
When to Use 755 vs 644 (And Why Most chmod Advice Is Half Right)

June 10, 2026·10 min read

Two Numbers Cover Almost Everything

If you have ever copied a chmod command from a forum post, pasted it into a terminal, and watched the problem go away without quite knowing why, you are in the majority. Unix file permissions are not difficult, exactly — there are three bits in three groups and you can memorize the whole system in an afternoon — but they are taught badly. The result is a generation of developers and sysadmins who reach for chmod 777 when something breaks, chmod 755 when they want to feel responsible, and chmod 644 when a tutorial told them to. Most of the time it works. The times it does not are exactly the times the answer matters.

This post is an attempt to explain, plainly and in one place, what 755 and 644 actually mean, when each one is the right choice, and the dozen specific situations where the standard advice is subtly wrong or actively dangerous. By the end you should be able to read any chmod number on sight, decide what it should be for a given file, and recognize the half-dozen permission mistakes that account for nearly every "why is my web server returning 403?" thread on the internet.

The Three Bits, Three Groups Structure

Every file and directory on a Unix-like system has nine permission bits that describe who can do what. The bits are organized into three groups — the file's owner, the file's group, and everyone else (called "other" or "world") — and within each group there are three permissions: read, write, and execute. Read lets you see the contents, write lets you modify them, and execute lets you run the file as a program. That last one has a separate meaning on directories, which is the source of most of the confusion in this entire topic, and we will come back to it.

The numeric notation collapses these nine bits into three digits by treating each group as a binary number where read is worth 4, write is worth 2, and execute is worth 1. You add them up. Read plus write plus execute is 7. Read plus execute is 5. Read plus write is 6. Read alone is 4. The three digits in chmod 755 describe, in order, the owner's permissions, the group's permissions, and everyone else's permissions. So 755 means the owner can read, write, and execute (4+2+1); the group can read and execute (4+1); and other can read and execute (4+1). 644 means the owner can read and write (4+2); the group can read (4); and other can read (4). That is the whole encoding.

If you want to skip the arithmetic, the chmod calculator on this site flips the bits with switches and shows you the numeric mode, the symbolic rwxr-xr-x string, and the exact chmod command in one place. Useful when you are sanity-checking a deployment script or trying to explain to a teammate why a particular directory needs to be 750 rather than 755. But the conceptual model above is what you should hold in your head when reading existing modes; the calculator is for composing new ones.

What 755 Is Actually For

755 is the standard mode for two specific kinds of filesystem objects: directories that should be world-traversable, and executable files that everyone should be able to run. Those are not the same use case and the reasoning is different in each, even though the number is the same.

For a directory, the execute bit does not mean "run it as a program." It means "you can traverse into this directory and access files inside it whose names you already know." This is the single most counterintuitive piece of the whole system. A directory with mode 644 — read but not execute — lets you list the names of files inside it, because directory contents are essentially a list of name-to-inode mappings that read permission lets you see. But you cannot open any of those files, even if their own permissions allow it, because opening a file requires traversing the directory it lives in, and traversal requires the execute bit. Conversely, a directory with mode 711 — execute but not read — lets you open files inside it if you know their exact names, but you cannot list the directory to discover what names exist. This is occasionally useful as a deliberate security posture.

For an executable file — a script, a compiled binary, a CGI program — 755 means the owner can edit and run it, while everyone else can run it but cannot modify it. That is the right posture for almost any script you want to share. Common files that should be 755 include shell scripts you put in ~/bin, system binaries in /usr/local/bin, and CGI handlers in a web server's executable directory. The rule of thumb is: if invoking the path is supposed to run the contents, it should be 755. If invoking it is supposed to dump the contents to stdout, it should not.

What 644 Is Actually For

644 is the standard mode for files that are meant to be read but not executed, by their owner or anyone else. That covers the overwhelming majority of files on a normal system: HTML, CSS, JavaScript, Markdown documents, configuration files that get loaded rather than executed, images, audio, video, almost everything in /etc, and the entire content of a typical web root. The owner can edit them; the group and the world can read them; nobody can run them as a program, which is the right answer because they are not programs.

The split between 755 and 644 is the basis of the most common piece of permissions advice you will see for web hosting: directories should be 755, files should be 644. That advice is correct for the default web-serving case where the server process needs to traverse the directory tree and read the files, but does not need to write to anything, and where you are running as the file owner and want to be able to edit. It is the standard WordPress, Drupal, and static-site recommendation, and it works precisely because the directory-traversal versus file-read distinction maps cleanly onto how a web server actually serves requests.

If you ever wondered why so much advice converges on these two specific numbers, this is the reason: 022 is the default umask on most Linux distributions, which means new files are created without the write bit for group and other. A new file the user touches lands at 644; a new directory lands at 755. The advice is not a magic incantation; it is just the default world rendered explicitly so people stop fighting it.

The Places the Standard Advice Is Wrong

Knowing when 755 and 644 are correct is half the skill. The other half is knowing when they are not. The following situations are where blindly applying the default pattern will give you a working but insecure or actively broken system.

WordPress wp-config.php. If your wp-config.php is mode 644, your database password is readable by every user account on the server. On a shared host, that includes other tenants. The conservative mode is 600 (owner can read and write, nobody else can do anything) if the web server runs as the file owner, or 440 if a separate group needs read access. The same logic applies to .env files, Rails secrets.yml, Django settings.py with embedded credentials, and any other file whose contents are sensitive.

SSH private keys. The ~/.ssh directory must be mode 700, and the private key file inside it must be 600. OpenSSH actively refuses to use a private key with looser permissions, on the theory that a key readable by other accounts cannot really be considered private. People who copy keys around with scp and then get cryptic "permissions are too open" errors are running into exactly this check. The right answer is not to argue with SSH but to fix the permissions.

Scripts that the web server runs. If you have a CGI script or a webhook receiver that the web server actually executes, mode 755 is fine as long as the script itself is not writable by the user the web server runs as. A subtle and common mistake is making the script 777 "to be safe," which makes the script itself world-writable: any user or process on the host (including, on a compromised system, the attacker who just landed a file upload exploit) can overwrite the script with their own code, and the web server will run it. Mode 755 is more secure than 777, not less.

Directories that need write access for uploads. The standard advice says directories should be 755. An upload directory cannot be 755 because the web server needs to write into it. The conservative mode is 750, with the directory owned by the user the web server runs as and the web server's group set as the directory's group, or 775 if you genuinely need group write across multiple users. Mode 777 on an upload directory is a security incident waiting to happen because any other process or tenant on the host can drop files into it.

Log files. Log files should usually be 640 or 600, not 644, because logs frequently contain sensitive information — IP addresses, session tokens, error context that includes user input. The default world-readable posture is convenient and wrong.

Setuid and setgid binaries. Some binaries need to run with the permissions of their owner rather than the invoking user; sudo is the canonical example. These have a fourth digit before the usual three: 4755 sets the setuid bit, 2755 sets setgid, and 1755 sets the sticky bit. The sticky bit on /tmp is why you cannot delete other users' files there even though the directory is world-writable. If you do not know what you are doing, do not set these bits. If you find a file you do not recognize that has them set, treat it as a finding worth investigating.
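The six cases above reduce to checks you can run over a directory tree. The script below is an added example, not part of the original post or of any particular tool: it walks a tree, flags the mistakes the post lists (world-writable files and upload directories, world-readable secrets and logs, a ~/.ssh or private key with loose modes, unexpected setuid/setgid bits), and builds a constructed fixture in a temp directory so it runs stand-alone. The list of secret file names is assumed from the post and is not exhaustive.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names the post calls out as holding credentials (assumed list, not exhaustive).
SECRET_NAMES = {"wp-config.php", ".env", "secrets.yml", "settings.py"}


def audit_tree(root: str) -> list:
    """Return sorted (relative path, finding) pairs for the mistakes the post lists."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is irrelevant; its target is audited on its own
            mode = stat.S_IMODE(st.st_mode)  # the 12 permission bits, incl. setuid/setgid/sticky
            rel, is_dir = os.path.relpath(path, root), stat.S_ISDIR(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))  # 777 scripts and upload directories
            if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid set"))  # expected on sudo, not on unknowns
            if name in SECRET_NAMES and mode & stat.S_IROTH:
                findings.append((rel, "secret world-readable"))  # 600 or 440 is the post's answer
            if name.endswith(".log") and mode & stat.S_IROTH:
                findings.append((rel, "log world-readable"))  # 640 or 600 instead of 644
            if is_dir and name == ".ssh" and mode != 0o700:
                findings.append((rel, "~/.ssh not 700"))
            if os.path.basename(dirpath) == ".ssh" and name.startswith("id_") \
                    and not name.endswith(".pub") and mode & 0o077:
                findings.append((rel, "private key readable by others"))  # OpenSSH refuses these
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed fixture (not a real deployment) reproducing the post's mistakes; returns its root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    layout = {  # trailing slash marks a directory
        "public/": 0o755, "public/index.html": 0o644, "public/wp-config.php": 0o644,
        "public/uploads/": 0o777, "cgi-bin/hook.sh": 0o777, "logs/access.log": 0o644,
        ".ssh/": 0o755, ".ssh/id_ed25519": 0o644, "bin/tool": 0o4755,
    }
    for rel in layout:
        path = Path(root, rel.rstrip("/"))
        if rel.endswith("/"):
            path.mkdir(parents=True, exist_ok=True)
        else:
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("placeholder\n")
    for rel, mode in layout.items():  # set modes only after everything exists
        os.chmod(Path(root, rel.rstrip("/")), mode)
    return root


if __name__ == "__main__":
    for rel, finding in audit_tree(build_sample_tree()):
        print(f"{finding:32} {rel}")
```

Only index.html and the 755 directories come back clean; everything else in the fixture is one of the post's cases.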

Symbolic Notation Is Worth Learning

The numeric mode is concise, but the symbolic mode that chmod also accepts is often clearer for incremental changes. chmod u+x script.sh adds the execute bit for the user without touching anything else. chmod go-w file removes write permission for group and other. chmod a=r file sets read-only for everyone. The pattern is who op what: u, g, o, or a for the subject; +, -, or = for the operation; r, w, or x for the permission.

The reason this matters is that scripts using numeric mode overwrite everything. chmod 644 file sets the mode regardless of what was there before, including stripping the setuid bit if it was set. chmod u-x file only changes the one bit you mentioned. For automation that should be precise about what it is changing, symbolic notation is safer.
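To make the numeric-versus-symbolic difference concrete, here is an added example (not code from the post or from its calculator) that renders a numeric mode as the rwx string from the section on the three-bit encoding and applies a single symbolic clause to a mode. It handles only the r, w and x permissions the post describes; the setuid, setgid and sticky bits are shown but never changed, which is the point about chmod u-x keeping setuid where chmod 644 would strip it.

```python
import stat

# Per-subject bit triples in the post's order: owner (u), group (g), other (o).
WHO_BITS = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}
# The "fourth digit" bits; ls shows them in the execute column of the matching subject.
SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}


def to_symbolic(mode: int) -> str:
    """Render a numeric mode as the rwx string ls prints, e.g. 0o4755 -> 'rwsr-xr-x'."""
    out = []
    for who in "ugo":
        r, w, x = WHO_BITS[who]
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & SPECIAL[who]:
            letter = "t" if who == "o" else "s"  # lower case when execute is also set
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def apply_symbolic(mode: int, clause: str) -> int:
    """Apply one chmod clause such as 'u+x', 'go-w' or 'a=r' to a mode and return the result.

    Only r, w and x are handled; the special bits are left untouched, so
    'u-x' on 4755 yields 4655 (setuid kept) where a numeric chmod 644 would drop it.
    """
    i = 0
    while i < len(clause) and clause[i] in "ugoa":
        i += 1
    who, op, perms = clause[:i] or "a", clause[i:i + 1], clause[i + 1:]
    if op not in ("+", "-", "=") or any(p not in "rwx" for p in perms):
        raise ValueError(f"unsupported clause: {clause!r}")
    for subject in ("ugo" if "a" in who else who):
        r, w, x = WHO_BITS[subject]
        wanted = (r if "r" in perms else 0) | (w if "w" in perms else 0) | (x if "x" in perms else 0)
        if op == "+":
            mode |= wanted
        elif op == "-":
            mode &= ~wanted
        else:  # '=' replaces this subject's rwx triple and nothing else
            mode = (mode & ~(r | w | x)) | wanted
    return mode
```

Reading the result back through to_symbolic is the "say the mode out loud" check the post recommends: 0o4655 prints as rwSr-xr-x, the capital S warning you that setuid is set on a file its owner can no longer execute.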

The Mental Model to Walk Away With

If you remember nothing else, remember this. A chmod number is three digits, one per owner-group-other, each summing read (4), write (2), and execute (1). Directories need execute to be traversable, which is what 755 buys you. Most files do not need execute and 644 is right. Anything that contains secrets should be tighter than the default, usually 600. Anything that needs to be runnable should be looser than the default, usually 755. The standard advice — directories 755, files 644 — is the right starting point for almost all web content, and the right starting point for almost nothing that touches credentials. When in doubt, run the command through the calculator first, read what the symbolic mode says out loud, and ask whether that sentence is what you actually meant. The answer is usually obvious once the bits are visible.
