“Permission denied.” These two words have frustrated more Linux beginners than perhaps any other error message in the Unix world. Whether you’re trying to execute a script, modify a configuration file, or access a directory, permission issues can bring your workflow to a grinding halt. Understanding Linux file permissions and ownership isn’t just about memorizing commands—it’s about grasping the fundamental security model that keeps Unix-like systems stable and secure.
This comprehensive guide will transform you from someone who fears permission errors into a confident troubleshooter who can diagnose and resolve ownership and permission problems efficiently. We’ll cover the essential tools (chmod, chown, umask), explore real-world scenarios, and provide practical solutions you can apply immediately.
Understanding the Linux Permission Model
Before diving into troubleshooting, let’s establish a solid foundation. Linux uses a permission system based on three fundamental concepts: users, groups, and others. Every file and directory has an owner (user) and belongs to a group. Permissions are then assigned for three categories:
- User (u): The file owner
- Group (g): Members of the file’s group
- Other (o): Everyone else on the system
Each category can have three types of permissions:
- Read (r): View file contents or list directory contents
- Write (w): Modify file contents or create/delete files in a directory
- Execute (x): Run a file as a program or enter a directory
When you run ls -l, you see these permissions displayed as a 10-character string. The first character indicates the file type (- for regular files, d for directories), followed by three groups of three characters representing user, group, and other permissions respectively.
bashCopy-rwxr-xr– 1 john developers 1024 Nov 15 10:30 script.sh drwxr-x— 2 john developers 4096 Nov 15 10:25 project/
In the first example, script.sh is owned by user john and group developers. The owner has read, write, and execute permissions (rwx), the group has read and execute (r-x), and others have only read permission (r–).
The chmod Command: Changing Permissions
The chmod (change mode) command is your primary tool for modifying file permissions. It works with both symbolic and numeric notation, each having its advantages in different situations.
Symbolic Notation
Symbolic notation uses letters and symbols to represent permissions changes:
bashCopy# Grant execute permission to the owner chmod u+x script.sh # Remove write permission from group and others chmod go-w document.txt # Set exact permissions: owner gets all, group gets read/execute, others get nothing chmod u=rwx,g=rx,o= sensitive_file # Add read permission for everyone chmod a+r public_info.txt
The symbolic method is intuitive and perfect for making incremental changes. Use + to add permissions, – to remove them, and = to set exact permissions.
Numeric (Octal) Notation
Numeric notation uses three-digit numbers where each digit represents the permissions for user, group, and other respectively:
- 4 = read (r)
- 2 = write (w)
- 1 = execute (x)
Add these values together to get the permission digit:
- 7 (4+2+1) = rwx (read, write, execute)
- 6 (4+2) = rw- (read, write)
- 5 (4+1) = r-x (read, execute)
- 4 = r– (read only)
- 0 = — (no permissions)
bashCopy# Full permissions for owner, read/execute for group, read-only for others chmod 754 script.sh # Read/write for owner and group, no access for others chmod 660 private_document.txt # Common web directory permissions chmod 755 /var/www/html/ # Secure file permissions chmod 600 ~/.ssh/id_rsa
Numeric notation is faster for setting complete permission sets and is commonly used in scripts and documentation.
Advanced chmod Options
The chmod command offers several useful flags:
bashCopy# Recursive: apply permissions to directory and all contents chmod -R 755 /home/user/public_html/ # Verbose: show what changes are being made chmod -v 644 *.txt # Changes only: show only files that were actually changed chmod -c 755 scripts/* # Reference file: copy permissions from another file chmod –reference=template.sh new_script.sh
The chown Command: Changing Ownership
While chmod handles permissions, chown (change owner) manages file ownership. Ownership problems often cause permission issues even when the permission bits look correct.
