Reading chmod: what 755 actually means.
Three digits that everyone copies from Stack Overflow and nobody quite remembers. But 755 isn't a magic incantation — it's three little sums, and once you see the arithmetic you'll never need to look it up again. Here's how to read any mode at a glance, what the letters mean, and the special bits that bite people.
You want a script to be runnable, so you type chmod 755 deploy.sh and move on. It works, but 755 is doing something specific and legible — it's not a ritual. The Unix permission model is one of the tidiest pieces of design in the system, and it fits in your head in about five minutes.
Three digits, three audiences.
Every file on a Unix system carries permissions for three classes of user, in this fixed order:
- Owner (often called user, abbreviated
u) — the single account that owns the file. - Group (
g) — the file's group; every user in that group gets these permissions. - Other (
o) — everyone else on the system.
An octal mode like 755 is one digit for each: 7 for the owner, 5 for the group, 5 for other. That's the first thing to internalize — the three digits are always owner, group, other, left to right.
Each digit is a sum of 4, 2, 1.
Within each class there are three permissions, and each has a value:
| Permission | Letter | Value |
|---|---|---|
| read | r | 4 |
| write | w | 2 |
| execute | x | 1 |
A digit is simply the sum of the permissions that are turned on. Because 4, 2, and 1 are distinct powers of two, every sum from 0 to 7 is unique — there's exactly one way to make each number:
7 = 4+2+1 rwx (read, write, execute)
6 = 4+2 rw- (read, write)
5 = 4+1 r-x (read, execute)
4 = 4 r-- (read only)
0 = 0 --- (nothing)
So 755 reads as: owner 7 = rwx (full control), group 5 = r-x (read and execute), other 5 = r-x. In plain English: "I can do anything to this file; everyone else can read it and run it, but not change it." And 644 — the default for ordinary files — is owner 6 = rw-, group and other 4 = r--: "I can edit it; everyone else can only read."
The whole trick: read is 4, write is 2, execute is 1. Add up the ones you want, per class, and write the three sums in the order owner-group-other. That's the entire octal notation.
The rwx form, and reading ls -l.
When you run ls -l, permissions show up as a nine-character string like rwxr-xr-x. It's the same information, just spelled out: three characters per class, a letter where the permission is granted and a dash where it isn't. Split it into threes and you can read it directly:
rwx r-x r-x
└┬┘ └┬┘ └┬┘
owner grp other → 755
The very first character you see in ls -l (before the nine) is the file type, not a permission: - for a regular file, d for a directory, l for a symlink. So drwxr-xr-x is a directory with mode 755. chmod also accepts symbolic edits — chmod u+x file adds execute for the owner without touching anything else — which is often clearer than recomputing the octal when you only want to flip one bit.
Why x means something different on a directory.
The same three bits mean different things depending on whether the target is a file or a directory, and the execute bit is the confusing one:
| Bit | On a file | On a directory |
|---|---|---|
| r | read the contents | list the names inside |
| w | modify the contents | create / delete / rename entries |
| x | run it as a program | enter it / access entries by name |
This is why directories are almost always 755 or 700, not 644: without the execute (traverse) bit you can't cd into a directory or reach anything inside it, even if you can list the names. A directory with r but no x lets you see filenames but not open them; x but no r lets you open a file if you already know its exact name but not list what's there. Most "permission denied" surprises on directories trace back to a missing x.
The fourth digit: setuid, setgid, sticky.
Sometimes you'll see a four-digit mode like 4755 or 1777. The leading digit holds three special bits, summed the same way:
- setuid (4) — when set on an executable, it runs with the privileges of the file's owner, not the user who launched it. This is how
passwdcan edit a root-owned file while you run it as yourself. Powerful and security-sensitive. - setgid (2) — like setuid but for the group. On a directory it does something handy: new files inside inherit the directory's group, which keeps shared folders consistent.
- sticky (1) — on a directory, it means "only the owner of a file (or root) may delete it," even if others can write to the directory. This is why
/tmpis mode1777: everyone can create files, but you can't delete someone else's.
In symbolic form these bits ride on top of the execute slots. 4755 shows as rwsr-xr-x — the owner's x became s to signal setuid and execute. If the special bit is set but the underlying execute bit is not, you get a capital letter: 4644 is rwSr--r--. A capital S or T is usually a sign something's misconfigured — you asked for setuid/sticky on something that isn't executable.
Modes worth memorizing.
| Mode | Symbolic | Typical use |
|---|---|---|
| 644 | rw-r--r-- | ordinary files (readable by all, writable by owner) |
| 755 | rwxr-xr-x | scripts, binaries, and directories |
| 600 | rw------- | private files — SSH keys, secrets |
| 700 | rwx------ | private directories (e.g. ~/.ssh) |
| 664 | rw-rw-r-- | group-writable shared files |
| 1777 | rwxrwxrwt | world-writable temp dirs with the sticky bit |
A safety note: chmod 777 ("everyone can do everything") is almost never the right fix, even though it makes a permissions error go away. It usually means the real problem is ownership, and you've just opened the file to every account on the machine. Reach for the narrowest mode that works.
Takeaways.
The thing to remember: read 4, write 2, execute 1; three digits for owner, group, other; a fourth optional digit for setuid (4), setgid (2), and sticky (1). On directories, x means "traverse," which is why they need it. Prefer the least-permissive mode that does the job, and treat 777 and a capital S as smells.
Permissions feel cryptic only because the notation is dense, not because the idea is hard. It's three sums and a left-to-right order. Once that clicks, ls -l output reads like a sentence, and you'll set modes deliberately instead of pasting numbers and hoping.
Stop guessing octal in your head.
The Chmod Calculator turns the checkboxes into the number and back: tick read/write/execute for owner, group, and other — or type an octal value — and it shows the symbolic form, the special bits, and a copy-ready chmod command. Entirely in your browser.