Chmod 640 for Config Files
Learn how chmod 640 protects configuration files. Owner read-write, group read-only, others blocked. Secure config management.
Permission
640
rw-r-----
chmod 640 filename
Permission Breakdown
| Role | Read (4) | Write (2) | Execute (1) | Octal | Meaning |
|---|---|---|---|---|---|
| Owner | r | w | - | 6 | read, write |
| Group | r | - | - | 4 | read |
| Others | - | - | - | 0 | no permissions |
Detailed Explanation
Permission 640 is the recommended setting for most configuration files that contain sensitive information.
Octal breakdown:
- 6 (Owner): read (4) + write (2) = read and write
- 4 (Group): read (4) only
- 0 (Others): no access
In symbolic notation this is rw-r-----.
Configuration files often contain database credentials, API keys, encryption secrets, and other sensitive data. Using 640 ensures that the system administrator (owner) can update the configuration, the application service (in the group) can read it, and all other users are blocked.
Common examples include:
- /etc/mysql/my.cnf or /etc/postgresql/pg_hba.conf for database configs
- Web application .env files or config/database.yml
- /etc/ssl/private/ for SSL private key directories
- /etc/shadow (the system password hash file) often uses 640
Many security auditing tools (like Lynis) will flag configuration files with permissions more open than 640 as potential security issues.
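The check described above can be reproduced with standard tools. This is an added example, not part of the original page or of Lynis: a POSIX shell audit that lists files granting any bit beyond rw-r-----, plus a helper that sets group and mode together, since 640 only protects a file when its group is the service's group. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit files against the 640 baseline and fix them.

# List regular files under "$1" whose mode grants any bit outside rw-r-----:
# owner execute (100), group write/execute (020, 010), others rwx (004, 002, 001).
# Only POSIX find tests are used, so this works with GNU and BSD find.
# Special bits (setuid, setgid, sticky) are not checked here.
find_looser_than_640() {
    find "$1" -type f \( \
        -perm -100 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Set group and mode in one step.
# Arguments: file, group (name or numeric gid of the service that reads it).
secure_config() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    for m in 600 640 644 660; do
        : > "$d/app-$m.conf" && chmod "$m" "$d/app-$m.conf"
    done
    echo "Looser than 640:"
    find_looser_than_640 "$d" | sort      # lists app-644.conf and app-660.conf
    for f in $(find_looser_than_640 "$d"); do
        secure_config "$f" "$(id -g)"     # assumption: own group stands in for the service group
    done
    echo "After fix: $(find_looser_than_640 "$d" | wc -l) file(s) remaining"
    rm -rf "$d"
}
demo
```

Files at 600 or 400 pass the check because they are stricter than 640, which matches the "more open than 640" criterion.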
Use Case
The standard secure permission for web application config files, database configurations, SSL private key files, and any configuration containing credentials or secrets.