Learn › RHCSA (EX200) › Exam Orientation + Essential Tools
chmod - a hands-on Linux lab on a real virtual machine.
Read the ls -l ten-character mode string and set it exactly with chmod. Three classes (user, group, other) times three bits (read, write, execute), octal (640, 755, 750) and symbolic (u+x, g-r, o=), and what execute means on a directory. Serves EX200 objective 32: fix a permission or ownership problem without over-permissioning.
A colleague hands you a task. A script on the server refuses to run. Another file leaks data it should not. Both problems have the same root, and it is not the content of the files. It is a ten-character string sitting at the front of every line of ls -l, and most people never learn to read it.
That string is the file's permissions. It decides who may read a file, who may change it, and who may run it. On the RHCSA exam, one task hands you a broken permission or ownership and asks you to fix it, and only that. Grant too much and you fail the task even though the file now opens. This lesson teaches you to read that string and set it exactly, with chmod.
The black boxes below are a practice terminal: a safe sandbox that only checks the one command each step teaches. The outputs shown are one real capture from a RHEL 10 machine. Two fields in every ls -l line, the date and the owner name, belong to the machine and moment they were captured on. Yours will read differently. The permission string itself, the part this lesson is about, is exact and repeatable.
Every file and directory carries permissions for three classes of people. User (u) is the single owner of the file. Group (g) is everyone in the file's group. Other (o) is everyone else on the system. That is the whole audience: you, your team, the world.
Each class gets three bits, each a yes-or-no switch. Read (r) means view the contents. Write (w) means change the contents. Execute (x) means run the file as a program. Three classes times three bits is nine switches, and those nine switches are what the ten-character string in ls -l spells out.
This model, three classes and three bits, is called ugo/rwx, and naming it is EX200 objective 32: list, set, and change standard ugo/rwx permissions. It is the only permission model RHEL 10 asks you to know. There is no ACL question on the current exam.
The rwx model is almost as old as Unix itself. It was there in the first editions in the early 1970s, when a computer was one shared machine. The only question worth answering was simple: of the people logged in right now, who is allowed to touch this file? User, group, other answered it in three letters, and fifty years later the exam still hangs on those same three letters.
There is no fourth class and no per-person list in this model. If you need someone outside the owner and the group to have access, your only lever is other, which means everyone. That bluntness is exactly why setting permissions *exactly* matters on the exam: other is all-or-nothing.
The fastest way to set all nine bits at once is octal notation: three digits, one per class, in the order user, group, other. Each digit is a sum of three values: read is 4, write is 2, execute is 1. Add up the bits you want. Read plus write is 4 + 2 = 6. Read plus execute is 4 + 1 = 5. All three is 7. Nothing is 0.
So 640 means user 6 (read plus write), group 4 (read only), other 0 (nothing). Create an empty file with touch, then set it. Before you run this, decide what the string should read: user gets rw-, group gets r--, other gets ---.
prompt: student@servera:~$ answer: chmod 640 perm.txt output: hint: Three digits after chmod, one per class. User read plus write is 4 plus 2. Group read is 4. Other nothing is 0.
chmod prints nothing when it succeeds, which is why the box above is silent. Silence is success. To SEE the result you look at the file with ls -l, which is the next step.
Now confirm what chmod did. ls -l prints one line per file, and the first field is the ten-character mode string. Run it against the file you just changed:
prompt: student@servera:~$ answer: ls -l perm.txt output: -rw-r-----. 1 student student 0 Jul 5 18:36 perm.txt hint: The long-format flag on ls is a single lowercase l. Point it at perm.txt.
Look at -rw-r-----. Read it in four pieces, left to right:
That is your 640 read back to you. The 6 became rw-, the 4 became r--, the 0 became ---. Reading a mode string is just this: chop off the first character, then split the remaining nine into three groups of three.
The student student in the output is the owning user and the owning group. Those names and the date belong to the capture machine and will differ on yours. The trailing dot after the permissions signals an SELinux label is present, which is normal on RHEL 10 and not part of this lesson.
Octal sets all nine bits at once, which is perfect when you know exactly what the whole string should be. But sometimes the task is narrower: add execute for the user, leave everything else alone. For that you use symbolic notation: a class letter (u, g, o), an operator, and a bit letter.
