| Object | Result mode | Symbolic assignment | Copy |
|---|---|---|---|
| New file | {{ umaskFileNumeric || 'Invalid' }} |
{{ umaskFileSymbolic || 'Enter three octal digits' }} |
|
| New directory | {{ umaskDirNumeric || 'Invalid' }} |
{{ umaskDirSymbolic || 'Enter three octal digits' }} |
{{ card.value }}| Field | Value | Notes | Copy |
|---|---|---|---|
| {{ row.field }} | {{ row.value }} |
{{ row.note }} |
| Priority | Action | Rationale | Copy |
|---|---|---|---|
| {{ row.priority }} | {{ row.action }} | {{ row.why }} |
| Mode | Access split | Why it exists | Delta from current |
|---|---|---|---|
|
{{ row.seriesName }}
{{ row.mode }}
|
{{ row.accessText }} | {{ row.note }} | {{ row.deltaText }} |
Unix permission bits decide who can read, change, or run a file system object. A small mode mistake can expose secrets, stop a service from traversing a directory, or turn a shared folder into a place where users can remove one another's work. This calculator turns that bit pattern into something you can inspect before you run chmod.
You can start from a known octal mode, a symbolic assignment, or a preset such as 600, 755, 2770, or 1777. The page keeps one live permission state and renders it as octal, canonical symbolic text, an ls -l style preview, plain-language access notes, command previews, and a profile comparison.
The scope is broader than a simple converter. The advanced controls let you test relative symbolic changes such as g=u or o-rwx, switch between numeric and symbolic command styles, build a GNU --reference command, add recursive flags, and model what a chosen umask would do to newly created files and directories. When one recursive mode would blur file and directory needs together, the page also suggests a split mixed-tree recipe.
The results are grouped into four views. Decision Brief collects the main commands and ledger values, Hardening Plan ranks the current warnings, Baseline Map compares your selection with a profile target and a nearby common mode, and JSON gives you the same state as structured data. The tables can be copied as CSV, downloaded as CSV, or exported to DOCX, and the chart can be saved as PNG, WebP, JPEG, or CSV.
Everything on the page is derived from the values you enter in the browser after the page loads. It does not inspect a live path, read ownership, evaluate ACLs, or check platform-specific controls such as SELinux labels, so the final safety decision still belongs on the real host.
A Unix mode is built from three permission triplets: owner, group, and others. Each triplet is a read, write, execute bitset, and each octal digit is just the weighted sum of those bits. The page keeps that relationship visible in both directions, which is why the matrix, the octal mode, and the symbolic assignment always describe the same current state.
The meaning of the execute bit changes with object type. On regular files it means executable content. On directories it means search or traversal. That is why the calculator asks for Target type early and uses that choice when it explains the permission digest, the hardening checks, and the common-baseline comparison.
The first rule explains the octal digits: rwx becomes 7, rw- becomes 6, and r-x becomes 5. The second rule explains the sandboxed creation defaults: a file base of 666 with a 022 mask yields 644, while a directory base of 777 with the same mask yields 755.
Special bits layer extra behavior on top of the ordinary triplets. On regular executables, setuid and setgid can change the effective user or group at run time. On shared directories, setgid is widely used to keep new entries in the directory's group, and the sticky bit is the usual protection for world-writable drop zones. The calculator lets you toggle all three, but the real effect of some combinations still depends on the object type, filesystem, and platform.
