Chmod Calculator: Linux File Permission Reference
Understanding Unix Permissions
Unix file permissions are the foundational security mechanism that controls access to files and directories on Unix-like operating systems, including Linux, macOS, and BSD. Every file and directory on a Unix system has an associated set of permissions that determines who can read, write, or execute it. This permission system was designed in the early days of Unix in the 1970s and has remained remarkably consistent over the decades, a testament to its elegant simplicity and effectiveness. Understanding how these permissions work is essential for anyone working with Unix-like systems, from system administrators managing servers to developers deploying applications.
The Unix permission model divides the world into three categories: the file owner (user), the group associated with the file, and everyone else (others). For each of these three categories, the system tracks three types of permissions: read, write, and execute. This creates a 3x3 matrix of permissions that can be represented in several notations. The symbolic notation uses letters (r for read, w for write, x for execute, and dashes for absent permissions), while the numeric (octal) notation uses a three-digit number where each digit represents the combined permission value for one category. The numeric format is more compact and is what most system administrators use when setting permissions with the chmod command.
When you list files with the "ls -l" command, the first column displays the permissions in symbolic notation. For example, "-rwxr-xr-x" indicates a regular file where the owner has read, write, and execute permissions, the group has read and execute permissions, and others have read and execute permissions. The first character indicates the file type: a dash for regular files, "d" for directories, "l" for symbolic links, and other characters for special file types. For directories, the meaning of the permission bits changes slightly: read allows listing directory contents, write allows creating and deleting files within the directory, and execute allows entering the directory and accessing files within it by name.
How Chmod Works
The chmod (change mode) command is the primary tool for modifying file and directory permissions on Unix-like systems. It supports two modes of operation: symbolic mode and numeric (absolute) mode. In symbolic mode, you specify permissions using a combination of who (u for user/owner, g for group, o for others, a for all), an operator (+ to add, - to remove, = to set exactly), and the permissions themselves (r, w, x). For example, "chmod u+x script.sh" adds execute permission for the owner, while "chmod go-w file.txt" removes write permission for group and others. Symbolic mode is useful for making incremental changes to existing permissions without affecting other bits.
Numeric mode, also called absolute or octal mode, sets all permission bits at once using a three-digit octal number. Each digit is the sum of the permission values: read is 4, write is 2, and execute is 1. So a permission of 7 (4+2+1) means read, write, and execute; 6 (4+2) means read and write; 5 (4+1) means read and execute; and 0 means no permissions. The three digits correspond to owner, group, and others, in that order. For example, "chmod 755 script.sh" gives the owner full permissions (7) and read-plus-execute permissions (5) to both group and others. Numeric mode is preferred when you want to set permissions to a known, exact state rather than modifying individual bits.
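The conversion between the two notations can be written out directly. The following is an added example, not code from the calculator this page describes; the function names octal_to_sym and sym_to_octal are hypothetical, and only the nine basic permission bits discussed here are handled.

```shell
#!/bin/sh
# Added example: the two notations, restricted to the nine basic
# permission bits covered on this page.

# octal_to_sym 755  ->  rwxr-xr-x
octal_to_sym() {
    case "$1" in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid octal mode: $1" >&2; return 1 ;;
    esac
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        # Each digit is a 3-bit mask: read=4, write=2, execute=1.
        if [ $((digit & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((digit & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((digit & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

# sym_to_octal -rwxr-xr-x  ->  755   (accepts the first column of "ls -l")
sym_to_octal() {
    sym=$1
    # Drop the leading file-type character (and any trailing marker some
    # ls versions append) so exactly nine permission characters remain.
    if [ "${#sym}" -ge 10 ]; then sym=$(printf '%s' "$sym" | cut -c2-10); fi
    case "$sym" in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "unsupported permission string: $1" >&2; return 1 ;;
    esac
    result=""
    while [ -n "$sym" ]; do
        triad=$(printf '%s' "$sym" | cut -c1-3)
        sym=$(printf '%s' "$sym" | cut -c4-)
        digit=0
        case "$triad" in r??) digit=$((digit + 4)) ;; esac
        case "$triad" in ?w?) digit=$((digit + 2)) ;; esac
        case "$triad" in ??x) digit=$((digit + 1)) ;; esac
        result="$result$digit"
    done
    echo "$result"
}

octal_to_sym 644            # rw-r--r--
sym_to_octal -rw-------     # 600
```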
Our Chmod Calculator makes working with chmod intuitive by providing an interactive interface where you can toggle individual permission checkboxes and immediately see the resulting numeric and symbolic notations. You can also click on common presets like 755 or 644 to instantly apply well-known permission configurations. The calculator shows the complete chmod command you would use, ready to copy and paste into your terminal. This visual approach eliminates the common mistake of miscalculating octal values and helps you understand the relationship between the checkbox settings and the resulting permission notation.
Permission Types Explained
The read permission (r, value 4) allows a user to view the contents of a file. For regular files, this means you can open and read the file using commands like cat, less, or any text editor. For directories, read permission allows you to list the files and subdirectories within it using ls. Without read permission on a directory, you cannot see what files it contains, even if you have read permission on the individual files inside. It is important to note that read permission on a directory does not allow you to access the contents of files within it—it only lets you see their names. You also need execute permission on the directory and read permission on the individual files to actually read their contents.
The write permission (w, value 2) allows a user to modify the contents of a file. For regular files, this means you can edit, overwrite, or truncate the file. For directories, write permission is particularly powerful and potentially dangerous—it allows you to create new files, delete existing files, and rename files within the directory. Crucially, the ability to delete a file depends on the write permission of the directory containing the file, not the write permission of the file itself. This means that even if a file is read-only (no write permission), a user with write permission on the parent directory can still delete the file. This is a common source of confusion for those new to Unix permissions.
The execute permission (x, value 1) allows a file to be run as a program or script. For regular files, execute permission is required for the operating system to run the file as a command. Without it, attempting to run a script or binary will result in a "permission denied" error. For directories, execute permission allows you to enter the directory (using cd) and access files within it by their exact names. This is why directories commonly have the execute bit set along with the read bit. A directory with read but not execute permission lets you see the file names but not access the files, while a directory with execute but not read permission lets you access files if you know their names but not list the directory contents. These distinctions are subtle but important for designing secure permission configurations.
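The directory semantics described in the three paragraphs above can be checked empirically. This added example (not part of the original page) sets a scratch directory to a given mode and reports whether its contents can be listed, whether a read-only file inside can be read by name, and whether that file can be deleted; probe_dir_mode is a hypothetical name, and the script assumes an ordinary user account because root bypasses these checks.

```shell
#!/bin/sh
# Added example: probe what a directory mode allows in practice.
# Run as an ordinary user; root bypasses these permission checks.

# probe_dir_mode MODE -> "list=yes|no read=yes|no delete=yes|no"
probe_dir_mode() {
    base=$(mktemp -d) || return 1
    mkdir "$base/d"
    echo "sample" > "$base/d/known.txt"
    chmod 444 "$base/d/known.txt"     # the file itself is read-only
    chmod "$1" "$base/d"              # directory mode under test

    can_list=no; can_read=no; can_delete=no
    # r on the directory: can its entries be listed?
    if ls "$base/d" >/dev/null 2>&1; then can_list=yes; fi
    # x on the directory: can a file be reached by its exact name?
    if cat "$base/d/known.txt" >/dev/null 2>&1; then can_read=yes; fi
    # w (together with x) on the directory: can an entry be removed even
    # though the file has no write bit?
    rm -f "$base/d/known.txt" 2>/dev/null || true

    chmod 700 "$base/d"               # restore access to inspect and clean up
    if [ ! -e "$base/d/known.txt" ]; then can_delete=yes; fi
    rm -rf "$base"
    echo "list=$can_list read=$can_read delete=$can_delete"
}

# Compare a normal directory with three restricted ones.
for mode in 755 555 111 300; do
    printf '%s  %s\n' "$mode" "$(probe_dir_mode "$mode")"
done
```

Mode 555 shows the read-only file surviving because the directory is not writable, while mode 300 shows it being deleted without the directory ever being listable.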
Common Permission Patterns and Security
The permission setting 755 (rwxr-xr-x) is one of the most common configurations, used primarily for directories and executable files that need to be accessible to all users. The owner can read, write, and execute, while group and others can read and execute but not modify the file. This is the default permission for directories on many web servers and is appropriate for publicly accessible programs and shared directories. Similarly, 644 (rw-r--r--) is the standard permission for regular files that should be readable by everyone but writable only by the owner. This configuration is commonly applied to configuration files, documents, and web content files.
For sensitive files such as SSH private keys, GPG keys, and configuration files containing passwords or API tokens, the principle of least privilege dictates that permissions should be as restrictive as possible. The permission 600 (rw-------) allows only the owner to read and write the file, with no access for group or others. This is the required permission for SSH private keys—OpenSSH will actually refuse to use a private key that is readable by anyone other than the owner. The even more restrictive 400 (r--------) allows only read access for the owner, which is appropriate for certificates and other files that should never be modified. Using these restrictive permissions for sensitive files is one of the most important security practices on any Unix system.
The permission 777 (rwxrwxrwx) gives full access to everyone and should almost never be used in production environments. While it might seem convenient for quickly resolving permission issues during development, it creates a significant security vulnerability by allowing any user on the system to read, modify, or delete the file. Similarly, 666 (rw-rw-rw-) allows anyone to modify a file, which can lead to data corruption or unauthorized changes. Instead of using these permissive settings, take the time to identify the minimum permissions required for your use case. For web applications, this typically means 755 for directories and 644 for files, with more restrictive settings for configuration files and uploaded content. Our Chmod Calculator helps you find the right permission setting quickly, with common presets and clear explanations of what each permission means for security and functionality.
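The guidance above can be turned into a periodic check. This added example (not from the original page) reports anything writable by others and any key-like file that group or others can access; audit_perms and make_sample_tree are hypothetical names, the file-name patterns for keys are assumptions, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a tree against the guidance above.
# The key-file name patterns are assumptions; adjust for your environment.

# audit_perms DIR: one finding per line, prefixed with its category.
audit_perms() {
    # Anything "others" can write (octal 002): covers 777 and 666.
    find "$1" \( -type f -o -type d \) -perm -002 -print |
        sed 's/^/WORLD-WRITABLE /'
    # Key-like files with any group or other bit set; 600 and 400 pass.
    find "$1" -type f \
        \( -name 'id_*' -o -name '*.pem' -o -name '*.key' \) \
        ! -name '*.pub' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/EXPOSED-SECRET /'
}

# make_sample_tree: build a constructed test tree and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/www/cache" "$t/.ssh"
    touch "$t/www/index.html" "$t/www/upload.tmp" \
          "$t/.ssh/id_ed25519" "$t/.ssh/backup.key"
    chmod 755 "$t/www";            chmod 644 "$t/www/index.html"
    chmod 777 "$t/www/cache";      chmod 666 "$t/www/upload.tmp"
    chmod 700 "$t/.ssh";           chmod 600 "$t/.ssh/backup.key"
    chmod 644 "$t/.ssh/id_ed25519"
    echo "$t"
}

# Demonstration on the constructed tree: expect three findings.
tree=$(make_sample_tree) && { audit_perms "$tree"; rm -rf "$tree"; }
```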