mtilson

Posted on Jul 31, 2020

How to deal with Linux file and directory permission

#linux #security #bash #ubuntu

Linux File Permission Cheat Sheet

Necessary and sufficient knowledge on Linux file and directory permissions
With practical examples
Sourced from GitHub

User permission triads

There are three permission triads (rwx rwx rwx) corresponding to particular group of users
- The 1-st one (rwx --- ---) is for owner user
- The 2-nd one (--- rwx ---) is for group users
- The 3-rd one (--- --- rwx) is for other users
Each permission triad (rwx) corresponds to particular set of operations defined on files and directories
- r is for read operation
- w is for write operation
- x is for execute operation

File permissions

read file permission
- Allows the corresponding user (owner, group, other) to read the file
write file permission
- Allows the corresponding user to modify (create, move, rename, change attributes, delete) the file
execute file permission
- Allows the corresponding user to execute the file
All the above permissions have effect only if execute permission for the corresponding user is set on the directory and all its parent directories
- See Effects of unset execute directory permission on file permissions

File permission examples

Effects of `read` file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 5 Jul 26 21:59 file

user1@ubuntu20lts:~/tmp$ cat file
test

user1@ubuntu20lts:~/tmp$ chmod a-r file
user1@ubuntu20lts:~/tmp$ ls -l file
--w--w---- 1 user1 user1 5 Jul 26 21:59 file

user1@ubuntu20lts:~/tmp$ cat file
cat: file: Permission denied

Effects of `write` file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 5 Jul 26 22:00 file

user1@ubuntu20lts:~/tmp$ chmod a-w file
user1@ubuntu20lts:~/tmp$ ls -l file
-r--r--r-- 1 user1 user1 5 Jul 26 22:00 file

user1@ubuntu20lts:~/tmp$ echo test > file
-bash: file: Permission denied

Effects of `execute` file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user1@ubuntu20lts:~/tmp$ echo "date" >> file
user1@ubuntu20lts:~/tmp$ chmod a+x file
user1@ubuntu20lts:~/tmp$ ls -l file
-rwxrwxr-x 1 user1 user1 24 Jul 26 22:02 file

user1@ubuntu20lts:~/tmp$ ./file
Sun 26 Jul 2020 10:02:35 PM UTC

user1@ubuntu20lts:~/tmp$ chmod a-x file
user1@ubuntu20lts:~/tmp$ ls -l file
-rw-rw-r-- 1 user1 user1 24 Jul 26 22:02 file

user1@ubuntu20lts:~/tmp$ ./file
-bash: ./file: Permission denied

Effects of unset `execute` directory permission on file permissions

`read` file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo test > file
user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ find ./tmp/ -ls
   259893      4 drwxrwxr-x   2 user1    user1        4096 Jul 26 22:03 ./tmp/
   259894      4 -rw-rw-r--   1 user1    user1           5 Jul 26 22:03 ./tmp/file

user1@ubuntu20lts:~$ cat ./tmp/file
test

user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
   259893      4 drw-rw-r--   2 user1    user1        4096 Jul 26 22:03 ./tmp/
find: ‘./tmp/file’: Permission denied

user1@ubuntu20lts:~$ cat ./tmp/file
cat: ./tmp/file: Permission denied

`write` file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ echo test > tmp/file
user1@ubuntu20lts:~$ find ./tmp/ -ls
   258932      4 drwxrwxr-x   2 user1    user1        4096 Jul 26 22:53 ./tmp/
   258941      4 -rw-rw-r--   1 user1    user1           5 Jul 26 22:53 ./tmp/file

user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
   258932      4 drw-rw-r--   2 user1    user1        4096 Jul 26 22:53 ./tmp/
find: ‘./tmp/file’: Permission denied

user1@ubuntu20lts:~$ echo test > tmp/file
-bash: tmp/file: Permission denied

`execute` file permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user1@ubuntu20lts:~/tmp$ echo "date" >> file
user1@ubuntu20lts:~/tmp$ chmod a+x file

user1@ubuntu20lts:~/tmp$ cd ..
user1@ubuntu20lts:~$ find ./tmp/ -ls
   258932      4 drwxrwxr-x   2 user1    user1        4096 Jul 26 23:01 ./tmp/
   258941      4 -rwxrwxr-x   1 user1    user1          24 Jul 26 23:01 ./tmp/file

