RED HAT ENTERPRISE LINUX
Standard File Permissions
List, set, and change standard ugo/rwx permissions
CIS126RH | RHEL System Administration 1
Mesa Community College
Every file and directory on a Linux system has a set of permissions that control who can read it, write to it, and execute it. The ugo/rwx permission model — user, group, and other combined with read, write, and execute — is the foundation of Linux access control. Understanding how to read, set, and change these permissions is tested directly on the RHCSA exam and applied in nearly every other administration task.
Learning Objectives
- Read and interpret permission strings — Identify file type, user, group, and other permissions from ls -l output
- Understand what permissions mean for files and directories — Explain how read, write, and execute apply differently to files versus directories
- Change permissions with chmod — Use both symbolic mode and octal mode to set permissions exactly
- Change ownership with chown and chgrp — Reassign the user owner and group owner of files and directories
The Permission Model
Every file and directory has three sets of permissions — one for each of three categories of users.
| Category | Letter | Who it applies to |
|---|---|---|
| User | u | The file's owner — the user account that owns the file |
| Group | g | Members of the file's group — accounts that belong to the owning group |
| Other | o | Everyone else — any account that is neither the owner nor in the group |
Each category has three permissions:
| Permission | Letter | On a file | On a directory |
|---|---|---|---|
| Read | r | View file contents | List directory contents with ls |
| Write | w | Modify file contents | Create, delete, or rename files inside the directory |
| Execute | x | Run the file as a program | Enter the directory and access its contents with cd |
Reading the ls -l Permission String
The first field in ls -l output is a 10-character permission string.
$ ls -l /etc/ssh/sshd_config
-rw-r--r-- 1 root root 3905 May 25 09:00 sshd_config
#  -    rw-   r--   r--
#  |     u     g     o     (user, group, other)
#  file type
| Position | Meaning | Possible values |
|---|---|---|
| 1 | File type | - regular file, d directory, l symlink, b block device, c char device |
| 2–4 | User (owner) permissions | Each position: r, w, x, or - (not set) |
| 5–7 | Group permissions | Same pattern |
| 8–10 | Other permissions | Same pattern |
-rw-r--r-- means: regular file; owner can read and write;
group can read only; others can read only. No one but root can write.
Common Permission Patterns
These patterns appear throughout a RHEL system. Being able to read them at a glance is an essential administration skill.
| Permission string | Typical use | What it means |
|---|---|---|
| -rw-r--r-- | Config files (/etc/hosts) | Owner reads and writes; group and others read only |
| -rw------- | Private keys, private config | Owner reads and writes; no access for group or others |
| -rwxr-xr-x | System commands (/usr/bin/ls) | Owner full access; group and others read and execute |
| -rwx------ | Personal scripts | Owner full access; no access for anyone else |
| drwxr-xr-x | Standard directories (/etc) | Owner full access; others can list and enter but not modify |
| drwx------ | Home directories | Only owner can list, enter, or modify |
| drwxrwxr-x | Shared project directories | Owner and group can create or delete files; others read and enter |
| -rw-rw-r-- | Shared documents | Owner and group can read and write; others read only |
Permissions on Directories
Directory permissions behave differently from file permissions. This is the most commonly misunderstood area of Linux access control.
| Permission | On a directory — what it allows | Without it — what fails |
|---|---|---|
| Read (r) | List the filenames inside with ls | ls shows "Permission denied" or lists filenames without metadata |
| Write (w) | Create new files, delete existing files, rename files inside | Cannot create or remove files inside — even if you own the file |
| Execute (x) | Enter the directory with cd and access file contents | Cannot cd into the directory — all access to its contents is blocked |
Read permission on a directory lets you see filenames, but execute permission is required to actually access those files. Without execute on a directory, you cannot read, write, or execute any file inside it — even if the file itself has open permissions.
chmod: Symbolic Mode
chmod changes permissions. Symbolic mode uses letters to describe
the change — readable and easy to apply incrementally.
Symbolic syntax: chmod WHO OPERATOR PERMISSION file
| WHO | OPERATOR | PERMISSION |
|---|---|---|
| u user, g group, o other, a all | + add, - remove, = set exactly | r read, w write, x execute |
# Add execute permission for the owner
$ chmod u+x script.sh
# Remove write permission from group and other
$ chmod go-w config.txt
# Set group to read-only exactly — removes write and execute
$ chmod g=r config.txt
# Add read and execute for everyone
$ chmod a+rx shared-script.sh
# Multiple changes in one command — comma separated
$ chmod u+x,g-w,o=r file.txt
Symbolic mode is safer than octal for incremental changes because it only modifies the bits you specify — the others stay the same.
chmod: Octal Mode
Octal mode uses a three-digit number to set all nine permission bits at once. Each digit represents one category — user, group, other.
| Permission | Octal value |
|---|---|
| Read (r) | 4 |
| Write (w) | 2 |
| Execute (x) | 1 |
| No permission | 0 |
Add the values together for each category to get the digit for that category.
| Octal | Symbolic | Meaning |
|---|---|---|
| 7 | rwx | 4+2+1 — read, write, execute |
| 6 | rw- | 4+2 — read and write |
| 5 | r-x | 4+1 — read and execute |
| 4 | r-- | 4 — read only |
| 0 | --- | no permissions |
chmod Octal Examples
Three digits — user, group, other — each calculated by adding the permission values.
# 644: rw-r--r-- — standard config file
$ chmod 644 /etc/myapp.conf
# 755: rwxr-xr-x — standard executable or public directory
$ chmod 755 /usr/local/bin/myscript.sh
# 700: rwx------ — private directory, owner only
$ chmod 700 /home/student/.ssh
# 600: rw------- — private file, owner read/write only
$ chmod 600 /home/student/.ssh/id_ed25519
# 664: rw-rw-r-- — group-writable shared file
$ chmod 664 /srv/project/report.txt
# Recursive — apply to a directory and everything inside
$ chmod -R 755 /var/www/html
Memorise these five octal values and their symbolic equivalents:
7=rwx, 6=rw-, 5=r-x, 4=r--, 0=---.
The exam uses both notations.
Symbolic vs Octal: When to Use Each
| Situation | Preferred mode | Why |
|---|---|---|
| Add execute to a script you just created | Symbolic: chmod u+x script.sh | Only changes one bit — other permissions stay untouched |
| Remove world-write from a file | Symbolic: chmod o-w file | Precise — only removes the dangerous bit |
| Set a config file to standard permissions | Octal: chmod 644 file | Sets all nine bits at once to a known state |
| Set SSH key permissions | Octal: chmod 600 id_ed25519 | Fast and unambiguous — all bits set at once |
| Give group the same access as the owner | Symbolic: chmod g=u file | Copies the user bits to group — no arithmetic needed |
chmod 644 file and chmod u=rw,g=r,o=r file
produce identical permissions. Use whichever is clearer for the task at hand.
The RHCSA exam accepts either notation.
Changing Ownership with chown
chown changes the user owner and optionally the group owner of a file
or directory. Only root can change ownership.
# Change the user owner only
$ sudo chown maria report.txt
# Change the group owner only — note the colon
$ sudo chown :developers project/
# Change user owner and group owner together
$ sudo chown maria:developers project/
# Recursive — apply to a directory tree
$ sudo chown -R apache:apache /var/www/html
# Verify the result
$ ls -l report.txt
-rw-r--r-- 1 maria developers 1024 May 25 09:00 report.txt
chown user file — change user owner only
chown :group file — change group owner only
chown user:group file — change both at once
Changing Group with chgrp
chgrp changes only the group owner of a file or directory.
A regular user can use chgrp to change the group to any group
they are a member of.
# Change group owner of a file
$ chgrp developers project.txt
# Change group of a directory tree
$ chgrp -R developers /srv/project
# chown :group is equivalent — most admins prefer chown
$ sudo chown :developers project.txt
# Verify group membership before attempting chgrp
$ id
uid=1000(student) gid=1000(student) groups=1000(student),1001(developers)
| Command | Who can use it | What it changes |
|---|---|---|
| chown user file | Root only | User owner |
| chown :group file | Root only | Group owner |
| chown user:group file | Root only | Both |
| chgrp group file | Root or member of group | Group owner only |
The umask
The umask is a mask applied to the default permissions of newly created
files and directories. It subtracts permissions from the maximum default.
- Default maximum for new files: 666 (rw-rw-rw-) — no execute by default
- Default maximum for new directories: 777 (rwxrwxrwx)
- The umask is subtracted from the maximum to give the actual permissions
# View the current umask
$ umask
0022
# umask 022 applied to new files: 666 - 022 = 644 (rw-r--r--)
# umask 022 applied to directories: 777 - 022 = 755 (rwxr-xr-x)
# Change the umask for the current session
$ umask 027
# New files: 666 - 027 = 640 (rw-r-----)
# New dirs: 777 - 027 = 750 (rwxr-x---)
# Confirm the effect
$ touch testfile
$ ls -l testfile
-rw-r----- 1 student student 0 May 25 testfile
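The calculation above, as an added example that is not part of the original course material: the kernel clears the umask bits from the requested maximum, which matches the subtraction for 022 and 027, and the script checks the prediction against files it actually creates. The function names and the sample values 033 and 644 are chosen for this example; GNU stat (stat -c) is assumed.

```sh
# Added example. Assumes GNU stat (stat -c), as shipped on RHEL.

# expected_mode UMASK file|dir
# The requested maximum with every umask bit cleared: max AND NOT umask.
expected_mode() {
    case $2 in dir) em_max=0777 ;; *) em_max=0666 ;; esac
    printf '%03o\n' $(( $em_max & ~0$1 ))
}

# observed_mode UMASK file|dir
# Creates a real file or directory under that umask and prints its mode.
# Runs in a subshell so the caller's umask is left alone.
observed_mode() {
    (
        om_tmp=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$om_tmp/new"; else : > "$om_tmp/new"; fi
        om_mode=$(stat -c '%a' "$om_tmp/new")
        chmod 700 "$om_tmp/new"; rm -rf "$om_tmp"
        printf '%03o\n' "0$om_mode"
    )
}

# 022 and 027 are the values from the text; 033 and 644 are constructed
# to show where digit-by-digit subtraction stops matching the result.
for um in 022 027 033 644; do
    for kind in file dir; do
        printf 'umask %s  %-4s expected %s  observed %s\n' "$um" "$kind" \
            "$(expected_mode "$um" "$kind")" "$(observed_mode "$um" "$kind")"
    done
done
```

With umask 033 a new file comes out as 644, not 633, and with umask 644 it comes out as 022, because bits are cleared rather than digits subtracted.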
How the Kernel Makes Access Decisions
When a process tries to access a file, the kernel checks permissions in order and stops at the first match.
- Is the process running as root? Root bypasses permission checks — access is always granted (with exceptions for execute).
- Is the process's UID the same as the file's user owner? Apply the user (u) permission bits.
- Is the process's GID or any supplementary group the same as the file's group? Apply the group (g) permission bits.
- Otherwise, apply the other (o) permission bits.
If the user owns the file, only the user bits apply — the group and other bits are
ignored. This means the file owner can have fewer permissions than the group
if the user bits are more restrictive. Example: ----rwxrwx — the owner
cannot access their own file, but group and other can.
Diagnosing Permission Problems
Permission errors are the most common cause of "why isn't this working" on Linux. A systematic approach finds the problem quickly.
Step 1: Identify who is running the command
$ id
uid=1000(student) gid=1000(student) groups=1000(student),1001(developers)
Step 2: Check permissions on the file and its parent directories
$ ls -l /etc/ssh/sshd_config
$ ls -ld /etc/ssh
$ ls -ld /etc
Step 3: Apply the access decision rules
- Does the user own the file? Check user bits.
- Is the user in the file's group? Check group bits.
- Neither? Check other bits.
- Does every directory in the path have execute permission for this user?
ls -l /etc/ssh lists the contents of /etc/ssh.
ls -ld /etc/ssh shows the permissions on /etc/ssh itself.
Always check both the file and its parent directory when diagnosing access problems.
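The decision order from the previous slide and the path check described here, as an added example that is not part of the original course material: applied_bits models the first-match rule, and check_path walks every component from / down to the target and flags any directory whose applied bits lack x. The function names and uid 61234 are constructed for this example; GNU stat is assumed.

```sh
# Added example. Assumes GNU stat; uid/gid 61234 is a constructed identity.

# applied_bits UID "GIDS" FILE_UID FILE_GID OCTAL_MODE -> "class rwx"
# First match wins: root, then user, then group, then other.
applied_bits() {
    ab_mode=$((0$5)); ab_class=other; ab_bits=$((ab_mode & 7))
    if [ "$1" -eq 0 ]; then
        echo "root bypass"; return 0   # root's execute exception is not modelled
    elif [ "$1" -eq "$3" ]; then
        ab_class=user; ab_bits=$(( (ab_mode >> 6) & 7 ))
    else
        for ab_g in $2; do
            [ "$ab_g" -eq "$4" ] || continue
            ab_class=group; ab_bits=$(( (ab_mode >> 3) & 7 )); break
        done
    fi
    ab_r=-; ab_w=-; ab_x=-
    [ $((ab_bits & 4)) -eq 0 ] || ab_r=r
    [ $((ab_bits & 2)) -eq 0 ] || ab_w=w
    [ $((ab_bits & 1)) -eq 0 ] || ab_x=x
    echo "$ab_class $ab_r$ab_w$ab_x"
}

# check_path UID "GIDS" /ABSOLUTE/PATH
# Prints "status<TAB>mode<TAB>class bits<TAB>path" for / and every component.
# A directory whose applied bits lack x is DENY; returns 1 if any was found.
check_path() {
    cp_uid=$1; cp_gids=$2; cp_rest=${3#/}; cp_cur=/; cp_rc=0
    while :; do
        cp_st=$(stat -c '%u %g %a %F' "$cp_cur") || return 2
        set -- $cp_st
        cp_res=$(applied_bits "$cp_uid" "$cp_gids" "$1" "$2" "$3")
        cp_status=ok
        case "$4:$cp_res" in
            directory:root*|directory:*x) ;;
            directory:*) cp_status=DENY; cp_rc=1 ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$cp_status" "$3" "$cp_res" "$cp_cur"
        [ -n "$cp_rest" ] || break
        cp_cur="${cp_cur%/}/${cp_rest%%/*}"
        case $cp_rest in */*) cp_rest=${cp_rest#*/} ;; *) cp_rest= ;; esac
    done
    return "$cp_rc"
}

# Constructed demo: a 644 file inside a 750 directory, seen by an unrelated uid.
demo=$(mktemp -d) && chmod 755 "$demo" && mkdir -m 750 "$demo/locked"
: > "$demo/locked/report.txt" && chmod 644 "$demo/locked/report.txt"
check_path 61234 "61234" "$demo/locked/report.txt" || echo "blocked by a directory"
rm -rf "$demo"
```

The file's own line reads ok with r--, yet the walk reports DENY on the locked directory, which is the case where file permissions look correct and access still fails.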
Common Mistakes
| Mistake | What goes wrong | Correct approach |
|---|---|---|
| Setting 777 on a file or directory | Anyone can modify or delete the file — serious security risk | Use 755 for directories, 644 for files, 700/600 for private content |
| Forgetting to check directory execute permission | File access fails even though file permissions look correct | Check the entire path with ls -ld on each directory |
| Using chmod -R on /etc or /home | Flattens all permissions to the same value — breaks many things | Use find with -type f and -type d to set different permissions on files vs directories |
| Confusing the umask with chmod | Setting umask 644 does not give files 644 permissions — umask 022 does | Remember: umask is subtracted from the maximum. umask 022 produces 644 files. |
| Trying to chown as a regular user | Operation not permitted — only root can change file ownership | Use sudo chown for ownership changes |
| Making a script executable without a shebang | Script runs but the shell cannot determine which interpreter to use | Add #!/bin/bash as the first line before setting execute permission |
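The find approach from the table, as an added example that is not part of the original course material: one function lists everything that "other" can write to, the second sets directories to 755 and regular files to 644 separately. The function names and the sample tree are constructed for this example; GNU stat is assumed for the final check.

```sh
# Added example. The tree under mktemp is constructed sample data.

# world_writable DIR: list files and directories that "other" may write to
# (symlinks are skipped because their own mode bits are not used).
world_writable() {
    find "$1" ! -type l -perm -0002
}

# normalize_tree DIR: directories to 755, regular files to 644.
# Directories keep x so they can still be entered; files lose it.
normalize_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo: a tree flattened by "chmod -R 777", then repaired.
tree=$(mktemp -d)
mkdir -p "$tree/site/css"
: > "$tree/site/index.html"; : > "$tree/site/css/main.css"
chmod -R 777 "$tree"
echo "world-writable before: $(world_writable "$tree" | wc -l)"
normalize_tree "$tree"
echo "world-writable after:  $(world_writable "$tree" | wc -l)"
stat -c '%a %n' "$tree/site" "$tree/site/index.html"
rm -rf "$tree"
```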
Knowledge Check
Answer these before moving to the next slide.
- What does the permission string drwxr-x--- tell you about the file type and what each category of user can do?
- A user owns a file with permissions -rw-rw-r--. What can the owner do? What can a group member do? What can others do?
- Write the chmod command to make a script executable by the owner only, without changing any other permissions.
- What octal value sets permissions to rwxr-x---? Show your arithmetic.
- After creating a new file, you see its permissions are -rw-r--r--. What is the current umask value?
- You want to give the developers group ownership of /srv/project and all its contents. Write the command.
Knowledge Check — Answers
- drwxr-x--- is a directory (d). The owner can read, write (create/delete files inside), and enter it. Group members can read the listing and enter it but cannot create or delete files. Others have no access at all.
- With -rw-rw-r--: the owner can read and write the file. Group members can also read and write. Others can only read — no write or execute for anyone.
- chmod u+x script.sh — adds execute for the user owner only, leaving all other permission bits unchanged.
- rwx=7, r-x=5, ---=0, so the octal value is 750. Arithmetic: user: 4+2+1=7, group: 4+0+1=5, other: 0+0+0=0.
- Files default to a maximum of 666. The actual permission is 644. The umask is 666 - 644 = 022.
- sudo chown -R :developers /srv/project — the colon before the group name changes the group owner only; -R applies to all contents recursively.
Key Takeaways
- Every file has three permission sets: user, group, and other. Each set has read (4), write (2), and execute (1) bits. The kernel checks them in order and stops at the first match — only one set is applied per access attempt.
- Execute means different things on files versus directories. On a file: run it as a program. On a directory: enter it and access its contents. A directory without execute permission blocks all access to everything inside it.
- chmod changes permissions; chown changes ownership. Symbolic mode (u+x, go-w) makes targeted changes. Octal mode (644, 755) sets all bits at once. Only root can change ownership with chown.
- Diagnose permission problems systematically. Check who is running the process with id, check the file with ls -l, and check every parent directory with ls -ld. A missing execute bit on any directory in the path blocks access to everything below it.
Graded Lab
- Create the directory /tmp/permlab and three files inside it. Run ls -l to record the default permissions created by your current umask.
- Use umask to display the current value. Change it to 027, create a new file, and confirm the new default permissions.
- Use chmod in octal mode to set one file to 644, one to 755, and one to 600. Verify each with ls -l.
- Use chmod in symbolic mode to add group write permission to the 644 file without changing any other bits. Verify the result.
- Use sudo chown to change the owner of one file to root and the group to wheel. Verify with ls -l.
- Remove execute permission from the /tmp/permlab directory itself, then attempt to cd into it from a new shell. Observe the error, then restore execute permission.
"List, set, and change standard ugo/rwx permissions." Permission tasks appear throughout the exam — every service configuration, script deployment, and shared directory task involves verifying or correcting permissions.
Next: Locate, Read, and Use System Documentation Including man, info, and files in /usr/share/doc/