chmod and chown
Once you understand the rwx permission model, chmod and chown are the two commands you use to actually manage it. chmod ('change mode') sets the read/write/execute permission bits on a file or directory, either by giving explicit octal numbers or by using symbolic operators that add, remove, or set specific permissions for owner, group, or other. chown ('change owner') and its sibling chgrp change which user and/or group owns a file — an operation that (outside of some containerized/rootless setups) normally requires root privileges, since arbitrarily reassigning ownership could otherwise be used to bypass disk quotas or access controls.
Cricket analogy: chmod is like a groundsman deciding who can bat, bowl, or field on a pitch (read/write/execute), set with a quick numeric code or by adjusting one rule at a time; chown is like transferring ownership of the ground itself to a new club, which normally requires the board's (root's) approval.
chmod: octal vs. symbolic mode
Octal mode sets all nine permission bits at once by specifying a 3-digit number (see file-permissions-explained for how r=4, w=2, x=1 sum together), which is fast when you know exactly what final permissions you want. Symbolic mode instead uses the syntax [ugoa][+-=][rwx], letting you target u (user/owner), g (group), o (other), or a (all), then add (+), remove (-), or set exactly (=) specific permission letters — this is useful when you want to change just one bit without recomputing the whole octal number, and it also supports X (execute only if it's already a directory or already executable for someone), handy for recursive operations that shouldn't make plain files executable.
Cricket analogy: Octal mode is like calling out a final field placement in one shout ('755'), while symbolic mode u+x is like adjusting just one fielder's position without redoing the whole field; X is like only letting a substitute run if they're already an active fielder, useful when repositioning the whole team.
# Octal mode: set exact permissions
chmod 755 deploy.sh # rwxr-xr-x — owner full, others read+execute
chmod 600 ~/.ssh/id_rsa # rw------- — private key, owner only
chmod 644 index.html # rw-r--r-- — typical web-readable file
# Symbolic mode: adjust specific bits without recomputing everything
chmod u+x deploy.sh # add execute for the owner
chmod go-w /etc/hosts # remove write for group and other
chmod a+r report.pdf # add read for everyone
chmod u=rwx,g=rx,o= project/ # set owner rwx, group r-x, other nothing
# Recursive: set directories to 755 and files to 644 safely using find
find /srv/www -type d -exec chmod 755 {} +
find /srv/www -type f -exec chmod 644 {} +
# Or use chmod's own recursive capital-X trick (adds x only where already a dir/executable)
chmod -R u+rwX,g+rX,o+rX /srv/wwwchown and chgrp: changing ownership
chown changes a file's owning user, its owning group, or both at once using the user:group syntax; omitting the user (:group) changes only the group, which is equivalent to what chgrp does on its own. Like chmod, chown supports -R for recursive changes down a directory tree. Because reassigning ownership is a privileged operation, you'll almost always need sudo unless you happen to be root already.
Cricket analogy: chown is like transferring a player from one franchise to another and optionally reassigning their squad group in one move (user:group), omitting the user changes only the squad; -R reassigns an entire academy's roster recursively, and you'll need board (sudo) approval unless you're already the board.
# Change owner only
sudo chown deploy /srv/app/config.yml
# Change owner and group together
sudo chown deploy:webapps /srv/app/config.yml
# Change group only (equivalent to chgrp webapps ...)
sudo chown :webapps /srv/app/config.yml
sudo chgrp webapps /srv/app/config.yml
# Recursively hand an entire directory tree to a service account
sudo chown -R www-data:www-data /var/www/mysite
# Reference another file's ownership instead of naming user/group explicitly
sudo chown --reference=/srv/app/config.yml /srv/app/secrets.ymlBeyond the basic rwx bits, chmod also supports three special bits: setuid (4000, runs an executable with the file owner's privileges — classic example: /usr/bin/passwd, shown as an 's' in the owner execute slot), setgid (2000, runs with the group's privileges on executables, or makes new files in a directory inherit the directory's group — widely used for shared team directories), and the sticky bit (1000, shown as 't' on directories like /tmp, which restricts deletion of files inside to their own owner even if others have write access).
chmod -R 777 anything is almost always the wrong fix for a 'permission denied' error — it grants read, write, and execute to literally everyone, including other unprivileged users and, on a compromised system, an attacker's process. Prefer the narrowest permission that actually solves the problem (e.g. adding the right group and using 750/770), and use chmod -R u+rwX,g+rX style adjustments or find ... -exec chmod with separate rules for files vs. directories instead of a blanket 777.
- chmod changes permission bits using octal numbers (e.g. 755) or symbolic operators (u/g/o/a with +/-/=).
- Symbolic mode's capital X sets execute only on directories or files already executable for someone — safer for recursive chmod.
- chown changes owner and/or group with user:group syntax; omitting the user (:group) changes only the group.
- chgrp changes only the group and is equivalent to
chown :group. - Both chmod and chown support -R for recursive operation down a directory tree, and both usually require sudo when changing ownership.
- Avoid chmod 777 as a quick fix — it grants full access to everyone and is a common security misstep; prefer narrowly scoped permissions.
Practice what you learned
1. Which chmod command sets a private SSH key to be readable and writable by the owner only, with no access for anyone else?
2. What does `chown deploy:webapps file.txt` do?
3. What is the effect of `chmod u+x script.sh`?
4. Why is `chmod -R 777` on a web application directory generally considered a bad practice?
5. What does the setgid bit do when applied to a directory (rather than an executable file)?
Was this page helpful?
You May Also Like
File Permissions Explained (rwx)
Understand the Linux permission model — read, write, and execute bits for owner, group, and others — and how ls -l output maps to those permissions.
Users, Groups, and sudo
Learn how Linux organizes access through users and groups, how to create and manage them, and how sudo grants temporary elevated privileges safely and auditably.
Package Management (apt and yum)
Learn how Debian/Ubuntu's apt and RHEL/CentOS's yum/dnf install, update, and remove software, resolve dependencies, and manage repositories.
Disk Usage and Management (df, du, mount)
Learn how to inspect filesystem capacity, measure directory sizes, and understand how block devices get attached to the Linux directory tree via mounting.
Related Reading
Related Study Notes in DevOps
Browse all study notesNginx Study Notes
DevOps · 30 topics
DevOpsAnsible Study Notes
DevOps · 30 topics
DevOpsAdvanced Kubernetes Study Notes
Kubernetes · 30 topics
DevOpsAdvanced Bash Scripting Study Notes
Bash · 30 topics
DevOpsApache Kafka Study Notes
Kafka · 30 topics
DevOpsDocker & Kubernetes Study Notes
YAML · 40 topics