user1@ubuntu20lts:~$ ./tmp/file
Sun 26 Jul 2020 11:01:41 PM UTC

user1@ubuntu20lts:~$ chmod a-x tmp/
user1@ubuntu20lts:~$ find ./tmp/ -ls
   258932      4 drw-rw-r--   2 user1    user1        4096 Jul 26 23:01 ./tmp/
find: ‘./tmp/file’: Permission denied

user1@ubuntu20lts:~$ ./tmp/file
-bash: ./tmp/file: Permission denied

Directory permissions

read directory permission
- Allows the corresponding user (owner, group, other) to display directory’s files and subdirectories
- Has effect only on the files and subdirectories which are directly beneath the subject directory
  - This means, for example, that if a directory has no read permission, but its subdirectory does have read permission, than it is possible to display the subdirectory’s files and subdirectories
  - See Effects of read directory permission propagate only on files and subdirectories which are directly beneath the subject directory
- Has effect only if execute permission for the corresponding user is also set on the directory and all its parent directories
  - If the execute permission is not set on the directory it is only possible to see the names of files and subdirectories directly beneath the subject directory, any details about these files and subdirectories and their content are not available
  - See Effects of unset execute directory permission on read directory permission
write directory permission
- Allows the corresponding user to modify (create, move, rename, change attributes, delete) files and subdirectories within the directory
- Has effect only on the files and subdirectories which are directly beneath the subject directory
  - This means, for example, that if a directory has write permission, but its subdirectory doesn't have write permission and it is not empty, than it is not possible to delete or move the subdirectory, as in this case there is no write permission on file within the subdirectory
  - See Effects of write directory permission propagate only on files and subdirectories which are directly beneath the subject directory
- Has effect on files and subdirectories of the subject directory independent of the permissions of these files and subdirectories
  - The directory write permission gives the corresponding user the permission to modify files and subdirectories beneath the subject directory independent on the permissions of these files and subdirectories, meaning that even if those files and subdirectories don't have write permissions, they can be modified
  - See Effects of write directory permission do not depend on permissions of files and subdirectories beneath the subject directory
  - This behavior can be changed with help of Sticky bit, see the section Additional flags: SUID, SGID, Sticky bit below
- Has effect only if execute permission for the corresponding user is also set on the directory and all its parent directories
  - If the execute permission is not set on the directory, directory write permission has no effect at all, and it is not depend on directory read permission
  - See Effects of unset execute directory permission on write directory permission
execute directory permission
- Allows the corresponding user to change their current working directory to this directory (via the cd command)
- Has effect as long as this execute permission is set on all parent directories as well
  - See Effects of execute directory permission propagate on all subdirectories of the subject directory
- Affects read and write directory permissions
  - rwx
  - Full access to a directory is provided by combining execute permission with read and write permissions
  - r-x
  - Read only access to a directory is provided by combining execute permission with read permission
    - See Effects of write directory permission
  - -wx
  - Combining execute and write directory permissions (without read permission) leads to weird access mode, where full access to the directory is enabled, but standard way of displaying names of files and directories is not possible
    - See Combining execute and write directory permissions with unset read directory permission
  - rw-, r--
  - Disabling execute permission for a directory with set read permission leads to weird access mode, where only reading names of files and directories directly beneath the subject directory is possible
    - See Effects of unset execute directory permission on read directory permission
  - -w-, ---
  - Disabling execute permission for a directory with unset read permission is the same as providing no access to the directory
    - See Effects of unset execute directory permission on read directory permission and Effects of unset execute directory permission on write directory permission
  - --x
  - Setting execute permission on a directory where read and write permissions are unset leads to weird access mode, where it is possible to change current working directory to subdirectories of the subject directory (if the names of those subdirectories are known preliminarily) and to do any operations except ones related to reading or modifying directory structures themselves (reading names from the directory; creating, moving, renaming, deleting files or subdirectories)
    - See Effects of setting only execute directory permission
Directory permissions short summary

permission triad	access mode	comments
`---`	no access
`r--`	weird mode	only reading file and subdirectory names is possible
`-w-`	no access	the same as `---`
`--x`	weird mode	only changing to subdirectories are possible if their names are known
`rw-`	weird mode	the same as `r--`
`r-x`	read only
`-wx`	weird mode	any operations on files and subdirectories are possible if their names are known
`rwx`	full

