Security

Chmod calculator

Unix permissions look simple — three little numbers — yet a single wrong digit can lock you out of a server, break a deploy, or quietly leave a private key readable by the whole machine. This calculator turns that guesswork into something you can see: flip a read/write/execute cell and watch the octal value, the symbolic rwxr-xr-x string, and the exact chmod command move together. The setuid, setgid, and sticky bits, symbolic operations like u+x, umask resolution, and plain-English security warnings all live on one screen, and every byte of it runs locally in your browser.

  • Octal ⇄ symbolic ⇄ matrix
  • setuid / setgid / sticky
  • umask & symbolic ops
tools/chmod-calculator
Read4Write2Exec1Owner6Group4Others4

Octal

0644

Symbolic

rw-r--r--

Numeric command

chmod 644 file

Symbolic command

chmod u=rw,g=r,o=r file

Who can do what

Owner
ReadWrite
Group
Read
Others
Read

Overview

One screen keeps every representation of a permission in sync, so you can stop converting in your head and start reasoning about access. Each piece is built to answer a real question you have while staring at a terminal.

  1. 01

    Live octal ⇄ symbolic ⇄ matrix

    Click the rwx grid, type an octal value, or paste an ls -l string, and all three views update in the same instant. Whichever notation you think in, the others follow without a “convert” button.

  2. 02

    Special bits done right

    setuid, setgid, and the sticky bit are shown as s/S/t/T in the symbolic string and as the leading octal digit, including the capital-letter case where the bit is set but the underlying execute permission is not.

  3. 03

    Two commands, ready to paste

    Copy the numeric form (chmod 755 file) for muscle memory, or the symbolic form (chmod u=rwx,g=rx,o=rx file) when you want the change to read clearly in a script or a code review.

  4. 04

    Plain-English breakdown

    A per-class summary spells out exactly what the owner, the group, and everyone else may do, so you can sanity-check intent before a single file changes on disk.

  5. 05

    Symbolic operations engine

    Apply real chmod operations such as u+x, go-w, a=r, or +t on top of a starting value, including the conditional X that only grants execute when it makes sense.

  6. 06

    umask resolver

    Feed in a umask and instantly see the default file and directory permissions it produces — the reverse of the calculation most people never quite remember.

How to use

Go from “what permission do I actually need” to a command you can paste, in a handful of clicks — and understand the result before you run it.

  1. 01

    Start from a common preset such as 644 or 755, or type the octal value you have in mind; the matrix and symbolic string fill in to match.

  2. 02

    Fine-tune by toggling individual read / write / execute cells for the owner, group, and others until the access reads the way you want it.

  3. 03

    Add setuid, setgid, or the sticky bit only if you specifically need them — the symbolic string and the leading octal digit update so you can see their effect immediately.

  4. 04

    Read the plain-English breakdown and any “heads up” warnings to confirm the result matches your intent and does not quietly open more access than you meant to.

  5. 05

    Copy either the numeric or the symbolic chmod command and run it in your shell; switch to Symbolic ops or umask mode if you need to model a relative change or a default instead.

Details

The small decisions that make the tool accurate, honest, and quick to trust:

  • Octal output is always four digits so the special-bit position is never ambiguous, while the generated command drops to a clean three digits whenever no special bits are set.
  • Symbolic parsing tolerates a leading file-type character, so you can paste the whole permission column straight out of ls -l without trimming it first.
  • The conditional X operation resolves exactly the way real chmod does — execute is granted for directories, or when execute already exists somewhere on the file, and skipped otherwise.
  • Every value and command has its own inline copy button, and an invalid octal or symbolic entry is flagged in place instead of silently snapping back to the last good value.
  • Nothing you type is uploaded or logged: filenames, permission values, and umask inputs stay on your device and disappear when you close the tab.

Use cases

The everyday moments where getting a permission exactly right saves a debugging session — or prevents an incident:

  1. Fixing SSH key permissions

    Most SSH clients refuse to use a private key that other users could read. Confirm the key is 600 and its .ssh directory 700 so the client stops complaining and the secret stays yours alone.

  2. Deploying to a web server

    Set application files to 644 and directories to 755 so the server can read pages and traverse folders, without ever handing it the write access an attacker would love to find.

  3. Designing a shared scratch directory

    Plan a group-writable directory with the sticky bit so teammates can drop files in but cannot delete each other’s work, then copy the exact bits before applying them on a shared host.

  4. Reviewing scripts, Dockerfiles, and CI

    Decode a cryptic chmod 4755 or a symbolic u+s buried in a build script to see precisely what access it grants — and whether that setuid bit really belongs there.

  5. Repairing upload and cache folders

    Work out whether an app needs group write, directory execute, or a corrected owner before widening permissions on uploads, cache, session, or log folders.

  6. Preparing release artifacts

    Check that packaged binaries are executable, documentation is read-only, and generated assets do not accidentally ship with writable bits from a local build machine.

  7. Auditing shared hosting accounts

    Translate provider instructions such as 705, 750, or 775 into plain access rules before changing permissions on a multi-tenant server.

  8. Teaching Unix permissions

    Show the 4-2-1 arithmetic, rwx string, and resulting command together so a teammate can see why 644, 755, and 600 mean different operational choices.

See also

When permissions alone are not enough and the bytes themselves must stay private, reach for File Encryption . And to protect the accounts that own those files in the first place, generate strong, unique secrets with the Password Generator .

How Unix permissions work

The numbers stop feeling arbitrary once the model clicks. Here is the whole mental model in a few short pieces — enough to read any chmod value at a glance and to explain it to the next person who asks.

