Every file has three permissions (read, write, execute) for three classes of user (owner, group, other). That nine-bit grid is the whole model. Read it straight off ls -l:
Reading the grid
Take -rw-r--r--:
- Character 1 is the type:
-file,ddirectory,lsymlink. - Characters 2-4 are the owner's permissions:
rw-= read, write, no execute. - Characters 5-7 are the group's:
r--= read only. - Characters 8-10 are other (everyone else):
r--= read only.
So -rw-r--r-- means the owner can read and write; everyone else can only read. That is the default for a normal file, and the octal for it is 644.
The octal shorthand
Each rwx triplet is a number: read = 4, write = 2, execute = 1. Add them up per class:
| Symbolic | Octal | Meaning |
|---|---|---|
rwx | 7 | read + write + execute |
rw- | 6 | read + write |
r-x | 5 | read + execute |
r-- | 4 | read only |
--- | 0 | nothing |
So three digits describe the whole grid:
- 644 (
rw-r--r--), normal file: owner edits, others read. - 755 (
rwxr-xr-x), script or directory: owner full, others read/run. - 600 (
rw-------), private file, like an SSH key: owner only. - 700 (
rwx------), private directory: only the owner can enter.
chmod 644 notes.txt
chmod 755 deploy.sh
chmod 600 ~/.ssh/id_ed25519Worked the other way, chmod 750 deploy.sh reads as owner 7 (rwx = 4+2+1), group 5 (r-x = 4+1), other 0 (---): the owner can read, write, and run it, the group can read and run it, everyone else gets nothing.
To read a file's mode as the octal number directly, instead of decoding the rwx string by eye:
stat -c '%a %n' deploy.sh # Linux, prints e.g. 750 deploy.sh
stat -f '%A %N' deploy.sh # macOS / BSD equivalentSymbolic chmod, when you want to change one bit
Numeric sets all nine bits at once. Symbolic changes just what you name, which is safer when you do not want to disturb the rest:
chmod u+x deploy.sh # add execute for the owner (u)
chmod go-w shared.txt # remove write for group and other
chmod a+r public.txt # add read for all (a = ugo)u owner, g group, o other, a all; + add, - remove, = set exactly.
Execute means different things for files and directories
This is the part that confuses everyone. On a file, the execute bit (x) means "can be run as a program". On a directory, x means "can enter / traverse it" (cd into it, access files inside by name). A directory you can read but not execute lets you list names but not actually reach the files. That is why directories are 755 (with x) and not 644. The capital-X form on chmod -R exists exactly for this; see chmod recursively.
FAQ
See also
- How to make a file executable (chmod +x): the single most common chmod.
- How to chmod recursively: apply modes down a tree, and the capital-X trick.
- How to change file owner and group (chown): the other half, who owns it.
- Linux umask explained: the permissions new files are born with.
- setuid, setgid, and the sticky bit: the special fourth digit.
Sources
Authoritative references this article was fact-checked against.