Directory permission examples

Effects of `read` directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file

user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 20:59 .
   258308      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 20:59 ./dirA
   258915      4 drwxrwxr-x   2 user1    user1        4096 Jul 24 20:59 ./dirA/dirB
   258916      0 -rw-rw-r--   1 user1    user1           0 Jul 24 20:59 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 20:59 .
   258308      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 20:59 ./dirA
   258915      4 d-wx-wx--x   2 user1    user1        4096 Jul 24 20:59 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 .
   258308      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 ./dirA
   258915      4 drwxrwxr-x   2 user1    user1        4096 Jul 24 21:02 ./dirA/dirB
   258916      0 -rw-rw-r--   1 user1    user1           0 Jul 24 21:02 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA
user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 .
   258308      4 d-wx-wx--x   3 user1    user1        4096 Jul 24 21:02 ./dirA
find: ‘./dirA’: Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+r ./dirA
user1@ubuntu20lts:~/tmp$ find . -ls
   258126      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 .
   258308      4 drwxrwxr-x   3 user1    user1        4096 Jul 24 21:02 ./dirA
   258915      4 drwxrwxr-x   2 user1    user1        4096 Jul 24 21:02 ./dirA/dirB
   258916      0 -rw-rw-r--   1 user1    user1           0 Jul 24 21:02 ./dirA/dirB/file

Effects of `read` directory permission propagate only on files and subdirectories which are directly beneath the subject directory

Directory read permission doesn't propagate to the directory hieracy further than the directory directly beneath the subject directory

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 ./dirA/dirB
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 11:50 ./dirA/dirB/dirC
   258942      4 -rw-rw-r--   1 user1    user1           5 Jul 31 11:50 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:50 ./dirA
   258920      4 d-wx-wx--x   3 user1    user1        4096 Jul 31 11:50 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB
ls: cannot open directory './dirA/dirB': Permission denied

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/dirC
total 12
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ..
-rw-rw-r-- 1 user1 user1    5 Jul 31 11:50 file

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ ls -la
total 12
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:50 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:50 ..
-rw-rw-r-- 1 user1 user1    5 Jul 31 11:50 file

user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cat file
test

Effects of `write` directory permission

We cannot create, move, rename, and delete files and subdirectories in the directory which have no write directory permissions

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 ./dirA
   258973      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:36 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:36 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:35 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ chmod a-w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 11:36 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:36 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:35 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB
rm: cannot remove './dirA/dirB/file': Permission denied
rm: cannot remove './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: cannot move './dirA/dirB/file' to './dirA/dirB/file1': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: cannot move './dirA/dirB/dirC' to './dirA/dirB/dirD': Permission denied

user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied

user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 ./dirA
   258973      4 drwxrwxrwx   3 user1    user1        4096 Jul 27 11:36 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:36 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:35 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:35 .
   258943      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:37 ./dirA

But we can write to files (if file's permission allows this) and change attributes of files and subdirectories in the directory which has no write directory permissions

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA
   258973      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:40 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:40 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ chmod a-w ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA/dirB
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:40 ./dirA/dirB/file
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:40 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ chmod a-rw ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-rwx ./dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 11:40 ./dirA/dirB
   259894      0 ----------   1 user1    user1           0 Jul 27 11:40 ./dirA/dirB/file
   259889      4 d---------   2 user1    user1        4096 Jul 27 11:40 ./dirA/dirB/dirC
find: ‘./dirA/dirB/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+rw ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ echo "test" > ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test

Effects of `write` directory permission propagate only on files and subdirectories which are directly beneath the subject directory

Directory write permission doesn't propagate to the directory hieracy further than the directory directly beneath the subject directory

