Understanding File Permissions

Although the same letters are used to denote permissions for regular files and for directories, they have slightly different meanings.

Attribute	File	Directory
r	read	read
w	write	create/remove
x	execute	search

For regular files, r means that the file can be displayed by cat, w means that it can be changed by an editor, and x means that is can be executed as a program.

For example:

-rwxr-xr-x   1 reid            0 Jan 11 22:26 allexec*
-rw-r--r--   1 reid            0 Jan 11 22:23 allread
-rw-------   1 reid            0 Jan 11 22:23 ownerread
-r--r--r--   1 reid            0 Jan 11 22:23 readonly

• Everyone can read allread and readonly.
• Everyone can execute allexec.
• Only the owner of ownerread can read and write it.
• If the owner of readonly tries to edit it the editor will not allow the owner to save the changes.
• If anyone tries to execute allread (or ownerread, or readonly) they will get the message "Permission denied."

A directory is a file that stores a list of filenames along with the inode number of the file. (The inode is a data structure that stores data about a file and pointers to disk blocks that hold the file's data.)

Read permission for a directory means that ls can read the list of filenames stored in that directory. If you remove read permission from a directory, ls won't work.

For example:

% ls -ld testdir
d-wx--x--x   2 reid          512 Jan 11 22:41 testdir/
% ls -l testdir
testdir unreadable
% cat testdir/hidefile
I can still read this file

Note that it is still possible to read and write files inside testdir even though we cannot list its contents.

Write permission for a directory means that you can create and remove files from that directory. You should never allow write permission for others on any of your directories. If you did, any other user could remove all of your files from such a directory.

% ls -l
-rw-r--r--   1 reid            0 Jan 11 22:23 allread
dr-xr-xr-x   2 reid          512 Jan 11 22:42 testdir/
% cp allread testdir
cp: cannot create testdir/allread: Permission denied

When write permission is removed from testdir, I can no longer copy a file into testdir.

Execute permission for a directory means that you can "pass through" the directory in searching for subdirectories. You need to have executable permissions for every directory on a path to run a command on that path or to used that path as an argument for another command.

For example, when I remove execute permission from testdir I can no longer really do anything with files and directories under testdir

% ls -l testdir/
total 2
-rw-r--r--   1 reid           28 Jan 11 22:42 hidefile
drwxr-xr-x   2 reid          512 Jan 11 23:02 subdir/
% ls -l testdir/subdir
total 1
-rwxr--r--   1 reid          136 Jan 11 23:02 var.sh*
% chmod a-x testdir
% ls -ld testdir
drw-r--r--   3 reid          512 Jan 11 23:02 testdir/
% testdir/subdir/var.sh
testdir/subdir/var.sh: Permission denied.
% cd testdir
testdir: Permission denied.
% ls testdir/subdir
ls: testdir/subdir: Permission denied
% cat testdir/hidefile
cat: cannot open testdir/hidefile