chmod Permissions Calculator
Linux file permissions are three octal digits encoding read (4), write (2), and execute (1) for the owner, group, and everyone else — plus an optional leading digit for setuid, setgid, and the sticky bit. This calculator keeps all three notations in lockstep: tick the checkboxes, type an octal mode like 755 or 4755, or paste a symbolic string like rwxr-xr-x straight from ls -l, and the other two update instantly along with a ready-to-copy chmod command.
| Read (4) | Write (2) | Execute (1) | |
|---|---|---|---|
| Owner | |||
| Group | |||
| Others | |||
| Special |
Owner: read, write, execute · Group: read, execute · Others: read, execute
chmod 755 script.shHow to use the chmod permissions calculator
- Check the boxes for what owner, group, and others should be allowed to do — the octal and symbolic fields update live.
- Or work in reverse: type an octal mode (755, 4755) or paste the 9-character symbolic string from ls -l output, and the grid fills in.
- Use the preset chips for the modes you will set 95% of the time: 644 for files, 755 for directories and scripts, 600/400 for secrets.
- Edit the filename and copy the finished chmod command.
- Heed the warning if you land on 777 or any world-writable mode — there is almost always a safer fix.
How the 4-2-1 system works
Each permission is a power of two so any combination sums to a unique digit: read = 4, write = 2, execute = 1. Read + write = 6; read + execute = 5; all three = 7. A full mode is three of these digits in fixed order — owner, group, others. So 755 means the owner can read/write/execute (7), while group and others can read and execute but not write (5). 644 means owner read/write, everyone else read-only. The mapping to ls -l output is direct: rwxr-xr-x is 755, rw-r--r-- is 644, rw------- is 600.
A fourth, leading digit encodes the special bits with the same 4-2-1 scheme: setuid (4) runs an executable as the file's owner, setgid (2) runs it as the file's group (and on directories makes new files inherit the directory's group), and the sticky bit (1) on a directory restricts deletion to file owners — /tmp is mode 1777 for exactly this reason. In symbolic output the special bits replace the x position: a lowercase s or t means execute is also set, an uppercase S or T means the special bit is set without execute (almost always a mistake worth investigating).
Execute on a directory means traversal, not running
Directories reuse the rwx bits with different meanings: read lets you list the names inside, write lets you create, rename, and delete entries, and execute lets you enter the directory and access files within it by name. A directory with read but no execute lets you see filenames but not open them; a directory with execute but no read lets you open files whose names you already know but not list them. This is why directories are conventionally 755 while plain files are 644 — and why a website “403 Forbidden” often traces back to a parent directory missing its execute bit.
The classic real-world failure: SSH keys
If you have ever seen WARNING: UNPROTECTED PRIVATE KEY FILE! … Permissions 0644 for 'id_rsa' are too open, this is the fix: OpenSSH refuses to use a private key that anyone besides the owner can read. Set the key to 600 (rw-------) — or 400 if you never need to rewrite it — your ~/.ssh directory to 700, and authorized_keys to 600. On the server side, sshd is equally strict: a world-writable home directory or .ssh directory silently disables public-key login, one of the most common “my key suddenly stopped working” causes.
Sidebar: where default permissions come from (umask)
New files do not start at 777 and get trimmed by you — they start from a creation mode (666 for files, 777 for directories) minus the bits in your umask. With the common umask 022, new files arrive as 644 and new directories as 755; with the stricter 077 they arrive as 600 and 700. If freshly created files keep coming out group-writable on a shared server, check umask before blaming your deploy script.
Frequently asked questions
What does chmod 755 mean?
755 grants the owner read, write, and execute (4+2+1 = 7), and gives group and others read and execute (4+1 = 5) without write. In symbolic form it is rwxr-xr-x. It is the standard mode for directories and for scripts or binaries that everyone may run but only the owner may modify.
What is the difference between chmod 755 and 775?
The middle digit. 755 gives the group read+execute only; 775 adds group write, letting every member of the file's group modify it. 775 (often with setgid on the directory, i.e. 2775) is common for shared project directories; 755 is the safer default everywhere else.
Why is chmod 777 dangerous?
777 lets every user on the system modify the file, and on a directory it lets anyone create or delete entries. Any compromised process — a vulnerable web app, a rogue cron job — can then plant or alter code that you may later execute. It also masks the real problem, which is almost always wrong ownership; chown to the correct user or group instead of opening permissions to the world.
What does the first digit in a 4-digit mode like 4755 do?
It sets the special bits: 4 = setuid (the program runs with the file owner's privileges — how passwd can edit /etc/shadow), 2 = setgid (runs with the file's group; on directories, new files inherit the directory's group), 1 = sticky (on directories, only a file's owner can delete it — /tmp is 1777). They combine like normal permissions: 6755 means setuid + setgid + 755.
How do I fix the SSH “permissions are too open” error?
Run chmod 600 ~/.ssh/id_rsa (or 400 for read-only), chmod 700 ~/.ssh, and chmod 600 ~/.ssh/authorized_keys. OpenSSH deliberately rejects private keys readable by group or others, so 644 keys fail with “UNPROTECTED PRIVATE KEY FILE”. The same strictness applies server-side: a group-writable home directory disables key-based login.
What is the symbolic equivalent of an octal mode, and which should I use?
Symbolic notation expresses the same bits as rwx triplets — 644 is rw-r--r--, 750 is rwxr-x---. chmod also accepts relative symbolic commands like chmod u+x file (add execute for the owner only), which is safer than retyping the whole octal mode when you just want to flip one bit. Use octal when setting an absolute, known-good mode; use symbolic +/- for surgical changes.
Related tools
- .htpasswd GeneratorGenerate .htpasswd lines for Apache and nginx basic auth — bcrypt or MD5-crypt hashes computed locally, your password never touches a server.
- Hash Generator (MD5/SHA-1/SHA-256/SHA-512)Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files instantly — computed in your browser, nothing is ever uploaded.
- YAML Validator / LinterValidate YAML in your browser with line-numbered errors — catch indentation mistakes, tabs, and duplicate keys in Kubernetes and CI configs.
- Aspect Ratio CalculatorCalculate aspect ratios and missing dimensions — lock 16:9 or any ratio and solve width or height for video, images, and responsive design.
- Base64 ⇄ Image ConverterConvert Base64 to an image and images to Base64 data URIs in your browser — instant preview, PNG, JPG, WebP and SVG support, nothing uploaded.
- CSS Box Shadow GeneratorDesign CSS box shadows visually with multiple layers, inset, spread, and color alpha controls — live preview and copy-ready CSS output.