permissions – Do Parent Directory’s Permissions Matter When Accessing a Subdirectory?
Tags: directory, permissions

If I have a root folder with some restrictive permission, let's say 600, and if the child folders/files have 777 permission, will everybody be able to read/write/execute the child file even though the root folder has 600?
Best Answer
The precise rule is: you can traverse a directory if and only if you have execute permission on it.

So for example, to access dir/subdir/file, you need execute permission on dir and dir/subdir, plus the permissions on file for the type of access you want. Getting into corner cases, I'm not sure whether it's universal that you need execute permission on the current directory to access a file through a relative path (you do on Linux).

The way you access a file matters. For example, if you have execute permission on /foo/bar but not on /foo, but your current directory is /foo/bar, you can access files in /foo/bar through a relative path but not through an absolute path. You can't change to /foo/bar in this scenario; a more privileged process has presumably done cd /foo/bar before going unprivileged. If a file has multiple hard links, the path you use to access it determines your access constraints.

Symbolic links change nothing. The kernel uses the access rights of the calling process to traverse them. For example, if sym is a symbolic link to the directory dir, you need execute permission on dir to access sym/foo. The permissions on the symlink itself may or may not matter depending on the OS and filesystem (some respect them, some ignore them).

Removing execute permission from the root directory effectively restricts a user to a part of the directory tree (which a more privileged process must change into). This requires access control lists to be of any use. For example, if / and /home are off-limits to joe (setfacl -m user:joe:0 / /home) and /home/joe is joe's home directory, then joe won't be able to access the rest of the system (including running shell scripts with /bin/sh or dynamically linked binaries that need to access /lib, so you'd need to go deeper for practical use, e.g. setfacl -m user:joe:0 /*; setfacl -d user:joe /bin /lib).

Read permission on a directory gives the right to enumerate the entries. Giving execute permission without giving read permission is occasionally useful: the names of entries serve as passwords to access them. I can't think of any use in giving read or write permission to a directory without execute permission.
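The following is an added example, not part of the question or the answer above: a small POSIX shell script that applies the "execute permission on every directory along the path" rule mechanically. first_blocking_dir walks a path one component at a time and reports the first directory the calling user cannot search; describe_access then shows which r/w/x bits on the final entry actually apply once the path is reachable. It uses only test(1), which asks the kernel through access(2), so the verdict reflects ACLs and root's DAC override as well as plain mode bits. The demo_question_layout function rebuilds the question's scenario (a 600 directory above a 777 directory and file) in a temporary directory of its own; the names root, child and file are constructed for the example.

```shell
#!/bin/sh
# Added example: find the directory that makes a path unreachable, regardless of how
# permissive the entries below it are.

# first_blocking_dir PATH
#   Prints the first directory prefix of PATH that the calling user cannot search (no x bit
#   for them) and returns 1, or prints nothing and returns 0 when every directory leading
#   to PATH is searchable. The final component is not checked here: it may be a file, and
#   its own mode is a separate question (see describe_access).
first_blocking_dir() {
    path=$1
    case $path in
        /*) prefix=/ ; rest=${path#/} ;;   # absolute path: traversal starts at /
        *)  prefix=. ; rest=$path     ;;   # relative path: traversal starts at the cwd
    esac
    if [ ! -x "$prefix" ]; then
        printf '%s\n' "$prefix"
        return 1
    fi
    # Drop the last component; if there is no slash, there are no intermediate directories.
    case $rest in
        */*) dirs=${rest%/*} ;;
        *)   return 0 ;;
    esac
    old_ifs=$IFS
    IFS=/
    set -- $dirs
    IFS=$old_ifs
    for comp in "$@"; do
        [ -z "$comp" ] && continue            # skip empty components produced by "//"
        case $prefix in
            */) prefix=$prefix$comp ;;        # do not double the leading slash
            *)  prefix=$prefix/$comp ;;
        esac
        if [ ! -x "$prefix" ]; then
            printf '%s\n' "$prefix"
            return 1
        fi
    done
    return 0
}

# describe_access PATH
#   Prints "blocked at <dir>" (and returns 1) when some directory on the way is not
#   searchable, otherwise "reachable r=<y|n> w=<y|n> x=<y|n>" for the final entry.
describe_access() {
    blocker=$(first_blocking_dir "$1") || { printf 'blocked at %s\n' "$blocker"; return 1; }
    r=n; w=n; x=n
    [ -r "$1" ] && r=y
    [ -w "$1" ] && w=y
    [ -x "$1" ] && x=y
    printf 'reachable r=%s w=%s x=%s\n' "$r" "$w" "$x"
}

# demo_question_layout
#   Constructed scenario from the question: root is 600, child and file are 777.
#   For an ordinary user the output is "blocked at .../root". Root is the exception:
#   CAP_DAC_OVERRIDE grants search on every directory, so root sees "reachable ...".
demo_question_layout() {
    top=$(mktemp -d)
    mkdir -p "$top/root/child"
    : > "$top/root/child/file"
    chmod 777 "$top/root/child" "$top/root/child/file"
    chmod 600 "$top/root"
    describe_access "$top/root/child/file"
    chmod 700 "$top/root"           # restore search permission so the cleanup can recurse
    rm -rf "$top"
}

if [ "${1-}" = demo ]; then
    demo_question_layout
fi
```

Run it as "sh check_path.sh demo" as a non-root user to see the question answered in practice, or source it and call first_blocking_dir on any path to learn which directory, not which file, is denying access. Because test(1) goes through access(2), the same script also reports directories closed off with setfacl, as in the answer's joe example.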