The symbolic editors cover two different jobs. Symbolic assignment rebuilds the full owner, group, and others state from canonical clauses such as u=rw,g=r,o=, with separate special-bit clauses when needed. Symbolic operation lab applies relative changes such as u+rwx, o-rwx, g=u, or a+rwX. In this page, leaving out the target letters applies the change across owner, group, and others, and uppercase X adds execute only when the target is a directory or the current mode already has at least one execute bit.
ls -l style preview, and the baseline delta.| Input path | Accepted form | How the page uses it |
|---|---|---|
Permission matrix |
Direct read, write, and execute toggles for owner, group, and others | Builds the live triplets one bit at a time and updates every result surface immediately |
Numeric mode |
Three or four octal digits such as 644 or 2750 |
Maps the last three digits to owner, group, and others, with an optional leading digit for special bits |
Symbolic assignment |
Canonical clauses such as u=rwx,g=rx,o=, plus optional u+s, g+s, or o+t |
Rebuilds the full permission state from scratch instead of applying an incremental change |
Symbolic operation lab |
Relative operations such as g+w, o-rwx, g=u, or a+rwX |
Tests live chmod-style edits against the current state and then refreshes the commands, warnings, and chart |
Umask sandbox |
A three-digit mask plus file and directory base modes | Models creation-time results for new files and directories without changing the current chmod selection |
| Profile lens | File baseline | Directory baseline | How the page uses it |
|---|---|---|---|
| General asset | 644 |
755 |
Acts as the everyday comparison point for ordinary content and traversable directories |
| Private credential material | 600 |
700 |
Flags group or other access earlier because the expectation is owner-only control |
| Web content or deploy artifact | 644 |
755 |
Treats execute bits on ordinary web files and unusually wide directory access as drift from common deploy defaults |
| Shared team directory or group asset | 660 |
2770 |
Highlights group collaboration patterns, setgid inheritance, and the difference between shared and public access |
| Public drop preset | Not a file baseline | 1777 |
Available as a preset when you need a world-writable directory with sticky-bit delete protection |
The Baseline Map plots the owner, group, and others digits on a 0 to 7 scale for three rows: your current selection, the profile target, and the closest built-in common mode. The nearest common mode is chosen by smallest bit-level distance, so the delta text tells you exactly which permissions would need to be added or removed to reach that nearby standard.
Command previews are built from the same state. The direct form can be numeric or symbolic, entered paths are shell-quoted when needed, and the page can also generate a GNU --reference command from a second path. Because that GNU form is not the normal portable path on BSD or macOS systems, the page also keeps a direct fallback command visible.
The quickest way to a sensible answer is to decide what kind of object you are changing before you chase the exact digits. A regular file that stores configuration, a directory that must be traversable by a service, and a shared drop zone can all look similar when you only stare at octal numbers. In this page, Target type and Deployment profile give the later warnings enough context to say something useful.
Numeric mode when you already know the octal value and want to confirm what it really means.Symbolic assignment when you want to restate the full owner, group, and others mode explicitly.Symbolic operation lab when the real question is "what would this change do?" rather than "what full mode do I want?"Umask sandbox when you are planning creation defaults for a shell session, deployment user, or service account rather than changing one existing object.A practical review path is to stop as soon as the page labels the state High exposure. That label is not based on an average. One serious issue is enough to move the run into the highest band, so the top action in Hardening Plan should be read before you trust the command preview.
Be especially careful with recursive operations. A single chmod -R mode can make ordinary files executable or make directories too restrictive to traverse. If the target is a mixed tree, compare the direct recursive command with the split recipe before you copy anything.
Target type and Deployment profile first so the page knows whether execute means run or traverse, and which baseline it should compare against.Permission matrix.Numeric mode or Symbolic assignment. If you are testing a change, use Symbolic operation lab instead.Target path and any flags such as recursion, verbosity, link handling, or GNU root protection.Decision Brief and its command safety notes. Make sure the ls -l preview and the baseline delta describe what you meant to build.Hardening Plan and Baseline Map before acting. If the target is a mixed directory tree, compare the single recursive command with the split recipe.JSON, CSV, DOCX, or chart export only after the result reads correctly on screen, since all exports are snapshots of the current state.Decision Brief is the fastest summary of a finished run. It shows the primary command, the alternate form, the ls -l preview, the selected profile baseline, the delta needed to reach that baseline, the closest common mode, and the current umask sandbox outputs. If those fields disagree with your expectation, trust the live mode itself and work backward from there.
