File Permissions Quick Guide for macOS

Published: February 14, 2026 · Last edited: February 24, 2026

A practical guide to understanding and using chmod, chown, and chgrp without the overwhelm.

The 30-Second Version

# Make file executable
chmod +x script.sh

# Make file private (only you can read/write)
chmod 600 private-file.txt

# Fix "permission denied" on your own files
sudo chown -R $(whoami) /path/to/folder

# That's 90% of what you'll ever need.

Understanding File Permissions (The Basics)

Every file has:

1. Owner - One user who owns it (usually you)
2. Group - One group that has access (usually "staff" on macOS)
3. Permissions - What each can do (read, write, execute)

Check permissions:

ls -l myfile.txt

# Output:
-rw-r--r--  1  username  staff  1234  Feb 14 10:30  myfile.txt
│││││││││  │  │         │      │     │
│││││││││  │  │         │      │     └─ filename
│││││││││  │  │         │      └─────── size
│││││││││  │  │         └────────────── group
│││││││││  │  └──────────────────────── owner
│││││││││  └─────────────────────────── number of links
│││││││││
│││└┴┴───── permissions for "others" (everyone else)
││└────────── permissions for "group"
│└─────────── permissions for "owner" (you)
└──────────── file type (- = file, d = directory, l = link)

Permission Letters:

• r = read (view the file)
• w = write (modify the file)
• x = execute (run the file as a program)
• - = no permission

chmod - Change Permissions

The Easy Way (Symbolic Mode)

Who:

• u = user (owner)
• g = group
• o = others (everyone else)
• a = all (everyone)

What:

• + = add permission
• - = remove permission
• = = set exactly this permission

Permission:

• r = read
• w = write
• x = execute

Common chmod Commands

# Make a script executable
chmod +x script.sh
# or more explicitly:
chmod u+x script.sh

# Make file readable by everyone
chmod a+r document.txt

# Remove write permission from group and others (make it private)
chmod go-w private.txt

# Make directory and all contents private (only you can access)
chmod -R 700 ~/my-private-folder

# Make a file completely public (everyone can read)
chmod a+r public-file.txt

# Remove all permissions for others
chmod o-rwx secret-file.txt

# Give group read and execute, but not write
chmod g+rx,g-w shared-folder

The Number Way (Octal Mode)

Each permission is a number:

• Read (r) = 4
• Write (w) = 2
• Execute (x) = 1
• None = 0

Add them up for each group:

7 = 4+2+1 = rwx (read, write, execute)
6 = 4+2   = rw- (read, write)
5 = 4+1   = r-x (read, execute)
4 = 4     = r-- (read only)
3 = 2+1   = -wx (write, execute - rare)
2 = 2     = -w- (write only - rare)
1 = 1     = --x (execute only - rare)
0 = 0     = --- (no permissions)

Three digits: Owner | Group | Others

chmod 755 script.sh
      │││
      ││└─ Others: 5 (r-x) can read and execute
      │└── Group:  5 (r-x) can read and execute
      └─── Owner:  7 (rwx) can read, write, and execute

Most Common Permission Numbers

# Files you want to keep private
chmod 600 file.txt        # rw------- (only you can read/write)
chmod 400 readonly.txt    # r-------- (only you can read, can't modify)

# Files you want to share
chmod 644 public-doc.txt  # rw-r--r-- (you can edit, others can read)
chmod 444 readonly.txt    # r--r--r-- (everyone can read, nobody can write)

# Scripts and executables
chmod 700 my-script.sh    # rwx------ (only you can run it)
chmod 755 shared-script.sh # rwxr-xr-x (everyone can run, only you can edit)

# Directories
chmod 700 private-dir     # rwx------ (only you can access)
chmod 755 public-dir      # rwxr-xr-x (everyone can browse, only you can add files)
chmod 775 shared-dir      # rwxrwxr-x (you and group can add files, others browse)

Recursive Operations

# Apply to directory and everything inside
chmod -R 755 ~/my-project

# Be careful! This affects ALL files and subdirectories

chown - Change Owner

Basic Usage

# Change owner
chown newowner file.txt

# Change owner and group at once
chown newowner:newgroup file.txt

# Recursive (directory and all contents)
chown -R username folder/

Common chown Scenarios

# Take ownership of your own files (common after sudo operations)
sudo chown $(whoami) file.txt

# Take ownership of entire directory
sudo chown -R $(whoami) ~/project

# Change owner and group together
sudo chown username:staff file.txt

# Change ownership of a web directory (common for server setups)
sudo chown -R www-data:www-data /var/www/html

Why You Need Sudo

# This FAILS (can't give away files you don't own)
chown someone-else myfile.txt

# This WORKS (admin privileges)
sudo chown someone-else myfile.txt

Important: On macOS, you typically need sudo to change ownership, even of your own files.

