HOWTO for UNIX/Linux "permission anomaly"

(C) 2006-2017 T.Birnthaler/H.Gottschalk <howtos(at)ostc.de>
              OSTC Open Source Training and Consulting GmbH
              www.ostc.de

$Id: unix-rights-anomaly-eng-HOWTO.txt,v 1.18 2018/06/20 21:51:32 tsbirn Exp $

This document describes the "permission anomaly" on UNIX/Linux systems: whether
an operation on a file is allowed does not depend on the file's permissions
alone. Some operations are decided by the permissions of the DIRECTORY the file
is located in, others by the permissions of the FILE itself, and the two sets
of permissions control different things.

Table of Contents

1) Introduction
2) Permission needed for certain tasks

1) Introduction   (Toc)

The permission COMBINATION of a file and the directory it is located in
decides which operations on the file are allowed and which are not:

* FILE PERMISSIONS decide about the right to do operations on the
  FILE'S CONTENT (e.g. read, copy, change, call as program)

* DIRECTORY PERMISSIONS decide about the right to do operations on the
  FILE NAMES located in the directory (e.g. create, rename, move, delete)

The simple example of a FILE located in a DIRECTORY is used to illustrate
these rules by showing the operations allowed in 2 different cases (A) + (B):

                     (A)                       (B)
                            +=============+
                     rwx    |  DIRECTORY  |    r-x
                            +======+======+
                                   |
                            ,------+------.
                     r--    |    FILE     |    rw-
                            `-------------'

  +---------------------------+------------+-----------+------------+
  | File operation            | References |    (A)    |    (B)     |
  +---------------------------+------------+-----------+------------+
  | Read/Open        (more)   | Content    |    yes    |    yes     |
  | Copy             (cp)     | Content    |    yes    |     -- (*) |
  | Overwrite/Save   (>)      | Content    |     --    |    yes     |
  | Edit = Change    (vi)     | Content    |     --    |    yes     |
  | (Read + Write)            |            |           |            |
  | Delete content   (>)      | Content    |     --    |    yes     |
  | Print content    (lpr)    | Content    |    yes    |    yes     |
  +---------------------------+------------+-----------+------------+
  | Touch            (touch)  | Name/Inode |    yes    |    yes     |
  | Create hard link (ln)     | Name/Inode |    yes    |     -- (*) |
  | Create soft link (ln -s)  | Name       |    yes    |     -- (*) |
  | Create           (touch)  | Name       |    yes    |     --     |
  | Rename           (mv)     | Name       |    yes    |     --     |
  | Move             (mv)     | Name       |    yes    |     --     |
  | Remove file      (rm)     | Name       |    yes    |     --     |
  +---------------------------+------------+-----------+------------+
  | Execute          (./FILE) | Permissions|     --    |     --     |
  +---------------------------+------------+-----------+------------+
  (*) "yes" if target directory is a different one (with write permission set)

The security-relevant consequence of case (A) is that a read-only file in a
writable directory is NOT protected: its content cannot be written in place,
but the name can be removed and recreated with new content (or a new file
renamed over it). Any tool that saves by replacing the file instead of writing
into it therefore changes the "read-only" content in case (A). Conversely, in
case (B) the content can be changed but the name cannot be removed or renamed.
Protecting a file means protecting its directory as well (on a shared,
writable directory the sticky bit limits removal and renaming to the owner of
the file, the owner of the directory and root).

If a directory is not readable, a file name to be accessed in it has to be
known in advance (as listing the directory content is impossible); this hides
the name but, as the table shows, protects neither name nor content.
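The two cases of the diagram, plus the unreadable-directory case of the previous paragraph, as a runnable probe that lets the kernel answer each question in the table instead of reading the answer off the table. This is an added example and is not part of the original HOWTO; the case labels, probe names and the "replace" probe (remove the name, then recreate it) are this example's own, and it assumes an unprivileged user on a filesystem that enforces UNIX permissions.

```shell
#!/bin/sh
# Added example; not part of the original HOWTO. Builds the cases from the
# diagram in a throwaway directory and probes each operation for real:
#   (A) DIRECTORY rwx, FILE r--
#   (B) DIRECTORY r-x, FILE rw-
#   (C) DIRECTORY --x, FILE r--   (added: the "name must be known" case)
# Assumption: run as an unprivileged user. root bypasses these DAC checks
# and would get "yes" everywhere.

# setup_case LABEL DIRMODE FILEMODE -> prints the path of the prepared dir
setup_case() {
    base=$(mktemp -d) || return 1
    mkdir "$base/$1"
    printf 'original\n' > "$base/$1/FILE"
    chmod "$3" "$base/$1/FILE"   # file mode first: the directory may
    chmod "$2" "$base/$1"        # become unwritable afterwards
    echo "$base/$1"
}

# teardown_case DIR -> make the directory writable again and remove it all
teardown_case() {
    chmod u+rwx "$1" 2>/dev/null
    rm -rf "$(dirname "$1")"
}

# Probes print "yes" or "--" in the table's notation and always exit 0,
# so they are safe under 'set -e'. Each takes the case directory.
probe_list()      { ls "$1" >/dev/null 2>&1 && echo yes || echo --; }
probe_read()      { cat "$1/FILE" >/dev/null 2>&1 && echo yes || echo --; }
probe_overwrite() { (: > "$1/FILE") 2>/dev/null && echo yes || echo --; }
probe_create()    { (: > "$1/NEW") 2>/dev/null && echo yes || echo --; }
probe_rename()    { mv "$1/FILE" "$1/RENAMED" 2>/dev/null && mv "$1/RENAMED" "$1/FILE" && echo yes || echo --; }
# The anomaly itself: remove the name and recreate it with other content.
# This needs w+x on the DIRECTORY only; the FILE's own mode is irrelevant.
probe_replace()   { rm -f "$1/FILE" 2>/dev/null && printf 'replaced\n' > "$1/FILE" 2>/dev/null && echo yes || echo --; }

# run_case A|B|C -> one line of results for that case
run_case() {
    case "$1" in
        A) dir=$(setup_case A 700 400) ;;
        B) dir=$(setup_case B 500 600) ;;
        C) dir=$(setup_case C 100 400) ;;
        *) echo "unknown case: $1" >&2; return 1 ;;
    esac
    # order matters: probe_replace destroys FILE, so it runs last
    res="list=$(probe_list "$dir") read=$(probe_read "$dir")"
    res="$res overwrite=$(probe_overwrite "$dir") create=$(probe_create "$dir")"
    res="$res rename=$(probe_rename "$dir") replace=$(probe_replace "$dir")"
    teardown_case "$dir"
    echo "$res"
}

if [ "$(id -u)" -eq 0 ]; then
    echo "warning: running as root, DAC checks are bypassed" >&2
fi
for c in A B C; do
    echo "($c) $(run_case "$c")"
done
```

Run it as an ordinary user and compare the (A) and (B) lines with the table. The column to watch is "replace": in (A) it is "yes" although "overwrite" is "--", which is exactly the anomaly this HOWTO is about; in (C) only "read" succeeds, because the name is known but the directory grants nothing beyond traversal.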

2) Permission needed for certain tasks   (Toc)

  +------------------------------+----------+-------+-------+-------+
  |                              | Command  | Dir.  | File  | Type  |
  +------------------------------+----------+-------+-------+-------+
  | Change into directory        | cd       | - - x | - - - |       |
  | List directory content       | ls       | r - - | - - - | N     |
  | List file info (inode)       | ls -l    | r - x | - - - | N   M |
  +------------------------------+----------+-------+-------+-------+
  | Touch file (inode)           | touch    | - - x | - - - | N   M |
  | Read/Open file               | more     | - - x | r - - | N C   |
  | Write/Save file (not create) | > FILE   | - - x | - w - | N C M |
  | Edit file (change)           | vi       | - - x | r w - | N C   |
  | Copy file (from directory)   | cp       | - - x | r - - | N C   |
  | Print file (inode)           | lpr      | - - x | r - - | N C   |
  +------------------------------+----------+-------+-------+-------+
  | Copy file (into directory)   | cp       | - w x | r - - | N C M |
  | Create file                  | > FILE   | - w x | - - - | N C M |
  | Rename file                  | mv       | - w x | - - - | N     |
  | Move file                    | mv       | - w x | - - - | N     |
  | Delete file                  | rm       | - w x | - - - | N   M |
  +------------------------------+----------+-------+-------+-------+
  | Execute binary program       | FILE     | - - x | - - x | N C   |
  | Execute shell script (A)     | FILE     | - - x | r - x | N C   |
  | Execute shell script (B)     | sh FILE  | - - x | r - - | N C   |
  | Create hard link to file     | ln       | - w x | - - - | N   M |
  | Create soft link to file     | ln -s    | - w x | - - - | N     |
  | Use soft link to file        |          | - - x | - - - | N     |
  +------------------------------+----------+-------+-------+-------+
  | Change owner                 | chown    |   root only   |     M |
  | Change owner group           | chgrp    |  owner only   |     M |
  | Change permissions           | chmod    |  owner only   |     M |
  | Change attributes (date)     | touch    |  owner only   |     M |
  +------------------------------+----------+---------------+-------+
                                     Type = N)ame C)ontent M)etadata

Notes on the table:

* Creating a hard link needs write and search permission on the TARGET
  directory and, classically, nothing on the file itself. Linux kernels
  since 3.6 with fs.protected_hardlinks=1 (the default on most
  distributions) additionally require that the caller owns the file or has
  read and write permission on it, because a hard link made by another user
  keeps the content alive after the owner removes the original name.

* "Owner only" rows apply to root as well; chgrp by the owner is limited to
  groups the owner belongs to.
