File Permissions Explained
A misconfigured file permission is one of the most common causes of two completely opposite problems on Ubuntu: a service failing because it cannot read its own config file, and a security breach because a sensitive file was readable by everyone. Understanding permissions properly — not just copying chmod 777 and moving on — is a foundational skill.
Reading permissions with ls
# View permissions for a file
ls -la /etc/nginx/nginx.confOutput
-rw-r--r-- 1 root root 1823 Jun 10 09:00 /etc/nginx/nginx.conf
↑↑↑↑↑↑↑↑↑↑
│└────────┘└── Group permissions (r--)
│ └──────── Owner permissions (rw-)
└────────────── File type (-=file, d=dir, l=symlink)The 10-character permission string breaks down as:
- r w - r - - r - -
↑ ↑↑↑ ↑↑↑ ↑↑↑
│ │││ │││ └── Others: read only
│ │││ └────── Group: read only
│ └────────── Owner: read + write
└──────────── File type: regular file (-)The three permission sets
| Set | Applies to | Example |
|---|---|---|
| Owner (user) | The user who owns the file | root owns /etc/passwd |
| Group | Members of the file’s group | www-data group for web files |
| Others | Everyone else on the system | All other users |
# See who owns a file and what group it belongs to
stat /etc/nginx/nginx.confOutput (relevant lines)
File: /etc/nginx/nginx.conf
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)Permission bits explained
Each permission set has three bits: read (r), write (w), and execute (x). The meaning of each bit depends on whether it is applied to a file or a directory.
| Bit | On a file | On a directory |
|---|---|---|
r (4) | Can read file contents | Can list directory contents (ls) |
w (2) | Can modify file contents | Can create, delete, rename files in the directory |
x (1) | Can execute as a program | Can enter the directory (cd) and access files inside |
The octal (numeric) notation represents each permission set as a number 0–7:
| Octal | Binary | Symbolic | Meaning |
|---|---|---|---|
| 7 | 111 | rwx | Read, write, execute |
| 6 | 110 | rw- | Read and write |
| 5 | 101 | r-x | Read and execute |
| 4 | 100 | r-- | Read only |
| 3 | 011 | -wx | Write and execute (rare) |
| 2 | 010 | -w- | Write only (rare) |
| 1 | 001 | --x | Execute only (rare) |
| 0 | 000 | --- | No permissions |
So chmod 644 means: owner=rw (6), group=r (4), others=r (4).
Changing permissions with chmod
# Octal notation (most common in practice)
chmod 644 config.conf # -rw-r--r-- (config files)
chmod 755 script.sh # -rwxr-xr-x (executable scripts)
chmod 700 private.key # -rwx------ (private files, owner only)
chmod 600 ~/.ssh/id_rsa # -rw------- (private SSH key)
# Apply recursively to a directory
chmod -R 755 /var/www/html
# Symbolic notation (easier to read for small changes)
chmod u+x script.sh # Add execute for owner
chmod g-w file.txt # Remove write from group
chmod o-r secret.txt # Remove read from others
chmod a+r public.txt # Add read for all (owner, group, others)
# View result
ls -la config.conf⚠️ WARNING: Never use
chmod 777on files in a web directory. It gives every user on the system (and potentially code running as the web server) the ability to write to those files. The correct permissions for web content are typically644for files and755for directories, with the owner set to the deployment user, notwww-data.
Changing ownership with chown
# Change the owner of a file
sudo chown irfan file.txt
# Change owner and group
sudo chown irfan:developers file.txt
# Change only the group
sudo chown :www-data /var/www/html
# Change owner recursively on a directory
sudo chown -R www-data:www-data /var/www/html
# Verify the change
ls -la /var/www/htmlOutput
drwxr-xr-x 2 www-data www-data 4096 Jun 10 09:00 /var/www/htmlA common production pattern for web applications: the deployment user owns the files (so they can update them), and www-data is the group with read access. The web server never needs write access to serve files.
Special permissions: SUID, SGID, sticky bit
Beyond the basic rwx bits, three special permission bits alter execution behaviour:
| Bit | Octal | On executable files | On directories |
|---|---|---|---|
| SUID (Set UID) | 4000 | Run as the file’s owner, not the calling user | No standard effect |
| SGID (Set GID) | 2000 | Run as the file’s group | New files inherit the directory’s group |
| Sticky bit | 1000 | No standard effect | Only the owner can delete files they own |
# SUID example: /usr/bin/passwd runs as root even when called by a normal user
ls -la /usr/bin/passwdOutput
-rwsr-xr-x 1 root root 59976 Jan 1 09:00 /usr/bin/passwd
↑
s = SUID bit set (runs as root)# Sticky bit example: /tmp — users can only delete their own files
ls -la / | grep tmpOutput
drwxrwxrwt 20 root root 4096 Jun 10 09:00 tmp
↑
t = sticky bit (only file owners can delete)# Find all SUID files on the system (security audit)
find / -perm /4000 -type f 2>/dev/null
# Set SGID on a shared directory
chmod 2775 /srv/shared
# New files created here inherit the directory's groupCommon permission patterns
| Use case | Permissions | Command |
|---|---|---|
| Web content files | -rw-r--r-- | chmod 644 |
| Web content directories | drwxr-xr-x | chmod 755 |
| Shell scripts | -rwxr-xr-x | chmod 755 |
| Private config files (keys, passwords) | -rw------- | chmod 600 |
| SSH private key | -rw------- | chmod 600 |
| SSH authorized_keys | -rw------- | chmod 600 |
| User home directory | drwx------ | chmod 700 |
| Shared team directory | drwxrwsr-x | chmod 2775 |
Conclusion
File permissions control who can read, write, and execute every file on the system. The octal notation — 644 for config files, 755 for scripts and directories, 600 for private keys — is what you will use every day. When a service fails to start, check file ownership and permissions on its config files first. When tightening security, use find / -perm /4000 to audit SUID files and remove any that should not be there.
FAQ
Why should administrators understand File Permissions Explained?+
Because this topic affects planning decisions, server lifecycle, compatibility, support expectations, or how you reason about Ubuntu systems before making operational changes.
Do I need a lab for this topic?+
A lab is useful for checking commands and seeing the concept on a real Ubuntu machine, but the main value is understanding the decision, tradeoff, or system behavior clearly.
How should I use this knowledge in production?+
Use it to make better choices, document why those choices were made, and avoid rushed changes that ignore support windows, compatibility, stability, or operational risk.
Need help with Ubuntu administration?
Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.
Hire Me for Support