Linux shell / CLI linux permissions bash
Ingrid Holm Systems Engineer

Linux bash: Permission denied

Encountering 'Permission denied' means your user lacks necessary file permissions; this guide explains how to fix it.

What This Error Means

The "Permission denied" error in your Linux bash shell is a clear signal from the operating system's security mechanisms. It means your current user account does not have the necessary privileges to perform the action you're attempting on a particular file or directory. This could involve trying to:

  • Execute a script or program without execute permissions.
  • Read the contents of a file without read permissions.
  • Write to a file or directory without write permissions.
  • Change into a directory (cd) without execute permissions on that directory.
  • Delete a file or directory without write permissions in the parent directory.

Fundamentally, it's a security feature protecting the integrity and confidentiality of your system. Linux, being a multi-user operating system, relies heavily on a robust permission model to prevent unauthorized access or modification of files and processes.

Why It Happens

This error arises because the Linux kernel enforces a strict set of rules known as file permissions. Every file and directory on a Linux system has associated permissions that dictate who can do what with it. These permissions are defined for three categories of users:

  1. User (u): The owner of the file.
  2. Group (g): Members of the group that owns the file.
  3. Others (o): Everyone else on the system.

For each of these categories, three primary permissions can be granted or denied:

  • Read (r): Allows viewing the file's contents or listing a directory's contents.
  • Write (w): Allows modifying the file's contents, creating/deleting files within a directory, or renaming a directory.
  • Execute (x): Allows running a file as a program/script or entering (cd) a directory.

When you encounter "Permission denied," it's because your user, within its assigned group and global permissions, is not authorized to perform the requested r, w, or x operation on the target resource. In my experience, it's one of the most frequent hurdles new Linux users face, and even seasoned engineers can occasionally forget to check permissions when troubleshooting.

Common Causes

Troubleshooting "Permission denied" often involves understanding the specific context. Here are the most common scenarios I've encountered:

  1. Attempting to Execute a Script: The most frequent cause for scripts (e.g., .sh, .py, compiled binaries) is the lack of execute permission. If you try to run ./myscript.sh and it's not executable, you'll hit this error.
  2. Accessing System Files or Directories: Many critical system files and directories (like /etc, /var/log, /root) are owned by the root user or specific system accounts, with restricted permissions for ordinary users. Trying to read, write, or modify these without sudo will fail.
  3. Incorrect File Ownership: You might be trying to modify a file that's owned by another user or group, and your current user doesn't have the necessary group or 'other' permissions. I've seen this often in production when files are created by a service user and then an ops user tries to manually edit them.
  4. Files Created by root (or sudo): If you previously ran a command with sudo that created or modified files, those files might now be owned by root. Subsequent attempts to interact with them as a non-root user will result in "Permission denied."
  5. Filesystem Mounted as Read-Only: Sometimes, a filesystem (e.g., a network share, a recovery partition, or a disk with errors) might be mounted as read-only. Any attempt to write to it will be denied, regardless of file permissions.
  6. SELinux or AppArmor Interference: On systems with enhanced security features like SELinux (Security-Enhanced Linux) or AppArmor, even if standard file permissions look correct, a security policy might be preventing the operation. This is more common in server environments or specific distributions (e.g., CentOS/RHEL for SELinux, Ubuntu for AppArmor).
  7. umask Configuration: The umask setting determines the default permissions for newly created files and directories. If umask is too restrictive, files you create might not have the permissions you expect, leading to issues later.
  8. Incorrect Redirection with sudo: A classic pitfall! sudo echo "hello" > /root/file.txt will fail because sudo applies only to the echo command, not the shell's redirection (>). The shell itself (running as your non-root user) tries to open /root/file.txt for writing and gets denied.

Step-by-Step Fix

When troubleshooting "Permission denied," I always follow a systematic approach.

  1. Identify the Target and Operation:

    • What file or directory are you trying to access?
    • What operation are you performing (read, write, execute, delete, change directory)?

  2. Check Current Permissions and Ownership:
    Use the ls -l command, which provides detailed information about files and directories, including their permissions, owner, and group.

    bash ls -l /path/to/your/file_or_directory

    Example Output:
    -rwxrw-r-- 1 ingrid devops 1024 May 15 10:30 myscript.sh drwxr-xr-x 2 root root 4096 Apr 20 08:00 /var/log/nginx
    * The first column (-rwxrw-r--) shows the permissions:
    * The first character indicates the file type (- for file, d for directory).
    * The next three characters (rwx) are for the owner (ingrid).
    * The next three (rw-) are for the group (devops).
    * The last three (r--) are for others.
    * The third column (ingrid, root) is the file owner.
    * The fourth column (devops, root) is the file's group.

