Skip to content
browserutils
Cheatsheet

chmod Permissions Cheatsheet — Unix File Permission Reference

Unix file permissions explained: numeric (octal) and symbolic notation, common permission sets, chmod command examples, and special permissions (setuid, setgid, sticky bit).

Updated Reference

Unix file permissions control who can read, write, and execute files and directories. Every file has three permission sets: one for the owner, one for the group, and one for everyone else. Understanding permissions is essential for server administration, deployment, and security.

Permission Basics

Each file has three permission categories and three permission types:

Category Symbol Who
User/Owner u The file’s owner
Group g Members of the file’s group
Others o Everyone else
All a All three (u+g+o)
Permission Symbol On Files On Directories
Read r View file contents List directory contents
Write w Modify file contents Create, delete, rename files in directory
Execute x Run as a program Enter directory (cd into it)

Reading ls -l Output

-rwxr-xr-- 1 alice developers 4096 Mar 21 10:00 script.sh
│├─┤├─┤├─┤
│ │   │  └── Others: read only (r--)
│ │   └───── Group: read + execute (r-x)
│ └───────── Owner: read + write + execute (rwx)
└─────────── File type: - (regular file), d (directory), l (symlink)

Numeric (Octal) Notation

Each permission has a numeric value. Add them up for each category.

Permission Value
Read (r) 4
Write (w) 2
Execute (x) 1
None (-) 0

Combine by adding: rwx = 4+2+1 = 7, r-x = 4+0+1 = 5, r-- = 4+0+0 = 4

Octal Binary Symbolic Meaning
0 000 --- No permissions
1 001 --x Execute only
2 010 -w- Write only
3 011 -wx Write + execute
4 100 r-- Read only
5 101 r-x Read + execute
6 110 rw- Read + write
7 111 rwx Read + write + execute

Common Permission Sets

Octal Symbolic Use Case
755 rwxr-xr-x Executable scripts, public directories
644 rw-r--r-- Regular files (HTML, CSS, images)
600 rw------- Private files (SSH keys, configs with secrets)
700 rwx------ Private executable scripts, private directories
750 rwxr-x--- Group-shared executables/directories
664 rw-rw-r-- Group-writable files
775 rwxrwxr-x Group-writable directories
777 rwxrwxrwx World-writable (avoid this — security risk)
400 r-------- Read-only for owner (SSH private keys)
444 r--r--r-- Read-only for everyone
666 rw-rw-rw- World-readable/writable (rarely appropriate)
000 --------- No access for anyone

chmod Command — Symbolic Mode

# Format: chmod [who][operator][permissions] file
# who: u (user), g (group), o (others), a (all)
# operator: + (add), - (remove), = (set exactly)

chmod u+x script.sh          # Add execute for owner
chmod g+rw file.txt           # Add read+write for group
chmod o-w file.txt            # Remove write for others
chmod a+r file.txt            # Add read for everyone
chmod u=rwx,g=rx,o=r file     # Set exact permissions
chmod go= secret.key          # Remove all group and others permissions
chmod +x script.sh            # Add execute for all (same as a+x)
chmod u+s program             # Set setuid bit
chmod g+s directory            # Set setgid bit
chmod +t /tmp                  # Set sticky bit

chmod Command — Numeric Mode

chmod 755 script.sh           # rwxr-xr-x
chmod 644 index.html          # rw-r--r--
chmod 600 id_rsa              # rw-------
chmod 700 .ssh                # rwx------
chmod 664 shared-doc.txt      # rw-rw-r--
chmod 775 shared-dir          # rwxrwxr-x

Recursive Permission Changes

# Change all files and directories recursively
chmod -R 755 /var/www/html

# Change only directories (find + chmod)
find /var/www -type d -exec chmod 755 {} \;

# Change only files
find /var/www -type f -exec chmod 644 {} \;

# Common web server setup
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;

Special Permissions

Beyond the standard rwx bits, there are three special permission bits.

Permission Octal Symbolic Effect on Files Effect on Directories
Setuid 4000 u+s File runs as the file owner, not the user running it No standard effect
Setgid 2000 g+s File runs with the file’s group New files inherit the directory’s group
Sticky bit 1000 +t No standard effect Only file owner can delete their files
# Setuid example (appears as 's' in user execute position)
chmod 4755 /usr/bin/passwd     # -rwsr-xr-x

# Setgid on directory (new files inherit group)
chmod 2775 /shared/project     # drwxrwsr-x

# Sticky bit (appears as 't' in others execute position)
chmod 1777 /tmp                # drwxrwxrwt

# Numeric with special bits: prepend the special bit digit
chmod 4755 file   # setuid + 755
chmod 2755 dir    # setgid + 755
chmod 1755 dir    # sticky + 755

chown and chgrp

Change file ownership alongside permissions:

# Change owner
chown alice file.txt
chown alice:developers file.txt    # Change owner and group
chown :developers file.txt         # Change group only
chown -R alice:developers /dir     # Recursive

# Change group
chgrp developers file.txt
chgrp -R developers /dir           # Recursive

Default Permissions (umask)

The umask controls default permissions for newly created files and directories.

# View current umask
umask              # Shows octal (e.g., 0022)
umask -S           # Shows symbolic (e.g., u=rwx,g=rx,o=rx)

# Set umask
umask 022          # Default: files 644, dirs 755
umask 077          # Restrictive: files 600, dirs 700
umask 002          # Group-friendly: files 664, dirs 775
umask File Default Directory Default
022 644 (rw-r–r–) 755 (rwxr-xr-x)
027 640 (rw-r—–) 750 (rwxr-x—)
077 600 (rw—––) 700 (rwx——)
002 664 (rw-rw-r–) 775 (rwxrwxr-x)

The calculation: files start at 666 and directories at 777. The umask is subtracted (bitwise AND with complement).

Quick Reference for Common Scenarios

Scenario Recommended Command
Web server files 644 chmod 644 *.html *.css *.js
Web server directories 755 chmod 755 /var/www/html
CGI/executable scripts 755 chmod 755 script.sh
SSH private key 600 chmod 600 ~/.ssh/id_rsa
SSH directory 700 chmod 700 ~/.ssh
SSH authorized_keys 644 chmod 644 ~/.ssh/authorized_keys
.env file 600 chmod 600 .env
Shared project directory 2775 chmod 2775 /projects/shared
Temp directory 1777 chmod 1777 /tmp
Log files 640 chmod 640 /var/log/app.log

Calculate permissions visually with the chmod Calculator tool.