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 13:13 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 13:13 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 13:13 ./dirA/dirB
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 13:13 ./dirA/dirB/dirC
   259894      0 -rw-rw-r--   1 user1    user1           0 Jul 27 13:13 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC/file ./dirA/dirB/dirC/file1
user1@ubuntu20lts:~/tmp$ chmod o+w ./dirA/dirB/dirC/file1
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC/file1 ./
user1@ubuntu20lts:~/tmp$ mv file1 ./dirA/dirB/dirC/file2
user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/dirC/file3
user1@ubuntu20lts:~/tmp$ rm ./dirA/dirB/dirC/file3
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 13:14 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 13:13 ./dirA
   258973      4 dr-xr-xr-x   3 user1    user1        4096 Jul 27 13:13 ./dirA/dirB
   259889      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 13:14 ./dirA/dirB/dirC
   259894      0 -rw-rw-rw-   1 user1    user1           0 Jul 27 13:13 ./dirA/dirB/dirC/file2

Effects of `write` directory permission do not depend on permissions of files and subdirectories beneath the subject directory

Within the directory with write permission we can modify (rename, change attributes, delete) files and subdirectories which have no write permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 ./dirA
   259889      0 -rw-rw-r--   1 user1    user1           0 Jul 27 11:05 ./dirA/file
   258973      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:05 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ chmod a-w dirA/file dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 ./dirA
   259889      0 -r--r--r--   1 user1    user1           0 Jul 27 11:05 ./dirA/file
   258973      4 dr-xr-xr-x   2 user1    user1        4096 Jul 27 11:05 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ mv dirA/file dirA/file1
user1@ubuntu20lts:~/tmp$ mv dirA/dirB dirA/dirC
user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/file1
user1@ubuntu20lts:~/tmp$ chmod a-rx ./dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:06 ./dirA
   259889      0 ----------   1 user1    user1           0 Jul 27 11:05 ./dirA/file1
   258973      4 d---------   2 user1    user1        4096 Jul 27 11:05 ./dirA/dirC
find: ‘./dirA/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr dirA/file1 dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 11:05 .
   258943      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 11:06 ./dirA

But within the directory with write permission we can only move files but not subdirectories which have no write permission, ⁉️ which looks strange ⁉️

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:34 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:34 ./dirA
   259889      0 -rw-rw-r--   1 user1    user1           0 Jul 27 12:34 ./dirA/file
   258973      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 12:34 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ chmod a-w dirA/file dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:34 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:34 ./dirA
   259889      0 -r--r--r--   1 user1    user1           0 Jul 27 12:34 ./dirA/file
   258973      4 dr-xr-xr-x   2 user1    user1        4096 Jul 27 12:34 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ mv ./dirA/file ./
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB ./
mv: cannot move './dirA/dirB' to './dirB': Permission denied

user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:35 .
   259889      0 -r--r--r--   1 user1    user1           0 Jul 27 12:34 ./file
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:35 ./dirA
   258973      4 dr-xr-xr-x   2 user1    user1        4096 Jul 27 12:34 ./dirA/dirB

user1@ubuntu20lts:~/tmp$ chmod a+w dirA/dirB
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB ./
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   4 user1    user1        4096 Jul 27 12:36 .
   259889      0 -r--r--r--   1 user1    user1           0 Jul 27 12:34 ./file
   258943      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 12:36 ./dirA
   258973      4 drwxrwxrwx   2 user1    user1        4096 Jul 27 12:34 ./dirB

Also within the directory with write permission we cannot delete subdirectories which have no write permission and are not empty, but can rename them and change their attributes

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 ./dirA
   258973      4 dr-xr-xr-x   2 user1    user1        4096 Jul 27 12:51 ./dirA/dirB
   259889      0 -rw-rw-r--   1 user1    user1           0 Jul 27 12:51 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirB
rm: cannot remove 'dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirB/file
rm: cannot remove 'dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ mv dirA/dirB dirA/dirC
user1@ubuntu20lts:~/tmp$ chmod o+t ./dirA/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:52 ./dirA
   258973      4 dr-xr-xr-t   2 user1    user1        4096 Jul 27 12:51 ./dirA/dirC
   259889      0 -rw-rw-r--   1 user1    user1           0 Jul 27 12:51 ./dirA/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a+w dirA/dirC
user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirC/file
user1@ubuntu20lts:~/tmp$ chmod a-w dirA/dirC/
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 .
   258943      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:52 ./dirA
   258973      4 dr-xr-xr-t   2 user1    user1        4096 Jul 27 12:55 ./dirA/dirC

user1@ubuntu20lts:~/tmp$ rm -fr dirA/dirC/
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 27 12:51 .
   258943      4 drwxrwxr-x   2 user1    user1        4096 Jul 27 12:55 ./dirA