Basic chown Usage
bashCopy# Change owner only chown john file.txt # Change owner and group chown john:developers file.txt # Change group only (note the colon prefix) chown :developers file.txt # Recursive ownership change chown -R apache:apache /var/www/html/ # Verbose output chown -v john:users *.log
Common Ownership Scenarios
Web Server Files: Web servers typically run under specific users (apache, www-data, nginx). Files must be owned correctly for the server to read them:
bashCopy# Apache on CentOS/RHEL chown -R apache:apache /var/www/html/ # Apache on Ubuntu/Debian chown -R www-data:www-data /var/www/html/ # Nginx chown -R nginx:nginx /usr/share/nginx/html/
User Home Directories: When copying files as root, ownership often needs correction:
bashCopy# Fix ownership after copying files as root cp /root/backup/* /home/john/ chown -R john:john /home/john/ # Alternative: copy with preserved ownership cp -a /root/backup/* /home/john/
Shared Directories: For collaborative work, you might need shared group ownership:
bashCopy# Create shared directory mkdir /shared/project chown :developers /shared/project chmod 775 /shared/project # Set group sticky bit so new files inherit group ownership chmod g+s /shared/project
Understanding umask: Default Permissions
The umask command controls default permissions for newly created files and directories. It’s often overlooked but crucial for preventing permission problems before they occur.
How umask Works
umask uses a subtraction model. The default permissions (666 for files, 777 for directories) have the umask value subtracted from them:
bashCopy# Check current umask umask # Output: 0022 # This means: # New files: 666 – 022 = 644 (rw-r–r–) # New directories: 777 – 022 = 755 (rwxr-xr-x)
Setting umask
bashCopy# Set umask for current session umask 027 # New files: 666 – 027 = 640 (rw-r—–) # New directories: 777 – 027 = 750 (rwxr-x—) # More restrictive umask umask 077 # New files: 666 – 077 = 600 (rw——-) # New directories: 777 – 077 = 700 (rwx——) # Set umask permanently in ~/.bashrc or ~/.profile echo “umask 027” >> ~/.bashrc
Common umask Values
- 022: Default on many systems. Owner gets full access, group and others get read access
- 002: Good for shared environments. Owner and group get full access, others get read access
- 027: More secure. Owner gets full access, group gets read access, others get nothing
- 077: Very secure. Only owner gets any access
Real-World Troubleshooting Examples
Let’s explore common permission problems and their solutions through practical scenarios.
Scenario 1: “Permission Denied” When Running Scripts
Problem: You download a script and try to run it:
bashCopy$ ./backup.sh bash: ./backup.sh: Permission denied
Diagnosis: Check the permissions:
bashCopy$ ls -l backup.sh -rw-r–r– 1 john john 1024 Nov 15 10:30 backup.sh
The script lacks execute permission.
Solution:
bashCopy# Add execute permission for the owner chmod u+x backup.sh # Or use numeric notation chmod 755 backup.sh # Verify the fix $ ls -l backup.sh -rwxr-xr– 1 john john 1024 Nov 15 10:30 backup.sh $ ./backup.sh # Script now runs successfully
Scenario 2: Web Server Can’t Access Files
Problem: Your web server returns “403 Forbidden” errors.
Diagnosis: Check file ownership and permissions:
bashCopy$ ls -la /var/www/html/ total 12 drwxr-xr-x 2 root root 4096 Nov 15 10:00 . drwxr-xr-x 3 root root 4096 Nov 15 09:30 .. -rw——- 1 john john 1024 Nov 15 10:00 index.html
The web server (running as www-data) can’t read files owned by john with 600 permissions.
Solution:
bashCopy# Change ownership to web server user chown www-data:www-data /var/www/html/index.html # Set appropriate permissions chmod 644 /var/www/html/index.html # For directories, ensure they’re executable chmod 755 /var/www/html/ # Verify the fix $ ls -la /var/www/html/ -rw-r–r– 1 www-data www-data 1024 Nov 15 10:00 index.html
Scenario 3: Can’t Create Files in Directory
Problem: Users can’t create files in a shared directory:
bashCopy$ touch /shared/project/newfile.txt touch: cannot touch ‘/shared/project/newfile.txt’: Permission denied
Diagnosis: Check directory permissions:
bashCopy$ ls -ld /shared/project/ drwxr-xr-x 2 root developers 4096 Nov 15 10:00 /shared/project/
The directory is owned by root, and group members only have read and execute permissions, not write.
