Linux file permissions are the backbone of system security. Every file and directory on a Unix-like system carries metadata that determines who can read, write, or execute it. Whether you are deploying a web application, hardening a server, or troubleshooting a broken deploy script, understanding the chmod command and file permission numbers is non-negotiable. This comprehensive chmod calculator guide walks you through everything from basic permission concepts to special bits, with a complete chmod cheat sheet you can bookmark for daily use.
Try our interactive chmod calculator to visualize permissions instantly.
Chmod Calculator →1. What Are Linux File Permissions?
Every file and directory in Linux has three categories of users that can interact with it. The owner (also called "user") is typically whoever created the file. The group is a set of users that share access rights. Others (sometimes called "world") refers to everyone else on the system. When you run ls -l, the first column reveals the permission string for each entry.
Each user category can be granted three types of access. Read (r) allows viewing file contents or listing a directory. Write (w) allows modifying a file or creating and deleting entries in a directory. Execute (x) allows running a file as a program or entering a directory with cd. These nine permission bits (three categories times three types) form the foundation of the Unix permission model.
Here is how a typical <code>ls -l</code> output looks and how to read the permission string:
-rwxr-xr-- 1 alice developers 4096 Feb 20 deploy.sh
||| ||| |||
||| ||| ||+-- Others: r-- (read only = 4)
||| ||| +--- Others: no write
||| ||+------ Group: r-x (read + execute = 5)
||| +-------- Group: no write
||+----------- Owner: rwx (read + write + execute = 7)
|+------------ Owner: write
+------------- Owner: read
Permission number: 7542. Understanding Permission Numbers (Octal Notation)
Linux represents each permission set as a single octal digit ranging from 0 to 7. The digit is calculated by adding the values of the granted permissions: Read = 4, Write = 2, Execute = 1. A file with no permissions for a category has the value 0. A three-digit number like 755 encodes all three categories: owner (7 = rwx), group (5 = r-x), others (5 = r-x).
This <strong>chmod cheat sheet</strong> for octal values covers every possible single-digit combination. Once you memorize these eight values, you can decode any <strong>linux file permission</strong> number instantly:
| Octal | Symbolic | Meaning |
|---|---|---|
0 | --- | No permission |
1 | --x | Execute only |
2 | -w- | Write only |
3 | -wx | Write + Execute |
4 | r-- | Read only |
5 | r-x | Read + Execute |
6 | rw- | Read + Write |
7 | rwx | Read + Write + Execute |
To compute a full permission number, calculate each digit separately. For example, owner read+write (4+2=6), group read (4), others none (0) gives you 640. This is one of the most practical skills in the linux permissions explained toolkit.
3. chmod Permission Reference Table
Below is a comprehensive reference table showing the most commonly used chmod permission combinations. Bookmark this chmod cheat sheet for quick lookups when configuring servers, Docker containers, or CI/CD pipelines.
| Octal | Symbolic | Meaning | Typical Use Case |
|---|---|---|---|
777 | rwxrwxrwx | Full access for everyone | Temporary debugging only; NEVER use in production |
755 | rwxr-xr-x | Owner full; group/others read+execute | Directories, executable scripts, web server document root |
750 | rwxr-x--- | Owner full; group read+execute; others none | Shared project directories, group-only executables |
700 | rwx------ | Owner full access only | ~/.ssh directory, private scripts |
666 | rw-rw-rw- | Read+write for everyone; no execute | Rarely used; temporary shared files |
644 | rw-r--r-- | Owner read+write; group/others read | HTML, CSS, PHP files, config files, regular documents |
640 | rw-r----- | Owner read+write; group read; others none | Log files, sensitive configs shared with group |
600 | rw------- | Owner read+write only | SSH private keys, .env files, database credentials |
400 | r-------- | Owner read only | SSL certificates, read-only secrets |
775 | rwxrwxr-x | Owner full; group full; others read+execute | Shared upload directories, team project folders |
4. How to Use the chmod Command
The chmod command changes file and directory permissions. It supports two syntax modes: numeric (octal) mode sets all nine permission bits at once, while symbolic mode lets you add or remove specific permissions without affecting others. Both are essential in every developer's daily workflow.
