Save 15% on All Hosting Services

Test your skills and get Discount on any hosting plan

Use code: Skills Get Started
FAQ’s Sections
Linux Operating Systems Virtual Servers

Understanding Linux File Permissions and How to Manage Them

Linux file permissions are one of the most fundamental — and most misunderstood — aspects of system administration. Whether you're managing a production web server, deploying applications, or writing automation scripts, a solid grasp of the Linux permission model is non-negotiable. Get it wrong, and you risk data breaches, broken deployments, or locked-out services. Get it right, and you have a powerful, granular security framework working in your favor.

This guide covers everything you need to know: how the permission model works, how to read and modify permissions, how to manage ownership, and how to handle advanced permission bits like SUID, SGID, and the sticky bit.

The Linux File Permission Model Explained

Every file and directory in a Linux system is assigned a set of access rights. These rights are divided across three user classes and three permission types.

The Three User Classes

ClassDescription
ownerThe user who owns the file
groupAll users belonging to the file's assigned group
othersEveryone else on the system

The Three Permission Types

PermissionSymbolMeaning
readrView file contents or list directory contents
writewModify a file or directory
executexRun a file as a program, or enter/traverse a directory

Together, these nine bits (three classes × three permissions) define the complete access control profile for every object in the filesystem.

How to View File Permissions with ls -l

The quickest way to inspect permissions is with the ls -l command:

ls -l myscript.sh

Example output:

-rwxr-xr-- 1 alice devs 2048 Jan 25 10:00 myscript.sh

Here's how to read that permission string character by character:

CharactersMeaning
-File type (- = regular file, d = directory, l = symlink)
rwxOwner permissions: read, write, execute
r-xGroup permissions: read, execute (no write)
r--Others permissions: read only

So in this example, alice (the owner) has full access, members of the devs group can read and execute the file, and everyone else can only read it.

Changing Permissions with chmod

The chmod command modifies file permissions. It supports two modes: symbolic and numeric (octal).

Symbolic Mode

Symbolic mode uses letters and operators to add (+), remove (-), or set (=) permissions:

chmod u+x myscript.sh      # Add execute permission for the owner
chmod g-w myscript.sh      # Remove write permission from the group
chmod o=r myscript.sh      # Set read-only for others (exactly)
chmod a+x myscript.sh      # Add execute for all (owner, group, others)

The target classes are: u (user/owner), g (group), o (others), a (all).

Numeric (Octal) Mode

Each permission type has a numeric value: r = 4, w = 2, x = 1. You add them together to get a single digit per class.

OctalBinaryPermissions
7111rwx
6110rw-
5101r-x
4100r--
0000---

Common examples:

chmod 755 myscript.sh   # Owner: rwx | Group: r-x | Others: r-x
chmod 644 file.txt      # Owner: rw- | Group: r-- | Others: r--
chmod 700 script.sh     # Owner: rwx | Group: --- | Others: ---
chmod 600 secret.key    # Owner: rw- | Group: --- | Others: ---

> Quick reference: 755 is the standard for public-facing scripts and directories. 644 is the standard for readable configuration files. 600 is ideal for private keys and sensitive credentials.

Managing Ownership with chown and chgrp

Permissions only make sense in the context of ownership. The chown and chgrp commands let you assign files to the correct user and group.

Change the File Owner

chown alice file.txt

Change the Group

chgrp devs file.txt

Change Both Owner and Group Simultaneously

chown bob:admins file.txt

Apply Changes Recursively

The -R flag applies ownership changes to a directory and all its contents — essential when setting up web server document roots:

chown -R www-data:www-data /var/www/html/

This is a critical step when deploying web applications on a VPS Hosting environment, ensuring your web server process has the correct access to serve files.

Special Permission Bits: SUID, SGID, and Sticky Bit

Beyond the standard nine permission bits, Linux supports three special modes that modify default behavior in important ways.

1. SUID — Set User ID

Applies to: Executable files

When the SUID bit is set on an executable, it runs with the privileges of the file's owner, not the user who launched it.

chmod u+s /usr/bin/passwd

ls -l output:

-rwsr-xr-x 1 root root 54256 Jan 10 08:00 /usr/bin/passwd

Notice the s in place of the owner's x. This is how /usr/bin/passwd can update /etc/shadow (a root-owned file) even when run by a regular user.

> Security note: Be very cautious about setting SUID on custom scripts. A misconfigured SUID binary is a classic privilege escalation vector.

2. SGID — Set Group ID

Applies to: Executable files and directories

  • On files: The file runs with the group privileges of the file's group owner.
  • On directories: New files created inside the directory automatically inherit the directory's group, rather than the creating user's primary group.
chmod g+s /opt/project

ls -l output:

drwxr-sr-x 2 alice devs 4096 Jan 25 10:00 /opt/project

SGID on directories is extremely useful for shared development folders where multiple team members need consistent group ownership on all new files.

