Linux File Permission Bits

Build chmod modes by toggling rwx and setuid/setgid/sticky, get the octal and ls -l string, decode either way

Interactive Linux permission tool: toggle read/write/execute for owner, group and other plus setuid, setgid and sticky bits to get the octal chmod mode and ls -l symbolic string, or decode an octal mode back to symbolic. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How do octal permission modes work?

Each of owner, group and other gets a digit from 0 to 7, formed by adding read (4), write (2) and execute (1). So 6 is read+write, 7 is read+write+execute, and 5 is read+execute. The mode 644 means owner read+write, group read, other read. An optional leading digit holds the special bits.

Unix file permissions control who can read, write and execute each file. They are encoded as three sets of rwx bits — for owner, group and other — plus three special bits. This tool lets you build a mode visually, read off both the octal chmod value and the ls -l string, and decode an octal mode in reverse.

How the octal system works

Each permission has an octal weight: read = 4, write = 2, execute = 1. Add them per class to get one digit:

rwx = 4+2+1 = 7
rw- = 4+2   = 6
r-x = 4+1   = 5
r-- = 4     = 4

Three digits give owner, group and other (e.g. 755). A leading fourth digit holds the special bits: setuid = 4, setgid = 2, sticky = 1, so 4755 is a setuid executable.

In ls -l the same information appears as a 9-character string like rwxr-xr-x. When a special bit is set it overrides the execute character: s/S for setuid/setgid, t/T for sticky — uppercase when the underlying execute bit is off.

Most common modes and when to use them

Models -lTypical use
644rw-r--r--Regular data files, HTML, configs readable by all
600rw-------SSH private keys, secrets — owner only
755rwxr-xr-xExecutables, directories open to all
700rwx------Private directories, home dirs
2775rwxrwsr-xShared group directory, new files inherit group
1777rwxrwxrwtSticky-bit world-writable, like /tmp

Example: shared upload directory

A shared upload directory that is group-writable and keeps files owned by their creators uses 2775: owner and group get rwx, other gets r-x, and the setgid bit makes new files inherit the directory’s group. Its ls -l string is rwxrwsr-x.

mkdir /srv/uploads
chown root:webteam /srv/uploads
chmod 2775 /srv/uploads

Notes

  • For a directory, execute means “may traverse into it”; without it you cannot open files even if you can list names — a common trap with 644 on directories.
  • Write on a directory lets you create and delete entries, including files you do not own, unless the sticky bit restricts deletion to the file’s owner.
  • setuid is ignored on shell scripts on most modern kernels for security; it only affects compiled binaries.
  • Default modes come from your umask, which subtracts bits from the base 666 (files) or 777 (directories). A umask of 022 produces 644 for files and 755 for directories.

Quickly decoding an unknown mode

When you see a mode in ls -l like rwsr-xr-x and want to know the octal, read it left to right: owner rws = 4+2+1 = 7 with setuid, group r-x = 5, other r-x = 5, setuid prefix = 4. Full octal: 4755. Use the decode field in this tool to verify: type 4755 and confirm the symbolic string matches. This is useful when auditing scripts or configs that include mode strings that are not immediately obvious.