Numeric Mode
In numeric mode you provide a three-digit (or four-digit for special permissions) octal number:
chmod 755 script.sh # rwxr-xr-x
chmod 644 config.json # rw-r--r--
chmod 600 id_rsa # rw-------
chmod 400 cert.pem # r--------
chmod -R 755 /var/www/html # Recursive on directorySymbolic Mode
Symbolic mode uses letters to specify who, what operation, and which permissions. The syntax is chmod [ugoa][+-=][rwxXst]:
- Who: u (user/owner), g (group), o (others), a (all)
- Operator: + (add permission), - (remove permission), = (set exactly)
- Permission: r (read), w (write), x (execute), X (execute only if directory or already executable)
chmod u+x script.sh # Add execute for owner
chmod g-w file.txt # Remove write from group
chmod o+r document.pdf # Add read for others
chmod a+x run.sh # Add execute for all
chmod u=rwx,go=rx dir/ # Owner=rwx, group+others=rx (755)
chmod go-rwx secret.key # Remove all from group+othersRecursive chmod
Use chmod -R to change permissions recursively. A common pattern is to set directories and files differently using find:
# Set directories to 755 and files to 644 (web server standard)
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
# Make all .sh files executable
find /opt/scripts -name "*.sh" -exec chmod 755 {} \;Use our chmod calculator to generate the exact command you need:
5. Common chmod Patterns for Developers
Different file types demand specific permission settings. Getting these wrong is one of the most common causes of deployment failures, SSH errors, and security vulnerabilities. Here is a definitive reference of chmod patterns every developer should know.
Web Server Files
For Apache and Nginx web servers, the standard convention is 644 for files and 755 for directories. This allows the web server process to read files and traverse directories while preventing unauthorized modifications:
# Web server document root
chmod 755 /var/www/html
chmod 644 /var/www/html/index.html
chmod 644 /var/www/html/style.css
chmod 644 /var/www/html/.htaccess
# PHP / application files
chmod 644 /var/www/html/app/*.php
chmod 755 /var/www/html/app/storageScripts and Executables
Any file you want to run directly (shell scripts, Python scripts, compiled binaries) needs the execute bit. Use 755 for shared scripts and 700 for private ones:
# Shared executable scripts
chmod 755 deploy.sh
chmod 755 /usr/local/bin/my-tool
# Private scripts (owner only)
chmod 700 backup-db.sh
chmod 700 cleanup.shSSH Keys and Configuration
SSH is very strict about permissions. If your key file is too permissive, SSH will refuse to use it with the error "Permissions are too open". These are the required settings:
chmod 700 ~/.ssh # SSH directory
chmod 600 ~/.ssh/id_rsa # Private key
chmod 600 ~/.ssh/id_ed25519 # Private key (Ed25519)
chmod 644 ~/.ssh/id_rsa.pub # Public key
chmod 600 ~/.ssh/authorized_keys # Authorized keys
chmod 600 ~/.ssh/config # SSH config fileEnvironment and Secret Files
Files containing API keys, database credentials, and other secrets must be locked down to owner-only access:
chmod 600 .env # Environment variables
chmod 600 .env.production # Production secrets
chmod 600 database.yml # Database credentials
chmod 600 credentials.json # API credentials
chmod 400 ssl-cert.pem # SSL certificate (read-only)Upload Directories
Directories where a web application writes uploaded files need group write access so the web server process can create files:
chmod 775 /var/www/html/uploads
chmod 775 /var/www/html/tmp
chmod 775 /var/www/html/cache
# Ensure web server group owns the directory
# chown www-data:www-data /var/www/html/uploads6. Special Permissions: setuid, setgid, Sticky Bit
Beyond the standard nine permission bits, Linux supports three special permission bits that modify execution behavior. These are represented as a fourth (leading) octal digit and appear as special characters in the ls -l output.
When set on an executable file, the process runs with the file owner's permissions instead of the user who executes it. The classic example is /usr/bin/passwd, which needs root privileges to modify /etc/shadow but must be runnable by any user. In ls -l output, SUID shows as s in the owner execute position (-rwsr-xr-x). If the execute bit is not set, it appears as uppercase S.