3. Sticky Bit

Applies to: Directories

When the sticky bit is set on a directory, only the file's owner (or root) can delete or rename that file — even if other users have write permission on the directory.

chmod +t /shared/folder

ls -ld output for /tmp:

drwxrwxrwt 10 root root 4096 Jan 28 12:00 /tmp

The t at the end indicates the sticky bit is active. This is why /tmp is world-writable but users can't delete each other's temporary files.

Understanding umask — Default Permission Control

When a new file or directory is created, Linux doesn't give it maximum permissions. Instead, it applies a umask (user file creation mask) that subtracts permissions from the default.

Check Your Current umask

umask

Common output: 0022

How umask Works

ObjectDefault MaximumWith umask `0022`Result
File666 (rw-rw-rw-)666 - 022644 (rw-r–r–)
Directory777 (rwxrwxrwx)777 - 022755 (rwxr-xr-x)

> Note: Linux never sets the execute bit on newly created files by default, regardless of umask.

Set a Temporary umask

umask 0077    # New files: 600 (rw-------), New dirs: 700 (rwx------)

This is useful in scripts that create sensitive temporary files. For a permanent change, add the umask command to your shell's profile file (e.g., ~/.bashrc or /etc/profile).

Recursive Permission Fixes

A common real-world task is resetting permissions across an entire project directory — for example, after a bad deployment or an FTP upload that mangled permissions. The key is to set different permissions for directories and files, since directories need the execute bit to be traversable.

# Set all directories to 755
find /var/www/myapp -type d -exec chmod 755 {} ;

# Set all files to 644
find /var/www/myapp -type f -exec chmod 644 {} ;

If your application has specific executable scripts, fix those separately afterward:

chmod 755 /var/www/myapp/bin/*.sh

This pattern is essential for anyone managing web hosting environments. If you're running PHP, Python, or Node.js applications on a VPS with cPanel, incorrect file permissions are one of the most common causes of 403 Forbidden errors and failed script execution.

Practical Permission Reference for Common Scenarios

ScenarioRecommended PermissionsCommand
Public web files (HTML, CSS, JS)644chmod 644 index.html
Web directories755chmod 755 /var/www/html
PHP/Python scripts644 or 755Depends on execution method
Private SSH keys600chmod 600 ~/.ssh/id_rsa
.ssh directory700chmod 700 ~/.ssh
Shared project directory2775 (SGID)chmod 2775 /opt/project
World-writable temp directory1777 (sticky)chmod 1777 /tmp/shared
Configuration files with secrets600chmod 600 .env

Linux File Permissions and Server Security

Understanding file permissions isn't just an academic exercise — it has direct, practical implications for server security and stability.

Common security mistakes to avoid:

  • Setting 777 on web directories. This gives everyone read, write, and execute access — a critical vulnerability if your server is compromised or if PHP code injection is possible.
  • Leaving world-readable configuration files. Files like .env, wp-config.php, or database credentials should be 600 or 640 at most.
  • Ignoring ownership. Even if permissions look correct, if the wrong user owns a file, your web server or application daemon may not be able to read it.
  • Recursive chown on system directories. Running chown -R carelessly on /etc or /usr can break your entire system.

If you're running a production environment on Dedicated Servers, implementing a strict permission policy is one of the first hardening steps you should take after initial setup.

For teams managing multiple sites or applications, VPS Control Panels can simplify permission management through graphical file managers, though command-line proficiency remains essential for advanced configurations.

Quick Command Reference

# View permissions
ls -l filename
ls -ld directory/

# Change permissions (symbolic)
chmod u+x file        # Add execute for owner
chmod g-w file        # Remove write for group
chmod o=r file        # Set read-only for others
chmod a+r file        # Add read for all

# Change permissions (numeric)
chmod 755 file        # rwxr-xr-x
chmod 644 file        # rw-r--r--
chmod 600 file        # rw-------
chmod 700 file        # rwx------

# Change ownership
chown user file
chgrp group file
chown user:group file
chown -R user:group directory/

# Special bits
chmod u+s file        # Set SUID
chmod g+s directory   # Set SGID
chmod +t directory    # Set sticky bit

# umask
umask                 # Show current umask
umask 0022            # Set umask for session

# Recursive fixes
find /path -type d -exec chmod 755 {} ;
find /path -type f -exec chmod 644 {} ;

Conclusion

Linux file permissions form the backbone of system security, multi-user access control, and reliable application deployment. The model is elegant in its simplicity — three classes, three permission types, a handful of special bits — yet powerful enough to secure everything from a personal development machine to a high-traffic production server.

Mastering chmod, chown, umask, and the special permission bits gives you the confidence to deploy applications correctly, troubleshoot access errors quickly, and harden your servers against unauthorized access.

Whether you're getting started with Shared Web Hosting or scaling up to a fully managed VPS Hosting environment, a solid understanding of Linux file permissions is one of the highest-leverage skills you can develop as a system administrator or developer. Invest the time to understand it deeply — your servers (and your users) will thank you.