Effects of `execute` directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 ./dirA
   258921      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 ./dirA/dirB
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 28 15:19 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC/
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp

user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:19 ./dirA
   258921      4 drw-rw-r--   3 user1    user1        4096 Jul 28 15:19 ./dirA/dirB
find: ‘./dirA/dirB/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
-bash: cd: ./dirA/dirB: Permission denied

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB/dirC
-bash: cd: ./dirA/dirB/dirC: Permission denied

Effects of `execute` directory permission propagate on all subdirectories of the subject directory

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 12:34 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 12:34 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 12:34 ./dirA/dirB
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 12:34 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ cd dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC/
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp

user1@ubuntu20lts:~/tmp$ chmod a-x dirA/dirB

user1@ubuntu20lts:~/tmp$ ls -la dirA/dirB
ls: cannot access 'dirA/dirB/.': Permission denied
ls: cannot access 'dirA/dirB/dirC': Permission denied
ls: cannot access 'dirA/dirB/..': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
d????????? ? ? ? ?            ? dirC

user1@ubuntu20lts:~/tmp$ ls -la dirA/dirB/dirC
ls: cannot access 'dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ cd dirA/dirB
-bash: cd: dirA/dirB: Permission denied

user1@ubuntu20lts:~/tmp$ cd dirA/dirB/dirC
-bash: cd: dirA/dirB/dirC: Permission denied

Effects of unset `execute` directory permission on `read` directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:59 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:59 ./dirA
   258921      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 16:00 ./dirA/dirB
   258942      0 -rw-rw-r--   1 user1    user1           0 Jul 28 16:00 ./dirA/dirB/file
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 28 16:00 ./dirA/dirB/dirC
   258943      0 -rw-rw-r--   1 user1    user1           0 Jul 28 16:00 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:59 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 28 15:59 ./dirA
   258921      4 drw-rw-r--   3 user1    user1        4096 Jul 28 16:00 ./dirA/dirB
find: ‘./dirA/dirB/file’: Permission denied
find: ‘./dirA/dirB/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB
ls: cannot access './dirA/dirB/file': Permission denied
ls: cannot access './dirA/dirB/dirC': Permission denied
total 0
d????????? ? ? ? ?            ? dirC
-????????? ? ? ? ?            ? file

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/dirC
ls: cannot access './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
ls: cannot access './dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
cat: ./dirA/dirB/file: Permission denied

Effects of unset `execute` directory permission on `write` directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/file dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 ./dirA/dirB
   258922      0 -rw-rw-r--   1 user1    user1           0 Jul 31 06:11 ./dirA/dirB/file
   258921      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 06:11 ./dirA/dirB/dirC
   258924      0 -rw-rw-r--   1 user1    user1           0 Jul 31 06:11 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a-x ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 06:11 ./dirA
   258920      4 drw-rw-r--   3 user1    user1        4096 Jul 31 06:11 ./dirA/dirB
find: ‘./dirA/dirB/file’: Permission denied
find: ‘./dirA/dirB/dirC’: Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied

user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: failed to access './dirA/dirB/file1': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: failed to access './dirA/dirB/dirD': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./
mv: cannot stat './dirA/dirB/file': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./
mv: cannot stat './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ chmod a+x ./dirA/dirB/file
chmod: cannot access './dirA/dirB/file': Permission denied

Combining `execute` and `write` directory permissions with unset `read` directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ touch dirA/dirB/dirC/file
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 ./dirA/dirB
   258943      4 -rw-rw-r--   1 user1    user1           5 Jul 31 11:39 ./dirA/dirB/file
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 11:39 ./dirA/dirB/dirC
   258942      0 -rw-rw-r--   1 user1    user1           0 Jul 31 11:39 ./dirA/dirB/dirC/file

user1@ubuntu20lts:~/tmp$ chmod a-r ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 11:39 ./dirA
   258920      4 d-wx-wx--x   3 user1    user1        4096 Jul 31 11:39 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/file
-rw-rw-r-- 1 user1 user1 5 Jul 31 11:39 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB/dirC
total 8
drwxrwxr-x 2 user1 user1 4096 Jul 31 11:39 .
d-wx-wx--x 3 user1 user1 4096 Jul 31 11:39 ..
-rw-rw-r-- 1 user1 user1    0 Jul 31 11:39 file