On an executable, SGID causes the process to run with the file's group privileges. On a directory, it is even more useful: new files created inside automatically inherit the directory's group instead of the creator's primary group. This is essential for shared team directories where all files must belong to the same group.
When set on a directory, the sticky bit ensures that only the file owner, the directory owner, or root can delete or rename files within it, even if other users have write permission. The canonical example is /tmp (permissions 1777), where all users can create files but cannot delete each other's files.
Setting special permissions:
# SUID: run as file owner
chmod 4755 /usr/bin/passwd
chmod u+s /usr/bin/my-tool
# SGID: inherit group on directory
chmod 2755 /shared/project
chmod g+s /shared/project
# Sticky Bit: prevent deletion by others
chmod 1777 /tmp
chmod +t /shared/uploads
# Combine: SGID + standard permissions
chmod 2775 /team/shared-dir
# Find files with special permissions
find / -perm -4000 -type f 2>/dev/null # Find SUID files
find / -perm -2000 -type f 2>/dev/null # Find SGID files
find / -perm -1000 -type d 2>/dev/null # Find sticky dirs7. Best Practices for File Permissions
File permissions are a critical layer of defense. Following these best practices will help you avoid security incidents and deployment headaches.
Follow the principle of least privilege. Grant only the minimum permissions needed. Start restrictive (e.g., 600) and loosen only if required.
Never use chmod 777 in production. It means every user on the system can read, modify, and execute the file. If your application requires 777 to work, your deployment architecture has a flaw.
Audit permissions regularly. Use find / -perm -777 -type f to locate overly permissive files. Schedule this as part of your security review process.
Use groups instead of world-readable permissions. If multiple users need access, create a shared group and set group permissions rather than opening files to "others".
Be careful with recursive chmod. Running chmod -R 755 / on the wrong directory can break your system. Always double-check the path and use find to target specific file types.
Document your permission requirements. Include chmod commands in your deployment scripts, Dockerfiles, and README files so the correct permissions are always applied.
Use umask to set secure defaults. Set umask 027 in your shell profile so new files are created with 640 (files) and 750 (directories) by default.
For a quick, visual way to determine the right permissions, use our chmod calculator tool linked below. It lets you toggle checkboxes and see the octal number, symbolic notation, and ls -l output in real time.
8. Frequently Asked Questions
What does chmod 755 mean?
chmod 755 sets the file permissions so that the owner has full access (read + write + execute = 7), while the group and others have read and execute access only (4 + 1 = 5). In symbolic notation this is rwxr-xr-x. It is the standard permission for executable scripts, directories, and web server document roots.
What is the difference between chmod 755 and 644?
chmod 755 (rwxr-xr-x) grants execute permission to all three user categories, making it suitable for directories and executable scripts. chmod 644 (rw-r--r--) removes all execute permissions and only grants write to the owner, making it the standard for regular files like HTML, CSS, configuration files, and documents. Use 755 for things that need to be run or traversed, and 644 for things that only need to be read.
How do I check file permissions in Linux?
Run the command ls -la in your terminal to see detailed file information including permissions. The first column displays the permission string (e.g., -rwxr-xr-x). You can also use the stat command for a more detailed view: stat filename shows the permission in both octal and symbolic notation, along with owner and group information.
What is the most secure file permission?
The most secure standard permission is 000 (no access for anyone except root), but practically, 400 (read-only for owner) or 600 (read+write for owner only) are the most restrictive useful permissions. For SSH private keys, use 600. For SSL certificates, use 400. The principle of least privilege says you should always start with the most restrictive permissions and only add access as needed.
Can I use chmod on Mac?
Yes. macOS is built on BSD Unix and fully supports the chmod command with the same syntax as Linux. You can use both numeric mode (chmod 755 file) and symbolic mode (chmod u+x file). The permissions work identically to Linux. macOS also supports ACLs (Access Control Lists) for more fine-grained access control via the chmod +a and chmod -a syntax.
Calculate exact chmod values with our free online chmod calculator.
Chmod Calculator →