chmod Explained: Linux File Permissions, Octals, and rwx Notation
Every file and directory on a Unix system has a permission set that controls who can read it, write to it, or execute it. When a deployment fails because your web server cannot read a config file, or your CI script is not executable, the fix is usually one chmod command — once you understand what the numbers mean.
The three permission classes
Unix permissions apply to three categories of user:
| Class | Symbol | Who it applies to |
|---|---|---|
| Owner | u | The user who owns the file |
| Group | g | Members of the file's group |
| Others | o | Everyone else |
The three permission bits
| Permission | Symbol | On a file | On a directory |
|---|---|---|---|
| Read | r | View file contents | List directory contents (ls) |
| Write | w | Modify or delete the file | Create, rename, delete files inside |
| Execute | x | Run as a program | Enter the directory (cd) |
Symbolic notation: rwxr-xr--
Run ls -l and you will see something like -rwxr-xr--. Reading left to right:
- Position 1: file type (`-` regular file, `d` directory, `l` symlink)
- Positions 2–4: owner permissions (`rwx` = read, write, execute)
- Positions 5–7: group permissions (`r-x` = read, no write, execute)
- Positions 8–10: others permissions (`r--` = read only)
A dash - in any position means that permission is not granted.
Octal notation
Each permission triplet maps to a single octal digit (0–7) because there are exactly three bits:
| Binary | Octal | Symbolic | Meaning |
|---|---|---|---|
| 111 | 7 | rwx | Read + write + execute |
| 110 | 6 | rw- | Read + write |
| 101 | 5 | r-x | Read + execute |
| 100 | 4 | r-- | Read only |
| 000 | 0 | --- | No permissions |
So chmod 755 means: owner=7(rwx), group=5(r-x), others=5(r-x).
Common permission patterns
| Octal | Symbolic | Typical use |
|---|---|---|
| 755 | rwxr-xr-x | Directories, public executables (web server binaries, scripts) |
| 644 | rw-r--r-- | Regular files, HTML, config files (not secret) |
| 600 | rw------- | Private keys, SSH id_rsa, secrets (owner read/write only) |
| 700 | rwx------ | Private directories (e.g. ~/.ssh) |
| 777 | rwxrwxrwx | Avoid — everyone can write. Temporary workaround only. |
Using chmod
```bash
# Set permissions using octal
chmod 755 deploy.sh
chmod 644 config.yaml
chmod 600 ~/.ssh/id_rsa

# Set permissions using symbolic mode
chmod u+x deploy.sh        # add execute for owner
chmod go-w sensitive.txt   # remove write from group and others
chmod a+r public.html      # add read for all (a = all)

# Recursive — apply to directory and all contents
# (note: 755 applied recursively also marks every regular file executable)
chmod -R 755 /var/www/html
```
Setuid, setgid, and sticky bit
A fourth octal digit controls three special bits:
- Setuid (4xxx) — executable runs as the file's owner, not the caller. Used by `sudo` and `passwd`. Example: `chmod 4755 binary`
- Setgid (2xxx) — on files: runs as the file's group. On directories: new files inherit the directory's group, not the creator's. Example: `chmod 2755 shared-dir/`
- Sticky bit (1xxx) — on directories: only the owner can delete their own files, even if others have write permission. Used on `/tmp`. Example: `chmod 1777 /tmp`
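
The shell functions below are an added example, not part of the original article. They audit a directory tree for the modes this page flags (world-writable files, world-writable directories without the sticky bit, setuid/setgid files) and give an alternative to `chmod -R 755` that keeps regular files non-executable. The function names and the sample tree are constructed for illustration.

```bash
# Added example: audit helpers for the risky modes described on this page.
# All function names and the sample tree are constructed for illustration.

# Regular files with the "others" write bit (0002) set. "-perm -0002" means
# "at least these bits"; "-perm 777" would match only mode exactly 777.
find_world_writable_files() {
    find "$1" -type f -perm -0002 | sort
}

# World-writable directories lacking the sticky bit (1000): any user can
# delete or replace files that belong to someone else.
find_unsticky_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Files carrying setuid (4000) or setgid (2000).
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Alternative to "chmod -R 755": directories get 755, files get 644, so data
# files do not become executable. Numeric modes also clear setuid/setgid on
# files, so review find_setid_files output before running this.
normalize_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/uploads" "$root/tmp" "$root/bin"
    : > "$root/index.html"; chmod 644 "$root/index.html"
    : > "$root/debug.log";  chmod 666 "$root/debug.log"
    : > "$root/bin/helper"; chmod 4755 "$root/bin/helper"
    chmod 777 "$root/uploads"; chmod 1777 "$root/tmp"; chmod 755 "$root/bin"
    printf '%s\n' "$root"
}

demo=$(make_sample_tree)
find_world_writable_files "$demo"     # prints <tmpdir>/debug.log
find_unsticky_writable_dirs "$demo"   # prints <tmpdir>/uploads
find_setid_files "$demo"              # prints <tmpdir>/bin/helper
rm -rf "$demo"
```

The sticky directory (`1777`) is deliberately absent from the second report: it is world-writable, but users cannot remove each other's files there.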
Checking current permissions
```bash
ls -la               # show permissions for all files in directory
stat file.txt        # detailed permissions, owner, size, timestamps
find . -perm -002    # find world-writable files (security audit); "-perm 777" would match only mode exactly 777
```
Try it yourself
Use the free browser-based chmod Calculator on DevBench — no signup, runs entirely in your browser.