user1@ubuntu20lts:~/tmp$ cd ./dirA/dirB
user1@ubuntu20lts:~/tmp/dirA/dirB$ find . -ls
   258920      4 d-wx-wx--x   3 user1    user1        4096 Jul 31 11:39 .
find: ‘.’: Permission denied

user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la .
ls: cannot open directory '.': Permission denied

user1@ubuntu20lts:~/tmp/dirA/dirB$ mkdir dirD
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv dirD dirE
user1@ubuntu20lts:~/tmp/dirA/dirB$ rm -fr dirE

user1@ubuntu20lts:~/tmp/dirA/dirB$ touch file1
user1@ubuntu20lts:~/tmp/dirA/dirB$ mv file1 file2
user1@ubuntu20lts:~/tmp/dirA/dirB$ rm -fr file2

user1@ubuntu20lts:~/tmp/dirA/dirB$ mv dirC ../

user1@ubuntu20lts:~/tmp/dirA/dirB$ chmod a+x file
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la file
-rwxrwxr-x 1 user1 user1 5 Jul 31 11:39 file

Effects of setting only `execute` directory permission

user1@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user1@ubuntu20lts:~/tmp$ mkdir -p dirA/dirB/dirC
user1@ubuntu20lts:~/tmp$ echo test > dirA/dirB/file
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 ./dirA
   258920      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 ./dirA/dirB
   258942      4 -rw-rw-r--   1 user1    user1           5 Jul 31 13:48 ./dirA/dirB/file
   258924      4 drwxrwxr-x   2 user1    user1        4096 Jul 31 13:48 ./dirA/dirB/dirC

user1@ubuntu20lts:~/tmp$ chmod a-wr ./dirA/dirB
user1@ubuntu20lts:~/tmp$ find . -ls
   258312      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 .
   258916      4 drwxrwxr-x   3 user1    user1        4096 Jul 31 13:48 ./dirA
   258920      4 d--x--x--x   3 user1    user1        4096 Jul 31 13:48 ./dirA/dirB
find: ‘./dirA/dirB’: Permission denied

user1@ubuntu20lts:~/tmp$ ls -la ./dirA/dirB
ls: cannot open directory './dirA/dirB': Permission denied

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
-rw-rw-r-- 1 user1 user1 5 Jul 31 13:48 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/dirC
total 0

user1@ubuntu20lts:~/tmp$ cd dirA/dirB/
user1@ubuntu20lts:~/tmp/dirA/dirB$ ls -la
ls: cannot open directory '.': Permission denied

user1@ubuntu20lts:~/tmp/dirA/dirB$ find . -ls
   258920      4 d--x--x--x   3 user1    user1        4096 Jul 31 13:48 .
find: ‘.’: Permission denied

user1@ubuntu20lts:~/tmp/dirA/dirB$ cd dirC
user1@ubuntu20lts:~/tmp/dirA/dirB/dirC$ cd ~/tmp

user1@ubuntu20lts:~/tmp$ cat ./dirA/dirB/file
test

user1@ubuntu20lts:~/tmp$ echo "date" > ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ chmod a+x ./dirA/dirB/file
user1@ubuntu20lts:~/tmp$ ls -l ./dirA/dirB/file
-rwxrwxr-x 1 user1 user1 5 Jul 31 13:49 ./dirA/dirB/file

user1@ubuntu20lts:~/tmp$ ./dirA/dirB/file
Fri 31 Jul 2020 01:49:55 PM UTC

user1@ubuntu20lts:~/tmp$ touch ./dirA/dirB/file1
touch: cannot touch './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mkdir ./dirA/dirB/dirD
mkdir: cannot create directory ‘./dirA/dirB/dirD’: Permission denied

user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/file
rm: cannot remove './dirA/dirB/file': Permission denied
user1@ubuntu20lts:~/tmp$ rm -fr ./dirA/dirB/dirC
rm: cannot remove './dirA/dirB/dirC': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./dirA/dirB/file1
mv: cannot move './dirA/dirB/file' to './dirA/dirB/file1': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./dirA/dirB/dirD
mv: cannot move './dirA/dirB/dirC' to './dirA/dirB/dirD': Permission denied

user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/file ./
mv: cannot move './dirA/dirB/file' to './file': Permission denied
user1@ubuntu20lts:~/tmp$ mv ./dirA/dirB/dirC ./
mv: cannot move './dirA/dirB/dirC' to './dirC': Permission denied

