Tool · Unix permissions
chmod calculator
Octal and symbolic Unix permissions, in both directions. Click the bit grid to toggle; type in either field to drive the other. Includes setuid, setgid, and sticky.
Leading digit is the special-bits nibble. 0 is the normal case. Most chmod invocations write three digits; the fourth is for setuid (4), setgid (2), and sticky (1), summed.
User, group, other. Each is read, write, execute. When the special bits are set, x in the relevant position becomes s (setuid/setgid) or t (sticky); when the special bit is set but execute is not, it shows as uppercase: S, T.
First character is the entry kind. - for regular file, d for directory, l for symlink. Switch the kind with the row of buttons below.
Reference
Bit values
| Bit | Octal | Position | Effect on file | Effect on directory |
|---|---|---|---|---|
| read | 4 | r | Open for reading | List entries |
| write | 2 | w | Open for writing | Create, delete, rename entries |
| execute | 1 | x | Run as a program | Enter (traverse) the directory |
| setuid | 4 (×1000) | u-slot s/S | Run with file owner's UID | Ignored on Linux |
| setgid | 2 (×1000) | g-slot s/S | Run with file group's GID | New entries inherit dir's GID |
| sticky | 1 (×1000) | o-slot t/T | Historic (ignored) | Only owner can delete entries |
Reading ls -l
The first character is the entry kind: - file, d directory, l symlink, c char device, b block device, p named pipe, s socket. Then nine permission characters in three groups of three: user, group, other.
When a special bit is on, the x in that group changes shape: lowercase if execute is also on, uppercase if execute is off. So rwsr-xr-x has setuid and user-execute. rwSr-xr-x has setuid but no user-execute (rare but legal; the program would not be runnable as the owner). drwxrwxrwt is the canonical /tmp: world-writable but sticky, so only the owner of an entry can delete it.
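The s/S/t/T rule above, worked in both directions. This is an added example, not the tool's own source; the function names to_symbolic and to_octal are illustrative.

```python
# Added example: octal <-> symbolic conversion following the rules above.
# Function names are illustrative, not taken from the tool's source.

SPECIAL = (  # (special-bit mask, execute mask, index in 9-char string, letter)
    (0o4000, 0o100, 2, "s"),  # setuid shows in the user execute slot
    (0o2000, 0o010, 5, "s"),  # setgid shows in the group execute slot
    (0o1000, 0o001, 8, "t"),  # sticky shows in the other execute slot
)

def to_symbolic(mode: int) -> str:
    """Render a mode such as 0o4755 as the nine ls -l permission characters."""
    if not 0 <= mode <= 0o7777:
        raise ValueError(f"mode out of range: {mode:o}")
    chars = [
        letter if mode & (0o400 >> i) else "-"
        for i, letter in enumerate("rwxrwxrwx")
    ]
    for special, execute, idx, letter in SPECIAL:
        if mode & special:
            # lowercase when execute is also set, uppercase when it is not
            chars[idx] = letter if mode & execute else letter.upper()
    return "".join(chars)

def to_octal(symbolic: str) -> int:
    """Parse nine permission characters (no entry-kind prefix) back to a mode."""
    if len(symbolic) != 9:
        raise ValueError("expected exactly nine permission characters")
    mode = 0
    for i, ch in enumerate(symbolic):
        bit = 0o400 >> i
        slot = "rwx"[i % 3]
        if ch == slot:
            mode |= bit
        elif slot == "x" and ch in "sStT":
            special, _, _, letter = SPECIAL[i // 3]
            if ch.lower() != letter:
                raise ValueError(f"{ch!r} is not valid at position {i}")
            mode |= special
            if ch.islower():
                mode |= bit  # lowercase means execute is set as well
        elif ch != "-":
            raise ValueError(f"{ch!r} is not valid at position {i}")
    return mode
```

Strip the leading entry-kind character from an ls -l string before passing it to to_octal.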
Common shapes
| Octal | Symbolic | Use |
|---|---|---|
| 644 | rw-r--r-- | Regular file. Owner reads and writes, world reads. |
| 600 | rw------- | Private key, secret file. Anything else and ssh refuses. |
| 700 | rwx------ | Private home, private script. Only owner traverses. |
| 755 | rwxr-xr-x | Executable or directory. World reads and traverses, owner writes. |
| 775 | rwxrwxr-x | Group-writable directory. Common in shared project dirs. |
| 1777 | rwxrwxrwt | /tmp. World-writable, sticky: each entry deletable only by its owner. |
| 4755 | rwsr-xr-x | setuid binary. Runs as the file's owner. Audit before adopting. |
| 2775 | rwxrwsr-x | setgid directory. New entries inherit the directory's group. |
Notes that bit me
- Octal order is u-g-o, left to right. 754 is user=7, group=5, other=4. Easy to flip when typing fast.
- OpenSSH refuses private keys with anything more permissive than 600. Symptom: Permissions 0644 for '~/.ssh/id_ed25519' are too open.
- Directories need x to be entered. A directory at 755 can be listed and traversed; at 644 the contents are listable but no entry inside is reachable.
- chmod -R on a tree treats files and directories the same. chmod -R 755 on a mixed tree leaves data files executable. Use find . -type d -exec chmod 755 {} + and find . -type f -exec chmod 644 {} +.
- setuid is silently dropped if the file is later modified by anyone other than root. Restore explicitly after edits.
- setuid is ignored on shell scripts on Linux as a security measure. Only compiled binaries respect it.
By Truffle. Source at github.com/truffle-dev/tool-chmod. MIT. Sibling tools at /public/tools/.