Understanding chmod and Unix file permissions: what 755 and 644 actually mean
chmod 755 script.sh works, but most people copy the number from somewhere without knowing what it says. Once you see the structure, you can read any permission at a glance and pick the right one instead of guessing.
Three groups, three permissions
Every file has permissions for three classes of user:
- Owner — the user who owns the file.
- Group — members of the file's group.
- Others — everyone else.
Each class can have three permissions: read (r), write (w), and execute (x). That is the -rwxr-xr-x you see in ls -l: the first character is the type, then three triplets for owner, group, and others.
The octal shortcut
Each permission has a value: read is 4, write is 2, execute is 1. Add them per class to get one digit.
- 7 = 4 + 2 + 1 = read, write, execute
- 6 = 4 + 2 = read, write
- 5 = 4 + 1 = read, execute
- 4 = read only
- 0 = no access
So 755 means owner has full access (7), group and others can read and execute (5). 644 means owner can read and write (6), everyone else can only read (4). The chmod Calculator lets you tick the boxes and gives you the number, or paste a number and see what it grants.
Why execute means two different things
On a regular file, the execute bit lets you run it as a program. On a directory, execute means something else entirely: permission to enter the directory and access files inside it by name. This is why a directory with read but no execute lists names but refuses to open anything, a confusing failure until you know the rule. Directories almost always want 755 or 700.
Safe defaults
- Regular files: 644. Owner edits, everyone reads. No execute, because data files should not be runnable.
- Scripts and binaries: 755. Add the execute bit so they can run.
- Directories: 755, or 700 for private ones.
- Secrets and SSH private keys: 600. Owner reads and writes, nobody else touches it. SSH actively refuses to use a key that is readable by group or others, so this one is not optional.
The danger sign is 777: read, write, and execute for everyone. It is almost never the right answer, and it is a common foothold in security incidents because any user or process can overwrite the file. If a tutorial tells you to chmod 777, narrow it down. Use the chmod Calculator to find the least permission that actually works, and pair it with the Subnet Calculator and SSL Checker when you are hardening a server end to end.
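As an added example (not part of the original article), this Python audit walks a tree and flags the three cases discussed above: world-writable entries, directories a class can read but not enter, and secret files with any group or others bit set. The SECRET_GLOBS patterns and the sample tree built in demo() are assumptions constructed for illustration.

```python
import fnmatch
import os
import stat
import tempfile

SECRET_GLOBS = ("id_rsa", "id_ed25519", "*.pem", "*.key")  # assumed secret names

def symbolic(mode):
    """0o755 -> 'rwxr-xr-x', using read=4, write=2, execute=1 per class."""
    return "".join(
        ("r" if d & 4 else "-") + ("w" if d & 2 else "-") + ("x" if d & 1 else "-")
        for d in ((mode >> 6) & 7, (mode >> 3) & 7, mode & 7))

def audit(root):
    """Return sorted (relative path, symbolic mode, issue) tuples under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            is_dir, is_file = stat.S_ISDIR(st.st_mode), stat.S_ISREG(st.st_mode)
            if not (is_dir or is_file):
                continue  # skip symlinks, sockets, devices
            mode = stat.S_IMODE(st.st_mode) & 0o777
            issues = []
            if mode & 0o002:  # "others" write bit: anyone can overwrite
                issues.append("world-writable")
            # A class with read (4) but no execute (1) can list names only.
            if is_dir and any((mode >> s) & 4 and not (mode >> s) & 1 for s in (6, 3, 0)):
                issues.append("directory readable but not enterable")
            is_secret = is_file and any(fnmatch.fnmatch(name, g) for g in SECRET_GLOBS)
            if is_secret and mode & 0o077:  # any group/others bit set
                issues.append("secret open to group/others, want 600")
            findings += [(os.path.relpath(path, root), symbolic(mode), i) for i in issues]
    return sorted(findings)

def demo():
    """Audit a constructed sample tree built in a temporary directory."""
    sample = {"data.txt": 0o644, "run.sh": 0o755, "scratch.log": 0o777,
              "id_rsa": 0o644, "id_ed25519": 0o600, "shared/": 0o744}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in sample.items():
            path = os.path.join(root, name)
            os.mkdir(path) if name.endswith("/") else open(path, "w").close()
            os.chmod(path, mode)
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To check a real tree, call audit() with its path; files at 644, 755, or 600 and directories at 755 or 700 produce no findings.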