ArcLibrary

File Permissions (rwx & ugo)

What does `rwxr-xr-x` actually mean — explained once, in full.

Tags: Permissions · chmod · chown
Key Idea

In one line: every file and directory has an owner and a group, with r / w / x bits set separately for owner / group / others; those 9 mode bits decide almost everything (three special bits and optional ACLs cover the rest).

What it is#

ls -l output:
-rwxr-xr-- 1 alice devs 42 Aug 1 12:34 run.sh
│└┬┘└┬┘└┬┘   └┬─┘ └┬─┘
│ │  │  │     │    └ group
│ │  │  │     └ owner
│ │  │  └ other r — no write, no execute
│ │  └ group r-x — read + execute
│ └ user rwx — full
└ type: - / d / l / b / c

Octal: r=4, w=2, x=1, summed per triad → rwx = 7, r-x = 5, r-- = 4, so rwxr-xr-- = 754.

Analogy#

By way of analogy

Like an office building's badge system:

  • u (user) = you;
  • g (group) = your department;
  • o (other) = anyone else in the building.

Each door grants three kinds of access: look inside (r), rearrange what is inside (w), and walk through (x, which is what "enter" means for a directory). Changing the lock itself (chmod / chown) is not one of the three; only the owner and root can do that.

Key concepts#

r / w / x: read / write / execute
On a file, r = read contents, w = change contents, x = run it. On a directory, r = list names, x = enter (traverse it and stat its entries), w = create, delete or rename entries inside. Deleting a file therefore needs w+x on its directory, not w on the file itself.
chmod: change mode
`chmod 755 file` (octal) or `chmod g+w file` (symbolic).
chown: change owner (and optionally group)
`chown alice:devs file`. Only root may change the owner; an owner may change the group to one they belong to (`chgrp`).
umask: default mask
Permissions for newly created files = the base mode (666 for files, 777 for directories) with the umask's bits cleared. It is a bit mask, not arithmetic subtraction: base 666 with umask 033 still gives 644. Common: 022 → 644 for files, 755 for directories.
SUID / SGID / Sticky: special bits
SUID (4) on an executable runs it with the file owner's uid; SGID (2) on an executable runs it with the file's gid, and on a directory makes new entries inherit the directory's group; Sticky (1) on a directory (e.g. /tmp) lets only an entry's owner, the directory's owner or root delete or rename it. They form a leading fourth octal digit (`chmod 4755`, `chmod 1777`). Linux ignores SUID/SGID on interpreted `#!` scripts; they only take effect on binaries.
ACL: extended ACLs
When rwx isn't expressive enough, `setfacl` / `getfacl` add per-user or per-group entries. `ls -l` shows a `+` after the mode when a file has them, and the group column then displays the ACL mask rather than the group entry.

Cheatsheet#

chmod 755 script.sh        # rwxr-xr-x
chmod 644 README.md        # rw-r--r--
chmod -R u+w,g-w dir/      # recursive; in symbolic mode a capital X sets x only on dirs (and files already executable)
chown -R deploy:web /var/www/site
 
# I write / others read
umask 022
 
# /tmp sticky bit (already on by default)
chmod 1777 /tmp
 
# Grant one specific user read access (without touching group)
setfacl -m u:bob:r-- secret.txt

How it works#

The kernel checks process credentials (effective uid, effective gid, supplementary groups) against the inode's metadata (owner uid, group gid, mode bits); login names and paths never enter the decision. Exactly one class is chosen: owner if the euid matches, otherwise group if the file's gid is the egid or one of the supplementary groups, otherwise other. Only that class's triad is consulted, with no fall-through: an owner with mode 007 is refused even though "other" could read. root (CAP_DAC_OVERRIDE) bypasses the r/w checks but still needs at least one x bit set to execute a regular file.
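The decision procedure above, as an added example that is not code from the original page: a Python model of the mode-bit check, together with the umask rule and the symbolic-to-octal conversion the page describes. The uids and gids (alice = 1000, devs = 100, bob, carol) are constructed sample values, and the check is my model of the classic rules, not kernel code.

```python
"""Model of how mode bits become an allow/deny decision (added example).

Pure in-memory functions plus one on-disk round trip; uids/gids in the demo are
constructed, and check_access() models the classic rules rather than calling
into the kernel.
"""
import os
import stat
import tempfile

PERM_BITS = {"r": 4, "w": 2, "x": 1}
# index within the 9-char rwxrwxrwx field whose execute slot carries a special bit
SPECIAL_BY_SLOT = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_symbolic(field: str) -> int:
    """Turn the 10-char ls -l field ('-rwxr-xr--', 'drwxrwxrwt') into mode bits.

    's'/'S' in the user or group execute slot means SUID/SGID, 't'/'T' in the
    other execute slot means sticky; upper case means the plain x bit is off.
    """
    if len(field) != 10:
        raise ValueError("expected a 10-character ls -l permission field")
    mode, bit = 0, 0o400          # walk r,w,x for user, then group, then other
    for i, ch in enumerate(field[1:]):
        slot = i % 3              # 0 = r, 1 = w, 2 = x within each triad
        if ch == "-":
            pass
        elif slot == 2 and ch in ("sS" if i < 8 else "tT"):
            mode |= SPECIAL_BY_SLOT[i]
            if ch.islower():
                mode |= bit
        elif ch == "rwx"[slot]:
            mode |= bit
        else:
            raise ValueError(f"unexpected {ch!r} at position {i + 1}")
        bit >>= 1
    return mode


def to_octal(mode: int) -> str:
    """Format the 12 permission bits the way chmod takes them: '754', '4755'."""
    return format(mode & 0o7777, "o")


def apply_umask(base: int, umask: int) -> int:
    """New-file mode = base (0o666 files / 0o777 dirs) with the umask bits cleared."""
    return base & ~umask & 0o777


def check_access(mode: int, file_uid: int, file_gid: int,
                 euid: int, egid: int, groups, want: str,
                 is_dir: bool = False) -> bool:
    """True if a process with these credentials may do `want` ('r', 'w', 'x' or a mix).

    Rules modelled: root bypasses r/w but needs some x bit to execute a file;
    otherwise exactly one class (owner, group, other) is picked and only its
    triad is consulted, so there is no fall-through to a more permissive class.
    """
    need = sum(PERM_BITS[c] for c in want)
    if euid == 0:
        if "x" in want and not is_dir and not mode & 0o111:
            return False          # no x bit anywhere: even root cannot exec it
        return True
    if euid == file_uid:
        triad = (mode >> 6) & 7   # owner class
    elif file_gid == egid or file_gid in groups:
        triad = (mode >> 3) & 7   # group class (egid or supplementary group)
    else:
        triad = mode & 7          # other class
    return triad & need == need


def roundtrip_on_disk(mode: int = 0o754) -> str:
    """chmod a temp file, read the mode back with stat, return the ls -l field."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, mode)
        return stat.filemode(os.stat(path).st_mode)   # e.g. '-rwxr-xr--'
    finally:
        os.unlink(path)


if __name__ == "__main__":
    mode = parse_symbolic("-rwxr-xr--")                  # the page's run.sh line
    print(to_octal(mode))                                # 754
    print(to_octal(apply_umask(0o666, 0o022)),           # 644
          to_octal(apply_umask(0o777, 0o022)))           # 755
    # constructed ids: alice=1000 owns it, group devs=100; bob is in devs, carol is not
    for who, uid, groups, want in [("alice", 1000, [1000], "w"),
                                   ("bob", 1001, [1001, 100], "w"),
                                   ("carol", 1002, [1002], "x")]:
        print(who, want, check_access(mode, 1000, 100, uid, uid, groups, want))
    print(roundtrip_on_disk(mode))                       # -rwxr-xr--
```

The owner-with-007 case and the root-without-x case are the two results people most often get wrong by hand; both drop straight out of the single-class rule in `check_access`.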

Practical notes#

  • Avoid 777 (and 666) in production: anyone on the box can edit the file, and a 777 directory without the sticky bit lets anyone delete or rename other users' entries.
  • Missing dir x = can't cd into it or open anything beneath it, even with r (r alone lets you list names but not stat them); a common trip-up after `chmod -x dir`.
  • Missing file x = can't run it directly (`./script.sh`), but `bash script.sh` still works, since the interpreter only needs read permission on the file.
  • Run services as least-privileged users (www-data / nginx) — never as root.
  • ls -la shows hidden dotfiles.
  • stat file shows full metadata (uid / mtime / inode / block size).

Easy confusions#

rwx bits
Simple: 9 bits + 3 categories (plus the 3 special bits).
Covers 95 % of cases.
ACLs
Per-user / per-group fine-grained entries on top of the mode bits.
Use only when needed; don't overuse, and remember that once a file has an ACL the group column in `ls -l` shows the ACL mask, so check with `getfacl` rather than trusting `ls -l` alone.

Further reading#