Understanding Linux Permissions


Linux is a multiuser operating system. In a multiuser environment, it is necessary to ensure that a user cannot access or modify files or directories that they arent supposed to. File permissions provide a protection mechanism for controlling access to files and directories.

Linux's file security model is based on that of Unix. Each file or directory can be accessed or modified by the user who created it, or a group of users who have been given permission to do so. Permissions can also be defined for other users that do not belong to either of these two categories.

In this guide, we will go over how file permissions work in Linux for beginners. We'll cover how you can view the permissions associated with files and directories and also how you can change them.


To follow this guide, you’ll need access to a Linux or Mac machine. You’ll need some familiarity with using the terminal to execute commands.

If you aren’t familiar with using the terminal, feel free to take advantage of the resources available at Linux Academy to get up to speed. These resources are listed at the end of this guide.

Getting Started

Before we delve deeper into permissions, there are a few concepts to cover. As mentioned before, the file or directory can be accessed or modified by the user who created it (the owner), a group of users who are allowed to do so, or other users who aren’t either of the two. There are three types of permissions — read, write, and execute. Let’s look at all of these in detail.


Users are people who use the operating system. The operating system recognizes each user by their unique user ID or uid. This information is stored in the /etc/passwd file. Each line in this file contains information about the users of system such as their username, uid, group ID, their home directory, etc.


Groups are a collection of users. For example, the users from the accounts department can be added to the accounts group. Grouping users together makes it easier to manage permissions. For example, when the accounts group is given read-only access to a certain file, all the users in that group are automatically given that access. This is simpler than having to individually assign permissions to each user who is in the accounts department.

Information about groups is stored in /etc/group file. Each line of this file contains information like the name of the group, the ID of the group or gid, the username of the members, etc.

Types of Permissions

There are three types of permissions - read, write, and execute. Read permission allows the user to view the contents of a file. Write permission allows the user to overwrite or append new data to the file or delete it. The execute permission allows the user to execute the code contained in the file.

Now that we have covered some of the basics, let’s go ahead with viewing and modifying permissions.

Viewing Permissions

Open your terminal and execute the following command:

me@home:~$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2627 Aug 1 16:55 /etc/passwd

passwd is a regular file so the first character is a dash. The next three characters show the permissions for the owner - read, write, but not execute. The next three characters show the permission for the group - only read. All other users can only read the file. The first ‘root’ is the name of the owner and the second ‘root’ is the name of the group whose users can read this file. 

Now execute the following command:

me@home:~$ ls -l /bin/ls
-rwxr-xr-x 1 root root 126584 Feb 18 2016 /bin/ls

The command executed above shows the permissions associated with the ls command. The last r-x means that everybody is allowed to execute the code inside it. Finally, execute the following command:

me@home:~$ ls -l /
drwxr-xr-x 2 root root 12288 Oct 21 23:06 bin

We’re listing everything in the / directory. The output shows the permissions for the /bin directory. Since it is a directory, the first character is “d”.

The permissions are stored in the inode associated with the file or directory. The permissions take 9 bits; 3 for each of user, owner, and others.

Changing Permissions

chmod (change mode) command is used to change the permissions associated with a file or directory. The permissions can be changed either by using numeric or alphanumeric options along with chmod. Let’s begin by creating a file and changing its permissions. Execute the following commands:

me@home:~$ touch script.sh
me@home:~$ ls -l script.sh
-rw-rw-r-- 1 me me 0 Oct 28 11:09 script.sh

The touch command made an empty file named script.sh. The file has been created with permissions rw-rw-r--. This is a script file in which we’ll write some commands a little later. To execute the script, we need to add the execute permission. Execute the following commands:

me@home:~$ chmod 755 script.sh
me@home:~$ ls -l script.sh
-rwxr-xr-x 1 me me0 Oct 28 11:09 script.sh

To use chmod, you specify the permissions to be associated with the file and the path to the file. Since the file is in the same directory as we are, we just specify the name. The permissions here are represented by 755. This gives read, write, and execute permission to the owner, and read and execute permissions to the group and others. Here’s what the numbers mean:

0 - No permissions granted.

4 - Read permission granted.

2 - Write permission granted.

1 - Execute permission granted.

Since we want to give the owner read, write, and execute permissions, we add together 4, 2, and 1 and specify a 7 in the first place. Similarly, we specify a 5 for group and others to give them read and execute permission.

The permissions always follow the order of user, group, and others. So the first 7 applies to the user, the 5 applies to the group and the last 5 applies to others.

Permissions can be written using the alphanumeric options as:

me@home:~$ chmod u+rwx,g+rx,o+rx script.sh

The + and - operators are used to either add or remove permissions. The different combinations can be separated by commas or can be grouped together. The above command can be written more compactly as:

me@home:~$ chmod u+rwx,go+rx script.sh

Here, group and others will be given the read and execute permission. When using alphanumeric options, user is represented by u, group by g, and others by o. The read permission is represented by r, write by w, and execute by x.

