Unix Permissions Calculator Guide: chmod, Octal and Symbolic Modes
Quick Answer
- chmod 755 = owner: rwx, group: r-x, others: r-x — standard for directories and scripts.
- chmod 644 = owner: rw-, group: r--, others: r-- — standard for regular files.
- Each octal digit is the sum of: read (4) + write (2) + execute (1).
- Never use 777 on a production server — it gives full access to all users.
How Unix Permissions Work
Every file and directory on a Unix/Linux system has three sets of permissions: one for the owner (user), one for the group, and one for others (everyone else). Each set controls three actions: read, write, and execute.
When you run ls -l, the output looks like this:
-rwxr-xr-- 1 jason developers 4096 Mar 30 10:15 deploy.sh
The first 10 characters break down as: file type (- = file, d = directory), then three groups of three characters: owner (rwx), group (r-x), others (r--). A letter means the permission is granted; a dash means it's not.
Octal (Numeric) Notation
Each permission has a numeric value:
| Permission | Symbol | Value |
|---|---|---|
| Read | r | 4 |
| Write | w | 2 |
| Execute | x | 1 |
| None | - | 0 |
Add the values together for each group. The digit 7 means read + write + execute (4+2+1). The digit 5 means read + execute (4+0+1). The digit 4 means read only (4+0+0).
Octal Reference Table
| Octal | Binary | Symbolic | Permissions |
|---|---|---|---|
| 0 | 000 | --- | None |
| 1 | 001 | --x | Execute only |
| 2 | 010 | -w- | Write only |
| 3 | 011 | -wx | Write + execute |
| 4 | 100 | r-- | Read only |
| 5 | 101 | r-x | Read + execute |
| 6 | 110 | rw- | Read + write |
| 7 | 111 | rwx | Read + write + execute |
Common Permission Patterns
According to the Linux Foundation's 2025 Sysadmin Survey, these are the most frequently used chmod values:
| chmod | Symbolic | Use Case |
|---|---|---|
| 644 | rw-r--r-- | Regular files (HTML, CSS, images, configs) |
| 755 | rwxr-xr-x | Directories, scripts, executables |
| 600 | rw------- | Private files (SSH keys, .env files) |
| 700 | rwx------ | Private directories, home folders |
| 664 | rw-rw-r-- | Shared files (owner + group can edit) |
| 775 | rwxrwxr-x | Shared directories |
| 444 | r--r--r-- | Read-only files (protection from accidental edits) |
| 400 | r-------- | SSH private keys (required by OpenSSH) |
OpenSSH will refuse to use a private key file with permissions more permissive than 600. According to the SSH man pages, keys must be readable only by the owner. This is one of the most common SSH troubleshooting issues — Stack Overflow has over 50,000 questions tagged with SSH permission errors.
Symbolic Notation
Symbolic notation uses letters and operators to modify permissions selectively:
- u = user (owner), g = group, o = others, a = all
- + = add permission, - = remove permission, = = set exactly
- r = read, w = write, x = execute
Examples
- chmod u+x script.sh — add execute for owner only
- chmod go-w file.txt — remove write from group and others
- chmod a+r public.html — add read for everyone
- chmod u=rwx,g=rx,o=rx dir/ — equivalent to chmod 755
Symbolic notation is useful when you want to change one specific permission without affecting others. Octal notation is faster when you're setting all permissions at once.
Special Permission Bits
Beyond the standard rwx permissions, Unix has three special bits that are represented as a fourth leading octal digit:
Setuid (4xxx)
When set on an executable file, it runs with the permissions of the file's owner rather than the user executing it. The classic example is /usr/bin/passwd, which is owned by root and has setuid set (chmod 4755) so that any user can change their own password by writing to /etc/shadow. According to NIST SP 800-123, setuid binaries should be audited regularly as they represent a privilege escalation vector.
Setgid (2xxx)
On a directory, setgid causes new files created inside to inherit the directory's group rather than the creating user's primary group. This is essential for shared project directories where multiple users need to collaborate. chmod 2775 /shared/project ensures all new files belong to the project group.
Sticky Bit (1xxx)
On a directory, the sticky bit prevents users from deleting or renaming files they don't own. The most well-known example is /tmp, which typically has permissions 1777: everyone can create files, but you can only delete your own. Without the sticky bit, any user could delete any file in the directory.
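The octal-to-symbolic mapping described above, extended to the fourth (special) digit, as an added example that is not the calculator's or the original page's code. The helper names `triad` and `mode_to_symbolic` are hypothetical; the output follows the `ls -l` convention of showing `s`/`t` when execute is also set and `S`/`T` when it is not.

```sh
#!/bin/sh
# Added example: convert a 3- or 4-digit octal mode to its ls -l style string.
# triad and mode_to_symbolic are hypothetical helper names.

# triad BITS SPECIAL CHAR: render one rwx group. SPECIAL=1 means the matching
# special bit is set; CHAR is "s" (setuid/setgid) or "t" (sticky).
triad() {
    bits=$1; special=$2; ch=$3
    r=-; w=-; x=-
    if [ $((bits & 4)) -ne 0 ]; then r=r; fi
    if [ $((bits & 2)) -ne 0 ]; then w=w; fi
    if [ $((bits & 1)) -ne 0 ]; then x=x; fi
    if [ "$special" -eq 1 ]; then
        # Lowercase when execute is also set, uppercase when it is not.
        if [ "$x" = x ]; then
            x=$ch
        else
            x=$(printf '%s' "$ch" | tr 'st' 'ST')
        fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic MODE: MODE is three or four octal digits, e.g. 755 or 4755.
mode_to_symbolic() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7] | [0-7][0-7][0-7][0-7]) ;;
        *) echo "invalid octal mode: $mode" >&2; return 1 ;;
    esac
    n=$((0$mode))   # leading 0 makes the shell parse the digits as octal
    u=$(triad $(( (n >> 6) & 7 )) $(( (n >> 11) & 1 )) s)
    g=$(triad $(( (n >> 3) & 7 )) $(( (n >> 10) & 1 )) s)
    o=$(triad $((  n       & 7 )) $(( (n >> 9)  & 1 )) t)
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# Constructed sample modes taken from the tables and sections above.
for m in 755 644 4755 2775 1777; do
    printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m")"
done
```

An uppercase `S` or `T` in the result means the special bit is set on a mode that lacks the corresponding execute bit, which is usually a sign of a mistyped chmod.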
Directory vs File Permissions
The execute permission means different things for files and directories:
| Permission | On Files | On Directories |
|---|---|---|
| Read (r) | View file contents | List directory contents (ls) |
| Write (w) | Modify file contents | Create/delete files in directory |
| Execute (x) | Run as program/script | Enter directory (cd) and access files |
A directory with read but no execute (r--) lets you see filenames but not access the files. A directory with execute but no read (--x) lets you access files if you know the exact name but not list the contents. According to Red Hat's documentation, this distinction is the most commonly misunderstood aspect of Unix permissions.
Web Server Permission Best Practices
OWASP (Open Web Application Security Project) recommends these permissions for web servers:
- Web root directory: 755 (owned by root or deploy user, not the web server user)
- Static files (HTML, CSS, JS, images): 644
- Configuration files with secrets: 600 or 640
- Upload directories: 755 with the web server user as owner
- Log files: 640 (readable by log group)
- Never 777: any file or directory writable by all users is a security risk
According to Sucuri's 2024 Website Threat Research Report, overly permissive file permissions (especially 777) were a contributing factor in 22% of web server compromises they investigated. The principle of least privilege — granting only the minimum permissions needed — remains the foundation of Unix security.
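One way to check a tree for the modes this section warns about, together with the setuid and setgid bits covered under Special Permission Bits. This is an added example, not code from the original page; `audit_perms` and its output labels are hypothetical names, and it assumes a `find` that supports the POSIX `-perm -mode` and `-xdev` options.

```sh
#!/bin/sh
# Added example: flag risky permission bits under a directory tree.
# audit_perms and the finding labels are hypothetical names for this sketch.
# Limitation: file names containing newlines would be split across lines.

# audit_perms DIR
#   prints one "LABEL path" line per finding, sorted
#   returns 0 if clean, 1 if anything was flagged, 2 on bad input
audit_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # Files with the others-write bit (0002), e.g. 666 or 777.
        find "$root" -xdev -type f -perm -0002 |
            sed 's/^/WORLD_WRITABLE_FILE /'
        # Directories others can write to without the sticky bit (1000):
        # any user can delete or rename entries there. 1777 is not flagged.
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 |
            sed 's/^/WORLD_WRITABLE_DIR_NO_STICKY /'
        # Setuid (4000) and setgid (2000) files, to compare against an
        # expected list during a periodic review.
        find "$root" -xdev -type f -perm -4000 | sed 's/^/SETUID /'
        find "$root" -xdev -type f -perm -2000 | sed 's/^/SETGID /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sort
        return 1
    fi
    return 0
}

# Run only when a directory is passed on the command line.
if [ "$#" -ge 1 ]; then
    audit_perms "$1"
fi
```

The non-zero return on findings lets the function gate a deployment step or a scheduled job.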
Frequently Asked Questions
What does chmod 755 mean?
chmod 755 sets the owner to read+write+execute (7 = 4+2+1), the group to read+execute (5 = 4+0+1), and others to read+execute (5 = 4+0+1). In symbolic notation, this is rwxr-xr-x. It's the standard permission for executable files, scripts, and directories that need to be accessible by all users but only editable by the owner.
What does chmod 644 mean?
chmod 644 sets the owner to read+write (6 = 4+2), and both group and others to read-only (4). In symbolic notation, this is rw-r--r--. It's the standard permission for regular files like HTML, CSS, images, and configuration files that everyone should be able to read but only the owner should modify.
Why is chmod 777 dangerous?
chmod 777 gives read, write, and execute permissions to everyone — owner, group, and all other users. Any user on the system can modify or delete the file. On a web server, this means an attacker who gains limited access could modify scripts, inject malicious code, or delete critical files. OWASP lists overly permissive file permissions as a common web application vulnerability.
What is the difference between octal and symbolic chmod notation?
Octal notation uses three or four digits (e.g., 755) where each digit represents a permission set (owner, group, others). Symbolic notation uses letters and operators (e.g., u+rwx,go+rx). Octal sets all permissions at once; symbolic can modify specific permissions without affecting others. For example, chmod o-w file.txt removes write permission from others while leaving owner and group unchanged.
What are setuid, setgid, and the sticky bit?
These are special permission bits. Setuid (4xxx) makes a file execute as its owner, not the user running it — used by programs like passwd. Setgid (2xxx) on a directory makes new files inherit the directory's group. The sticky bit (1xxx) on a directory prevents users from deleting files they don't own — used on /tmp. For example, chmod 1777 /tmp sets full permissions plus the sticky bit.