Execute vs Read bit. How do directory permissions in Linux work?
When applying permissions to directories on Linux, the permission bits have different meanings than on regular files.
- The read bit (`r`) allows the affected user to list the files within the directory
- The write bit (`w`) allows the affected user to create, rename, or delete files within the directory, and modify the directory's attributes
- The execute bit (`x`) allows the affected user to enter the directory, and access files and directories inside
- The sticky bit (`T`, or `t` if the execute bit is set for others) states that files and directories within that directory may only be deleted or renamed by their owner (or root)
First, think: What is a directory? It's just a list of items (files and other directories) that live within. So: directory = list of names.
Read bit = If set, you can read this list. So, for example, if you have a directory named `poems`:
- You can `ls poems` and you'll get a list of items living within (`-l` won't reveal any details!).
- You can use command-line completion, i.e. `touch poems/so<TAB>` → `poems/somefile`.
- You cannot make `poems` your working directory (i.e. `cd` into it).
Write bit = If set, you can modify this list i.e. you can {add,rename,delete} names on it. But! You can actually do it only if the execute bit is set too.
Execute bit = Make this directory your working directory, i.e. `cd` into it. You need this permission if you want to:
- access (read, write, execute) items living within.
- modify the list itself i.e. add, rename, delete names on it (of course the write bit must be set on the directory).
Interesting case 1: If you have write + execute permissions on a directory, you can {delete,rename} items living within even if you don't have write permission on those items. (use sticky bit to prevent this)
Interesting case 2: If you have execute (but not write) permission on a directory AND you have write permission on a file living within, you cannot delete the file (because it involves removing it from the list). However, you can erase its contents e.g. if it's a text file you can use vi to open it and delete everything. The file will still be there, but it will be empty.
Summary:
Read bit = You can read the names on the list.
Write bit = You can {add,rename,delete} names on the list IF the execute bit is set too.
Execute bit = You can make this directory your working directory.
PS: The article mentioned by Kusalananda is a good read.
I have prepared this table with all the possible permissions and their practical effects.
(*) Only file names: other attributes such as size or date are not accessible. E.g. you can use the tab key to autocomplete but not the ls command.
Some thoughts:
- With X unset, R and W are mostly useless.
- X alone disabling RW gives you a false sense of security since you could blindly read and write file contents and access subdirectories. You should be sure that every direct child of the directory has explicit permissions.
- Rarely you will use other values than:
- 0: No access.
- 1: Minimum access allowing traversing.
- 5: Allow reading / writing, but not altering the structure of the directory tree itself.
- 7: Full access.
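The rules in the "Summary" answer above (read lists names, execute traverses, write only takes effect together with execute, sticky bit restricts deletion) and the per-value effects table in the last answer can be captured in a few lines. The following is an added example, not code posted by any of the answerers; the function names `directory_effects`, `can_unlink` and `effects_table` are this example's own. The sticky-bit check also lets the directory owner remove entries, which is how Linux behaves but goes slightly beyond the "owner (or root)" wording in the first answer.

```python
import stat

# Added example (not from the original answers): derive the practical effect of
# a directory's permission bits for one class of user, encoding the rules above:
# r lists names, x traverses, and w only takes effect together with x.

CLASS_SHIFT = {"owner": 6, "group": 3, "other": 0}


def class_bits(mode, who):
    """Return (r, w, x) of a mode such as 0o751 for 'owner', 'group' or 'other'."""
    bits = (mode >> CLASS_SHIFT[who]) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def directory_effects(mode, who="owner"):
    """What a user of class `who` can do with a directory that has this mode."""
    r, w, x = class_bits(mode, who)
    return {
        "list_names": r,          # `ls poems` (and tab completion) works with r alone
        "list_details": r and x,  # `ls -l` must stat each entry, which needs x
        "traverse": x,            # `cd poems`, or open `poems/file` by name
        "access_contents": x,     # read/write entries, subject to their own mode bits
        "modify_list": w and x,   # create, rename or delete entries
    }


def can_unlink(dir_mode, who, owns_entry=False, owns_dir=False, is_root=False):
    """Can the actor delete or rename an entry in the directory?

    Needs w+x on the directory. With the sticky bit (stat.S_ISVTX) set, Linux
    additionally requires the actor to own the entry or the directory (or be root).
    """
    if is_root:
        return True
    if not directory_effects(dir_mode, who)["modify_list"]:
        return False
    if dir_mode & stat.S_ISVTX:
        return owns_entry or owns_dir
    return True


def effects_table():
    """Rows (octal digit, symbolic form, effects) for all eight values of one class."""
    rows = []
    for bits in range(8):
        sym = "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
        rows.append((bits, sym, directory_effects(bits, "other")))
    return rows


if __name__ == "__main__":
    for bits, sym, eff in effects_table():
        allowed = ", ".join(k for k, v in eff.items() if v) or "nothing"
        print(f"{bits} {sym}: {allowed}")
    # Interesting case 1: w+x on the directory lets "other" remove someone else's file...
    print(can_unlink(0o777, "other", owns_entry=False))   # True
    # ...unless the sticky bit is set (drwxrwxrwt, as on /tmp).
    print(can_unlink(0o1777, "other", owns_entry=False))  # False
```

Running it prints one row per octal digit; the rows for 2 (`-w-`) and 6 (`rw-`) show no `modify_list`, which is the "write needs execute" rule, and the `can_unlink` calls show why a world-writable shared directory should carry the sticky bit.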