify contents, the group can enter and list contents, and others have no access.

File permissions and directory permissions behave differently. On a file, execute means the file can be run as a program or script. On a directory, execute means you can traverse into it and access items inside it if you already know their names. Without execute on a directory, even read access may not be enough to access files inside that directory.

Special permission bits add another layer: setuid, setgid, and the sticky bit. These change how programs run or how directories behave, and they matter in shared systems. They are not used every day, but when they are present, they can affect access in ways that surprise people who only know the basic read/write/execute model.

For a solid reference on permission behavior and file system access principles, the Linux Foundation documentation and the Red Hat Enterprise Linux docs are practical starting points: Linux Foundation and Red Hat Documentation.

How Chmod Works

chmod is the Linux command used to modify permission bits on files and directories. It does not change who owns the file. It only changes who can read, write, or execute it. That distinction matters because a file can have perfect permissions for the wrong owner and still behave badly in production.

Permission changes take effect immediately. The kernel does not wait for a reboot or a service restart to apply them. Once chmod changes a file’s mode, the new access rules apply the next time a user or process tries to open or execute it. That means a web server, cron job, or deployment script can succeed or fail instantly after a permission change.

Most permission problems are not “mystery Linux issues.” They are usually a mismatch between the access a file has and the access a process actually needs.

Before changing permissions, inspect the current state. Use ls -l, stat file, and if needed, namei -l /path/to/file to check every directory in the path. A common mistake is adjusting the final file but ignoring a parent directory that blocks traversal.

chmod supports two main styles: symbolic mode and numeric mode. Symbolic mode is readable and precise for small edits. Numeric mode is faster when you already know the exact permission set you want. Both are valid, and both are standard parts of Linux permissions management.

The GNU coreutils manual documents chmod behavior clearly, and the NIST guidance on secure configuration reinforces the least-privilege mindset that should guide permission changes: GNU Coreutils chmod and NIST CSRC.

Using Symbolic Mode

Symbolic mode uses letters to describe what you want to change. A command like chmod u+x file adds execute permission for the user class, while chmod g-w file removes write permission from the group class. This style is useful when you want a small, targeted adjustment without recalculating the entire permission set.

Symbolic mode syntax

u = user or owner
g = group
o = others
a = all three classes
+ = add permission
– = remove permission
= = set exactly this permission and replace existing values for that class
r = read
w = write
x = execute

Examples are straightforward. chmod u+x deploy.sh makes a deployment script executable for the owner. chmod g-w report.txt removes write access from the group. chmod o-r secret.log removes read access from everyone else. If you want to define a precise set, use the equals sign: chmod u=rw,go=r file.

Symbolic mode is especially useful for file security when you want a minimal change. Suppose a script already has the correct read and write bits, but it is missing execute. You do not want to recalculate 755 if all you need is one flag. Use chmod +x or chmod u+x and move on.

Warning

The most common symbolic-mode mistake is using = when you meant +. chmod g=rw replaces group permissions. chmod g+rw only adds them.

For secure configuration advice and broader access-control context, Microsoft’s security documentation and the OWASP guidance on secure file handling are useful references: Microsoft Learn and OWASP.

Using Numeric Mode

Numeric mode uses octal values to represent permissions. The mapping is simple: read = 4, write = 2, and execute = 1. Add them together for each class. That is how you get common values like 644, 755, 600, and 700.

Value	Meaning
`644`	Owner can read and write; group and others can read
`755`	Owner can read, write, and execute; group and others can read and execute
`600`	Owner can read and write; no access for group or others
`700`	Owner can read, write, and execute; no access for group or others

To calculate a mode, think in blocks. If the owner needs read, write, and execute, that block is 7. If the group needs read and execute, that block is 5. If others need only read, that block is 4. Put those together and you get 754.

Numeric mode is often faster when you already know the standard you want. A web directory often needs 755 because the server needs execute on directories to traverse them. A private key usually needs 600. A shell script often needs 700 or 755 depending on whether others need to run it.