Additional flags: `SUID`, `SGID`, `Sticky bit`

SUID (Set User ID) flag — works only on files
- On fies
  - A process executing a file keeps its effective UID (User ID) the same as UID of the user running the executable
  - If the executable file has the SUID flag set, the process sets its effective UID equals to the file's owner
  - Due to security reason SUID flag only works on Linux ELF executables, meaning it does nothing on a Bash or Python scripts files
  - Examples of well-known Linux system executables with SUID flag set
  - /usr/bin/passwd
    - SUID flag set because the passwords are stored in the /etc/shadow file, which has no permission on group or other user level
  - /usr/bin/mount
    - SUID flag set because only the root can mount filesystems, but when /etc/fstab contains the user option, anybody can mount the corresponding filesystem
SGID (Set Group ID) flag — works both on files and directories
- On files
  - A process executing a file keeps its effective GID (Group ID) the same as GID of the user running the executable
  - If the executable file has the SGID flag set, the process sets its effective GID equals to the file's group
  - Due to security reason SGID flag works only on Linux ELF executables, meaning it does nothing on a Bash or Python scripts files
  - Examples of well-known Linux system executables with SGID flag set
  - /usr/bin/ssh-agent
    - SGID flag set to prevent ptrace(2) attacks retrieving private key material
  - /usr/bin/crontab
    - SGID flag set to provide the following restrictions (together with crontab binary owned by crontab group, and crontab spool directory owned by crontab group and Sticky bit set on it)
    - limiting access to crontab spool directory (/var/spool/cron/crontabs)
    - limiting edit or read access to users' crontab files (/var/spool/cron/crontabs/<username>) only via crontab binary
- On directories
  - When a file is created by a process, its GID (Group ID) can be either the GID of the creator process or the GID of the parent directory, depending on the value of the SGID flag of the parent directory
  - This behavior is applied only to SGID flag, but not to SUID flag, SUID flag doesn't have such a behavior
  - SGID on directories is used for creating collaborative directories where some users work together on some project and belong to the same group and should be able to see each other's files providing read file permission on that group level
Sticky bit — currently works only on directories (using it on files is deprecated)
- ~~On files~~
  - This approach has become obsolete and is deprecated now, sharing of code pages is used
  - ~~Running an executable file with the Sticky bit set requests the kernel to keep the program in memory after its execution terminates~~
- On directories
  - With the Sticky bit set on a directory, only the file's owner, the directory's owner, or root user can modify (for example delete or rename) the files and subdirectories in the directory
  - Without the Sticky bit set on a directory, any user with write and execute permissions for the directory can modify contained files and subdirectories in the directory, regardless of the their owners
  - If a user wants to create files and subdirectories in some directory, he/she needs write and exectute permissions on that directory
  - These write and exectute permissions on the directory gives the user the privilege to create files and subdirectories as well as the privilege to modify them
  - At the same time the user can modify any files or subdirectories in this directory, the permissions of those files and subdirectories do not have any effect on modification
  - With Sticky bit set on a directory, anyone can create files in the directory, but can modify his/her own files only - files owned by other users cannot be modified
  - Examples of well-known Linux system directories with SGID flag set
  - /tmp
    - The Sticky bit is used for /tmp directory because it has to have all the rights on all the user's permission triads allowing all the users to create/delete their temporary files there
  - /var/spool/cron/crontabs
    - For details why the Sticky bit is used here, see the explanation of SGID flag set on /usr/bin/crontab above

`SUID`, `SGID`, and `Sticky bit` examples

Effects of `SUID` flag

user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ cp $(which id) ./
user3@ubuntu20lts:~/tmp$ sudo chown user1 ./id
user3@ubuntu20lts:~/tmp$ sudo chmod u+s ./id
user3@ubuntu20lts:~/tmp$ ls -l ./id
-rwsr-xr-x 1 user1 user3 47480 Jul 26 11:07 ./id

user3@ubuntu20lts:~/tmp$ id
uid=2003(user3) gid=2003(user3) groups=2003(user3)

user3@ubuntu20lts:~/tmp$ ./id
uid=2003(user3) gid=2003(user3) euid=2001(user1) groups=2003(user3)

