Permissions Explained

Basic Linux permissions explained in a simple way.

Use this page to understand file ownership, groups, read/write/execute permissions, and common permission problems.


Why permissions matter

Linux uses permissions to control who can read, change, or run files.

Permissions help protect:

system files
user files
configuration files
scripts
SSH keys
logs
application data

Check permissions

Use:

ls -l

Example:

-rw-r--r-- 1 user group 1234 Jun 10 10:00 file.txt
drwxr-xr-x 2 user group 4096 Jun 10 10:00 directory

File type

The first character shows the file type:

- = regular file
d = directory
l = symbolic link

Example:

-rw-r--r-- = regular file
drwxr-xr-x = directory
lrwxrwxrwx = symbolic link

Permission groups

Permissions are split into three groups:

owner
group
others

Example:

-rw-r--r--

Split:

owner: rw-
group: r--
others: r--

Permission letters

r = read
w = write
x = execute

For files:

read    = view file content
write   = modify file content
execute = run file as a program/script

For directories:

read    = list directory content
write   = create/delete/rename files inside
execute = enter/access the directory

Directory execute permission is important. Without it, you cannot enter the directory or access the files inside it, even if the files themselves are readable.


Numeric permissions

Permissions can also be shown as numbers.

r = 4
w = 2
x = 1

Examples:

7 = 4+2+1 = read/write/execute
6 = 4+2   = read/write
5 = 4+1   = read/execute
4 = 4     = read only
0 = no permission

Common examples:

755 = owner rwx, group r-x, others r-x
644 = owner rw-, group r--, others r--
600 = owner rw-, group ---, others ---
700 = owner rwx, group ---, others ---

Common permission examples

Normal text/config file

chmod 644 file.txt

Meaning:

owner can read/write
group can read
others can read

Private file

chmod 600 file.txt

Meaning:

only owner can read/write

Good for sensitive files.


Script

chmod 755 script.sh

Meaning:

owner can read/write/execute
group can read/execute
others can read/execute

Private directory

chmod 700 directory

Meaning:

only owner can enter/read/write

Change permissions

chmod MODE FILE

Examples:

chmod 644 file.txt
chmod 755 script.sh
chmod 700 ~/.ssh

Recursive change:

chmod -R 755 /path

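Use recursive changes carefully. chmod -R applies the same mode to every file and directory under the path, so chmod -R 755 also makes every regular file executable.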


Change owner

sudo chown USER:GROUP FILE

Example:

sudo chown user:user file.txt

Recursive owner change:

sudo chown -R USER:GROUP /path

Use recursive ownership changes carefully.


Check user and groups

id USERNAME

Example:

id user

Show current user:

whoami

Add user to a group

sudo usermod -aG GROUPNAME USERNAME

Example:

sudo usermod -aG wheel USERNAME

The user may need to log out and log back in for group changes to apply.


Special permissions

setuid

Shows as s in the owner execute position.

Example:

-rwsr-xr-x

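This makes the program run with the file owner’s privileges instead of the privileges of the user who starts it.

Be careful with setuid. If the file is owned by root, the program runs as root for every user who is allowed to execute it.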


setgid

Shows as s in the group execute position.

Example:

-rwxr-sr-x

On directories, setgid can make new files inherit the directory group.

Example:

chmod g+s /shared/directory

sticky bit

Shows as t in the others execute position.

Example:

drwxrwxrwt

Common on:

/tmp

It means users can create files in the directory, but a file can only be deleted by its owner or by root.


SSH permission examples

SSH is strict about permissions.

Common correct permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

If permissions are too open, SSH key login may fail.
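
Added example (not part of the original page): a small audit that compares an SSH directory against the modes listed above, using the numeric permissions as a bit mask. The function names too_open, audit_ssh_dir and demo are made up for this example, the sample directory is constructed, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat (Linux).

# too_open FILE MAX: report FILE if it grants any bit that MAX does not.
too_open() {
    p=$1 max=$2
    mode=$(stat -L -c '%a' "$p") || return 2   # octal mode, e.g. 644
    # A leading 0 makes shell arithmetic read both values as octal.
    extra=$(( 0$mode & ~0$max & 07777 ))
    [ "$extra" -eq 0 ] && return 0
    printf '%s: mode %s exceeds %s (extra bits %o)\n' "$p" "$mode" "$max" "$extra"
    return 1
}

# audit_ssh_dir DIR: check DIR and its key files against the modes listed
# on this page. The exit status is the number of findings.
audit_ssh_dir() {
    dir=$1 findings=0
    too_open "$dir" 700 || findings=$((findings + 1))
    for f in "$dir"/*; do
        case $f in
            *.pub) limit=644 ;;                       # public keys
            */authorized_keys | */id_*) limit=600 ;;  # private material
            *) continue ;;                            # not covered by this page
        esac
        [ -f "$f" ] || continue
        too_open "$f" "$limit" || findings=$((findings + 1))
    done
    return "$findings"
}

# demo: build a constructed sample directory with two mistakes and audit it.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/.ssh" && chmod 755 "$tmp/.ssh"                        # too open
    : > "$tmp/.ssh/id_ed25519"; chmod 644 "$tmp/.ssh/id_ed25519"      # too open
    : > "$tmp/.ssh/id_ed25519.pub"; chmod 644 "$tmp/.ssh/id_ed25519.pub"
    : > "$tmp/.ssh/authorized_keys"; chmod 600 "$tmp/.ssh/authorized_keys"
    rc=0
    audit_ssh_dir "$tmp/.ssh" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

To check a real account, run audit_ssh_dir "$HOME/.ssh" after loading the functions; no output and exit status 0 means nothing is more open than the modes above.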


Troubleshooting permission denied

When you see:

Permission denied

Check:

whoami
id
ls -l FILE
ls -ld DIRECTORY

Also check parent directories:

namei -l /path/to/file

This shows permissions for each part of the path.


Common causes

wrong file owner
wrong group
missing execute permission on directory
file not executable
SSH key permissions too open
user not in required group
SELinux context issue
filesystem mounted read-only

Check if filesystem is read-only

findmnt /mount/point

or:

mount | grep -E '[(,]ro[,)]'

SELinux note

Sometimes permissions look correct, but access is still denied because of SELinux.

Basic checks:

getenforce
sestatus

Check logs:

sudo ausearch -m avc -ts recent

If SELinux is involved, do not blindly disable it. Understand the denial first.


First command set

whoami
id
ls -l FILE
ls -ld DIRECTORY
namei -l /path/to/file
getfacl FILE
findmnt /mount/point
getenforce

Dangerous actions

Be careful with:

chmod -R 777
chmod -R
chown -R
changing ownership of system folders
changing permissions on /etc, /usr, /var, /home
disabling SELinux blindly

Avoid:

chmod 777 file

unless you understand exactly why it is needed.