
Linux File Permissions: Reading rwx Without Fear

Those cryptic strings like rwxr-xr-x are simpler than they look. A beginner-friendly guide to Linux file permissions, what the letters and numbers mean, and how to set them safely.

HolyGhost · 9 min read

Imagine a shared office with a big filing cabinet. Some drawers you are allowed to open and read. Some you can open, read, and add papers to. A few are locked to everyone except the person whose name is on them. And there is one drawer marked "run these instructions", which only certain people are trusted to actually carry out. Now imagine every single drawer had a tiny label spelling out exactly who could read it, who could change it, and who could act on it. That label, on every file and folder, is what Linux permissions are.

If you are getting into security, you will spend a lot of time on Linux, because so much of the internet runs on it. And Linux file permissions are one of the first things that look completely baffling and then turn out to be genuinely simple. Once the pattern clicks, a string like rwxr-xr-x reads as plainly as a short sentence. This article is that click, taken slowly.

Three groups, three permissions

Here is the whole idea in one breath. Every file and folder answers two questions: who are we talking about, and what are they allowed to do.

For the who, Linux recognises three groups of people:

  • User: the owner of the file, usually whoever created it.
  • Group: a named group of users that the file belongs to. Groups let you say "the design team can touch this" without listing every person.
  • Other: quite literally everyone else on the system who is not the owner and not in that group.

For the what, there are three permissions:

  • r (read): view the contents of the file, or list what is inside a folder.
  • w (write): change the file, or delete it. For a folder, add or remove things inside it.
  • x (execute): run the file as a program. For a folder, this one is slightly different and means "enter it", as in step into it to reach what is inside.

That is genuinely all of it: three groups, and for each group, read, write, execute. Every permission string you will ever see is just those two lists crossed together.

Reading the string

Now let us read a real one. When you run ls -l (that is "list" with the long format option), Linux shows you the permissions for each item on the far left. You will see something like this:

-rwxr-xr-x
|\_/\_/\_/
| |  |  `--- other: r-x  (read, execute)
| |  `------ group: r-x  (read, execute)
| `--------- user:  rwx  (read, write, execute)
`----------- file type: - for an ordinary file, d for a directory

Read it left to right in chunks. The very first character is not a permission at all, it tells you the type of thing. A dash means an ordinary file, and a d means a directory, which is Linux for a folder. After that first character come three groups of three letters. The first triple is the user, the second is the group, and the third is other. Within each triple the order is always the same: read, then write, then execute. A dash in any slot means "not allowed".

So rwxr-xr-x unpacks to: the owner can read, write, and run it; the group can read and run it but not change it; and everyone else can also read and run it but not change it. A dash where a letter could be is just a permission switched off.

Read it in threes

The trick that makes this effortless is to mentally chop the nine letters into three groups of three, then read each group in the fixed order read, write, execute. Once you do that a dozen times it becomes automatic, like reading a clock face. rw-r--r--? Owner reads and writes, everyone else only reads. Done.

The numbers: chmod 755

You will also constantly see permissions written as a three-digit number, most famously in the command chmod 755. The word chmod is short for "change mode", and mode is just another word for permissions. Do not let the numbers scare you, because they say exactly the same thing as the letters, only in shorthand.

The trick is that each permission is assigned a value:

read = 4,  write = 2,  execute = 1

Those specific numbers are chosen so that no two combinations ever add up to the same total, which means every possible mix of permissions has one unique number. To find the digit for a group of people, you simply add up the values of the permissions they have.

  • 7 = 4 + 2 + 1 = read, write, and execute
  • 5 = 4 + 0 + 1 = read and execute (write is switched off)
  • 6 = 4 + 2 + 0 = read and write (execute is switched off)
  • 4 = read only
  • 0 = nothing at all

A full permission set is three of these digits in a row, in the same order as always: user, then group, then other. So 755 means user gets 7 (rwx), group gets 5 (r-x), and other gets 5 (r-x), which is exactly the rwxr-xr-x we read earlier. The number and the letters are two views of the same thing.

A couple of the combinations are so common that they are worth memorising:

Number   Letters      Typical use
644      rw-r--r--    A normal file: owner can edit, others can only read
755      rwxr-xr-x    A program or a folder others need to enter
600      rw-------    A private file only the owner can touch, like an SSH key
700      rwx------    A private folder or script only the owner can use

That last pattern, keeping secrets locked to the owner alone, comes up a lot in security. An SSH private key with permissions any looser than 600 will actually be refused by the tools that use it, precisely because a leaked key is a serious risk.

Never reach for 777

chmod 777 hands read, write, and execute to absolutely everyone, including "other", which means every account on the machine. It is the lazy fix people reach for to make a permission error disappear, and it is a genuine security hole: anyone on the system can now modify or even replace the file with something malicious. If a file has too little access, work out the least it actually needs and grant exactly that. Never just fling it wide open to all.

The principle underneath: least privilege

There is a bigger idea sitting behind all of this, and it is one of the most important in all of security. It is called least privilege, and it simply means giving each person and each program the smallest set of permissions it needs to do its job, and nothing more. The reason is damage limitation. If an account or a program is ever compromised by an attacker, the harm they can do is capped by whatever that account was allowed to touch. A file locked down to 600 cannot be tampered with by a stranger, because the stranger was never granted write access in the first place. Every time you choose 644 over 777, you are quietly practising least privilege.

A note on the special bits

Beyond the familiar nine letters, you will occasionally bump into some extra behaviour. You do not need to use these on day one, but recognising them will save you confusion, and two of them are classic security concerns.

  • setuid: when this is set on a program, the program runs with the powers of the file's owner rather than the powers of whoever launched it. That sounds abstract, so here is why it matters. A setuid program owned by the all-powerful root account will run as root even when an ordinary user starts it. That is sometimes genuinely necessary, but it is also a classic target for privilege escalation, which is an attacker's trick of turning limited access into full control. Treat setuid programs with real respect and know where they are.
  • setgid: the same idea, but for the group rather than the owner. The program runs with the file's group powers.
  • sticky bit: this one goes on shared folders and it stops users from deleting each other's files, even in a folder everyone can write to. It is the reason everybody can drop files into the shared /tmp folder without being able to wipe out one another's work.
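As an added example (not code from the article), the POSIX shell functions below do the letters-to-numbers conversion from the chmod section by hand, including the setuid, setgid and sticky bits as a leading fourth digit, and then use it to flag the two risky patterns the article warns about: a file that "other" can write to, and a setuid program. All function names are this example's own.

```shell
# Added example, not code from the article: convert an rwx string into the
# chmod digits and back, then flag world-writable and setuid modes.
# POSIX sh only; nothing on disk is read or changed.

# One three-letter triple to one digit: r=4, w=2, x=1, a dash adds nothing.
# A lower-case s or t in the execute slot means execute is set as well.
triple_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# "rwxr-xr-x" -> 755. A leading type character (- or d) is skipped, and
# setuid/setgid/sticky (s, S, t, T) become a fourth digit in front: 4, 2, 1.
perm_to_octal() {
    p=$1
    [ ${#p} -eq 10 ] && p=${p#?}
    [ ${#p} -eq 9 ] || { echo "not a permission string: $1" >&2; return 1; }
    u=${p%??????}; o=${p#??????}; g=${p#???}; g=${g%???}
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac
    case $g in ??[sS]) special=$((special + 2)) ;; esac
    case $o in ??[tT]) special=$((special + 1)) ;; esac
    [ "$special" -eq 0 ] && special=""
    echo "$special$(triple_to_digit "$u")$(triple_to_digit "$g")$(triple_to_digit "$o")"
}

# One digit back to its triple: the same table read in reverse.
digit_to_triple() {
    case $1 in
        7) t=rwx ;; 6) t=rw- ;; 5) t=r-x ;; 4) t=r-- ;;
        3) t=-wx ;; 2) t=-w- ;; 1) t=--x ;; 0) t=--- ;;
        *) echo "bad digit: $1" >&2; return 1 ;;
    esac
    printf '%s' "$t"
}

# 755 -> "rwxr-xr-x": three digits, user then group then other.
octal_to_perm() {
    m=$1
    [ ${#m} -eq 3 ] || { echo "expected three digits: $1" >&2; return 1; }
    mid=${m#?}; mid=${mid%?}
    printf '%s\n' "$(digit_to_triple "${m%??}")$(digit_to_triple "$mid")$(digit_to_triple "${m#??}")"
}

# Exit 0 when "other" can write (the 777-style hole), otherwise 1.
is_world_writable() { case $(perm_to_octal "$1") in *[2367]) return 0 ;; esac; return 1; }
# Exit 0 when setuid is set, i.e. the program runs with its owner's power.
is_setuid() { case $(perm_to_octal "$1") in [4567]???) return 0 ;; esac; return 1; }
```

Feed it the permission column of ls -l output, for example perm_to_octal -rwsr-xr-x, to see the fourth digit appear for a setuid program.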

Folders behave a little differently

The read, write, and execute permissions mean slightly different things on a folder than on a file. On a folder, read lets you list what is inside, write lets you add or remove items, and execute lets you actually enter the folder to reach anything within it. This is why a folder often needs execute set even though you would never "run" a folder. If you can read a folder but not execute it, you can see the names of the files but not open them.

The takeaway

Linux permissions come down to three groups of people, the user (owner), the group, and other (everyone else), and for each of them three permissions, read, write, and execute. You will see them written as rwx letters, which you read in threes in the fixed order read, write, execute, or as numbers, where read is 4, write is 2, and execute is 1, added up per group. 755 is rwxr-xr-x, 644 is a normal readable file, 600 locks a secret to its owner, and 777 is a mistake waiting to be exploited. Always grant the least access that actually works, which is the principle of least privilege in action, and keep a wary eye on setuid programs, because they run with their owner's power rather than yours. Get comfortable reading these little labels and a genuinely large part of Linux stops feeling mysterious.