File Permissions Quick Guide for macOS¶
Published: February 14, 2026 · Last edited: February 24, 2026
A practical guide to understanding and using chmod, chown, and chgrp without the overwhelm.
The 30-Second Version¶
# Make file executable
chmod +x script.sh
# Make file private (only you can read/write)
chmod 600 private-file.txt
# Fix "permission denied" on your own files
sudo chown -R $(whoami) /path/to/folder
# That's 90% of what you'll ever need.
Understanding File Permissions (The Basics)¶
Every file has:¶
- Owner - One user who owns it (usually you)
- Group - One group that has access (usually "staff" on macOS)
- Permissions - What each can do (read, write, execute)
Check permissions:¶
ls -l myfile.txt
# Output:
-rw-r--r-- 1 username staff 1234 Feb 14 10:30 myfile.txt
│││││││││ │ │ │ │ │
│││││││││ │ │ │ │ └─ filename
│││││││││ │ │ │ └─────── size
│││││││││ │ │ └────────────── group
│││││││││ │ └──────────────────────── owner
│││││││││ └─────────────────────────── number of links
│││││││││
│││└┴┴───── permissions for "others" (everyone else)
││└────────── permissions for "group"
│└─────────── permissions for "owner" (you)
└──────────── file type (- = file, d = directory, l = link)
Permission Letters:¶
- r = read (view the file)
- w = write (modify the file)
- x = execute (run the file as a program)
- - = no permission
chmod - Change Permissions¶
The Easy Way (Symbolic Mode)¶
Who:
- u = user (owner)
- g = group
- o = others (everyone else)
- a = all (everyone)
What:
- + = add permission
- - = remove permission
- = = set exactly this permission
Permission:
- r = read
- w = write
- x = execute
Common chmod Commands¶
# Make a script executable
chmod +x script.sh
# or more explicitly:
chmod u+x script.sh
# Make file readable by everyone
chmod a+r document.txt
# Remove write permission from group and others (make it private)
chmod go-w private.txt
# Make directory and all contents private (only you can access)
chmod -R 700 ~/my-private-folder
# Make a file completely public (everyone can read)
chmod a+r public-file.txt
# Remove all permissions for others
chmod o-rwx secret-file.txt
# Give group read and execute, but not write
chmod g+rx,g-w shared-folder
The Number Way (Octal Mode)¶
Each permission is a number: - Read (r) = 4 - Write (w) = 2 - Execute (x) = 1 - None = 0
Add them up for each group:
7 = 4+2+1 = rwx (read, write, execute)
6 = 4+2 = rw- (read, write)
5 = 4+1 = r-x (read, execute)
4 = 4 = r-- (read only)
3 = 2+1 = -wx (write, execute - rare)
2 = 2 = -w- (write only - rare)
1 = 1 = --x (execute only - rare)
0 = 0 = --- (no permissions)
Three digits: Owner | Group | Others
chmod 755 script.sh
│││
││└─ Others: 5 (r-x) can read and execute
│└── Group: 5 (r-x) can read and execute
└─── Owner: 7 (rwx) can read, write, and execute
Most Common Permission Numbers¶
# Files you want to keep private
chmod 600 file.txt # rw------- (only you can read/write)
chmod 400 readonly.txt # r-------- (only you can read, can't modify)
# Files you want to share
chmod 644 public-doc.txt # rw-r--r-- (you can edit, others can read)
chmod 444 readonly.txt # r--r--r-- (everyone can read, nobody can write)
# Scripts and executables
chmod 700 my-script.sh # rwx------ (only you can run it)
chmod 755 shared-script.sh # rwxr-xr-x (everyone can run, only you can edit)
# Directories
chmod 700 private-dir # rwx------ (only you can access)
chmod 755 public-dir # rwxr-xr-x (everyone can browse, only you can add files)
chmod 775 shared-dir # rwxrwxr-x (you and group can add files, others browse)
Recursive Operations¶
# Apply to directory and everything inside
chmod -R 755 ~/my-project
# Be careful! This affects ALL files and subdirectories
chown - Change Owner¶
Basic Usage¶
# Change owner
chown newowner file.txt
# Change owner and group at once
chown newowner:newgroup file.txt
# Recursive (directory and all contents)
chown -R username folder/
Common chown Scenarios¶
# Take ownership of your own files (common after sudo operations)
sudo chown $(whoami) file.txt
# Take ownership of entire directory
sudo chown -R $(whoami) ~/project
# Change owner and group together
sudo chown username:staff file.txt
# Change ownership of a web directory (common for server setups)
sudo chown -R www-data:www-data /var/www/html
Why You Need Sudo¶
# This FAILS (can't give away files you don't own)
chown someone-else myfile.txt
# This WORKS (admin privileges)
sudo chown someone-else myfile.txt
Important: On macOS, you typically need sudo to change ownership, even of your own files.
