Wednesday 10 March 2010

Directory permissions in Unix

There are umpteen pages in the net about permissions in Unix. This is not yet another one of them.

Even after reading many of those umpteen pages, I couldn't remember what the permissions meant on directories. This is because the names of the permissions are directly related to file operations, and their interpretation for directories is not very straightforward. Even Wikipedia says 'The effect of setting the permissions on a directory (rather than a file) is "one of the most frequently misunderstood file permission issues" (Hatch 2003).'.

So here I'll try to explain them in a way we can remember.
You should already know this, but: Unix permissions are of three kinds - read, write, execute. On files, these have obvious meanings - whether you can read the contents of the file, whether you can write to the file, and whether you can execute the file (for example, if it was a script).

Directories too have these permissions. What does 'read' permission on a directory mean? This is the easiest to answer and remember, provided you start thinking of directories as simply special files that have lists of filenames within them. What does being able to 'read' such a file mean? It means you can get the list of files under the directory. That is, you just have been provided with permissions to see what all files are present under that directory. Note that this permission only means that you can get the names of the files - reading the files themselves depends on other things. Think of it like this: you somehow get hold of a list of room numbers and names of girls staying in a ladies hostel - this would be the read permission on the directory. But that does not mean you can go and meet any of them, since (a) they might not be willing to meet you - you might not have read permissions on the files, or (b) the security at the hostel might not allow you - you might not have execute permission on the directory (this is explained below).
That's directory read permissions for you.
Next is the 'write' permission on a directory. Let's continue thinking of directories as special files with list of filenames stored. Then, what would it mean to have write permissions on such a special file? It would mean you could modify the entries in the list, delete entries and add new entries to it. So, a write permission on a directory means you can modify the names of the files in it, delete files from it or create new files in it.
Note that with a write permission on a directory, you can change the name of a file under it, but cannot change the contents of the file (unless you have write permissions on the file too). Of the three kinds of permissions, write permissions are a little special in that they sort of allow some modifications on the files - they allow you to rename the files, or delete them.
A lot of people mistakenly believe that if write permissions on a file are set to off, others cannot delete the file. Now on, hopefully you'll remember that it's the write permissions on the parent directory that matters, not on the file itself.

Ok finally, we've come to the 'execute' permissions on a directory. Huh? What can it mean to 'execute' a directory? Doesn't make any sense!
That's because it isn't meant to - they just had one permission name and one functionality left, so they mapped the two. So, what's the functionality here?
Now imagine the situation at the end of the 'read' permissions paragraph above again, but you don't have the list of room numbers or names with you.You won't have much luck trying to coerce the security into giving you a list of the names of the girls staying there. On the other hand though, if you knew the exact name and room number of a girl, you could tell him those details and ask him to request the girl to come and meet him. Having directory 'execute' permissions alone is like having such a security in front of the directory - if you know the exact path and filename of a file, you can access it, but if you don't, you're out of luck: you can't just peep into the directory and try to find what's there.
Whether the meeting actually happens depends upon the girl's willingness; and whether you can actually read the contents of the file depends upon the file's own read permissions.
When you don't have execute permissions on a directory, it's as if the security was not a helpful person, and instead is a fat old lady who refuses to speak to you, and asks you to simply get out - girls in this hostel are not allowed to meet outsiders(!).

Finally, let's try some combinations to make sure we understood things. What if you have both read and execute permissions on a directory? Well, what if you got hold of a list of room numbers and names of girls, and also had a security in front of the hostel? You could look up any girl, tell the security her room number, and thus try to meet her.
What if you had read permissions on a directory but no execute permissions? Not much luck here, you got hold of a list of room numbers and names of the girls, but it's of no use - the fat old lady (remember, she appears whenever you don't have directory execute permissions) doesn't care about what details you have, so you have only the list to look at and sigh.
What does it mean to have read permissions on a file, but not have read or execute permissions on the directory? This means that even though the girl is willing to meet you, you can't find her room number. Worse, you would be blocked even if you somehow had it - the fat old lady again. One thing to remember is that you have to have permissions on each directory in the path to the file. If the file was at /psgtech/mblock/512/myfile, then you should have permissions on each of the directories psgtech/, mblock/, and 512/. It's as if there was a sequence of securities at each stage to the room.

I hope that explanation helped you understand directory permissions in Unix. Please leave a comment if some part of the explanation isn't clear.

No comments: