Do the parent directory's permissions matter when accessing a subdirectory?
The precise rule is: you can traverse a directory if and only if you have execute permission on it. So for example to access dir/subdir/file, you need execute permission on dir and dir/subdir, plus the permissions on file for the type of access you want. Getting into corner cases, I'm not sure whether it's universal that you need execute permission on the current directory to access a file through a relative path (you do on Linux).
The way you access a file matters. For example, if you have execute permissions on /foo/bar but not on /foo, but your current directory is /foo/bar, you can access files in /foo/bar through a relative path but not through an absolute path. You can't change to /foo/bar in this scenario; a more privileged process has presumably done cd /foo/bar before going unprivileged. If a file has multiple hard links, the path you use to access it determines your access constraints.
Symbolic links change nothing. The kernel uses the access rights of the calling process to traverse them. For example, if sym is a symbolic link to the directory dir, you need execute permission on dir to access sym/foo. The permissions on the symlink itself may or may not matter depending on the OS and filesystem (some respect them, some ignore them).
Removing execute permission from the root directory effectively restricts a user to a part of the directory tree (which a more privileged process must change into). This requires access control lists to be any use. For example, if / and /home are off-limits to joe (setfacl -m user:joe:0 / /home) and /home/joe is joe's home directory, then joe won't be able to access the rest of the system (including running shell scripts with /bin/sh or dynamically linked binaries that need to access /lib, so you'd need to go deeper for practical use, e.g. setfacl -m user:joe:0 /*; setfacl -d user:joe /bin /lib).
Read permission on a directory gives the right to enumerate the entries. Giving execute permission without giving read permission is occasionally useful: the names of entries serve as passwords to access them. I can't think of any use in giving read or write permission to a directory without execute permission.
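The following script is an added illustration of the rules in the answer above; it is not part of the original answer. It builds a throwaway tree work/foo/bar/file plus a symlink work/sym -> foo/bar (all names are arbitrary choices made here) and probes four situations: an absolute path through a directory without execute permission, a relative path from a cwd that was entered before the parent lost execute permission, the same path reached through a symlink, and a directory with execute but no read permission. Run it as an ordinary user: root, or any process with CAP_DAC_READ_SEARCH, bypasses these checks and every probe answers "yes".

```shell
#!/bin/sh
# Added example, not taken from the answers above. Names foo, bar, file
# and sym are arbitrary. Must run as a non-root user to see denials.

# Create work/foo/bar/file and work/sym -> foo/bar; print the work dir.
# The caller removes it with drop_tree.
make_tree() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/foo/bar" || return 1
    printf 'secret\n' > "$work/foo/bar/file"
    ln -s foo/bar "$work/sym"
    printf '%s\n' "$work"
}

# Print "yes" if cat on the given path succeeds, "no" otherwise.
readable() {
    if cat "$1" >/dev/null 2>&1; then printf yes; else printf no; fi
}

# Restore execute on foo so rm can descend, then delete the tree.
drop_tree() {
    chmod 755 "$1/foo" 2>/dev/null
    rm -rf "$1"
}

# 1. foo lacks execute: the absolute path cannot traverse it, even though
#    bar and file themselves are fully accessible.
probe_absolute() {
    w=$(make_tree) || return 1
    chmod 600 "$w/foo"
    r=$(readable "$w/foo/bar/file")
    drop_tree "$w"
    printf '%s' "$r"
}

# 2. cwd is already foo/bar when foo loses execute: the relative path
#    still works, because lookup starts at the cwd, not at /.
probe_relative() {
    w=$(make_tree) || return 1
    r=$(cd "$w/foo/bar" && chmod 600 "$w/foo" && readable ./file)
    drop_tree "$w"
    printf '%s' "$r"
}

# 3. sym -> foo/bar is resolved with the caller's rights, so removing
#    execute from foo blocks sym/file exactly like foo/bar/file.
probe_symlink() {
    w=$(make_tree) || return 1
    chmod 600 "$w/foo"
    r=$(readable "$w/sym/file")
    drop_tree "$w"
    printf '%s' "$r"
}

# 4. bar is execute-only: listing it fails, but a known name inside it
#    can still be opened. Prints "<listing>/<known name>".
probe_exec_only() {
    w=$(make_tree) || return 1
    chmod 111 "$w/foo/bar"
    if ls "$w/foo/bar" >/dev/null 2>&1; then l=yes; else l=no; fi
    r=$(readable "$w/foo/bar/file")
    chmod 755 "$w/foo/bar"
    drop_tree "$w"
    printf '%s/%s' "$l" "$r"
}

if [ "$(id -u)" -eq 0 ]; then
    echo "warning: running as root, DAC checks are bypassed" >&2
fi
echo "absolute path, foo has no x:  $(probe_absolute)"   # no (non-root)
echo "relative path from cwd bar:   $(probe_relative)"   # yes
echo "via symlink, foo has no x:    $(probe_symlink)"    # no (non-root)
echo "bar is x only (list/known):   $(probe_exec_only)"  # no/yes (non-root)
```

Each probe builds and removes its own tree, so they can be run in any order; drop_tree restores execute on foo first, since an unprivileged rm cannot descend into a directory it cannot traverse.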
No. The root folder's permissions limit the child files' permissions. You can try it:
$ mkdir rootdir
$ touch ./rootdir/childfile
$ chmod 777 ./rootdir/childfile
$ chmod 600 rootdir
$ cat ./rootdir/childfile
I get this:
cat: ./rootdir/childfile: Permission denied
You can make the child directory writable even if the parent directory is not. I do this for groups.
For example, the parent directory is owned by group coder with mode drwxr-sr-x, and the child directory has mode drwxrwsr-x.
You (any member of the coder group) can still write to the child directory but not to the parent directory.