Directory Execute-Permissions
The „Execute“ permission on a directory enables a user, group or others to perform any of the following:
- to change the current working directory to that directory, and
- to look up the entries of the directory by name, which is what reading their attributes (ownership, permissions, timestamps), opening them or traversing into them requires; the entries' own permissions still apply after the lookup.
Listing the base names of the entries in a directory is a separate ability and is granted by the read permission on that directory.
To test the effects of the execute permission, create a directory owned by user „user1“ and group „user1“ and grant read, but not execute, permission to others:
mkdir /tmp/component1
chown user1:user1 /tmp/component1
chmod 754 /tmp/component1
In that directory, create a subdirectory that grants read and execute permission to others:
mkdir /tmp/component1/component2
chown user1:user1 /tmp/component1/component2
chmod 755 /tmp/component1/component2
Inside the subdirectory, create a plain text file that grants read permission to others:
touch /tmp/component1/component2/test
chown user1:user1 /tmp/component1/component2/test
chmod 644 /tmp/component1/component2/test
To perform the following tests, switch to user „user3“, who is neither the owner nor a member of the owning group:
sudo -u user3 /bin/bash
List the names of entries in the directory:
user3$ ls /tmp/component1
component2
List the entries of the directory including attributes such as ownership, permissions and timestamps:
user3$ ls -l /tmp/component1
ls: cannot access '/tmp/component1/component2': Permission denied
total 0
d????????? ? ? ? ? ? component2
Change into the directory:
user3$ cd /tmp/component1
bash: cd: /tmp/component1: Permission denied
Change into the subdirectory:
user3$ cd /tmp/component1/component2
bash: cd: /tmp/component1/component2: Permission denied
Read the file in the subdirectory:
user3$ cat /tmp/component1/component2/test
cat: /tmp/component1/component2/test: Permission denied
Notably, the user cannot access any file or directory contained in a directory that the user has no execute permission on. Granting write permission on that directory does not let the user gain access to the directory itself or to any of its entries, because changing a mode requires owning the object, and reaching an entry requires execute permission on the directory.
To test this, grant write but not execute permission to others:
chmod 756 /tmp/component1
Become the user who is neither the owner nor a member of the owning group:
sudo -u user3 /bin/bash
As that user, try to change the permissions of the directory itself:
user3$ chmod o+x /tmp/component1
chmod: changing permissions of '/tmp/component1': Operation not permitted
Try to change the permissions of an entry of the directory:
user3$ chmod o+x /tmp/component1/component2
chmod: cannot access '/tmp/component1/component2': Permission denied
In summary, removing execute permission on a directory bars affected users from all access to it besides reading the base names of its entries, and it bars them from any access to the entries themselves, including everything below its subdirectories, regardless of the permissions set on those entries.
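The checks that the session above exercises can be modelled in a few lines. The following Python program is an added example written for this page, not code from the original; it reproduces the tree built above (the uids 1001 and 1003 and the mode of /tmp are assumptions) and applies the POSIX rules: every directory traversed on a path needs the search (x) bit for the caller, listing names needs r on the directory, cd needs x on the target, reading a file needs r on the file, and chmod needs ownership of the object after the path has been resolved. Root is modelled as bypassing the discretionary checks.

```python
"""Toy model of POSIX path permission checks (added example, not kernel code).

The tree, uids and names below are constructed to match the tutorial's
/tmp/component1/component2/test layout; they are assumptions, not real data.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # bits inside one rwx triplet


@dataclass
class Node:
    mode: int                  # permission bits, e.g. 0o754
    uid: int
    gid: int
    is_dir: bool = True
    children: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset


def _bits_for(node: Node, cred: Cred) -> int:
    """Select the owner triplet if the uid matches, else the group triplet if
    any of the caller's gids matches, else the 'other' triplet (first match wins)."""
    if cred.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in cred.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def _allowed(node: Node, cred: Cred, bit: int) -> bool:
    if cred.uid == 0:          # root bypasses discretionary permission checks
        return True
    return bool(_bits_for(node, cred) & bit)


def _resolve(root: Node, path: str, cred: Cred):
    """Walk the path: every directory that is traversed needs x. The final
    component is returned unchecked so each operation applies its own test."""
    node = root
    for name in [p for p in path.split("/") if p]:
        if not node.is_dir:
            return "ENOTDIR", None
        if not _allowed(node, cred, X):
            return "EACCES", None      # no search permission on a parent
        node = node.children.get(name)
        if node is None:
            return "ENOENT", None
    return None, node


def list_names(root, path, cred):      # what `ls dir` needs: r on the directory
    err, d = _resolve(root, path, cred)
    if err:
        return err, None
    if not d.is_dir:
        return "ENOTDIR", None
    if not _allowed(d, cred, R):
        return "EACCES", None
    return None, sorted(d.children)


def stat_path(root, path, cred):       # what `ls -l` does per entry: a lookup
    err, n = _resolve(root, path, cred)
    return (err, None) if err else (None, n.mode)


def chdir(root, path, cred):           # `cd dir`: x on the target directory
    err, d = _resolve(root, path, cred)
    if err:
        return err
    if not d.is_dir:
        return "ENOTDIR"
    return None if _allowed(d, cred, X) else "EACCES"


def read_file(root, path, cred):       # `cat file`: r on the file
    err, f = _resolve(root, path, cred)
    if err:
        return err
    if f.is_dir:
        return "EISDIR"
    return None if _allowed(f, cred, R) else "EACCES"


def chmod(root, path, new_mode, cred):  # only the owner (or root) may change a mode
    err, n = _resolve(root, path, cred)
    if err:
        return err                     # "cannot access": a parent lookup failed
    if cred.uid not in (0, n.uid):
        return "EPERM"                 # "Operation not permitted": not the owner
    n.mode = new_mode
    return None


def build_tree() -> Node:
    """Constructed tree mirroring the tutorial: user1 owns everything under /tmp/component1."""
    test = Node(0o644, 1001, 1001, is_dir=False)
    component2 = Node(0o755, 1001, 1001, children={"test": test})
    component1 = Node(0o754, 1001, 1001, children={"component2": component2})
    tmp = Node(0o777, 0, 0, children={"component1": component1})
    return Node(0o755, 0, 0, children={"tmp": tmp})


USER1 = Cred(1001, frozenset({1001}))   # assumed uid of the owner
USER3 = Cred(1003, frozenset({1003}))   # assumed uid of the unrelated user
ROOT = Cred(0, frozenset({0}))

if __name__ == "__main__":
    fs = build_tree()
    print("ls   /tmp/component1             ->", list_names(fs, "/tmp/component1", USER3))
    print("stat /tmp/component1/component2  ->", stat_path(fs, "/tmp/component1/component2", USER3))
    print("cd   /tmp/component1             ->", chdir(fs, "/tmp/component1", USER3))
    print("cat  .../component2/test         ->", read_file(fs, "/tmp/component1/component2/test", USER3))
    chmod(fs, "/tmp/component1", 0o756, USER1)        # owner grants write to others
    print("chmod o+x /tmp/component1 (user3)->", chmod(fs, "/tmp/component1", 0o757, USER3))
    print("chmod o+x .../component2 (user3) ->", chmod(fs, "/tmp/component1/component2", 0o755, USER3))
```

Running it prints the same outcomes the shell session shows: user3 can list the names in /tmp/component1 but gets EACCES on every lookup, cd or read below it; after the owner changes the mode to 756, chmod on the directory fails with EPERM (the path resolves, but user3 is not the owner) while chmod on the subdirectory fails with EACCES (the path does not even resolve). Swapping USER3 for USER1 or ROOT makes every call succeed.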