Bash Permissions & Users — Complete Guide to Linux File Security


DodaTech Updated Jun 4, 2026 9 min read

Linux is a multi-user system where every file and process belongs to a user and group, and permissions control who can read, write, or execute — essential for security in shared environments.

What You’ll Learn

  • Read and interpret permission strings like -rwxr-xr-x
  • Change permissions with chmod using symbolic and octal modes
  • Change file ownership with chown and chgrp
  • Run commands safely with sudo
  • Manage users and groups
  • Set default permissions with umask

Why Permissions Matter

Without permissions, any user could read your SSH private keys, delete system files, or modify running programs. Durga Antivirus Pro relies on strict permissions to protect its virus definition databases — if those files were world-writable, malware could disable the antivirus by corrupting its signatures. DodaZIP uses group permissions to let developers read logs while restricting write access to administrators only.

Learning Path

    flowchart LR
  A[Shell Scripts] --> B[Permissions & Users<br/>You are here]
  B --> C[System Monitoring]
  C --> D[Networking]
  D --> E[Compression]
  
Prerequisites: You should know basic Bash commands such as ls -l and how to navigate the filesystem. A multi-user Linux system is helpful but not required.

How Permissions Work — The Security Triad

Think of every file as having a security guard at the door. The guard checks three things about you (your identity) and then checks a list of three permission slots for the file.

The three identities:

  • Owner (u) — the user who created the file
  • Group (g) — users in the file’s group
  • Others (o) — everyone else

The three permissions:

  • Read (r) — view contents
  • Write (w) — modify or delete
  • Execute (x) — run as a program or enter a directory

    flowchart TD
  A[File/Directory] --> B[Owner (u)]
  A --> C[Group (g)]
  A --> D[Others (o)]
  B --> E[r: read, w: write, x: execute]
  C --> E
  D --> E
  

Reading Permissions — The Secret Code

Run ls -l and you see strings like -rwxr-xr-x. Let’s decode them:

ls -l
# -rwxr-xr-x  1 alice developers  1234 Jun 6 12:00 script.sh
- r w x  r - x  r - x
│ └┬┘   └┬┘   └┬┘
│  │     │     └── Others: r-x (read + execute)
│  │     └──────── Group: r-x (read + execute)
│  └────────────── Owner: rwx (read + write + execute)
└────────────────── Type: - = file, d = directory, l = symlink

Breaking it down:

  • Position 1: file type (- = file, d = directory, l = symbolic link)
  • Positions 2-4: owner permissions
  • Positions 5-7: group permissions
  • Positions 8-10: others permissions

A dash means “no permission.” So r-x means read and execute, but not write.

Permissions Meaning by Type

| Permission | On a File | On a Directory |
|---|---|---|
| r (read) | View file content | List files inside |
| w (write) | Modify content | Add/delete files |
| x (execute) | Run as a program | Enter with cd |

Crucial insight: To access any file inside a directory, you need execute (x) on that directory. That’s why home directories are typically drwx------ (700) or drwxr-xr-x (755). Without x, you can’t cd into it.

chmod — Changing Permissions

chmod (change mode) modifies the permission bits. Think of it as reprogramming the security guard’s instructions.

Symbolic Mode

Symbolic mode uses letters: who (u/g/o/a), operator (+/-/=), and permission (r/w/x).

# Add execute for the owner
chmod u+x script.sh

# Remove write for the group
chmod g-w file.txt

# Add read for everyone else
chmod o+r file.txt

# Add execute for all (owner, group, others)
chmod a+x script.sh

# Same result as a+x here: with no "who", chmod applies to all, minus any bits set in your umask
chmod +x script.sh

# Give owner all permissions, group read+execute, others nothing
chmod u=rwx,g=rx,o= script.sh

# Recursive — change a directory and everything inside
chmod -R u+rwx folder/

Numeric (Octal) Mode

Each permission has a number: read=4, write=2, execute=1. Add them up for each identity.

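| Number | Binary | Permissions | Meaning |
|---|---|---|---|
| 7 | 111 | rwx | Full access |
| 6 | 110 | rw- | Read + write |
| 5 | 101 | r-x | Read + execute |
| 4 | 100 | r-- | Read only |
| 0 | 000 | --- | No access |
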
# 755 = owner:7 (rwx), group:5 (r-x), others:5 (r-x)
chmod 755 script.sh

# 644 = owner:6 (rw-), group:4 (r--), others:4 (r--)
chmod 644 file.txt

# 600 = owner:6 (rw-), group:0 (---), others:0 (---)
chmod 600 secret.txt

# 700 = owner:7 (rwx), no one else
chmod 700 private/

Common Permission Recipes

| Mode | Use Case | Why |
|---|---|---|
| 755 | Scripts, programs | Owner can edit; everyone can run |
| 644 | Text files, configs | Owner edits; everyone reads |
| 600 | SSH keys, passwords | Only owner sees it |
| 700 | Private directories | Only owner enters |
| 777 | Never use this | World-writable = disaster waiting |

chown — Changing Ownership

chown (change owner) transfers ownership. This requires sudo because only root can give away files.

# Change the owner
sudo chown alice file.txt

# Change owner and group at once
sudo chown alice:developers file.txt

# Change only the group (leave owner as is)
sudo chown :developers file.txt

# Recursive — change every file in a project
sudo chown -R alice:developers /home/alice/project

chgrp — Changing Group

# Change the group of a file
sudo chgrp developers file.txt

# Recursive
sudo chgrp -R developers /project/src

sudo — Superuser Do

sudo lets you run a single command as root (or another user) without logging in as root. It’s like a temporary permission badge.

# Run a command as root
sudo apt update

# Run as a different user
sudo -u www-data command

# Get a root shell (use carefully!)
sudo -i

# Re-run the last command with sudo
sudo !!

sudo rm -rf / will destroy your entire system. There is no confirmation dialog that saves you from this. Always read the command before pressing Enter.

Users and Groups — Identities

# Who am I right now?
whoami

# Detailed identity info
id
# uid=1000(alice) gid=1000(alice) groups=1000(alice),4(adm),27(sudo)

# List all users (each line = one user)
cat /etc/passwd

# List all groups
cat /etc/group

# What groups am I in?
groups

# What groups is alice in?
groups alice

# Add a new user
sudo useradd -m -s /bin/bash bob
sudo passwd bob

# Delete a user (and their home directory)
sudo userdel -r bob

# Add a user to a group
sudo usermod -aG docker alice

# Create a new group
sudo groupadd developers

The -aG in usermod is critical. -a means “append” — without it, the user is removed from all other groups.

umask — Default Permissions

umask sets the default permissions for newly created files and directories. It’s like a subtraction mask — it removes permissions from the maximum (666 for files, 777 for directories).

# Check current umask
umask
# 022

# Each new file gets: 666 - 022 = 644 (rw-r--r--)
# Each new dir gets:  777 - 022 = 755 (rwxr-xr-x)

# Set a more restrictive mask
umask 077
# Files: 600 (rw-------), Dirs: 700 (rwx------)
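
The 666 - 022 arithmetic above only works when every umask bit is also set in the base mode; what actually happens is that the masked bits are cleared (base AND NOT umask). The script below is an added example, not part of the original tutorial: it compares both calculations with the modes really assigned in a scratch directory. The function names are illustrative, and GNU stat and mktemp are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial).
# Assumes GNU coreutils: stat -c '%a' and mktemp -d.

# Predicted mode for a new object: base AND NOT umask, as 3-digit octal.
# $1 = base mode (666 for files, 777 for directories), $2 = umask
predict_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# What digit-wise subtraction would claim, for comparison only.
# The leading 1 forces decimal so that 033 is not parsed as octal.
naive_subtract() {
    printf '%03d\n' $(( 1$1 - 1$2 ))
}

# Create a file and a directory under the given umask in a scratch directory
# and print the modes actually assigned: "<file-mode> <dir-mode>".
observed_modes() {
    local mask=$1 scratch
    scratch=$(mktemp -d) || return 1
    (
        umask "$mask"
        touch "$scratch/f"
        mkdir "$scratch/d"
        printf '%s %s\n' "$(stat -c '%a' "$scratch/f")" "$(stat -c '%a' "$scratch/d")"
    )
    rm -rf "$scratch"
}

# 022 agrees with subtraction; 033 and 077 do not.
compare_umasks() {
    local m
    for m in 022 033 077; do
        printf 'umask %s: subtraction %s, bitmask %s, observed file/dir %s\n' \
            "$m" "$(naive_subtract 666 "$m")" "$(predict_mode 666 "$m")" \
            "$(observed_modes "$m")"
    done
}

compare_umasks
```

With umask 033 a new file comes out as 644, not 633: the file never had the execute bit, so masking it removes nothing.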

Common Mistakes

1. Using 777 permissions

World-writable files are a security hole. Anyone on the system can modify them. Never use chmod 777. Use 755 or 644 instead.

2. Forgetting sudo for system commands

chown alice file.txt            # Permission denied!
sudo chown alice file.txt       # Works

3. Not making scripts executable

./script.sh                     # Permission denied
chmod +x script.sh && ./script.sh  # Works

4. Confusing symbolic and numeric modes

chmod 755 sets exact permissions. chmod +x only adds execute. They’re not the same.

5. Using sudo unnecessarily

Running everything as root risks accidental system damage. Only use sudo when you get a permission error.

6. Wrong SSH key permissions

SSH private keys must be 600 (-rw-------). If the key has group or world permissions, SSH refuses to use it for security.
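
Mistakes 1 and 6 can be checked for mechanically. The script below is an added example, not part of the original tutorial: it lists world-writable files and directories, and private-key files that grant any access to group or others, and runs against a constructed sample tree. The function names are illustrative, and GNU find and stat are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit a directory tree for
# world-writable entries and for private keys readable beyond their owner.
# Assumes GNU find (-perm /MODE, -printf) and GNU stat (-c).

# List regular files and directories with the "others" write bit (0002) set.
# Output: "<octal mode> <path>", sorted.
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -printf '%m %p\n' 2>/dev/null | sort
}

# List files whose first line is a PEM-style private-key header and that grant
# any permission bit to group or others (mask 077).
find_exposed_keys() {
    find "$1" -xdev -type f -perm /077 2>/dev/null | while IFS= read -r f; do
        if head -n 1 -- "$f" 2>/dev/null | grep -q -- '^-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s %s\n' "$(stat -c '%a' -- "$f")" "$f"
        fi
    done | sort
}

# Build a constructed sample tree (placeholder text, not real key material)
# and print its path.
make_demo_tree() {
    local t
    t=$(mktemp -d) || return 1
    mkdir "$t/shared"
    printf 'setting=1\n' > "$t/app.conf"
    printf '#!/bin/sh\necho hi\n' > "$t/upload.sh"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' > "$t/id_good"
    cp "$t/id_good" "$t/id_bad"
    chmod 644 "$t/app.conf" "$t/id_bad"
    chmod 600 "$t/id_good"
    chmod 777 "$t/upload.sh" "$t/shared"
    printf '%s\n' "$t"
}

demo=$(make_demo_tree)
find_world_writable "$demo"   # reports shared/ and upload.sh
find_exposed_keys "$demo"     # reports id_bad only
rm -rf "$demo"
```

Each finding is fixed with the modes from the recipes table: chmod 600 for the key, 755 or 644 for the world-writable entries.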

Practice Questions

  1. What does chmod 755 mean? Owner: rwx (7), Group: r-x (5), Others: r-x (5). Standard for executable files.

  2. What is the difference between chmod and chown? chmod changes permissions (read/write/execute). chown changes ownership (which user/group owns the file).

  3. What permissions does a directory need to let you enter it? Execute (x) permission. Without it, cd fails even if you can see the directory exists.

  4. Why must SSH private keys be 600? SSH refuses to use a key that’s readable by anyone except the owner. If group or others can read it, an attacker who compromises another account could steal it.

  5. What does umask 077 do? Sets default permissions so new files are 600 (owner read/write only) and new directories are 700 (owner full access only).

Challenge: Create a shared directory /tmp/dev-project where a group called devteam can read and write files, but others cannot even list the directory. Set the group ownership and permissions correctly. Then test by creating a file and verifying another user (or simulated user) can modify it.

FAQ

What is the difference between chmod and chown?
chmod changes the permission flags (r/w/x). chown changes the user and group that own the file. Think of chmod as changing the lock, chown as changing who holds the key.

How do I make a file executable?
chmod +x file.sh or chmod 755 file.sh. Then run with ./file.sh.

What is the root user?
The superuser (UID 0) with unrestricted access to everything on the system. Use sudo to run individual commands as root instead of logging in as the root user directly.

What does chmod 600 mean?
Owner can read and write. Nobody else has any access. Standard for SSH private keys and password files.

How do I add a user to a group?
sudo usermod -aG groupname username. The -a (append) flag is essential — without it, the user is removed from all other groups.

What is umask?
The default permission mask that subtracts from the base permissions (666 for files, 777 for directories). umask 022 gives 644 for files.

Try It Yourself

Open your terminal and experiment with permissions in a safe directory:

# Create a practice directory
mkdir -p /tmp/permissions-practice
cd /tmp/permissions-practice

# Create a file and check its permissions
touch test.txt
ls -l test.txt
# -rw-r--r-- (644 default)

# Make it executable
chmod +x test.txt
ls -l test.txt
# -rwxr-xr-x

# Remove all permissions for others
chmod o-rwx test.txt
ls -l test.txt
# -rwxr-x---

# Try to read it as "other" — simulate with sudo
sudo -u nobody cat test.txt 2>&1 || echo "Permission denied as expected"

# Restore permissions and clean up
chmod 644 test.txt
rm -rf /tmp/permissions-practice

What’s Next

| Tutorial | What You’ll Learn |
|---|---|
| System Monitoring | Monitor processes, disk, and memory |
| Networking | Securely connect and transfer files with SSH, SCP |
| Linux User Administration | Advanced user/group management and policies |
| Cyber Security File Security | Hardening file systems, auditing permissions |