  1. Three classes, three permissions

    Every file and directory carries permissions for three classes of user: the owner, the owning group, and everyone else (“others”). Each class independently gets up to three permissions — read, write, and execute — which is why a full permission is nine on/off switches, written left to right as owner, group, others.

  2. The octal shorthand (4-2-1)

    Within each class, read is worth 4, write 2, and execute 1, and you simply add them up: rwx = 7, rw- = 6, r-x = 5, r-- = 4. Line up the three sums and you get the familiar three-digit number — 644 is rw-/r--/r--, 755 is rwx/r-x/r-x.

  3. Symbolic notation

    The same bits can be written as the rwxr-xr-x string you see in ls -l, or as targeted clauses using u (user/owner), g (group), o (others), and a (all), with +, -, or = to add, remove, or set exactly — for example u=rw,go=r is the readable twin of 644.

  4. Execute means something different for directories

    On a file, the execute bit lets you run it as a program or script. On a directory it has nothing to do with running anything: it grants the right to enter the directory and reach the files inside, which is why directories you want to use are usually 755, not 644.

  5. The special bits: setuid, setgid, sticky

    A fourth, leading octal digit carries three powerful flags. setuid (4000) and setgid (2000) make an executable run as its owner or group rather than the caller — useful for tools like passwd, dangerous when misused. setgid on a directory makes new files inherit its group. The sticky bit (1000) on a shared directory lets users delete only their own files, the way /tmp works.

  6. umask: permissions by subtraction

    You rarely set permissions on brand-new files by hand — the umask does it for you by removing bits from a default of 666 for files and 777 for directories. A umask of 022 strips group and other write, leaving the everyday 644 and 755; a stricter 077 leaves new files readable only by their owner.

Best practices

Defaults and habits that keep a system both usable and hard to abuse:

  • Reach for the least permission that still works — 644 for ordinary files and 755 for directories and scripts handle the overwhelming majority of cases.
  • Keep secrets at 600 (or 400 when they should never change) and put them in a 700 directory, so the owner is the only account that can even reach them.
  • Treat 777 as a red flag rather than a fix: when something “only works” at 777, the real problem is almost always ownership or a missing execute bit, not the width of the permission.
  • Use setuid and setgid sparingly, audit the ones you have, and never combine them with group- or world-writable permissions on the same file.
  • Add the sticky bit to any shared, world-writable directory so one user cannot delete or replace another user’s files.
  • Prefer symbolic changes like chmod go-w over absolute values when you only mean to adjust one bit, so you do not accidentally reset the permissions you wanted to keep.

Limitations

Where this calculator stops, so you know what to reach for next:

  • It computes permission bits only. It never touches your files, runs commands, or connects to a machine — copy the command and run it yourself.
  • Ownership (chown), access-control lists (setfacl/getfacl), and extended attributes (chattr) are separate mechanisms that sit alongside the bits shown here and are out of scope.
  • Symbolic operations cover the common u/g/o/a, +/-/=, and r/w/x/X/s/t syntax; a few rare or shell-specific spellings are intentionally left out to keep the parser predictable.
  • The umask resolver uses the standard 666 and 777 bases. Real login shells, editors, and daemons may layer their own restrictions on top of what you see here.

FAQ

Common questions about chmod, octal versus symbolic notation, and the bits that trip people up.

What does chmod 755 actually mean?

Reading the digits left to right, the owner gets 7 (read 4 + write 2 + execute 1, so full control) while the group and others each get 5 (read 4 + execute 1, but no write). In symbolic form that is rwxr-xr-x. It is the standard setting for directories and for scripts or programs everyone should be able to run but not modify.

When should I use 644 versus 755?

Use 644 (rw-r--r--) for ordinary files that should be readable by everyone but only writable by the owner — source files, configs, documents. Use 755 (rwxr-xr-x) for directories, which need the execute bit so users can enter them, and for executable scripts. A common mistake is giving a directory 644, which then cannot be opened.

What is the difference between octal and symbolic notation?

Octal (e.g. 644) packs each class into a single 0–7 digit and sets the whole permission at once. Symbolic (e.g. rw-r--r-- or u=rw,go=r) names the classes and lets you add or remove individual bits without disturbing the rest. They describe the same nine switches; this tool keeps both perfectly in sync so you can think in whichever one suits the task.

What do setuid, setgid, and the sticky bit do?

They are the fourth, leading octal digit. setuid (4000) and setgid (2000) make an executable run with the file owner’s or group’s privileges rather than the caller’s, and setgid on a directory makes new files inherit that directory’s group. The sticky bit (1000) on a directory means only a file’s owner can delete it. In the symbolic string they appear as s/S in the execute slots and t/T for others.

Why is 777 considered dangerous?

It grants every account on the system permission to read, modify, and execute the file or directory. On anything shared, multi-user, or reachable from the network, that is an easy route to tampering, defacement, or a foothold for an attacker. When a tutorial reaches for 777, it is usually papering over an ownership problem — fixing the owner and using 644/755 is almost always the correct answer.

How does umask relate to chmod?

chmod sets permissions explicitly on existing files; umask decides the defaults for files you have not created yet. New files begin at 666 and directories at 777, and the umask subtracts bits from those bases — so umask 022 produces 644 and 755, while 077 keeps new files owner-only. Switch to umask mode here to see exactly what a given value yields.

Is anything I enter sent to a server?

No. The calculator is entirely client-side. Filenames, permission values, symbolic operations, and umask inputs are processed in your browser, are never transmitted or stored, and are gone the moment you close the tab.

Related tools

Keep going with the rest of the security toolkit.