| Field | Value | Copy |
|---|---|---|
| {{ row.field }} | {{ row.value }} |
| Priority | Action | Rationale | Copy |
|---|---|---|---|
| {{ row.priority }} | {{ row.action }} | {{ row.why }} |
Unix permissions decide who can read, write, or execute a file system object. A small bit change can expose secret material, make a shared directory unsafe, or stop an application from traversing a path, and this calculator turns those bits into a mode you can inspect before you run chmod.
That makes it useful when you are translating between octal and symbolic forms, building a command for a deployment script, or checking whether a mode still fits the kind of object you are changing. The page resolves one current permission state into a numeric mode, a symbolic assignment, a command preview, an ls -l style preview, a hardening plan, and an exposure chart.
The tool also helps when you do not start with a finished mode. You can begin with a preset such as a private file, a web directory, or a public drop directory, then refine the permission matrix until the result matches the real path you have in mind.
Its scope goes beyond plain conversion. The direct editors let you move between numeric and symbolic entry, the symbolic operation lab applies relative updates such as g=u or a+rwX, and the umask sandbox shows what new files and directories would inherit from common base modes.
Even so, this is a planning surface, not a live host audit. It does not inspect ownership, access control lists, mount options, or service-account context, so the final safety check still belongs on the target system.
The fastest first pass is usually to choose the right Deployment profile and Target type, then click the closest Quick archetype. That gives you a sane baseline before you start toggling individual bits, and it keeps the later Hardening Plan focused on the differences that actually matter.
If you already know the current mode, skip the preset and type it directly into Numeric mode or Symbolic assignment. The matrix, Resolved chmod Mode, and Mode Ledger all sync to the same state, which makes it easy to confirm that 2750 really means what you think it means before you build a command around it.
Target type early. Execute on a file means runnable content, while execute on a directory means search or traversal, so the same octal digit can imply different operational consequences.Profile as a review lens, not an automatic policy engine. It changes the hardening guidance, but it does not force bits unless you apply a preset.Hardening Plan before copying the command. A clean-looking numeric mode can still be flagged because it is world-writable, mixes privilege bits with writable access, or does not match the selected profile.Symbolic operation lab when you want to test a relative change such as o-rwx, g=u, or a+rwX without recalculating every triplet by hand.A good fit for this tool is planning or reviewing a mode you intend to apply yourself. It is a poor fit for proving what a live system currently enforces, because the chart and previews describe the mode you assembled here, not filesystem metadata read from disk.
Stop and verify when Risk band says High exposure or when the Permission Exposure Map shows broad access for Others. At that point, read the top action in Hardening Plan before you trust the generated command.
Unix modes are built from three permission triplets: owner, group, and others. Each triplet is a bitset for read, write, and execute, and each octal digit is just the weighted sum of those bits. The calculator keeps that representation visible in both directions, so the permission matrix, numeric digits, and symbolic assignment all describe one shared state.
Special bits ride on top of those triplets. setuid and setgid add privilege or inheritance behavior, while the sticky bit mainly matters on writable directories where many users can create files. The ls -l preview reflects those bits with s, S, t, or T, depending on whether the underlying execute bit is present.
The editors model three different transformation paths. Numeric mode accepts three or four octal digits, Symbolic assignment accepts canonical owner/group/others assignments, and Symbolic operation lab applies relative changes with +, -, =, copy operations such as g=u, and the conditional X flag. The result then feeds the risk checks, chart, command preview, and umask sandbox.
Each permission digit is the weighted sum of the read, write, and execute bits for one principal.
R, W, and X are binary flags for read, write, and execute. That is why rwx becomes 7, rw- becomes 6, and r-x becomes 5.
The umask sandbox uses a bit-clearing step instead of addition. For each owner/group/others digit, the resulting creation mode is the base digit with the mask bits removed.
With the common defaults shown in the tool, a file base of 666 and a umask of 022 yields 644, while a directory base of 777 with the same mask yields 755.
| Input path | Accepted form | How the tool interprets it |
|---|---|---|
Permission matrix |
Direct read, write, execute toggles | Builds owner, group, and others digits one bit at a time |
Numeric mode |
Three or four octal digits | Rightmost three digits map to owner, group, others; the leading digit maps to special bits |
Symbolic assignment |
Canonical clauses such as u=rwx,g=rx,o= |
Rebuilds each triplet directly from the specified letters |
Symbolic operation lab |
Relative ops such as o-rwx, g=u, a+rwX |
Applies incremental changes, including copy semantics and special-bit operations |
Umask sandbox |
Octal mask plus file and directory base modes | Calculates creation-time results for new files and new directories |
The conditional X deserves special attention because it is easy to overread. In this tool, X adds execute only when the target is a directory or when any execute bit is already present somewhere in the current mode. If you need unconditional execute, use lowercase x instead.