What style you use is just a matter of preference.

Now, execute the following:

me@home:~$ echo "echo hello" >> script.sh
me@home:~$ ./script.sh

Without the appropriate permissions, you wouldn’t have been able to execute the script.

bash: ./script.sh: Permission denied

We’ve only modified the permissions associated with the file script.sh. Permissions are also associated with directories. However, since directories are different from files, each of the permissions means something different. Here’s a quick comparison of how the permissions differ in meaning when associated with a file or a directory:


File - View the contents of the file.

Directory - See the files, directories, and subdirectories.


File - Overwrite or append new content. Delete the file.

Directory - Add or remove files and directories.


File - Run the code within the file.

Directory - Navigate into the directory, execute program within a directory.

Default Permissions

When we create a file, it’s given a permission of rw-rw-r-- by default and a directory is given the permissions rwxrwxr-x. These permissions are determined by umask. The umask command is used to view or set the file creation mask. Execute the following command to view the default umask:

me@home:~$ umask
me@home:~$ 0002

Ignoring the first 0, the umask value of 002 maps to the permission 755 (rwxrwxr-x) for a directory and 644 (rw-rw-r--) for a file. We can also change the default permissions associated with files and directories by using the umask command. Execute the following commands:

me@home:~$ umask 777
me@home:~$ touch script2.sh
me@home:~$ ls -l script2.sh
me@home:~$ ---------- 1 me me 0 Oct 28 16:35 script2.sh

As you can see, the default permissions have changed. These changes to default permission, however, are temporary. If you close and reopen the terminal to create a new file or directory, they will be created with the default permissions that were mentioned earlier. If you want to make the umask permanent, add it to your ~/.bashrc file.

Access Control Lists

Sometimes, basic file and directory permissions aren’t enough and you need a more flexible way to set permissions. Access Control Lists, or ACL for short, provide a more robust and flexible way to assign permissions. ACL allow a user to give permissions to other

setfacl is used to set an ACL for a file and getfacl is used to view it. Only the owner of the file can change the ACL associated with it.

Note that the file system must be mounted with ACL enabled for them to be used.

Viewing ACL

To view the ACL associated with the script file, execute the following command:

me@home:~$ getfacl -l script.sh
# file: script.sh
# owner: me
# group: me

Setting ACL

To set the ACL for the file, use the setfacl command. You modify the ACL by using the -m flag and remove the ACL using the -x flag.

The following command gives the user john read, write, and execute access to the script file.

me@home:~$ setfacl -m u:john:rwx script.sh
me@home:~$ getfacl script.sh
# file: script.sh
# owner: me
# group: me

The u indicates that the ACL permissions are being modified for a user. This is followed by the username and the permissions to grant.

You can also set group permissions using setfacl using the g flag. The following command gives the accounts group read, write, and execute access to the script file.

me@home:~$ setfacl -m g:accounts:rwx script.sh
me@home:~$ getfacl script.sh
# file: script.sh
# owner: me
# group: me

Running ls -l on the script file will show you an additional + being displayed along with the permissions. This indicates that an ACL is associated with this file

me@home:~$ ls -l script.sh
-rwxrwxr-x+ 1 me me 0 Oct 28 21:31 script.sh

Removing ACL

You can remove an existing permission using the -x flag. To remove the user john, execute the following command:

me@home:~$ setfacl -x u:john script.sh

Similarly, you can remove a group using the g option followed by the name of the group.

me@home:~$ setfacl -x g:accounts script.sh

This brings us to the end of the guide on Linux permissions. The following section lists the resources available on Linux Academy that will help you with this guide.

Additional Resources

If you are new to the Linux operating system, take a look at the Linux Essentials course available at Linux Academy. The course will give you a basic understanding of Linux and give you a gentle introduction to the command line.


If you’d like to master the terminal, have a look at Mastering Linux Command Line:


To take your skills to the expert level, take a look at Linux by Example from Novice to Pros:


Of course, Linux Academy offers a wide range of online training in Linux and many other topics like AWS, DevOps, Azure, and Big Data

  • post-author-pic
    Terrence C

    Great guide!

  • post-author-pic
    David G

    Very good! Congrats! :)

  • post-author-pic
    Evan L

    Great job!  For completeness, you may want to mention the 't' bit on directories, used so that only the owner of the file can delete or rename a file.  This bit is usually set on shared directories like /tmp.   The 's' setuid/setgid bit could be mentioned for completeness.  And my favorite addition to chmod ... +X, when X is capital, it means to only set execute permission on directories, not anything else.  Very useful for recursive permission changes!

  • post-author-pic
    Sola O

    Thanks a lot for this very well done Guide! *clap *clap . The ACCESS CONTROL LISTS section, I don't see that as being part of the LA Linux Essentials Course or as an objective on the official LPI site for the Linux Essentials exam, but i'll learn it anyway. Thanks again Fasih.

