Right, let’s talk about the thing that will inevitably drive you to drink at least once: file permissions. It’s the system’s way of playing bouncer at the club of your filesystem, deciding who gets in and what they can do once they’re inside. It seems archaic until you get a crypto-locker ransomware because a directory was world-writable, and then it seems like the most brilliant idea ever conceived.

The entire model rests on three simple, slightly anthropomorphic concepts: the User (u), the Group (g), and the Other (o). Don’t overthink the names; they’re brutally literal.

  • User (u): This is the file’s owner. You created the file? Congrats, you’re the User. It’s your personal fiefdom. The system checks what you are allowed to do with this file first.
  • Group (g): Files are also assigned to a specific group. This is the genius part—it lets you grant access to a whole set of people (or processes) at once. Think of it as a VIP list. Maybe the www-data group needs read access to your web files, or the devs group needs write access to a source code directory.
  • Other (o): This is everyone else. The great unwashed masses of users on the system who are neither the owner nor in the group. The permission bits here are a default for the entire world. This is where you need to be paranoid. Granting write access to o is like leaving your front door open with a sign that says “Free TV, just walk in.”

These three entities each get their own set of permissions: Read (r), Write (w), and Execute (x). When you run ls -l and see that glorious, cryptic string of characters—drwxr-xr-x—you’re looking at the entire permission model in one line.

The first character is the file type (d for directory, - for regular file, l for symlink, etc.). The next nine characters are three groups of three: rwx for the user, r-x for the group, and r-x for other.
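Since you will spend the rest of your life translating that nine-character string into the octal number that chmod wants (and back), here is a small converter as an added example. This is not code from the original post; the function names are my own, and the mapping it implements (r=4, w=2, x=1 per triplet) is the standard one.

```shell
# Added example: convert between the nine rwx characters that ls -l prints
# and the three-digit octal mode that chmod accepts. Function names are mine.

# Value of one rwx triplet (user, group or other): r=4, w=2, x=1.
triplet_value() {
  v=0
  case $1 in r??) v=$((v + 4)) ;; esac
  case $1 in ?w?) v=$((v + 2)) ;; esac
  # s/t in the third slot mean "execute set plus a special bit" (setuid, setgid
  # or sticky); S/T mean the special bit is set but execute is not. Only the
  # execute bit is counted here; the special bits are out of scope for this post.
  case $1 in ??[xst]) v=$((v + 1)) ;; esac
  printf '%s' "$v"
}

# "rwxr-xr-x" -> 755. Feed it the nine characters after the file-type character.
mode_to_octal() {
  m=$1
  [ ${#m} -eq 9 ] || { printf 'expected 9 characters, got %s\n' "$m" >&2; return 1; }
  printf '%s%s%s\n' \
    "$(triplet_value "$(printf '%s' "$m" | cut -c1-3)")" \
    "$(triplet_value "$(printf '%s' "$m" | cut -c4-6)")" \
    "$(triplet_value "$(printf '%s' "$m" | cut -c7-9)")"
}

# One octal digit -> one rwx triplet.
digit_to_rwx() {
  case $1 in
    0) printf '%s' '---' ;; 1) printf '%s' '--x' ;; 2) printf '%s' '-w-' ;; 3) printf '%s' '-wx' ;;
    4) printf '%s' 'r--' ;; 5) printf '%s' 'r-x' ;; 6) printf '%s' 'rw-' ;; 7) printf '%s' 'rwx' ;;
    *) return 1 ;;
  esac
}

# 644 -> "rw-r--r--". A leading 0 (0644) is accepted and ignored.
octal_to_mode() {
  o=$1
  [ ${#o} -eq 4 ] && o=$(printf '%s' "$o" | cut -c2-4)
  [ ${#o} -eq 3 ] || { printf 'expected 3 octal digits, got %s\n' "$1" >&2; return 1; }
  printf '%s%s%s\n' \
    "$(digit_to_rwx "$(printf '%s' "$o" | cut -c1)")" \
    "$(digit_to_rwx "$(printf '%s' "$o" | cut -c2)")" \
    "$(digit_to_rwx "$(printf '%s' "$o" | cut -c3)")"
}

# Usage on a real path: drop the type character (column 1) from ls -ld output.
# mode_to_octal "$(ls -ld /etc/passwd | cut -c2-10)"
```

The parser deliberately ignores the setuid, setgid and sticky markers beyond "is execute set", so a mode like `rwsr-xr-x` comes back as 755; if you want the special bits you need a fourth digit, which is a story for another day.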

What the Permissions Actually Do

It’s crucial to understand that r, w, and x mean slightly different things for files and directories. This is a classic pitfall.

For a file:

  • r (Read): You can view the file’s contents. cat file.txt will work.
  • w (Write): You can modify the file’s contents. echo "oops" >> file.txt will work. (Note: Deleting a file is governed by the permissions of the directory it’s in, not the file itself. Remember that.)
  • x (Execute): The file can be run as a program. This is what makes a script or a binary actually do something when you type its name.

For a directory:

  • r (Read): You can list the directory’s contents. ls /somedir will work. Without this, ls will just fail miserably.
  • w (Write): You can create, rename, or delete files within the directory. This is the one people mess up. You can have a file you can’t write to, but if you have write permission on its directory, you can still delete it. Madness, but true.
  • x (Execute): You can access the directory. This is often called the “search” bit. It means you can cd into it or access files and subdirectories inside it by name. This is the most important permission for a directory. Without it, you’re locked out, even if you know exactly what’s inside.

Let’s see this in action. Let’s create a file and a directory and poke at them.

# Create a file and a directory
touch my_file.txt
mkdir my_dir

# Check their default permissions
ls -ld my_file.txt my_dir
# drwxr-xr-x 2 user user 4096 Apr 10 10:00 my_dir
# -rw-r--r-- 1 user user    0 Apr 10 10:00 my_file.txt

# Let's make the file executable for the user (owner)
chmod u+x my_file.txt
ls -l my_file.txt
# -rwxr--r-- 1 user user 0 Apr 10 10:00 my_file.txt

# Now, let's be paranoid and remove all permissions for "other" on the directory
chmod o-rwx my_dir
ls -ld my_dir
# drwxr-x--- 2 user user 4096 Apr 10 10:00 my_dir

# Now try to list it as another user (or just try to access it)
sudo -u nobody ls my_dir
# ls: cannot open directory 'my_dir': Permission denied
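The paranoia about "other" getting write access deserves more than a one-off chmod: you want to find the front doors that are already open. Here is an added audit helper, not from the original post, that walks a tree for anything with the other-write bit set and can close it. The function names are my own; the find predicates are standard.

```shell
# Added example: audit a directory tree for the "Free TV, just walk in" case
# (write bit set for "other") and optionally close it. Function names are mine.

# Print every file or directory under $1 whose other-write bit is set.
world_writable() {
  # -perm -002 is a bitmask test: "the o+w bit is set", whatever the other bits are.
  # Symlinks are skipped: ls shows them as lrwxrwxrwx, which is not a real grant.
  # Directories with the sticky bit (mode 1777, like /tmp) are world-writable on
  # purpose, so they are excluded too; everything else is a finding.
  find "$1" ! -type l -perm -002 ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# Number of findings; handy as a cron job or CI gate ("must be 0").
count_world_writable() {
  world_writable "$1" | wc -l | tr -d ' '
}

# Remove the other-write bit from every finding. Uses the same filter so that
# sticky directories and symlinks are left alone.
close_world_writable() {
  find "$1" ! -type l -perm -002 ! \( -type d -perm -1000 \) -exec chmod o-w {} + 2>/dev/null
}

# Usage:
#   world_writable /var/www
#   count_world_writable "$HOME"
#   close_world_writable /srv/app
```

Run `world_writable` first and read the list before running `close_world_writable`; a directory that some service really does need to write to should get a group grant (the VIP list from above), not a blanket o+w.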

The Umask: Your Permission Filter

You might be wondering, “Why do new files usually start as rw-r--r-- (644) and directories as rwxr-xr-x (755)?” Meet umask, the party pooper of permissions. It’s not what gets added, but what gets subtracted from the maximum possible permissions.

The maximum for a file is 666 (read and write for everyone, but never execute by default for safety). The maximum for a directory is 777 (full access for everyone). Your umask, usually 022, clears the write permission for group and other. Strictly speaking it is a bitmask (the bits set in the umask are switched off), not arithmetic subtraction; the two give the same answer for 022, but a umask like 027 on 666 yields 640, not 639.

# Check your current umask (it's usually 022)
umask
# 0022

# This means: for files, 666 - 022 = 644 (rw-r--r--)
# For directories, 777 - 022 = 755 (rwxr-xr-x)

# Want your new files to be private by default? Set a restrictive umask:
umask 077 # This will result in files as 600 (rw-------) and dirs as 700 (rwx------)
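To see that the umask really is a mask and not a subtraction, here is an added example (not from the original post) that predicts the resulting mode with a bitwise AND NOT and then checks the prediction against what the kernel actually hands out when a file and a directory are created under that umask. Function names are my own.

```shell
# Added example: the umask is "MAX AND NOT UMASK". Predict the mode that way,
# then measure it by really creating things. Function names are mine.

# predicted_mode MAX UMASK -> octal mode the kernel will assign.
# 666 with umask 027 gives 640 (not 639): bits are cleared, digits are not subtracted.
predicted_mode() {
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Creation maximum is 666 for files and 777 for directories.
predicted_file_mode() { predicted_mode 666 "$1"; }
predicted_dir_mode()  { predicted_mode 777 "$1"; }

# Octal permission bits of a path (GNU stat first, BSD/macOS stat as fallback).
octal_mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# observed_modes UMASK -> "FILEMODE DIRMODE", measured by creating a file and a
# directory under that umask in a scratch directory. The subshell keeps the
# umask change from leaking into your session.
observed_modes() {
  scratch=$(mktemp -d)
  (
    umask "$1"
    touch "$scratch/f"
    mkdir "$scratch/d"
  )
  printf '%s %s\n' "$(octal_mode_of "$scratch/f")" "$(octal_mode_of "$scratch/d")"
  rm -rf "$scratch"
}

# Prediction next to reality for the umasks mentioned in the post, plus 027.
umask_table() {
  for u in 022 002 077 027; do
    printf 'umask %s: predicted file %s dir %s, observed %s\n' "$u" \
      "$(predicted_file_mode "$u")" "$(predicted_dir_mode "$u")" "$(observed_modes "$u")"
  done
}

# Usage: umask_table
```

The `0$1` trick just prepends a zero so the shell's arithmetic reads the digits as octal; `printf '%03o'` turns the result back into the familiar three digits.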

The best practice? Set a sane umask in your shell’s startup file (like ~/.bashrc). 077 is great for a personal machine. 022 or 002 (which allows group write) is common on multi-user systems or development servers. This isn’t a questionable design choice; it’s a brilliantly simple one. You just have to know it exists.