If you've ever pasted chmod 755 from a Stack Overflow answer without knowing why, or stared at rwxr-xr-x in an ls -l listing wondering what it's telling you, you're not alone. Linux file permissions are one of those things every developer touches constantly and understands properly only after getting burned once. This guide walks through what the numbers actually mean, when 755 is right and when 644 is right, why 777 keeps showing up in "quick fixes" that aren't actually fixes, and how to decode a permission string the moment you see one.
- Each permission digit (0–7) is the sum of read (4), write (2), and execute (1)
- 644 — standard for regular files: owner can read/write, everyone else read-only
- 755 — standard for directories and scripts: owner has full access, everyone else can read and execute
- 777 — full access for everyone, almost never the correct answer
-
rwxr-xr-xis the symbolic spelling of the same permission setls -lshows you — and it decodes to 755
How Octal Permission Numbers Work
Every Linux file or directory has three sets of permissions: one for the owner, one for the group, and one for everyone else. Each set is a single digit from 0 to 7, built by adding together the values of whichever permissions are switched on:
| Value | Meaning |
|---|---|
| 4 | read |
| 2 | write |
| 1 | execute |
So a digit of 7 means read + write + execute (4+2+1), 6 means read + write (4+2, no execute), 5 means read + execute (4+1, no write), and 0 means nothing at all. A three-digit permission like 755 is just three of these digits stacked: 7 for the owner, 5 for the group, 5 for everyone else.
A fourth, leading digit is optional and encodes the special bits — setuid, setgid, and the sticky bit — which we'll come back to further down.
Chmod 755 vs 644: When to Use Each
These two are by far the most common permission sets you'll ever set, and the difference between them is entirely the execute bit.
| Owner | Group | Other | Typical use | |
|---|---|---|---|---|
| 644 | read, write | read | read | Regular files: HTML, CSS, images, config files, documents |
| 755 | read, write, execute | read, execute | read, execute | Directories, shell scripts, compiled binaries |
As a rule of thumb: 644 for files, 755 for directories and anything meant to run. A directory needs its execute bit set just to be entered (cd) or listed properly — without it, even a directory you can "read" will behave strangely.
If a hosting support article tells you to "set permissions to 644", it means: the owner (usually your account or the web server user) can edit the file, and everyone else — including the web server process reading it to serve a page — can only view it. That's exactly right for a static file. Try to make that same file executable and nothing changes for how it's served; the execute bit is irrelevant to files a web server just reads and returns.
Why chmod 777 Is (Almost) Always the Wrong Answer
chmod 777 gives every user on the system — owner, group, and anyone else who can reach the file — full read, write, and execute access. On a shared server or anything reachable by a web process, that means any compromised script, any other user account, or any misconfigured process can read, overwrite, or execute that file freely.
The reason 777 shows up so often in forum "fixes" is that it genuinely does stop the permission-denied error — by removing every restriction, it removes the specific one that was actually the problem too. Almost always, the real fix is narrower: correcting file ownership (chown) so the right user owns the file, or fixing group membership so the process that needs access has it through the group permission instead of blowing the doors off for everyone. 750 or 770 — owner and group get full or read+execute access, "other" gets nothing — covers the overwhelming majority of cases people reach for 777 to solve.
Symbolic Notation: What Does rwxr-xr-x Mean?
ls -l doesn't show you octal digits — it shows you nine characters split into three groups of three, one group per owner/group/other:
rwxr-xr-x
└┬┘└┬┘└┬┘
owner group other
Each group is r, w, x if that permission is granted, or - if it isn't, always in that fixed order. So rwx is 7, r-x is 5, rw- is 6, and r-- is 4 — the same values from the octal table above, just spelled out instead of summed. rwxr-xr-x is therefore owner=7, group=5, other=5: octal 755. rw-r--r-- is 6, 4, 4: octal 644.
Reading Full ls -l Output
A real ls -l line carries more than just the permission string:
-rwxr-xr-x 1 alice staff 8192 Jun 30 09:14 deploy.sh
Breaking that down left to right:
-
-— the file type.-is a regular file,dis a directory,lis a symbolic link. -
rwxr-xr-x— the nine-character permission string covered above (755 here). -
1— the hard-link count. -
alice— the owning user. -
staff— the owning group. -
8192— file size in bytes. -
Jun 30 09:14— last modified. -
deploy.sh— the filename.
Once you know the shape, you can decode any ls -l line at a glance — or paste the whole line into a parser and let it do the arithmetic for you.
Setuid, Setgid, and the Sticky Bit — the Fourth Digit
Beyond the standard three digits, there's an optional fourth digit that sets three special behaviours: setuid (4) makes an executable run with its owner's privileges rather than the caller's; setgid (2) does the same for group identity and, on a directory, makes new files inherit that directory's group automatically; and the sticky bit (1) — used on shared directories like /tmp — means only a file's own owner (or root) can delete or rename it, even if everyone else can write there.
These show up in symbolic notation as a lowercase s or t replacing the execute character when the underlying execute bit is also on, or an uppercase S/T when it isn't (an unusual combination ls -l flags this way on purpose, since it's usually a mistake). It's a small enough detail that it's easier to see live than to memorise — worth playing with rather than reading about.
Try It Yourself
The fastest way to get comfortable with any of this is to stop doing the arithmetic in your head. Skojio's chmod calculator keeps the octal number, the symbolic string, and a checkbox grid all in sync as you edit any one of them, generates the exact chmod command to copy into a terminal, and — if you've got a real ls -l line or a bare permission string sitting in a hosting panel somewhere — parses it straight back into all three views so you can see exactly what it means before you touch it.
It runs entirely in your browser: nothing you type or paste is sent anywhere.
If permissions were the errand that brought you here, a few of Skojio's other free browser-based tools are worth a look too: the JSON Formatter for tidying up config and API output, the Base64 encoder/decoder for the other everyday encoding puzzle, and the Password Generator for the account-security half of "locking things down properly."
Top comments (0)