The precise rule is: you can traverse a directory if and only if you have execute permission on it. So for example to access dir/subdir/file, you need execute permission on dir and dir/subdir, plus the permissions on file for the type of access you want. Getting into corner cases, I'm not sure whether it's universal that you need execute permission on the current directory to access a file through a relative path (you do on Linux).
The way you access a file matters. For example, if you have execute permissions on /foo/bar but not on /foo, but your current directory is /foo/bar, you can access files in /foo/bar through a relative path but not through an absolute path. You can't change to /foo/bar in this scenario; a more privileged process has presumably done cd /foo/bar before going unprivileged. If a file has multiple hard links, the path you use to access it determines your access constraints.
Symbolic links change nothing. The kernel uses the access rights of the calling process to traverse them. For example, if sym is a symbolic link to the directory dir, you need execute permission on dir to access sym/foo. The permissions on the symlink itself may or may not matter depending on the OS and filesystem (some respect them, some ignore them).
Removing execute permission from the root directory effectively restricts a user to a part of the directory tree (which a more privileged process must change into). This requires access control lists to be any use. For example, if / and /home are off-limits to joe (setfacl -m user:joe:0 / /home) and /home/joe is joe's home directory, then joe won't be able to access the rest of the system (including running shell scripts with /bin/sh or dynamically linked binaries that need to access /lib, so you'd need to go deeper for practical use, e.g. setfacl -m user:joe:0 /*; setfacl -d user:joe /bin /lib).
Read permission on a directory gives the right to enumerate the entries. Giving execute permission without giving read permission is occasionally useful: the names of entries serve as passwords to access them. I can't think of any use in giving read or write permission to a directory without execute permission.
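The rule above (execute on every directory passed through, the starting directory included; relative paths skipping the parents of the current directory; symlinks resolved with the caller's rights; execute-without-read letting a known name through while listing is denied) can be checked against a small in-memory model. This is an added example, not code from the answer: the tree, user ids, group ids and modes below are constructed for illustration, nothing is read from the real filesystem, and the model deliberately leaves out the root-user override and ACLs.

```python
"""In-memory model of component-by-component Unix permission checks.

Added example, not from the original answer. All nodes, ids and modes are
constructed here; root's DAC override and ACLs are intentionally not modelled.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # permission bits, same encoding as access(2)


@dataclass
class Node:
    mode: int                        # permission bits only, e.g. 0o755
    uid: int = 0
    gid: int = 0
    is_dir: bool = False
    link_to: Optional[str] = None    # absolute target if this node is a symlink
    children: dict = field(default_factory=dict)


@dataclass
class Process:
    uid: int
    gid: int
    cwd: str                         # absolute directory the process already entered


def class_bits(node: Node, proc: Process) -> int:
    """The rwx triple that applies to proc: owner, else group, else other."""
    if proc.uid == node.uid:
        return (node.mode >> 6) & 7
    if proc.gid == node.gid:
        return (node.mode >> 3) & 7
    return node.mode & 7


def _unchecked(root: Node, abs_path: str) -> Node:
    """Follow a path with no checks: only used for cwd, which the process
    already holds (e.g. a privileged parent did the cd before dropping rights)."""
    node = root
    for name in [p for p in abs_path.split("/") if p]:
        node = node.children[name]
    return node


def _walk(root, proc, start, where, parts, depth=0):
    """Return (node, path, error). Every directory passed through, the starting
    directory included, must grant execute (search) permission to proc."""
    if depth > 8:
        return None, where, "too many levels of symbolic links"
    node = start
    for name in parts:
        if node.link_to is not None:  # symlink: re-resolve its target with proc's rights
            target = [p for p in node.link_to.split("/") if p]
            node, where, err = _walk(root, proc, root, "/", target, depth + 1)
            if err:
                return None, where, err
        if not node.is_dir:
            return None, where, f"{where} is not a directory"
        if not class_bits(node, proc) & X:
            return None, where, f"no execute permission on {where}"
        if name not in node.children:
            return None, where, f"no entry {name!r} in {where}"
        node = node.children[name]
        where = posixpath.join(where, name)
    if node.link_to is not None:      # final component is itself a symlink
        target = [p for p in node.link_to.split("/") if p]
        return _walk(root, proc, root, "/", target, depth + 1)
    return node, where, None


def check(root: Node, proc: Process, path: str, want: int):
    """Can proc open `path` for the access in `want` (R|W|X)? -> (ok, reason)."""
    parts = [p for p in path.split("/") if p]
    if path.startswith("/"):
        node, where, err = _walk(root, proc, root, "/", parts)
    else:
        node, where, err = _walk(root, proc, _unchecked(root, proc.cwd), proc.cwd, parts)
    if err:
        return False, err
    if class_bits(node, proc) & want != want:
        return False, f"permission bits on {where} do not allow the requested access"
    return True, f"ok via {where}"


def build_tree() -> Node:
    """Constructed tree: everything owned by uid 0, queried as uid 1000 (joe)."""
    root = Node(0o755, is_dir=True)
    foo = Node(0o700, is_dir=True)                  # joe cannot traverse /foo
    bar = Node(0o755, is_dir=True)
    bar.children["data"] = Node(0o644)
    foo.children["bar"] = bar
    root.children["foo"] = foo
    drop = Node(0o711, is_dir=True)                 # execute without read: names act as passwords
    drop.children["report"] = Node(0o644)
    root.children["drop"] = drop
    root.children["sym"] = Node(0o777, link_to="/foo/bar")
    return root


if __name__ == "__main__":
    tree = build_tree()
    joe = Process(uid=1000, gid=1000, cwd="/foo/bar")
    print(check(tree, joe, "/foo/bar/data", R))   # absolute path: stopped at /foo
    print(check(tree, joe, "data", R))            # relative path from /foo/bar: allowed
    print(check(tree, joe, "/sym/data", R))       # symlink to /foo/bar: still stopped at /foo
    print(check(tree, joe, "/drop/report", R))    # execute-only directory: the name suffices
    print(check(tree, joe, "/drop", R))           # but listing /drop is denied
```

Running the block prints a denial for /foo/bar/data and for /sym/data (both stop at /foo), an allow for the relative name data, an allow for /drop/report and a denial for reading /drop itself, which is exactly the set of cases the answer walks through.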
Try to run umask in your folder. If it returns anything other than '0022' then this is your problem. In your case it should initially output '0177'. The permission system when creating a directory is basically computed:
default - umask
0777 is the default mode for directories, and 0666 for ordinary files, but there are different umasks, if I understand these things right. Try to execute umask a=rx,u+w.
EDIT: You can use umask to give the execute bit to a directory to be able to cd into it, but not to files. These have to be given the execute bit manually because of security. Simply add chmod +x <file> to your script. And, the execute flag set on a file that is anything other than an executable has no effect.
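To make the "default minus umask" arithmetic and the symbolic form concrete, here is an added example (not code from the answer) that derives the creation mode of a new directory and of a new file from a umask, and parses a symbolic umask such as a=rx,u+w the way the shell does: symbolic clauses describe the permissions to allow, so the parser works on the allowed set and converts back to a mask at the end. The umask values used are constructed for illustration.

```python
"""How a umask becomes the mode of a newly created directory or file.

Added example, not from the original answer. The mask values below are
constructed; the symbolic parsing follows the shell's rule that a symbolic
umask names the permissions to allow, not the bits to remove.
"""
DIR_DEFAULT, FILE_DEFAULT = 0o777, 0o666   # what mkdir(2)/open(2) ask for by default
WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def creation_modes(mask: int):
    """Return (directory_mode, file_mode) for a process running with `mask`."""
    return DIR_DEFAULT & ~mask & 0o777, FILE_DEFAULT & ~mask & 0o777


def parse_umask_output(text: str) -> int:
    """Turn the string printed by `umask` (e.g. '0177') into an int."""
    return int(text.strip(), 8)


def apply_symbolic(current_mask: int, spec: str) -> int:
    """Apply a symbolic umask like 'a=rx,u+w' to current_mask; return the new mask."""
    allowed = ~current_mask & 0o777          # symbolic form edits the allowed bits
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in WHO:
            i += 1
        who_mask = 0
        for c in (clause[:i] or "a"):        # no who-letters means all, like chmod
            who_mask |= WHO[c]
        if i >= len(clause) or clause[i] not in "=+-":
            raise ValueError(f"bad clause {clause!r}")
        op = clause[i]
        perm_mask = 0
        for c in clause[i + 1:]:
            if c not in PERM:
                raise ValueError(f"unknown permission {c!r} in {clause!r}")
            perm_mask |= PERM[c]
        bits = who_mask & perm_mask
        if op == "=":
            allowed = (allowed & ~who_mask) | bits
        elif op == "+":
            allowed |= bits
        else:
            allowed &= ~bits
    return ~allowed & 0o777


def explain(mask: int) -> dict:
    """Summarise what a process with this mask will create."""
    dir_mode, file_mode = creation_modes(mask)
    return {
        "umask": f"{mask:04o}",
        "new_directory": f"{dir_mode:04o}",
        "new_file": f"{file_mode:04o}",
        "owner_can_cd_into_new_dir": bool(dir_mode & 0o100),
        "new_file_executable": bool(file_mode & 0o111),   # always False: default is 0666
    }


if __name__ == "__main__":
    bad = parse_umask_output("0177")       # the value the answer says the asker sees
    print(explain(bad))                    # directories come out 0600: no cd, no listing
    fixed = apply_symbolic(bad, "a=rx,u+w")
    print(explain(fixed))                  # mask 0022: directories 0755, files 0644
    print(explain(0o000))                  # even an empty mask never makes files executable
```

The last line is the point of the answer's EDIT: because the file default is 0666, no umask can yield an executable file, so scripts still need an explicit chmod +x after creation.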
Best Answer
You can't access/enter a directory (or create files) with permissions set to 600 as a regular user. You are also not able to access/list (well, sort of) files at all with said folder permissions.