Solution:
bashCopy# Give write permission to the group chmod g+w /shared/project/ # Or use numeric notation chmod 775 /shared/project/ # Set group sticky bit so new files inherit group ownership chmod g+s /shared/project/ # Verify the fix $ ls -ld /shared/project/ drwxrwsr-x 2 root developers 4096 Nov 15 10:00 /shared/project/
Scenario 4: SSH Key Permission Problems
Problem: SSH refuses to use your private key:
bashCopy$ ssh user@server @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0644 for ‘/home/john/.ssh/id_rsa’ are too open.
Diagnosis: SSH requires strict permissions on private keys:
bashCopy$ ls -l ~/.ssh/ -rw-r–r– 1 john john 1679 Nov 15 10:00 id_rsa -rw-r–r– 1 john john 394 Nov 15 10:00 id_rsa.pub
Solution:
bashCopy# Set correct permissions for SSH directory and files chmod 700 ~/.ssh/ chmod 600 ~/.ssh/id_rsa chmod 644 ~/.ssh/id_rsa.pub chmod 644 ~/.ssh/authorized_keys # if it exists # Verify the fix $ ls -la ~/.ssh/ drwx—— 2 john john 4096 Nov 15 10:00 . -rw——- 1 john john 1679 Nov 15 10:00 id_rsa -rw-r–r– 1 john john 394 Nov 15 10:00 id_rsa.pub
Scenario 5: Database Files Permission Issues
Problem: Database service fails to start due to permission errors.
Diagnosis: Check database directory ownership:
bashCopy$ ls -ld /var/lib/mysql/ drwxr-xr-x 2 root root 4096 Nov 15 10:00 /var/lib/mysql/
The MySQL service runs as the mysql user but the data directory is owned by root.
Solution:
bashCopy# Change ownership to mysql user chown -R mysql:mysql /var/lib/mysql/ # Set appropriate permissions chmod 750 /var/lib/mysql/ chmod 640 /var/lib/mysql/* # Verify the fix $ ls -ld /var/lib/mysql/ drwxr-x— 2 mysql mysql 4096 Nov 15 10:00 /var/lib/mysql/
Advanced Permission Concepts
Special Permissions
Beyond basic read, write, and execute permissions, Linux supports special permission bits:
Setuid (SUID): When set on executable files, the program runs with the owner’s privileges:
bashCopy# Set SUID bit chmod u+s /usr/bin/passwd chmod 4755 /usr/bin/passwd # numeric notation # Check for SUID bit (s in owner execute position) $ ls -l /usr/bin/passwd -rwsr-xr-x 1 root root 54256 Mar 27 2019 /usr/bin/passwd
Setgid (SGID): On files, runs with group privileges. On directories, new files inherit the directory’s group:
bashCopy# Set SGID on directory chmod g+s /shared/project/ chmod 2755 /shared/project/ # numeric notation # Check for SGID bit (s in group execute position) $ ls -ld /shared/project/ drwxr-sr-x 2 root developers 4096 Nov 15 10:00 /shared/project/
Sticky Bit: On directories, only file owners can delete their files:
bashCopy# Set sticky bit (like /tmp directory) chmod +t /shared/temp/ chmod 1755 /shared/temp/ # numeric notation # Check for sticky bit (t in other execute position) $ ls -ld /shared/temp/ drwxr-xr-t 2 root root 4096 Nov 15 10:00 /shared/temp/
Access Control Lists (ACLs)
For more granular permissions beyond the basic user/group/other model, Linux supports ACLs:
bashCopy# Check if filesystem supports ACLs mount | grep acl # View ACLs getfacl filename # Set ACL for specific user setfacl -m u:alice:rw filename # Set ACL for specific group setfacl -m g:developers:rx filename # Remove ACL setfacl -x u:alice filename # Remove all ACLs setfacl -b filename
Read More: Disk Space by Directory in Linux
Troubleshooting Methodology
When facing permission problems, follow this systematic approach:
1. Identify the Error
Read error messages carefully. Common indicators:
- “Permission denied”
- “Operation not permitted”
- “Access denied”
- HTTP 403 Forbidden errors
2. Check Current Permissions
bashCopy# For files ls -l filename # For directories ls -ld directory/ # Recursive listing ls -lR directory/ # Check ownership and permissions together stat filename
