How do octal permission modes work?

Each of owner, group and other gets a digit from 0 to 7, formed by adding read (4), write (2) and execute (1). So 6 is read+write, 7 is read+write+execute, and 5 is read+execute. The mode 644 means owner read+write, group read, other read. An optional leading digit holds the special bits.

What do setuid, setgid and the sticky bit do?

setuid (octal 4000) makes an executable run with the file owner's privileges, like /usr/bin/passwd running as root. setgid (2000) runs with the file's group, and on a directory makes new files inherit that group. The sticky bit (1000) on a directory lets only a file's owner delete or rename it, as used on /tmp.

Why does ls show s or t instead of x sometimes?

When a special bit is set, it replaces the execute character in ls -l output. A setuid file shows s in the owner execute slot (S if execute is off), setgid shows s in the group slot, and the sticky bit shows t in the other slot (T if execute is off). Lowercase means execute is also set, uppercase means it is not.

What permissions does a directory need to be useful?

For a directory, read lets you list names, write lets you create or delete entries, and execute lets you traverse into it to access files by name. You almost always need execute together with read; a directory with read but no execute lets you see names but not open anything inside, so 755 or 700 are the usual choices.

What is the difference between 644 and 755?

644 (owner read/write, group and other read) is the standard mode for regular data files. 755 adds execute for everyone, which is what you want for programs and for directories so they can be entered. Use 600 and 700 instead when a file or directory should be private to its owner.

Linux File Permission Bits

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Unix file permissions control who can read, write and execute each file. They are encoded as three sets of rwx bits — for owner, group and other — plus three special bits. This tool lets you build a mode visually, read off both the octal chmod value and the ls -l string, and decode an octal mode in reverse.

How it works

Each permission has an octal weight: read = 4, write = 2, execute = 1. Add them per class to get one digit:

rwx = 4+2+1 = 7
rw- = 4+2   = 6
r-x = 4+1   = 5
r-- = 4     = 4

Three digits give owner, group and other (e.g. 755). A leading fourth digit holds the special bits: setuid = 4, setgid = 2, sticky = 1, so 4755 is a setuid executable.

In ls -l the same information appears as a 9-character string like rwxr-xr-x. When a special bit is set it overrides the execute character: s/S for setuid/setgid, t/T for sticky — uppercase when the underlying execute bit is off.

Example

A shared upload directory that is group-writable and keeps files owned by their creators uses 2775: owner and group get rwx, other gets r-x, and the setgid bit makes new files inherit the directory’s group. Its ls -l string is rwxrwsr-x.

Notes

For a directory, execute means “may traverse into it”; without it you can’t open files even if you can list names.
write on a directory lets you create and delete entries — including files you don’t own — unless the sticky bit restricts deletion to owners.
setuid is ignored on shell scripts on most modern kernels for security; it only affects binaries.
Default modes come from your umask, which subtracts bits from the base 666 (files) or 777 (directories).