The chmod command in Linux controls who can read, write, or execute a file — and getting it wrong can either lock you out of your own files or leave your server wide open. Understanding file permissions in Linux is one of the first things every sysadmin needs to get right, and chmod is the tool that makes it happen.
In this guide, you will find 12 practical chmod examples covering both numeric and symbolic modes — from basic permission changes to recursive updates, special bits, and bulk operations using find. Every command below has been tested on RHEL and Ubuntu, and real terminal output is included so you know exactly what to expect. If you are just getting started, check out our Linux commands for beginners guide first.
chmod command in Linux only changes permissions, not ownership. If you need to change who owns a file, that is a job for chown. For a broader look at how Linux handles file types, see our guide on 7 types of files in Linux.
# Numeric mode example
chmod 755 filename
# Symbolic mode example
chmod u+x filename
Numeric mode (e.g. chmod 755) sets all three permission groups
- owner, group, others - in a single value. It is faster and preferred in scripts.
Symbolic mode (e.g. chmod u+x) lets you add or remove a
single permission without touching the rest. Use symbolic when you only want to tweak one bit,
and numeric when you want to set permissions from scratch.
Examples
chmod Command in Linux — Set 755 Permissions (Numeric Mode)
Permission 755 means the owner can read, write, and execute; the group and others
can only read and execute. This is the standard setting for shell scripts and web server files
that need to be run by the server process but not modified by anyone else.
-rwxr-xr-x. 1 alice alice 1024 Mar 17 10:00 deploy.sh
The three digits in 755 map to owner (7 = rwx), group (5 = r-x),
and others (5 = r-x). Check the permission table above to build any numeric value you need.
Run ls -l
afterwards to confirm the change took effect.
Add Execute Permission for the Owner Using Symbolic Mode
If a script you just created is not running, the most common cause is a missing execute bit.
The symbolic expression u+x adds execute permission for the file owner without
touching anything else — group and others stay exactly as they were.
-rw-r--r--. 1 alice alice 512 Mar 17 09:00 script.sh
$ chmod u+x script.sh
$ ls -l script.sh
-rwxr--r--. 1 alice alice 512 Mar 17 09:00 script.sh
Symbolic references: u = user/owner, g = group, o = others,
a = all three. Operators: + adds, - removes,
= sets exactly. Combine them freely — e.g. ug+x adds execute for both
owner and group at once.
Remove Write Permission for the Group
When a configuration file should be readable by a group but not editable by its members,
stripping the write bit with g-w does the job cleanly without affecting owner
or others permissions.
-rw-rw-r--. 1 alice devs 2048 Mar 17 11:00 app.conf
$ chmod g-w app.conf
$ ls -l app.conf
-rw-r--r--. 1 alice devs 2048 Mar 17 11:00 app.conf
This is a common hardening step for files like /etc/nginx/nginx.conf or application
config files stored in shared directories. Only the owner can modify them, but the group
can still read them. For more on securing your Linux server, see the Linux server hardening checklist.
Add Execute Permission for All Users
If you are deploying a utility script that every user on the system should be able to run,
a+x adds the execute bit for owner, group, and others in a single command.
This is equivalent to ugo+x.
-rw-r--r--. 1 root root 860 Mar 17 12:00 health-check.sh
$ chmod a+x /usr/local/bin/health-check.sh
$ ls -l /usr/local/bin/health-check.sh
-rwxr-xr-x. 1 root root 860 Mar 17 12:00 health-check.sh
Scripts placed in /usr/local/bin/ are on the system PATH, so once you make them
executable with a+x, any user can run them by name from any directory — no full path needed.
Set Read-Only Permission for Others
The = operator in symbolic mode sets permissions to exactly what you specify,
discarding any existing bits. o=r gives others read-only access — no write,
no execute — regardless of what was set before.
-rw-rw-rwx. 1 alice alice 3200 Mar 17 13:00 report.txt
$ chmod o=r report.txt
$ ls -l report.txt
-rw-rw-r--. 1 alice alice 3200 Mar 17 13:00 report.txt
Notice how o=r stripped the existing write and execute bits for others and left
only read. If you had used o+r instead, write and execute would have remained.
Choose = when you want predictable, exact results.
Change Permissions Recursively on a Directory
The -R flag applies a permission change to the target directory and everything
inside it — all subdirectories and files — in one pass. This is useful when deploying a web
application and you need to lock down an entire folder tree.
total 12
drwxr-x---. 2 alice www-data 4096 Mar 17 14:00 assets
-rwxr-x---. 1 alice www-data 1024 Mar 17 14:00 index.php
-rwxr-x---. 1 alice www-data 820 Mar 17 14:00 config.php
Using -R with a blanket permission applies the same mode to both files and
directories. Directories typically need the execute bit to be accessible, but plain files
usually should not have it. For a cleaner approach, see Example 12 — using
find
to set different permissions for files versus directories.