3. Identify the Required Access
Determine what type of access is needed:
- Read: Viewing file contents, listing directory contents
- Write: Modifying files, creating/deleting files in directories
- Execute: Running programs, entering directories
4. Check Process User Context
Identify which user needs access:
bashCopy# Check current user whoami # Check groups groups # For services, check process owner ps aux | grep service_name
5. Apply Appropriate Solution
Choose the right tool:
- Use chmod for permission changes
- Use chown for ownership changes
- Consider umask for default permissions
- Use sudo for temporary elevated privileges
6. Verify the Fix
Always test your changes:
bashCopy# Test file access cat filename # Test directory access ls directory/ # Test script execution ./script.sh # Check service status systemctl status service_name
Best Practices and Security Considerations
Principle of Least Privilege
Grant only the minimum permissions necessary:
bashCopy# Good: Specific permissions chmod 644 config.txt # Read-only for group/others chmod 700 private_script.sh # Owner-only access # Avoid: Overly permissive chmod 777 filename # Never do this unless absolutely necessary
Regular Permission Audits
Periodically review file permissions:
bashCopy# Find world-writable files (potential security risk) find /home -type f -perm -002 -ls # Find SUID files find /usr -type f -perm -4000 -ls # Find files with unusual permissions find /etc -type f ! -perm 644 ! -perm 640 ! -perm 600 -ls
Backup Before Changes
Always backup critical files before changing permissions:
bashCopy# Backup permissions getfacl -R /important/directory > permissions_backup.txt # Restore permissions if needed setfacl –restore=permissions_backup.txt
Use Groups Effectively
Leverage groups for shared access:
bashCopy# Create project group groupadd project_team # Add users to group usermod -a -G project_team alice usermod -a -G project_team bob # Set group ownership chown -R :project_team /shared/project/ chmod -R g+w /shared/project/
Automation and Scripting
For repetitive permission tasks, create scripts:
bashCopy#!/bin/bash # web_permissions.sh – Set correct web server permissions WEB_ROOT=”/var/www/html” WEB_USER=”www-data” WEB_GROUP=”www-data” # Set ownership chown -R $WEB_USER:$WEB_GROUP $WEB_ROOT # Set directory permissions find $WEB_ROOT -type d -exec chmod 755 {} ; # Set file permissions find $WEB_ROOT -type f -exec chmod 644 {} ; # Make scripts executable find $WEB_ROOT -name “*.sh” -exec chmod 755 {} ; echo “Web permissions updated successfully”
Conclusion
Mastering Linux file permissions and ownership is essential for any system administrator or developer working in Unix-like environments. The key to success lies in understanding the underlying concepts, using the right tools (chmod, chown, umask), and following a systematic troubleshooting approach.
Remember these fundamental principles:
- Always understand what permissions are needed before making changes
- Use the principle of least privilege
- Test your changes thoroughly
- Document permission requirements for your applications
- Regular audits help maintain security
With the knowledge and examples provided in this guide, you’re now equipped to tackle permission problems confidently. Whether you’re dealing with web server configurations, database permissions, or user access issues, you have the tools and understanding to diagnose and resolve these challenges effectively.
The “permission denied” error doesn’t have to be a nightmare anymore—it’s simply a problem with a systematic solution. Practice these concepts in a safe environment, and soon you’ll find yourself troubleshooting permission issues with confidence and expertise.