Chmod Calculator
Calculate Unix file permissions with an interactive chmod calculator. Toggle read, write, and execute for owner, group, and other.
This interactive calculator lets you build Unix file permissions by toggling read, write, and execute checkboxes for owner, group, and other. It shows the numeric (octal), symbolic (rwx), and full chmod command in real time. You can also enter an octal number to see the permission breakdown. Common presets are included for quick access.
About Chmod Calculator
How Unix File Permissions Work
Every file and directory on a Unix/Linux system has three permission sets, each controlling a different class of users. Each set grants or denies three types of access:
| Permission | Letter | Octal Value | Effect on Files | Effect on Directories |
|---|---|---|---|---|
| Read | r | 4 | View file contents | List directory contents (ls) |
| Write | w | 2 | Modify file contents | Create/delete/rename files inside |
| Execute | x | 1 | Run as a program/script | Enter directory (cd) and access files |
The three user classes are: owner (the file's creator), group (users sharing the file's group), and other (everyone else). Each class gets its own rwx triplet.
Reading Octal Permission Numbers
Each digit in the octal code is the sum of the permission values for one class. The digits go in order: owner, group, other.
| Octal | Binary | Symbolic | Permissions Granted |
|---|---|---|---|
| 0 | 000 | --- | None |
| 1 | 001 | --x | Execute only |
| 2 | 010 | -w- | Write only |
| 3 | 011 | -wx | Write + execute |
| 4 | 100 | r-- | Read only |
| 5 | 101 | r-x | Read + execute |
| 6 | 110 | rw- | Read + write |
| 7 | 111 | rwx | Read + write + execute |
Common Permission Presets
| Octal | Symbolic | Use Case | Description |
|---|---|---|---|
| 755 | rwxr-xr-x | Directories, scripts | Owner full access; group and others can read and execute |
| 644 | rw-r--r-- | Regular files | Owner can edit; everyone else can only read |
| 600 | rw------- | Private configs, SSH keys | Only the owner can read or write |
| 700 | rwx------ | Private scripts, .ssh directory | Only the owner has any access |
| 664 | rw-rw-r-- | Shared project files | Owner and group can edit; others read only |
| 775 | rwxrwxr-x | Shared directories | Owner and group full access; others read and execute |
| 444 | r--r--r-- | Read-only files | No one can modify |
| 777 | rwxrwxrwx | Never use in production | Everyone can do anything - major security risk |
Recommended Permissions for Web Servers
| Content | Permission | Why |
|---|---|---|
| Web root directory | 755 | Server needs to read and traverse directories |
| HTML/CSS/JS files | 644 | Server reads; owner edits |
| PHP/Python scripts | 644 or 755 | 644 if the server interprets them; 755 if they run as executables |
| Upload directories | 755 | Server needs to write uploaded files |
| .htaccess | 644 | Apache reads; owner edits |
| Config files with passwords | 600 or 640 | Restrict access to sensitive credentials |
| SSH private keys | 600 | SSH refuses to use keys with wider permissions |
| ~/.ssh directory | 700 | Only the owner should access the SSH directory |
Never use 777 on a production server. It allows any user on the system to read, modify, and execute the file, which is a severe security vulnerability.
Numeric vs Symbolic chmod
| Form | Example | Meaning | Best For |
|---|---|---|---|
| Numeric (octal) | chmod 755 file | Set all three classes at once | Setting absolute permissions |
| Symbolic (add) | chmod u+x file | Add execute for owner | Adding one permission without affecting others |
| Symbolic (remove) | chmod go-w file | Remove write from group and other | Removing specific permissions |
| Symbolic (set) | chmod u=rwx,go=rx file | Set exact permissions per class | Readable absolute permissions |
Symbolic mode is more flexible for incremental changes (like adding execute without touching read/write). Numeric mode is faster when setting all permissions from scratch.
