Linux Group Permission Management Guide: chmod, chown, and Group Configuration

2024/01/18

In Linux, Group Permissions are the foundation of multi-user collaboration and system security. Understanding the three identities – owner, group, and others – and mastering the chmod, chown, and chgrp commands along with the complete group management workflow is an essential skill for every Linux user.

Linux Permission Basics

Linux enforces access control on every file and directory through one fixed scheme: three identities, each of which is granted some combination of three permissions.

Three Identities

Identity   Description                                                                              Symbol
Owner      The user who owns the file (usually the one who created it); has the widest rights over it   u (user)
Group      The group assigned to the file (by default the owner's primary group); every member of it gets the group permissions   g (group)
Others     Every other user, i.e. neither the owner nor a member of the file's group               o (others)

Three Permissions

Permission   Symbol   Value   Meaning for files                        Meaning for directories
Read         r        4       Can read the file's contents             Can list the directory's entries (ls)
Write        w        2       Can modify or delete the file            Can create or delete files in the directory
Execute      x        1       Can run the file (script or program)     Can enter the directory (cd)

Reading ls -l Output

$ ls -l my_file.txt
-rw-r--r-- 1 benz developers 1024 Jan 18 10:00 my_file.txt

Column-by-column breakdown:

-  rw-  r--  r--  1  benz  developers  1024  Jan 18 10:00  my_file.txt
|   |    |    |   |    |       |          |
|   |    |    |   |    |       |          └── File size (bytes)
|   |    |    |   |    |       └──────────── Group name
|   |    |    |   |    └──────────────────── Owner name
|   |    |    |   └───────────────────────── Number of hard links
|   |    |    └───────────────────────────── others permissions
|   |    └────────────────────────────────── group permissions
|   └─────────────────────────────────────── owner permissions
└─────────────────────────────────────────── File type (- is a regular file, d is a directory)

Numeric Notation

Permissions can be represented numerically by adding up the values of the three permissions:

Number   Permission combination   Symbol   Description
7        4+2+1                    rwx      Read + write + execute (full permissions)
6        4+2                      rw-      Read + write (common for regular files)
5        4+1                      r-x      Read + execute
4        4                        r--      Read only
0        0                        ---      No permissions

Three digits represent the three identities:

755 = rwx r-x r-x
      |   |   └── others: can read, can execute (cannot write)
      |   └────── group: can read, can execute (cannot write)
      └────────── owner: can read, can write, can execute (full permissions)

644 = rw- r-- r--
      |   |   └── others: read only
      |   └────── group: read only
      └────────── owner: can read, can write (cannot execute)
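The two notations map onto each other mechanically, so here is an added example (written for this article, not code from the original post) that performs the conversion in plain POSIX sh. It goes one step beyond the tables above: it also understands the leading special-bit digit (setuid 4, setgid 2, sticky 1) and the s/t letters that digit produces in ls -l, so it can turn a column such as drwxrws--- back into 2770. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: convert between the numeric
# and symbolic permission notations. Handles the optional special-bits digit
# (setuid/setgid/sticky) and the 10-character first column of `ls -l`.

# Print the rwx string for one octal digit. $2 is the letter to use in the
# x position when the special bit is set (s or t); $3 is 1 if it is set.
digit_to_rwx() {
    d=$1 letter=$2 special=$3
    r='-'; w='-'; x='-'
    [ $(( d & 4 )) -ne 0 ] && r='r'
    [ $(( d & 2 )) -ne 0 ] && w='w'
    [ $(( d & 1 )) -ne 0 ] && x='x'
    if [ "$special" -eq 1 ]; then
        # lower case = special bit plus execute, upper case = special bit without execute
        if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr 'st' 'ST'); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic 755  -> rwxr-xr-x
# mode_to_symbolic 2770 -> rwxrws---
mode_to_symbolic() {
    m=$1 sp=0
    case "$m" in
        [0-7][0-7][0-7][0-7]) sp=${m%???}; m=${m#?} ;;   # split off the special-bits digit
        [0-7][0-7][0-7]) ;;
        *) echo "mode_to_symbolic: '$1' is not an octal mode" >&2; return 1 ;;
    esac
    u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
    printf '%s%s%s\n' \
        "$(digit_to_rwx "$u" s $(( (sp & 4) != 0 )))" \
        "$(digit_to_rwx "$g" s $(( (sp & 2) != 0 )))" \
        "$(digit_to_rwx "$o" t $(( (sp & 1) != 0 )))"
}

# rwx_to_digit r-x -> 5   (s and t count as execute, S and T do not)
rwx_to_digit() {
    s=$1 n=0
    case "${s%??}" in r) n=$(( n + 4 )) ;; esac
    mid=${s#?}; case "${mid%?}" in w) n=$(( n + 2 )) ;; esac
    case "${s#??}" in x|s|t) n=$(( n + 1 )) ;; esac
    printf '%s' "$n"
}

# symbolic_to_mode rwxr-xr-x  -> 755
# symbolic_to_mode drwxrws--- -> 2770   (leading file-type character is accepted and ignored)
symbolic_to_mode() {
    s=$1
    case "$s" in
        [-dlcbps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) s=${s#?} ;;
        [-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "symbolic_to_mode: '$1' is not a permission string" >&2; return 1 ;;
    esac
    u=${s%??????}; g=${s#???}; g=${g%???}; o=${s#??????}
    sp=0
    case "${u#??}" in s|S) sp=$(( sp + 4 )) ;; esac
    case "${g#??}" in s|S) sp=$(( sp + 2 )) ;; esac
    case "${o#??}" in t|T) sp=$(( sp + 1 )) ;; esac
    [ "$sp" -ne 0 ] && printf '%s' "$sp"
    printf '%s%s%s\n' "$(rwx_to_digit "$u")" "$(rwx_to_digit "$g")" "$(rwx_to_digit "$o")"
}

# Demo: round-trip the modes used in this article
for m in 755 644 600 2770; do
    sym=$(mode_to_symbolic "$m")
    printf '%s -> %s -> %s\n' "$m" "$sym" "$(symbolic_to_mode "$sym")"
done
```

Because symbolic_to_mode accepts the raw first column of ls -l, it can be piped the output of `ls -l | awk '{print $1}'` to get octal modes for a whole directory; on a GNU system `stat -c '%a'` gives the same answer directly.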

Complete chmod Command Usage

chmod (change mode) is used to modify the access permissions of files or directories.

Numeric Mode

# Give the owner full permissions on a script; group and others can only read and execute
chmod 755 script.sh
# -rwxr-xr-x

# Standard setting for regular files: owner can read/write, others can only read
chmod 644 document.txt
# -rw-r--r--

# Only the owner can read and write (commonly used for private config files)
chmod 600 ~/.ssh/id_rsa
# -rw-------

# Directories are usually set to 755 so others can enter them
chmod 755 /var/www/html

# Recursively modify an entire directory and all its contents
chmod -R 755 /var/www/html

Symbolic Mode

Symbolic mode is more intuitive and is well-suited for modifying a specific permission for a particular identity:

# u=owner, g=group, o=others, a=all (all three)
# +=add, -=remove, ==set (full override)

# Add execute permission for the owner
chmod u+x script.sh

# Remove write permission for the group
chmod g-w file.txt

# Set others' permissions to read only (full override)
chmod o=r file.txt

# Add read permission for everyone
chmod a+r document.txt

# Set permissions for multiple identities at once
chmod u=rw,g=r,o=r document.txt
# Equivalent to chmod 644 document.txt

# Recursive modification (symbolic mode also supports -R)
chmod -R g+rw /home/benz/shared/

chown Command

chown (change owner) is used to modify the owner of a file or directory, and can also change the group at the same time.

# Check the current owner
ls -l file.txt

# Change the owner (requires root or sudo privileges)
sudo chown benz file.txt

# Change both owner and group (format: owner:group)
sudo chown benz:developers file.txt

# Change only the group (keep the owner unchanged): leave the part before the colon empty
sudo chown :developers file.txt

# Recursively modify an entire directory
sudo chown -R benz:developers /home/benz/projects/

# Practical example: fix web server file permissions
sudo chown -R www-data:www-data /var/www/html/

chgrp Command

chgrp (change group) is used to change only the group of a file or directory:

# Change the group of a single file
sudo chgrp developers file.txt

# Change the group of a directory and all its contents
sudo chgrp -R developers /home/benz/projects/

# Verify the result
ls -l file.txt
# -rw-r--r-- 1 benz developers 1024 Jan 18 10:00 file.txt

Group Management Commands

Viewing Group Information

# View all groups the current user belongs to
groups

# View groups for a specific user
groups benz

# View detailed user and group ID information
id

# View all groups on the system (format: group_name:password:GID:member_list)
cat /etc/group

# Search for a specific group
grep "developers" /etc/group
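A caveat when reading /etc/group: its fourth field lists only supplementary members. A user whose primary group (the GID field in /etc/passwd) is developers does not appear there, so grep "developers" /etc/group can miss real members. The helper below is an added example (mine, not from the article); it assumes getent and standard awk/cut, and combines both sources so that getent-backed groups (LDAP, SSSD) are covered as well as the local file:

```shell
#!/bin/sh
# Added example, not from the original article: resolve the full membership
# of a group, i.e. supplementary members from the group entry plus every user
# whose primary GID is this group.

# group_members NAME -> one user name per line, sorted, no duplicates
group_members() {
    name=$1
    entry=$(getent group "$name") || { echo "group_members: no such group '$name'" >&2; return 1; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    members=$(printf '%s\n' "$entry" | cut -d: -f4)
    {
        # supplementary members: comma-separated fourth field of the group entry
        printf '%s\n' "$members" | tr ',' '\n'
        # primary members: every passwd entry whose GID field equals this group's GID
        getent passwd | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sed '/^$/d' | sort -u
}

# is_member USER GROUP -> exit status 0 if USER belongs to GROUP by either route
is_member() {
    group_members "$2" | grep -qx -- "$1"
}

# Demo: the current user is always a member of their own primary group
me=$(id -un); mygrp=$(id -gn)
printf 'members of %s:\n' "$mygrp"
group_members "$mygrp"
is_member "$me" "$mygrp" && printf '%s is in %s\n' "$me" "$mygrp"
```

Note that even this answer is about the account database, not about a running session: a user added with usermod -aG keeps their old group list until they log in again, which is the point the note after newgrp below makes.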

Creating and Managing Groups

# Create a new group
sudo groupadd developers

# Create a group with a specific GID
sudo groupadd -g 1050 developers

# Add a user to a group (-a makes -G append to the existing supplementary groups instead of replacing them)
sudo usermod -aG developers benz
sudo usermod -aG docker benz

# Remove a user from a group
sudo gpasswd -d benz developers

# Delete a group
sudo groupdel developers

# Note: after modifying groups, the user needs to log out and log back in (or run newgrp) for changes to take effect
newgrp developers

Practical Examples

Example 1: Team Shared Directory Setup

Suppose you have a development team whose members need to share the /srv/project directory:

# 1. Create the group
sudo groupadd dev-team

# 2. Add members to the group
sudo usermod -aG dev-team alice
sudo usermod -aG dev-team bob
sudo usermod -aG dev-team charlie

# 3. Create the shared directory and set owner and group
sudo mkdir -p /srv/project
sudo chown root:dev-team /srv/project

# 4. Set permissions: owner has full access, group can read/write, others have no access
sudo chmod 770 /srv/project

# 5. Set the setgid bit: ensures new files created in this directory automatically belong to dev-team
sudo chmod g+s /srv/project

# Verify the configuration
ls -ld /srv/project
# drwxrws--- 2 root dev-team 4096 Jan 18 10:00 /srv/project

Example 2: Web Server File Permission Setup

# Standard permission setup for Nginx / Apache web root directory
# The web server process (www-data) needs to read all files but should not have write access

# Set the directory owner to your account and the group to www-data
sudo chown -R benz:www-data /var/www/html/mysite

# Directories: owner has full access, group and others can only read and enter
find /var/www/html/mysite -type d -exec chmod 755 {} \;

# Regular files: owner can read/write, group and others can only read
find /var/www/html/mysite -type f -exec chmod 644 {} \;

# If there are directories that need PHP write access (e.g., upload directories), grant group write permission
sudo chmod 775 /var/www/html/mysite/uploads
sudo chown www-data:www-data /var/www/html/mysite/uploads

Example 3: Protecting Sensitive Configuration Files

# SSH private key: only the owner can read and write; no access for anyone else
chmod 600 ~/.ssh/id_rsa
# -rw-------

# SSH public key: others can read
chmod 644 ~/.ssh/id_rsa.pub

# .env config file (contains sensitive information like database passwords): only the owner can read/write
chmod 600 .env

# The entire .ssh directory should only be accessible by the owner
chmod 700 ~/.ssh

# If the SSH private key permissions are incorrect, SSH login will fail with an error:
# "Permissions 0644 for '/home/benz/.ssh/id_rsa' are too open."
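Examples 2 and 3 both come down to "nobody but the owner may write". The following added example (mine, not the article's; assumes GNU find and stat) turns that into two read-only checks a practitioner can run from cron or CI: one lists anything under a web root that the group or others can write, the other reproduces the test OpenSSH applies before it rejects a key with the "too open" message quoted above.

```shell
#!/bin/sh
# Added example, not from the original article: report-only permission checks
# for a web root (Example 2) and for ~/.ssh (Example 3). Nothing here changes
# permissions.

# find_writable_by_group_or_others DIR [extra find expressions]
#   Lists entries where the group or others have the write bit, i.e. where the
#   "web server reads but never writes" rule is broken. Example 2 makes uploads/
#   group-writable on purpose, so callers can exclude it, e.g.
#   find_writable_by_group_or_others /var/www/html/mysite -not -path '*/uploads*'
find_writable_by_group_or_others() {
    dir=$1; shift
    # -perm /022: either the group-write (020) or the others-write (002) bit is set
    find "$dir" -perm /022 "$@" -printf '%m %u:%g %p\n' | sort -k3
}

# check_private_key FILE
#   Passes only if FILE is owned by the caller and has no group/other bits (0600 or 0400),
#   which is what sshd/ssh require before they will use a private key.
check_private_key() {
    f=$1
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: permissions 0$mode are too open (expected 0600)"; return 1 ;;
    esac
    [ "$owner" = "$(id -un)" ] || { echo "$f: owned by $owner, not $(id -un)"; return 1; }
    echo "$f: ok"
}

# check_ssh_dir [DIR]
#   The directory itself must be 700; every id_* file that is not a .pub must pass check_private_key.
check_ssh_dir() {
    d=${1:-$HOME/.ssh} rc=0
    [ "$(stat -c '%a' "$d")" = 700 ] || { echo "$d: mode $(stat -c '%a' "$d"), expected 700"; rc=1; }
    for k in "$d"/id_*; do
        [ -e "$k" ] || continue          # no id_* files at all
        case "$k" in *.pub) continue ;; esac
        check_private_key "$k" || rc=1
    done
    return "$rc"
}

# Usage as a script: ./perm_check.sh /var/www/html/mysite
if [ -n "${1:-}" ]; then
    find_writable_by_group_or_others "$1"
    [ -d "$HOME/.ssh" ] && check_ssh_dir
fi
```

The web-root check deliberately reports rather than fixes; running the two find -exec chmod lines from Example 2 blindly over a tree that also contains a deliberately writable uploads/ directory would undo that exception, so review the report first.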

Frequently Asked Questions (FAQ)

Q1: When should 755 and 644 be used?

These are the two most common permission settings:

  • 755 (rwxr-xr-x): Suitable for directories and executable scripts. The owner has full control; group and others can enter directories and execute scripts but cannot modify contents.
  • 644 (rw-r--r--): Suitable for regular files (HTML, CSS, images, config files, etc.). The owner can read and write; group and others can only read.

Q2: What is the difference between usermod -aG and usermod -G? Do I always need to include -a?

This difference is very important – make sure to remember it:

# Dangerous! -G will "replace" all of the user's groups
sudo usermod -G developers benz
# If benz was originally in the sudo and docker groups, they will all be removed!
# benz will only have developers as a supplementary group

# Correct! -aG "appends" to the groups without affecting existing ones
sudo usermod -aG developers benz
# benz's original sudo and docker groups are preserved, and developers is added

So always include the -a flag; otherwise the user may suddenly lose membership in important groups such as sudo.

Q3: I’ve already set the permissions, so why can’t I enter the directory?

Directories require “execute permission (x)” to be entered (cd into). Having only read permission (r) allows listing the directory contents (ls), but you cannot actually enter it.

# If the directory is dr--r--r-- (no x)
ls directory/   # Can list contents, but...
cd directory/   # Error: Permission denied

# Correct setting: directories need x to be entered
chmod 755 directory/   # rwxr-xr-x, can be entered
chmod 711 directory/   # rwx--x--x, can be entered but contents cannot be listed

# Parent directories also need x permission
# For example, to access /home/benz/data/, every directory in the path needs x permission
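Because every directory on the way needs x, the one that is missing it is often not the directory you just chmod'ed. The added example below (my code, not the article's; assumes GNU stat and id -Gn) walks the path and names the first directory the current user cannot enter. It decides from the mode bits and the caller's identity in the same order the kernel uses (owner, then group, then others) instead of trying cd, so it reports the bits that are actually wrong even when run as root, who would otherwise pass the cd test regardless.

```shell
#!/bin/sh
# Added example, not from the original article: find which directory on a
# path lacks the execute (enter) bit for the current user.

# has_x_on DIR -> exit 0 if the identity that applies to the caller has x on DIR
has_x_on() {
    d=$1
    set -- $(stat -c '%A %U %G' "$d")      # e.g. "drwxr-x--- benz dev-team"
    perms=$1 owner=$2 group=$3
    me=$(id -un)
    if [ "$owner" = "$me" ]; then
        bits=${perms#?}; bits=${bits%??????}        # owner triplet
    elif id -Gn | tr ' ' '\n' | grep -qx -- "$group"; then
        bits=${perms#????}; bits=${bits%???}        # group triplet
    else
        bits=${perms#???????}                       # others triplet
    fi
    case "${bits#??}" in x|s|t) return 0 ;; esac    # s/t imply x; S/T do not
    return 1
}

# first_blocking_dir PATH
#   Prints the first directory on PATH (including PATH itself if it is a directory)
#   without x for the caller and returns 1; prints nothing and returns 0 if the
#   whole chain is enterable.
first_blocking_dir() {
    case "$1" in /*) p=$1 ;; *) p=$PWD/$1 ;; esac
    old_ifs=$IFS; IFS=/
    set -- $p                     # split into components; empty ones come from leading or doubled slashes
    IFS=$old_ifs
    cur=''
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        [ -d "$cur" ] || break    # reached the file itself (or a component that does not exist)
        if ! has_x_on "$cur"; then
            printf '%s\n' "$cur"
            return 1
        fi
    done
    return 0
}

# Usage as a script: ./path_check.sh /home/benz/data
if [ -n "${1:-}" ]; then
    if blocker=$(first_blocking_dir "$1"); then
        echo "every directory on the way to $1 can be entered by $(id -un)"
    else
        echo "$(id -un) cannot enter $blocker: it has no x bit for the identity that applies"
    fi
fi
```

The usual fix is the one the FAQ gives (chmod 755, or 711 when the contents should stay unlistable), applied to the directory the script names rather than to the target.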


BenZ Software Developer

Software developer passionate about technology. Sharing programming experiences and learning notes.