| Profile | Tool expectation | What can trigger a warning |
|---|---|---|
Private credential material |
Files lean toward 600, directories toward 700 | Group or other access, or a private path that is looser than those baselines |
Web content/deploy artifact |
Files commonly map to 644 and directories to 755 | Modes that are much wider or tighter than common deploy defaults |
Shared drop directory |
Shared writable directories should use sticky when others can write | World-writable directories without sticky, or using the shared profile on a regular file |
Risk band is based on the highest-severity finding, not on an average across findings. One high-risk condition is enough to move the summary into High exposure. The Permission Exposure Map is simpler: a principal digit from 0 to 2 is labeled Minimal, 3 to 5 is Controlled, and 6 to 7 is Broad, with a dashed marker at 6 to show where exposure becomes wide.
The page does not query the filesystem or send paths anywhere. The command preview, ls -l preview, hardening notes, JSON payload, and chart are all derived from the current in-page permission state.
Use this path when you want to go from an intention or an existing mode to a command you can review with confidence.
Deployment profile and Target type first. Those two controls shape how the hardening checks read the mode and how execute semantics should be interpreted.Quick archetype if you need a safe starting point, or build the state directly in the Permission matrix. Watch Resolved chmod Mode and the badges under it as you make changes.Numeric mode or Symbolic assignment. A valid entry updates the matrix, special bits, and both output forms immediately.Symbolic operation lab for relative edits such as g=u, o-rwx, or a+rwX. If the result is not what you expected, compare Numeric mode and Symbolic assignment to see which bits actually changed.Target path and any command flags such as Recursive (-R), Verbose (-v), or No dereference (-h). Then read Recommended command, Alternate command form, and ls -l preview together.Hardening Plan and Permission Exposure Map before you copy anything. Those views tell you whether the mode is merely syntactically valid or also looks sensible for the selected profile.Umask sandbox if you also need to model newly created files or directories under the same environment. The file and directory rows should match the creation defaults you expect from the target host.If a pasted value seems to do nothing, the usual recovery path is to check the format: Numeric mode needs octal digits only, and Symbolic assignment works best in canonical owner/group/others form such as u=rw,g=r,o=.
Resolved chmod Mode is the canonical state for this tool. The numeric value, symbolic assignment, command preview, chart, and JSON are all alternate views of that same assembled mode, so disagreements usually mean you changed the mode and have not yet updated your assumption.
Risk band tells you the highest-severity concern currently active. High exposure means at least one high-risk finding is present and the top Hardening Plan action should be treated as blocking.Permission Exposure Map is descriptive, not normative. An owner value of 7 can be perfectly normal, while an others value of 7 on a regular file is usually a strong warning sign.Recommended command and Alternate command form should describe the same permission state. Use whichever style fits your workflow, but test the exact form you plan to run.ls -l preview is a readability check, not proof of live filesystem state. It helps you spot special-bit rendering and triplet shape before you touch the real path.The main false-confidence trap is reading a low risk band as proof that the target system is safe. The corrective check is to compare the tool's result with the real path's ownership, ACLs, service account, and platform-specific behavior before you apply the command.
App dir (755) preset, keep Profile on Web content/deploy artifact, set Target type to directory, and enter /var/www/app/public as the target. Resolved chmod Mode shows 755, Symbolic assignment becomes u=rwx,g=rx,o=rx, and Recommended command resolves to a standard deploy-friendly command. The chart shows owner 7 with group and others at 5, which is broad enough for traversal but not writable by the world.
Profile to Shared drop directory, Target type to directory, and build 777 without the sticky bit. Risk band moves to High exposure, Hardening Plan tells you to add sticky or remove others write, and the Permission Exposure Map shows Others at 7, which is in the broad 6 to 7 range. Turning on sticky changes the numeric mode to 1777 and clears the specific shared-directory warning while preserving the shared-write model.
a+rwX stop at 666? Start with a regular file at 640, then run a+rwX in Symbolic operation lab. The result becomes 666, not 777, because uppercase X adds execute only when the target is a directory or some execute bit already exists. If you truly want execute on that file, use lowercase x; if you were modeling a directory, switch Target type first and then re-run the operation.
Both make content readable, but 755 also adds execute to owner, group, and others. That is usually appropriate for directories that need traversal, not for ordinary text or data files.
X behave differently from x?In Symbolic operation lab, uppercase X is conditional. It adds execute only for directories or when some execute bit is already set. Lowercase x always requests execute.
The profile changes the hardening lens, not the bits themselves. To change the mode automatically, apply a matching preset or edit the matrix directly.
Numeric mode accepts octal digits only, and malformed symbolic chunks are skipped. Use three or four octal digits, or a canonical symbolic assignment such as u=rw,g=r,o=, then compare the updated Resolved chmod Mode.
No upload behavior is declared. The path, command preview, chart, and JSON output are assembled in the browser session from the current inputs.