  • post-author-pic
    Ofrates C. S

    Great job! thanks a lot for sharing this information.

  • post-author-pic
    Surya Prathap P

    Thanks  , I believe this line needs to be corrected.

    the umask value of 002 maps to the permission 755 (rwxrwxr-x) for a directory and 644 (rw-rw-r--) for a file

    the umask value of 002 maps to the permission 775 (rwxrwxr-x) for a directory and 664 (rw-rw-r--) for a file

  • post-author-pic
    Harlan R

    Great information, well documented. 

  • post-author-pic
    Georgi N

    Very helpful!

  • post-author-pic
    Richard P

    I refer to this a lot still, but it's kinda like a little cheat sheet for me. Love it.

  • post-author-pic
    Nasser A

    Good tutorial :+1

  • post-author-pic
    Martin M

    Good guide, clear explanation. :-)

  • post-author-pic
    Jonatas P

    very useful!!

  • post-author-pic
    Eduardo L

    Very nice, Thanks.

  • post-author-pic
    Thy L

    Wow, it is very userful for me 

  • post-author-pic
    Hunter F

    Awesome! Thank you for your contribution! 

  • post-author-pic
    Matt S

    Nice job on this guide, Fasih!

  • post-author-pic
    Thy L

    I am Linix Beginer and I agree with Surya Prathap Pendyala "the umask value of 002 maps to the permission 775 (rwxrwxr-x) for a directory and 664 (rw-rw-r--) for a file"; It is the very userful for me thank so much for sharing your idea. 

  • post-author-pic
    Aditi G

    umask 002 = 775 or 755 for drectories?

  • post-author-pic
    Marc M

    My understanding is that 002 will correspond to 775 because the permissions and the mask will always add up to 777 (as a way to double check). 

  • post-author-pic
    Aditi G

    Thank you Marc for clarifying :) In the section 'Default Permissions' of this article, you will need to make corrections. There is a typo I believe as you have mentioned 755.

  • post-author-pic
    Hunter F

    Awesome Guide!!! 

  • post-author-pic
    Dante M

    Great guide for a long times Window user!!!  Made a few things simple for me!! Great job dude! Thnx

  • post-author-pic
    Gerlando L

    Great work! 

    Why don't you add also a section about special file permissions? (I mean setuid, setgid and Sticky Bit) 

  • post-author-pic
    Lane W

    This is a super helpful guide. Thank you!

  • post-author-pic
    Iain R

    Just to check - it states "the umask value of 002 maps to the permission 755 (rwxrwxr-x) for a directory and 644 (rw-rw-r--) for a file" should this not be 775 and 664? The umask 002 only changes the Other permission doesn't it? 

  • post-author-pic
    Umapathy R

    Excellent guide for a quick 15 mins read., Loved it

  • post-author-pic
    Scott S

    Very helpful. Thank you.

  • post-author-pic
    Cameron T

    Could a section to this page be added to explian how umask works? I would like to know why a umask of 002 equates to permissions of 755. 

  • post-author-pic
    Russell P

    Clear and concise presentation!  Thanks;-]

  • post-author-pic
    Robert N

    I really enjoyed this post, thank you so much!!!

  • post-author-pic
    Gurpreet S

    To the point. :)

  • post-author-pic
    Cnpl S

    great tutorial. :)

  • post-author-pic
    Nayana H

    Great Tutorial !

  • post-author-pic
    Ramanan S

    Better you include linux special file permission (set UID, set GID and sticky bit)

  • post-author-pic
    Andrey R

    Yeah, with special file permissions it will be a full guide about linux file permissions)

  • post-author-pic
    Kerwin S

    Short and to the point. Excellent article  Fasih.

  • post-author-pic

    short explanation with examples , its good.

  • post-author-pic
    Ofrates S

    Great article...

  • post-author-pic
    Valerie H

    Thank you!

  • post-author-pic
    Roy P

    Thank you for this. Just a note on an error I experienced. Running getfacl with the -l (ell flag) did not work and produced an error. Running getfacl without the flag worked perfectly though. Thanks again.

  • post-author-pic

    This is a really great document. Do you happen to have this as a PDF or word Doc. I would love to be able to print this and use it as a reference.

  • post-author-pic
    Chen T

    super clear , super good !

  • post-author-pic
    Bob S

    Wow, what a great document! Well done Fasih!

  • post-author-pic
    Denise L

    very nice!

  • post-author-pic
    Michael C

    I love the community guides. Good job. We have two new Engineers, both transitioning from heavy Windows into Linux oriented workloads, referring them to the community generated guides makes my life easier.   :)

  • post-author-pic
    Teddy B

    Great reminder. Thanks a lot !

    I think there's a mistake in the "default permissions" paragraph :
    755 (rwxrwxr-x) for a directory and 644 (rw-rw-r--)...
    It should be : 
    755 (rwxr-xr-x) for a directory and 644 (rw-r--r--)...

Looking For Team Training?

Learn More