File Permissions and Ownership (chmod, chown, umask)

Linux file permissions and ownership form the foundation of system security. Understanding how to properly manage who can read, write, and execute files is crucial for system administration, security, and multi-user environments. This guide covers chmod, chown, and umask with practical examples.

Understanding Linux File Permissions

When you run ls -l, you see permission information like this:

-rw-r--r-- 1 user group 2048 Nov 18 10:30 example.txt

User (Owner)

The user who owns the file. Has three permission bits: rwx

Read, Write, Execute permissions for the file owner.

Group

The group associated with the file. Has three permission bits: r-x

Permissions for users in the file's group.

Others (World)

All other users on the system. Has three permission bits: r--

Permissions for everyone else.

Permission Types Explained

Symbol  Permission     File                 Directory                         Octal
r       Read           View file content    List directory contents           4
w       Write          Modify file content  Create/delete files in directory  2
x       Execute        Run as program       Access directory (cd into it)     1
-       No permission  Cannot access        Cannot access                     0

Octal Notation System

Permissions are often represented using octal (base-8) numbers:

rwx r-x r-- = 111 101 100 = 7 5 4
User: rwx (4+2+1=7), Group: r-x (4+0+1=5), Others: r-- (4+0+0=4)

Quick Reference: Common permission combinations:

  • 755 - Owner: rwx, Group: r-x, Others: r-x (executables, directories)
  • 644 - Owner: rw-, Group: r--, Others: r-- (regular files)
  • 700 - Owner: rwx, Group: ---, Others: --- (private files)
  • 777 - Everyone: rwx (dangerous - avoid in production)

chmod: Change File Permissions

Symbolic Method

Use letters to specify permissions for u(ser), g(roup), o(thers), a(ll)

chmod [who][operator][permissions] file

Examples:

  • chmod u+x script.sh - Add execute for owner
  • chmod go-w file.txt - Remove write for group & others
  • chmod a+r document.pdf - Add read for everyone
  • chmod u=rw,g=r,o= config.txt - Set specific permissions

Octal Method

Use numbers to represent permission sets (0-7)

chmod [octal] file

Examples:

  • chmod 755 script.sh - rwxr-xr-x
  • chmod 644 file.txt - rw-r--r--
  • chmod 600 secret.txt - rw------- (private)
  • chmod 750 directory/ - rwxr-x--- (shared with group)

Recursive Changes

Apply permissions to directories and their contents recursively

chmod -R [permissions] directory

Examples:

  • chmod -R 755 /var/www/ - Recursive 755
  • chmod -R u+w ~/projects/ - Add write for owner
  • chmod -R go-rwx ~/private/ - Remove all group/other perms
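
Applying 755 recursively also marks every regular file executable, which conflicts with the 644-for-files guidance for web roots. The added example below (not from the original guide) builds a constructed scratch tree and sets directories and files separately; it assumes GNU find and coreutils on Linux, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: recursive permissions on a constructed tree (not a real web root).

# build_tree -> creates a scratch tree and prints its path.
build_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site/css"
    : > "$root/site/index.html"
    : > "$root/site/css/main.css"
    printf '%s\n' "$root"
}

# exec_file_count ROOT -> number of regular files with any execute bit set.
exec_file_count() {
    find "$1" -type f -perm /111 | wc -l | tr -d ' '
}

# set_web_perms ROOT -> 755 on directories, 644 on regular files.
set_web_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

tree=$(build_tree)

# A blanket 755 makes the HTML and CSS files executable as well.
chmod -R 755 "$tree"
echo "after chmod -R 755:          $(exec_file_count "$tree") executable files"

# Capital X adds execute only to directories and to files that already have
# an execute bit, so it does not undo the blanket 755 above.
chmod -R u=rwX,go=rX "$tree"
echo "after chmod -R u=rwX,go=rX:  $(exec_file_count "$tree") executable files"

# Setting directories and files separately gives 755 / 644.
set_web_perms "$tree"
echo "after set_web_perms:         $(exec_file_count "$tree") executable files"

rm -rf "$tree"
```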

chown: Change File Ownership

Change Owner

Transfer file ownership to another user

chown [user] file

Examples:

  • chown john file.txt - Change owner to john
  • chown john:staff document.pdf - Change owner and group
  • sudo chown root /etc/config - Change to root (requires sudo)

Change Group

Change the group association of files

chown :[group] file

Examples:

  • chown :developers script.sh - Change group to developers
  • chown john:developers app.py - Change both owner and group
  • chgrp www-data /var/www/ - Alternative group change command

Recursive Ownership

Change ownership recursively for directories

chown -R [user]:[group] directory

Examples:

  • chown -R john:developers ~/project/ - Recursive ownership
  • sudo chown -R www-data:www-data /var/www/ - Web server ownership
  • chown -R :staff /shared/data/ - Recursive group change

Important: Changing file ownership typically requires root privileges. Use sudo when changing ownership of system files or files owned by other users. Be cautious with recursive ownership changes as they can affect many files.

umask: Default File Permissions

The umask (user mask) determines default permissions for newly created files and directories.

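Understanding Umask

The bits set in the umask are cleared from the maximum permissions to give the default permissions. For the common values below this looks like subtraction, but it is a bitwise mask (maximum AND NOT umask): umask 033 gives files 644, not 633.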

umask [value]

Calculation:

  • Files max: 666 (rw-rw-rw-)
  • Directories max: 777 (rwxrwxrwx)
  • With umask 022: Files: 644, Directories: 755

Common Umask Values

Typical umask settings for different security needs

umask 022 # Most common

Values:

  • 022 - Files: 644, Directories: 755 (standard)
  • 002 - Files: 664, Directories: 775 (group-writable)
  • 077 - Files: 600, Directories: 700 (private)
  • 027 - Files: 640, Directories: 750 (secure)

Setting Umask

Configure umask for current session or permanently

umask 002 # Set for session

Permanent Setup:

  • Add to ~/.bashrc: umask 002
  • System-wide: /etc/profile or /etc/bash.bashrc
  • Check current: umask
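
The umask calculation above, as an added example that is not part of the original guide: it computes the default mode as a bit mask and compares it with the mode the kernel actually assigns in a scratch directory. The function names are illustrative, and GNU stat (stat -c) on Linux is assumed.

```shell
#!/bin/sh
# Added example: umask is a bit mask, not arithmetic subtraction.

# apply_umask MAX MASK -> prints the resulting mode in octal.
# Bits set in MASK are cleared from MAX: result = MAX & ~MASK.
apply_umask() {
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# observed_mode MASK KIND -> creates a real file or directory under the given
# umask in a scratch directory and prints the mode it was created with.
# The function body is a subshell, so the umask change does not leak out.
observed_mode() (
    scratch=$(mktemp -d) || exit 1
    umask "$1"
    case $2 in
        file) touch "$scratch/probe" ;;
        dir)  mkdir "$scratch/probe" ;;
    esac
    mode=$(stat -c '%a' "$scratch/probe")
    rm -rf "$scratch"
    printf '%s\n' "$mode"
)

# 033 is the case where subtraction (666 - 033 = 633) gives the wrong answer.
for mask in 022 002 077 027 033; do
    printf 'umask %s: files %s (observed %s), dirs %s (observed %s)\n' \
        "$mask" \
        "$(apply_umask 666 "$mask")" "$(observed_mode "$mask" file)" \
        "$(apply_umask 777 "$mask")" "$(observed_mode "$mask" dir)"
done
```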

Special Permissions

SetUID (s)

File executes with owner's privileges, not executor's

chmod u+s file

Example: chmod 4755 /usr/bin/passwd

Use Case: Programs that need elevated privileges (passwd, sudo)

SetGID (s)

On a directory, new files inherit the directory's group; on an executable, the program runs with the file group's privileges

chmod g+s directory

Example: chmod 2755 /shared/

Use Case: Shared directories where files should maintain group ownership

Sticky Bit (t)

In a directory with the sticky bit set, a file can be deleted or renamed only by the file's owner, the directory's owner, or root

chmod +t directory

Example: chmod 1777 /tmp

Use Case: World-writable directories like /tmp

Security Best Practices

  • Principle of Least Privilege: Grant only necessary permissions
  • Avoid 777: Never use 777 permissions in production
  • Secure Home Directories: Use 700 for user home directories
  • Web Files: Use 644 for files, 755 for directories in web roots
  • Scripts: Use 755 for executable scripts
  • Configuration Files: Use 600 for sensitive config files
  • Regular Audits: Periodically check permissions with find / -perm /o=w
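
The audit command in the last item matches everything with the "others write" bit, including symbolic links and sticky directories such as /tmp. The added example below (not from the original guide) narrows it into three separate checks and runs them over a constructed scratch tree; it assumes GNU find on Linux, and all function and file names are illustrative.

```shell
#!/bin/sh
# Added example: permission audit over a constructed scratch tree.

# Baseline from the list above: anything with the "others write" bit.
naive_audit()          { find "$1" -perm /o=w; }
# Regular files that any local user can modify.
world_writable_files() { find "$1" -xdev -type f -perm -0002; }
# World-writable directories that are missing the sticky bit.
unsafe_shared_dirs()   { find "$1" -xdev -type d -perm -0002 ! -perm -1000; }
# Regular files carrying SetUID or SetGID.
setid_files()          { find "$1" -xdev -type f -perm /6000; }

# build_fixture -> creates the constructed tree and prints its path.
build_fixture() {
    root=$(mktemp -d) || return 1
    mkdir "$root/drop" "$root/tmp" "$root/bin"
    : > "$root/notes.txt";  chmod 644  "$root/notes.txt"
    : > "$root/open.cfg";   chmod 666  "$root/open.cfg"
    : > "$root/bin/helper"; chmod 4755 "$root/bin/helper"  # empty file, SetUID bit only
    ln -s notes.txt "$root/link"     # symlinks always show rwxrwxrwx on Linux
    chmod 777  "$root/drop"          # shared directory, no sticky bit
    chmod 1777 "$root/tmp"           # shared directory, sticky bit set like /tmp
    chmod 755  "$root" "$root/bin"
    printf '%s\n' "$root"
}

fx=$(build_fixture)
echo "naive hits: $(naive_audit "$fx" | wc -l | tr -d ' ')"
echo "world-writable files:";           world_writable_files "$fx"
echo "shared dirs without sticky bit:"; unsafe_shared_dirs "$fx"
echo "SetUID/SetGID files:";            setid_files "$fx"
rm -rf "$fx"
```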

Practical Examples and Exercises

Hands-On Practice

# 1. Create test files and check permissions
touch file1.txt file2.txt
mkdir test_dir
ls -l

# 2. Change permissions using symbolic notation
chmod u+x file1.txt
chmod go-w file2.txt
chmod a+r test_dir/
ls -l

# 3. Change permissions using octal notation
chmod 755 file1.txt
chmod 600 file2.txt
chmod 750 test_dir/
ls -l

# 4. Change ownership (requires sudo for system users)
sudo chown root file1.txt
sudo chown :sudo file2.txt
ls -l

# 5. Work with umask
umask
touch newfile.txt
mkdir newdir
ls -l newfile.txt newdir

# 6. Check special permissions
ls -l /usr/bin/passwd  # Notice SetUID bit
ls -ld /tmp           # Notice Sticky bit

Useful Permission Commands

Permission Inspection:
ls -l filename - View permissions
stat filename - Detailed file information
getfacl filename - View Access Control Lists
id - Check your user and group IDs

Permission Management:
find /path -perm 644 - Find files with specific permissions
find /path -user username - Find files owned by user
find /path -group groupname - Find files by group
chmod --reference=file1 file2 - Copy permissions from one file to another

Key Takeaways

File permissions and ownership are fundamental to Linux security. Master chmod for permission management, chown for ownership control, and umask for setting default permissions. Always follow the principle of least privilege, regularly audit permissions, and understand the security implications of special permissions like SetUID and Sticky Bit.

Next Step: Explore Access Control Lists (ACL) for more granular permission control beyond the standard user-group-other model.