Chmod Calculator

Every file has three permission classes: owner (u), group (g), and other (o). Each class has three primary bits: read (r=4), write (w=2), execute (x=1). The numeric mode is the sum: 7 = rwx, 6 = rw-, 5 = r-x, 4 = r--. Three classes × one octal digit each = three-digit chmod. With special bits (setuid=4, setgid=2, sticky=1) you get a fourth leading digit: 4755, 2755, 1777.

Directories use the same bits but they mean different things: r on a directory means "list contents", w means "create, rename, delete files inside", x means "enter the directory / resolve names through it". x without r is "you can cd in and access named files, but cannot ls". This is the basis of "secret directories" — set 0711 on a dir to allow lookup without listing.

• Setuid (4xxx) — on an executable, runs as the file owner regardless of who invokes it. /usr/bin/passwd uses this so non-root users can update /etc/shadow. Almost never the right answer outside system utilities.
• Setgid (2xxx) — on an executable, runs as the file group. On a directory, files created inside inherit the directory's group. Useful for shared project directories.
• Sticky bit (1xxx) — on a directory, files inside can only be deleted by their owner or root. This is why /tmp (mode 1777) lets every user write but stops them deleting each other's files.
• Capabilities — modern Linux replaces most setuid uses with file capabilities (setcap cap_net_bind_service+ep on a binary lets it bind low ports without full root). Check with getcap; capabilities are not visible in chmod output.

umask is the inverse mask applied when a process creates files. Default umask 022 means files are created with mode (0666 & ~022) = 0644, directories with (0777 & ~022) = 0755. For systems where files should never be world-readable, set umask 027 — files become 640, dirs 750. Set it in /etc/profile or the user's shell rc for persistence.

• You read a tutorial that says chmod 0755 and want to verify what those permissions actually grant before applying to production files.
• You inherited a Dockerfile or Ansible playbook with mode: "0644" sprinkled everywhere and need to audit which are too permissive.
• You are setting up a shared SFTP chroot and need to figure out the directory permissions that let multiple users upload to the same dir but not delete each other's files (answer: 1770 with shared group).
• You are debugging a "permission denied" error and need to translate the ls -l output back to a numeric mode for a chmod fix.

• It will not handle ACLs (getfacl/setfacl). POSIX ACLs add per-user or per-group entries beyond the standard owner/group/other split. ls -l shows a "+" suffix when a file has ACLs; chmod alone cannot see or modify them.
• It will not handle SELinux or AppArmor contexts. On systems with mandatory access control, even chmod 777 will not bypass policy. Use chcon, audit2allow, or aa-status.
• It will not check the parent directory permissions. A file at 644 inside a directory at 700 is unreadable by anyone except the directory owner. The effective access depends on every directory in the path.