chgrp - Change Group¶
Basic Usage¶
Common Groups on macOS¶
staff- Default group for regular userswheel- Administratorsadmin- Administrative accesseveryone- All users
Common chgrp Scenarios¶
# Change to staff group (most common on macOS)
chgrp staff file.txt
# Share with admin group
sudo chgrp admin shared-folder
sudo chmod g+rw shared-folder
# Recursive group change
chgrp -R staff ~/Documents
Real-World Scenarios¶
Scenario 1: "I can't edit my own file!"¶
Problem:
ls -l myfile.txt
-r--r--r-- 1 root wheel 1234 Feb 14 10:30 myfile.txt
# ↑ ↑
# owned by root, not you
Solution:
Scenario 2: "Permission denied when running script"¶
Problem:
Solution:
Scenario 3: "Can't access folder I created with sudo"¶
Problem:
Solution:
# Fix ownership of the folder
sudo chown -R $(whoami) important-folder
# Now you can access it
cd important-folder
Scenario 4: "Want to share folder with team"¶
Problem:
Solution:
# Change group to team's group
sudo chgrp -R teamname shared-folder
# Give group read/write/execute
chmod -R 775 shared-folder
# Now team can access
Scenario 5: "Downloaded script won't run"¶
Problem:
Solution:
# Make executable
chmod +x downloaded-script.sh
# Verify
ls -l downloaded-script.sh
-rwxr-xr-x 1 you staff ... downloaded-script.sh
Scenario 6: "Need to protect sensitive file"¶
Problem:
Solution:
# Make it private (only you can read/write)
chmod 600 ~/.ssh/id_rsa
chmod 600 secrets.txt
# Verify
ls -l secrets.txt
-rw------- 1 you staff ... secrets.txt
Quick Reference Cheat Sheet¶
Permission Numbers Guide¶
Number Binary Permissions Use Case
------ ------ ----------- --------
0 000 --- No access
1 001 --x Execute only (rare)
2 010 -w- Write only (rare)
3 011 -wx Write + Execute (rare)
4 100 r-- Read only
5 101 r-x Read + Execute (scripts, dirs)
6 110 rw- Read + Write (files)
7 111 rwx Full access (owner on dirs)
Common Permission Patterns¶
# Private Files
600 -rw------- Your eyes only (passwords, SSH keys)
400 -r-------- Read-only for you (protected configs)
# Shared Files
644 -rw-r--r-- You edit, others read (documents)
664 -rw-rw-r-- You and group edit, others read
# Executable Files
700 -rwx------ Only you can run (private scripts)
755 -rwxr-xr-x Everyone can run, you can edit (public scripts)
775 -rwxrwxr-x You and group can edit/run
# Directories
700 drwx------ Private folder
755 drwxr-xr-x Public folder (websites, shared code)
775 drwxrwxr-x Collaborative folder (team workspace)
One-Line Fixes¶
# "I can't run this script"
chmod +x script.sh
# "Permission denied on my own files"
sudo chown -R $(whoami) .
