File permissions decide who can read, change, or run files on a Linux system, and they are a core part of how you secure devices and data. This guide helps you read permission strings with ls -l and getfacl, then change them safely using both symbolic and numeric chmod. You will also connect those skills to the Device Security Analysis free-response question.
Where This Shows Up
File permissions appear in two places on the AP Cybersecurity Exam. In the multiple-choice section, you may get scenario items built on file-permission strings or access-control emails. In the free-response Device Security Analysis, one of your sources may be file-system permissions, and you may be asked to identify a problem, describe how a permission change affects users, or write a proper command.
This ties directly to Skill Categories 2 and 3. You are mitigating risk by tightening weak permissions (Skill 2.D, implement and log mitigations) and detecting attacks by spotting overly permissive files that an adversary could abuse (EK 5.1.A.3).
Reading Permissions With ls -l
Start with ls -l to list files with their permission strings. A typical line looks like this:
```
-rwxr-xr-- 1 alice rnd 4096 Feb 10 09:14 formula.txt
```
The first character is the file type. A dash (-) means a regular file, and d means a directory. The next nine characters are three permission groups of three.
| Position | Applies to | Example | Meaning |
|---|---|---|---|
| 1-3 | Owner (user) | rwx | read, write, execute |
| 4-6 | Group | r-x | read, execute, no write |
| 7-9 | Other | r-- | read only |
In the example above, alice is the owner and rnd is the group. The owner can read, write, and execute. Members of the rnd group can read and execute but not write. Everyone else (other) can only read.
What Read, Write, and Execute Actually Do
The three permissions behave differently on files versus directories, and AP scenarios test that distinction.
- Read (r): view a file's contents, or list the names inside a directory.
- Write (w): change or delete a file's contents, or add and remove files inside a directory.
- Execute (x): run a file as a program, or enter (cd into) a directory.
A directory with read but no execute is a trap. You can see filenames but cannot access anything inside. To use a directory normally, you usually need both r and x.
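The following script is an added example, not part of the original guide: it takes the ten-character field from ls -l, breaks it into the owner, group and other triads with the octal digit each one stands for, and scans a listing for entries where other has write access (the weak-access-control pattern the guide warns about). It assumes only a POSIX shell with cut, and the listing it scans is a constructed sample, not output from a real system.

```shell
#!/bin/sh
# Added example: decode an ls -l permission field and scan a listing for
# entries that grant write to "other". Assumes a POSIX shell with cut.

# triad_digit r-x -> 5 : octal value of one three-character group (r=4, w=2, x=1).
triad_digit() {
    digit=0
    case $1 in r??) digit=$((digit + 4)) ;; esac
    case $1 in ?w?) digit=$((digit + 2)) ;; esac
    case $1 in ??x) digit=$((digit + 1)) ;; esac
    printf '%s' "$digit"
}

# strip_type -rwxr-xr-- -> rwxr-xr-- : drop the leading file-type character when
# a full ten-character ls -l field is passed; a nine-character string is kept as is.
strip_type() {
    case ${#1} in
        10) printf '%s' "${1#?}" ;;
        9)  printf '%s' "$1" ;;
        *)  echo "expected 9 or 10 permission characters, got '$1'" >&2; return 1 ;;
    esac
}

# perm_to_octal -rwxr-x--- -> 750 : the numeric mode for a permission string.
perm_to_octal() {
    perms=$(strip_type "$1") || return 1
    printf '%s%s%s\n' \
        "$(triad_digit "$(printf '%s' "$perms" | cut -c1-3)")" \
        "$(triad_digit "$(printf '%s' "$perms" | cut -c4-6)")" \
        "$(triad_digit "$(printf '%s' "$perms" | cut -c7-9)")"
}

# explain_mode -rwxr-xr-- prints one line per class: owner, group, other.
explain_mode() {
    perms=$(strip_type "$1") || return 1
    n=1
    for who in owner group other; do
        triad=$(printf '%s' "$perms" | cut -c"$n"-"$((n + 2))")
        printf '%-6s %s -> %s\n' "$who" "$triad" "$(triad_digit "$triad")"
        n=$((n + 3))
    done
}

# find_world_writable reads ls -l lines on stdin and prints the name of every
# entry whose "other" triad contains w. In the ten-character field the type
# character is position 1, so other's write bit is position 9.
find_world_writable() {
    while read -r mode _links _owner _group _size _mon _day _time name; do
        case $mode in
            ????????w?*) printf '%s\n' "$name" ;;   # trailing * tolerates a '.' or '+' suffix
        esac
    done
}

# Constructed sample listing (not real files): two weak entries, two healthy ones.
SAMPLE_LISTING='-rwxrwxrwx 1 alice rnd 4096 Feb 10 09:14 notes.txt
-rw-r--r-- 1 alice rnd  120 Feb 10 09:14 README
drwxrwxrwx 2 alice rnd 4096 Feb 10 09:14 Research
-rwxr-x--- 1 alice rnd 4096 Feb 10 09:14 formula.txt'

# Run as a script to see the breakdown and the scan.
explain_mode -rwxr-xr--
printf 'octal mode: %s\n' "$(perm_to_octal -rwxr-xr--)"
printf 'world-writable entries:\n'
printf '%s\n' "$SAMPLE_LISTING" | find_world_writable
```

Feed the output of a real ls -l into find_world_writable to get the same check on a live directory; the "total" summary line ls prints first does not match the pattern and is skipped.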
Reading Detailed Permissions With getfacl
When a file uses access control list entries beyond the basic owner, group, and other, use getfacl to see the full picture. It prints the same core permissions plus any extra named-user or named-group entries.
```
getfacl formula.txt
# file: formula.txt
# owner: alice
# group: rnd
user::rwx
group::r-x
other::r--
```
The user::, group::, and other:: lines match what ls -l shows. If you see lines like user:bob:rwx, that is a specific named user given access through an ACL, which can be a security issue if bob should not have it.
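As an added example that is not part of the original guide, the script below pulls the named-user and named-group entries out of getfacl output, since those are exactly the lines that extend access beyond what ls -l shows. It assumes only a POSIX shell, and the ACL text it reads is a constructed sample (the bob and contractors entries are made up), not output from a real file.

```shell
#!/bin/sh
# Added example: isolate the named ACL entries in getfacl output.
# Assumes a POSIX shell; the sample below is constructed, not from a real file.

SAMPLE_ACL='# file: formula.txt
# owner: alice
# group: rnd
user::rwx
user:bob:rwx
group::r-x
group:contractors:r--
mask::rwx
other::r--'

# named_acl_entries reads getfacl output on stdin and prints each entry that
# names a specific user or group (user:NAME:perms or group:NAME:perms).
# The base entries have an empty name field (user::rwx), so they are skipped,
# as are the # header lines, mask:: and other::.
named_acl_entries() {
    while read -r line; do
        case $line in
            user:?*:*|group:?*:*) printf '%s\n' "$line" ;;
        esac
    done
}

# named_acl_with_write narrows that to entries whose permission field has w,
# the ones most worth questioning against policy. The pattern looks only at
# the final three characters, so a w inside a username does not match.
named_acl_with_write() {
    named_acl_entries | while read -r entry; do
        case $entry in *:?w?) printf '%s\n' "$entry" ;; esac
    done
}

# Run as a script to list the extra grants in the sample.
printf 'named entries:\n'
printf '%s\n' "$SAMPLE_ACL" | named_acl_entries
printf 'named entries with write:\n'
printf '%s\n' "$SAMPLE_ACL" | named_acl_with_write
```

On a real system, pipe getfacl's output in instead of the sample: getfacl formula.txt | named_acl_with_write.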
Numeric chmod
Numeric (octal) mode sets all three groups at once using a digit from 0 to 7. Each permission has a value: read is 4, write is 2, execute is 1. Add them up per group.
| Digit | Permissions | Meaning |
|---|---|---|
| 7 | rwx | 4+2+1 |
| 6 | rw- | 4+2 |
| 5 | r-x | 4+1 |
| 4 | r-- | 4 |
| 0 | --- | none |
So chmod 750 formula.txt gives the owner rwx, the group r-x, and other no access. That matches a common AP-style requirement: the owner has full access, the team can read and run, and everyone else is locked out.
```
chmod 750 formula.txt
ls -l formula.txt
-rwxr-x--- 1 alice rnd 4096 Feb 10 09:14 formula.txt
```
Symbolic chmod
Symbolic mode changes permissions without resetting the rest. You name the target (u owner, g group, o other, a all), an operator (+ add, - remove, = set exactly), and the permissions (r, w, x).
```
chmod o-w shared.txt        # remove write from other
chmod g+x scripts.sh        # add execute for the group
chmod u=rwx,g=rx,o= data    # set each group exactly
```
Use symbolic mode when you want a surgical fix, such as removing a single risky permission. Use numeric mode when you want to define the whole permission set cleanly.
Worked Mini-Example: Tightening a Weak Directory
Suppose Device Security Analysis hands you this listing, and the policy says only the rnd group should access the research directory:
```
drwxrwxrwx 2 alice rnd 4096 Feb 10 09:14 Research
```
The rwxrwxrwx string means everyone can read, write, and enter the directory. That is the weak access control described in EK 5.1.A.3, and an adversary with any account could steal or destroy files.
A defensive fix gives the owner full control, the rnd group the same full access, and other nothing (use ls -ld so ls describes the directory itself rather than listing its contents):
```
chmod 770 Research
ls -ld Research
drwxrwx--- 2 alice rnd 4096 Feb 10 09:14 Research
```
If the prompt asks you to describe the impact, explain that rnd members keep full access while all other users lose the ability to read, modify, or enter the directory, which removes the exposure without blocking the intended team.
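To tie the numeric section, the symbolic section and this worked example together, here is an added demonstration (not code from the guide) that creates throwaway copies of formula.txt, shared.txt and Research in a temporary directory, deliberately starts them at 777, applies chmod 750, chmod 770 and chmod o-w, and reads each mode back the way ls -l shows it. It assumes a POSIX shell with mktemp, chmod, ls and cut; the file names are the guide's examples, the contents are empty.

```shell
#!/bin/sh
# Added demonstration: numeric vs symbolic chmod on scratch files, with the
# resulting mode read back from ls. Assumes POSIX sh plus mktemp, chmod, ls, cut.

# mode_of PATH -> the ten-character type+permission field ls -l shows for PATH.
# -d makes ls describe a directory itself instead of listing what is inside it.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# setup_demo -> path of a fresh temp dir holding the guide's example names,
# all deliberately set to 777 so the fixes have something to tighten.
setup_demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/formula.txt"
    : > "$dir/shared.txt"
    mkdir "$dir/Research"
    chmod 777 "$dir/formula.txt" "$dir/shared.txt" "$dir/Research"
    printf '%s\n' "$dir"
}

# Numeric mode: state the complete owner/group/other set, one digit each.
fix_numeric() {
    chmod 750 "$1/formula.txt"   # owner rwx, group r-x, other nothing
    chmod 770 "$1/Research"      # owner rwx, group rwx, other nothing
}

# Symbolic mode: subtract one risky bit and leave everything else as it was.
fix_symbolic() {
    chmod o-w "$1/shared.txt"    # other keeps r and x, loses w
}

# run_demo prints a before/after line for each path, then removes the scratch dir.
run_demo() {
    dir=$(setup_demo) || return 1
    for f in formula.txt shared.txt Research; do
        printf 'before  %-12s %s\n' "$f" "$(mode_of "$dir/$f")"
    done
    fix_numeric "$dir"
    fix_symbolic "$dir"
    for f in formula.txt shared.txt Research; do
        printf 'after   %-12s %s\n' "$f" "$(mode_of "$dir/$f")"
    done
    rm -rf "$dir"
}

run_demo
```

The shared.txt line is the one to study: after chmod o-w it reads -rwxrwxr-x, so other still has read and execute, which is what "surgical fix" means in the text. A numeric chmod on the same file would have replaced all nine bits.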
Common Mistakes to Avoid
- Mixing up the value order. Read is 4, write is 2, execute is 1. chmod 644 is rw-r--r--, not the reverse.
- Forgetting execute on directories. A directory with rw- lets users see names but not open contents, which often is not what the scenario wants.
- Using chmod 777 as a quick fix. That grants everyone full access and is the opposite of mitigation. The exam treats it as a vulnerability.
- Confusing symbolic operators. = overwrites the whole set for that target, while + and - only adjust one permission.
- Reading the wrong triad. Always confirm whether a permission problem affects the owner, the group, or other before recommending a change.
- Ignoring ownership. Permissions only matter relative to who the owner and group are, so check the owner and group fields in ls -l or getfacl.
Quick Workflow for the FRQ
- Run or read ls -l (or getfacl) and identify the type, owner, group, and the three permission triads.
- Compare the current permissions against the stated policy or least-privilege expectation.
- Name the specific risk in plain terms, such as other users having write access to sensitive files.
- Choose numeric mode for a full reset or symbolic mode for a targeted fix.
- Write the exact command and state how it changes access for owner, group, and other.
Keep your reasoning evidence-based. When the prompt says write or describe, cite the permission string you saw and explain the effect on each class of user.
Frequently Asked Questions
What is the difference between numeric and symbolic chmod?
Numeric chmod uses octal digits (read 4, write 2, execute 1) to set all three permission groups at once, like chmod 750. Symbolic chmod uses targets and operators, like chmod g+x, to add or remove specific permissions without resetting the rest.
How do I read an ls -l permission string?
The first character is the file type, where a dash is a regular file and d is a directory. The next nine characters form three triads for owner, group, and other, each showing read (r), write (w), and execute (x) or a dash if denied.
Why is chmod 777 a security problem on the AP Cybersecurity Exam?
chmod 777 grants read, write, and execute to the owner, group, and everyone else. That is the weak access control described in EK 5.1.A.3, letting any user, including a compromised account, steal or destroy files.
When should I use getfacl instead of ls -l?
Use getfacl when a file may have access control list entries beyond the basic owner, group, and other. It prints the same core permissions plus any named-user or named-group entries, such as user:bob:rwx.