Use numeric mode carefully on directories. chmod 755 project on a top-level project folder may be fine for a shared web root, but it could be too open for a folder containing secrets or development notes. The right answer depends on actual access needs, not on what seems convenient.

CompTIA® and Cisco® both emphasize the importance of understanding permission models and access control in operational environments. For formal security guidance, see CompTIA’s certification objectives and Cisco’s documentation on access control concepts: CompTIA Certifications and Cisco.

Changing Permissions on Files

One of the most common uses of chmod is making a script executable. If you have a shell script named backup.sh, you can run chmod +x backup.sh or chmod 755 backup.sh. The first option adds execute without changing the rest of the mode. The second sets a full permission pattern.

Typical file permission choices

Executable script: often 755 if other users need to run it, or 700 if only the owner should use it.
Text document: often 644 so the owner can edit it and others can read it.
Sensitive config file: often 600 so only the owner can read and write it.

Documents should usually be readable but not writable by everyone. That is why 644 is common for shared reference files, website content, and static assets. If a file contains passwords, API keys, SSH private material, or application secrets, tighter permissions are safer. A configuration file with credentials should usually be locked down to 600 unless a service account or group requirement says otherwise.

After you run chmod, verify the result. Use ls -l filename for a quick check or stat filename if you want exact mode details. Verification is not optional. It is how you catch a mistaken permission before it becomes a service outage or a data exposure.

When changing multiple files, wildcards can help, but they can also create messes. chmod 644 *.txt is fine if you know the directory contents. chmod -R with a loose pattern is where people get into trouble. Always confirm what files match before running a wide command.

Note

For sensitive data, the safest default is to start restrictive and open access only when a process or team requirement clearly demands it.

For secure file handling patterns, AWS and Microsoft both provide strong official guidance on protecting secrets and service credentials: AWS Documentation and Microsoft Security Documentation.

Changing Permissions on Directories

Directory permissions are where many Linux permission problems begin. On a directory, read means you can list entries, write means you can create or delete entries, and execute means you can enter or traverse the directory. Without execute, the directory is effectively blocked, even if you can see its name.

This is why a project folder may need r-x for collaborators. They need to list files and enter subdirectories, but they may not need to delete anything. A shared upload folder may need rwx for a service account or group, but that choice should be deliberate because write on a directory is powerful. It allows file creation, deletion, and renaming inside that path.

Examples of useful directory modes

Project folder for team reading: 755 or 750
Shared collaboration folder: often 770 with a controlled group
Private working folder: 700
Temporary upload folder: tightly managed, sometimes with sticky bit controls

Granting overly broad write access is risky. If everyone can write to a directory, anyone can replace or remove files depending on the exact setup. On a server, that can become an integrity problem fast. Use group-based sharing when possible, and keep ownership and permissions aligned with real operational needs.

The official documentation on Linux file systems and permission handling from Red Hat is a useful operational reference here, especially when you are deciding what users need to do versus what they merely need to view: Red Hat Documentation.

Recursive Permission Changes

The -R option applies chmod recursively through a directory tree. That is useful when you have a project with many subfolders and consistent permission needs. It is also one of the fastest ways to break a working environment if you apply the wrong mode to the wrong tree.

For example, chmod -R 755 /var/www/project may seem convenient, but it can create problems if the tree includes config files, uploads, or private keys. A recursive change does not distinguish between code, secrets, and writable data unless you plan for that structure in advance. That is why you should inspect the tree before changing it.

Safer recursive workflows

List the directory structure first with find or tree.
Test the command on a small subset.
Apply the change only after checking the result.
Verify with ls -lR or targeted stat checks.

A better workflow is often to combine tools. Use find to target only specific file types, such as scripts or HTML files, and leave secrets alone. For example, a deployment directory might need executable permissions on scripts and read-only permissions on static assets, but the config folder should stay locked down.

Recursive chmod is not a cleanup tool. It is a precision tool. Use it only when you know the tree well enough to predict every affected path.

