
chmod Calculator: Linux File Permissions Explained (Octal & Symbolic)


You see chmod 755 in a deployment script and wonder what the numbers mean. Or you need to make a script executable without opening permissions to the world. Or your SSH key refuses to work because the permissions are too broad. Linux file permissions are one of those things every developer encounters, and this guide covers everything from the basics to special bits — with a chmod calculator you can use without memorizing octal math.

How Linux Permissions Work

Every file and directory in Linux has three sets of permissions assigned to three categories of users:

| Category | Symbol | Who |
|---|---|---|
| Owner | u (user) | The user who owns the file |
| Group | g | Members of the file's group |
| Others | o | Everyone else |

Each category gets three permission bits:

| Permission | Symbol | Octal value | On a file | On a directory |
|---|---|---|---|---|
| Read | r | 4 | View file contents | List directory contents |
| Write | w | 2 | Modify file contents | Create/delete files inside |
| Execute | x | 1 | Run as a program | Enter (cd into) the directory |

Reading the Permission String

Running ls -l shows a 10-character permission string:

-rwxr-xr--
 \_/\_/\_/
  |  |  |
  |  |  └── Others: read only (r--)
  |  └───── Group:  read + execute (r-x)
  └──────── Owner:  read + write + execute (rwx)

The first character:
  -  = regular file
  d  = directory
  l  = symbolic link

Octal Notation: The Numbers Explained

Each permission triplet (rwx) maps to a 3-bit binary number, which converts to a single octal digit (0–7):

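| Binary | Octal | Permissions | Meaning |
|---|---|---|---|
| 000 | 0 | --- | No permissions |
| 001 | 1 | --x | Execute only |
| 010 | 2 | -w- | Write only |
| 011 | 3 | -wx | Write + execute |
| 100 | 4 | r-- | Read only |
| 101 | 5 | r-x | Read + execute |
| 110 | 6 | rw- | Read + write |
| 111 | 7 | rwx | Read + write + execute |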

A 3-digit octal permission like 755 means: owner=7 (rwx), group=5 (r-x), others=5 (r-x).

Don't want to do the math in your head? Use the chmod calculator to click permission checkboxes and instantly see both the octal code and the chmod command.

Common Permission Values

| Octal | Symbolic | Typical Use |
|---|---|---|
| 777 | rwxrwxrwx | Full access for everyone — avoid in production |
| 755 | rwxr-xr-x | Executables, directories, web server roots |
| 750 | rwxr-x--- | Executables shared with group only |
| 700 | rwx------ | Private executables and directories |
| 644 | rw-r--r-- | Regular files — config files, HTML, CSS |
| 640 | rw-r----- | Config files readable by group only |
| 600 | rw------- | Private files — SSH keys, credentials |
| 444 | r--r--r-- | Read-only for everyone |
| 400 | r-------- | Read-only for owner only (PEM keys) |

The chmod Command

Octal Mode

# Set permissions using octal
chmod 755 script.sh       # rwxr-xr-x
chmod 644 config.json     # rw-r--r--
chmod 600 ~/.ssh/id_rsa   # rw------- (SSH private key)

# Recursive: apply to directory and all contents
chmod -R 755 /var/www/html

Symbolic Mode

Symbolic mode is more readable and lets you modify specific bits without affecting others:

# Syntax: [who][operator][permissions]
# who:      u (user/owner), g (group), o (others), a (all)
# operator: + (add), - (remove), = (set exactly)
# perms:    r, w, x

# Make a script executable for owner
chmod u+x deploy.sh

# Remove write permission from group and others
chmod go-w sensitive.conf

# Set exact permissions: owner rwx, group rx, others none
chmod u=rwx,g=rx,o= script.sh

# Add execute for all (equivalent to +x for u, g, o)
chmod a+x run.sh

# Remove execute from others only
chmod o-x program

Combining octal and symbolic

# These two are equivalent:
chmod 755 script.sh
chmod u=rwx,g=rx,o=rx script.sh

# These two are equivalent:
chmod 644 file.txt
chmod u=rw,g=r,o=r file.txt

Special Permission Bits

Beyond the standard rwx bits, Linux has three special permission bits controlled by a 4th octal digit (or symbolic letters):

Setuid (SUID) — 4000

When set on an executable, the program runs as the file's owner, not the user who launched it. This is how passwd can write to /etc/shadow (owned by root) even when run by a regular user.

# Set setuid bit
chmod 4755 program      # rwsr-xr-x (s in owner execute position)
chmod u+s program       # symbolic equivalent

# View setuid files
find / -perm /4000 -type f 2>/dev/null

Security note: Setuid on scripts (shell, Python, etc.) is ignored by the Linux kernel — only compiled binaries honour it. Misuse of setuid is a common privilege escalation vector; apply it only to well-audited programs.

Setgid (SGID) — 2000

On an executable: runs as the file's group. On a directory: new files created inside inherit the directory's group instead of the creator's primary group — useful for shared project directories.

# Set setgid on a directory
chmod 2775 /shared/project    # rwxrwsr-x (s in group execute position)
chmod g+s /shared/project     # symbolic equivalent

# Now any file created in /shared/project inherits the group
ls -l /shared/project/
# -rw-r--r-- 1 alice developers 0 Mar  5 10:00 newfile.txt
#                   ^^^^^^^^^^^
#                   group "developers" inherited from directory

Sticky Bit — 1000

On a directory: only the file owner (or root) can delete or rename files inside, even if others have write permission. Classic example: /tmp.

# Set sticky bit
chmod 1777 /tmp           # rwxrwxrwt (t in others execute position)
chmod +t /shared/uploads  # symbolic equivalent

# /tmp is world-writable but users can only delete their own files
ls -ld /tmp
# drwxrwxrwt 10 root root 4096 Mar  5 10:00 /tmp
#          ^
#          t = sticky bit + execute; T = sticky bit, no execute

Special bits with 4-digit octal

| Code | Bit | Symbolic | Common use |
|---|---|---|---|
| 4755 | Setuid | rwsr-xr-x | System binaries (passwd, sudo) |
| 2775 | Setgid | rwxrwsr-x | Shared project directories |
| 1777 | Sticky | rwxrwxrwt | World-writable dirs (/tmp) |
| 6755 | Setuid + Setgid | rwsr-sr-x | Rare; specific system tools |
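
The octal-to-symbolic mapping from the sections above, including how the special bits take over the execute column, as an added example that is not part of the original article. The function name mode_to_symbolic is an assumption of this example.

```shell
# mode_to_symbolic MODE: print the 9-character permission string that
# ls -l would show for a 3- or 4-digit octal MODE.
mode_to_symbolic() (
    mode=$1
    case $mode in
        ''|*[!0-7]*) echo "not an octal mode: $mode" >&2; exit 1 ;;
    esac
    bits=$(( 0$mode ))
    if [ "$bits" -gt $(( 07777 )) ]; then
        echo "mode out of range: $mode" >&2; exit 1
    fi
    out=
    for pos in 6 3 0; do                 # owner, group, others
        trip=$(( (bits >> pos) & 7 ))
        r=-; w=-; x=-
        if [ $(( trip & 4 )) -ne 0 ]; then r=r; fi
        if [ $(( trip & 2 )) -ne 0 ]; then w=w; fi
        if [ $(( trip & 1 )) -ne 0 ]; then x=x; fi
        # The special bit shares the execute column of its triplet:
        # lowercase when execute is also set, uppercase when it is not.
        case $pos in
            6) special=$(( bits & 04000 )); on=s; off=S ;;   # setuid
            3) special=$(( bits & 02000 )); on=s; off=S ;;   # setgid
            0) special=$(( bits & 01000 )); on=t; off=T ;;   # sticky
        esac
        if [ "$special" -ne 0 ]; then
            if [ "$x" = x ]; then x=$on; else x=$off; fi
        fi
        out=$out$r$w$x
    done
    printf '%s\n' "$out"
)

# Modes taken from the tables above, plus 1776 to show the capital T.
for m in 755 4755 2775 1777 1776; do
    printf '%-5s %s\n' "$m" "$(mode_to_symbolic "$m")"
done
```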

Real-World Permission Patterns

Web Server Files (Nginx / Apache)

# Web root directory structure
chmod 755 /var/www/html            # Directories: owner rwx, others rx
chmod 644 /var/www/html/*.html     # HTML files: owner rw, others r
chmod 644 /var/www/html/*.css      # CSS/JS: same
chmod 600 /var/www/html/.env       # Secrets: owner only!

# Apply recursively with find (safer than chmod -R 755, which would also mark every file executable)
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

# Fix .env and other secrets afterward
chmod 600 /var/www/html/.env

Shell Scripts

# Make executable by owner only (safer)
chmod 700 deploy.sh

# Make executable by owner and group
chmod 750 deploy.sh

# Make executable by everyone (public scripts)
chmod 755 /usr/local/bin/mytool

SSH Keys

# SSH will refuse to use keys with overly permissive permissions
chmod 700 ~/.ssh                   # Directory: owner only
chmod 600 ~/.ssh/id_rsa            # Private key: owner read/write only
chmod 644 ~/.ssh/id_rsa.pub        # Public key: readable by all
chmod 600 ~/.ssh/authorized_keys   # Authorized keys: owner only
chmod 644 ~/.ssh/known_hosts       # Known hosts: readable by all

# The error you'll see if permissions are wrong:
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
# Permissions 0644 for 'id_rsa' are too open.

Application Config Files

# Config readable by owner and group (app runs as same group)
chmod 640 /etc/myapp/config.yml

# Database credentials — owner only
chmod 600 /etc/myapp/database.conf

# Log directory — app needs to write, others can read
chmod 755 /var/log/myapp
chmod 644 /var/log/myapp/*.log

umask: Default Permissions

When a new file or directory is created, Linux applies the creating process's umask: each permission bit set in the umask is removed from the default mode.

# Check current umask
umask        # e.g., 0022

# Default permissions before umask:
# Files:       666 (rw-rw-rw-)
# Directories: 777 (rwxrwxrwx)

# The umask bits are cleared from the default (bitwise AND NOT).
# This is bit masking, not arithmetic subtraction.

# With umask 0022:
# Files:       666 & ~022 = 644 (rw-r--r--)
# Directories: 777 & ~022 = 755 (rwxr-xr-x)

# With umask 0027 (more restrictive — no permissions for others):
# Files:       666 & ~027 = 640 (rw-r-----)
# Directories: 777 & ~027 = 750 (rwxr-x---)

# Set umask for session
umask 0027

# Set umask permanently (add to ~/.bashrc or /etc/profile)
echo "umask 0027" >> ~/.bashrc
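
To check the umask rule against what the system actually does, the following added example (not part of the original article) computes the masked mode, compares it with plain octal subtraction, and then creates a file and a directory under the umask to read back their real modes. The function names are assumptions of this example.

```shell
# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
octal_of() { stat -c %a "$1" 2>/dev/null || stat -f %OLp "$1"; }

# What the kernel does: clear every umask bit from the default mode.
# usage: masked_mode <default-octal> <umask-octal>
masked_mode() { printf '%o\n' $(( 0$1 & ~0$2 )); }

# The common shortcut: octal subtraction. It only gives the right
# answer when every umask bit is also set in the default mode.
subtracted_mode() { printf '%o\n' $(( 0$1 - 0$2 )); }

# Create a file and a directory under the given umask in a scratch
# directory and print the modes actually assigned: "<file> <dir>".
observed_modes() (
    scratch=$(mktemp -d) || exit 1
    umask "$1"
    : > "$scratch/file"
    mkdir "$scratch/dir"
    printf '%s %s\n' "$(octal_of "$scratch/file")" "$(octal_of "$scratch/dir")"
    rm -rf "$scratch"
)

for mask in 0022 0027; do
    echo "umask $mask: predicted $(masked_mode 666 $mask) $(masked_mode 777 $mask)," \
         "observed $(observed_modes $mask)," \
         "subtraction says $(subtracted_mode 666 $mask) for files"
done
```

With umask 0027 the subtraction shortcut yields 637 for files while the real mode is 640, because the execute bit in the mask has nothing to clear in 666.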

Viewing Permissions

# Long listing format
ls -l file.txt
# -rw-r--r-- 1 alice developers 1234 Mar  5 10:00 file.txt

# Octal format (requires stat)
stat -c "%a %n" file.txt   # Linux
stat -f "%OLp %N" file.txt # macOS
# Output: 644 file.txt

# Find files with specific permissions
find . -perm 644 -type f    # Exactly 644
find . -perm /o+w -type f   # Others have write (potential security issue)
find . -perm /4000 -type f  # Setuid files

Changing Ownership

chmod changes permissions; chown changes the owner and group:

# Change owner
chown alice file.txt

# Change owner and group
chown alice:developers file.txt

# Change group only
chown :developers file.txt
# or
chgrp developers file.txt

# Recursive
chown -R www-data:www-data /var/www/html

Security Checklist

  • Never use 777 — world-writable files are a major security risk; narrow permissions to the minimum needed
  • Secrets get 600 or 640 — .env files, private keys, and credentials should never be world-readable
  • SSH keys require 600 — SSH will reject keys with broader permissions
  • Web root directories: 755 — the web server needs execute to traverse directories
  • Static files: 644 — readable by the server, not writable by group/others
  • Audit setuid/setgid — run find / -perm /6000 -type f periodically on production servers
  • Use umask 0027 for services — prevents newly created files from being accessible to others
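
One way to turn this checklist into a repeatable audit, as an added example that is not part of the original article. The function names, the issue labels, and the list of secret-looking file names are assumptions of this example, and the sample tree is constructed so the script has something to report.

```shell
# audit_perms DIR: print one finding per line as "<ISSUE> <path>".
audit_perms() (
    dir=$1
    # report LABEL <find predicates...>: prefix each match with LABEL
    report() {
        label=$1; shift
        find "$dir" "$@" -print | sed "s|^|$label |"
    }
    # Regular files writable by others (the 777 / o+w item)
    report WORLD_WRITABLE -type f -perm -0002
    # World-writable directories lacking the sticky bit
    report NO_STICKY -type d -perm -0002 ! -perm -1000
    # setuid or setgid files to review
    report SETID -type f \( -perm -4000 -o -perm -2000 \)
    # Secret-looking files readable by others (name list is an assumption)
    report SECRET_WORLD_READABLE -type f \
        \( -name '.env' -o -name 'id_rsa' -o -name '*.pem' \) -perm -0004
)

# Constructed sample tree so the audit has something to find.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/uploads" "$t/spool"
    : > "$t/index.html"; : > "$t/open.cfg"; : > "$t/.env"
    : > "$t/id_rsa";     : > "$t/helper"
    chmod 644 "$t/index.html" "$t/.env"
    chmod 666 "$t/open.cfg"
    chmod 600 "$t/id_rsa"
    chmod 4755 "$t/helper"
    chmod 777 "$t/uploads"
    chmod 1777 "$t/spool"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree) && audit_perms "$tree"
rm -rf "$tree"
```

On the sample tree it reports open.cfg, uploads, helper and .env, and stays silent about the 600 key and the sticky spool directory.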

Quick Reference

| Task | Command |
|---|---|
| Make a script executable | chmod +x script.sh |
| Secure a private key | chmod 600 id_rsa |
| Set web file permissions | chmod 644 index.html |
| Set web directory permissions | chmod 755 /var/www/html |
| Remove world write access | chmod o-w file |
| Set shared directory group inheritance | chmod g+s /shared |
| Protect shared upload directory | chmod 1777 /uploads |
| Fix web root recursively | find /var/www -type d -exec chmod 755 {} \; |

Tired of converting octal in your head? Use the chmod calculator — click permission checkboxes and instantly see the octal value, symbolic notation, and the exact chmod command to run.