How to check file and folder permissions in Linux

In Linux, checking file and directory permissions is one of the fastest ways to explain why one user or service can read a path while another gets denied. A quick permission review also helps confirm whether sensitive data is exposed more broadly than intended before any changes are made.

Each filesystem object stores a type, owner, group, and mode bits for user, group, and others. Commands such as ls and stat show those bits in symbolic forms like drwxrwxr-x and octal forms like 775, while getfacl reveals extra per-user or per-group Access Control List entries when the path uses ACLs.

Permission checks stay read-only, but the result still needs to be interpreted in context. A file can look correct and still be unreachable when a parent directory is missing the execute bit, and ACL details appear only when the filesystem and userspace tools support them, so reviewing both the target path and its directory chain gives the clearest answer.

Related: How to change file and folder permissions in Linux
Related: How to change ownership of files and directories in Linux

Steps to check file and folder permissions in Linux:

  1. Inspect the target file or directory entry with ls -ld to see the mode string, ownership, and whether an alternate access method such as an ACL is present. 
    $ ls -ld /srv/docs/permissions-demo /srv/docs/permissions-demo/secret.txt
drwxrwxr-x+ 3 root root 4096 Apr 14 01:20 /srv/docs/permissions-demo
-rw-rwx---+ 1 root root    7 Apr 14 01:20 /srv/docs/permissions-demo/secret.txt

    A leading d marks a directory, a leading - marks a regular file, and a trailing + after the permission bits means an ACL or other alternate access method exists.

  2. List a directory with ls -l when the permissions of the items inside it matter more than the directory node itself. 
    $ ls -l /srv/docs/permissions-demo
total 12
-rw-r--r--  1 root root    7 Apr 14 01:20 public.txt
-rw-rwx---+ 1 root root    7 Apr 14 01:20 secret.txt
drwxr-xr-x  2 root root 4096 Apr 14 01:20 subdir

    The leftmost column shows the effective mode for each child entry, which makes mixed access levels easy to spot in one view.

  3. Walk a directory tree with ls -lR when the permission problem may be inside nested subdirectories. 
    $ ls -lR /srv/docs/permissions-demo
/srv/docs/permissions-demo:
total 12
-rw-r--r--  1 root root    7 Apr 14 01:20 public.txt
-rw-rwx---+ 1 root root    7 Apr 14 01:20 secret.txt
drwxr-xr-x  2 root root 4096 Apr 14 01:20 subdir

/srv/docs/permissions-demo/subdir:
total 4
-rw-r--r-- 1 root root 5 Apr 14 01:20 note.txt

    Recursive listings quickly show where a restrictive subdirectory or unexpectedly open file appears deeper in the tree.

  4. Print the symbolic mode, octal mode, owner, group, and path in one stable line with stat when the result needs to be compared or scripted. 
    $ stat -c "%A %a %U:%G %n" /srv/docs/permissions-demo /srv/docs/permissions-demo/secret.txt
drwxrwxr-x 775 root:root /srv/docs/permissions-demo
-rw-rwx--- 670 root:root /srv/docs/permissions-demo/secret.txt

    The stat format string combines the same access bits that ls shows with the numeric mode that tools such as chmod use.

  5. Use the default stat view when timestamps, link count, or inode details are needed alongside the permission bits. 
    $ stat /srv/docs/permissions-demo/secret.txt
  File: /srv/docs/permissions-demo/secret.txt
  Size: 7         	Blocks: 8          IO Block: 4096   regular file
Device: 0,90	Inode: 2905146     Links: 1
Access: (0670/-rw-rwx---)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2026-04-14 01:20:41.362177005 +0000
Modify: 2026-04-14 01:20:41.363177005 +0000
Change: 2026-04-14 01:20:41.367177005 +0000
 Birth: 2026-04-14 01:20:41.362177005 +0000

    The Access line combines the octal and symbolic forms, while the timestamp lines help distinguish a recent permission change from older file content changes.

  6. Check every directory component in the full path with namei -om when a file looks correct but access is still denied. 
    $ namei -om /srv/docs/permissions-demo/secret.txt
f: /srv/docs/permissions-demo/secret.txt
 drwxr-xr-x root root /
 drwxr-xr-x root root srv
 drwxr-xr-x root root docs
 drwxrwxr-x root root permissions-demo
 -rw-rwx--- root root secret.txt

    Every directory in the path needs the execute bit for traversal, so namei is useful when the file mode is correct but a parent directory blocks access.

  7. Query ACL entries with getfacl -p when the trailing + in ls output suggests extra rules beyond owner, group, and others. 
    $ getfacl -p /srv/docs/permissions-demo/secret.txt /srv/docs/permissions-demo
# file: /srv/docs/permissions-demo/secret.txt
# owner: root
# group: root
user::rw-
user:www-data:r--
group::rwx
mask::rwx
other::---

# file: /srv/docs/permissions-demo
# owner: root
# group: root
user::rwx
group::rwx
group:adm:r-x
mask::rwx
other::r-x

    Entries such as user:www-data or group:adm are ACL rules layered on top of the base mode bits. If getfacl is unavailable, install the ACL userspace tools from the distribution package set before retrying.

  8. Check the current shell creation mask with umask when new files or directories keep appearing with unexpected default permissions. 
    $ umask
0022
$ umask -S
u=rwx,g=rx,o=rx

    umask does not report the mode of an existing path. It shows which permission bits the shell removes from newly created files and directories.