User Rating 0.0 ★★★★★

Total Usage 0 times

Category Code Utilities

Permission Matrix

	Read	Write	Execute
Owner
Group
Others

Special Bits

SUID SGID Sticky

Results

Octal

Symbolic

---------

File Type

ls -l Preview

----------

chmod Command

chmod 0000 filename

find Command

find . -perm 0000

Quick Presets

Human-Readable Summary

Is this tool helpful?

Your feedback helps us improve.

★ ★ ★ ★ ★

About

Misconfigured file permissions remain the single largest vector for privilege escalation on Linux systems. A file set to 777 grants every user full control. A miscalculated SUID bit on a root-owned binary hands attackers an instant shell. The chmod system encodes access rights into a compact octal representation where each digit is a weighted sum: r × 4 + w × 2 + x × 1. This tool calculates permissions bidirectionally. Toggle checkboxes to produce the octal code and symbolic string, or type an octal value to reverse-map every bit. Special bits (SUID, SGID, Sticky) are handled correctly, including the uppercase/lowercase distinction in symbolic output (s vs S, t vs T) that indicates whether the underlying execute bit is set. The calculator generates ready-to-paste chmod and find commands. It does not guess. It does not approximate. Permissions are deterministic bitmasks and this tool treats them as such.

Formulas

Each permission triple (read, write, execute) maps to a single octal digit through a weighted binary sum:

d = r × 4 + w × 2 + x × 1

where r, w, x ∈ {0, 1} are boolean flags for read, write, and execute respectively.

The full four-digit octal code is composed as:

mode = S ⋅ 1000 + U ⋅ 100 + G ⋅ 10 + O

where S is the special bits digit (SUID = 4, SGID = 2, Sticky = 1), U is the owner digit, G is the group digit, and O is the others digit.

Symbolic notation uses a 9-character string. Special bits modify the execute position: SUID replaces owner's x with s (execute set) or S (execute unset). SGID replaces group's x with s/S. Sticky replaces others' x with t/T.

Reference Data

Octal	Symbolic	Read	Write	Execute	Typical Use Case
0755	rwxr-xr-x	✓ / ✓ / ✓	✓ / ✗ / ✗	✓ / ✓ / ✓	Standard executable, web server directory
0644	rw-r--r--	✓ / ✓ / ✓	✓ / ✗ / ✗	✗ / ✗ / ✗	Regular files, config files, HTML/CSS
0600	rw-------	✓ / ✗ / ✗	✓ / ✗ / ✗	✗ / ✗ / ✗	SSH private keys, secrets, .env files
0700	rwx------	✓ / ✗ / ✗	✓ / ✗ / ✗	✓ / ✗ / ✗	User home directory, private scripts
0444	r--r--r--	✓ / ✓ / ✓	✗ / ✗ / ✗	✗ / ✗ / ✗	Read-only files, published documents
0666	rw-rw-rw-	✓ / ✓ / ✓	✓ / ✓ / ✓	✗ / ✗ / ✗	Shared writable files (use with caution)
0777	rwxrwxrwx	✓ / ✓ / ✓	✓ / ✓ / ✓	✓ / ✓ / ✓	Full access - security risk, avoid in production
0750	rwxr-x---	✓ / ✓ / ✗	✓ / ✗ / ✗	✓ / ✓ / ✗	Group-shared application directories
0640	rw-r-----	✓ / ✓ / ✗	✓ / ✗ / ✗	✗ / ✗ / ✗	Group-readable config (e.g., /etc/shadow)
0440	r--r-----	✓ / ✓ / ✗	✗ / ✗ / ✗	✗ / ✗ / ✗	Sudoers file, read-only group access
0400	r--------	✓ / ✗ / ✗	✗ / ✗ / ✗	✗ / ✗ / ✗	AWS PEM keys, highly sensitive read-only
1777	rwxrwxrwt	✓ / ✓ / ✓	✓ / ✓ / ✓	✓ / ✓ / ✓	/tmp directory - sticky bit prevents deletion
2755	rwxr-sr-x	✓ / ✓ / ✓	✓ / ✗ / ✗	✓ / ✓ / ✓	SGID directory - inherit group ownership
4755	rwsr-xr-x	✓ / ✓ / ✓	✓ / ✗ / ✗	✓ / ✓ / ✓	SUID binary (e.g., /usr/bin/passwd)
4750	rwsr-x---	✓ / ✓ / ✗	✓ / ✗ / ✗	✓ / ✓ / ✗	SUID with group execute, no others
2770	rwxrws---	✓ / ✓ / ✗	✓ / ✓ / ✗	✓ / ✓ / ✗	Collaborative SGID directory
1755	rwxr-xr-t	✓ / ✓ / ✓	✓ / ✗ / ✗	✓ / ✓ / ✓	Sticky bit executable directory
0111	--x--x--x	✗ / ✗ / ✗	✗ / ✗ / ✗	✓ / ✓ / ✓	Execute-only (binary without read)
0511	r-x--x--x	✓ / ✗ / ✗	✗ / ✗ / ✗	✓ / ✓ / ✓	CGI scripts with minimal access
0000	---------	✗ / ✗ / ✗	✗ / ✗ / ✗	✗ / ✗ / ✗	No permissions - root can still access

Frequently Asked Questions

Lowercase s indicates that both the special bit (SUID or SGID) and the underlying execute bit are set. Uppercase S means the special bit is set but the execute bit is not. For example, 4755 produces rwsr-xr-x (lowercase s, execute is on), while 4655 produces rwSr-xr-x (uppercase S, execute is off). The same logic applies to the sticky bit with t vs T in the others' execute position.

Mode 777 grants read, write, and execute to every user on the system. Any process running as any user can modify or replace the file. If that file is a script executed by root or a web server, an attacker can inject arbitrary code. On directories, it means any user can create, rename, or delete files inside. Even seemingly harmless data files can become attack vectors when writable by all - an attacker can alter log files to cover tracks or modify configuration read by privileged services.

The sticky bit (octal 1000) on a directory restricts file deletion. Without it, any user with write permission on the directory can delete any file inside. With the sticky bit set, only the file's owner, the directory's owner, or root can delete or rename files within. The /tmp directory uses mode 1777: everyone can create files, but users cannot delete each other's files. This prevents a common denial-of-service where one user deletes another's temporary files.

On most Linux filesystems, SUID on a directory is ignored. It has no defined behavior in POSIX for directories. SGID on a directory, however, is meaningful: new files and subdirectories created inside inherit the directory's group ownership rather than the creating user's primary group. This is the standard mechanism for shared project directories where multiple users need consistent group ownership. Use mode 2775 or 2770 for collaborative directories.

For compiled binaries, execute-without-read (0111) works: the kernel can load and execute the binary without the user being able to read its contents via cat or cp. For scripts (bash, Python), it fails because the interpreter needs to read the file contents. The kernel detects the shebang line but the interpreter process runs as the user, who lacks read permission. This distinction matters for protecting proprietary binaries while still allowing execution.

The umask is a bitmask that removes permissions from newly created files. Default file creation mode is 0666 and default directory mode is 0777. The effective permission is calculated as mode − umask (bitwise AND with complement). A umask of 022 yields files at 0644 and directories at 0755. A umask of 077 yields files at 0600 and directories at 0700. This calculator shows the final permissions; subtract your umask mentally or use the octal input to check results.