Understanding Linux file permissions (how to find them, read them, and change them) is an important part of maintaining and securing your systems.

File permissions are core to the security model used by Linux systems. They determine who can access files and directories on a system and how. This article provides an overview of Linux file permissions, how they work, and how to change them.

How do you view Linux file permissions?

The ls command along with its -l (for long listing) option will show you metadata about your Linux files, including the permissions set on the file.

$ ls -l

drwxr-xr-x. 4 root root    68 Jun 13 20:25 tuned
-rw-r--r--. 1 root root  4017 Feb 24  2022 vimrc

In this example, you see two different listings. The first field of the ls -l output is a group of metadata that includes the permissions on each file. Here are the components of the vimrc listing:

• File type: -
• Permission settings: rw-r--r--
• Extended attributes: dot (.)
• User owner: root
• Group owner: root

The fields “File type” and “Extended attributes” are outside the scope of this article, but in the featured output above, the vimrc file is a normal file, which is file type - (that is, no special type).

The tuned listing is for a d, or directory, type file. There are other file types as well, but these two are the most common. Available attributes are dependent on the filesystem format that the files are stored on. For Red Hat Enterprise Linux 7, 8, and 9, the default filesystem format is XFS.

How do you read file permissions?

This article is about the permission settings on a file. The interesting permissions from the vimrc listing are:

rw-r--r–

This string is actually an expression of three different sets of permissions:

• rw-
• r–
• r–

The first set of permissions applies to the owner of the file. The second set of permissions applies to the user group that owns the file. The third set of permissions is generally referred to as “others.” All Linux files belong to an owner and a group.

When permissions and users are represented by letters, that is called symbolic mode. For users, u stands for user owner, g for group owner, and o for others. For permissions, r stands for read, w for write, and x for execute.

When the system is looking at a file’s permissions to determine what information to provide you when you interact with a file, it runs through a series of checks:

1. It first checks to see whether you are the user that owns the file. If so, then you are granted the user owner’s permissions, and no further checks will be completed.
2. If you are not the user that owns the file, next your group membership is validated to see whether you belong to the group that matches the group owner of the file. If so, then you’re covered under the group owner field of permissions, and no further checks will be made.
3. “Others” permissions are applied when the account interacting with the file is neither the user owner nor in the group that owns the files. Or, to put it another way, the three fields are mutually exclusive: You can not be covered under more than one of the fields of permission settings on a file.

Permissions go beyond the different types of people that can interact with a file. Each user gets an expression that includes the three basic types of permissions. In the example above, the owner of the file is given the following permissions:

rw-

Each character in the expression indicates whether a specific permission is granted or not. In the example above, read (r) permission and write (w) permission have been granted on the file. However, the execute permission (x) is not granted, which is why there’s a - sign in the expression. The permission in this field is disabled.

Consider the group owner’s permissions in this example:

r--

The read (r) permission is granted to members of the group, but write and execute have both been disabled.

What are octal values?

When Linux file permissions are represented by numbers, it’s called numeric mode. In numeric mode, a three-digit value represents specific file permissions (for example, 744.) These are called octal values. The first digit is for owner permissions, the second digit is for group permissions, and the third is for other users. Each permission has a numeric value assigned to it:

• r (read): 4
• w (write): 2
• x (execute): 1

In the permission value 744, the first digit corresponds to the user, the second digit to the group, and the third digit to others. By adding up the value of each user classification, you can find the file permissions.

For example, a file might have read, write, and execute permissions for its owner, and only read permission for all other users. That looks like this:

• Owner: rwx = 4+2+1 = 7
• Group: r– = 4+0+0 = 4
• Others: r– = 4+0+0 = 4

The results produce the three-digit value 744.

What do Linux file permissions actually do?

I’ve talked about how to view file permissions, who they apply to, and how to read what permissions are enabled or disabled. But what do these permissions actually do in practice?

Read (r)

Read permission is used to access the file’s contents. You can use a tool like cat or less on the file to display the file contents. You could also use a text editor like Vi or view on the file to display the contents of the file. Read permission is required to make copies of a file, because you need to access the file’s contents to make a duplicate of it.

Write (w)

Write permission allows you to modify or change the contents of a file. Write permission also allows you to use the redirect or append operators in the shell (> or >>) to change the contents of a file. Without write permission, changes to the file’s contents are not permitted.

Execute (x)

Execute permission allows you to execute the contents of a file. Typically, executables would be things like commands or compiled binary applications. However, execute permission also allows someone to run Bash shell scripts, Python programs, and a variety of interpreted languages.

There are other ways to execute the contents of a file without execute permission. For example, you could use an interpreter that has execute permission to read a file with instructions for the interpreter to execute. An example would be invoking a Bash shell script:

$ bash script.sh

The executable being run is bash. The script.sh file is read by the Bash interpreter, and its commands are executed. The content in this article is general purpose, but in Linux, there are often additional ways to accomplish tasks.