Linux Group Permission Management Guide: chmod, chown, and Group Configuration
In Linux, group permissions are the foundation of multi-user collaboration and system security. Understanding the three identities (owner, group, and others) and mastering the chmod, chown, and chgrp commands, along with the complete group management workflow, is an essential skill for every Linux user.
Linux Permission Basics
Linux employs a strict access control mechanism where every file and directory has a combination of three identities and three permissions.
Three Identities
| Identity | Description | Symbol |
|---|---|---|
| Owner | The user who created the file, typically has the highest privileges | u (user) |
| Group | The group the owner belongs to; group members share the same permissions | g (group) |
| Others | All other users who are not the owner and not in the group | o (others) |
Three Permissions
| Permission | Symbol | Value | Meaning for Files | Meaning for Directories |
|---|---|---|---|---|
| Read | r | 4 | Can read the file contents | Can list the directory contents (ls) |
| Write | w | 2 | Can modify or delete the file | Can create or delete files in the directory |
| Execute | x | 1 | Can execute the file (script or program) | Can enter the directory (cd) |
Reading ls -l Output
$ ls -l my_file.txt
-rw-r--r-- 1 benz developers 1024 Jan 18 10:00 my_file.txt
Column-by-column breakdown:
-  rw-  r--  r--  1  benz  developers  1024  Jan 18 10:00  my_file.txt
|   |    |    |   |   |        |        |
|   |    |    |   |   |        |        └── File size (bytes)
|   |    |    |   |   |        └── Group name
|   |    |    |   |   └── Owner name
|   |    |    |   └── Number of hard links
|   |    |    └── others permissions
|   |    └── group permissions
|   └── owner permissions
└── File type (- is a regular file, d is a directory)
Numeric Notation
Permissions can be represented numerically by adding up the values of the three permissions:
| Number | Permission Combination | Symbol | Description |
|---|---|---|---|
| 7 | 4+2+1 | rwx | Read + Write + Execute (full permissions) |
| 6 | 4+2 | rw- | Read + Write (common for regular files) |
| 5 | 4+1 | r-x | Read + Execute |
| 4 | 4 | r-- | Read only |
| 0 | 0 | --- | No permissions |
Three digits represent the three identities:
755 = rwx r-x r-x
       |   |   └── others: can read, can execute (cannot write)
       |   └── group: can read, can execute (cannot write)
       └── owner: can read, can write, can execute (full permissions)
644 = rw- r-- r--
       |   |   └── others: read only
       |   └── group: read only
       └── owner: can read, can write (cannot execute)
Complete chmod Command Usage
chmod (change mode) is used to modify the access permissions of files or directories.
Numeric Mode
# Give the owner full permissions on a script; group and others can only read and execute
chmod 755 script.sh
# -rwxr-xr-x
# Standard setting for regular files: owner can read/write, others can only read
chmod 644 document.txt
# -rw-r--r--
# Only the owner can read and write (commonly used for private config files)
chmod 600 ~/.ssh/id_rsa
# -rw-------
# Directories are usually set to 755 so others can enter them
chmod 755 /var/www/html
# Recursively modify an entire directory and all its contents
# (this also marks every regular file executable; Example 2 sets directories and files separately)
chmod -R 755 /var/www/html
Symbolic Mode
Symbolic mode is more intuitive and is well-suited for modifying a specific permission for a particular identity:
# u=owner, g=group, o=others, a=all (all three)
# + = add, - = remove, = = set (full override)
# Add execute permission for the owner
chmod u+x script.sh
# Remove write permission for the group
chmod g-w file.txt
# Set others' permissions to read only (full override)
chmod o=r file.txt
# Add read permission for everyone
chmod a+r document.txt
# Set permissions for multiple identities at once
chmod u=rw,g=r,o=r document.txt
# Equivalent to chmod 644 document.txt
# Recursive modification (symbolic mode also supports -R)
chmod -R g+rw /home/benz/shared/
chown Command
chown (change owner) is used to modify the owner of a file or directory, and can also change the group at the same time.
# Check the current owner
ls -l file.txt
# Change the owner (requires root or sudo privileges)
sudo chown benz file.txt
# Change both owner and group (format: owner:group)
sudo chown benz:developers file.txt
# Change only the group (keep the owner unchanged): leave the part before the colon empty
sudo chown :developers file.txt
# Recursively modify an entire directory
sudo chown -R benz:developers /home/benz/projects/
# Practical example: fix web server file permissions
sudo chown -R www-data:www-data /var/www/html/
chgrp Command
chgrp (change group) is used to change only the group of a file or directory:
# Change the group of a single file
sudo chgrp developers file.txt
# Change the group of a directory and all its contents
sudo chgrp -R developers /home/benz/projects/
# Verify the result
ls -l file.txt
# -rw-r--r-- 1 benz developers 1024 Jan 18 10:00 file.txt
Group Management Commands
Viewing Group Information
# View all groups the current user belongs to
groups
# View groups for a specific user
groups benz
# View detailed user and group ID information
id
# View all groups on the system (format: group_name:password:GID:member_list)
cat /etc/group
# Search for a specific group
grep "developers" /etc/group
Creating and Managing Groups
# Create a new group
sudo groupadd developers
# Create a group with a specific GID
sudo groupadd -g 1050 developers
# Add a user to a group (-aG is append mode; does not remove other groups)
sudo usermod -aG developers benz
sudo usermod -aG docker benz
# Remove a user from a group
sudo gpasswd -d benz developers
# Delete a group
sudo groupdel developers
# Note: after modifying groups, the user needs to log out and log back in (or run newgrp) for changes to take effect
newgrp developers
Practical Examples
Example 1: Team Shared Directory Setup
Suppose you have a development team whose members need to share the /srv/project directory:
# 1. Create the group
sudo groupadd dev-team
# 2. Add members to the group
sudo usermod -aG dev-team alice
sudo usermod -aG dev-team bob
sudo usermod -aG dev-team charlie
# 3. Create the shared directory and set owner and group
sudo mkdir -p /srv/project
sudo chown root:dev-team /srv/project
# 4. Set permissions: owner has full access, group can read/write, others have no access
sudo chmod 770 /srv/project
# 5. Set the setgid bit: ensures new files created in this directory automatically belong to dev-team
sudo chmod g+s /srv/project
# Verify the configuration
ls -ld /srv/project
# drwxrws--- 2 root dev-team 4096 Jan 18 10:00 /srv/project
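Added example (not part of the original article): the Example 1 setup reproduced in a scratch directory, with the caller's primary group standing in for dev-team so no root is needed. It shows that setgid passes the group and the setgid bit on to new entries, while the umask still decides whether new files are group-writable. Function names are illustrative and GNU stat is assumed.

```sh
#!/bin/sh
# Added example, not from the original article. Needs GNU stat (stat -c).
# Assumption: the caller's primary group stands in for dev-team.

# Create a scratch directory set up like /srv/project (770 plus setgid)
# and print its path.
make_shared_dir() {
    dir=$(mktemp -d) || return 1
    chgrp "$(id -g)" "$dir" && chmod 770 "$dir" && chmod g+s "$dir" || return 1
    printf '%s\n' "$dir"
}

# Create a file and a subdirectory inside directory $1 under umask $2.
# Prints "<file mode>:<file gid> <subdir mode>:<subdir gid>".
create_under_umask() {
    ( umask "$2" && : > "$1/u$2.txt" && mkdir "$1/u$2.d" ) || return 1
    printf '%s %s\n' "$(stat -c '%a:%g' "$1/u$2.txt")" \
                     "$(stat -c '%a:%g' "$1/u$2.d")"
}

demo() {
    d=$(make_shared_dir) || return 1
    echo "shared dir: $(stat -c '%a:%g' "$d")"            # mode 2770
    # umask 022: the group is inherited, but the file is 644,
    # so other group members still cannot modify it.
    echo "umask 022 : $(create_under_umask "$d" 022)"     # 644 and 2755
    # umask 002: new files are 664 and new subdirectories 2775.
    echo "umask 002 : $(create_under_umask "$d" 002)"     # 664 and 2775
    rm -rf "$d"
}

demo
```

With the common default umask of 022, members need umask 002 (or default ACLs) for files they create in the shared directory to be writable by the rest of the group.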
Example 2: Web Server File Permission Setup
# Standard permission setup for Nginx / Apache web root directory
# The web server process (www-data) needs to read all files but should not have write access
# Set the directory owner to your account and the group to www-data
sudo chown -R benz:www-data /var/www/html/mysite
# Directories: owner has full access, group and others can only read and enter
find /var/www/html/mysite -type d -exec chmod 755 {} \;
# Regular files: owner can read/write, group and others can only read
find /var/www/html/mysite -type f -exec chmod 644 {} \;
# If there are directories that need PHP write access (e.g., upload directories), grant group write permission
sudo chmod 775 /var/www/html/mysite/uploads
sudo chown www-data:www-data /var/www/html/mysite/uploads
Example 3: Protecting Sensitive Configuration Files
# SSH private key: only the owner can read and write; no access for anyone else
chmod 600 ~/.ssh/id_rsa
# -rw-------
# SSH public key: others can read
chmod 644 ~/.ssh/id_rsa.pub
# .env config file (contains sensitive information like database passwords): only the owner can read/write
chmod 600 .env
# The entire .ssh directory should only be accessible by the owner
chmod 700 ~/.ssh
# If the SSH private key permissions are incorrect, SSH login will fail with an error:
# "Permissions 0644 for '/home/benz/.ssh/id_rsa' are too open."
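Added example (not part of the original article): a small audit that checks a directory tree against the rules in Example 3 and also flags world-writable files and directories. It assumes GNU find; the function names, the issue labels and the sample tree are constructed for illustration, and the key-name pattern id_* goes beyond id_rsa to cover other OpenSSH default key names.

```sh
#!/bin/sh
# Added example, not from the original article.
# Needs GNU find (-perm /MODE and -printf).

# audit_perms DIR
# Prints one finding per line: "<issue> <octal mode> <path>".
audit_perms() {
    # Private keys and .env files: any group/other bit means more than 600.
    find "$1" -type f \( -name 'id_*' ! -name '*.pub' -o -name '.env' \) \
        -perm /077 -printf 'secret-exposed %m %p\n'
    # .ssh directories should be 700.
    find "$1" -type d -name '.ssh' -perm /077 -printf 'ssh-dir-open %m %p\n'
    # Regular files writable by others.
    find "$1" -type f -perm -0002 -printf 'world-writable %m %p\n'
    # Directories writable by others and lacking the sticky bit:
    # any user can create or delete entries in them.
    find "$1" -type d -perm -0002 ! -perm -1000 \
        -printf 'world-writable-dir %m %p\n'
}

# Constructed sample tree for the demo; prints its path.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/.ssh" "$t/app" "$t/drop"
    touch "$t/home/.ssh/id_rsa" "$t/home/.ssh/id_rsa.pub" \
          "$t/app/.env" "$t/app/notes.txt"
    chmod 755 "$t/home" "$t/app"
    chmod 700 "$t/home/.ssh"
    chmod 644 "$t/home/.ssh/id_rsa"       # private key too open
    chmod 644 "$t/home/.ssh/id_rsa.pub"   # fine for a public key
    chmod 600 "$t/app/.env"               # correct
    chmod 666 "$t/app/notes.txt"          # writable by everyone
    chmod 777 "$t/drop"                   # writable by everyone, no sticky bit
    printf '%s\n' "$t"
}

tree=$(build_sample_tree) && audit_perms "$tree"
rm -rf "$tree"
```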
Frequently Asked Questions (FAQ)
Q1: When should 755 and 644 be used?
These are the two most common permission settings:
- 755 (rwxr-xr-x): Suitable for directories and executable scripts. The owner has full control; group and others can enter directories and execute scripts but cannot modify contents.
- 644 (rw-r--r--): Suitable for regular files (HTML, CSS, images, config files, etc.). The owner can read and write; group and others can only read.
Q2: What is the difference between usermod -aG and usermod -G? Do I always need to include -a?
This difference is very important – make sure to remember it:
# Dangerous! -G will "replace" all of the user's groups
sudo usermod -G developers benz
# If benz was originally in the sudo and docker groups, they will all be removed!
# benz will only have developers as a supplementary group
# Correct! -aG "appends" to the groups without affecting existing ones
sudo usermod -aG developers benz
# benz's original sudo and docker groups are preserved, and developers is added
So always include the -a flag, otherwise the user may suddenly lose important permissions like sudo.
Q3: I’ve already set the permissions, so why can’t I enter the directory?
Directories require “execute permission (x)” to be entered (cd into). Having only read permission (r) allows listing the directory contents (ls), but you cannot actually enter it.
# If the directory is dr--r--r-- (no x)
ls directory/ # Can list contents, but...
cd directory/ # Error: Permission denied
# Correct setting: directories need x to be entered
chmod 755 directory/ # rwxr-xr-x, can be entered
chmod 711 directory/ # rwx--x--x, can be entered but contents cannot be listed
# Parent directories also need x permission
# For example, to access /home/benz/data/, every directory in the path needs x permission
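Added diagnostic (not part of the original article) for the last point: it walks an absolute path and prints the first directory whose mode lacks x for the single class (owner, group or others) that applies to the current user. It judges by mode bits only, so ACLs and root's override are ignored; function names are illustrative and GNU stat is assumed.

```sh
#!/bin/sh
# Added example, not from the original article. Needs GNU stat (stat -c).

# Print u, g or o: the one permission class that applies to the current
# user for path $1. Only the first match counts: an owner is judged by the
# owner bits even if the group or others bits are more permissive.
perm_class() {
    if [ "$(stat -c '%u' "$1")" = "$(id -u)" ]; then echo u
    elif id -G | tr ' ' '\n' | grep -qx "$(stat -c '%g' "$1")"; then echo g
    else echo o
    fi
}

# Succeed if directory $1 has the execute (search) bit for that class.
can_traverse() {
    mode=$(stat -c '%a' "$1")      # e.g. 755 or 2770; digits read as decimal
    case $(perm_class "$1") in
        u) digit=$(( mode / 100 % 10 )) ;;
        g) digit=$(( mode / 10 % 10 )) ;;
        o) digit=$(( mode % 10 )) ;;
    esac
    [ $(( digit % 2 )) -eq 1 ]     # x has value 1, so the digit must be odd
}

# Print the first directory on the way to absolute path $1 that cannot be
# traversed; print nothing if every existing directory on the path has x.
first_blocked_dir() {
    cur="" rest=${1#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        [ -d "$cur" ] || break     # reached a file or a missing component
        can_traverse "$cur" || { printf '%s\n' "$cur"; return 0; }
    done
    return 0
}

# Usage: pass an absolute path; defaults to the current directory.
first_blocked_dir "${1:-$PWD}"
```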