  3. Identify Your Current User and Groups:
    Determine who you are currently logged in as and what groups you belong to.

    bash whoami groups
    This helps you understand which permission set (user, group, or others) applies to your current session.

  4. Modify Permissions (using chmod):
    If the permissions are too restrictive for your user/group, you can change them using chmod.

    • To make a script executable:
      This is the most common fix for "Permission denied" when trying to run a script.

      bash chmod +x /path/to/your/script.sh
      This adds execute permission for the owner, group, and others. If you only want the owner to execute, use chmod u+x.

    • To grant read/write permissions for a file:
      For example, to give the owner read/write, and group/others read-only for a file:

      bash chmod 644 /path/to/your/file.txt
      (Octal explanation: 6=rw-, 4=r--, 4=r--)

    • To grant read/write/execute for directories:
      Directories typically need execute permission for cd into them. A common setting is 755 for directories, allowing the owner full control and others to navigate/read.

      bash chmod 755 /path/to/your/directory/
      Self-correction: While chmod 777 (full read/write/execute for everyone) might seem like an easy fix, it's a significant security risk and should be avoided in production or shared environments. Only use it temporarily for debugging or in highly controlled, isolated scenarios.

  5. Change Ownership (using chown and chgrp):
    If the file is owned by root or another user, and you need to take ownership, you'll likely need sudo.

    • Change owner and group:

      bash sudo chown youruser:yourgroup /path/to/your/file_or_directory
      Replace youruser and yourgroup with your actual username and desired group.

    • Change only the group:

      bash sudo chgrp yourgroup /path/to/your/file_or_directory

  6. Use sudo for Elevated Privileges:
    If you need to perform an operation on a file owned by root or in a protected system directory, and modifying permissions isn't appropriate or feasible, sudo is your go-to.

    bash sudo vim /etc/hosts sudo systemctl restart nginx
    Important Note on Redirection: As mentioned in "Common Causes," sudo only applies to the direct command. If you need to redirect output to a file that requires root privileges, use sudo with bash -c or tee:

    bash sudo bash -c 'echo "my new content" > /path/to/root_owned_file.txt' echo "more content" | sudo tee -a /path/to/root_owned_file.txt

  7. Check Filesystem Mount Options:
    If attempts to write to a drive or partition always result in "Permission denied," check its mount options.

    bash mount | grep "/path/to/mountpoint"
    Look for ro (read-only) in the output. If it's read-only and needs to be writable, you might need to remount it:

    bash sudo mount -o remount,rw /path/to/mountpoint

  8. Address SELinux/AppArmor (Advanced):
    If standard permission checks don't resolve the issue, and you're on a system with SELinux or AppArmor enabled, these might be the culprit.

    • SELinux: Check the SELinux context with ls -Z. You might need to restore the default context using sudo restorecon -Rv /path/to/directory_or_file. Check /var/log/audit/audit.log or dmesg for AVC denials.
    • AppArmor: Check /var/log/syslog or dmesg for AppArmor DENIED messages. You might need to adjust or disable a profile, though this is usually a last resort.

Code Examples

These are concise, copy-paste ready examples for common permission scenarios.

1. Make a script executable:

chmod +x my_script.sh
./my_script.sh # Now it should run

2. List permissions and ownership:

ls -l /var/log/nginx/access.log

Example Output:

-rw-r----- 1 www-data adm 1234567 May 15 11:00 /var/log/nginx/access.log

3. Change file ownership (requires sudo):

sudo chown youruser:yourgroup /opt/app/config.ini

4. Change directory permissions for a web server (common for var/www):

sudo chmod 755 /var/www/html
sudo chown -R www-data:www-data /var/www/html # recursively change owner/group

5. Write to a root-owned file using sudo and tee:

echo "ServerName myapp.example.com" | sudo tee -a /etc/apache2/conf-available/servername.conf

6. Attempting to create a file in a restricted directory (will fail without sudo):

touch /root/newfile.txt # This will likely result in "Permission denied"

7. Correct way to create file in restricted directory:

sudo touch /root/newfile.txt

Environment-Specific Notes

Permission issues can manifest differently depending on your operating environment.