| Pattern | Why the page flags it | Usual next move |
|---|---|---|
| World-writable access without sticky protection | Shared writable locations become much easier to abuse when anyone can also remove or replace other users' entries | Add sticky on a shared directory or remove write for others |
setuid or setgid on a writable target |
Privilege-changing behavior combined with group or world write is a classic hardening problem | Clear the special bit or tighten write access first |
| Regular file is both executable and writable for others | A file that everyone can modify and run is a strong multi-user host risk | Drop at least one of those bits unless the workflow truly requires both |
Recursive change on / or broad link following |
A wide recursive command can escape the tree you meant to touch or damage a whole host | Narrow the path, keep -P unless you mean otherwise, and use GNU --preserve-root when applicable |
| Profile mismatch | Private material looser than 600 or 700, or web files with execute bits, often means the mode does not match the job |
Move toward the profile baseline or record why this object is an exception |
| One recursive mode on a mixed tree | Files and directories often need different execute semantics, so one blanket mode tends to overgrant or undergrant | Use the split file and directory recipe instead of one -R mode |
The risk band is driven by the highest-severity finding, not by an average across all findings. Moderate exposure often means the page sees a realistic but fixable mismatch. Lower exposure means no strong warning pattern is active in the current logic, not that the real system is automatically safe.
The Baseline Map is best used as a shape check. If the current bars are close to the baseline on owner and group but much higher on others, the issue is usually public access, not the whole mode. If the current row and the profile target match but the object still feels risky, the missing context is probably outside ordinary mode bits, such as ownership, ACLs, or application design.
JSON is the structured version of the same run. It includes the inputs, resolved mode, commands, comparison rows, findings, umask sandbox outputs, and command safety notes. That makes it useful for automation notes, tickets, or review records, but it still describes the in-page model rather than a live filesystem scan.
Private file (600) preset, keep the profile on private material, and enter a path such as /srv/app/.env. The direct preview resolves to chmod 600 /srv/app/.env, the symbolic assignment becomes u=rw,g=,o=, and the baseline delta disappears because the current state already matches the profile target.
App dir (755), switch the target type to directory, and turn on recursion for a path such as /var/www/app. The page will show the expected direct recursive command, but it will also warn that one recursive mode is often wrong for mixed trees and suggest a split recipe such as 755 for directories and 644 for regular files.
Team share (2770) preset for a collaborative directory. The current mode now carries setgid, owner and group keep full control, others are blocked, and the comparison row should match the shared-directory baseline exactly. This is the pattern to reach for when a group needs to keep ownership inheritance tidy without making the directory public.
777 on a directory first and look at the warning list. The page raises the risk because a world-writable shared directory without sticky protection lets users remove or rename other users' entries. Add the sticky bit to reach 1777 and the specific shared-drop warning clears while the shared-write design stays intact.
755 make sense for many directories but not for many regular files?On a directory, execute means search or traversal, so 755 often means "readable and traversable by others, writable only by owner". On a regular file, execute means runnable content. That is why the same digits can be normal for a directory and suspicious for a plain text or media file.
a+rwX stop at 666 instead of 777 on my file?Uppercase X is conditional. In this page it adds execute only when the target is a directory or the current mode already has at least one execute bit. If you want unconditional execute on a regular file, use lowercase x instead.
GNU chmod --reference is useful when you want to copy a mode from another path, but it is not the normal portable syntax across all Unix-like systems. The page therefore keeps a direct command visible alongside it so you can fall back to an explicit numeric or symbolic mode when needed.
No. The profile changes the review lens and the comparison baseline. The bits change only when you apply a preset, edit the matrix, enter a new numeric or symbolic value, or run a symbolic operation.
644 while new directories come out 755 under umask 022?The usual creation bases are different. Regular files commonly start from 666 and directories from 777. Applying the same 022 mask removes group and other write from both, which leaves files at 644 and directories at 755.
No live path inspection is performed here. The target and reference fields are used only to build previews from your current browser inputs, so you still need a separate filesystem check if you want to confirm the real mode, ownership, or ACL state on disk.