Permissions and Ownership: Read, Write, Execute in Practice

Reading permissions with ls -l

Linux controls access to files and directories using permissions (read, write, execute) and ownership (user and group). To inspect them, use:

ls -l

A typical line looks like this:

-rwxr-x--- 1 alice developers  245 Jan 16 10:20 deploy.sh

• The first character shows the type: - file, d directory, l symlink.
• The next 9 characters are permissions in three groups of three: user (owner), group, others.
• alice is the owner (user).
• developers is the owning group.

Break down rwxr-x--- like this:

• User: rwx (read, write, execute)
• Group: r-x (read, execute)
• Others: --- (no access)

What read, write, execute mean for files

• read (r): can view the file contents.
• write (w): can modify the file contents (and truncate it).
• execute (x): can run the file as a program/script (if it has a valid interpreter line like #!/bin/bash for scripts, or is a binary).

What read, write, execute mean for directories (critical detail)

Directory permissions are often the source of confusion. For a directory:

• read (r): can list names inside the directory (e.g., see filenames).
• write (w): can create, delete, or rename entries inside the directory (requires execute as well in practice).
• execute (x): can “enter” the directory and access items inside it (traverse). Without execute, you cannot cd into it or access files within it, even if you know their names.

Example: if a directory has r-- but not x for you, you might be able to list filenames but still get Permission denied when trying to open a file inside. If it has --x but not r, you can access files by exact name (if you already know it) but you cannot list the directory contents.

Continue in our app.

You can listen to the audiobook with the screen off, receive a free certificate for this course, and also have access to 5,000 other free online courses.

Or continue reading below...

Download the app

Changing permissions with chmod

chmod changes the permission bits. You can use symbolic mode (readable) or numeric mode (compact and common in scripts).

Symbolic mode: add/remove permissions

Symbolic mode uses:

• Who: u (user), g (group), o (others), a (all)
• Operation: + add, - remove, = set exactly
• Permission: r, w, x

Examples:

# Add execute for the owner (common for scripts you run yourself)  chmod u+x deploy.sh  # Remove write permission from others  chmod o-w report.txt  # Set permissions exactly: user rw, group r, others none  chmod u=rw,g=r,o= file.txt

For directories, you often apply changes recursively:

# Give owner full access, remove all access for group/others (directory itself only) chmod 700 private_dir  # Apply recursively to everything inside (use with care) chmod -R go-rwx private_dir

Numeric mode: 3 digits (or 4 with special bits)

Numeric permissions use a digit per class (user/group/others). Each digit is the sum of:

• 4 = read
• 2 = write
• 1 = execute

Common values:

• 7 = rwx
• 6 = rw-
• 5 = r-x
• 4 = r--
• 0 = ---

Examples:

# Owner can read/write, everyone else can read chmod 644 notes.txt  # Owner can read/write/execute, group and others can read/execute chmod 755 mytool  # Private: only owner has full access chmod 700 private_dir

Tip: for directories, x (execute/traverse) is usually required for access. A directory with 644 is typically not useful because it lacks execute; you can list names but cannot enter it.

Ownership and groups: chown and chgrp

Permissions are evaluated against the file’s owner and group. If you need a different user or group to have access, you may need to change ownership or group ownership (if you have the rights to do so).

Viewing owner and group

ls -l shows owner and group in the middle columns:

-rw-r----- 1 alice developers 1200 Jan 16 10:30 budget.csv

Owner is alice, group is developers.

Changing owner (and optionally group) with chown

chown changes ownership. On most systems, changing the owner requires administrative privileges.

# Change owner (typically requires sudo) sudo chown bob file.txt  # Change owner and group in one command sudo chown bob:developers file.txt  # Change only the group via chown syntax sudo chown :developers file.txt

Safe practice: use chown on files you created in a controlled folder (like your home directory) when learning. Avoid running recursive ownership changes on system directories.

Changing group with chgrp

chgrp changes the owning group. You can usually change a file’s group to a group you are a member of.

# Change group (may or may not require sudo depending on system policy) chgrp developers budget.csv

If you get Operation not permitted, you likely need sudo or you are not allowed to assign that group.

When sudo is appropriate (and when it is not)

sudo runs a command with administrative privileges. Use it when you are intentionally changing system-owned files or performing actions that require admin rights (like changing ownership to another user, or modifying protected directories).

• Appropriate: sudo chown root:root /some/system/file (when you know why).
• Appropriate: installing software, editing system config files, changing permissions in system directories.
• Not appropriate: “fixing” a permission problem in your home directory by blindly using sudo. That can create files owned by root in your home folder, causing future access issues.

If you find yourself repeatedly using sudo for files in your home directory, stop and inspect ownership and permissions first.

Interpreting Permission denied errors

Permission denied usually means one of these:

• You lack the needed permission bit (r, w, or x) for the operation.
• You have permissions on the file but not on a parent directory (missing directory execute/traverse).
• The file is not executable (missing x) but you tried to run it.
• Ownership/group is not what you expect, so you are being treated as “group” or “others” with fewer rights.

Practical checks:

# Check permissions and ownership ls -l target_file  # Check directory permissions (including parents) ls -ld . ls -ld parent_dir  # If a command fails, read the exact path in the error message and inspect that path

Examples of common scenarios:

# Trying to run a script without execute permission:  ./deploy.sh: Permission denied  # Fix: chmod u+x deploy.sh  # Trying to create a file in a directory without write permission:  touch: cannot touch 'private_dir/new.txt': Permission denied  # Fix: adjust directory permissions or ownership

Mini-lab: practice permissions and ownership safely

Do these steps in your home directory so you don’t affect system files.

1) Make a script executable

Create a small script file:

printf '%s
' '#!/bin/bash' 'echo "Hello from a script"' > hello.sh

Check its permissions:

ls -l hello.sh

Try to run it:

./hello.sh

If you see Permission denied, add execute permission for your user:

chmod u+x hello.sh ls -l hello.sh ./hello.sh

Observe how the permission string changes (you should see an x appear in the user section).

2) Lock down a private folder

Create a directory and a file inside it:

mkdir private_lab echo 'top secret' > private_lab/secret.txt

Inspect directory permissions:

ls -ld private_lab ls -l private_lab

Lock it down so only you can access it:

chmod 700 private_lab chmod 600 private_lab/secret.txt ls -ld private_lab ls -l private_lab/secret.txt

What these mean:

• 700 on the directory: only you can list, create/delete, and traverse it.
• 600 on the file: only you can read/write it; no execute bit (it’s not a program).

3) Verify access changes

Verify the permissions are set as intended:

ls -ld private_lab ls -l private_lab/secret.txt

Also verify that “others” have no access by checking the last three permission characters:

• Directory should end with --- for others (e.g., drwx------).
• File should end with --- for others (e.g., -rw-------).

If you have access to another non-privileged user account on the same machine (or can use a controlled test environment), you can attempt to list or read the folder as that user to confirm it fails. If not, rely on the permission bits shown by ls -l and ls -ld.

Optional: practice group-based access (conceptual, safe)

Group permissions are useful when collaborating. Conceptually, the workflow is:

• Ensure a shared group exists and users are members of it (admin task).
• Set the directory group to that shared group.
• Grant group permissions (often rwx on directories, rw on files).

Example commands you might see in a real shared-folder setup:

# Set group ownership (may require sudo) sudo chgrp developers shared_dir  # Allow group members to read/write/traverse chmod 770 shared_dir

If you see Operation not permitted or Permission denied here, it usually indicates you need sudo or you are not allowed to assign that group.