The subject of directory permissions in Linux can give rise to confusion, so here’s a quick guide (or reminder).
Read Permission
r – allows the directory itself to be listed, but not the contents of the directory:
$ mkdir readonly
$ touch readonly/myfile
$ chmod 400 readonly
$ ls -l readonly
ls: cannot access 'readonly/myfile': Permission denied
total 0
-????????? ? ? ? ? ? myfile
$ ls -ld readonly/
dr-------- 2 kae kae 4096 Apr 25 16:19 readonly/
You also cannot cd into the directory:
$ cd readonly/
bash: cd: readonly/: Permission denied
Read and Execute
Having both Read and Execute set allows the contents of the directory to be seen:
$ chmod u+x readonly/
$ ls -l readonly/myfile
-rw-r--r-- 1 kae kae 0 Apr 25 16:19 readonly/myfile
Write Permission
w – by itself, allows only the directory file to be read and written:
$ mkdir writeonly
$ touch writeonly/myfile
$ chmod 200 writeonly
$ ls -l writeonly/
ls: cannot open directory 'writeonly/': Permission denied
$ ls -ld writeonly/
d-w------- 2 kae kae 4096 Apr 25 16:20 writeonly/
$ touch writeonly/myfile
touch: cannot touch 'writeonly/myfile': Permission denied
Again, you cannot cd to the directory:
$ cd writeonly/
bash: cd: writeonly/: Permission denied
Write and Execute
If the Execute bit is also set, reading, writing and deleting within the directory is permitted. However, without Read permission the directory contents cannot be listed, so you’ll need to know the name of the file:
$ chmod 300 writeonly/
$ ls -ld writeonly/
d-wx------ 2 kae kae 4096 Apr 25 16:20 writeonly/
$ ls writeonly/
ls: cannot open directory 'writeonly/': Permission denied
$ ls writeonly/myfile
writeonly/myfile
$ touch writeonly/myfile
$ rm writeonly/myfile
Execute Permission
x – allows the directory to be accessed via cd. However, you’ll still need either read or read+write access to be able to do anything useful:
$ mkdir executeonly
$ chmod 100 executeonly/
$ ls executeonly/
ls: cannot open directory 'executeonly/': Permission denied
$ cd executeonly/
/home/kae/tmp/executeonly
$ ls
ls: cannot open directory '.': Permission denied
Common Usage
From the above, it can be seen that the only really useful directory permissions are either read+execute (r-x) or read+write+execute (rwx).
The High End Bits
There are three additional permission bits that may be set:
setuid bit (4)
setgid bit (2)
sticky bit (1)
The setuid bit has no effect on directories under Linux.
The setgid bit forces all files and directories created within that directory to be the same group owner as the parent:
# mkdir setgid-dir
# chmod 2755 setgid-dir
# ls -ld setgid-dir/
drwxr-sr-x 2 root root 40 Apr 25 16:45 setgid-dir/
# chgrp kae setgid-dir
# ls -ld setgid-dir
drwxr-sr-x 2 root kae 40 Apr 25 16:45 setgid-dir
# touch setgid-dir/a_file
# ls -l setgid-dir/
total 0
-rw-r--r-- 1 root kae 0 Apr 25 16:46 a_file
Note the s in the third place of the group permissions, indicating that the setgid bit is set.
If the execute bit is not set, the s will be uppercase:
# chmod g-x setgid-dir/
# ls -ld setgid-dir/
drwxr-Sr-x 2 root kae 60 Apr 25 16:46 setgid-dir/
This should serve as a warning: as we saw above, we almost always want the execute bit set.
Finally, setting the sticky bit on a directory prevents unprivileged users from deleting or renaming files within that directory unless either a) they own the file or b) they own the parent directory. This is how the /tmp directory is set by default, and the trailing t of the permissions indicates this:
# ls -ld /tmp
drwxrwxrwt 29 root root 3640 Apr 25 16:48 /tmp
If we don’t own a file in /tmp, we can’t delete it no matter what the file permissions:
# touch /tmp/abcdef
# chmod 777 /tmp/abcdef
# ls -l /tmp/abcdef
-rwxrwxrwx 1 root root 0 Apr 25 16:52 /tmp/abcdef
# su - kae
$ rm /tmp/abcdef
rm: cannot remove '/tmp/abcdef': Operation not permitted
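As an added example (not part of the original tip), the following POSIX sh function takes the mode column from ls -ld for a directory, works out the octal mode, and flags the cases discussed above: an uppercase S or T (high bit set without the matching execute bit), a setuid bit that does nothing on a directory, and the r-without-x, w-without-x and x-only combinations that are not really useful. The function names and the caveat labels are my own; the sample mode strings are taken from the listings above.

```shell
#!/bin/sh
# Added example: decode a directory mode string such as "drwxr-Sr-x"
# into octal and list the permission caveats the tip warns about.
# Assumes only POSIX sh and cut (no GNU stat, no bash-only expansions).

# triad_to_octal TRIAD: "rwx"-style triad -> 0..7. A lowercase s or t in
# the x position counts as execute set; an uppercase S or T does not.
triad_to_octal() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# triad_caveat WHO TRIAD: note the "not really useful" combinations:
# read or write without execute, or execute on its own.
triad_caveat() {
    case "$2" in
        r?[!xst]|?w[!xst]) printf ' %s:rw-without-x' "$1" ;;
        --[xst])           printf ' %s:exec-only' "$1" ;;
    esac
}

# dirmode_check MODE: MODE is the 10-character ls -ld mode string.
# Prints "<octal>[ caveat ...]"; returns 1 if MODE is not a directory mode.
dirmode_check() {
    mode=$1
    case "$mode" in d?????????) ;; *) echo "not a directory mode: $mode" >&2; return 1 ;; esac
    u=$(printf '%s' "$mode" | cut -c2-4)
    g=$(printf '%s' "$mode" | cut -c5-7)
    o=$(printf '%s' "$mode" | cut -c8-10)
    high=0
    case "$u" in ??[sS]) high=$((high + 4)) ;; esac   # setuid (4)
    case "$g" in ??[sS]) high=$((high + 2)) ;; esac   # setgid (2)
    case "$o" in ??[tT]) high=$((high + 1)) ;; esac   # sticky (1)
    caveats=""
    case "$u" in ??[sS]) caveats="$caveats setuid-no-effect-on-dir" ;; esac
    case "$g" in ??S)    caveats="$caveats setgid-without-exec" ;; esac
    case "$o" in ??T)    caveats="$caveats sticky-without-exec" ;; esac
    caveats="$caveats$(triad_caveat user "$u")$(triad_caveat group "$g")$(triad_caveat other "$o")"
    echo "$high$(triad_to_octal "$u")$(triad_to_octal "$g")$(triad_to_octal "$o")$caveats"
}

# Constructed inputs, copied from the listings in the tip:
dirmode_check drwxr-sr-x    # 2755
dirmode_check drwxr-Sr-x    # 2745 setgid-without-exec group:rw-without-x
dirmode_check drwxrwxrwt    # 1777
```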
Summary
The permission bits as applied to Linux directories are often not as well understood as the permission bits on ordinary files, but hopefully this article has made things a little clearer.