“Permission denied.” If you’ve used a shared server or tried to install software on Linux, you’ve seen it. Most engineers either panic, blindly throw sudo at everything, or ask someone else. None of those are good habits.
Permissions exist for a reason — especially on shared compute clusters and servers where one bad move can affect everyone. This lesson demystifies how Linux controls access to files and why it matters for your day-to-day engineering work.
The Filesystem Hierarchy
Linux doesn’t have drive letters (no C:\). Everything lives under one root: /. Every file and directory on the system — including mounted drives and USB devices — lives somewhere inside this tree.
Key directories you need to know:
/ Root of everything
├── home/ User home directories (/home/alice, /home/bob)
├── etc/ System-wide config files (don't break things here)
├── var/ Variable data — logs, databases, caches (/var/log)
├── tmp/ Temporary files, wiped on reboot
├── usr/ User-installed programs and libraries
├── bin/ Essential system binaries (ls, cp, bash, etc.)
├── opt/ Optional/third-party software installs
└── proc/ Virtual filesystem — live info about running processesTip: If you’re editing config for a service (like nginx, PostgreSQL, or SSH), look in /etc/. If you’re reading logs to debug why something failed, look in /var/log/.
Understanding Permissions
Run ls -l in any directory and you’ll see something like this:
ls -l
# -rwxr-xr-- 1 alice engineering 4096 Mar 10 run.sh
# drwxr-x--- 2 alice engineering 4096 Mar 10 results/The first column is the permission string:
- rwx r-x r--
│ │ │ └── Others: read only
│ │ └────── Group: read + execute
│ └────────── Owner: read + write + execute
└──────────── Type: - = file, d = directory, l = symlinkThree permission groups: Owner, Group, Others
Three permission bits: r (read), w (write), x (execute)
Changing Permissions with chmod
Symbolic mode:
chmod +x run.sh # Add execute permission for everyone
chmod u+w data.csv # Add write permission for the owner
chmod g-w shared.txt # Remove write permission from the group
chmod o-rwx private.key # Remove all permissions from othersOctal mode:
chmod 755 run.sh # rwxr-xr-x
chmod 644 data.csv # rw-r--r--
chmod 600 id_rsa # rw-------
chmod 700 secrets/ # rwx------The octal digits: read=4, write=2, execute=1. Add them up per group. 7 = 4+2+1 = rwx.
Ownership with chown and chgrp
sudo chown alice script.sh
sudo chown alice:engineering script.sh
sudo chgrp engineering results/Users, Groups, and sudo
whoami
id
groups
cat /etc/passwdsudo runs a command as root.
sudo apt install htop
sudo systemctl restart nginx
sudo cat /etc/shadowWarning: Never log in as root and work interactively. Never run your simulation as root. Use a normal user account and sudo for specific commands that need it.
Try It Yourself
Break and fix a script’s permissions:
- Create a file called
simulate.shwith the following content:#!/bin/bash echo "Simulation complete. Results: 42" - Try running it:
./simulate.sh— observe the error. - Check the permissions with
ls -l simulate.sh. - Add execute permission:
chmod +x simulate.sh. - Run it again:
./simulate.sh. - Remove read permission from others:
chmod o-r simulate.sh. - Check
ls -l simulate.shagain to see the change.
Hint
New files default to 644 (rw-r--r--) — not executable. chmod +x adds the execute bit so the shell can run the script directly.
Quick Quiz
A team member runs ls -l and sees -rw-r-----. Which of the following is true?
- A) Everyone can read the file.
- B) Owner can read and write; group members can read; others have no access.
- C) Only the owner can access the file.
- D) The file is executable by the group.
Answer
B) Owner can read and write; group members can read; others have no access. The permission string breaks down as: rw- (owner: read + write), r-- (group: read only), --- (others: no access).