The Script

Paste this into a file called permissions-audit.sh. It scans a target directory for world-writable files and saves a report when it finds them.

permissions-audit.sh
#!/bin/bash
# permissions-audit.sh — BashSnippets.xyz
# Audit and report dangerous file permissions

set -euo pipefail

CHECK="✓"
CROSS="✗"

SCAN_DIR="${1:-/var/www}"
DANGEROUS_PERMS="777"
REPORT_FILE="/tmp/perms-audit-$(date +%Y%m%d).txt"

echo "Scanning: $SCAN_DIR"
echo "Looking for world-writable files ($DANGEROUS_PERMS)..."
echo ""

# find exits non-zero on unreadable paths; "|| true" keeps set -e from aborting the audit
FOUND=$(find "$SCAN_DIR" -perm "$DANGEROUS_PERMS" -type f 2>/dev/null || true)

if [ -z "$FOUND" ]; then
  echo "$CHECK No $DANGEROUS_PERMS files found in $SCAN_DIR"
else
  echo "$CROSS DANGER: World-writable files found:"
  echo "$FOUND"
  echo "$FOUND" > "$REPORT_FILE"
  echo ""
  echo "Report saved to: $REPORT_FILE"
fi

echo ""
echo "--- Recommended Permissions ---"
echo "Files:       chmod 644 (rw-r--r--)"
echo "Directories: chmod 755 (rwxr-xr-x)"
echo "Executables: chmod 755 (rwxr-xr-x)"
echo "SSH keys:    chmod 600 (rw-------)"
echo "Private dirs: chmod 700 (rwx------)"

✓ What this script checks

find "$SCAN_DIR" -perm "$DANGEROUS_PERMS" -type f searches for files with exact 777 permissions. Those files are world-writable, which means any user or compromised process can overwrite them.

How to Use It

  1. chmod +x permissions-audit.sh
  2. ./permissions-audit.sh /var/www
  3. Review report at /tmp/perms-audit-[date].txt
  4. Fix flagged files: chmod 644 flagged-file.txt

terminal
chmod +x permissions-audit.sh
./permissions-audit.sh /var/www
chmod 644 flagged-file.txt

chmod Basics

Octal mode

Format: chmod [owner][group][other] file

terminal
chmod 644 file.txt   # owner rw, group r, other r
chmod 755 script.sh  # owner rwx, group rx, other rx
chmod 600 id_rsa     # owner rw, no one else

Symbolic mode

terminal
chmod u+x script.sh   # add execute for owner
chmod go-w file.txt   # remove write for group and other
chmod a+r file.txt    # add read for all (a = all)

Common Permission Patterns

Pattern     Octal  Use Case
rw-r--r--   644    Regular files, configs, web assets
rwxr-xr-x   755    Directories, executables, scripts
rw-------   600    SSH private keys, secrets
rwx------   700    Private directories
rw-rw-r--   664    Shared group files

Recursive Changes

Recursive permission changes are where people usually break deploys. Directories need the execute bit so users and processes can enter them.

terminal
chmod -R 755 /var/www/html    # Whole web root to 755 (also marks every file executable)
chmod -R 644 /var/www/html    # DON'T DO THIS — breaks directories
find /var/www/html -type f -exec chmod 644 {} \;   # Files only
find /var/www/html -type d -exec chmod 755 {} \;   # Dirs only

⚠ Never use chmod -R 777

chmod -R 777 makes everything world-writable. On a shared server or web host, that means anyone who can run code as another user can overwrite your files, plant backdoors, or break your app.

Auditing with find

find is the permission audit tool you already have installed. These searches help you spot dangerous files before they become incidents.

terminal
find / -perm 777 -type f 2>/dev/null       # All 777 files on system
find /var/www -perm -o+w -type f           # World-writable web files
find /home -perm 600 -name "*.key"         # Find SSH keys with correct perms
find / -perm -4000 -type f 2>/dev/null     # Find SUID files (security audit)
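
The searches above mix an exact match (-perm 777) with a bit match (-perm -o+w). The following added example, which is not part of the original page, runs both against a constructed fixture tree to show which files each one reports. The file names and the helper functions (make_fixture, exact_777, world_writable_files, unsafe_dirs) are illustrative, and the directory check for a missing sticky bit goes beyond the file-only searches shown here.

```bash
#!/bin/bash
# Added example: exact-mode vs. bit-mask matching in find.
# All file names below are constructed sample data.
set -eu

# Create a throwaway tree with known modes and print its path.
make_fixture() {
  dir=$(mktemp -d)
  mkdir "$dir/uploads" "$dir/tmp-sticky"
  touch "$dir/a-777.php" "$dir/b-666.log" "$dir/c-646.txt" "$dir/d-644.html"
  chmod 777 "$dir/a-777.php"
  chmod 666 "$dir/b-666.log"
  chmod 646 "$dir/c-646.txt"
  chmod 644 "$dir/d-644.html"
  chmod 777 "$dir/uploads"       # world-writable, no sticky bit
  chmod 1777 "$dir/tmp-sticky"   # world-writable with sticky bit, like /tmp
  echo "$dir"
}

# Exact match: mode must be exactly 777.
exact_777() { (cd "$1" && find . -type f -perm 777 | LC_ALL=C sort); }

# Bit match: other-write bit set, regardless of the remaining bits.
world_writable_files() { (cd "$1" && find . -type f -perm -o+w | LC_ALL=C sort); }

# World-writable directories where any user may delete others' files.
unsafe_dirs() { (cd "$1" && find . -type d -perm -o+w ! -perm -1000 | LC_ALL=C sort); }

main() {
  fixture=$(make_fixture)
  echo "exact 777:";       exact_777 "$fixture"
  echo "other-write bit:"; world_writable_files "$fixture"
  echo "unsafe dirs:";     unsafe_dirs "$fixture"
  rm -rf "$fixture"
}

main
```

The exact match reports one file, while the bit match also reports the 666 and 646 files that any user can overwrite.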

chown — Changing Ownership

Permissions decide what the owner, group, and everyone else can do. chown changes who the owner and group are.

terminal
chown user file.txt                 # change owner
chown user:group file.txt           # change owner and group
chown -R www-data:www-data /var/www # Fix web server ownership
chown --reference=ref.txt target.txt # Copy owner and group from another file

Security Rules

⚠ Permissions rules worth memorizing

Frequently Asked Questions

What is chmod 777 and why is it dangerous?

chmod 777 gives read, write, and execute permission to everyone — owner, group, and all other users. On a web server, this lets any process or user overwrite your files. Never use 777 in production.

What permissions should web files have in Linux?

Web files should be 644 (rw-r--r--) and directories should be 755 (rwxr-xr-x). This lets the web server read files without allowing other users to modify them.

What is the difference between chmod octal and symbolic mode?

Octal mode uses numbers: chmod 644 file. Symbolic mode uses letters: chmod u+x file. Octal is faster for setting exact permissions. Symbolic is better for adding or removing specific bits without changing others.

How do I find all world-writable files on my Linux server?

Run: find / -perm 777 -type f 2>/dev/null. This searches the entire filesystem for files that anyone can read, write, and execute. Pipe to a file for a report: find / -perm 777 -type f 2>/dev/null > audit.txt

What permissions should SSH private keys have?

SSH private keys must be chmod 600 (rw-------). If permissions are too open, SSH will refuse to use the key and show a warning: WARNING: UNPROTECTED PRIVATE KEY FILE!