# "Want to keep this file private"
chmod 600 secrets.txt
# "Share this folder with my group"
chmod -R 775 shared-folder && sudo chgrp -R staff shared-folder
# "SSH key permissions are wrong"
chmod 600 ~/.ssh/id_rsa && chmod 644 ~/.ssh/id_rsa.pub
# "Fix permissions on entire project"
find ~/project -type d -exec chmod 755 {} \; && find ~/project -type f -exec chmod 644 {} \;
Understanding the Numbers (Visual Guide)¶
chmod 754 myfile.txt
7 = 4 + 2 + 1 = Read + Write + Execute = rwx (Owner)
5 = 4 + 0 + 1 = Read + - + Execute = r-x (Group)
4 = 4 + 0 + 0 = Read + - + - = r-- (Others)
Result: -rwxr-xr--
Safety Tips¶
Before Changing Permissions¶
# Always check current permissions first
ls -l file.txt
# Preview what recursive change will affect
find folder -ls
# Make a backup of important files first
cp important-file.txt important-file.txt.backup
Dangerous Commands to Avoid¶
# DON'T DO THESE without understanding:
# ❌ Makes EVERYTHING world-writable (security nightmare)
chmod -R 777 /
# ❌ Changes ownership of your entire system
sudo chown -R username /
# ❌ Makes all files executable (messy, unnecessary)
chmod -R +x ~/Documents
Safe Defaults¶
# ✅ For most files
chmod 644 file.txt
# ✅ For most directories
chmod 755 directory
# ✅ For scripts
chmod 755 script.sh
# ✅ For private data
chmod 600 private.txt
Helpful Aliases¶
Add to ~/.bashrc or ~/.zshrc:
# Show permissions in human-readable format
alias lsl='ls -lh'
# Show all permissions including hidden files
alias lsa='ls -lah'
# Fix common permission issues
alias fix-perms='find . -type d -exec chmod 755 {} \; && find . -type f -exec chmod 644 {} \;'
# Make script executable and run it
alias runsh='chmod +x'
# Take ownership of current directory
alias own='sudo chown -R $(whoami)'
# Show who owns what
alias perms='stat -f "%N: %Su:%Sg %Sp"'
Troubleshooting Guide¶
"Operation not permitted"¶
"Permission denied" when running script¶
"Can't write to file I created with sudo"¶
"Can't access directory"¶
"SSH won't accept my key"¶
# SSH is picky about permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
Quick Decision Tree¶
Can you access/edit/run the file?
├─ YES → You're done!
└─ NO → What's the error?
│
├─ "Permission denied" running script
│ └─ chmod +x script.sh
│
├─ "Permission denied" editing your own file
│ └─ sudo chown $(whoami) file.txt
│
├─ "Permission denied" accessing directory
│ └─ chmod u+x directory
│
└─ Want to share with others
└─ chmod 755 (if directory) or 644 (if file)
macOS-Specific Notes¶
ACLs (Access Control Lists)¶
macOS also has ACLs beyond basic permissions:
Extended Attributes¶
# View extended attributes (like quarantine)
ls -l@ file.txt
# Remove quarantine attribute
xattr -d com.apple.quarantine file.txt
# Remove all extended attributes
xattr -c file.txt
Default macOS Permissions¶
# User home directory
drwxr-xr-x (755)
# Files you create
-rw-r--r-- (644)
# Directories you create
drwxr-xr-x (755)
Complete Workflow Examples¶
Setting up a new script¶
# Create script
nano deploy.sh
# Make executable
chmod +x deploy.sh
# Verify
ls -l deploy.sh
# Should see: -rwxr-xr-x
# Run it
./deploy.sh
Fixing a borked project folder¶
# Check what's wrong
ls -la project/
# Take ownership
sudo chown -R $(whoami) project/
# Fix directory permissions (755)
find project -type d -exec chmod 755 {} \;
# Fix file permissions (644)
find project -type f -exec chmod 644 {} \;
# Make scripts executable
chmod +x project/*.sh
# Verify
ls -la project/
Securing sensitive data¶
# SSH keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
# Environment files
chmod 600 .env
chmod 600 config/secrets.yml
# Database credentials
chmod 600 config/database.yml
# Verify nothing is too open
find ~ -type f -perm -002 2>/dev/null
# (Shows world-writable files - should be none)
Remember¶
✅ chmod = change permissions (what can be done)
✅ chown = change owner (who owns it)
✅ chgrp = change group (which group it belongs to)
Most of the time you only need:
- chmod +x to make scripts runnable
- chmod 600 to make files private
- sudo chown $(whoami) to take back ownership
When in doubt: ls -l to see current permissions, then adjust from there.