chmod Calculator

Every file and directory on a Unix-like system — Linux, macOS, FreeBSD, the BSD-based router and NAS firmware that runs much of the internet — carries a small piece of metadata describing who is allowed to read it, modify it and (for executables) run it. That metadata is the permission mode, and the chmod command (CHange MODe) is how administrators and developers set it. The calculator above is a visual front-end for the same arithmetic that chmod performs.

Three classes, three bits

Unix permissions split the world into three classes: the file's owner (a specific user), the file's group (a specific group of users), and everyone else. For each class, the permission mode records three bits: read (4), write (2) and execute (1). Adding the bits per class gives a digit from 0 (no permissions) to 7 (read + write + execute). The mode is conventionally written as three octal digits — one per class — so 755 means owner has 7 (rwx), group has 5 (r-x) and public has 5 (r-x).

The symbolic form (rwxr-xr-x) writes the same information differently. A dash replaces a missing permission; the order is always read, write, execute for each class. The leading character indicates file type — usually - for a regular file, d for a directory, l for a symbolic link. So the symbolic form -rwxr-xr-x describes a regular file with mode 755.

The fourth digit and the special bits

Fewer developers know that chmod accepts a fourth, leading octal digit for the special bits. Setuid (4) makes an executable run with the owner's user-ID instead of the caller's — this is how sudo and passwd can do privileged work. Setgid (2) does the same for group; on directories it causes newly-created files to inherit the directory's group rather than the creator's primary group. The sticky bit (1) on a directory restricts deletion to the file's owner — Linux's /tmp uses mode 1777 so every user can write but no user can delete another user's files. Special bits combine with the regular bits using the same additive scheme.

The recommendations a Singapore or Malaysian sysadmin should know

Most production deployments in the ASEAN cloud-hosting market — AWS Singapore, Tencent Cloud, Alibaba Cloud, plus the regional players like Exabytes, Vodien and Hostinger — run Linux servers where permission hygiene directly affects compromise risk. The general rules: regular files almost always want 644 (owner read+write, everyone else read-only). Directories almost always want 755 (owner read+write+execute to enter, everyone else read+execute). SSH private keys MUST be 600 — OpenSSH refuses to use a private key whose mode allows any group or other access. Web-application files served by nginx or Apache should rarely be world-writable; 666 on a file is almost never the right answer outside development. When you see 777 in a production deployment, treat it as a smell: it means whoever set it could not be bothered to figure out the actual permissions needed and reached for the sledgehammer instead.

What chmod doesn't do

Permission modes are a coarse-grained access control — three classes, three bits. They do not handle "give Alice read access but not Bob" without elaborate group-juggling. For fine-grained control, modern Linux supports access control lists (ACLs) via setfacl and getfacl, which the basic chmod calculator cannot model. The mode also does not encrypt anything — it controls who can ask the kernel for a file, not what they can do once they have a copy. And it does not survive transit cleanly: copying a file via SCP, SFTP, or a Docker bind-mount frequently resets the mode to whatever the destination filesystem defaults to. When in doubt, run ls -la on the destination side and confirm.