Determining User Access on a Linux Filesystem with „Classic Permissions“

Directory Execute-Permissions

The „Execute“ permission on a directory enables a user, group or others to perform any of the following:

  • To change the current working directory to that directory and
  • to read attributes of all entries in the directory.

The ability to read the basenames of entries in a directory is granted with the read permission on that directory.

To test the effects of the execute permission, create a directory owned by user „user1“ and group „user1“ and assign permissions to read, but not to execute, to others:

mkdir /tmp/component1
chown user1:user1 /tmp/component1
chmod 754 /tmp/component1

In that directory, create a subdirectory that grants permission to read and execute to others.

mkdir /tmp/component1/component2
chown user1:user1 /tmp/component1/component2
chmod 755 /tmp/component1/component2

Inside the subdirectory, create a plain text file that grants permission to read to others.

touch /tmp/component1/component2/test
chown user1:user1 /tmp/component1/component2/test
chmod 644 /tmp/component1/component2/test

To perform the following tests, change into user identity „user3“, who is not the owner and is not a member of the owning group:

sudo -u user3 /bin/bash

List the names of entries in the directory:

user3$ ls /tmp/component1
component2

List the entries of the directory including attributes such as ownership, permissions and timestamps:

user3$ ls -l /tmp/component1
ls: cannot access '/tmp/component1/component2': Permission denied
total 0
d????????? ? ? ? ?            ? component2

Change into the directory:

user3$ cd /tmp/component1
bash: cd: /tmp/component1: Permission denied

Change into the subdirectory:

user3$ cd /tmp/component1/component2
bash: cd: /tmp/component1/component2: Permission denied

Read the file in the subdirectory:

user3$ cat /tmp/component1/component2/test
cat: /tmp/component1/component2/test: Permission denied

Notably, the user cannot access any file or directory contained in a directory that the user has no execute permission on. Granting write permission to the user on that directory does not enable the user to gain access privileges on the directory itself or on any of its entries.

To test this, grant write- but not execute-permission to others:

chmod 756 /tmp/component1

Become the user that is not owner or group-owner:

sudo -u user3 /bin/bash

As that user, try to change the permissions of the directory itself:

user3$ chmod o+x /tmp/component1
chmod: changing permissions of '/tmp/component1': Operation not permitted

Try to change the permissions of an entry of the directory:

user3$ chmod o+x /tmp/component1/component2
chmod: cannot access '/tmp/component1/component2': Permission denied

In summary, removing execute permission on a directory bars affected users from all access besides reading the basenames of the entries in the directory: they can neither access the entries themselves nor anything contained in subdirectories, because path resolution already fails at the directory without execute permission.
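The rule behind all of the observations above can be checked without a second user account. The following is an added Python model of the classic permission check (not code from the page): it demands search (execute) permission on every directory prefix before it looks at the final entry's own bits, and it reproduces the user3 results for both the 754 and the 756 setup. The numeric ids (user1 = 1001, user3 = 1003) are assumptions; the page only names the users.

```python
import os
from typing import Dict, NamedTuple, Sequence

R, W, X = 4, 2, 1  # the three bits of one rwx class

class Entry(NamedTuple):
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o754

# Constructed model of the tree built in the text. The numeric ids are an
# assumption (user1 -> 1001, user3 -> 1003); the page only names the users.
TREE: Dict[str, Entry] = {
    "/": Entry(0, 0, 0o755),
    "/tmp": Entry(0, 0, 0o1777),
    "/tmp/component1": Entry(1001, 1001, 0o754),
    "/tmp/component1/component2": Entry(1001, 1001, 0o755),
    "/tmp/component1/component2/test": Entry(1001, 1001, 0o644),
}

def class_bits(entry: Entry, uid: int, gids: Sequence[int]) -> int:
    """Pick the single rwx class that applies: owner, else group, else other."""
    if uid == entry.uid:
        return (entry.mode >> 6) & 7
    if entry.gid in gids:
        return (entry.mode >> 3) & 7
    return entry.mode & 7

def may_access(tree: Dict[str, Entry], path: str, uid: int,
               gids: Sequence[int], wanted: int = 0) -> bool:
    """Classic DAC check (uid 0 is not modelled): every directory on the way
    to `path` must grant search (X) to the caller; only then are the final
    entry's own bits compared with `wanted` (R, W, X combined; 0 means "just
    resolve the path", which is all that stat and therefore `ls -l` need)."""
    prefix = "/"
    for part in [p for p in path.split("/") if p]:
        if not class_bits(tree[prefix], uid, gids) & X:
            return False  # resolution stops in a parent: "Permission denied"
        prefix = os.path.join(prefix, part)
    return class_bits(tree[prefix], uid, gids) & wanted == wanted

def may_chmod(tree: Dict[str, Entry], path: str, uid: int,
              gids: Sequence[int]) -> bool:
    """chmod first resolves the path, then requires ownership of the entry."""
    if not may_access(tree, path, uid, gids):
        return False  # "chmod: cannot access ...: Permission denied"
    return tree[path].uid == uid  # otherwise "Operation not permitted"
```

`may_access(TREE, "/tmp/component1", 1003, (1003,), R)` is the only call from the user3 session that returns True; everything that needs to pass through component1 fails on its missing execute bit, and switching component1 to 0o756 changes nothing for user3 except that `may_chmod` on the directory itself now fails on ownership rather than on resolution.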