Reading chmod numbers: what 755 and 644 actually mean
Numbers like chmod 755 come up constantly in Unix work, and they’re the kind of thing many people keep looking up rather than internalizing. This article breaks down the encoding so the values stick.
Permissions are 3 groups × 3 actions = 9 bits
File and directory permissions combine who with what they can do.
Who (3 groups)
- Owner (user)
- Group
- Other (world)
What (3 actions)
- Read (r)
- Write (w)
- Execute (x)
3 groups × 3 actions = 9 bits. The 9 characters in ls -l output (after the file-type indicator) map directly:
-rwxr-xr-x
├─┤├─┤├─┤
│ │ └── other: r-x (read + execute)
│ └───── group: r-x (read + execute)
└──────── owner: rwx (read + write + execute)
Numeric notation: three octal digits
Each group’s permissions pack into 3 bits, ranging 0–7:
| Binary | Octal | Notation | Meaning |
|---|---|---|---|
| 000 | 0 | --- | nothing |
| 001 | 1 | --x | execute |
| 010 | 2 | -w- | write |
| 011 | 3 | -wx | write + execute |
| 100 | 4 | r-- | read |
| 101 | 5 | r-x | read + execute |
| 110 | 6 | rw- | read + write |
| 111 | 7 | rwx | read + write + execute |
Mnemonic: r = 4, w = 2, x = 1. Sum to compose:
- rwx = 4 + 2 + 1 = 7
- r-x = 4 + 0 + 1 = 5
- rw- = 4 + 2 + 0 = 6
- r-- = 4 + 0 + 0 = 4
Common values
| Value | Notation | Use |
|---|---|---|
| 755 | rwxr-xr-x | Executables, scripts, directories |
| 644 | rw-r--r-- | Regular text files, configs |
| 700 | rwx------ | Owner-only access (private keys) |
| 600 | rw------- | Owner-only read/write (required for SSH private keys) |
| 777 | rwxrwxrwx | Everyone everything (almost always wrong) |
| 666 | rw-rw-rw- | Everyone read/write (rare) |
Where 644 comes from
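New file default = 666 minus the umask. With the typical umask of 022:
666 - 022 = 644
Directory default = 777 minus the umask:
777 - 022 = 755
So regular files end up at 644 and directories at 755. Strictly, the umask bits are cleared from the default (default AND NOT umask) rather than subtracted; for 022 both give the same result, but with a umask of 027 a new file gets 640, not 637.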
When 700/600 matters: SSH
SSH refuses to read a private key (~/.ssh/id_rsa) if it’s group- or world-readable. This is by design:
$ ssh -i ~/.ssh/id_rsa user@host
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/user/.ssh/id_rsa' are too open.
Fix with chmod 600 ~/.ssh/id_rsa.
The x bit on directories means something else
For files, x is “executable”. For directories, x is “can cd into it / can access entries by name”.
- r-- directory: can ls, but cannot read entries.
- --x directory: cannot ls, but can access entries you already know the name of.
- r-x directory: both (the normal case).
Directories essentially require x. “Always set x on directories” is the rule of thumb.
Special permissions: a fourth digit
chmod 4755 uses four digits; the leading digit covers special permissions.
| Value | Name | Meaning |
|---|---|---|
| 4 | setuid (suid) | Runs with the owner’s privileges |
| 2 | setgid (sgid) | Runs with the owner-group’s privileges |
| 1 | sticky bit | On directories: only owner can delete entries inside |
Combine like the lower digits — up to 7.
Classic setuid: /usr/bin/passwd
passwd lets a user change their own password, which requires writing /etc/shadow (root-only). It works because setuid is set:
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root ... /usr/bin/passwd
   ↑
   setuid (note the s)
setuid on the wrong binary is a privilege-escalation vulnerability. Never set setuid on untrusted code.
Classic sticky bit: /tmp
/tmp is world-writable but you don’t want users deleting each other’s files. The sticky bit means only the file owner can delete entries inside the directory:
$ ls -ld /tmp
drwxrwxrwt 22 root root ... /tmp
         ↑
         sticky bit (note the t)
Symbolic notation alongside numeric
chmod also accepts a symbolic form like chmod u+x file:
- u (user) / g (group) / o (other) / a (all)
- + add / - remove / = set
- r / w / x
chmod u+x file # add execute for owner
chmod go-w file # remove write from group and other
chmod a=r file # set everyone to read-only
Numeric notation says “what to be”; symbolic says “what to change”. Bulk operations like “add execute to many files” read better in symbolic form. New permission setups read clearer in numeric.
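The sections on octal digits, the umask default and the special-permission digit can be checked together in code. The following is an added example, not part of the original article: the names `symbolic`, `default_mode`, `findings`, `audit` and `SAMPLE` are hypothetical, and the inventory is constructed sample data rather than a scan of a real system.

```python
import stat

def symbolic(mode):
    """Render the 12 permission bits as ls -l shows them (no file-type char)."""
    specials = ((stat.S_ISUID, "s"), (stat.S_ISGID, "s"), (stat.S_ISVTX, "t"))
    out = ""
    for shift, (special, letter) in zip((6, 3, 0), specials):
        bits = (mode >> shift) & 0o7          # owner, then group, then other
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if mode & special:
            # lowercase = special bit plus x; uppercase = special bit without x
            out += letter if bits & 1 else letter.upper()
        else:
            out += "x" if bits & 1 else "-"
    return out

def default_mode(base, umask):
    """Mode of a new file (base 0o666) or directory (base 0o777) under umask."""
    return base & ~umask & 0o7777             # bits are cleared, not subtracted

def findings(mode, is_dir=False, private_key=False):
    """Return the risky settings this article calls out for one mode."""
    issues = []
    # World-writable is tolerable only on a directory with the sticky bit (/tmp).
    if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
        issues.append("world-writable")
    if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
        issues.append("setuid/setgid")
    if private_key and mode & 0o077:          # any group/other bit set
        issues.append("key accessible beyond owner")
    return issues

# Constructed sample inventory: (path, mode, is_dir, private_key)
SAMPLE = [
    ("/usr/bin/passwd", 0o4755, False, False),
    ("/tmp", 0o1777, True, False),
    ("/srv/upload", 0o777, True, False),
    ("/home/user/.ssh/id_rsa", 0o644, False, True),
    ("/home/user/notes.txt", 0o644, False, False),
]

def audit(inventory=SAMPLE):
    return {path: findings(mode, d, k) for path, mode, d, k in inventory}

if __name__ == "__main__":
    for path, mode, d, k in SAMPLE:
        print(f"{mode:04o} {symbolic(mode)} {path} {findings(mode, d, k)}")
    print(f"umask 027 -> file {default_mode(0o666, 0o027):03o}")
```

A setuid finding on a binary such as passwd is expected; the list is a review queue, and the entries to act on are the ones you cannot account for.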
Summary
- r=4, w=2, x=1 adds up to each digit.
- Three digits = owner, group, other.
- Memorize: 644 for regular files, 755 for directories, 600 for private keys.
- Fourth digit for setuid / setgid / sticky bit.
When you want to verify the symbolic, numeric, and rwx forms simultaneously, the chmod calculator on this site shows all three side by side.