
The subject of directory permissions in Linux can give rise to confusion, so here’s a quick guide (or reminder).

Read Permission

r – by itself allows the names of the entries in the directory to be listed, but not the entries themselves to be reached (not even their metadata, as the ? columns below show):

$ mkdir readonly 
$ touch readonly/myfile 
$ chmod 400 readonly 
$ ls -l readonly 
ls: cannot access 'readonly/myfile': Permission denied 
total 0 
-????????? ? ? ? ?            ? myfile 
$ ls -ld readonly/ 
dr-------- 2 kae kae 4096 Apr 25 16:19 readonly/ 
$

You also cannot cd into the directory:

$ cd readonly/
bash: cd: readonly/: Permission denied

Read and Execute

Having both Read and Execute set allows the contents of the directory to be seen:

$ chmod u+x readonly/
$ ls -l readonly/myfile
-rw-r--r-- 1 kae kae 0 Apr 25 16:19 readonly/myfile
$

Write Permission

w – by itself grants write permission on the directory entry itself, but as the session below shows, without x it permits neither listing the directory nor creating files within it:

$ mkdir writeonly
$ touch writeonly/myfile
$ chmod 200 writeonly
$ ls -l writeonly/
ls: cannot open directory 'writeonly/': Permission denied
$ ls -ld writeonly/
d-w------- 2 kae kae 4096 Apr 25 16:20 writeonly/
$ touch writeonly/myfile
touch: cannot touch 'writeonly/myfile': Permission denied

Again, you cannot cd to the directory:

$ cd writeonly/
bash: cd: writeonly/: Permission denied

Write and Execute

If the Execute bit is also set, reading, writing and deleting within the directory is permitted. However, without Read permission the directory contents cannot be listed, so you’ll need to know the name of the file:

$ chmod 300 writeonly/
$ ls -ld writeonly/
d-wx------ 2 kae kae 4096 Apr 25 16:20 writeonly/
$ ls writeonly/
ls: cannot open directory 'writeonly/': Permission denied
$ ls writeonly/myfile
writeonly/myfile
$ touch writeonly/myfile
$ rm writeonly/myfile

Execute Permission

x – allows the directory to be accessed via cd. However, you’ll still need either read or read+write access to be able to do anything useful:

$ mkdir executeonly
$ chmod 100 executeonly/
$ ls executeonly/
ls: cannot open directory 'executeonly/': Permission denied
$ cd executeonly/
/home/kae/tmp/executeonly
$ ls
ls: cannot open directory '.': Permission denied

Common Usage

From the above, it can be seen that the only really useful directory permissions are either read+execute (r-x) or read+write+execute (rwx).

The High End Bits

There are three additional permission bits that may be set:

  • setuid bit (4)
  • setgid bit (2)
  • sticky bit (1)

The setuid bit has no effect on directories under Linux.

The setgid bit forces all files and directories created within that directory to be the same group owner as the parent:

# mkdir setgid-dir
# chmod 2755 setgid-dir
# ls -ld setgid-dir/
drwxr-sr-x 2 root root 40 Apr 25 16:45 setgid-dir/
# chgrp kae setgid-dir
# ls -ld setgid-dir
drwxr-sr-x 2 root kae 40 Apr 25 16:45 setgid-dir
# touch setgid-dir/a_file
# ls -l setgid-dir/
total 0
-rw-r--r-- 1 root kae 0 Apr 25 16:46 a_file

Note the s in the third place of the group permissions, indicating that the setgid bit is set.

If the execute bit is not set, the s will be uppercase:

# chmod g-x setgid-dir/
# ls -ld setgid-dir/
drwxr-Sr-x 2 root kae 60 Apr 25 16:46 setgid-dir/

This should serve as a warning: as we saw above, we almost always want the execute bit set.

Finally, setting the sticky bit on a directory prevents unprivileged users from deleting or renaming files within that directory unless either a) they own the file or b) they own the parent directory. This is how the /tmp directory is set by default, and the trailing t of the permissions indicates this:

# ls -ld /tmp
drwxrwxrwt 29 root root 3640 Apr 25 16:48 /tmp

If we don’t own a file in /tmp, we can’t delete it no matter what the file permissions:

# touch /tmp/abcdef
# chmod 777 /tmp/abcdef
# ls -l /tmp/abcdef
-rwxrwxrwx 1 root root 0 Apr 25 16:52 /tmp/abcdef
# su - kae
$ rm /tmp/abcdef
rm: cannot remove '/tmp/abcdef': Operation not permitted
$
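As an added example (not from the original post), here is a small Python helper that encodes the rules demonstrated in the sessions above: what each permission class can do with a directory of a given mode, the ls-style rendering including the uppercase S/T cases, and an audit of the pitfalls the post warns about. It works on numeric modes only, so it runs without touching the filesystem; the function names are my own.

```python
import stat

# Bit offset of each permission class within the octal mode (chmod's u/g/o).
SHIFTS = {"owner": 6, "group": 3, "other": 0}


def class_abilities(mode: int, cls: str) -> dict:
    """What one class (owner/group/other) can do with a directory of this mode.

    Rules as shown in the sessions above: r lists entry names only, x is needed
    to cd into the directory and to reach entries by name, and w only permits
    creating/deleting entries when x is also present.
    """
    bits = (mode >> SHIFTS[cls]) & 0o7
    r, w, x = bool(bits & 4), bool(bits & 2), bool(bits & 1)
    return {
        "list_names": r,
        "traverse": x,
        "access_entries": x,
        "create_delete": w and x,  # w without x is useless (the writeonly case)
    }


def ls_string(mode: int) -> str:
    """Render the mode as `ls -ld` shows it, including s/S and t/T."""
    return stat.filemode(stat.S_IFDIR | mode)


def audit_dir_mode(mode: int) -> list:
    """Flag the directory-mode pitfalls discussed above; empty list means clean."""
    findings = []
    if mode & stat.S_ISUID:
        findings.append("setuid has no effect on a Linux directory")
    if mode & stat.S_ISGID and not mode & stat.S_IXGRP:
        findings.append("setgid without group execute (shows as 'S')")
    if mode & stat.S_ISVTX and not mode & stat.S_IXOTH:
        findings.append("sticky bit without other execute (shows as 'T')")
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable without sticky bit: anyone may delete or rename others' files")
    for cls, shift in SHIFTS.items():
        bits = (mode >> shift) & 0o7
        if bits and not bits & 1:
            findings.append(f"{cls} has r/w but no x: cannot cd in or reach entries")
    return findings


if __name__ == "__main__":
    # Constructed sample modes, mirroring the chmod values used in the post.
    for m in (0o400, 0o300, 0o2755, 0o2745, 0o1777, 0o777):
        print(oct(m), ls_string(m), audit_dir_mode(m))
```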

Summary

The permission bits as applied to Linux directories are often not as well understood as the permission bits on ordinary files, but hopefully this article has made things a little clearer.
