Execute vs Read bit. How do directory permissions in Linux work?

When applying permissions to directories on Linux, the permission bits have different meanings than on regular files.

  • The read bit (r) allows the affected user to list the files within the directory
  • The write bit (w) allows the affected user to create, rename, or delete files within the directory, and modify the directory's attributes
  • The execute bit (x) allows the affected user to enter the directory, and access files and directories inside
  • The sticky bit (T, or t if the execute bit is set for others) states that files and directories within that directory may only be deleted or renamed by their owner (or root)

First, think: What is a directory? It's just a list of items (files and other directories) that live within. So: directory = list of names.

Read bit = If set, you can read this list. So, for example, if you have a directory named poems:

  • You can ls poems and you'll get a list of items living within (-l won't reveal any details!).
  • You can use command-line completion i.e. touch poems/so <TAB> poems/somefile.
  • You cannot make poems your working directory (i.e. cd into it).

Write bit = If set, you can modify this list i.e. you can {add,rename,delete} names on it. But! You can actually do it only if the execute bit is set too.

Execute bit = Make this directory your working directory i.e. cd into it. You need this permission if you want to:

  • access (read, write, execute) items living within.
  • modify the list itself i.e. add, rename, delete names on it (of course the write bit must be set on the directory).

Interesting case 1: If you have write + execute permissions on a directory, you can {delete,rename} items living within even if you don't have write permission on those items. (use sticky bit to prevent this)

Interesting case 2: If you have execute (but not write) permission on a directory AND you have write permission on a file living within, you cannot delete the file (because it involves removing it from the list). However, you can erase its contents e.g. if it's a text file you can use vi to open it and delete everything. The file will still be there, but it will be empty.

Summary:

Read bit = You can read the names on the list.
Write bit = You can {add,rename,delete} names on the list IF the execute bit is set too.
Execute bit = You can make this directory your working directory.

PS: The article mentioned by Kusalananda is a good read.
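The rules above, as an added Python model that is not part of the original post: each check mirrors the answer's description (listing needs r, entering needs x, deleting needs w+x on the directory regardless of the file's own bits, truncating needs only x on the directory plus w on the file). The sticky-bit check allows the file owner, the directory owner and root, which is the actual Linux rule; the owner/other view that ignores group bits is a simplification of this model.

```python
import stat
from dataclasses import dataclass

ROOT = "root"


@dataclass
class Node:
    """A file or directory: permission bits (may include stat.S_ISVTX) and owner name."""
    mode: int
    owner: str


def _bits(node, user):
    """Effective rwx bits (r=4, w=2, x=1) for `user`.
    Simplification: only owner vs. other is modelled; group bits are ignored."""
    if user == ROOT:
        return 7
    shift = 6 if user == node.owner else 0
    return (node.mode >> shift) & 7


def can_list(d, user):
    """`ls d`: needs the read bit on the directory (the list of names)."""
    return bool(_bits(d, user) & 4)


def can_enter(d, user):
    """`cd d`, or reaching anything inside it: needs the execute bit."""
    return bool(_bits(d, user) & 1)


def can_read_file(d, f, user):
    """Reading contents: x on the directory, then r on the file itself."""
    return can_enter(d, user) and bool(_bits(f, user) & 4)


def can_truncate_file(d, f, user):
    """Interesting case 2: x on the directory + w on the file is enough to
    empty the file, even when the name cannot be removed from the list."""
    return can_enter(d, user) and bool(_bits(f, user) & 2)


def can_unlink(d, f, user):
    """Interesting case 1: delete/rename needs w+x on the directory; the file's
    own bits do not matter. With the sticky bit set, only the file owner, the
    directory owner or root may remove the entry."""
    if not (can_enter(d, user) and _bits(d, user) & 2):
        return False
    if d.mode & stat.S_ISVTX and user not in (ROOT, f.owner, d.owner):
        return False
    return True
```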


I have prepared this table with all the possible permissions and their practical effects.

[image: table of linux directory permissions]

(*) Only file names: other attributes such as size or date are not accessible. E.g. you can use the tab key to autocomplete but not the ls command.

Some thoughts:

  • With X unset, R and W are mostly useless.
  • X alone disabling RW gives you a false sense of security since you could blindly read and write file contents and access subdirectories. You should be sure that every direct child of the directory has explicit permissions.
  • Rarely you will use other values than:
    • 0: No access.
    • 1: Minimum access allowing traversing.
    • 5: Allow reading / writing, but not altering the structure of the directory tree itself.
    • 7: Full access.