Special Permission Bits
| Bit | Octal | Symbol | Effect |
|---|---|---|---|
| Setuid | 4000 | s in owner execute | Run file as the file's owner (e.g., passwd runs as root) |
| Setgid | 2000 | s in group execute | Run as file's group; on directories, new files inherit the group |
| Sticky bit | 1000 | t in other execute | On directories, only file owners can delete their files (e.g., /tmp) |
These special bits create a fourth octal digit prepended to the standard three. For example, chmod 4755 sets setuid + rwxr-xr-x. The /tmp directory typically has permissions 1777 (sticky bit + full access for everyone).
Worked Example: Decoding 2755
A four-digit octal like 2755 adds a special bit to a standard three-digit code. Read it from left to right: special (2), owner (7), group (5), other (5).
Step 1 - special bit. The leading 2 is setgid. On a directory, this means new files and subdirectories inherit the parent directory's group rather than the creating user's primary group. That single bit is why group-shared project directories work on Linux and Solaris.
Step 2 - owner. 7 = 4 (read) + 2 (write) + 1 (execute) = rwx. The owner can do anything.
Step 3 - group. 5 = 4 + 1 = r-x. Group members can list, read, and traverse, but not create or delete.
Step 4 - other. Same as group: 5 = r-x.
Final symbolic form: drwxr-sr-x. The lowercase s in the group execute slot confirms setgid is active and the execute bit is also set. An uppercase S would mean setgid is set but execute is not, which is rarely what you want on a directory. For comparison tables between octal, symbolic, and binary representations, the Binary to Decimal Converter helps visualise how each digit decomposes into its three permission bits.
Default Permissions and umask
When you create a new file or directory, the kernel assigns default permissions calculated from the process's umask. The umask is a three-digit octal that is subtracted from the system maximum (666 for files, 777 for directories) using a bitwise AND-NOT. It is not a true subtraction - umask of 022 turns 666 into 644 by clearing the write bits for group and other.
| umask | New file perms | New dir perms | Typical environment |
|---|---|---|---|
| 022 | 644 | 755 | Default on most Linux desktops and servers |
| 002 | 664 | 775 | Developer workstations, shared group projects |
| 027 | 640 | 750 | Hardened servers, CIS benchmark recommendation |
| 077 | 600 | 700 | Multi-tenant systems where users must not see each other |
Check the current umask with the shell built-in umask. Change it for the session with umask 027. Make the change permanent for a login shell by adding the line to ~/.bashrc or /etc/profile. Setting a restrictive umask is the cheapest hardening step a Linux admin can take, and CIS Linux benchmarks have required 027 or stricter on multi-user systems since version 1.0.
How chmod Interacts With Ownership and ACLs
Chmod changes the permission bits but not the owner or group. To change ownership you use chown user:group file, and only root can transfer ownership to another user. Regular users can change the group of a file they own, but only to a group they belong to.
Traditional Unix permissions are coarse - they only distinguish owner, one group, and everyone else. Modern Linux filesystems (ext4, XFS, Btrfs, ZFS) support POSIX Access Control Lists (ACLs) for finer control. An ACL lets you grant rwx to specific named users or groups without changing the file's primary owner or group.
| Tool | Purpose | Example |
|---|---|---|
| ls -l | Show standard permissions | -rw-r--r-- 1 alice staff 4096 report.txt |
| ls -le or getfacl | Show ACLs (if present) | user:bob:rw- |
| setfacl | Add or remove ACL entries | setfacl -m u:bob:rw report.txt |
| stat -c %a | Print octal mode only | Outputs "644" |
When ACLs are present, ls -l shows a trailing plus sign like -rw-r--r--+. The standard chmod operation still works but interacts with the ACL mask, which can silently cap the effective permissions below what the ACL entry appears to grant. This is a classic source of confusion - a file can show user:bob:rwx in getfacl output but Bob only gets rw because the mask is rw-.
