If I have a folder specified as not-readable, are all folders under it also non-readable? For example, my shared hosting home account directory is not accessible to other accounts, so, are all folders and files that are 0777 under that home account directory non-accessible, too?
Files should almost never be given 777 permission; if they're publicly writable (usually a bad idea in its own right), they should not also be executable. Directories, on the other hand, sometimes need 777 permission (though not if I can help it!) and it is usually a good idea to apply the sticky bit to the directory. – Jonathan Leffler Oct 20 '09 at 16:29
4 Answers
Directories have two different read permissions. You have the standard read permission, like you do with files. This stops you from doing an opendir()/readdir() on the directory. This basically stops you from doing an ls in the directory. You can still access subdirectories if you know the name of them. You also have the execute permission, which in the case of directories prevents you from accessing the files inside them. You can not change directory to a directory you don't have execute permission for and you can not access anything under it, but you can still read the contents.
```
# mkdir -p read/subdirectory
# mkdir -p execute/subdirectory
# chmod o-x execute/
# chmod o-r read
# logout
% ls -ld read/ execute/
drwxr-xr-- 3 root root 4096 2009-10-20 14:43 execute/
drwxr-x--x 3 root root 4096 2009-10-20 14:43 read/
% ls read
ls: cannot open directory read: Permission denied
% ls execute
ls: cannot access execute/subdirectory: Permission denied
subdirectory
% cd read/subdirectory
% cd -
% cd execute/subdirectory
bash: cd: execute/subdirectory: Permission denied
```
You'll notice that the `ls execute` displays an error and the subdirectory. The reason is that ls is allowed to read the execute directory and discover the subdirectory, but ls will stat the subdirectory and get a permission denied there.
The answer is "Yes". If, for example, /foo is mode `-r-x------`, no one except the owner can read or change into /foo, therefore everything beneath that directory is inaccessible for everybody else, regardless of the permissions.
But maybe you should point out that if the mode is `drwx--x--x`, then people can access files under that directory if they know the name and have access permission on the file (e.g. 666). – Jonathan Leffler Oct 20 '09 at 16:27
No, I should *answer the question*, not explain every little detail of Unix file permissions. If you want the manual, you know where to find it. SO should not be the manual. – Teddy Oct 21 '09 at 09:05
This depends on the implementation, but in most modern unixes preventing access to the parent folder will also prevent access to the subfolders, regardless of their individual permissions.
```
user@host:/$ sudo chmod 700 test
user@host:/$ sudo ls -ld test/test
drwxr-xr-x 2 root root 4096 2009-10-20 15:29 test/test
user@host:/$ ls -ld test/test
ls: cannot access test/test: Permission denied
```
If you wish to give access to subfolders you could set the execute bit on the parent folder.
```
user@host:/$ sudo chmod 711 test
user@host:/$ ls -l test
ls: cannot open directory /test: Permission denied
user@host:/$ ls -ld test/test
drwxr-xr-x 2 root root 4096 2009-10-20 15:29 test/test
```
As you can see, this prevents listing of the parent folder, but allows access to the subfolder and files.
You can read a directory whose parent is not readable:
```
[kbrandt@kb: ~/scrap/perm] ls -ld foo
d--x------ 4 kbrandt kbrandt 4096 2009-10-20 08:45 foo
[kbrandt@kb: ~/scrap/perm] ls -ld foo/bar
drwxrwxr-x 3 kbrandt kbrandt 4096 2009-10-20 08:55 foo/bar
[kbrandt@kb: ~/scrap/perm] ls foo
ls: cannot open directory foo: Permission denied
[kbrandt@kb: ~/scrap/perm] ls foo/bar
baz foo
```
Directory permissions are not what you think though (from what I gather from your post):
- Execute (Search) -- Enter into a directory
- Write -- Create and delete files in that directory
- Read -- List the files in the directory
Execute (search) does require that all the parents have execute set, unlike read and write.
This is an example of why it is important to understand directory permissions:
Even if root owns a file, and no other users have write access to that file itself, if another user can write to and search that directory, that user can delete the file (assuming that was the last remaining hard link).
I recommend this link for an understanding of unix permissions: http://content.hccfl.edu/pollock/AUnix1/FilePermissions.htm – Kyle Brandt Oct 20 '09 at 14:15
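
The rule the answers above converge on is that a file's own mode (even 0777) only matters once every directory above it grants search (execute) permission. The following audit script applies that rule; it is an added example, not code from any of the answers, and the function names are hypothetical. It assumes the other account is neither owner nor group member of any path component and that no ACLs are in use.

```shell
#!/bin/sh
# Added example, not code from the answers. Assumes the "other" account is
# neither owner nor group member of any path component, that no ACLs apply,
# and that the ancestors of TOP itself (e.g. /home) are traversable.

# has_other_bits PATH OCTAL: succeed if all OCTAL bits are set for "other".
has_other_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# first_blocker TOP TARGET: walk the directories from TOP down to TARGET's
# parent and print the first one without o+x (search). Prints nothing when
# every directory on the way can be traversed.
first_blocker() {
    fb_dir=${1%/}
    fb_rel=${2#"$fb_dir"/}
    while :; do
        has_other_bits "$fb_dir" 001 || { printf '%s\n' "$fb_dir"; return 0; }
        case $fb_rel in
            */*) fb_dir=$fb_dir/${fb_rel%%/*}; fb_rel=${fb_rel#*/} ;;
            *)   return 0 ;;
        esac
    done
}

# exposed_writable TOP: list world-writable regular files under TOP that
# "other" can really reach, i.e. no directory above them blocks traversal.
exposed_writable() {
    ew_top=${1%/}
    find "$ew_top" -type f -perm -002 2>/dev/null | while IFS= read -r ew_f; do
        if [ -z "$(first_blocker "$ew_top" "$ew_f")" ]; then
            printf '%s\n' "$ew_f"
        fi
    done
}

# Usage: sh audit.sh /path/to/home   (the script name is a placeholder)
if [ "$#" -gt 0 ]; then
    exposed_writable "$1"
fi
```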