Why do we need execution permission to change a directory in Unix

file-permissionsunix

Here are the permissions given on the machine:

drwxrwxrwx   4 root     root         512 May 16 09:32 STC_10
drwxrw-rw-   4 root     root         512 May  5 11:22 STC_11

Now here is the Problem:

cd STC_11
-bash: cd: STC_11: Permission denied

But this one works:

-bash-4.0$ cd STC_10
-bash-4.0$ ls
Codemgr_wsdata  src

Why do we need execution permission to do a reach that directory STC_11? Wont read-write permissions suffice?

An ls command on STC_11 would work.

Best Answer

For the following demonstration, I created a few directories:

$ mkdir read_only
$ mkdir exec_only
$ mkdir r_e
$ touch read_only/cant_open
$ echo foo > read_only/cant_open 
$ echo bar > exec_only/cant_find
$ echo baz > r_e/normal
$ chmod 400 read_only/
$ chmod 100 exec_only/
$ chmod 500 r_e/

Read permissions are sufficient to list the contents of the directory: ls(1) can't find details about the file, but it can tell you the name of the file.

$ ls read_only/
ls: cannot access read_only/cant_open: Permission denied
cant_open

But read-only access doesn't let you traverse the directory:

$ cat read_only/cant_open 
cat: read_only/cant_open: Permission denied

Execute permissions are sufficient to traverse the directory (including cd), but you can't list the contents:

$ ls exec_only/
ls: cannot open directory exec_only/: Permission denied

Even though you can't get a listing of files in the directory, you can still traverse the directory:

$ cat exec_only/cant_find
bar

Both read and execute permissions work as you expect:

$ ls r_e
normal
$ cat r_e/normal 
baz

While it is initially confusing to have permission to list the files in a directory but not be able to do anything with them, and it is also confusing to have permission to do things with files but not be able to list them, it is part of Unix's tradition of simple mechanisms being used for clever things: these two elements alone make it easy to implement Capability-based security. If I were to place a few thousand files in the directory, but only wanted some people to read files meant for them, I could easily pick unguessable filenames, and give out the filenames when people give me money to read the files. :)

Or, maybe you have a dozen clients, and you want them all to have access to a directory of files meant for them. If you place all the client information into a single directory with only execute access, they could never determine your other clients, unless they already know that the other person is a client.

Related Solutions

Ubuntu – How To Give Execute Permissions To Root User File In Ubuntu

The author made a number of mistakes.

The script should be created, chmod'd and executed as root.
The script is missing the shebang to tell it what interpreter to use.

This is what you should be doing:

As root (sudo -s) create the file /root/fw.stop:

$ sudo -s
Enter foo's password:
# nano -w /root/fw.stop

Then enter the following script (note the change in the first line):

#!/bin/sh
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Then you can chmod it (still as root):

# chmod +x /root/fw.stop

Then you can run it (yes, still as root):

# /root/fw.stop

If you want to run it as anyone other than root then you should use sudo (sudo /root/fw.stop). The setuid bit is possible but a serious security hole as it would allow anyone to run the script.

Linux – Why do you need execute permission on the parent directory to rename a file

The meaning of execute permission for a directory is the ability to look up file names inside that directory. Of course, successfully looking up a file name produces a reference to an inode number, but the execute permission has nothing to do with inodes per se.

Without execute permission on the directory, you can't stat, open, rename, delete, or descend into subdirectories inside that directory. The only thing you can do is see the list of which filenames exist, and then only if you have read permission (and read but not execute is a strange set of permissions to have for a directory).

Consider if you have rw- on a directory. You know that filename foo exists inside this directory. In order to delete it you need to look it up, and you even need access to the inode (to decrement its link count). For that matter, you need access to the inode in order to tell if it's a directory or not (because if it's a directory, unlink should fail and rmdir should succeed, and the reverse if it's not a directory). But you can't look it up.

Best Answer

Related Solutions

Ubuntu – How To Give Execute Permissions To Root User File In Ubuntu

Linux – Why do you need execute permission on the parent directory to rename a file

Related Question