Determining User Access on a Linux Filesystem with „Classic Permissions“

Directory Execute-Permissions

The „Execute“ permission on a directory enables a user, group or others to perform any of the following:

  • To change the current working directory to that directory and
  • to read attributes of all entries in the directory.

The ability to read the base-names of entries in a directory is granted with the read permission on that directory.

To test the effects of the execute permission, create a directory owned by user „user1“ and group „user1“ and assign permissions to read, but not to execute, to others:

mkdir /tmp/component1
chown user1:user1 /tmp/component1
chmod 754 /tmp/component1

In that directory, create a subdirectory that grants permission to read and execute to others.

mkdir /tmp/component1/component2
chown user1:user1 /tmp/component1/component2
chmod 755 /tmp/component1/component2

Inside the subdirectory, create a plain text file that grants permission to read to others.

touch /tmp/component1/component2/test
chown user1:user1 /tmp/component1/component2
chmod 644 /tmp/component1/component2/test

To perform the following tests, change into user identity „user3“, who is not the owner and is not a member of the owning group:

sudo -u user3 /bin/bash

List the names of entries in the directory:

user3$ ls /tmp/component1

List the entries of the directory including attributes such as ownership, permissions and creation time:

user3$ ls -l /tmp/component1
ls: cannot access '/tmp/component1/component2': Permission denied
total 0
d????????? ? ? ? ?            ? component2

Change into the directory:

user3 $ cd /tmp/component1
bash: cd: /tmp/component1: Permission denied

Change into the subdirectory:

user3 $ cd /tmp/component1/component2
bash: cd: /tmp/component1/component2: Permission denied

Read the file in the subdirectory:

user3 $ cat /tmp/component1/component2/test
cat: /tmp/component1/component2/test: Permission denied

Notably, the user can not access any file or directory contained in a directory that user has no execute-permission on. Granting write-permissions to the user on that directory does not enable the user to gain access privileges on the directory itself or any of its entries.

To test this, grant write- but not execute-permission to others:

chmod 756 /tmp/component1

Become the user that is not owner or group-owner:

sudo -u user3 /bin/bash

As that user, try to change the permissions of the directory itself:

user3 $ chmod o+x /tmp/component1
chmod: changing permissions of '/tmp/component1': Operation not permitted

Try to change the permissions of an entry of the directory:

user3 $ chmod o+x /tmp/component1/component2 
chmod: cannot access '/tmp/component1/component2': Permission denied

In summary, removing execution rights on a directory bars affected users from all access besides reading the base names of the entries in the directory, and it bars affected users from any access to entries contained in sub-directories.