Unix File Permissions Explained
Every file and directory on a Unix or Linux system has an associated set of permissions that control who can read, write, or execute it. These permissions are divided into three classes:
- Owner (user) -- the account that created the file or was explicitly assigned ownership via chown.
- Group -- any user who belongs to the file's assigned group. Groups let teams share access without opening files to everyone.
- Others (world) -- every other account on the system that is neither the owner nor a member of the group.
Within each class, three permission bits can be toggled independently:
- Read (r) -- view the contents of a file, or list the entries in a directory.
- Write (w) -- modify or delete a file, or add and remove entries in a directory.
- Execute (x) -- run a file as a program or script, or traverse (enter) a directory with cd.
The combination of three classes and three bits gives nine individual permission flags. You can inspect them with ls -l, which prints a ten-character string like -rwxr-xr-x. The first character indicates the file type (a dash for regular files, d for directories), and the remaining nine characters show the permissions for owner, group, and others in that order.
Numeric vs Symbolic Notation
Unix permissions can be expressed in two interchangeable notations. Numeric (octal) notation represents each class as a single digit from 0 to 7. Each permission bit has a fixed value: read = 4, write = 2, execute = 1. You sum the values for the permissions you want. For example, read + write + execute = 4 + 2 + 1 = 7, while read + execute = 4 + 1 = 5.
A three-digit octal like 755 breaks down as: owner = 7 (rwx), group = 5 (r-x), others = 5 (r-x). This is what you pass to the chmod command -- for example, chmod 755 deploy.sh.
Symbolic notation uses the letters r, w, and x grouped into three triplets. A dash (-) in any position means that permission is denied. So rwxr-xr-x is the symbolic equivalent of 755. Symbolic notation is also used with chmod for incremental changes: chmod g+w file.txt adds write permission for the group without affecting other bits.
Both notations describe exactly the same underlying permission state. Numeric is compact and common in scripts and documentation; symbolic is easier to read at a glance and useful for targeted modifications.
Common Permission Patterns
Most server configurations rely on a handful of well-known permission values:
- 644 (rw-r--r--) -- the standard for regular files. The owner can read and write; everyone else can only read. HTML, CSS, images, and most configuration files typically use this mode.
- 755 (rwxr-xr-x) -- the standard for directories and executable scripts. The owner has full control; others can read and execute (or traverse directories) but not modify.
- 600 (rw-------) -- restricted to the owner only. Use this for sensitive files like SSH private keys, .env files, and database credentials.
- 700 (rwx------) -- owner-only with execute. Ideal for private script directories or the .ssh folder itself.
- 777 (rwxrwxrwx) -- full access for everyone. This is a security risk and should never be used in production. If a deployment guide tells you to chmod 777, treat it as a red flag and find a more restrictive alternative.
A good rule of thumb: start with the most restrictive permissions that still let the application work, then widen only where necessary. On web servers, directories generally need 755 and files need 644 unless a script must be executed directly.
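To check an existing tree against the patterns above, the following shell script (an added example, not part of the original page) lists world-writable entries and secret files looser than 600, then narrows them with symbolic chmod. The function names, the secret-file name patterns, and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a tree for the risky modes described above.

# List files and directories under $1 whose "others" write bit (octal 002)
# is set, e.g. 777 or 666. Sticky directories such as /tmp also match.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# List secret-bearing files under $1 that grant any bit to group or others,
# i.e. anything looser than 600. The name patterns are assumptions.
find_exposed_secrets() {
    find "$1" -type f \( -name '.env' -o -name 'id_rsa' -o -name '*.pem' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Narrow the findings with symbolic chmod so unrelated bits are left alone.
# Assumes paths contain no newlines.
tighten() {
    find_world_writable "$1" | while IFS= read -r p; do chmod o-w "$p"; done
    find_exposed_secrets "$1" | while IFS= read -r p; do chmod go-rwx "$p"; done
}

# Constructed sample tree so the script runs offline.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/uploads"
    touch "$d/index.html" "$d/.env"
    chmod 777 "$d/uploads"
    chmod 644 "$d/index.html" "$d/.env"
    echo "world-writable:";  find_world_writable "$d"
    echo "exposed secrets:"; find_exposed_secrets "$d"
    tighten "$d"
    echo "after tightening:"; ls -la "$d"
    rm -rf "$d"
}
demo
```

Run the two find functions on their own first to review the findings before calling tighten, since some applications expect a group-writable or shared directory.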
Related Tools
If you work with chmod values, you may also find these tools useful:
- Binary to Decimal Converter -- since each octal digit maps to three binary bits, converting between binary and decimal helps visualize how permission flags are stored internally.
- Number Base Converter -- convert between octal, decimal, hexadecimal, and binary in one place. Handy for verifying chmod values or working with bitmask calculations.
- Hash Generator -- generate SHA-256, MD5, and other hashes for file integrity checks, a common companion task when setting up secure file permissions on a server.