chmod 640 Explained — Owner Read-Write, Group Read-Only
Understand the 640 permission in Linux. Owner can read and write; group can only read; others have no access. Used for sensitive config and log files.
Detailed Explanation
What Does chmod 640 Mean?
Permission 640 provides a middle ground between open (644) and private (600):
| Role | Octal | Symbolic | Permissions |
|---|---|---|---|
| Owner | 6 | rw- | Read + Write |
| Group | 4 | r-- | Read only |
| Others | 0 | --- | No access |
Where Is 640 Used?
This permission is ideal for files that a service owns but administrators need to read:
```bash
# Log files (service writes, admins read)
chmod 640 /var/log/myapp.log
chown myapp:adm /var/log/myapp.log

# Sensitive configuration (not secret, but not public)
chmod 640 /etc/myapp/database.conf

# /etc/shadow (password hashes)
ls -l /etc/shadow
# -rw-r----- 1 root shadow ... /etc/shadow
```
640 vs Other Permissions
| Permission | Others can read? | Group access | Use case |
|---|---|---|---|
| 600 | No | No access | Secrets, private keys |
| 640 | No | Read only | Sensitive config, logs |
| 644 | Yes | Read only | Public files |
| 660 | No | Read + Write | Shared sensitive files |
Practical Example: Log Rotation
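```
# In logrotate.conf:
# "create 640 myapp adm" tells logrotate to create the new log file
# right after rotation with mode 640, owner myapp and group adm,
# so the active log never falls back to a looser default.
/var/log/myapp/*.log {
    daily
    rotate 7
    compress
    create 640 myapp adm
}
```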
umask 027
The umask that produces 640 for files and 750 for directories is 027:
```
Files:       666 & ~027 = 640
Directories: 777 & ~027 = 750
```
This is recommended for production servers where others should not have access.
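The umask arithmetic above, checked against a real filesystem, as an added example that is not part of the original page. The function names and the temporary files are hypothetical. Because umask only applies when a file is created, the second half finds files that already exist with bits umask 027 would have masked.

```sh
#!/bin/sh
# Added example: function names and file names are hypothetical/constructed.

# Print the octal mode of a path (GNU stat, with BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file and a directory under umask $1; print "<file mode> <dir mode>".
# The subshell keeps the umask change from leaking into the caller.
modes_under_umask() {
    (
        umask "$1"
        tmp=$(mktemp -d) || exit 1
        : > "$tmp/app.log"
        mkdir "$tmp/logs"
        echo "$(mode_of "$tmp/app.log") $(mode_of "$tmp/logs")"
        rm -rf "$tmp"
    )
}

# List regular files under $1 that carry any bit umask 027 would have masked:
# group write (020) or any access for others (004, 002, 001).
find_looser_than_027() {
    find "$1" -type f \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Demo on a constructed directory: a file created under the old umask stays 644
# after the umask is tightened, so it has to be found and fixed explicitly.
modes_under_umask 022            # 644 755
modes_under_umask 027            # 640 750
demo=$(mktemp -d)
( umask 022; : > "$demo/old.conf" )
( umask 027; : > "$demo/new.conf" )
find_looser_than_027 "$demo"     # prints only .../old.conf
chmod 640 "$demo/old.conf"
find_looser_than_027 "$demo"     # prints nothing
rm -rf "$demo"
```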
Use Case
Use 640 for application log files, database configuration files, and any sensitive file where administrators need read access through group membership but all other users on the system should be blocked. Common in production server hardening.