chmod 400 Explained — Owner Read-Only Permission
Understand the 400 permission in Linux. Owner can read but not write; no access for group or others. Used for deployed certificates and immutable sensitive files.
Detailed Explanation
What Does chmod 400 Mean?
Permission 400 is the most restrictive useful permission for regular files:
| Role | Octal | Symbolic | Permissions |
|---|---|---|---|
| Owner | 4 | r-- | Read only |
| Group | 0 | --- | No access |
| Others | 0 | --- | No access |
When to Use 400
Permission 400 is appropriate when a file should be read but never modified, even accidentally:
```bash
# Deployed SSL certificates (private key)
chmod 400 /etc/ssl/private/server.key

# AWS EC2 key pairs (.pem files)
chmod 400 ~/keys/production.pem

# Backup encryption keys
chmod 400 /root/backup-key.gpg

# Immutable configuration deployed by automation
chmod 400 /etc/app/deployed-config.yaml
```
400 vs 600
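- 400: Read-only. The owner cannot overwrite the file by accident, although the owner can still change the mode with chmod and root is not restricted by it. Use for files managed by automation.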
- 600: Read-write. Owner can modify. Use for files that need manual editing.
AWS EC2 Key Pairs
AWS documentation specifically recommends 400 for .pem key files:
```bash
# After downloading from AWS
chmod 400 my-key-pair.pem

# SSH using the key
ssh -i my-key-pair.pem ec2-user@instance
```
If the key file is accessible to group or others (for example 644), ssh prints an unprotected-private-key warning and ignores the key, so the connection is refused.
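The 400/600 distinction and the group/other check that ssh applies to key files can be audited mechanically. The script below is an added example, not part of the original page; the function names are hypothetical and the demo runs on constructed temporary files rather than real keys.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Print permission bits in octal: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' -- "$1" 2>/dev/null || stat -f '%Lp' -- "$1" 2>/dev/null
}

# Classify one file by mode:
#   readonly - exactly 400
#   writable - exactly 600
#   unusual  - no group/other bits, but not 400/600 (e.g. 700, 200)
#   exposed  - any group/other bit set; ssh ignores a private key in this state
classify_mode() {
    _mode=$(file_mode "$1") || { echo missing; return 2; }
    case "$_mode" in
        400)   echo readonly ;;
        600)   echo writable ;;
        *00|0) echo unusual ;;
        *)     echo exposed; return 1 ;;
    esac
}

# Report every path; return non-zero if any file is exposed or missing.
audit_secrets() {
    _rc=0
    for _f in "$@"; do
        _state=$(classify_mode "$_f") || _rc=1
        printf '%-9s %s\n' "$_state" "$_f"
    done
    return "$_rc"
}

# Constructed demo: empty temp files standing in for keys, one per mode.
demo() {
    _dir=$(mktemp -d) || return 1
    for _m in 400 600 640 644 700; do
        : > "$_dir/key-$_m" && chmod "$_m" "$_dir/key-$_m"
    done
    _demo_rc=0
    audit_secrets "$_dir"/key-* || _demo_rc=$?
    rm -rf "$_dir"
    return "$_demo_rc"
}

demo || true
```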
Reverting When Needed
If you need to modify a 400 file:
```bash
# Temporarily allow writing
chmod 600 file.key

# Make changes...

# Restore read-only
chmod 400 file.key
```
Use Case
Use 400 for AWS EC2 .pem key files, deployed SSL private keys, backup encryption keys, and any secret file that should never be modified in place. The read-only restriction provides an additional safety layer against accidental corruption.