File permissions explained (Linux)

Topic: Security basics

Summary

Linux file permissions are read, write, execute for owner, group, and others. Use chmod and chown to set them; restrict sensitive files (keys, config) to owner-only read. Use this when fixing permission denied or securing config and keys.

Intent: How-to

Quick answer

  • Permissions are owner (u), group (g), others (o); each has read (r), write (w), execute (x). chmod 600 file gives owner read-write, no one else. chmod 755 dir gives owner rwx, others rx (for directories, x means enter).
  • Sensitive files (private keys, config with secrets) should be 600 or 400 so only the owner can read. Directories containing them should be 700 so only the owner can list. Do not use 777 or 666 for anything sensitive.
  • chown and chgrp set owner and group. Run services as a dedicated user and set ownership so only that user (and root) can read the service config and keys.

Prerequisites

Steps

  1. Read permission notation

    ls -l shows the mode (e.g. -rw-r--r--). The first character is the type (- file, d directory); the next nine are rwx for user, group, and others, in that order. Numeric: 4=read, 2=write, 1=execute; sum per class (e.g. 600 = rw-------).

  2. Set with chmod and chown

    chmod 600 key.pem (owner read-write). chmod 755 script.sh (owner rwx, others rx). chown user:group file sets the owner and group. For directories, x means you can cd and list; without x you cannot list entries.

  3. Harden sensitive files

    Private keys and config with secrets: chmod 600, chown service_user. Parent dirs: 700 so only owner can list. Avoid world-writable (777, 666) and world-readable for secrets.

  4. Verify

    ls -l and stat file; confirm owner and mode. Run the app as the service user and confirm it can read; run as another user and confirm access is denied.
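
An added example (not part of the original page) that automates the Step 4 check: it reads the mode with stat and uses the 4/2/1 octal bits from Step 1 to confirm that neither a secret file nor its parent directory grants anything to group or others. It assumes GNU stat; the function names and the temporary key.pem path are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a secret file against the modes recommended above.
# Assumes GNU stat (standard on Linux); names and paths are illustrative.

# Succeeds when the mode grants nothing to group or others (600, 400, 700).
owner_only() {
    mode=$(stat -c '%a' "$1") || return 2
    # 077 masks the group and others digits; owner bits are ignored.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print one line per finding for a file and its parent directory.
# Returns the number of findings, so 0 means hardened.
audit_secret() {
    file=$1
    dir=$(dirname "$file")
    findings=0
    if ! owner_only "$file"; then
        echo "FAIL $file is $(stat -c '%a %U:%G' "$file"); use chmod 600 or 400"
        findings=$((findings + 1))
    fi
    if ! owner_only "$dir"; then
        echo "FAIL $dir is $(stat -c '%a %U:%G' "$dir"); use chmod 700"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK   $file"
    fi
    return "$findings"
}

# Demo on a constructed temporary directory: weak modes, then hardened.
demo=$(mktemp -d)
touch "$demo/key.pem"
chmod 755 "$demo"
chmod 644 "$demo/key.pem"
audit_secret "$demo/key.pem" || echo "findings: $?"
chmod 700 "$demo"
chmod 600 "$demo/key.pem"
audit_secret "$demo/key.pem"
rm -rf "$demo"
```

The return code doubles as a finding count, so the function can gate a deployment script or run from cron against each key path.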

Summary

Understand u/g/o and r/w/x; use chmod and chown to restrict sensitive files to owner-only. Use this when securing config and keys or fixing permission denied.

Steps

Step 1: Read permission notation

Use ls -l and numeric modes (4=r, 2=w, 1=x). Interpret owner, group, others.

Step 2: Set with chmod and chown

chmod 600 for keys and secrets; chown for service user. Use 755 for dirs that must be traversed.

Step 3: Harden sensitive files

Keys and secret config: 600, owner service user. Parent dirs: 700. No world-writable for sensitive paths.

Step 4: Verify

Check ls -l and stat; confirm the service can read and others cannot.

Verification

Sensitive files are 600 (or 400); dirs are 700; service runs as the correct user and can read; others cannot.

Troubleshooting

Permission denied — Check owner and group; ensure the running user is owner or in group and mode allows read (and execute for dirs).

Service cannot read — Fix ownership or add the service user to the file group with read permission.
