The chmod Command in Linux: A Complete Guide to File Permissions

This guide explains how to manage file and directory permissions in Linux using the chmod command. You'll learn to use both numeric and symbolic syntax to set permissions for the owner, group, and others.

Updated on February 16, 2026
10-15 minutes
Easy
FixPedia Team
Applies to: Ubuntu 22.04+, Debian 11+, CentOS 7+, any Linux distribution

Introduction / Why This Matters

The chmod (change mode) command is a fundamental security management tool in Linux. It defines who can read, modify, or execute files and directories. Understanding chmod is critically important for:

  • System Security: Preventing unauthorized access to configuration files, passwords, or scripts.
  • Proper Program Operation: Many services and scripts require specific permissions to run (e.g., +x).
  • Collaboration: Setting access for different user groups in a multi-user environment.

This guide will transform you from a beginner who blindly types chmod 777 into a confident user who understands the permission system.

Requirements / Preparation

Before you begin, ensure that:

  1. You have access to a Linux terminal (locally or via SSH).
  2. You know the absolute or relative path to the target file or directory.
  3. You have permissions to modify the attributes of that file. This usually requires you to be the file's owner or a user with elevated privileges (root/sudo).
  4. You understand the basic structure of the ls -l command output (e.g., -rwxr-xr--).

Step-by-Step Guide

Step 1: Understanding the Permission System (rwx)

Permissions in Linux are divided into three user categories:

  • u (user/owner) — the file's owner.
  • g (group) — the group the file belongs to.
  • o (others) — all other system users.
  • a (all) — all three categories (all users).

For each category, there are three types of permissions:

  • r (read) — read the file's contents or list files in a directory.
  • w (write) — modify the file's contents or create/delete files in a directory.
  • x (execute) — run the file as a program or traverse the directory.

Example: -rwxr-xr--

  • Owner (u): rwx (all permissions)
  • Group (g): r-x (read and execute, no write)
  • Others (o): r-- (read only)

Step 2: Two Main Ways to Set Permissions

Method A: Symbolic (Letter) Mode

Convenient for adding or removing specific permissions without overwriting the others. Syntax: chmod [category][operator][permissions] file

  • Category: u, g, o, a (optional, defaults to a).
  • Operator: + (add), - (remove), = (set exactly).
  • Permissions: r, w, x.

Examples:

# Grant execute permission to everyone (u, g, o), subject to the umask
chmod +x script.sh

# Give owner write permission, remove write from group and others
chmod u+w,g-w,o-w important.conf

# Set permissions exactly: owner rw, group and others r
chmod u=rw,g=r,o=r document.txt
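
The operators under two different umask values, as an added example that is not part of the original guide: when the category is omitted, chmod leaves alone any bit that is set in the umask, so +x and a+x can give different results. The helper name sym_result is hypothetical, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example. sym_result is a hypothetical helper, not a standard tool.
# Usage: sym_result UMASK START_MODE SYMBOLIC_EXPR
# Prints the octal mode a scratch file ends up with.
sym_result() (
    umask "$1"                  # subshell body: the umask change stays local
    f=$(mktemp) || exit 1       # constructed scratch file
    chmod "$2" "$f" && chmod "$3" "$f" && stat -c '%a' "$f"
    rc=$?
    rm -f "$f"
    exit "$rc"
)

demo() {
    # umask 022: "+x" behaves like "a+x" because no x bit is masked.
    echo "umask 022, 644, +x   -> $(sym_result 022 644 +x)"
    # umask 077: "+x" only reaches the owner; group/other x bits are masked.
    echo "umask 077, 600, +x   -> $(sym_result 077 600 +x)"
    # An explicit category ignores the umask.
    echo "umask 077, 600, a+x  -> $(sym_result 077 600 a+x)"
    # "=" replaces each triad, whatever was there before.
    echo "umask 022, 777, u=rw,g=r,o=r -> $(sym_result 022 777 u=rw,g=r,o=r)"
}

demo
```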

Method B: Numeric (Octal) Mode

More compact, used to set the full permission set at once. Each permission type (rwx) corresponds to a digit:

  • r = 4
  • w = 2
  • x = 1
  • No permission = 0

The sum of these digits for each category (u, g, o) gives the final three-digit code.

Examples:

  • rwx = 4+2+1 = 7
  • rw- = 4+2+0 = 6
  • r-x = 4+0+1 = 5
  • r-- = 4+0+0 = 4

Common Codes:

  • 755 — Owner: full permissions (rwx). Group & Others: read & execute (r-x). Standard for executables and public directories.
  • 644 — Owner: read/write (rw-). Group & Others: read only (r--). Standard for regular text files (configs, HTML).
  • 700 — Only the owner has full permissions. Maximum isolation.
  • 777 — Full permissions for EVERYONE. Dangerous! Use only in extreme cases (e.g., a shared temporary directory).

How to use:

chmod 755 script.sh     # Set permissions to rwxr-xr-x
chmod 644 config.ini    # Set permissions to rw-r--r--
chmod 700 .ssh/         # Lock down the .ssh folder for everyone except the owner

Step 3: Working with Directories and Recursion

By default, chmod changes permissions only on the specified file. For directories and nested files, use the -R (recursive) flag.

Important: Recursively applying chmod to complex structures (e.g., /var/www or /home) can break the system if you set overly restrictive or overly permissive permissions. Always verify the path.

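# Recursively set rwxr-xr-x (755) on /opt/app and everything inside it
chmod -R 755 /opt/app

# Remove execute permission from all .txt files in the current folder and its subfolders
# (chmod -R a-x *.txt would only touch names the shell matches in the current folder)
find . -type f -name '*.txt' -exec chmod a-x {} +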

Tip: For directories, the x permission is necessary to access their contents. Often you need to combine: find /path -type d -exec chmod 755 {} \; (for directories) and find /path -type f -exec chmod 644 {} \; (for files).
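
What each recursive approach does to the same tree, as an added example that is not part of the original guide: a blanket chmod -R 755, the find pair from the tip, and capital X. The tree is constructed in a temporary directory, all function names are hypothetical, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example; every function name here is hypothetical.

# Constructed sample tree: one directory, one data file, one script.
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/conf"
    printf 'key=value\n' > "$t/conf/app.ini"
    printf '#!/bin/sh\necho ok\n' > "$t/run.sh"
    chmod 700 "$t/conf" "$t/run.sh"
    chmod 600 "$t/conf/app.ini"
    echo "$t"
}

mode_of() { stat -c '%a' "$1"; }

# Variant 1: blanket recursion; every regular file ends up executable.
blanket() { chmod -R 755 "$1"; }

# Variant 2: the find pair from the tip; no regular file stays executable.
split_by_type() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Variant 3: capital X gives x to directories and to files that already
# had an execute bit, so the script stays runnable and the data file does not.
keep_exec() { chmod -R u=rwX,go=rX "$1"; }

# Run one variant on a fresh tree; print "dir-mode data-mode script-mode".
try_variant() {
    t=$(make_tree) || return 1
    "$1" "$t"
    echo "$(mode_of "$t/conf") $(mode_of "$t/conf/app.ini") $(mode_of "$t/run.sh")"
    rm -rf "$t"
}

for v in blanket split_by_type keep_exec; do
    printf '%-14s %s\n' "$v" "$(try_variant "$v")"
done
```

Variant 3 also keeps x on a data file that was wrongly executable beforehand, so the find pair is the stricter reset when the starting state is unknown.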

Step 4: Special Bits (SUID, SGID, Sticky)

These rarely used but powerful bits are set with a fourth digit in numeric mode or via symbols (s, t).

  • SUID (Set User ID): 4xxx (e.g., 4755). When an executable file with SUID is run, it operates with the permissions of its owner, not the user who launched it. Example: /usr/bin/passwd.
    chmod 4755 /usr/bin/some_suid_binary
    # Or symbolic: chmod u+s /usr/bin/some_suid_binary
    
  • SGID (Set Group ID): 2xxx (e.g., 2775). For files: works like SUID but for the group. For directories: new files created in that directory inherit the directory's group, not the creating user's group. Useful for shared folders.
    chmod 2775 /shared/project_folder
    
  • Sticky Bit: 1xxx (e.g., 1777). In a directory with the sticky bit (/tmp is the classic example), a user can only delete or rename their own files, even if they have write permission on the directory.
    chmod 1777 /tmp
    # Or symbolic: chmod o+t /tmp
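
How the ls -l string, the octal digits from Step 2 and the special bits fit together, as an added example that is not part of the original guide: a converter from a permission string to a four-digit octal mode, where s or t in an execute position means "x plus the special bit" and S or T means the special bit without x. The function name sym2octal is hypothetical.

```sh
#!/bin/sh
# Added example; sym2octal is a hypothetical helper, not a standard tool.
# Input: a 9-character rwx string, optionally with the leading file-type
# character and the trailing '.' or '+' marker that ls -l may print.
sym2octal() {
    s=${1%[.+]}
    if [ "${#s}" -eq 10 ]; then s=${s#?}; fi      # drop the file-type character
    case $s in
        [r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;;
        *) echo "sym2octal: not a permission string: $1" >&2; return 1 ;;
    esac
    special=0
    digits=
    for weight in 4 2 1; do                       # 4 = SUID, 2 = SGID, 1 = sticky
        rest=${s#???}
        triad=${s%"$rest"}                        # next three characters
        s=$rest
        d=0
        case $triad in r??) d=$((d + 4)) ;; esac
        case $triad in ?w?) d=$((d + 2)) ;; esac
        case $triad in
            ??x)    d=$((d + 1)) ;;
            ??[st]) d=$((d + 1)); special=$((special + weight)) ;;
            ??[ST]) special=$((special + weight)) ;;   # special bit set, x missing
        esac
        digits=$digits$d
    done
    echo "$special$digits"
}

# Constructed sample strings, including the -rwxr-xr-- example from Step 1.
for p in -rwxr-xr-- -rwsr-xr-x drwxrwsr-x drwxrwxrwt -rwSr--r--; do
    printf '%s  %s\n' "$p" "$(sym2octal "$p")"
done
```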
    

Step 5: Practical Examples and Scenarios

  1. Make a script executable:
    chmod +x deploy.sh
    
  2. Prevent other users from reading a private file:
    chmod 600 ~/.ssh/id_rsa
    
  3. Allow the developers group to write to a shared project directory:
    chmod 775 /var/projects/myapp
    # Ensure the directory's group is 'developers': chgrp developers /var/projects/myapp
    
  4. Quickly open read and execute access for all (e.g., for public web content):
    chmod -R a+rX /var/www/html
    # The `X` (uppercase) flag sets `x` only on directories and on files that already have at least one `x`.
    
  5. Remove execute permission from all executable files in the bin folder:
    chmod a-x /home/user/bin/*
    

Verifying the Result

After applying chmod, always check the result:

ls -l [file_or_directory]

What to look for:

  1. The permission string (e.g., -rwxr-xr--).
  2. The link count (second column) for directories — after a recursive change, it shouldn't change drastically unless you modified sticky/SGID bits.
  3. Ensure the owner (chown) and group haven't changed accidentally.

Functional test: Try to perform the action for which you granted permission (e.g., run the script ./script.sh or write data to the file as another user, if that was the goal).
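
A whole tree can be checked for the modes this guide warns about (world-writable entries and SUID/SGID files), not just a single path. The scan below is an added example, not part of the original guide; audit_perms and make_sample are hypothetical names, the sample tree is constructed, and GNU find is assumed for -printf.

```sh
#!/bin/sh
# Added example; audit_perms and make_sample are hypothetical names.

# Report risky modes below a directory, one finding per line.
audit_perms() {
    # Regular files that any user can modify.
    find "$1" -xdev -type f -perm -0002 -printf 'WORLD-WRITABLE-FILE %m %p\n'
    # Directories any user can write to, with no sticky bit to stop users
    # from deleting or renaming each other's files.
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
        -printf 'WORLD-WRITABLE-DIR-NO-STICKY %m %p\n'
    # Files that run with their owner's or group's identity.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf 'SETID %m %p\n'
}

# Constructed sample tree: three findings plus two entries that must pass.
make_sample() {
    t=$(mktemp -d) || return 1
    touch "$t/ok.txt" "$t/open.txt" "$t/helper"
    mkdir "$t/dropbox" "$t/scratch"
    chmod 644 "$t/ok.txt"       # fine
    chmod 666 "$t/open.txt"     # world-writable file
    chmod 777 "$t/dropbox"      # world-writable, no sticky bit
    chmod 1777 "$t/scratch"     # world-writable but sticky, like /tmp
    chmod 4755 "$t/helper"      # SUID
    echo "$t"
}

sample=$(make_sample) && audit_perms "$sample"
rm -rf "$sample"
```

SETID findings are not automatically wrong (the guide's own example is /usr/bin/passwd); the point of the list is that each entry should be one you expect.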

Potential Issues

  • Operation not permitted or Permission denied: You are not the file's owner and are not working as root (sudo). Use sudo chmod ... or change the owner (sudo chown).
  • File doesn't become executable: You used chmod +x on a file that isn't a valid executable (e.g., a plain text file without a shebang #!/bin/bash or a binary file). Check its contents.
  • System becomes inaccessible after chmod -R: You accidentally removed x permissions from critical system directories (/bin, /usr, /etc). This can make commands unrunnable. Recovery: Boot into recovery mode or use a LiveCD and manually fix permissions. For Debian/Ubuntu, standard permissions can be restored via dpkg --get-selections | grep -E '^[^ ]+[[:space:]]+install$' | awk '{print $1}' | xargs dpkg -L | xargs chmod -c a+rX (this is a complex operation; it's better to search for specific packages).
  • chmod: changing permissions of ‘...’: Read-only file system: The filesystem is mounted in "read-only" mode (e.g., due to errors). You need to check and remount it with write permissions (mount -o remount,rw /), possibly running fsck.
  • Recursion (-R) doesn't follow symbolic links: By default, chmod -R does not traverse symbolic links. To change permissions on the files the links point to, rather than the links themselves, use chmod -R -h (not available on all implementations) or handle links separately with find.

F.A.Q.

What is chmod 777 and why is it dangerous?
How to give execute permissions to a script?
How does chmod differ from chown?
How to recursively change permissions on all files in a folder?

Hints

Check current permissions
Choose a method for setting permissions
Apply the chmod command
Verify the result