Forem: VAtSea

What `-rwxr-xr-x` Really Means

VAtSea — Fri, 03 Apr 2026 12:19:45 +0000

File mode

Ever wondered what this -rw-r--r--@ means in this list?

➜  demo git:(main) ✗ ls -l
drwxr-xr-x@ 2 johndoe  staff  64  3 Apr 11:12 mydir
-rwxr-xr-x@ 1 johndoe  staff   0  3 Apr 11:12 myfile

This is called the file mode. It shows the file type and the permissions set on that file or directory.

Let's break down what each bit represents.

-rwxr-xr-x

The first bit represents the file type. It can indicate a regular file, a directory, or a symlink.

d represents a directory
- represents a regular file
l represents a symlink

Note: A symlink is like a shortcut. It points to another file or directory.

The next 9 bits represent the permissions for the file/directory.

r represents read permission
w represents write permission
x represents execute permission

They come in sets of 3:

The first 3 bits represent the owner permissions
The second 3 bits represent the group permissions
The third 3 bits represent the permissions for others

In this example rwx r-x r-x:

rwx represents the owner permissions. The owner can read, write to, and execute the file.
r-x represents the group permissions. Users in the group can read and execute the file, but they cannot write to it.
r-x represents the permissions for others. Everyone else can read and execute the file, but they cannot write to it.

You may also notice an extra @ at the end of the output from ls -l on macOS. That is not part of the file mode itself. It usually indicates that the file or directory has extended attributes.

How to update the permissions

We can update permissions with the chmod command.
It has two modes that we can use:

Symbolic mode
Numeric mode

Numeric mode

Let's go through numeric mode first.

Each of these permissions in rwx has a number:

Permission	Number
r	4
w	2
x	1

These numbers are used to represent permissions in numeric form. For example, rwxr-xr-x means the owner has full permissions, while group and others have read and execute permissions. This is written as 755.

rwxr-xr-x = (4 + 2 + 1) (4 + 1) (4 + 1) = 7 5 5

Here is a handy table for numeric permissions:

Octal	Permission
7	rwx
6	rw-
5	r-x
4	r--

Examples:

chmod 444 file      # Only read permissions for everyone
chmod 544           # Read and execute permission for owner, only read permission for others

Wondering about other combinations, such as -w- ? Yes, they are valid. Some combinations are uncommon or less useful in practice, but experimenting with them in a test directory is a good way to understand how permissions behave.

Symbolic mode

Now let's take a look at symbolic mode, which you can use with chmod.

chmod [who][operator][permissions] file

This is the basic structure of symbolic mode.

who can be u, g, o, or a: user/owner, group, others, and all
operator can be -, +, or =: remove permission, add permission, or set exact permission
permissions can be r, w, or x

Examples:

chmod u-rwx file    # remove read write execute permissions from user (owner)
chmod u+x file      # Add execute for owner
chmod g-w file      # Remove write permission from group
chmod a=rw file     # Set read and write access for everyone

Decode JWT in the terminal

VAtSea — Wed, 01 Apr 2026 18:21:39 +0000

Do you still use online tools like jwt.io to decode JWT tokens? Ever wonder how they are decoded?
Would you like to have a tool right in your terminal to do it?

Let's decode the JWT

A JWT token has three parts. It's in the following format:

header.payload.signature

All three parts are part of the token, but in this article we will only decode the header and payload.
The signature is used to verify the token with the secret. We will not be covering that this time.

In this article, we will decode a JWT token with Node.js and also write a small command line script so we can decode it from the terminal using jwt <token>.

Let's get started.

We will do this in steps so you can build along and test it all the way.

We will start with a simple function decodeJwt(token) to decode the token
We will add support to pass the token while running the script node jwt <token>
We will add it as a global script which can be used from anywhere jwt <token>

Step 1: Create the `decodeJwt` function

Create a scripts directory in a location of your choice.

mkdir scripts

Add the jwt file.

touch jwt

A JWT token will be in the header.payload.signature format. Let's split it and get the values.

function decodeJwt(jwtToken) {
  const [header, payload, signature] = jwtToken.split(".");
}

Let's write a function to decode a base64url-encoded string.

function base64UrlDecode(str) {
  // Replace URL safe chars
  str = str.replace(/-/g, "+").replace(/_/g, "/");

  // Add padding if needed
  while (str.length % 4) {
    str += "=";
  }

  return Buffer.from(str, "base64").toString("utf8");
}

Now let's decode the payload.

function decodeJwt(jwtToken) {
  const [header, payload, signature] = jwtToken.split(".");
  const decodedPayload = JSON.parse(base64UrlDecode(payload));
}

Let's test the script.

Code so far:

function base64UrlDecode(str) {
  // Replace URL safe chars
  str = str.replace(/-/g, "+").replace(/_/g, "/");

  // Add padding if needed
  while (str.length % 4) {
    str += "=";
  }

  return Buffer.from(str, "base64").toString("utf8");
}

function decodeJwt(jwtToken) {
  const [header, payload, signature] = jwtToken.split(".");
  const decodedPayload = JSON.parse(base64UrlDecode(payload));
  console.log("Payload::");
  console.log(decodedPayload);
}

decodeJwt(
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIn0.OdG00YOF5aRPGJ2QgRh90hu9AO3Xye8bonaEtPaVodU",
);

Let's run this script with Node.js.

node jwt

Payload::
{ sub: 'user123' }

Step 2: Let's make this run like a CLI utility.

Usage:

node jwt <jwtToken>

Remove the function call and add these to the end of the file.

...
const jwtToken = process.argv[2];

if (!jwtToken) {
  console.error("token not found");
  console.error("Usage: jwt <token>");
  process.exit(0);
}

decodeJwt(jwtToken);

Now we can run this script by passing a JWT token as input.

node jwt <token>

Step 3: Let's make this script run from anywhere in the terminal.

The goal is to run jwt <token> from any folder and have it work.

Let's do it.

Let’s add the following line to the top of our jwt file. This tells the operating system to run the script using Node.js. It will find node in the current PATH and use it to run the script.

#!/usr/bin/env node

Now we have to make this file executable.

What is an executable? How do we check it?

Run ls -l in the scripts folder and you will get something like this:

-rw-r--r--@ 1 johndoe  staff   682  1 Apr 22:39 jwt

-rw-r--r-- shows the file permissions.
We have only read and write access as a user. We have to make it executable.

To do this, run chmod 700 jwt and run ls -l again. You should have rwx now. You will be able to run this file.

-rwx------@ 1 johndoe  staff   682  1 Apr 22:39 jwt

You can read more about permissions here filemode

Now you can just run ./jwt <token> to decode.

Do I still have to be in the scripts folder to run it?

Yes, for now, but we can change this.
We need to add this scripts folder to our PATH variable so the terminal knows where to look for it.

How do I add this?

If you use the zsh terminal, there will be a .zshrc file in your home folder.

Add your folder path to PATH.

If your scripts folder is on your Desktop:

echo 'export PATH=$PATH:$HOME/Desktop/scripts' >> ~/.zshrc

Now source your .zshrc using source ~/.zshrc.

Run which jwt. It should show your file path.

which jwt
/Users/johndoe/Desktop/scripts/jwt

Now you can run jwt <token> from any folder in your terminal. Your JWT token will be decoded and displayed.

Final command:

jwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIn0.OdG00YOF5aRPGJ2QgRh90hu9AO3Xye8bonaEtPaVodU
Payload::
{ sub: 'user123' }

You can find the code and article details in this repo jwt repo