  • Cloud Virtual Machines (AWS EC2, GCP Compute Engine, Azure VMs):

    • Default Users: Cloud providers often provision VMs with specific default users (e.g., ec2-user on Amazon Linux, ubuntu on Ubuntu images, gcpuser on GCP). These users have sudo access but aren't root by default. Always verify your current user (whoami) and use sudo when necessary for system-level changes.
    • Service Accounts/IAM Roles: In cloud environments, applications often run under specific service accounts (e.g., IAM roles in AWS). These accounts have their own permissions, defined by cloud policies, which can restrict file access even if OS-level permissions seem permissive. I've often seen applications fail to write to logs or temp directories because the instance profile or service account lacked s3:PutObject or specific permissions to access an EFS share.
    • Ephemeral Storage: Be mindful of where data is stored. Temporary or ephemeral storage might be owned by root or have strict permissions, and data on it won't persist across reboots.

  • Docker Containers:

    • User Inside Container: By default, processes inside a Docker container often run as root. However, it's a security best practice to run them as a non-root user. If your Dockerfile uses the USER instruction, or your docker run command specifies a user (-u), then the "Permission denied" error will behave exactly as it would on a regular Linux host for that specific user within the container.
    • Volume Mounts: When you mount a host directory as a volume into a container, the permissions of the host directory apply. If the user inside the container doesn't have the necessary permissions on the host's mounted directory, you'll get "Permission denied." I usually set up chown commands in my Dockerfile or entrypoint scripts to ensure the container user has appropriate access to mounted volumes.
    • Image Layers: Files created during docker build (e.g., via RUN commands) will be owned by root unless explicitly changed by a chown within the Dockerfile.

  • Local Development Environments:

    • umask: Your local umask can affect default permissions for new files. If your umask is restrictive (e.g., 077), new files might not be readable by others in your system, which can cause issues if you're sharing files or running services under different users. You can check your umask with umask and temporarily set it with umask 002.
    • IDE/Editor Permissions: Sometimes, the IDE or text editor you're using might be running under different privileges or attempting to save files with permissions that conflict with system defaults. This is rare but can be a confusing edge case.
    • External Drives: USB drives or external SSDs often have different default mount options and permissions than internal drives, especially if formatted for other operating systems.

Frequently Asked Questions

Q: Is chmod 777 always bad?
A: While chmod 777 grants full read, write, and execute permissions to everyone (owner, group, and others), making it a significant security risk, it's not always bad in every single context. For temporary debugging in an isolated, non-production environment, or in specific cases where a file must be globally writable (and you understand the risks), it can be used. However, as a general rule and for production systems, avoid it. Prefer 755 for directories and 644 for files.

Q: What's the difference between chmod +x and chmod 755?
A: chmod +x is a symbolic mode command that adds execute permission for all categories (user, group, others) without affecting existing read/write permissions. chmod 755 is an octal mode command that explicitly sets permissions: 7 for the owner (read, write, execute), 5 for the group (read, execute), and 5 for others (read, execute). If a file was rw-rw-rw- (666) and you ran chmod +x, it would become rwxrwxrwx (777). If you ran chmod 755, it would become rwxr-xr-x. They achieve different results.

Q: I used sudo, but still get "Permission denied". Why?
A: This is often due to shell redirection (> or >>) where sudo only applies to the command immediately preceding it, not the shell's redirection operation. For example, sudo echo "data" > /root/file.txt fails because your non-root shell tries to open /root/file.txt for writing. The fix is to use sudo with bash -c '...' or the tee command (e.g., echo "data" | sudo tee /root/file.txt).

Q: How do I know who owns a file?
A: Use the ls -l command. The third column in the output specifies the owner of the file, and the fourth column specifies the group owner. For example, in -rw-r--r-- 1 ingrid devops 1024 ... file.txt, ingrid is the owner and devops is the group.

Q: Can I get "Permission denied" on a directory?
A: Yes, absolutely.
* If you lack read (r) permission on a directory, you can't list its contents (ls).
* If you lack write (w) permission on a directory, you can't create new files, delete existing ones, or rename items within it.
* If you lack execute (x) permission on a directory, you cannot cd into it, nor can you access files or subdirectories within it, even if you have permissions on those nested items. Execute permission on a directory essentially means "permission to traverse" or "permission to enter."