
kb/filesystem ── File system ── beginner

File permissions: rwx and chmod

Every file has three permission sets: for the owner, the group, and others. Each set is three bits: read (r), write (w), execute (x). You change them with `chmod`.

aka: permissions, rwx, chmod

Structure

When `ls -l ~/.bashrc` prints `-rw-r--r-- 1 student student 3771 ...`, it reads like this:

  • - is the object type (- file, d directory, l symlink, c/b device)
  • rw- are the owner's permissions (user)
  • r-- are the group's permissions
  • r-- are the permissions for everyone else (other)

Each set is three flags:

| bit | meaning for a file   | meaning for a directory                               |
|-----|----------------------|-------------------------------------------------------|
| r   | read the contents    | list the files (ls)                                   |
| w   | change the contents  | create/delete/rename files inside                     |
| x   | run as a program     | enter the directory (cd) and reach files by full path |

One detail: on a directory, r without x means "I see the names but cannot enter and read individual files." It is rare, but it happens.

Octal notation

Each set is encoded as a single digit 0-7: r=4 + w=2 + x=1.

| mode | rwx | meaning      |
|------|-----|--------------|
| 7    | rwx | everything   |
| 6    | rw- | read+write   |
| 5    | r-x | read+execute |
| 4    | r-- | read only    |
| 0    | --- | nothing      |

A file's full permissions are three digits, for example 644 = rw-r--r--, 755 = rwxr-xr-x.

Commands

```bash
chmod 600 file.txt             # rw------- (only the owner reads/writes)
chmod +x script.sh             # add execute for all: like a+x, except that bits in the umask are not set
chmod u+x,g-w file             # symbolic form: u (user), g (group), o (other), a (all)
chmod -R go-w /var/www         # recursively remove write for group and other
```

chown: owner and group

chmod changes permissions. The owner is changed by chown:

```bash
sudo chown alice file.txt              # change the owner
sudo chown alice:developers file.txt   # owner + group
sudo chown -R www-data: /var/www       # recursively; the trailing ':' sets the group to www-data's login group
```

umask: permissions for new files

When a program creates a file (touch, a `>` redirect), the permissions it actually gets are desired_mode & ~umask. The default umask 022 removes write for group and other, so a regular file requested with 0666 gets 0666 & ~022 = 0644; a directory (mkdir) or a compiled program starts from 0777 and ends up with 0755.

Special bits: setuid, setgid, sticky

Besides the usual rwx there are three extra bits, written as a 4th, leading octal digit (setuid 4, setgid 2, sticky 1):

  • setuid on an executable file: the program starts with the effective UID of the file's owner, not of the user who runs it. This is how sudo, passwd, and ping work
  • setgid on a directory: new files inside inherit the directory's group (useful for shared folders)
  • sticky bit on a directory: only the owner of a file inside can delete it, even if others have write on the directory. This is how /tmp is protected

```bash
ls -ld /tmp /usr/bin/sudo
# drwxrwxrwt  ... /tmp           ← t = sticky
# -rwsr-xr-x  ... /usr/bin/sudo  ← s = setuid
```
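The mode string from Structure, the octal digits, the umask rule and the special-bit letters above, worked through as an added example (this is not code from the page or from LinuxLab; the function names are ours): a POSIX sh script that converts an `ls -l` mode string to a four-digit octal mode and back, and computes the mode a new file gets under a umask. It goes one step beyond the text by also handling the uppercase S/T that `ls` prints when a special bit is set without the matching x.

```sh
#!/bin/sh
# Added example: ls -l mode string <-> 4-digit octal, with s/S/t/T handling, plus the
# umask rule. POSIX sh only (runs under dash or bash); function names are ours.

# mode_to_octal MODE -> e.g. 4755; a leading type character (-, d, l, ...) is optional
mode_to_octal() {
  m=$1
  [ ${#m} -eq 10 ] && m=$(printf '%s' "$m" | cut -c2-)   # drop the type character
  special=0 digits=""
  for pos in 1 2 3; do                                   # owner, group, other
    trip=$(printf '%s' "$m" | cut -c$((pos*3-2))-$((pos*3)))
    case $pos in 1) sbit=4 ;; 2) sbit=2 ;; 3) sbit=1 ;; esac   # setuid, setgid, sticky
    v=0
    case $trip in r??) v=$((v + 4)) ;; esac
    case $trip in ?w?) v=$((v + 2)) ;; esac
    case $trip in ??[xst]) v=$((v + 1)) ;; esac          # lowercase s/t also mean x is set
    case $trip in ??[sStT]) special=$((special | sbit)) ;; esac
    digits="$digits$v"
  done
  printf '%d%s\n' "$special" "$digits"
}

# octal_to_mode OCTAL -> the 9-character rwx string, e.g. 4755 -> rwsr-xr-x
octal_to_mode() {
  o=$1 special=0
  [ ${#o} -eq 4 ] && { special=$(printf '%s' "$o" | cut -c1); o=$(printf '%s' "$o" | cut -c2-); }
  out=""
  for pos in 1 2 3; do
    d=$(printf '%s' "$o" | cut -c$pos)
    case $pos in 1) sbit=4 ;; 2) sbit=2 ;; 3) sbit=1 ;; esac
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((special & sbit)) -ne 0 ]; then
      # special bit present: s (t in the "other" set) when x is set, S/T when it is not
      if [ $pos -eq 3 ]; then letter=t; else letter=s; fi
      [ $((d & 1)) -eq 0 ] && letter=$(printf '%s' "$letter" | tr a-z A-Z)
      out="$out$letter"
    elif [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
  done
  printf '%s\n' "$out"
}

# new_file_mode BASE UMASK -> BASE & ~UMASK, e.g. 666 022 -> 0644 (mkdir starts from 777)
new_file_mode() {
  printf '%04o\n' $(( 0$1 & ~0$2 ))
}

mode_to_octal -rwsr-xr-x   # 4755  (the /usr/bin/sudo line above)
octal_to_mode 1777         # rwxrwxrwt  (/tmp)
new_file_mode 666 022      # 0644
```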

§ Commands

```bash
stat -c '%a %n' file.txt
```

Print permissions in octal form (for example `644 file.txt`)

```bash
chmod 600 ~/.ssh/id_rsa
```

Lock the private SSH key away from everyone but the owner, a hard requirement of sshd

```bash
umask
```

The current file-creation mask in this shell

```bash
find / -perm -4000 2>/dev/null
```

Find every setuid binary on the system (important for a security audit)

§ See also

  • [[inode]] Inode: An inode is a filesystem record that holds metadata and pointers to a file's data blocks. The filename lives separately, in a directory, and simply points to the inode.
  • [[posix-acl]] POSIX ACL: extended access permissions. POSIX ACL extends the classic rwx permissions: you can grant access to many users and groups without reshuffling the owner and group. setfacl writes, getfacl reads. A default ACL on a directory is inherited by its children.
  • [[extended-attributes]] Extended attributes (xattr): arbitrary file metadata. xattr are key-value metadata on an inode beyond stat. There are 4 namespaces: user (open), trusted (root), system (ACL), security (SELinux, capabilities). getfattr reads, setfattr writes.
  • [[hard-link]] Hard link: A hard link is a second name for the same [[inode]]. Both names are equal: the file lives as long as at least one of them exists.

§ Mentioned in lessons

  • beginner-02-files-and-text
  • beginner-04-pipes-and-redirects
  • beginner-05-permissions
  • beginner-06-users-and-groups
  • beginner-12-shell-scripting