For secure automation and file-system hygiene, the CISA and NIST resources on system hardening and configuration management are useful references: CISA and NIST CSRC.

Practical Real-World Examples

Real permission work is usually about solving a specific access problem. A web project may need static assets readable by the server, scripts executable, and config files hidden from everyone except the application account. A secure SSH private key needs strict file security. A shared team folder needs collaboration without chaos. chmod is the tool that lets you express those rules in the filesystem.

Example scenarios

Web project: set static files to 644 and scripts to 755.
Private SSH key: use chmod 600 id_rsa so only the owner can read it.
Shared team folder: use group permissions like 770 on the directory and manage group membership carefully.
Deployment script: use chmod +x deploy.sh or chmod 755 deploy.sh.
Permission denied fix: check both the file and every parent directory, then adjust the exact missing permission.

Suppose a developer gets “permission denied” when running a script. The fix may be one of several things: the script lacks execute permission, the directory path lacks execute permission, or the user does not have ownership or group access. chmod helps when the mode is wrong. It does not help if the ownership is wrong or the user is outside the intended group.

For example, if a deployment script is stored in /opt/app/bin, the script itself may need 755, but the directories leading to it also need traverse permission. If a private config file contains database credentials, 600 is a strong baseline. If a team needs to edit release notes in a shared folder, group write can make sense, but only if the group is tightly controlled.

For operational reference on access control and service accounts, review official vendor documentation and workforce guidance from the BLS to understand how these skills map to real roles and responsibilities: BLS Computer and Information Technology Occupations.

Common Mistakes and Best Practices

One of the fastest ways to create a security issue is using 777 as a default answer. It gives read, write, and execute to everyone. In almost every production case, that is too broad. If you think you need it, stop and confirm the actual access requirement first.

Common mistakes to avoid

Using 777 casually: this weakens file security and makes tampering easy.
Removing execute from directories: this blocks traversal and can make paths unusable.
Using chmod instead of chown: if the wrong user owns the file, fix ownership first.
Skipping verification: always confirm changes with ls -l or stat.

Least privilege should be the default rule. Give the smallest permission set that still lets the file or directory function. If a file is only read by a service, do not make it world-writable. If a team needs collaborative editing, use group ownership and permission structure instead of opening the path to everyone.

When deciding between chmod and chown, ask one question: is the problem about who owns the file or what access that file allows? If ownership is wrong, change the owner. If access is too open or too closed, adjust permissions. Mixing those up is a common source of wasted time during incident response.

Pro Tip

Before you change a production path, test the same chmod command on a dummy file or staging directory. You will catch mistakes before they matter.

For best-practice alignment, the OWASP secure configuration guidance and CIS-style hardening principles are useful. They reinforce the same rule: keep permissions narrow and intentional. See OWASP Top Ten and CIS.

Advanced Permission Topics

Once you are comfortable with basic chmod usage, the next layer is special permission behavior. setuid lets a program run with the file owner’s privileges. setgid can cause new files in a directory to inherit the directory’s group. The sticky bit is important on shared directories because it prevents users from deleting files they do not own, even if they have write access to the directory.

Setgid is especially useful in collaborative folders. If a team share uses a specific group, setgid helps keep group ownership consistent across newly created files. That reduces permission drift and cuts down on manual cleanup. Sticky bit is common in temporary areas where many users can create files, but only file owners should be able to remove them.

How umask and ACLs fit in

umask controls default permissions when new files and directories are created. It works before chmod enters the picture. In other words, umask shapes the starting point, and chmod adjusts afterward. If your environment keeps creating files with permissions you do not want, review umask first.

ACLs, or Access Control Lists, are more flexible than classic chmod permissions. They let you give specific users or groups additional access without changing the basic owner/group/others model. When chmod is too blunt for the problem, ACLs may be the better option. That matters on shared storage, application hosts, and mixed-access environments.