Common Permission Mistakes and Fixes
Most permission bugs fall into a handful of recurring patterns. Here are the ones that surface most often in production:
- chmod 777 as a shortcut. If a script is failing with "permission denied", 777 makes the error go away but opens the file to every user and process. The correct fix is to figure out which user the failing process runs as and grant the minimum permission needed (usually 644 for readable config or 755 for an executable).
- SSH key permissions too open. OpenSSH refuses to use private keys readable by anyone other than the owner. If you see "Permissions 0644 for 'id_rsa' are too open", run
chmod 600 ~/.ssh/id_rsa. The~/.sshdirectory itself must be 700. - Recursive chmod on a web root.
chmod -R 755on/var/wwwmakes every file executable, including text content. Usefind /var/www -type d -exec chmod 755 {} \;for directories andfind /var/www -type f -exec chmod 644 {} \;for files to keep them separate. - Forgetting the sticky bit on shared temp directories. /tmp typically has mode 1777. Without the sticky bit, any user with write access can delete another user's files. Restore it with
chmod +t /tmp. - Setuid on scripts. Linux ignores setuid on shell scripts for security reasons (race conditions during interpreter startup). If you need a script to run with elevated privileges, either compile it as a binary or configure sudo with a specific command in
/etc/sudoers. - Group inheritance on shared directories. New files in a shared project directory pick up the creator's primary group unless setgid is set on the parent directory. Run
chmod g+s project/to fix this. - Windows SMB shares mangling permissions. Files copied from Windows via Samba often end up as 755 or 777 regardless of the source, because the Windows ACL model does not map cleanly to Unix modes. Configure the Samba share with
create maskanddirectory maskrather than relying on chmod after the fact.
Cross-Platform Notes
Linux, macOS, and the BSDs all implement chmod with the POSIX numeric and symbolic syntax, so the numbers you calculate here work identically across them. Solaris adds a fourth special bit for mandatory file locking (2000 on group execute when group execute is not set). Windows, including Windows Subsystem for Linux, stores a compatibility mode on NTFS but the real access check uses Windows ACLs - the ls -l output on WSL is sometimes a lie if you view a file created on the Windows side.
On macOS, the chflags command layers additional file flags (schg for immutable, uchg for user-immutable, etc.) on top of chmod. These are stored in the HFS+/APFS filesystem metadata and survive most chmod operations - ls -lO shows them. For comparing how chmod output maps to related binary representations, see the Hex to Decimal Converter.
For network configuration calculations, the Subnet Calculator handles IP ranges and CIDR. For encoding data in shell scripts, the Base64 Encoder converts text to safe ASCII. All calculations run in your browser.
Sources
Frequently Asked Questions
What does chmod 755 mean?
Chmod 755 sets the file so the owner can read, write, and execute (7), while the group and others can read and execute but not write (5). This is the standard permission for directories and executable scripts.
How do I read a chmod number?
Each digit represents a user class: owner, group, and other. The digit is the sum of permissions where read is 4, write is 2, and execute is 1. So 6 means read plus write (4+2), and 7 means all three (4+2+1).
What is the difference between numeric and symbolic chmod?
Numeric (octal) mode uses three digits like 755. Symbolic mode uses letters like rwxr-xr-x. Both represent the same permissions. The numeric form is more common in scripts and documentation.
What permissions should I use for web files?
Directories typically use 755 (owner can write, everyone can read and traverse). Regular files usually use 644 (owner can write, everyone can read). Never use 777 on a production server as it allows anyone to modify the file.
Is this tool free and private?
Yes, completely free. The chmod calculation runs entirely in your browser with no data sent to any server.
Related Tools
Link to this tool
Copy this HTML to link to this tool from your website or blog.
<a href="https://toolboxkit.io/tools/chmod-calculator/" title="Chmod Calculator - Free Online Tool">Try Chmod Calculator on ToolboxKit.io</a>