File Permissions Explained (rwx)
Linux is a multi-user operating system at its core, and its permission model is what makes it safe for many users (and processes) to share one filesystem. Every file and directory has an owner (a user), a group, and a set of permission bits controlling three kinds of access — read (r), write (w), and execute (x) — for three categories of accessor: the owning user, the owning group, and everyone else ('other'). This nine-bit rwx model, inherited from early Unix, is deceptively simple but underpins nearly all access control on a standard Linux system, from protecting your SSH private key to preventing an unprivileged web server process from overwriting system files.
Cricket analogy: Like a stadium that lets the home team captain (owner) into the dressing room, the whole squad (group) onto the practice nets, and the general public (other) only into the stands, Linux's rwx model grants different access levels to different categories of people on the same shared ground.
Reading permissions with ls -l
Running ls -l shows a ten-character string like -rwxr-xr-- at the start of each line. The first character indicates the file type (- for regular file, d for directory, l for symbolic link, among others). The remaining nine characters are three rwx triplets in order: owner, group, other. Each triplet position is either the letter (r, w, or x) if that permission is granted, or a dash (-) if it is not. So -rwxr-xr-- means: it's a regular file; the owner can read, write, and execute; the group can read and execute but not write; and everyone else can only read.
Cricket analogy: Reading -rwxr-xr-- is like reading a scorecard header: the first symbol says it's a completed innings (not abandoned), then three blocks show what the captain, the rest of the squad, and the press box are each permitted to do with the scorebook.
$ ls -l /usr/bin/passwd /etc/shadow /home/alice/notes.txt
-rwsr-xr-x 1 root root 68208 Jan 10 2025 /usr/bin/passwd
-rw-r----- 1 root shadow 1823 Jul 8 09:12 /etc/shadow
-rw-r--r-- 1 alice alice 512 Jul 9 07:40 /home/alice/notes.txt
# Decode /etc/shadow's permissions: rw-r-----
# owner (root): read, write
# group (shadow): read only
# other: no access at allWhat r, w, and x mean for files vs. directories
The three permission bits mean subtly different things depending on whether they apply to a regular file or a directory. On a file: r lets you read its contents (e.g. with cat), w lets you modify or truncate it, and x lets you execute it as a program or script. On a directory, though: r lets you list the names of entries inside it (ls), w lets you create, rename, or delete entries inside it (which is why deleting a file actually depends on the containing directory's permissions, not the file's own), and x (often called the 'search' or 'traverse' bit) lets you cd into it or access files inside it by path at all — without x on a directory, even knowing a file's exact full path won't let you open it.
Cricket analogy: The 'x' bit on a directory is like the gate to the players' pavilion: even if you know exactly which locker holds the bat (the file's path), you can't reach it without permission to walk through the pavilion gate itself, separate from being allowed to open the locker.
Numeric (octal) notation
Permissions are frequently expressed as a 3-digit octal number instead of the rwx letters, because each rwx triplet maps directly onto 3 bits: r=4, w=2, x=1, and you sum the values you want. A single digit therefore ranges from 0 (---, no access) to 7 (rwx, full access). The permission -rwxr-xr-- becomes 754 (owner: 4+2+1=7, group: 4+0+1=5, other: 4+0+0=4). This compact octal form is what chmod most commonly takes as an argument, e.g. chmod 644 file.txt.
Cricket analogy: Converting -rwxr-xr-- to octal 754 is like a scorer converting a detailed ball-by-ball commentary into a compact numeric scorecard: owner's full rwx (4+2+1=7) plus group's r-x (4+0+1=5) plus other's r-- (4+0+0=4) becomes one tidy three-digit summary.
Historical note: this rwx-for-owner/group/other scheme dates back to Unix in the 1970s and was deliberately kept simple for performance and predictability on early hardware. Modern Linux systems layer more granular access control on top when needed — POSIX ACLs (via setfacl/getfacl) allow permissions for arbitrary additional users or groups beyond the classic three categories, and SELinux/AppArmor add mandatory access control policies — but the base rwx model remains the foundation almost everything else builds on.
A common misconception is that a file's own permissions control whether it can be deleted. In fact, deleting (unlinking) a file requires write permission on its containing DIRECTORY, not on the file itself — you can delete a read-only file if you own the directory it lives in and have write+execute on that directory. This trips up many beginners who wonder why rm succeeds on a file they marked read-only.
- Every file has an owner, a group, and three rwx permission triplets: owner, group, other, visible in
ls -las a 10-character string. - On files: r = read contents, w = modify/truncate, x = execute as a program.
- On directories: r = list entries, w = create/rename/delete entries inside, x = traverse into it / access files by path.
- Octal notation sums r=4, w=2, x=1 per triplet, so rwxr-xr-- becomes 754, and chmod commonly takes this 3-digit form.
- Deleting a file depends on write permission on its parent directory, not on the file's own permission bits.
- POSIX ACLs (setfacl/getfacl) and SELinux/AppArmor extend beyond the classic rwx model for finer-grained or mandatory access control.
Practice what you learned
1. What does the execute (x) permission mean when applied to a directory?
2. What permission is actually required to delete a file named report.txt?
3. What octal value represents the permission string rwxr-xr--?
4. In `ls -l` output, what does the very first character of the permission string indicate?
5. A file shows permissions rw-r-----. What can a user in the file's group do?
Was this page helpful?
You May Also Like
chmod and chown
Learn how to change file permissions with chmod (symbolic and octal modes) and change ownership with chown and chgrp, including recursive usage and special bits.
Users, Groups, and sudo
Learn how Linux organizes access through users and groups, how to create and manage them, and how sudo grants temporary elevated privileges safely and auditably.
The /etc/passwd and /etc/shadow Files
Understand the structure and purpose of /etc/passwd (user account metadata) and /etc/shadow (hashed passwords and aging policy), and how they work together.
Common Shell Scripting Pitfalls
A field guide to the mistakes that silently break Bash scripts — unquoted variables, wrong test operators, subshell scoping, and error-handling gaps.
Related Reading
Related Study Notes in DevOps
Browse all study notesNginx Study Notes
DevOps · 30 topics
DevOpsAnsible Study Notes
DevOps · 30 topics
DevOpsAdvanced Kubernetes Study Notes
Kubernetes · 30 topics
DevOpsAdvanced Bash Scripting Study Notes
Bash · 30 topics
DevOpsApache Kafka Study Notes
Kafka · 30 topics
DevOpsDocker & Kubernetes Study Notes
YAML · 40 topics