chmod Command in Linux: Permissions Guide

Quick take: The chmod command changes the read, write, and execute permissions of files and directories in Linux. You can set permissions either symbolically (chmod u+x file) or numerically (chmod 755 file). This guide covers both, plus recursive changes, special bits, and the safe defaults you should actually use.

Introduction

Every file and directory on a Linux system carries a set of permissions that decide who can read it, change it, or run it. The chmod command — short for change mode — is how you adjust those permissions. It is one of the most frequently used commands in day-to-day Linux administration, whether you are securing an SSH key, making a script executable, or fixing a "permission denied" error on a web server.

In this guide you will learn how Linux permissions are structured, how to change them with both symbolic and numeric notation, how to apply changes recursively, and which permission values are safe to use in production.

Understanding Linux File Permissions

Linux permissions apply to three classes of user: the owner (u), the group (g), and others (o) — everyone else. Each class can be granted three permission types: read (r), write (w), and execute (x).

Run ls -l to see them:

ls -l report.sh
-rwxr-xr-- 1 irfan devops 482 Jun 13 09:14 report.sh

Read the first ten characters left to right. The first character is the file type (- for a file, d for a directory). The next nine are three groups of rwx:

• rwx — the owner (irfan) can read, write, and execute.
• r-x — the group (devops) can read and execute, but not write.
• r-- — others can only read.

For directories, the meaning shifts slightly: execute means the ability to enter the directory (cd into it), and read means the ability to list its contents.

chmod Symbolic Mode

Symbolic mode is the most readable way to make a targeted change. It uses a class (u, g, o, or a for all), an operator (+ to add, - to remove, = to set exactly), and the permissions (r, w, x).

# Add execute permission for the owner
chmod u+x script.sh

# Remove write permission from group and others
chmod go-w config.conf

# Give everyone read and execute, nothing else
chmod a=rx public.sh

# Add execute for everyone (a is the default if omitted)
chmod +x deploy.sh

Symbolic mode is ideal when you only want to change one bit without touching the rest. chmod u+x adds execute for the owner and leaves every other permission exactly as it was.

chmod Numeric (Octal) Mode

Numeric (octal) mode sets all permissions at once using a three-digit number. Each digit represents one class — owner, group, others — and is the sum of these values:

• 4 = read (r)
• 2 = write (w)
• 1 = execute (x)

Add them up for each class. For example, read + write + execute = 4 + 2 + 1 = 7, while read + execute = 4 + 1 = 5.

# rwxr-xr-x  — owner full, group and others read+execute
chmod 755 deploy.sh

# rw-r--r--  — owner read+write, everyone else read
chmod 644 index.html

# rw-------  — owner read+write only (private)
chmod 600 ~/.ssh/id_rsa

These three values — 755, 644, and 600 — cover the vast majority of real-world cases. Memorise them and you will rarely need a permission calculator.

Recursive Permissions with -R

The -R (recursive) flag applies a mode to a directory and everything inside it:

chmod -R 755 /var/www/mysite

Be careful: applying a file mode like 644 recursively will strip the execute bit from subdirectories, which then can no longer be entered. The safe pattern is to set files and directories separately using find:

# Directories get 755, files get 644
find /var/www/mysite -type d -exec chmod 755 {} \;
find /var/www/mysite -type f -exec chmod 644 {} \;

Common chmod Examples

A quick reference for the changes you will reach for most often:

# Make a shell script runnable
chmod +x backup.sh

# Lock down a private SSH key (required by ssh)
chmod 600 ~/.ssh/id_rsa

# Standard permissions for a web directory
chmod 755 /var/www/html

# Standard permissions for a web file
chmod 644 /var/www/html/index.html

# Make a directory accessible only to its owner
chmod 700 ~/private

# Remove execute from a file for everyone
chmod a-x notes.txt

Special Permissions (setuid, setgid, sticky)

Beyond the standard nine bits, Linux has three special permissions, set with a leading fourth digit (4 = setuid, 2 = setgid, 1 = sticky):

• setuid (4) — a program runs with the file owner's privileges. Used by tools like passwd.
• setgid (2) — files created in a directory inherit the directory's group. Useful for shared project folders.
• sticky bit (1) — in a shared directory, only a file's owner can delete it. This is why /tmp uses 1777.

# setgid on a shared directory
chmod 2775 /srv/shared

# sticky bit on a public-writable directory
chmod 1777 /srv/uploads

chmod Best Practices and Security

Permissions are a core security control, so treat them deliberately:

• Never use 777. It lets any user modify or run the file. Use the least permission that works.
• Files 644, directories 755 is a safe default for web content and most shared data.
• Private keys and secrets get 600 (or 700 for their directory). Many tools refuse to use a key that is group- or world-readable.
• Prefer symbolic mode for one-off tweaks so you do not accidentally reset other bits.
• Test recursive changes on a copy first — a wrong chmod -R on a system directory can break logins or services.

Final Thoughts

The chmod command becomes second nature once you internalise two things: the 4-2-1 values behind octal notation, and the safe defaults 644, 755, and 600. Symbolic mode handles precise, single-bit changes; numeric mode sets everything at once. Pair chmod with chown to control both what users can do and who owns each file, and you have the foundation of Linux file security.