Domain 6 · Filesystems

Create and configure
file systems

Standard permissions, Access Control Lists, special permission bits, NFS network shares, and autofs automounting — the full RHCSA filesystem configuration domain on RHEL 9.

10 objectives · 6 topic areas · 8 quiz questions · key focus: ACL

Objectives

What the exam tests

  • Create, mount, unmount, and use VFAT, ext4, and XFS filesystems
  • Mount and unmount network filesystems using NFS
  • Configure automounting with autofs
  • Extend existing logical volumes and filesystems
  • Create and configure set-GID directories for collaboration
  • Diagnose and correct file permission problems
  • List and set file ACLs
  • Configure disk compression and deduplication — VDO (optional)
  • Configure group-managed shared directories
  • Manage file attributes with chattr and lsattr

ACLs and special permission bits (especially SGID on shared directories) are tested together in realistic multi-user collaboration scenarios. Expect at least one task combining both.

Coverage weight by topic

Topic                           | Weight
Standard permissions            | Very high
ACLs                            | Very high
Special bits (SUID/SGID/sticky) | High
NFS mounts                      | High
autofs                          | High
File attributes (chattr)        | Low

Standard file permissions

Understanding the permission model

Every file and directory has three permission sets — owner (u), group (g), and others (o) — each with read (r=4), write (w=2), and execute (x=1) bits.

# ls -l output anatomy
-rwxr-x--- 1 alice devs 4096 Apr 9 10:00 script.sh
│└┬┘└┬┘└┬┘
│ │  │  └─ others
│ │  └──── group
│ └─────── owner
└───────── file type: - file  d dir  l symlink  c char  b block  p pipe
Symbol | Octal | On a file               | On a directory
r      | 4     | Read file contents      | List directory (ls)
w      | 2     | Modify / overwrite file | Create, rename, delete files inside
x      | 1     | Execute as program      | Enter with cd; traverse path
-      | 0     | Permission not granted  | Permission not granted

chmod — symbolic and octal modes

── SYMBOLIC MODE ──────────────────────────────────────────────
chmod u+x script.sh          # add execute to owner
chmod g-w file.txt           # remove write from group
chmod o=r file.txt           # set others to read-only (exact)
chmod a+r file.txt           # add read to all (a = ugo)
chmod ug+rw,o-rwx shared     # multiple changes in one command
chmod -R g+w /project/       # recursive

── OCTAL MODE ─────────────────────────────────────────────────
chmod 755 script.sh          # rwxr-xr-x
chmod 644 config.txt         # rw-r--r--
chmod 660 shared.txt         # rw-rw----
chmod 700 private/           # rwx------
chmod 600 ~/.ssh/id_rsa      # rw------- (SSH key requirement)

chown and chgrp

# Change owner
chown alice file.txt

# Change owner AND group together
chown alice:devs file.txt

# Change group only
chown :devs file.txt
chgrp devs file.txt          # equivalent

# Recursive
chown -R alice:devs /project/

Only root can change a file's owner. Regular users can change the group of a file they own, and only to a group they belong to.

umask — default permission mask

# View current umask
umask                        # e.g. 0022
umask -S                     # symbolic: u=rwx,g=rx,o=rx

# How umask works:
#   New file base: 0666 (rw-rw-rw-)
#   New dir base:  0777 (rwxrwxrwx)
#   umask 0022 clears the write bit for group and others
#   File result: 0666 - 0022 = 0644 (rw-r--r--)
#   Dir result:  0777 - 0022 = 0755 (rwxr-xr-x)
#   Note: umask clears bits rather than subtracting: a file with umask 0027
#   gets 0640 (0666 with the 027 bits cleared), not 0637

# Set umask for current session
umask 027                    # files=640, dirs=750
umask 002                    # files=664, dirs=775 (collaborative)

# Persist umask for all users — add to /etc/profile or /etc/bashrc
# umask 022

# Persist for a specific user — add to ~/.bashrc or ~/.bash_profile
# umask 027
umask | New file      | New directory | Common use
0022  | 644 rw-r--r-- | 755 rwxr-xr-x | System default — public readable
0027  | 640 rw-r----- | 750 rwxr-x--- | Group-accessible, others blocked
0002  | 664 rw-rw-r-- | 775 rwxrwxr-x | Collaborative group work
0077  | 600 rw------- | 700 rwx------ | Maximum privacy

File attributes — chattr and lsattr

# List extended attributes
lsattr file.txt
lsattr -R /etc/              # recursive

# Set attributes
chattr +i file.txt           # immutable — cannot be modified or deleted (even by root)
chattr -i file.txt           # remove immutable flag
chattr +a logfile.txt        # append-only — can only be appended to, not overwritten
chattr +e file.txt           # extents format (usually set automatically)

# Common attributes in lsattr output:
#   i = immutable   a = append-only   e = extents
#   A = no atime updates   S = synchronous writes

The +i (immutable) flag prevents even root from deleting or modifying a file. If a file seems undeletable, check lsattr first.

Access Control Lists

Why ACLs? Standard permissions are not enough

Standard Unix permissions allow exactly three permission sets: owner, one group, and everyone else. ACLs extend this by letting you grant different permissions to multiple specific users and groups on the same file.

Standard permissions — limitation

  • One owner, one group, others
  • Cannot give bob rw- and carol r-- separately
  • Cannot give a second group different rights
  • Stored in inode — no extra packages

ACLs — extended control

  • Multiple named users and groups
  • Bob gets rw-, carol gets r--, dave gets ---
  • Multiple groups with different permissions
  • Requires filesystem to be mounted with ACL support (default on RHEL 9)

When ls -l shows a + at the end of the permission string (e.g., rw-r--r--+), an ACL is present. Use getfacl to see the full ACL.

getfacl — reading ACLs

# View the ACL of a file or directory
getfacl file.txt
getfacl /shared/project/

# Example getfacl output:
# file: file.txt
# owner: alice
# group: devs
user::rw-              ← owner permissions
user:bob:r--           ← named user bob
group::r--             ← owning group permissions
group:ops:rw-          ← named group ops
mask::rw-              ← effective permission ceiling
other::---             ← everyone else

setfacl — setting ACLs

── ADDING / MODIFYING entries ──────────────────────────────────
# Grant a named user specific permissions
setfacl -m u:bob:rw file.txt         # bob gets read+write
setfacl -m u:carol:r file.txt        # carol gets read-only
setfacl -m u:dave:--- file.txt       # dave gets no access

# Grant a named group specific permissions
setfacl -m g:ops:rw /shared/
setfacl -m g:audit:r /shared/

# Set permissions for others
setfacl -m o::--- file.txt

# Multiple entries in one command
setfacl -m u:bob:rw,g:ops:r file.txt

# Apply recursively to a directory tree
setfacl -R -m g:devs:rwx /project/

── DEFAULT ACLs (new files inherit these) ──────────────────────
# Set a default ACL on a directory
setfacl -d -m g:devs:rwx /shared/    # new files in /shared/ inherit rwx for devs
setfacl -d -m u:bob:rw /shared/

# Set both regular and default ACLs at the same time
setfacl -Rm u:bob:rwx,d:u:bob:rwx /shared/

── REMOVING entries ────────────────────────────────────────────
# Remove a specific named user or group entry
setfacl -x u:bob file.txt
setfacl -x g:ops file.txt

# Remove ALL ACL entries (revert to standard permissions)
setfacl -b file.txt

# Remove only default ACLs from a directory
setfacl -k /shared/

The ACL mask

The mask is the maximum effective permission for all named users, named groups, and the owning group. It does not limit the file owner or "other".

# The mask acts as a bitwise AND with named ACL entries
# If mask = r-- and bob has rw-, bob's effective permission = r--

# Set the mask explicitly
setfacl -m mask:r-- file.txt   # cap all named entries at read-only
setfacl -m m::rwx file.txt     # open mask fully

# When you run chmod on a file with an ACL, it updates the mask
chmod 664 file.txt             # sets mask to rw- (group bits)

# Check effective permissions in getfacl output
# Lines ending in #effective:... show the actual permission after mask

Running chmod on a file with ACLs modifies the mask, not the named ACL entries. This can silently reduce effective permissions. Always verify with getfacl after chmod.
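An added example (not from the page or from the acl package) that applies the mask rule to a constructed getfacl listing, reproducing the #effective: annotation, and shows which mask a given chmod mode leaves behind:

```shell
#!/bin/sh
# Added example, not from the page or the acl package: apply the mask rule
# described above to a getfacl listing and annotate masked entries the way
# getfacl itself does with "#effective:". The listing is constructed inline.

SAMPLE_ACL='# file: file.txt
# owner: alice
# group: devs
user::rw-
user:bob:rwx
group::r--
group:ops:rw-
mask::r--
other::---'

# and_perms "rwx" "r--" -> "r--": bitwise AND of two rwx strings
and_perms() {
  out=""; i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s' "$1" | cut -c"$i"); b=$(printf '%s' "$2" | cut -c"$i")
    if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# mask_after_chmod 664 -> "rw-": chmod rewrites the mask from the group digit,
# which is how a later chmod silently caps every named entry.
mask_after_chmod() {
  case $(printf '%s' "$1" | sed 's/.*\(.\).$/\1/') in
    7) echo rwx ;; 6) echo rw- ;; 5) echo r-x ;; 4) echo r-- ;;
    3) echo -wx ;; 2) echo -w- ;; 1) echo --x ;; *) echo --- ;;
  esac
}

# effective_acl: read a getfacl listing on stdin; print each entry, adding
# "#effective:" where the mask reduces a named user, named group or the
# owning group. The owner (user::) and other:: lines are never masked.
effective_acl() {
  listing=$(cat)
  mask=$(printf '%s\n' "$listing" | sed -n 's/^mask::\(...\)$/\1/p')
  [ -n "$mask" ] || mask=rwx                  # no mask entry: nothing is capped
  printf '%s\n' "$listing" | while IFS= read -r line; do
    case $line in
      user::*|other::*|mask::*|'#'*) printf '%s\n' "$line" ;;
      user:*|group:*)
        perms=${line##*:}
        eff=$(and_perms "$perms" "$mask")
        if [ "$eff" = "$perms" ]; then printf '%s\n' "$line"
        else printf '%s\t\t#effective:%s\n' "$line" "$eff"; fi ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```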

Copying and archiving with ACLs

# cp — preserve ACLs
cp --preserve=all src.txt dst.txt
cp -a src/ dst/                  # archive mode — preserves ACLs

# tar — preserve ACLs (requires --acls flag)
tar --acls -czf backup.tar.gz /shared/
tar --acls -xzf backup.tar.gz

# rsync — preserve ACLs
rsync -aA src/ dst/              # -A = preserve ACLs

Standard cp without --preserve=all drops ACLs. Always use cp -a or cp --preserve=all when the destination must keep ACL entries.

Special permission bits

SUID, SGID, and sticky bit overview

Bit    | Octal | On a file                                     | On a directory                                                  | ls -l shows
SUID   | 4xxx  | Runs with owner's UID (e.g., /usr/bin/passwd) | No standard effect                                              | s in owner execute position (rws)
SGID   | 2xxx  | Runs with group's GID                         | New files inherit directory's group; critical for collaboration | s in group execute position (rwxrws)
Sticky | 1xxx  | No modern effect on files                     | Only owner or root can delete files in the directory            | t in others execute position (rwxrwxt)

Uppercase S or T in ls -l means the special bit is set but the underlying execute bit is not set — an unusual and often unintentional configuration.
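As an added example (not from the original page), the following POSIX sh functions decode an ls -l permission field into its octal mode and flag the two markers just described, an uppercase S/T and a trailing + for an ACL; the field is passed in as a string, so nothing on the running system is touched.

```shell
#!/bin/sh
# Added example, not from the original page: decode the permission field that
# ls -l prints (e.g. "drwxrws---" or "-rwsr-xr-x+") into a 4-digit octal mode
# and report the markers the text warns about. Pure POSIX sh plus cut.

# triplet_value "rws" -> "7 1": the rwx digit and a 1 if a special bit
# (s/S in owner or group position, t/T in others position) is present.
triplet_value() {
  t=$1; v=0; sp=0
  case $(printf '%s' "$t" | cut -c1) in r) v=$((v + 4)) ;; esac
  case $(printf '%s' "$t" | cut -c2) in w) v=$((v + 2)) ;; esac
  case $(printf '%s' "$t" | cut -c3) in
    x)   v=$((v + 1)) ;;
    s|t) v=$((v + 1)); sp=1 ;;   # special bit AND execute bit set
    S|T) sp=1 ;;                 # special bit WITHOUT execute bit
  esac
  printf '%s %s\n' "$v" "$sp"
}

# mode_to_octal "<ls -l field>" -> e.g. "2770"; a trailing + or . is ignored.
mode_to_octal() {
  f=$1
  set -- $(triplet_value "$(printf '%s' "$f" | cut -c2-4)");  u=$1; su=$2
  set -- $(triplet_value "$(printf '%s' "$f" | cut -c5-7)");  g=$1; sg=$2
  set -- $(triplet_value "$(printf '%s' "$f" | cut -c8-10)"); o=$1; st=$2
  printf '%s%s%s%s\n' $((su * 4 + sg * 2 + st)) "$u" "$g" "$o"
}

# mode_warnings "<ls -l field>" -> one line per finding, nothing when clean.
mode_warnings() {
  f=$1
  case $f in *S*|*T*) echo "special bit set without execute bit (uppercase S/T)" ;; esac
  case $f in *+) echo "ACL present: inspect with getfacl" ;; esac
}

for field in drwxrws--- -rwsr-xr-x drwxrwxrwt -rw-r--r--+ -rw-r-Sr--; do
  printf '%-12s %s\n' "$field" "$(mode_to_octal "$field")"
  mode_warnings "$field"
done
```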

SGID shared directories — exam favourite

The most commonly tested special bit scenario: a shared collaboration directory where all new files automatically belong to the group, not the creating user's primary group.

Create the shared directory
mkdir /shared/project
Set group ownership
chgrp devs /shared/project
Set permissions — group writable
chmod 770 /shared/project # rwxrwx---
Set SGID so new files inherit group
chmod g+s /shared/project    # or equivalently:
chmod 2770 /shared/project   # rwxrws---
Verify
ls -ld /shared/project # Expected: drwxrws--- 2 root devs ...

SGID on a directory is visible in ls -l: look for s in the group execute position (drwxrws---). Any file created inside will be owned by group devs, not the user's default group.
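The steps above as an added shell example (not the page's own code): it applies them to a directory and group passed as arguments, verifies the mode with GNU stat instead of reading ls -ld, and includes a check for the two settings most often missing from a shared directory. It assumes GNU coreutils and that you may chgrp to the group given (root, or membership in that group).

```shell
#!/bin/sh
# Added example, not from the original page: the SGID collaboration-directory
# steps above as functions, verified with stat instead of eyeballing ls -ld.
# Assumes GNU coreutils (stat -c). Needs root unless you are a member of GROUP.

# setup_sgid_dir DIR GROUP -> prints "<octal mode> <gid>", e.g. "2770 1001"
setup_sgid_dir() {
  dir=$1; grp=$2
  mkdir -p "$dir"          || return 1   # 1. create the shared directory
  chgrp "$grp" "$dir"      || return 1   # 2. set group ownership
  chmod 2770 "$dir"        || return 1   # 3+4. rwxrws---: group-writable + SGID
  stat -c '%a %g' "$dir"                 # 5. verify: expect "2770 <gid of GROUP>"
}

# check_sgid_dir DIR -> "ok", or one finding per line (status 1) when the
# directory lacks SGID or group write, the usual causes of "new files get
# the wrong group" and "colleagues cannot write here" complaints.
check_sgid_dir() {
  mode=$(stat -c '%a' "$1") || return 1
  m=$(printf '%d' "0$mode")              # leading 0 makes printf parse octal
  rc=0
  [ $((m & 1024)) -ne 0 ] || { echo "SGID (02000) not set on $1: new files keep the creator's group"; rc=1; }
  [ $((m & 16)) -ne 0 ]   || { echo "group write (020) not set on $1: group members cannot create files"; rc=1; }
  [ "$rc" -eq 0 ] && echo ok
  return "$rc"
}

# new_file_group DIR -> gid a new file inside DIR receives; equals the
# directory's gid when SGID is set, the creator's primary gid otherwise.
new_file_group() {
  f="$1/.sgid-probe.$$"
  : > "$f" || return 1
  stat -c '%g' "$f"
  rm -f "$f"
}

# Stand-alone run on a throwaway directory owned by the caller's own group.
tmp=$(mktemp -d)
setup_sgid_dir "$tmp/project" "$(id -g)"
check_sgid_dir "$tmp/project"
new_file_group "$tmp/project"
rm -rf "$tmp"
```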

Sticky bit — shared writable directories

# /tmp uses sticky bit — world-writable but users can only delete their own files
ls -ld /tmp                  # drwxrwxrwt — note the 't' at the end

# Set sticky bit on a directory
chmod +t /shared/uploads
chmod 1777 /shared/uploads   # rwxrwxrwt

# Remove sticky bit
chmod -t /shared/uploads

Sticky bit is tested most often in the context of a world-writable shared drop directory where users should not be able to delete each other's files.

SUID on executables

# View SUID binaries on the system
find / -perm -4000 -type f 2>/dev/null

# Set SUID on a binary
chmod u+s /usr/bin/myapp
chmod 4755 /usr/bin/myapp    # rwsr-xr-x

# Classic SUID examples:
# /usr/bin/passwd — writes to /etc/shadow (root-owned)
# /usr/bin/su     — needs to read /etc/shadow
# /usr/bin/sudo   — needs root privileges

NFS network filesystems

NFS client — mounting network shares

# Show available NFS exports from a server
showmount -e fileserver
showmount -e 192.168.1.100

# Manual mount
mount -t nfs fileserver:/exports/data /mnt/data
mount -t nfs4 fileserver:/exports/data /mnt/data   # force NFSv4

# Mount with options
mount -t nfs -o ro,soft fileserver:/data /mnt/data
mount -t nfs -o rw,sync fileserver:/data /mnt/data

# Persistent NFS mount in /etc/fstab
fileserver:/exports/data  /mnt/data  nfs  defaults,_netdev  0 0
NFS option | Effect
rw / ro    | Read-write or read-only mount
sync       | Writes confirmed before returning — slower but safe
async      | Writes buffered — faster but risk on crash
soft       | Return error after retries — client application can handle
hard       | Keep retrying forever — safer for important data (default)
_netdev    | Wait for network before mounting — required for NFS in fstab
nfsvers=4  | Force specific NFS version
timeo=     | Timeout in tenths of a second before retrying

Always include _netdev in /etc/fstab for NFS entries. Without it, the system may hang at boot trying to mount a network share before the network is available.
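An added example (not from the original page) that checks a candidate /etc/fstab line for the mistakes this section warns about before it is written to disk; the lines it is run on are constructed, not taken from a real system:

```shell
#!/bin/sh
# Added example, not from the original page: check an /etc/fstab line for
# the NFS pitfalls listed above (wrong type, swapped fields, missing _netdev)
# before rebooting. The sample lines below are constructed.

# check_nfs_fstab_line "<fstab line>" -> prints "ok" or one finding per line;
# exit status 0 only when every check passes.
check_nfs_fstab_line() {
  set -- $1                                 # split into the six fstab fields
  if [ $# -ne 6 ]; then
    echo "expected 6 fields (device mountpoint type options dump pass), got $#"
    return 1
  fi
  dev=$1; mnt=$2; type=$3; opts=$4; dump=$5; pass=$6; rc=0
  case $type in
    nfs|nfs4) ;;
    *) echo "filesystem type must be nfs or nfs4, not '$type'"; rc=1 ;;
  esac
  case $dev in
    *:/*) ;;
    *) echo "device '$dev' is not of the form server:/export (fields swapped?)"; rc=1 ;;
  esac
  case $mnt in
    /*) ;;
    *) echo "mount point '$mnt' is not an absolute path"; rc=1 ;;
  esac
  case ",$opts," in
    *,_netdev,*) ;;
    *) echo "missing _netdev: boot may hang waiting for the share"; rc=1 ;;
  esac
  if [ "$dump" != 0 ] || [ "$pass" != 0 ]; then
    echo "dump/pass should be 0 0 for a network filesystem"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo ok
  return "$rc"
}

# Constructed candidates: one good line and the three classic mistakes.
for line in \
  'fileserver:/exports/data /mnt/data nfs defaults,_netdev 0 0' \
  'fileserver:/exports/data /mnt/data nfs defaults 0 0' \
  '/mnt/data fileserver:/exports/data nfs defaults,_netdev 0 0' \
  'fileserver:/exports/data /mnt/data ext4 defaults,_netdev 0 0'; do
  echo "== $line"
  check_nfs_fstab_line "$line" || true
done
```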

NFS server — configuring exports

# Install NFS server packages
dnf install -y nfs-utils

# Enable and start NFS server
systemctl enable --now nfs-server

# Export configuration: /etc/exports
# Format: directory client(options)
/exports/data    192.168.1.0/24(rw,sync,no_root_squash)
/exports/public  *(ro,sync)
/home            client1.example.com(rw,sync)

# Apply changes without restarting NFS
exportfs -r                  # re-export all
exportfs -a                  # export all listed shares
exportfs -v                  # show current exports verbosely

# Allow NFS through firewall
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mountd
firewall-cmd --reload
Export option  | Effect
rw             | Allow read-write access from client
ro             | Allow read-only access (default)
sync           | Write to disk before acknowledging client
no_root_squash | Root on client maps to root on server — use carefully
root_squash    | Root on client maps to anonymous UID (default, safer)
no_all_squash  | Preserve user UIDs (default)
all_squash     | Map all users to anonymous UID

autofs — automounting

What is autofs?

autofs automatically mounts a filesystem when a process accesses the mount point directory, and unmounts it after a configurable idle timeout (default 5 minutes). This avoids keeping NFS mounts active when not in use and prevents boot-time hangs on unreachable servers.

Static NFS mount (/etc/fstab)

  • Mounted at boot, always active
  • Boot fails if server unreachable
  • Consumes resources even when idle
  • Simple to configure

autofs automount

  • Mounted on demand, unmounted when idle
  • Boot succeeds even if server is down
  • No resource use when idle
  • Requires autofs service and config files

autofs configuration files

autofs uses two levels of configuration: the master map at /etc/auto.master (or /etc/auto.master.d/) and indirect maps that define specific mount entries.

── /etc/auto.master (master map) ───────────────────────────────
# Format: mount-point map-file [options]
/mnt/nfs   /etc/auto.nfs
/home      /etc/auto.home --timeout=60
/misc      /etc/auto.misc

── /etc/auto.nfs (indirect map for /mnt/nfs/) ──────────────────
# Format: key [options] location
data     -rw,soft   fileserver:/exports/data
public   -ro        fileserver:/exports/public
backup   -rw,sync   nas01:/vol/backup

# Result: accessing /mnt/nfs/data triggers mount of fileserver:/exports/data

autofs for user home directories

A very common exam scenario: automount user home directories from an NFS server using the & wildcard key.

── /etc/auto.master ────────────────────────────────────────────
/home   /etc/auto.home --timeout=300

── /etc/auto.home ──────────────────────────────────────────────
# The & substitutes for the key (username)
*   -rw,sync   fileserver:/home/&

# When user 'alice' logs in, autofs mounts:
#   fileserver:/home/alice → /home/alice
# When user 'bob' logs in, autofs mounts:
#   fileserver:/home/bob → /home/bob

The * wildcard key combined with & (substitution) in the map value is the standard pattern for automounting per-user home directories.
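An added example (not from the page or the autofs project) that emulates the master-map to indirect-map lookup autofs performs for an accessed path, including the * key and & substitution from this section and the explicit keys from the previous one; the map contents are constructed inline rather than read from /etc:

```shell
#!/bin/sh
# Added example, not from the page or the autofs project: emulate the lookup
# autofs performs when a path under a managed base is accessed: find the
# master-map entry, read its indirect map, match the key (exact entry first,
# then the * wildcard) and expand & to the key. Map contents are constructed
# inline instead of being read from /etc.

AUTO_MASTER='/mnt/nfs /etc/auto.nfs
/home /etc/auto.home --timeout=300'

AUTO_NFS='data -rw,soft fileserver:/exports/data
public -ro fileserver:/exports/public'

AUTO_HOME='* -rw,sync fileserver:/home/&'

# map_contents <map file path> -> the constructed text standing in for it
map_contents() {
  case $1 in
    /etc/auto.nfs)  printf '%s\n' "$AUTO_NFS" ;;
    /etc/auto.home) printf '%s\n' "$AUTO_HOME" ;;
  esac
}

# resolve_automount /home/alice -> "-rw,sync fileserver:/home/alice"
# Prints nothing and returns 1 when no base or key matches.
resolve_automount() {
  path=$1
  result=$(printf '%s\n' "$AUTO_MASTER" | while read -r base mapfile rest; do
    case $path in "$base"/*) ;; *) continue ;; esac
    key=${path#"$base"/}
    case $key in */*) continue ;; esac        # indirect maps are one level deep
    # exact key wins over the * wildcard, as in autofs; print options+location
    entry=$(map_contents "$mapfile" | awk -v k="$key" '$1 == k { print $2, $3; exit }')
    [ -n "$entry" ] || entry=$(map_contents "$mapfile" | awk '$1 == "*" { print $2, $3; exit }')
    [ -n "$entry" ] || continue
    opts=${entry%% *}; loc=${entry#* }
    printf '%s %s\n' "$opts" "$(printf '%s' "$loc" | sed "s|&|$key|g")"
    break
  done; true)
  [ -n "$result" ] && printf '%s\n' "$result"
}

for p in /home/alice /home/bob /mnt/nfs/data /mnt/nfs/public /mnt/nfs/missing /opt/data; do
  printf '%-18s -> %s\n' "$p" "$(resolve_automount "$p" || echo '(no automount)')"
done
```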

Starting and managing autofs

# Install autofs
dnf install -y autofs

# Enable and start the autofs service
systemctl enable --now autofs

# After changing map files, reload without restart
systemctl reload autofs
automount -f                 # foreground debug mode

# Check which automounts are active
mount | grep autofs
ls /mnt/nfs/data             # accessing a key under the base triggers its mount

# Verify with automount verbose output
systemctl status autofs
journalctl -u autofs -f

Direct maps vs indirect maps

Indirect map (most common)

  • Mount point is a subdirectory below the map base
  • Base dir (/mnt/nfs) managed by autofs
  • Keys become subdirectories: /mnt/nfs/data
  • Use for multiple mounts under one path
  • Wildcard * key supported
# auto.master:
/mnt/nfs   /etc/auto.nfs

Direct map

  • Each key is an absolute path
  • Mounts appear at exact specified paths
  • Use /- as master map base
  • Good for one-off mounts at fixed paths
  • No wildcard support
# auto.master:
/-   /etc/auto.direct

# auto.direct:
/opt/data   -rw   srv:/data

Cheat sheet

Most-tested commands — quick reference

Add execute to owner
chmod u+x script.sh
Octal 755
chmod 755 script.sh
Change owner+group
chown user:grp file
View umask
umask
Set collaborative umask
umask 002
Make file immutable
chattr +i file.txt
View file attributes
lsattr file.txt
View ACL
getfacl file.txt
Grant user ACL entry
setfacl -m u:bob:rw file
Grant group ACL entry
setfacl -m g:ops:r file
Set default ACL
setfacl -d -m g:devs:rwx /dir
Remove user ACL entry
setfacl -x u:bob file
Remove all ACLs
setfacl -b file
Recursive ACL set
setfacl -R -m g:devs:rwx /dir
Set SGID on directory
chmod g+s /shared
SGID octal
chmod 2770 /shared
Set sticky bit
chmod +t /shared/uploads
Sticky octal
chmod 1777 /tmp/shared
Show NFS exports
showmount -e fileserver
Mount NFS share
mount -t nfs server:/path /mnt
NFS in fstab
server:/path /mnt nfs defaults,_netdev 0 0
Install autofs
dnf install -y autofs
Start autofs
systemctl enable --now autofs
Reload autofs maps
systemctl reload autofs
Find SUID files
find / -perm -4000 -type f
Copy preserving ACLs
cp -a src/ dst/

setfacl flag reference

Flag | Meaning                               | Example
-m   | Modify — add or update an entry       | setfacl -m u:bob:rw file
-x   | Remove a specific entry               | setfacl -x u:bob file
-b   | Remove all ACL entries                | setfacl -b file
-k   | Remove default ACL only               | setfacl -k /dir
-d   | Set a default ACL (new files inherit) | setfacl -d -m g:devs:rwx /dir
-R   | Apply recursively                     | setfacl -R -m g:ops:r /dir
-n   | Do not recalculate mask               | setfacl -n -m u:bob:rw file

autofs configuration summary

File                        | Role                                                     | Format
/etc/auto.master            | Master map — lists base mount points and their map files | /base-dir /etc/map-file [options]
/etc/auto.master.d/*.autofs | Drop-in master map files (preferred in RHEL 9)           | Same as auto.master format
/etc/auto.NAME              | Indirect map — keys become subdirectories under base     | key [options] server:/path
/- /etc/auto.direct         | Direct map — keys are absolute paths                     | /full/path [options] server:/path

SGID shared directory — exam template

Create directory
mkdir /shared/collab
Assign group ownership
chgrp devs /shared/collab
Set SGID + group writable
chmod 2770 /shared/collab # rwxrws---
(Optional) Set default ACL for extra users
setfacl -d -m u:contractor:rx /shared/collab
Verify
ls -ld /shared/collab        # look for 's' in group position
getfacl /shared/collab       # check ACL entries

Practice quiz

Question 1 of 8

After running ls -l report.txt you see -rw-r--r--+. What does the + at the end indicate?

A + at the end of the permission string in ls -l output means the file has an Access Control List (ACL). Use getfacl report.txt to view the full ACL. A . at the end indicates an SELinux context but no ACL.

Question 2 of 8

You want user bob to have read-write access to /project/data.txt, but the file's group ownership should not change. Which command achieves this?

setfacl -m u:bob:rw grants bob read-write via a named user ACL entry without changing group ownership or affecting other users' permissions. Option A grants rw to everyone (others), which is too broad. Option C changes ownership, not just access. Option D adds bob to a group but doesn't directly control this file's access.

Question 3 of 8

A directory /shared has SGID set. User alice (primary group: alice, secondary group: devs) creates a file inside. What group will own the new file?

When SGID is set on a directory, new files inherit the group of the directory, not the creating user's primary group. This is the entire purpose of SGID on directories — ensuring all files in a shared workspace belong to the same group regardless of who creates them.

Question 4 of 8

Which command sets a default ACL on /project so that any new files created inside automatically grant group devs read-write-execute permission?

The -d flag sets a default ACL on a directory. Default ACLs are inherited by new files and subdirectories created inside. Option A sets a regular ACL on the directory itself but does not affect newly created files. Option C removes an entry. Option D removes default ACLs (-k) then tries to modify — invalid combination.

Question 5 of 8

You need to persistently mount the NFS share fileserver:/exports/data at /mnt/data. Which /etc/fstab entry is correct?

Option B is correct: NFS fstab entries need _netdev to delay mounting until the network is available. Without it, boot can hang on an unreachable NFS server. Option A is missing _netdev. Option C has device and mountpoint swapped. Option D uses ext4 as filesystem type — NFS mounts must use nfs.

Question 6 of 8

In an autofs indirect map, the entry * -rw,sync fileserver:/home/& is used. What does the & represent?

In autofs map files, & is a substitution token that expands to whatever matched the key (* wildcard) in that entry. If user alice accesses the automounted directory, & becomes alice, so autofs mounts fileserver:/home/alice. This is the standard pattern for per-user home directory automounting.

Question 7 of 8

You run setfacl -m u:bob:rwx file.txt but then check with getfacl and see user:bob:rwx #effective:r--. Why is bob's effective permission only r--?

The ACL mask defines the maximum effective permissions for all named user entries, named group entries, and the owning group. If the mask is r--, even though bob has rwx in his ACL entry, his effective permission is r-- (masked to read-only). Fix: setfacl -m mask::rwx file.txt to open the mask. This often happens when chmod is run after setting ACLs.

Question 8 of 8

A user complains they cannot delete their own file in /shared/uploads even though the directory is world-writable (777). What is the most likely cause?

Note that the question says the user cannot delete their own file. The sticky bit prevents users from deleting other users' files, but users can still delete their own. If a user cannot delete their own file in a world-writable directory, the most likely cause is chattr +i (immutable attribute) on the file itself — which prevents deletion even by the owner. Check with lsattr. If the question had said "cannot delete other users' files", the sticky bit would be the answer.