chgrp - Change Group

Basic Usage

# Change group
chgrp newgroup file.txt

# Recursive
chgrp -R staff folder/

Common Groups on macOS

• staff - Default group for regular users
• wheel - Administrators
• admin - Administrative access
• everyone - All users

Common chgrp Scenarios

# Change to staff group (most common on macOS)
chgrp staff file.txt

# Share with admin group
sudo chgrp admin shared-folder
sudo chmod g+rw shared-folder

# Recursive group change
chgrp -R staff ~/Documents

Real-World Scenarios

Scenario 1: "I can't edit my own file!"

Problem:

ls -l myfile.txt
-r--r--r--  1 root  wheel  1234 Feb 14 10:30 myfile.txt
#            ↑     ↑
#         owned by root, not you

Solution:

# Take ownership
sudo chown $(whoami) myfile.txt

# Add write permission
chmod u+w myfile.txt

Scenario 2: "Permission denied when running script"

Problem:

./deploy.sh
-bash: ./deploy.sh: Permission denied

Solution:

# Make it executable
chmod +x deploy.sh

# Now run it
./deploy.sh

Scenario 3: "Can't access folder I created with sudo"

Problem:

sudo mkdir important-folder
cd important-folder
# Permission denied

Solution:

# Fix ownership of the folder
sudo chown -R $(whoami) important-folder

# Now you can access it
cd important-folder

Scenario 4: "Want to share folder with team"

Problem:

# Want teammates to read/write files

Solution:

# Change group to team's group
sudo chgrp -R teamname shared-folder

# Give group read/write/execute
chmod -R 775 shared-folder

# Now team can access

Scenario 5: "Downloaded script won't run"

Problem:

./downloaded-script.sh
-bash: Permission denied

Solution:

# Make executable
chmod +x downloaded-script.sh

# Verify
ls -l downloaded-script.sh
-rwxr-xr-x  1 you  staff  ...  downloaded-script.sh

Scenario 6: "Need to protect sensitive file"

Problem:

# SSH keys, passwords, API tokens need to be private

Solution:

# Make it private (only you can read/write)
chmod 600 ~/.ssh/id_rsa
chmod 600 secrets.txt

# Verify
ls -l secrets.txt
-rw-------  1 you  staff  ...  secrets.txt

Quick Reference Cheat Sheet

Permission Numbers Guide

Number  Binary  Permissions  Use Case
------  ------  -----------  --------
0       000     ---          No access
1       001     --x          Execute only (rare)
2       010     -w-          Write only (rare)
3       011     -wx          Write + Execute (rare)
4       100     r--          Read only
5       101     r-x          Read + Execute (scripts, dirs)
6       110     rw-          Read + Write (files)
7       111     rwx          Full access (owner on dirs)

Common Permission Patterns

# Private Files
600  -rw-------  Your eyes only (passwords, SSH keys)
400  -r--------  Read-only for you (protected configs)

# Shared Files  
644  -rw-r--r--  You edit, others read (documents)
664  -rw-rw-r--  You and group edit, others read

# Executable Files
700  -rwx------  Only you can run (private scripts)
755  -rwxr-xr-x  Everyone can run, you can edit (public scripts)
775  -rwxrwxr-x  You and group can edit/run

# Directories
700  drwx------  Private folder
755  drwxr-xr-x  Public folder (websites, shared code)
775  drwxrwxr-x  Collaborative folder (team workspace)

One-Line Fixes

# "I can't run this script"
chmod +x script.sh

# "Permission denied on my own files"
sudo chown -R $(whoami) .

# "Want to keep this file private"
chmod 600 secrets.txt

# "Share this folder with my group"
chmod -R 775 shared-folder && sudo chgrp -R staff shared-folder

# "SSH key permissions are wrong"
chmod 600 ~/.ssh/id_rsa && chmod 644 ~/.ssh/id_rsa.pub

# "Fix permissions on entire project"
find ~/project -type d -exec chmod 755 {} \; && find ~/project -type f -exec chmod 644 {} \;