Permissions also affect services, scripts, and automation tasks. A service account may fail because a log directory is too restrictive. A cron job may fail because the script is not executable. A backup process may fail because it cannot traverse one directory in the path. These are permission issues, not application bugs.

For technical reference, the GNU coreutils docs cover chmod and related mode behavior, while Microsoft Learn and AWS documentation offer examples of secure automation and secrets handling in service contexts: GNU Coreutils Manual, Microsoft Learn, and AWS Documentation.

Conclusion

chmod is one of the most practical Linux command-line tools you will use, but it works best when you understand what it actually controls. It changes Linux permissions, not ownership. It affects file security immediately. And it behaves differently on files and directories, which is where many mistakes happen.

The core habit is simple: inspect first, change second, verify last. Use symbolic mode for targeted edits. Use numeric mode when you know the exact permission set. Be careful with recursive changes. Avoid broad permissions unless the use case truly requires them. And remember that directory execute permission is often the hidden piece behind “permission denied” errors.

Practice on test files and directories before touching important paths. That habit pays off every time you manage servers, shared project folders, deployment scripts, or sensitive config files. If you want to build stronger Linux administration skills, ITU Online IT Training recommends pairing chmod knowledge with ownership, ACLs, and secure configuration practices so you can troubleshoot access problems faster and with less risk.

For continued study, review the official documentation from Linux Foundation, Red Hat, GNU coreutils, NIST, and OWASP, then apply what you learn on a staging system before production.

CompTIA®, Cisco®, Microsoft®, AWS®, and ISC2® are trademarks of their respective owners.

[ FAQ ]

Frequently Asked Questions.

What is the purpose of the chmod command in Linux?

The chmod command in Linux is used to change the permissions of files and directories. Permissions control who can read, write, or execute a file or directory, thereby managing access rights for users and groups.

Proper use of chmod is essential for maintaining system security and ensuring that only authorized users can modify or execute certain files. Incorrect permissions can lead to security vulnerabilities or prevent legitimate access, making understanding chmod vital for system administrators and developers.

How do permission bits work in Linux, and what do they represent?

In Linux, permissions are represented by permission bits that specify read (r), write (w), and execute (x) rights for three categories: owner, group, and others. These bits are often displayed as a string of characters like rwxr-xr– or as octal numbers such as 755.

Each set of permissions corresponds to a digit in the octal notation: 4 for read, 2 for write, and 1 for execute. For example, permission 7 (4+2+1) grants read, write, and execute rights, while 5 (4+1) grants read and execute rights only. Understanding this system is key to correctly managing file permissions with chmod.

What are some best practices for using chmod safely in Linux?

When managing permissions with chmod, always apply the principle of least privilege—grant only the permissions necessary for a user or process to function. This minimizes security risks and accidental access.

Before making changes, double-check the current permissions and consider testing in a non-production environment. Use symbolic mode (e.g., u+r, g-w) for clarity and precision, especially when modifying specific user categories. Avoid overly permissive settings like 777 unless absolutely required, as they can expose sensitive data or allow unauthorized execution.

Can improper use of chmod break system functionality or security?

Yes, incorrect chmod commands can lead to serious issues such as exposing private keys, locking out users, or breaking application deployments. For example, setting permissions too permissively on sensitive files can make them accessible to unauthorized users.

Conversely, overly restrictive permissions might prevent legitimate users or processes from accessing necessary files, causing system failures or service disruptions. It is crucial to understand the specific permissions needed for each file or directory and to verify changes carefully to maintain both security and system stability.

What are the differences between symbolic and numeric modes in chmod?

Chmod supports two modes for setting permissions: symbolic and numeric. Symbolic mode uses characters like u (user), g (group), o (others), and a (all), combined with operators (+, -, =) to modify specific permissions, such as u+r or g-w.

Numeric mode uses octal values (like 755 or 644) to represent permission combinations in a compact form. Numeric mode is often quicker for applying standard permission sets, while symbolic mode provides more precise control when adjusting individual permissions.