ToolsOps

Permissions

chmod calculator

Pick permissions for owner, group and others, or paste an octal or symbolic value. The calculator shows the equivalent octal, symbolic, chmod command and ls -l line. All logic runs in your browser.

AudienceRead (r)Write (w)Execute (x)Octal
Owner6
Group4
Others4
Special bits

Spaces, quotes and special characters are escaped for POSIX shells.

chmod options
Inherited permissions

Command risk

safe

No obvious risks detected for this combination.

Octal
644
Symbolic
rw-r--r--
ls -l
-rw-r--r--
chmod command
chmod 644 ./my-file
Share this configuration without saving anything on a server.

Human-readable summary

Owner
read, write
Group
read
Others
read

Permission presets

How to use chmod for common cases

This short guide covers the chmod modes you'll meet most often on Linux servers and developer workstations. The calculator on this page supports every scenario described below, including setuid, setgid, sticky bit and --reference. When you pick a risky combination, the risk panel flags it without running anything.

The calculator does not execute commands: it produces the equivalent chmod line so you can copy it and run it yourself in your shell.

Common chmod modes and when to use them.
OctalSymbolicTypical use
644rw-r--r--Public web files: HTML, CSS, JS, images.
755rwxr-xr-xPublic directories and executable scripts (binaries, /usr/bin).
600rw-------SSH private keys, tokens, files containing secrets.
700rwx------Private user directories or scripts (~/.ssh, ~/bin).
775rwxrwxr-xGroup-shared directories (collaborative projects).
1777rwxrwxrwtWorld-writable directory with sticky bit, /tmp style.
2755rwxr-sr-xSetgid directory: new files inherit the directory's group.
4755rwsr-xr-xSetuid binary: runs with the owner's privileges. Risky — audit before using.
777rwxrwxrwxAvoid except for ephemeral isolation. Almost always hides a deeper permissions problem.

Files vs directories

The rwx bits don't mean the same thing on files and on directories. This distinction is the most common source of confusion when running chmod over mixed trees.

  • On a file, x lets you execute it (script or binary).
  • On a directory, x lets you enter and traverse it (cd / access entries).
  • r on a directory lets you list entry names (ls).
  • w on a directory lets you create, delete and rename entries — but only when x is also set.

SSH keys and secrets

OpenSSH refuses to use a private key with permissions that are too open. The calculator flags this explicitly when you combine group or other bits with a filename like id_rsa or id_ed25519.

  • Private keys: usually 600 (rw-------) or 400 (r--------).
  • Public keys (id_rsa.pub, authorized_keys): 644 is common.
  • If group or others have any bit on a private key, SSH will most likely reject it on security grounds.
  • Not every SSH implementation enforces exactly the same rules; treat these as practical guidance, not universal compatibility.

Safe chmod -R

The -R flag applies permissions recursively over the entire subtree. It's the fastest operation to type and the easiest to regret.

  • Double-check the path before pressing Enter; a mistake with -R on / is hard to undo.
  • Avoid chmod -R 777: it grants world write to files that should stay private.
  • --preserve-root makes GNU chmod refuse to operate on / by default; leave it enabled unless you really know what you're doing.
  • The risk panel on this page flags combinations like -R 777, -R on /, and recursive world-write.

Symbolic mode and ls -l

The calculator accepts several formats in the main input. It's a practical selection of the forms used most often; it does not cover the full POSIX chmod syntax.

  • Octal: 755, 0755, 4755 (with special bits like setuid/setgid/sticky).
  • Absolute symbolic: rwxr-xr-x.
  • Full ls -l style line: `-rwxr-xr-x 1 user group 1234 may 12 script.sh`. Beyond the first ten permission characters, the calculator also infers the file type (-, d, l) and the entry name as target path when the line includes them.
  • Relative operations such as u+x, g-w, o=r, a=rx, or comma-separated sequences (u+x,g-w,o=r) applied on top of the current state.

--reference

With --reference=<file>, chmod copies the exact permissions of another file instead of using the mode you typed. It's handy when you want to align permissions across files without recalculating them.

  • When --reference is active, the octal mode in the calculator is ignored and the final command omits the digits.
  • Combining --reference with -R copies the reference file's permissions to the whole subtree; measure the impact before running it.
  • The calculator does not validate the reference file: it only escapes it in a shell-safe way for the final command. Whether the file exists, is reachable, or has readable permissions is decided by chmod at runtime.

Frequently asked questions

What does each digit mean in chmod 755?
The first digit (7) is the owner's permissions, the second (5) the group's, the third (5) everyone else. Each digit combines read (4), write (2) and execute (1). 7 = 4+2+1 (rwx), 5 = 4+1 (r-x).
Why is 777 dangerous, and when is it justified?
Almost never in production. With 777, any user on the system can read, modify and execute the file, or create and delete entries inside the directory. It almost always masks a real ownership or group issue that should be fixed with chown, a shared group, or ACLs — not by opening permissions. The typical exception is a temporary directory protected by the sticky bit (1777, /tmp style).
What is the setuid bit?
Setuid (4 in the leading octal digit, e.g. 4755) makes an executable run with the privileges of its owner instead of the invoking user. It's used for binaries like `passwd`. In symbolic output it appears as `s` (or `S` when there's no execute permission).
What does the sticky bit do (the 1 in 1777)?
The leading 1 in a mode like 1777 sets the sticky bit. On a world-writable directory (typically /tmp), it prevents a user from deleting or renaming files they don't own, even when they have write permission on the directory itself. Without sticky, any user could wipe the whole /tmp. In symbolic output it appears as `t` (or `T` when the others execute bit is off).
Why do uppercase 'S' or 'T' show up?
When a special bit (setuid, setgid, sticky) is set but the corresponding execute bit is NOT, the letter appears uppercase (`S`, `T`). It usually indicates a misconfiguration or an intentional setup to disable execution.
What's the difference between 755 and 644?
755 adds the execute bit (x) for owner, group and others, which on files means they can be executed and on directories means they can be entered and traversed. 644 leaves only read for group and others — typical for static files (HTML, CSS, images) that should not be executed.
What permissions does an SSH private key need?
Usually 600 (rw-------) or 400 (r--------). If group or others have any bit set, OpenSSH will normally reject the key with a 'Permissions are too open' error. Public keys (.pub, authorized_keys) can stay at 644.
Can I paste an ls -l line?
Yes. If you paste something like `-rwxr-xr-x 1 user group 1234 may 12 script.sh`, the calculator extracts the first ten characters (including the `t`, `s` or `S` for sticky/setuid/setgid) and fills in the rest of the state. It also infers the file type (-, d, l) and, when the name is present at the end, proposes it as the target path.