Understanding the Numbers (Visual Guide)

chmod 754 myfile.txt

7 = 4 + 2 + 1 = Read + Write + Execute = rwx  (Owner)
5 = 4 + 0 + 1 = Read +   -   + Execute = r-x  (Group)
4 = 4 + 0 + 0 = Read +   -   +    -    = r--  (Others)

Result: -rwxr-xr--

Safety Tips

Before Changing Permissions

# Always check current permissions first
ls -l file.txt

# Preview what recursive change will affect
find folder -ls

# Make a backup of important files first
cp important-file.txt important-file.txt.backup

Dangerous Commands to Avoid

# DON'T DO THESE without understanding:

# ❌ Makes EVERYTHING world-writable (security nightmare)
chmod -R 777 /

# ❌ Changes ownership of your entire system
sudo chown -R username /

# ❌ Makes all files executable (messy, unnecessary)
chmod -R +x ~/Documents

Safe Defaults

# ✅ For most files
chmod 644 file.txt

# ✅ For most directories
chmod 755 directory

# ✅ For scripts
chmod 755 script.sh

# ✅ For private data
chmod 600 private.txt

Helpful Aliases

Add to ~/.bashrc or ~/.zshrc:

# Show permissions in human-readable format
alias lsl='ls -lh'

# Show all permissions including hidden files
alias lsa='ls -lah'

# Fix common permission issues
alias fix-perms='find . -type d -exec chmod 755 {} \; && find . -type f -exec chmod 644 {} \;'

# Make script executable and run it
alias runsh='chmod +x'

# Take ownership of current directory
alias own='sudo chown -R $(whoami)'

# Show who owns what
alias perms='stat -f "%N: %Su:%Sg %Sp"'

Troubleshooting Guide

"Operation not permitted"

# You need sudo
sudo chown username file.txt

"Permission denied" when running script

# Make it executable
chmod +x script.sh

"Can't write to file I created with sudo"

# Take ownership back
sudo chown $(whoami) file.txt

"Can't access directory"

# Need execute permission on directories
chmod u+x directory

"SSH won't accept my key"

# SSH is picky about permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config

Quick Decision Tree

Can you access/edit/run the file?
├─ YES → You're done!
└─ NO → What's the error?
    │
    ├─ "Permission denied" running script
    │  └─ chmod +x script.sh
    │
    ├─ "Permission denied" editing your own file
    │  └─ sudo chown $(whoami) file.txt
    │
    ├─ "Permission denied" accessing directory
    │  └─ chmod u+x directory
    │
    └─ Want to share with others
       └─ chmod 755 (if directory) or 644 (if file)

macOS-Specific Notes

ACLs (Access Control Lists)

macOS also has ACLs beyond basic permissions:

# View ACLs
ls -le file.txt

# Remove ACLs (if they're causing issues)
chmod -N file.txt

Extended Attributes

# View extended attributes (like quarantine)
ls -l@ file.txt

# Remove quarantine attribute
xattr -d com.apple.quarantine file.txt

# Remove all extended attributes
xattr -c file.txt

Default macOS Permissions

# User home directory
drwxr-xr-x  (755)

# Files you create
-rw-r--r--   (644)

# Directories you create  
drwxr-xr-x   (755)

Complete Workflow Examples

Setting up a new script

# Create script
nano deploy.sh

# Make executable
chmod +x deploy.sh

# Verify
ls -l deploy.sh
# Should see: -rwxr-xr-x

# Run it
./deploy.sh

Fixing a borked project folder

# Check what's wrong
ls -la project/

# Take ownership
sudo chown -R $(whoami) project/

# Fix directory permissions (755)
find project -type d -exec chmod 755 {} \;

# Fix file permissions (644)
find project -type f -exec chmod 644 {} \;

# Make scripts executable
chmod +x project/*.sh

# Verify
ls -la project/

Securing sensitive data

# SSH keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

# Environment files
chmod 600 .env
chmod 600 config/secrets.yml

# Database credentials
chmod 600 config/database.yml

# Verify nothing is too open
find ~ -type f -perm -002 2>/dev/null
# (Shows world-writable files - should be none)

Remember

✅ chmod = change permissions (what can be done) ✅ chown = change owner (who owns it)
✅ chgrp = change group (which group it belongs to)

Most of the time you only need:

• chmod +x to make scripts runnable
• chmod 600 to make files private
• sudo chown $(whoami) to take back ownership

When in doubt: ls -l to see current permissions, then adjust from there.

Related

• Unix File System — Deep dive into the file system that permissions protect
• Listening Ports — Another system-level reference for diagnosing access issues