HOWTO for UNIX/Linux "permission anomaly"

(C) 2006-2023 T.Birnthaler/H.Gottschalk <howtos(at)ostc.de>
              OSTC Open Source Training and Consulting GmbH
              www.ostc.de

$Id: unix-rights-anomaly-eng-HOWTO.txt,v 1.19 2019/11/26 19:37:07 tsbirn Exp $

This document describes the "permission anomaly" on UNIX/Linux systems: whether
an operation on a file is allowed depends, for some operations, on the
permissions of the directory the file is located in and, for others, on the
permissions of the file itself.

Table of Contents

1) Introduction
2) Permission needed for certain tasks

1) Introduction   (Toc)

The permission COMBINATION of a FILE and the DIRECTORY it is located in decides
which OPERATIONS are allowed on the file and which ones are not.

* FILE PERMISSIONS decide whether operations on the FILE CONTENT are allowed
  (e.g. read, copy, change, call as program)

* DIRECTORY PERMISSIONS decide whether operations on the FILE NAME (the entry
  in the directory) are allowed (e.g. create, rename, move, delete)

The simple example of a FILE located in a DIRECTORY is used to illustrate
these rules by showing the operations allowed in 2 different cases (A) + (B):

                     (A)                       (B)
                            +=============+
                     rwx    |  DIRECTORY  |    r-x
                            +======+======+
                                   |
                            ,------+------.
                     r--    |    FILE     |    rw-
                            `-------------'

  +-----------------------------------------------------------+-----------+
  |                                                           | NECESSARY |
  +--------------------+---------+------------+-------+-------+-----------+
  | FILE OPERATION     | COMMAND | ACCESSES   |  (A)  |  (B)  | DIR  FILE |
  +--------------------+---------+------------+-------+-------+-----------+
  | Read/Open          | more    | Content    |  yes  |  yes  | --x  r--  |
  | Copy               | cp      | Content    |  yes  | (yes) | --x  r--  |
  | Overwrite/Save     | >       | Content    |   --  |  yes  | --x  -w-  |
  | Edit = Change      | vi      | Content    |   --  |  yes  | --x  rw-  |
  | (Read + Write)     |         |            |       |       |           |
  | Delete content     | >       | Content    |   --  |  yes  | --x  -w-  |
  | Print content      | lpr     | Content    |  yes  |  yes  | --x  r--  |
  +--------------------+---------+------------+-------+-------+-----------+
  | Touch (file there) | touch   | Name/Inode |  yes  |  yes  | --x  ---  |
  | Create hard link   | ln      | Name/Inode |  yes  | (yes) | -wx  ---  |
  | Create soft link   | ln -s   | Name       |  yes  | (yes) | -wx  ---  |
  | Create (file miss) | touch   | Name       |  yes  |   --  | -wx  ---  |
  | Rename             | mv      | Name       |  yes  |   --  | -wx  ---  |
  | Move               | mv      | Name       |  yes  |   --  | -wx  ---  |
  | Remove file        | rm      | Name       |  yes  |   --  | -wx  ---  |
  +--------------------+---------+------------+-------+-------+-----------+
  | Execute            | ./FILE  | Permissions|   --  |   --  | --x  r-x  |
  +--------------------+---------+------------+-------+-------+-----------+
    DIR   = Directory
    FILE  = File
    (yes) = Only if the target directory is a different one (with write permission!)
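The following script (an added example, not part of this HOWTO) sets up cases
(A) and (B) in a scratch directory and reports which of the table's operations
succeed for an ordinary user. File and link names inside it are chosen freely:

```sh
#!/bin/sh
# Added example, not part of the HOWTO: build cases (A) and (B) of the table
# in a scratch directory and report which operations succeed.
# Run as an ordinary user; root bypasses these permission checks entirely.

# try CMD [ARGS...]: run CMD quietly, print "yes" on success, "--" on failure
try() {
    if "$@" >/dev/null 2>&1; then echo yes; else echo --; fi
}

# run_case DIRMODE FILEMODE: create DIRECTORY/FILE with the given octal modes,
# attempt the table's operations (content first, then name operations in an
# order that does not disturb each other), print results on one line.
run_case() {
    top=$(mktemp -d) || return 1
    d="$top/DIRECTORY"
    mkdir "$d" && echo "content" > "$d/FILE"
    chmod "$2" "$d/FILE" && chmod "$1" "$d"

    r_read=$(try cat "$d/FILE")                       # FILE r--, DIR --x
    r_write=$(try sh -c "echo new > '$d/FILE'")       # FILE -w-, DIR --x
    r_create=$(try sh -c "echo new > '$d/NEWFILE'")   # DIR -wx only
    r_link=$(try ln "$d/FILE" "$d/LINK")              # DIR -wx only
    r_rename=$(try mv "$d/FILE" "$d/FILE2")           # DIR -wx only
    r_remove=$(try rm -f "$d/FILE" "$d/FILE2")        # DIR -wx only

    chmod u+rwx "$d" && rm -rf "$top"                 # make cleanup possible
    echo "read=$r_read overwrite=$r_write create=$r_create" \
         "hardlink=$r_link rename=$r_rename remove=$r_remove"
}

# (A): DIRECTORY rwx, FILE r--  -> name operations allowed, content fixed
# (B): DIRECTORY r-x, FILE rw-  -> content changeable, name operations denied
if [ "$(id -u)" -eq 0 ]; then
    echo "run as a non-root user: root ignores these permission bits" >&2
else
    echo "(A) $(run_case 700 400)"
    echo "(B) $(run_case 500 600)"
fi
```

Note that in case (A) the read-only FILE can be renamed and removed although
its content cannot be touched, while in case (B) the writable FILE can be
changed but neither renamed nor removed.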

HINT: If a directory is not readable (permission "r" missing), a FILENAME to be
accessed in it has to be known in advance, as listing the directory content via
"ls" is impossible then!

2) Permission needed for certain tasks   (Toc)

  +------------------------------+----------+-------+-------+-------+
  |                              | COMMAND  | DIR.  | FILE  | REFER |
  +------------------------------+----------+-------+-------+-------+
  | Change into directory        | cd       | - - x | - - - |       |
  | List directory content       | ls       | r - - | - - - | N     |
  | List file info (inode)       | ls -l    | r - x | - - - | N   M |
  +------------------------------+----------+-------+-------+-------+
  | Touch file (inode)           | touch    | - - x | - - - | N   M |
  | Read/Open file               | more     | - - x | r - - | N C   |
  | Write/Save file (not create) | > FILE   | - - x | - w - | N C M |
  | Edit file (change)           | vi       | - - x | r w - | N C   |
  | Copy file (from directory)   | cp       | - - x | r - - | N C   |
  | Print file (inode)           | lpr      | - - x | r - - | N C   |
  +------------------------------+----------+-------+-------+-------+
  | Copy file (into directory)   | cp       | - w x | r - - | N C M |
  | Create file                  | > FILE   | - w x | - - - | N C M |
  | Rename file                  | mv       | - w x | - - - | N     |
  | Move file                    | mv       | - w x | - - - | N     |
  | Delete file                  | rm       | - w x | - - - | N   M |
  +------------------------------+----------+-------+-------+-------+
  | Execute binary program       | FILE     | - - x | - - x | N C   |
  | Execute shell script (A)     | FILE     | - - x | r - x | N C   |
  | Execute shell script (B)     | sh FILE  | - - x | r - - | N C   |
  | Create hard link to file     | ln       | - w x | - - - | N   M |
  | Create soft link to file     | ln -s    | - w - | - - - | N     |
  | Use soft link to file        |          | - - x | - - - | N     |
  +------------------------------+----------+-------+-------+-------+
  | Change owner                 | chown    |   root only   |     M |
  | Change owner group           | chgrp    |  owner only   |     M |
  | Change permissions           | chmod    |  owner only   |     M |
  | Change attributes (date)     | touch    |  owner only   |     M |
  +------------------------------+----------+---------------+-------+
    REFER = What the operation refers to: N)ame, C)ontent, M)etadata