
Introduction

File permissions become important the moment a system has more than one account, service, deployment script, or shared directory. A single mode bit can decide whether a private key stays private, whether a web server can read a file, whether a teammate can update a shared asset, or whether a recursive command opens an entire tree too widely.

The Unix permission model splits access into three classes: the file owner, the file group, and everyone else. Each class can receive read, write, and execute permissions. Octal chmod modes compress those nine choices into three digits, and an optional leading digit records special behavior such as setuid, setgid, or sticky protection.

Owner
The user account that owns the file or directory. Owner access is the first permission digit.
Group
The Unix group attached to the object. Group access is often used for service accounts or team collaboration.
Others
Every user who is neither the owner nor in the owning group. This is the permission class most likely to create accidental public exposure.
Execute/search
On files, execute means run the file as a program or script. On directories, execute means search or traverse the directory path.

Directory permissions are the easiest place to make a wrong assumption. Read can list directory names, but execute is required to pass through the directory and reach entries inside it. Write usually matters together with execute because changing a directory's contents means creating, removing, or renaming entries, not editing the bytes inside each file.

Figure: Four-digit chmod mode anatomy, showing the special, owner, group, and others digits with read, write, and execute bit weights. Each owner, group, and others digit is built from read 4, write 2, and execute 1. The leading digit is reserved for special bits.

Some modes are common because they match common operating patterns. A private file often starts at 600 so only the owner can read or write it. A deployed content file often uses 644, while a directory in the same tree may need 755 so processes can traverse it. Shared directories may use setgid so new entries keep the shared group, and public drop directories normally need sticky protection if everyone can write.

Chmod numbers are useful shorthand, not a full security review. Ownership, access control lists (ACLs), service users, mount options, mandatory access controls, symbolic links, and platform-specific chmod behavior can all change the real effect after the command runs.

How to Use This Tool:

Use the calculator as a review step before copying a chmod command into a shell. Pick the intended object and profile first, then use the result tables to check that the numeric mode, symbolic mode, and warnings all tell the same story.

  1. Choose a Preset if one matches the job, or leave it on Custom when you already know the mode you want.
  2. Set Target type to File or Directory. This changes the digest because execute means run for files but traverse for directories.
  3. Select a Deployment profile so the baseline comparison uses the right lens for private material, web content, shared assets, or a general file.
  4. Enter a Target path only if you want command text with a real path. The calculator quotes paths when needed and keeps a placeholder when the field is empty.
  5. Pick Command style and Apply strategy. Direct mode can be octal or symbolic. GNU reference mode builds a --reference command plus a direct fallback.
  6. Use Numeric mode, the permission switches, Special bits, or Symbolic assignment to change the mode. If numeric input is rejected, use only three or four octal digits from 0 through 7.
  7. Open Advanced when you need recursive flags, symbolic operation tests such as g+w,o-rwx, or the umask sandbox. Finish by checking Command Safety, the risk band, and the split tree recipe before running recursive commands or reference-mode commands.

Interpreting Results:

The chmod Commands tab shows the primary command from the selected mode, command style, flags, path, and apply strategy. The alternate command shows the same permission intent in the other direct syntax or as a fallback when reference mode is selected.

Permission Ledger is where mismatches become easier to catch. Confirm that Numeric mode, Symbolic assignment, Permission digest, ls -l preview, and the profile baseline all describe the access you intended. A command that looks familiar can still be wrong if the digest gives group or others more access than the file should have.

  • High exposure means a severe pattern is active, such as world write without sticky protection, privilege bits combined with writable access, or recursive chmod on / without a guard.
  • Moderate exposure means the mode conflicts with an important expectation, such as a private file that is not 600, a directory without owner execute, or a recursive tree that should split file and directory modes.
  • Lower exposure means no high or medium finding fired. It does not prove the command is safe on the host because ownership, ACLs, symlinks, service context, and platform policy are not inspected.
  • Mode Comparison Map compares the current owner, group, and others digits against a profile target and nearby common mode. Use it as a visual check, not as a replacement for the command and safety tables.

Technical Details:

Unix file modes store permission bits in groups. Read, write, and execute are separate bits, and an octal digit is a compact way to show which of those bits are on for one permission class. Owner, group, and others each get one digit, so 750 means owner 7, group 5, and others 0.

The optional leading digit stores special bits. Setuid and setgid affect execution privilege on supported executable files. Setgid on directories is commonly used for shared group inheritance. Sticky is mainly useful on directories where many users can write but should not be able to remove or rename entries they do not own.

Formula Core

Permission arithmetic is compact, but every chmod shorthand depends on these sums.

Permission digit = 4R + 2W + 1X
Full mode = special digit, owner digit, group digit, others digit
Creation result = base mode AND (¬umask)

In the first line, R, W, and X are 1 when the permission is present and 0 when it is absent. Owner rwx is 4 + 2 + 1, so the owner digit is 7. Group r-x is 4 + 1, so the group digit is 5. Others --- is 0, giving a three-digit mode of 750. If setgid is also present, the full display becomes 2750.

chmod permission digit map

| Digit | Bits | Triplet | File meaning | Directory meaning |
|---|---|---|---|---|
| 7 | 4 + 2 + 1 | rwx | Read, write, execute | List, change entries, traverse |
| 6 | 4 + 2 | rw- | Read and write | List and change entries, but no traversal |
| 5 | 4 + 1 | r-x | Read and execute | List and traverse |
| 4 | 4 | r-- | Read only | List names without traversal |
| 3 | 2 + 1 | -wx | Write and execute without read | Change known entries and traverse |
| 2 | 2 | -w- | Write only | Write bit alone is usually not useful |
| 1 | 1 | --x | Execute only | Traverse without listing names |
| 0 | none | --- | No access | No access |

Rule Core

Symbolic chmod expressions name the permission class and operation directly. The class symbols are u for owner, g for group, o for others, and a for all three. The operation can add, remove, assign, or copy bits. Uppercase X is conditional execute: it applies to directories and to files that already have at least one execute bit.

chmod special bits and safety interpretation

| Special bit | Octal value | Common use | Review point |
|---|---|---|---|
| setuid | 4000 | Supported executable files can run with the file owner's effective user ID. | Review carefully when any write access exists outside the owner. |
| setgid | 2000 | Executable files can run with group privileges; directories can pass their group to new entries on many systems. | Useful for group directories, risky when combined with loose write access. |
| sticky | 1000 | Shared writable directories can restrict deletion and rename by non-owners. | Expected for public drop directories, usually not meaningful on regular files. |

chmod command risk rules

| Pattern | Why it matters | Safer direction |
|---|---|---|
| World writable without sticky protection | Any user may be able to replace or remove entries when directory write and traversal permit it. | Remove other write, narrow the group, or use sticky for a deliberate public drop directory. |
| setuid or setgid plus group or other write | Privilege behavior and writable access can create escalation or ownership-confusion risk. | Tighten write access before enabling special bits. |
| Recursive chmod on a mixed tree | One mode applies to files and directories, often making ordinary files executable or directories unusable. | Use separate directory and file commands with find when the tree contains both object types. |
| Recursive traversal through symlinks | Following linked directories can change permissions outside the tree you meant to edit. | Use non-following traversal unless link traversal is intentional and reviewed. |
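
The first two patterns in the risk table can be checked on a real tree with find's permission tests. The script below is an added example, not part of the calculator or the original page; the finding labels, function names, and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the mode patterns from the risk table under a tree.
# find does not follow symlinks by default, so linked directories are not
# entered and the links themselves never match -type d or -type f.

# audit_modes TREE -> one "finding path" line per match
audit_modes() {
    root=$1
    # Directory that others can write, with no sticky bit to protect entries.
    find "$root" -type d -perm -0002 ! -perm -1000 |
        sed 's/^/world-writable-dir-no-sticky /'
    # Regular file that others can write.
    find "$root" -type f -perm -0002 |
        sed 's/^/world-writable-file /'
    # setuid or setgid regular file that group or others can write.
    # (Limited to files by choice here: a setgid shared directory such as
    # 2770 is a deliberate pattern and is covered by the directory check.)
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) |
        sed 's/^/special-bit-writable-file /'
}

# build_sample_tree DIR -> constructed sample input, not taken from the page
build_sample_tree() {
    mkdir "$1/drop" "$1/tmp_ok" "$1/shared"
    : > "$1/notes.txt"; : > "$1/open.txt"; : > "$1/helper"
    chmod 0777 "$1/drop"      # world writable, no sticky: flagged
    chmod 1777 "$1/tmp_ok"    # sticky public drop: not flagged
    chmod 2770 "$1/shared"    # setgid group directory: not flagged
    chmod 0644 "$1/notes.txt" # ordinary content file: not flagged
    chmod 0666 "$1/open.txt"  # world-writable file: flagged
    chmod 4775 "$1/helper"    # setuid plus group write: flagged
}

sample=$(mktemp -d)
build_sample_tree "$sample"
audit_modes "$sample"
rm -rf "$sample"
```

Like the calculator, this reads only owner, group, and others bits; ACLs, ownership, and mount options are outside what it reports.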

Umask comparison is a creation-time calculation, not a chmod change. With a regular-file base of 666 and umask 022, the new file result is 644. With a directory base of 777 and the same umask, the directory result is 755. That explains why file and directory defaults often differ even when they are created under the same account.
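
The creation-time calculation can be checked against what the system actually does. The following is an added example, not code from the original page; the function names are hypothetical, and it assumes touch and mkdir request the usual 666 and 777 bases and that no default ACL applies to the temporary directory.

```shell
#!/bin/sh
# umask_result BASE UMASK -> three-digit octal result, e.g. 666 022 -> 644
umask_result() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# to_symbolic MODE -> u=..,g=..,o=.. for the three permission digits only
to_symbolic() {
    m=$(( 0$1 & 0777 ))
    out=
    for pos in 6 3 0; do
        d=$(( (m >> $pos) & 7 ))
        bits=
        if [ $(( d & 4 )) -ne 0 ]; then bits=${bits}r; fi
        if [ $(( d & 2 )) -ne 0 ]; then bits=${bits}w; fi
        if [ $(( d & 1 )) -ne 0 ]; then bits=${bits}x; fi
        case $pos in
            6) out="u=$bits" ;;
            3) out="$out,g=$bits" ;;
            0) out="$out,o=$bits" ;;
        esac
    done
    printf '%s\n' "$out"
}

# live_matches UMASK -> exit 0 when objects created under that umask
# really carry the computed file and directory modes
live_matches() {
    um=$1
    tmp=$(mktemp -d) || return 1
    ( umask "$um"; touch "$tmp/f"; mkdir "$tmp/d" )
    fhit=$(find "$tmp/f" -perm "$(umask_result 666 "$um")")
    dhit=$(find "$tmp/d" -perm "$(umask_result 777 "$um")")
    rm -rf "$tmp"
    [ -n "$fhit" ] && [ -n "$dhit" ]
}

for um in 022 027 077; do
    fm=$(umask_result 666 "$um"); dm=$(umask_result 777 "$um")
    printf 'umask %s: file %s (%s), directory %s (%s)\n' \
        "$um" "$fm" "$(to_symbolic "$fm")" "$dm" "$(to_symbolic "$dm")"
    live_matches "$um" || echo "  live result differs on this system" >&2
done
```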

Privacy and Limits:

The calculator creates command text and comparison tables from the values you enter. It does not inspect the target path, read filesystem metadata, confirm ownership, check ACLs, test symlink targets, or verify that the command will succeed on the destination host.

  • Treat the Target path and Reference path fields as command-preview text, not live filesystem checks.
  • GNU options such as --reference and --preserve-root are not portable to every chmod version.
  • Symlink behavior differs by platform and by recursive traversal flags. Review -H, -L, -P, and -h before copying a recursive command.
  • Security labels, service identities, container mounts, network filesystems, and deployment automation may add rules beyond ordinary owner, group, and others bits.

Worked Examples:

A private SSH key or token file usually starts at 600 with the private-material profile. The ledger should read u=rw,g=,o=, and the risk notes should not ask for group or other access. If the profile baseline says anything else, recheck the target type and preset.

A web content tree commonly needs directories at 755 and ordinary files at 644. If recursive mode is enabled for a directory and the current mode would push one value across the whole tree, use the split mixed-tree recipe instead of making every file executable.
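
One way to write the split mixed-tree recipe for this case, as an added example rather than the calculator's own output. The function names and the sample tree are hypothetical, and the mode check mirrors the three-or-four octal digit rule the editor applies.

```shell
#!/bin/sh
# is_octal_mode MODE -> exit 0 for three or four octal digits only
is_octal_mode() {
    case $1 in
        [0-7][0-7][0-7] | [0-7][0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_split_modes TREE DIR_MODE FILE_MODE
apply_split_modes() {
    tree=$1 dmode=$2 fmode=$3
    if ! is_octal_mode "$dmode" || ! is_octal_mode "$fmode"; then
        echo "mode must be three or four octal digits" >&2
        return 2
    fi
    case $tree in
        '' | /) echo "refusing to recurse from '$tree'" >&2; return 2 ;;
    esac
    # No -L or -H: find stays on physical entries, so a symlink inside the
    # tree is neither chmod-ed nor followed to a target outside it.
    find "$tree" -type d -exec chmod "$dmode" {} + &&
        find "$tree" -type f -exec chmod "$fmode" {} +
}

# Constructed sample tree (hypothetical names), built in a temp directory.
site=$(mktemp -d)
outside=$(mktemp)
mkdir -p "$site/assets/img"
: > "$site/index.html"
: > "$site/assets/img/logo.svg"
chmod 700 "$site/assets"
chmod 777 "$site/index.html"
ln -s "$outside" "$site/assets/linked"
apply_split_modes "$site" 755 644
find "$site" -exec ls -ld {} +
rm -rf "$site" "$outside"
```

Directories are handled first so that the file pass can still traverse the tree.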

A shared team directory may use 2770 so the owner and group can work together while others have no access. The leading 2 is the setgid bit, which helps new entries keep the shared group on systems that support directory group inheritance.

A common troubleshooting symptom is a numeric entry that will not apply. The editor accepts only three or four octal digits, so 755, 0755, 1777, and 2750 are valid shapes, while decimal-looking values, spaces inside the mode, or digits 8 and 9 are rejected.

FAQ:

Why does execute mean traverse on a directory?

Directories are looked up by path. Execute, often called search for directories, lets a process pass through the directory to reach entries inside it. Read lists names, but execute is what makes path access work.

Is 777 always unsafe?

It is rarely a good default. A world-writable directory may be deliberate for a drop area, but it normally needs sticky protection such as 1777. A world-writable file is usually much harder to justify.

Can symbolic operations copy one class to another?

Yes. The symbolic operation lab accepts copy-style expressions such as g=u, along with relative edits such as g+w, o-rwx, a+rwX, and special-bit removals such as u-s,g-s,o-t.

Why does reference mode still show a direct command?

GNU --reference copies the mode from another path, but it is not portable to every system. The direct fallback shows the selected mode as a normal chmod command in case reference mode is not available.

Does copying a generated command apply the permissions?

No. Copying only places command text on the clipboard. Review the path, flags, risk band, ownership, ACLs, and platform behavior before running the command in a shell.

Glossary:

Octal mode
A chmod number using digits 0 through 7 for special bits, owner, group, and others.
Symbolic mode
A chmod expression that uses classes such as u, g, o, and a with operations such as add, remove, assign, or copy.
setgid
A special bit used for group privilege on executable files and for shared group inheritance on many directory filesystems.
Sticky bit
A special bit commonly used on shared writable directories to restrict deletion or rename by users who do not own the affected entry.
umask
A creation-time mask that removes permissions from a base file or directory mode before the new object is created.