Use Verbose Mode to Confirm Every Change
When you run chmod normally it produces no output — you have to run
ls -l afterwards to check. Add -v and it will print a confirmation
line for every file it touches, which is useful when applying changes to multiple files
and you need a clear audit trail in your terminal session.
mode of 'db.conf' changed from 0664 (rw-rw-r--) to 0644 (rw-r--r--)
mode of 'nginx.conf' changed from 0660 (rw-rw----) to 0644 (rw-r--r--)
If you only want output when something actually changes (and silence for files that already
have the target permission), use -c instead of -v. Both flags are
great for auditing permissions in automated deployment scripts. For scheduling automated tasks, see our guide on the cron command in Linux.
The sticky bit on a directory means that only the file's owner (or root) can delete or rename
that file, even if the directory is world-writable. The classic example is /tmp,
which everyone can write to but no one can delete each other's files from.
drwxrwxrwt. 2 root root 4096 Mar 17 15:00 /shared/uploads
The trailing t in drwxrwxrwt is how the sticky bit appears in
ls -l output. Numerically, you would set it with chmod 1777 /shared/uploads
— the leading 1 is the sticky bit, followed by the standard 777.
If the execute bit for others is not set, the t appears as a capital T.
Set the SUID Bit on an Executable File
The Set User ID (SUID) bit causes a program to run with the permissions of its owner rather
than the user who executes it. The passwd command is the textbook example —
it runs as root so it can write to /etc/shadow, even when launched by a
regular user. You need sudo
to set SUID on system files.
-rwsr-xr-x. 1 root root 8192 Mar 17 16:00 myutil
SUID on root-owned binaries is a privilege escalation risk if the program has any exploitable
vulnerability. Audit all SUID binaries on your system periodically with:
find / -perm -4000 -type f 2>/dev/null. Only set SUID when there is a clear
operational need for it. For a full security overview, see the Linux security command cheat sheet.
When SGID is set on a directory, any new file created inside it automatically inherits the
directory's group — instead of the creating user's primary group. This is extremely useful
for team project directories where everyone in the group needs write access to each other's files.
drwxrwsr-x. 2 alice devteam 4096 Mar 17 17:00 teamwork
$ touch /projects/teamwork/newfile.txt
$ ls -l /projects/teamwork/newfile.txt
-rw-rw-r--. 1 bob devteam 0 Mar 17 17:05 newfile.txt
Notice in the output that newfile.txt was created by user bob, but it
belongs to the devteam group — not bob's primary group. That is the SGID bit working.
Numerically, SGID is the leading 2: chmod 2775 /projects/teamwork. To manage users and groups, see our guide on how to create users in Linux.
Set Multiple Permissions in a Single Command
You can chain multiple symbolic expressions in one chmod call by separating them
with commas. This sets owner to full access, group to read and execute, and removes all
permissions from others — in a single run with no intermediate states.
-rwxr-x---. 1 alice devops 2048 Mar 17 18:00 server.sh
o= with nothing after the equals sign removes all permissions for others — it is
a clean way to say "others get nothing" without guessing what bits were set before. The
numeric equivalent of this example is chmod 750 server.sh.
Bulk Update File Permissions Using find
Combining chmod with the
find
command is the correct way to apply different permissions to files and directories separately
in one pass. This is far safer than a blanket chmod -R and is standard practice
for locking down web application directories.
find /var/www/myapp -type f -exec chmod 644 {} \;
find /var/www/myapp -type d -exec chmod 755 {} \;
$ find /var/www/myapp -type d -exec chmod 755 {} \;
$ ls -lR /var/www/myapp/
drwxr-xr-x. alice www-data assets/
-rw-r--r--. alice www-data index.php
-rw-r--r--. alice www-data config.php
-rw-r--r--. alice www-data assets/style.css
You can also use -exec chmod ... {} + (with a + instead of \;)
to batch the changes, which is faster on large directory trees because it calls chmod
fewer times. Use \; when you need per-file control or logging.
chmod 777 gives every user on the system — including web server processes and
any attacker who gains a foothold — full read, write, and execute access. On a web server,
this means anyone who can reach a writable directory can upload and execute arbitrary code.
If you are using 777 to "fix" a permission error, the real fix is to set the
correct owner and group with
chown
and then use the most restrictive permission that still lets the application work —
typically 644 for files and 755 for directories. For a broader view of Linux security practices, the Red Hat Linux security guide is a solid reference.
People Also Ask
chmod 755 sets the owner's permissions to read, write, and execute (7), and
gives both the group and others read plus execute access (5). It is the standard permission
for executable scripts and web-accessible directories.
644 is for files that should be readable by everyone but only writable by the
owner — typical for HTML files, config files, and documents. 755 adds execute
permission, making it suitable for scripts, binaries, and directories that need to be
traversed.
Yes. Add the -R flag to apply the permission change to a directory and
everything inside it. For finer control — applying different permissions to files and
directories separately — use find combined with chmod, as
shown in Example 12.
No. chmod only changes the permission bits — who can read, write, or execute
a file. To change the owner or group of a file, use the
chown command.
Run ls -l
in any directory to see the permission string for every file. The first ten characters
of each line (e.g. -rwxr-xr-x) show the file type and permission bits for
owner, group, and others.
From your first terminal command to advanced sysadmin skills — every guide here is written in plain English with real examples you can run right now.
