Chmod Calculator
Octal, symbolic and special bits both ways, with plain-English meaning and warnings.
100% in your browser. Nothing you type ever leaves this page.
| | Read (4) | Write (2) | Execute (1) |
|---|---|---|---|
| Owner | | | |
| Group | | | |
| Others | | | |
Umask: what new files are born with
- New files (666 - umask): 644 (rw-r--r--)
- New directories (777 - umask): 755 (rwxr-xr-x)
The mental model that makes chmod obvious
A Unix mode is just three small numbers, one per audience: the file's owner, the
file's group, everyone else. Each number is a sum: read is 4, write is 2, execute is
1. Add what you grant. Owner gets everything: 4+2+1 = 7. Group reads only: 4. That is
the whole system; 755 and rwxr-xr-x are two spellings of the same twelve bits, and
the calculator converts between them in both directions, including from the
ls -l string you just pasted from a terminal.
The modes you will actually type
Four modes cover most of a sysadmin's life. 644 for ordinary files: the owner edits, the world reads, nothing executes. 755 for directories and scripts: same idea plus traversal or execution. 600 for anything secret (tokens, configs with passwords), and 400 for SSH private keys, where even your own write access is removed so a stray command cannot truncate the key; OpenSSH refuses keys that are group or world readable, which is the most common reason a freshly copied key "does not work". Web servers add a wrinkle worth knowing: the files should usually be owned by a deploy user and merely readable by the server account, not owned by it, so a compromised PHP process cannot rewrite the site.
Special bits, the fourth digit
The optional leading digit packs three switches. Setgid on a shared directory (2775)
is the genuinely useful one: every file created inside inherits the directory's
group, which is how team folders stay accessible without nightly chgrp cron jobs.
The sticky bit explains /tmp: 1777 lets everyone create files but only
owners delete their own, so users cannot remove each other's temp files. Setuid is
the dangerous one, an executable that runs with its owner's privileges; legitimate
uses like passwd are carefully audited, and a setuid root shell script
is the textbook local privilege escalation, which is why the calculator turns red
when you build one.
When chmod is not the answer
Half the permission errors fixed with chmod 777 were ownership problems wearing a
disguise: the right call was chown. And when you genuinely need "these
two users and that service account, but nobody else", the classic bits run out;
POSIX ACLs (setfacl, getfacl) layer per-user grants on top
without blowing the door open. The rule that keeps audits short: grant the minimum,
grant it to the narrowest audience, and treat any 7 in the others column as a
finding until proven otherwise.
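The conversion and audit rules from the sections above, as an added Python example (not the calculator's own code). Function names and finding labels are this example's assumptions, and the sample strings are constructed. The umask is applied here as a bit mask, which agrees with the "666 - umask" shorthand for values such as 022.

```python
import stat

SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)  # setuid, setgid, sticky

def to_symbolic(mode: int) -> str:
    """0o2775 -> 'rwxrwsr-x' (stat.filemode prepends a file-type character)."""
    return stat.filemode(mode)[1:]

def to_octal(text: str) -> int:
    """'rwxr-xr-x' or an ls -l field such as '-rwsr-xr-x.' -> integer mode."""
    s = text.strip().rstrip(".+")          # trailing SELinux/ACL marker from ls -l
    s = s[1:] if len(s) == 10 else s        # leading file-type character
    if len(s) != 9:
        raise ValueError(f"not a permission string: {text!r}")
    mode = 0
    for i, ch in enumerate(s):
        bit, slot = 1 << (8 - i), i % 3
        if slot == 2 and ch.lower() == "sst"[i // 3]:
            mode |= SPECIAL[i // 3]         # s/S or t/T sits in the execute slot
            if ch.islower():                # lowercase: execute is set as well
                mode |= bit
        elif ch == "rwx"[slot]:
            mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode

def born_with(umask: int, directory: bool = False) -> int:
    """Mode of a new file or directory: the umask bits are cleared from 666/777."""
    return (0o777 if directory else 0o666) & ~umask

def findings(mode: int, directory: bool = False) -> list[str]:
    """Audit flags in the spirit of the rule above (labels are this example's own)."""
    out = []
    if (mode & stat.S_ISUID) and not directory:
        out.append("setuid executable")
    if (mode & stat.S_IWOTH) and not (directory and (mode & stat.S_ISVTX)):
        out.append("world-writable")
    if (mode & stat.S_IRWXO) == stat.S_IRWXO:
        out.append("7 in others column")
    return out

def ssh_key_ok(mode: int) -> bool:
    """OpenSSH rejects a private key file if any group or other bit is set."""
    return (mode & 0o077) == 0

if __name__ == "__main__":
    for sample in ("-rwsr-xr-x", "drwxrwxrwt", "-rw-r--r--.", "rwxrwxrwx"):  # constructed
        m = to_octal(sample)
        print(f"{sample:12} {m:04o} {findings(m, sample.startswith('d'))}")
```

A umask of 027 shows why the mask view matters: `born_with(0o027)` yields 640, where octal subtraction would give 637.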
Frequently asked questions
What does chmod 755 actually mean?
Three octal digits, one per audience: 7 for the owner (read 4 + write 2 + execute 1), 5 for the group (read 4 + execute 1), 5 for everyone else. So the owner has full control and everybody else can read and execute but not modify. It is the standard mode for directories and executable scripts that the world may use but not touch.
Why is 777 almost always wrong?
Because it grants write access to every account on the system, including a compromised web service or a malicious local user, who can then replace the file content. The usual reason people reach for 777 is a permission error whose real cause is ownership; the right fix is chown to the correct user, not opening the file to the world.
What is the difference between x on a file and x on a directory?
On a file, execute means it can be run as a program. On a directory, execute means traversal: the right to enter it and reach things inside by name. A directory with r but no x lets you list names but not open them; x without r lets you access contents whose name you already know but not list them. Most real directories want both or neither.
What do setuid, setgid and the sticky bit do?
Setuid (4xxx) makes an executable run with its owner's privileges, the mechanism behind passwd modifying a root-owned file. Setgid (2xxx) on a directory makes new files inherit the directory's group, the standard trick for shared team folders. The sticky bit (1xxx) on a directory restricts deletion to each file's owner, which is why /tmp is 1777.
How does umask relate to chmod?
Umask is the subtraction applied at creation time, done bit by bit: new files start from 666 and directories from 777, and each permission bit set in the umask is removed. With the common 022, files arrive as 644 and directories as 755. Chmod changes permissions after the fact; umask decides what they are born with.