Level 1

Linux permissions chmod chown and umask deep guide

Maximilian B. 6 min read 3 views

Linux permissions decide who can read, change, or run each file. New technicians often learn chmod first, then get surprised by outages caused by wrong ownership or a bad umask. This guide explains how the model works and how to use chmod, chown, and umask safely on Debian 13.3, Ubuntu 24.04.3 LTS and 25.10, Fedora 43, RHEL 10.1, and RHEL 9.7.

How Linux evaluates permission bits

Every inode has an owner UID, a group GID, and permission bits. The kernel checks access in this order: owner bits, then group bits, then other bits. Each class has three flags: read (r), write (w), execute (x).

For files, r means read content, w means change content, and x means run the file as a program or script. For directories, meanings are different: r lists names, w creates/deletes/renames entries, and x lets you enter the directory and access files by name.

# Inspect ownership and mode
ls -l /etc/passwd
ls -ld /var/log

# Show numeric mode and owner/group in one line
stat -c '%n %a %U:%G' /etc/passwd /var/log

Special bits matter in production:

  • setuid (4xxx): executable runs with file owner identity.
  • setgid (2xxx): executable runs with file group; on directories, new files inherit directory group.
  • sticky (1xxx): in shared directories like /tmp, users cannot delete each other’s files.

Production consequence: if sticky bit is removed from a shared temp directory, one user can delete another service's temporary files and break workloads.

Using chmod without causing accidental outages

chmod changes mode bits only. It does not change owner or group. Use symbolic mode when you want clear intent, and numeric mode when you need exact reproducible settings.

# Symbolic: set exact policy for one config file
chmod u=rw,go= /etc/myapp/secret.env

# Numeric: common secure defaults
chmod 640 /etc/myapp/app.conf
chmod 750 /usr/local/bin/backup-rotate
chmod 755 /usr/local/bin/health-check

# Recursive, but safer than plain -R because X only sets execute where needed
chmod -R u=rwX,g=rX,o= /srv/internal-docs

Why X helps: it adds execute only on directories and files that already had execute. This avoids turning text files into executable files by mistake.

Avoid blanket commands like chmod -R 777. They hide design mistakes and remove privilege boundaries. If a web app needs write access, grant write only to the specific runtime directories and only to the service account group.

# Good pattern for web uploads
sudo install -d -m 2770 -o root -g www-data /var/www/app/uploads
# setgid (2) keeps group ownership consistent for new files

Production consequence: too-open modes on secrets (.env, key files, backups) often lead to credential leaks during low-privilege compromise.

Using chown and chgrp to align ownership with services

chown changes owner and optionally group. chgrp changes group only. Only root (or a process with CAP_CHOWN) can arbitrarily change file owners. Correct ownership is required for daemons, logs, sockets, and deployment directories.

# Find service users (names differ by distro and package)
getent passwd www-data
getent passwd apache

# Set deployment tree ownership for an app account
sudo chown -R appsvc:appsvc /opt/inventory-app

# Fix group for shared operations scripts
sudo chgrp -R ops /srv/ops-scripts
sudo chmod -R g+rX /srv/ops-scripts

Be careful with symlinks. Recursive ownership changes can follow links depending on flags and tools. Review with find before large recursive operations.

# Preview before changing ownership at scale
find /opt/inventory-app -xdev -printf '%M %u:%g %p\n' | head -n 20

# Safer change: only where current owner matches expected old owner
sudo chown -R --from=deploy:deploy appsvc:appsvc /opt/inventory-app

Production consequence: wrong ownership on ~/.ssh or private keys blocks SSH login. Wrong ownership on app runtime directories can cause "permission denied" loops after deployment.

How umask controls default modes

umask is a mask applied when files or directories are created. Base defaults are usually 666 for files and 777 for directories, then mask bits are removed. Example: umask 027 gives new files 640 and new directories 750.

# Check current shell umask
umask
umask -S

# Temporary test in current shell
umask 027
touch sample.txt
mkdir sample-dir
ls -ld sample.txt sample-dir

Common masks:

  • 022: owner can write; group/others read.
  • 002: collaborative groups can write.
  • 027: tighter default, blocks "other" access.

Set umask at the right layer. Interactive shell defaults may come from /etc/profile, user shell files, or PAM (pam_umask, /etc/login.defs). For services, set it in systemd unit files, not only in shell profiles.

# /etc/systemd/system/inventory.service.d/permissions.conf
[Service]
UMask=0027

After editing systemd drop-ins, run systemctl daemon-reload and restart the service. Without this, your new mask is ignored.

Production consequence: teams often think group write is enabled, but service processes still create root-owned 600 files because unit-level UMask was not configured.

Distribution compatibility notes (2026 baseline)

Core permission behavior comes from the Linux kernel and GNU coreutils, so commands are portable. Differences are mostly package defaults and security layers.

Distribution Service account pattern Permission troubleshooting note
Debian 13.3 Web services commonly run as www-data Verify shell/PAM umask sources when defaults look inconsistent.
Ubuntu 24.04.3 LTS / 25.10 Often www-data for web stack packages Cloud images can mix sudo workflows with service-specific runtime users.
Fedora 43 Apache service user is usually apache If UNIX mode looks correct, check SELinux context next.
RHEL 10.1 Enterprise service accounts and stricter hardening defaults Use same permission commands as Fedora; include SELinux checks in runbooks.
RHEL 9.7 Same ownership model as RHEL 10.1 Operational procedures for chmod, chown, and umask are directly compatible with RHEL 10.1.

Fast checklist for "permission denied" incidents

When a service fails with permission errors, do not guess. Check each layer in order.

# 1) Who is the process user?
ps -o user,group,cmd -C nginx -C httpd -C php-fpm

# 2) Can that user traverse each directory in the path?
namei -l /var/www/app/storage/cache

# 3) Do mode and ownership match expectation?
stat -c '%A %a %U:%G %n' /var/www/app/storage /var/www/app/storage/cache

# 4) Are ACLs overriding simple mode bits?
getfacl /var/www/app/storage/cache

# 5) On Fedora/RHEL, is SELinux blocking access?
sestatus
ls -Z /var/www/app/storage/cache

For beginners, this checklist prevents random permission changes. For operators, it shortens outage time because each check removes one failure domain quickly.

Summary

chmod sets what is allowed, chown/chgrp define who owns resources, and umask controls defaults for newly created files. Use narrow permissions, match ownership to real service users, and set UMask in systemd units for production processes. Those habits work the same on Debian 13.3, Ubuntu 24.04.3 LTS and 25.10, Fedora 43, RHEL 10.1, and RHEL 9.7.

Sysadmin linux permissions chmod chown umask
Share this article
X / Twitter LinkedIn Reddit
Related Articles

Continue Reading

Viewing and editing text with less nano and vim
Level 1

Viewing and editing text with less nano and vim

Learn when to use less, nano, and vim on Linux systems, with safe workflows for reading logs,...

5 min
User and group administration passwd shadow and sudo
Level 1

User and group administration passwd shadow and sudo

Learn how /etc/passwd, /etc/shadow, Linux groups, and sudo work together, with practical commands...

6 min
Troubleshoot network issues with ss ip ping and tracepath
Level 1

Troubleshoot network issues with ss ip ping and tracepath

Learn a practical Linux network troubleshooting flow with ss, ip, ping, and tracepath, including...

5 min