Introduction / Why This Matters
In Linux, permissions are a fundamental security mechanism. They define who can read, modify, or execute files and directories. Misconfigured permissions can lead to leaks of sensitive data, program errors, or an inability to share resources. This guide will help you master the full cycle of permission management: from viewing current settings to fine-tuning with ACLs. You'll be able to secure your system and flexibly configure access for different users and groups.
Requirements / Preparation
Before you begin, ensure you have:
- Access to a Linux terminal (any distribution: Ubuntu, CentOS, Debian, Arch, etc.).
- Basic command-line skills (navigation, file creation).
- Administrator privileges (sudo) to change ownership (chown) and set some advanced permissions (ACL). For basic chmod, sudo is usually not required if you are the file's owner.
Step 1: Understanding Current Permissions
Before changing anything, you need to know how to read the current settings. The main command is ls -l. It displays detailed information about files.
$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2564 Feb 16 10:30 /etc/passwd
Let's break down the output:
- -rw-r--r--: the permission string (10 characters).
  - First character (-): file type (- is a regular file, d is a directory, l is a symlink).
  - The next 9 characters are split into three triplets of 3 characters: owner (user), group, others.
  - r is read, w is write, x is execute, - means the permission is absent.
  - Example: rw- means read and write, but no execute.
- 1: number of hard links.
- root root: file owner and group.
- 2564: size in bytes.
- Feb 16 10:30: last modification date and time.
- /etc/passwd: file name.
Key rule: Permissions are applied in order: owner > group > others. The system checks who you are (owner, group member, or neither) and applies the first matching triplet.
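The key rule has a consequence that is easy to miss: the first matching class wins even when it grants less than a later one. The script below is an added example, not part of the original guide; the function names perm_class and triplet are hypothetical, and it assumes GNU stat. It reports which class applies to a user and what that class allows.

```sh
#!/bin/sh
# Added example (not from the original guide). Assumes GNU stat (coreutils).

# triplet DIGIT: turn one octal digit (0-7) into its rwx string.
triplet() {
    d=$1; s=
    if [ $((d & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $((d & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $((d & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s\n' "$s"
}

# perm_class FILE [USER]: print which class (owner, group, others) is
# selected for USER (default: the caller) and that class's rwx triplet.
perm_class() {
    file=$1
    meta=$(stat -c '%u %g %a' -- "$file") || return 1
    if [ -n "${2:-}" ]; then
        uid=$(id -u "$2") && gids=$(id -G "$2") || return 1
    else
        uid=$(id -u); gids=$(id -G)
    fi
    set -- $meta              # $1 = owner uid, $2 = group gid, $3 = octal mode
    class=others; digit=$(( $3 % 10 ))
    for gid in $gids; do
        if [ "$gid" = "$2" ]; then class=group; digit=$(( ($3 / 10) % 10 )); fi
    done
    # The owner test comes first: a match wins even if it grants less.
    if [ "$uid" = "$1" ]; then class=owner; digit=$(( ($3 / 100) % 10 )); fi
    echo "$class $(triplet "$digit")"
}

# Constructed demo: the owner gets nothing, group gets r--, others get rwx.
demo=$(mktemp)
chmod 047 "$demo"
perm_class "$demo"            # prints: owner ---
rm -f "$demo"
```

The result describes the mode bits only; root is not bound by them, and ACLs (Step 4) add further entries to the check.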
Step 2: Changing Owner and Group (chown Command)
Often you need to change who owns a file. This is done with the chown command.
Basic syntax:
sudo chown [new_owner] [file]
Examples:
# Change only the owner
sudo chown alice script.sh
# Change both owner and group
sudo chown alice:developers script.sh
# Change only the group (owner remains the same)
sudo chown :developers script.sh
# Recursively for a directory and all its contents
sudo chown -R alice:developers /project/
⚠️ Important: Changing the owner almost always requires sudo privileges. A regular user cannot "take" a file from another user.
Step 3: Changing Permissions (chmod Command)
The most common operation is setting rwx permissions. This is done with the chmod command. There are two main methods: numeric (octal) and symbolic.
Numeric (Octal) Mode
Here, each position (owner, group, others) is set with a digit from 0 to 7, which is the sum of values: r=4, w=2, x=1.
| Digit | Permissions (rwx) |
|---|---|
| 0 | --- |
| 1 | --x |
| 2 | -w- |
| 3 | -wx |
| 4 | r-- |
| 5 | r-x |
| 6 | rw- |
| 7 | rwx |
Example:
# Give owner full permissions (rwx=7), group and others read and execute (r-x=5)
chmod 755 script.sh
# Allow full access to everyone (UNSAFE, only for shared folders!)
chmod 777 shared_folder/
# Owner: read/write, group: read-only, others: none
chmod 640 config.conf
Symbolic Mode
A more flexible method where you explicitly specify for whom (u — user, g — group, o — others, a — all) and which permissions (r, w, x) to add (+), remove (-), or set exactly (=).
Examples:
# Add execute (x) for the owner
chmod u+x script.sh
# Remove write (w) from group and others
chmod go-w important.log
# Give group full permissions (rwx), others read-only
chmod g=rwx,o=r file.txt
# Set exact permissions: owner rwx, group and others r-x
chmod a=rx,u+w file.sh # equivalent to 755
Step 4: Advanced Permissions (ACL)
The standard model (owner/group/others) is often insufficient. For fine-grained control (e.g., giving a specific user ivan access to a particular file), Access Control Lists (ACL) are used.
- Check if ACL support is enabled on your partition (usually enabled by default for ext4):
  mount | grep ' / ' | grep acl
  If there is output, you're good. On ext4, acl is often a default mount option that this listing does not show, so no output does not by itself mean ACLs are unavailable.
- Set an ACL for the file report.pdf so that user ivan can read and write it:
  sudo setfacl -m u:ivan:rw- report.pdf
- View the current ACL:
  getfacl report.pdf
  The output will include the standard permissions and a line with the custom setting: user:ivan:rw-
- Remove an ACL for a user:
  sudo setfacl -x u:ivan report.pdf
💡 Tip: ACLs are especially useful for shared network folders (/srv/share), where you need to grant access to several specific users without creating separate groups.
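When reviewing getfacl output, the granted permissions in a user:ivan line are not always what the user actually gets: the mask entry caps every named user, named group and the owning group, and a later chmod on the group bits changes that mask. The script below is an added example, not part of the original guide, and goes one step beyond the text by computing effective rights; acl_effective and sample_acl are hypothetical names, and the getfacl output is constructed (alice and devs are made-up owners).

```sh
#!/bin/sh
# Added example (not from the original guide).
# acl_effective: read getfacl output on stdin and print, for every entry
# the mask applies to, "<entry> <granted> <effective>".
acl_effective() {
    awk -F: '
        /^#/ || NF < 3 { next }              # header comments, blank lines
        { sub(/[ \t]*#.*/, "", $3) }         # drop a trailing "#effective:" note
        $1 == "mask" { mask = $3; next }
        # The mask limits named users, named groups and the owning group,
        # but not the owner (user::) or other::.
        ($1 == "user" && $2 != "") || $1 == "group" {
            n++; tag[n] = $1 ":" $2; perm[n] = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = ""
                for (k = 1; k <= 3; k++) {
                    bit = substr(perm[i], k, 1)
                    if (mask != "" && substr(mask, k, 1) == "-") bit = "-"
                    eff = eff bit
                }
                print tag[i], perm[i], eff
            }
        }'
}

# Constructed getfacl output: ivan was granted rw-, but the mask is r--.
sample_acl() {
    cat <<'EOF'
# file: report.pdf
# owner: alice
# group: devs
user::rw-
user:ivan:rw-
group::r--
mask::r--
other::---
EOF
}

sample_acl | acl_effective    # first line printed: user:ivan rw- r--
```

On a real file, pipe the output of getfacl into acl_effective; any entry whose third column is narrower than its second is being limited by the mask.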
Step 5: Practical Examples
Now let's apply our knowledge to common tasks.
Example 1: Make a script executable
You have a script deploy.sh, but running ./deploy.sh gives "Permission denied".
# 1. Check current permissions
ls -l deploy.sh
# Output: -rw-r--r-- 1 user user 1234 ... deploy.sh (no x)
# 2. Add execute permission for the owner
chmod u+x deploy.sh
# 3. Verify the result
ls -l deploy.sh
# Output: -rwxr--r-- 1 user user 1234 ... deploy.sh
Example 2: Allow write access for the developers group
You want all members of the devs group to be able to edit the file config.ini.
# 1. Ensure the file belongs to the devs group
ls -l config.ini
# Output: -rw-r--r-- 1 alice devs ... config.ini
# 2. If the group is already devs, simply give the group write permission
chmod g+w config.ini
# Permissions now: -rw-rw-r-- (664). Group devs can read and write.
# 3. (Optional) If others should have no access to the file
chmod o-r config.ini
# Final: -rw-rw---- (660)
Example 3: Create a secure shared folder with sticky bit
You are creating a folder /shared/uploads where everyone can upload files, but only they themselves or root can delete them.
mkdir /shared/uploads
# Give everyone write and read access (for uploading)
chmod 777 /shared/uploads
# Enable sticky bit (t in permissions for "others")
chmod +t /shared/uploads
# Check: drwxrwxrwt (last character is 't' instead of 'x')
ls -ld /shared/uploads
Now any user can create a file in this folder, but cannot delete or rename a file created by another user.
Verification
After making changes, always verify:
- Basic permissions: ls -l [file/directory]. Ensure owner, group, and triplets (rwx) match expectations.
- ACL (if used): getfacl [file]. Check for presence and correctness of user:[name]:[permissions] entries.
- Functionality: Try to perform the action as the intended user (e.g., read, write, or execute the file). For testing, you can use sudo -u [user] [command].
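Checking one file at a time misses leftovers such as a chmod 777 directory where the sticky bit from Example 3 was forgotten. The script below is an added example, not part of the original guide; audit_world_writable is a hypothetical name and the directory tree it runs on is constructed. It sweeps a tree for world-writable directories without the sticky bit and for world-writable files.

```sh
#!/bin/sh
# Added example (not from the original guide).
# audit_world_writable DIR: report entries under DIR that any local user
# can modify.
#   NOSTICKY <dir>   world-writable directory without the sticky bit
#   WWFILE   <file>  world-writable regular file
audit_world_writable() {
    dir=$1
    # -perm -0002: the "others" write bit is set.
    # ! -perm -1000: the sticky bit is not set.
    find "$dir" -xdev -type d -perm -0002 ! -perm -1000 | sed 's/^/NOSTICKY /'
    find "$dir" -xdev -type f -perm -0002 | sed 's/^/WWFILE /'
}

# Constructed tree for the demo.
root=$(mktemp -d)
mkdir "$root/uploads" "$root/dropbox"
chmod 1777 "$root/uploads"        # Example 3 layout: world-writable + sticky
chmod 777 "$root/dropbox"         # sticky bit forgotten
: > "$root/config.conf"; chmod 666 "$root/config.conf"
: > "$root/notes.txt";   chmod 644 "$root/notes.txt"

audit_world_writable "$root"      # reports dropbox and config.conf only
rm -rf "$root"
```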
Common Issues
- Operation not permitted error with chown or chmod:
  - You didn't use sudo (if changing a file you don't own).
  - The filesystem is mounted with nosuid or nodev options (rare).
  - The file has the immutable flag set (chattr +i file). Remove it: sudo chattr -i file.
- ACLs are not applied:
  - The filesystem does not support ACLs (see Step 4). You need to remount with the acl option.
  - You didn't use sudo for setfacl (required to modify ACLs on other users' files).
- chmod changes don't affect access:
  - You are trying to change permissions on a file located on a mounted network resource (NFS, Samba). Permissions may be managed server-side.
  - You are not the file's owner and you don't have sudo.
- Access is still denied after chmod 777:
  - Check SELinux/AppArmor. They can block access regardless of standard permissions. Temporarily disable for diagnosis (not in production!): sudo setenforce 0 (for SELinux).