# chmod Permissions Cheatsheet — Unix File Permission Reference

> Unix file permissions explained: numeric (octal) and symbolic notation, common permission sets, chmod command examples, and special permissions (setuid, setgid, sticky bit).

- URL: https://www.browserutils.dev/cheatsheets/chmod-permissions
- Published: 2026-03-21
- Updated: 2026-03-16

---

Unix file permissions control who can read, write, and execute files and directories. Every file has three permission sets: one for the owner, one for the group, and one for everyone else. Understanding permissions is essential for server administration, deployment, and security.

## Permission Basics

Each file has three permission categories and three permission types:

| Category | Symbol | Who |
|----------|--------|-----|
| User/Owner | `u` | The file's owner |
| Group | `g` | Members of the file's group |
| Others | `o` | Everyone else |
| All | `a` | All three (u+g+o) |

| Permission | Symbol | On Files | On Directories |
|------------|--------|----------|----------------|
| Read | `r` | View file contents | List directory contents |
| Write | `w` | Modify file contents | Create, delete, rename files in directory |
| Execute | `x` | Run as a program | Enter directory (`cd` into it) |

## Reading `ls -l` Output

```
-rwxr-xr-- 1 alice developers 4096 Mar 21 10:00 script.sh
│├─┤├─┤├─┤
│ │   │  └── Others: read only (r--)
│ │   └───── Group: read + execute (r-x)
│ └───────── Owner: read + write + execute (rwx)
└─────────── File type: - (regular file), d (directory), l (symlink)
```

## Numeric (Octal) Notation

Each permission has a numeric value. Add them up for each category.

| Permission | Value |
|------------|-------|
| Read (r) | 4 |
| Write (w) | 2 |
| Execute (x) | 1 |
| None (-) | 0 |

Combine by adding: `rwx` = 4+2+1 = **7**, `r-x` = 4+0+1 = **5**, `r--` = 4+0+0 = **4**

| Octal | Binary | Symbolic | Meaning |
|-------|--------|----------|---------|
| 0 | 000 | `---` | No permissions |
| 1 | 001 | `--x` | Execute only |
| 2 | 010 | `-w-` | Write only |
| 3 | 011 | `-wx` | Write + execute |
| 4 | 100 | `r--` | Read only |
| 5 | 101 | `r-x` | Read + execute |
| 6 | 110 | `rw-` | Read + write |
| 7 | 111 | `rwx` | Read + write + execute |
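
The following is an added example, not part of the original cheatsheet: a parser that turns the mode column of `ls -l` into its octal form. `mode_to_octal` is a hypothetical helper name, and the function goes beyond the table above by also handling the `s`/`S`/`t`/`T` letters covered under Special Permissions.

```bash
#!/bin/sh
# Added example: convert an ls -l mode string to octal.
# mode_to_octal is a hypothetical helper, not a standard utility.
mode_to_octal() {
    mode=$1
    # Expect exactly 10 characters: file type + three rwx triplets.
    case $mode in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "invalid mode string: $mode" >&2; return 1 ;;
    esac
    special=0
    perms=""
    pos=2                       # skip the file-type character
    for weight in 4 2 1; do     # special-bit weight: setuid, setgid, sticky
        triplet=$(printf '%s' "$mode" | cut -c"$pos"-"$((pos + 2))")
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in
            ??x)    digit=$((digit + 1)) ;;
            # lowercase s/t: special bit set AND execute set
            ??[st]) digit=$((digit + 1)); special=$((special + weight)) ;;
            # uppercase S/T: special bit set, execute NOT set
            ??[ST]) special=$((special + weight)) ;;
        esac
        perms="$perms$digit"
        pos=$((pos + 3))
    done
    if [ "$special" -gt 0 ]; then
        echo "$special$perms"
    else
        echo "$perms"
    fi
}

mode_to_octal "-rwxr-xr--"      # the script.sh line above: 754
```

An uppercase `S` or `T` usually signals a mistake: the special bit is set but the matching execute bit is not.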

## Common Permission Sets

| Octal | Symbolic | Use Case |
|-------|----------|----------|
| `755` | `rwxr-xr-x` | Executable scripts, public directories |
| `644` | `rw-r--r--` | Regular files (HTML, CSS, images) |
| `600` | `rw-------` | Private files (SSH keys, configs with secrets) |
| `700` | `rwx------` | Private executable scripts, private directories |
| `750` | `rwxr-x---` | Group-shared executables/directories |
| `664` | `rw-rw-r--` | Group-writable files |
| `775` | `rwxrwxr-x` | Group-writable directories |
| `777` | `rwxrwxrwx` | World-writable (avoid this — security risk) |
| `400` | `r--------` | Read-only for owner (SSH private keys) |
| `444` | `r--r--r--` | Read-only for everyone |
| `666` | `rw-rw-rw-` | World-readable/writable (rarely appropriate) |
| `000` | `---------` | No access for anyone |

## chmod Command — Symbolic Mode

```bash
# Format: chmod [who][operator][permissions] file
# who: u (user), g (group), o (others), a (all)
# operator: + (add), - (remove), = (set exactly)

chmod u+x script.sh          # Add execute for owner
chmod g+rw file.txt           # Add read+write for group
chmod o-w file.txt            # Remove write for others
chmod a+r file.txt            # Add read for everyone
chmod u=rwx,g=rx,o=r file     # Set exact permissions
chmod go= secret.key          # Remove all group and others permissions
chmod +x script.sh            # Add execute for all (same as a+x)
chmod u+s program             # Set setuid bit
chmod g+s directory            # Set setgid bit
chmod +t /tmp                  # Set sticky bit
```

## chmod Command — Numeric Mode

```bash
chmod 755 script.sh           # rwxr-xr-x
chmod 644 index.html          # rw-r--r--
chmod 600 id_rsa              # rw-------
chmod 700 .ssh                # rwx------
chmod 664 shared-doc.txt      # rw-rw-r--
chmod 775 shared-dir          # rwxrwxr-x
```

## Recursive Permission Changes

```bash
# Change all files and directories recursively
# (this applies 755 to regular files too, so every file becomes executable)
chmod -R 755 /var/www/html

# Change only directories (find + chmod)
find /var/www -type d -exec chmod 755 {} \;

# Change only files
find /var/www -type f -exec chmod 644 {} \;

# Common web server setup
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;
```

## Special Permissions

Beyond the standard rwx bits, there are three special permission bits.

| Permission | Octal | Symbolic | Effect on Files | Effect on Directories |
|------------|-------|----------|----------------|----------------------|
| Setuid | 4000 | `u+s` | File runs as the file owner, not the user running it | No standard effect |
| Setgid | 2000 | `g+s` | File runs with the file's group | New files inherit the directory's group |
| Sticky bit | 1000 | `+t` | No standard effect | Only file owner can delete their files |

```bash
# Setuid example (appears as 's' in user execute position)
chmod 4755 /usr/bin/passwd     # -rwsr-xr-x

# Setgid on directory (new files inherit group)
chmod 2775 /shared/project     # drwxrwsr-x

# Sticky bit (appears as 't' in others execute position)
chmod 1777 /tmp                # drwxrwxrwt

# Numeric with special bits: prepend the special bit digit
chmod 4755 file   # setuid + 755
chmod 2755 dir    # setgid + 755
chmod 1755 dir    # sticky + 755
```

## chown and chgrp

Change file ownership alongside permissions:

```bash
# Change owner
chown alice file.txt
chown alice:developers file.txt    # Change owner and group
chown :developers file.txt         # Change group only
chown -R alice:developers /dir     # Recursive

# Change group
chgrp developers file.txt
chgrp -R developers /dir           # Recursive
```

## Default Permissions (umask)

The `umask` controls default permissions for newly created files and directories.

```bash
# View current umask
umask              # Shows octal (e.g., 0022)
umask -S           # Shows symbolic (e.g., u=rwx,g=rx,o=rx)

# Set umask
umask 022          # Default: files 644, dirs 755
umask 077          # Restrictive: files 600, dirs 700
umask 002          # Group-friendly: files 664, dirs 775
```

| umask | File Default | Directory Default |
|-------|-------------|-------------------|
| `022` | `644` (rw-r--r--) | `755` (rwxr-xr-x) |
| `027` | `640` (rw-r-----) | `750` (rwxr-x---) |
| `077` | `600` (rw-------) | `700` (rwx------) |
| `002` | `664` (rw-rw-r--) | `775` (rwxrwxr-x) |

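The calculation: files start at `666` and directories at `777`. The bits set in the umask are then cleared from that base (a bitwise AND with the umask's complement). This is often described as subtraction, but the two only agree when every bit in the umask is also set in the base.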
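
The mask calculation above, as an added example that is not part of the original cheatsheet. `default_mode` and `matches_kernel` are hypothetical helper names; the second one creates a real file and directory under the umask to confirm the computed values.

```bash
#!/bin/sh
# Added example: default modes are base & ~umask, not base - umask.
# default_mode <umask> <file|dir> prints the resulting octal mode.
default_mode() {
    case $1 in
        ''|*[!0-7]*) echo "umask must be octal digits" >&2; return 1 ;;
    esac
    case $2 in
        file) printf '%03o\n' "$(( 0666 & ~0$1 ))" ;;
        dir)  printf '%03o\n' "$(( 0777 & ~0$1 ))" ;;
        *)    echo "kind must be 'file' or 'dir'" >&2; return 1 ;;
    esac
}

# Create a real file and directory under the given umask and check that
# the modes actually applied equal what default_mode predicts.
# Uses find -perm (exact match) so no non-portable stat flags are needed.
matches_kernel() {
    mk_umask=$1
    tmp=$(mktemp -d) || return 1
    ( umask "$mk_umask"; : > "$tmp/f"; mkdir "$tmp/d" )
    f_ok=$(find "$tmp/f" -prune -perm "$(default_mode "$mk_umask" file)")
    d_ok=$(find "$tmp/d" -prune -perm "$(default_mode "$mk_umask" dir)")
    rm -rf "$tmp"
    [ -n "$f_ok" ] && [ -n "$d_ok" ]
}

# umask 033 on a file: the x bits in the mask are not in 666, so there is
# nothing to clear there. Subtraction would give 633; the real mode is 644.
default_mode 033 file
default_mode 027 dir    # matches the table above: 750
```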

## Quick Reference for Common Scenarios

| Scenario | Recommended | Command |
|----------|-------------|---------|
| Web server files | `644` | `chmod 644 *.html *.css *.js` |
| Web server directories | `755` | `chmod 755 /var/www/html` |
| CGI/executable scripts | `755` | `chmod 755 script.sh` |
| SSH private key | `600` | `chmod 600 ~/.ssh/id_rsa` |
| SSH directory | `700` | `chmod 700 ~/.ssh` |
| SSH authorized_keys | `644` | `chmod 644 ~/.ssh/authorized_keys` |
| `.env` file | `600` | `chmod 600 .env` |
| Shared project directory | `2775` | `chmod 2775 /projects/shared` |
| Temp directory | `1777` | `chmod 1777 /tmp` |
| Log files | `640` | `chmod 640 /var/log/app.log` |
