---
title: "AP Cybersecurity File Permissions and chmod Guide"
description: "Practice ls -l, getfacl, and symbolic and numeric chmod for AP Cybersecurity. Learn owner, group, and other permissions for Device Security Analysis."
canonical: "https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/file-permissions-chmod-guide/study-guide/Oi3rgnbnQ0dri3gn5BnX"
type: "study-guide"
subject: "AP Cybersecurity"
unit: "Cybersecurity Technical Skills"
lastUpdated: "2026-06-16"
---

# AP Cybersecurity File Permissions and chmod Guide

## Summary

Practice ls -l, getfacl, and symbolic and numeric chmod for AP Cybersecurity. Learn owner, group, and other permissions for Device Security Analysis.

## Guide

File permissions decide who can read, change, or run files on a Linux system, and they are a core part of how you secure devices and data. This guide helps you read permission strings with `ls -l` and `getfacl`, then change them safely using both symbolic and numeric `chmod`. You will also connect those skills to the [Device Security Analysis](/ap-cybersecurity/device-security-analysis "fv-autolink") free-response question.

## Where This Shows Up

File permissions appear in two places on the [AP Cybersecurity Exam](/ap-cybersecurity/ap-cybersecurity-exam "fv-autolink"). In the multiple-choice section, you may get scenario items built on file-permission strings or access-control emails. In the free-response Device Security Analysis, one of your sources may be file-system permissions, and you may be asked to identify a problem, describe how a permission change affects users, or write a proper command.

This ties directly to Skill Categories 2 and 3. You are mitigating [risk](/ap-cybersecurity/key-terms/risk "fv-autolink") by tightening weak permissions (Skill 2.D, implement and log mitigations) and detecting attacks by spotting overly permissive files that an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") could abuse (EK 5.1.A.3).

## Reading Permissions With ls -l

Start with `ls -l` to list files with their permission strings. A typical line looks like this:

```
-rwxr-xr- 1 alice rnd 4096 Feb 10 09:14 formula.txt

```

The first character is the file type. A dash (`-`) means a regular file, and `d` means a directory. The next nine characters are three permission groups of three.

| Position | Applies to | Example | Meaning |
|:--|:--|:--|:--|
| 1-3 | Owner (user) | `rwx` | read, write, execute |
| 4-6 | Group | `r-x` | read, execute, no write |
| 7-9 | Other | `r--` | read only |

In the example above, `alice` is the owner and `rnd` is the group. The owner can read, write, and execute. Members of the `rnd` group can read and execute but not write. Everyone else (other) can only read.

## What Read, Write, and Execute Actually Do

The three permissions behave differently on files versus directories, and AP scenarios test that distinction.

- Read (`r`): view a file's contents, or list the names inside a directory.
- Write (`w`): change or delete a file's contents, or add and remove files inside a directory.
- Execute (`x`): run a file as a program, or enter (`cd` into) a directory.

A directory with read but no execute is a trap. You can see filenames but cannot access anything inside. To use a directory normally, you usually need both `r` and `x`.

## Reading Detailed Permissions With getfacl

When a file uses [access control list](/ap-cybersecurity/key-terms/access-control-list "fv-autolink") entries beyond the basic owner, group, and other, use `getfacl` to see the full picture. It prints the same core permissions plus any extra named-user or named-group entries.

```
getfacl formula.txt
## file: formula.txt
## owner: alice
## group: rnd
user::rwx
group::r-x
other::r-
```

The `user::`, `group::`, and `other::` lines match what `ls -l` shows. If you see lines like `user:bob:rwx`, that is a specific named user given access through an ACL, which can be a security issue if `bob` should not have it.

## Numeric chmod

Numeric (octal) mode sets all three groups at once using a digit from 0 to 7. Each permission has a value: read is 4, write is 2, execute is 1. Add them up per group.

| Digit | Permissions | Meaning |
|:--|:--|:--|
| 7 | rwx | 4+2+1 |
| 6 | rw- | 4+2 |
| 5 | r-x | 4+1 |
| 4 | r- | 4 |
| 0 | -- | none |

So `chmod 750 formula.txt` gives the owner `rwx`, the group `r-x`, and other no access. That matches a common AP-style requirement: the owner has full access, the team can read and run, and everyone else is locked out.

```
chmod 750 formula.txt
ls -l formula.txt
-rwxr-x-- 1 alice rnd 4096 Feb 10 09:14 formula.txt

```

## Symbolic chmod

Symbolic mode changes permissions without resetting the rest. You name the target (`u` owner, `g` group, `o` other, `a` all), an operator (`+` add, `-` remove, `=` set exactly), and the permissions (`r`, `w`, `x`).

```
chmod o-w shared.txt      # remove write from other
chmod g+x scripts.sh      # add execute for the group
chmod u=rwx,g=rx,o= data  # set each group exactly
```

Use symbolic mode when you want a surgical fix, such as removing a single risky permission. Use numeric mode when you want to define the whole permission set cleanly.

## Worked Mini-Example: Tightening a Weak Directory

Suppose Device Security Analysis hands you this listing, and the policy says only the `rnd` group should access the research directory:

```
drwxrwxrwx 2 alice rnd 4096 Feb 10 09:14 Research
```

The `rwxrwxrwx` string means everyone can read, write, and enter the directory. That is the [weak access control](/ap-cybersecurity/unit-5/application-and-data-vulnerabilities-and-attacks/study-guide/T25I7qaDw4w4XT1rkAYr "fv-autolink") described in EK 5.1.A.3, and an adversary with any account could steal or destroy files.

