Tuesday, June 26, 2012

Unix Permissions on Folders

Unix permissions become somewhat tricky when they're applied to directories instead of files. This post should clear up any confusion about them (they had me pretty confused, so I figured them out by trial and error).

On normal files, the permissions are pretty straightforward:

  • Read allows you to read the contents of the file (i.e. open a text file in an editor, open an image in a viewer).
  • Write allows you to write to a file (make changes and save it, copy a new file over top of an old one, etc.).
  • Execute allows you to run the file as a program (a compiled binary or, for example, a Perl script).

On directories, the permissions get a bit trickier.

  • Read allows you to list the contents of the directory to see the files inside. This is it. It doesn't implicitly allow you to read the contents of the files, or to descend into subdirectories. It only lists them.
  • Write allows you to create new files in the directory or delete existing ones (even if the files belong to a different user, like root, that you wouldn't think you'd be able to delete). This only works if the Execute bit is also on.
  • Execute allows you to interact with a file, or to traverse past the directory into a subdirectory (provided that subdirectory has permissions that allow you to do so). Basically, the Execute permission allows the permissions on the file or subdirectory to take effect. If the folder doesn't have Execute permissions, any attempt to do anything to a file or subdirectory is automatically denied.

So here's a breakdown of the different permission combinations and what they do for you:

  • --- (000): No permissions. Can't open the folder, list its contents, or do anything with its contents.
  • r-- (400): You can list the contents. You can't open the files, or descend into subdirectories. Can't create new files or write to existing ones.
  • -w- (200): This is the same as ---, i.e. no permissions at all. The Write permission is useless without Execute.
  • --x (100): You can't list the contents of the folder, but if you know the exact name of a file or subdirectory, you can interact with it (provided it has permissions that allow you to). You can cd into a subdirectory or read/write a file that has permissions for it. But no listing the directory's contents.
  • rw- (600): Same as r--: you can list the contents but nothing more. The Write permission is useless without Execute.
  • r-x (500): You can list the contents, access files (subject to their permissions), and descend into subdirectories (subject to their permissions). You can't create new files though.
  • -wx (300): This one is interesting. You cannot list the contents of the directory, but you can interact with existing files (if you know their names in advance), and you can create new files in the directory and delete existing files. You can also descend into subdirectories.
  • rwx (700): All permissions for the directory.
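To make that table something you can verify on your own machine rather than a matter of memory, here is an added shell script (not part of the original post) that builds a throwaway directory containing a readable file and a traversable subdirectory, applies each mode in turn, and reports which of the five operations (list, read a file by name, create, delete, traverse into the subdirectory) actually succeed. It assumes a POSIX sh with coreutils-style ls/cat/touch/rm, a filesystem that honours standard Unix permission bits, and an ordinary (non-root) user; the helper names `yn`, `probe_dir` and `permission_table` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh,
# coreutils-style tools, and a non-root user (root bypasses these checks).

# yn CMD...: run a command silently and print y if it succeeded, n if not.
# Wrapping the command in `if` keeps `set -e` from aborting on expected failures.
yn() {
    if "$@" >/dev/null 2>&1; then echo y; else echo n; fi
}

# probe_dir MODE: create a directory holding a world-readable file "secret"
# and a traversable subdirectory "sub", chmod the directory to MODE, and
# print a one-line summary such as "list=y read=y create=n delete=n traverse=y".
probe_dir() {
    mode=$1
    d=$(mktemp -d) || return 1
    echo "constructed sample content" > "$d/secret"   # constructed test file
    chmod 644 "$d/secret"
    mkdir "$d/sub"
    chmod 755 "$d/sub"
    chmod "$mode" "$d"

    list=$(yn ls "$d")                           # needs r on the directory
    read_file=$(yn cat "$d/secret")              # needs x on the directory (name known in advance)
    create=$(yn touch "$d/newfile")              # needs w AND x on the directory
    delete=$(yn rm -f "$d/secret")               # needs w AND x; the file's own mode does not matter
    traverse=$(yn sh -c 'cd "$1"' sh "$d/sub")   # needs x on the directory and on sub

    # Restore full permissions so the temporary tree can be cleaned up.
    chmod 700 "$d"
    rm -rf "$d"
    echo "list=$list read=$read_file create=$create delete=$delete traverse=$traverse"
}

# permission_table: print the results for every mode listed in the post.
permission_table() {
    for m in 000 400 200 100 600 500 300 700; do
        printf '%s  %s\n' "$m" "$(probe_dir "$m")"
    done
}

permission_table
```

Run it as a normal user with `sh probe-dirperms.sh` (any file name will do). Two caveats worth keeping in mind when reading the output: root, or any process holding CAP_DAC_OVERRIDE, passes every one of these checks regardless of the mode bits, so the script tells you nothing when run as root; and the "delete files that belong to someone else" behaviour of the w+x combination is exactly what the sticky bit (mode 1777, as on /tmp) exists to restrain in shared world-writable directories, where only the file's owner, the directory's owner or root may unlink an entry.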