The operators are + to add a bit, - to remove a bit, and = to set a class to exactly what you list and clear the rest. You can stack several changes in one command by separating them with commas. Take the 640 file from before and, in one command, add execute for the user and remove read from the group:
prompt: student@servera:~$ answer: chmod u+x,g-r perm.txt output: hint: Two changes separated by a comma. u plus x adds execute for the user. g minus r removes read from the group.
Symbolic touched only the bits you named. The user gained x, the group lost r, and other was already empty. Read it back:
prompt: student@servera:~$ answer: ls -l perm.txt output: -rwx------. 1 student student 0 Jul 5 18:36 perm.txt hint: Same ls -l as before, pointed at perm.txt.
Compare this to the 640 line. Only the two bits you named moved: user went rw- to rwx, group went r-- to ---. Everything else held. That surgical quality is the whole point of symbolic notation, and it is why the exam sometimes forces it: when a task says change one thing without disturbing the rest, chmod 700 would be over-permissioning. Change only what was asked.
On a file, execute means run it as a program. On a directory, execute means something different and easy to forget: permission to enter, to cd into it and reach the files inside. A directory with read but no execute lets you list the names but not open anything within. Almost every directory you want to use needs x.
Watch it on a real directory. 750 on a directory means user rwx (full), group r-x (enter and list), other --- (locked out). Note the -d flag on ls, which shows the directory itself rather than its contents:
prompt: student@servera:~$ answer: ls -ld pdir output: drwxr-x---. 2 student student 6 Jul 5 18:36 pdir hint: Add d to the long-format flag so ls describes the directory itself: ls -ld, then the directory name pdir.
This particular directory was set to 750, so its string is drwxr-x---. The leading d marks it a directory. User has rwx, group has r-x (they can enter and list but not create files), and other has ---, locked out entirely. A member of other here cannot even cd in, because they have no x. That is the trap the exam sets: strip x off a directory and you lock people out even if you left r on.
Permissions decide what each class may do. Ownership decides who is in each class. Two more commands set ownership, and you will meet them fully in a later lesson, but know them now: chown changes the owning user (and optionally the group, as chown alice:devs file), and chgrp changes just the group. Only root may hand a file to another user.
Why it matters for objective 32: a file might be unreadable not because the bits are wrong but because it is owned by the wrong user. The fix is chown, not chmod. Read the ls -l line first. It tells you both the permissions and the owner, so you can see which one is actually broken before you touch anything.
Scaffolding off. No command is shown. You have every piece you need.
You have a file named perm.txt. Set it so the owner can read and write it, and nobody else, not the group, not other, can do anything at all. Use octal, and set all nine bits in one command. Before you type, work out the three digits: owner is read plus write, group is nothing, other is nothing.
prompt: student@servera:~$ answer: chmod 600 perm.txt output: hint: Owner read plus write is 4 plus 2. Group nothing is 0. Other nothing is 0. Three digits, no spaces.
That is 600, the classic private-file permission: -rw-------. You reached for octal because you knew the whole target string, and you set it in one move without over-granting. That is exactly the judgement objective 32 tests. chmod printed nothing, because it succeeded.
You earned this cheat sheet. Every row is a form you just ran or read:
And the numbers behind every octal digit: read is 4, write is 2, execute is 1. Add the bits you want. The three pieces of any mode string: chop off the first character for the type, then split the nine that remain into user, group, other.
On the exam, reach for octal when you know the whole target string, and symbolic when the task says change one thing without touching the rest. On a directory, never drop x unless you truly mean to lock people out, because x is what lets anyone enter.
The practice terminal has shown you the shape of permissions. You can read the ten-character string, set all nine bits at once with octal, change one bit at a time with symbolic, and you know that x on a directory means the right to enter. Every one of those you typed yourself.
The Essential Tools module ends on one real RHEL 10 machine, the essential-tools capstone mission, and that is where you fix permissions for real. A full AlmaLinux 10 machine boots for you, the same build the exam simulates. It hands you an objective in the shape of EX200 task 32: a file or directory with the wrong permission or the wrong owner. Your job is to fix exactly that, no more. One difference from here: the mission shows no commands. You read the objective, you recall chmod or chown, you type it. That recall is what makes it stick.
Finish the other Essential Tools lessons, then go fix a real permission for yourself.
Practice ugo/rwx Permissions in a real Linux terminal at The Linux Camp. Progress is verified automatically as you type commands on the machine.