A defensive fix gives the owner full [control](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink"), the group access, and other nothing:

```
chmod 770 Research
ls -l
drwxrwx-- 2 alice rnd 4096 Feb 10 09:14 Research

```

If the prompt asks you to describe the impact, explain that `rnd` members keep full access while all other users lose the ability to read, modify, or enter the directory, which removes the exposure without blocking the intended team.

## Common Mistakes to Avoid

- Mixing up the value order. Read is 4, write is 2, execute is 1. `chmod 644` is `rw-r-r--`, not the reverse.
- Forgetting execute on directories. A directory with `rw-` lets users see names but not open contents, which often is not what the scenario wants.
- Using `chmod 777` as a quick fix. That grants everyone full access and is the opposite of mitigation. The exam treats it as a [vulnerability](/ap-cybersecurity/key-terms/vulnerability "fv-autolink").
- Confusing symbolic operators. `=` overwrites the whole set for that target, while `+` and `-` only adjust one permission.
- Reading the wrong triad. Always confirm whether a permission problem affects the owner, the group, or other before recommending a change.
- Ignoring ownership. Permissions only matter relative to who the owner and group are, so check the `owner` and `group` fields in `ls -l` or `getfacl`.

## Quick Workflow for the FRQ

1. Run or read `ls -l` (or `getfacl`) and identify the type, owner, group, and the three permission triads.
2. Compare the current permissions against the stated policy or least-privilege expectation.
3. Name the specific risk in plain terms, such as other users having [write access](/ap-cybersecurity/unit-5/protecting-applications-and-data-managerial-controls-and-access-controls/study-guide/tZFME9LjYUHiIc9fHQE2 "fv-autolink") to sensitive files.
4. Choose numeric mode for a full reset or symbolic mode for a targeted fix.
5. Write the exact command and state how it changes access for owner, group, and other.

Keep your reasoning evidence based. When the prompt says write or describe, cite the permission string you saw and explain the effect on each class of user.

## FAQs

### What is the difference between numeric and symbolic chmod?

Numeric chmod uses octal digits (read 4, write 2, execute 1) to set all three permission groups at once, like chmod 750. Symbolic chmod uses targets and operators, like chmod g+x, to add or remove specific permissions without resetting the rest. Use numeric mode to define a full permission set and symbolic mode for a targeted single change.

### How do I read an ls -l permission string?

The first character is the file type, where a dash is a regular file and d is a directory. The next nine characters form three triads for owner, group, and other, each showing read (r), write (w), and execute (x) or a dash if denied. For example, -rwxr-x--- means the owner has full access, the group can read and execute, and other has none.

### Why is chmod 777 a security problem on the AP Cybersecurity Exam?

chmod 777 grants read, write, and execute to the owner, group, and everyone else. That is weakly configured access control described in EK 5.1.A.3, letting any user, including a compromised account, steal or destroy files. The exam treats it as a vulnerability, so apply least privilege with values like 750 or 770 instead.

### When should I use getfacl instead of ls -l?

Use getfacl when a file may have access control list entries beyond the basic owner, group, and other. It prints the same core permissions plus any named-user or named-group entries, such as user:bob:rwx. Those extra entries can reveal access a user should not have, which matters in Device Security Analysis source interpretation.

## Structured Data

```json
{"@context":"https://schema.org","@type":"FAQPage","inLanguage":"en","mainEntity":[{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/file-permissions-chmod-guide/study-guide/Oi3rgnbnQ0dri3gn5BnX#what-is-the-difference-between-numeric-and-symbolic-chmod","name":"What is the difference between numeric and symbolic chmod?","acceptedAnswer":{"@type":"Answer","text":"Numeric chmod uses octal digits (read 4, write 2, execute 1) to set all three permission groups at once, like chmod 750. Symbolic chmod uses targets and operators, like chmod g+x, to add or remove specific permissions without resetting the rest. Use numeric mode to define a full permission set and symbolic mode for a targeted single change."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/file-permissions-chmod-guide/study-guide/Oi3rgnbnQ0dri3gn5BnX#how-do-i-read-an-ls-l-permission-string","name":"How do I read an ls -l permission string?","acceptedAnswer":{"@type":"Answer","text":"The first character is the file type, where a dash is a regular file and d is a directory. The next nine characters form three triads for owner, group, and other, each showing read (r), write (w), and execute (x) or a dash if denied. For example, -rwxr-x--- means the owner has full access, the group can read and execute, and other has none."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/file-permissions-chmod-guide/study-guide/Oi3rgnbnQ0dri3gn5BnX#why-is-chmod-777-a-security-problem-on-the-ap-cybersecurity-exam","name":"Why is chmod 777 a security problem on the AP Cybersecurity Exam?","acceptedAnswer":{"@type":"Answer","text":"chmod 777 grants read, write, and execute to the owner, group, and everyone else. That is weakly configured access control described in EK 5.1.A.3, letting any user, including a compromised account, steal or destroy files. The exam treats it as a vulnerability, so apply least privilege with values like 750 or 770 instead."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/file-permissions-chmod-guide/study-guide/Oi3rgnbnQ0dri3gn5BnX#when-should-i-use-getfacl-instead-of-ls-l","name":"When should I use getfacl instead of ls -l?","acceptedAnswer":{"@type":"Answer","text":"Use getfacl when a file may have access control list entries beyond the basic owner, group, and other. It prints the same core permissions plus any named-user or named-group entries, such as user:bob:rwx. Those extra entries can reveal access a user should not have, which matters in Device Security Analysis source interpretation."}}]}
```
