Unix file permissions cheatsheet

• What permission do I need to access a path a/b/c, where c is not a directory?
  • +x on every directory in the path, and whatever relevant permissions on c (+r to read it, +w to write to it, etc.)
  • If a/b/c is a relative path, then also +x on the implicit current directory.
  • (All following examples assume these basic permissions.)
• …to list a directory's contents?
  • +r on the directory
• …to change into a directory?
  • +x on the directory
• …to create a new file in a directory?
  • +wx on the directory
• …to remove a file from a directory?
  • +wx on the directory
• …to rename a file?
  • +wx on the directory
• …to move a file to another directory?
  • The short answer is +wx on both the directory of the source file and the target directory.
  • For the long answer, see my previous blog post.
• …to copy a file from one directory to another?
  • +x on the source directory, +wx on the target directory, and +r on the file
• Who can change a file's permissions?
  • Only the file's owner (or the super-user).
• Who can change a file's owner?
  • Only the super-user.
• Who can change a file's group?
  • Only the file's owner, and only to a group that they belong to (or the super-user can change it to any group).
• How do I deny access to a directory?
  • chmod 700 dir
• How do I make a directory world-readable but writable only by me?
  • chmod 755 dir
• How do I make a file world-readable but writable only by me?
  • chmod 644 file, or chmod 755 file if it should also be executable
• What user and group does a process run as?
  • The same user and primary group as the parent process (e.g., the shell) – unless the setuid bit is set on the process's executable file, in which case it runs instead as the executable file's owner. Likewise for the setgid bit and the executable file's group.
• What is the owner and group of a newly-created file?
  • The owner is the effective user ID of the process that created it.
  • The group is either the group ID of the parent directory (macOS and Linux when the parent's setgid bit is set) or the effective group ID of the process (Linux when the parent's setgid bit is not set).
• What are the default permissions of a newly-created file?
  • Typically, 644 for files and 755 for directories.
  • The full answer is "the explicit permissions passed to open(2), with any bits that are set to 1 in the process's umask set to 0."
  • Standard libraries set the permissions to 666 for regular files (e.g., Rust, Python) and 777 for directories, and the umask is typically 022.
• What is the sticky bit?
  • When set on a directory, the sticky bit enforces that files can only be renamed or removed by the owner of the file or the owner of the directory.
  • The sticky bit is commonly set on shared directories like /tmp.

Appendix: Numeric permission codes

Unix file permissions are commonly expressed as octal numeric strings like 755 and 644. The first digit is the permissions for the file's owner, the second for anyone in the file's group, and the third for anyone else.

You can interpret the whole string by considering each digit on its own. The trick is to remember that the order of the bits is rwx (read-write-execute) – familiar from the output of ls -l.

• The execute bit is in the 1's place, so it has a value of 1.
• The write bit is in the 2's place (binary), so it has a value of 2.
• The read bit is in the 4's place, so it has a value of 4.

Some examples:

• 6 = 4 + 2 = read + write
• 7 = 4 + 2 + 1 = read + write + execute
• 5 = 4 + 1 = read + execute

Further reading

• What file permissions does mv need?
• Whether you can access a path depends on how you name it
• Chapter 4 of Advanced Programming in the Unix Environment ∎