Effects of `SGID` flag on files

user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ cp $(which id) ./
user3@ubuntu20lts:~/tmp$ sudo chgrp user2 ./id
user3@ubuntu20lts:~/tmp$ sudo chmod g+s ./id
user3@ubuntu20lts:~/tmp$ ls -l ./id
-rwxr-sr-x 1 user3 user2 47480 Jul 26 11:13 ./id

user3@ubuntu20lts:~/tmp$ id
uid=2003(user3) gid=2003(user3) groups=2003(user3)

user3@ubuntu20lts:~/tmp$ ./id
uid=2003(user3) gid=2003(user3) egid=2002(user2) groups=2002(user2),2003(user3)

Effects of `SGID` flag on directories

If SGID flag is not set the created file get its GID from the creator process

user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file

user3@ubuntu20lts:~/tmp$ sudo chgrp user1 ./
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwxr-x   2 user3    user1        4096 Jul 27 06:25 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:25 ./file

user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwxr-x   2 user3    user1        4096 Jul 27 06:26 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:25 ./file
   258941      0 -rw-rw-r--   1 user3    user3           0 Jul 27 06:26 ./test

If SGID flag is set the created file get its GID from the parent directory

user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file

user3@ubuntu20lts:~/tmp$ chmod g+s ./
user3@ubuntu20lts:~/tmp$ sudo chgrp user1 ./
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwsr-x   2 user3    user1        4096 Jul 27 06:27 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:27 ./file

user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwsr-x   2 user3    user1        4096 Jul 27 06:27 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:27 ./file
   258941      0 -rw-rw-r--   1 user3    user1           0 Jul 27 06:27 ./test

No effects of `SUID` flag on directories

Even if SUID flag is set, it has no effect on a directory

user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ echo "#/usr/bin/env bash" > file
user3@ubuntu20lts:~/tmp$ echo "touch test" >> file
user3@ubuntu20lts:~/tmp$ chmod a+x file

user3@ubuntu20lts:~/tmp$ chmod u+s ./
user3@ubuntu20lts:~/tmp$ sudo chown user2 ./
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwsrwxr-x   2 user2    user3        4096 Jul 27 06:29 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:30 ./file

user3@ubuntu20lts:~/tmp$ ./file
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwsrwxr-x   2 user2    user3        4096 Jul 27 06:30 .
   258938      4 -rwxrwxr-x   1 user3    user3          30 Jul 27 06:30 ./file
   258941      0 -rw-rw-r--   1 user3    user3           0 Jul 27 06:30 ./test

Effects of `Sticky bit`

If the Sticky bit is not set it allows user1 to delete files of user3

user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ chmod a+rwx ./
user3@ubuntu20lts:~/tmp$ touch user3-file
user3@ubuntu20lts:~/tmp$ mkdir user3-dir
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwxrwx   3 user3    user3        4096 Jul 27 07:08 .
   258941      4 drwxrwxr-x   2 user3    user3        4096 Jul 27 07:08 ./user3-dir
   258938      0 -rw-rw-r--   1 user3    user3           0 Jul 27 07:07 ./user3-file

user3@ubuntu20lts:~/tmp$ pwd
/home/user3/tmp

user3@ubuntu20lts:~/tmp$ sudo -i -u user1
user1@ubuntu20lts:~$ cd /home/user3/tmp

user1@ubuntu20lts:/home/user3/tmp$ find . -ls
   258932      4 drwxrwxrwx   3 user3    user3        4096 Jul 27 07:08 .
   258941      4 drwxrwxr-x   2 user3    user3        4096 Jul 27 07:08 ./user3-dir
   258938      0 -rw-rw-r--   1 user3    user3           0 Jul 27 07:07 ./user3-file

user1@ubuntu20lts:/home/user3/tmp$ rm -fr user3*
user1@ubuntu20lts:/home/user3/tmp$ find . -ls
   258932      4 drwxrwxrwx   2 user3    user3        4096 Jul 27 07:09 .

user1@ubuntu20lts:/home/user3/tmp$ logout
user3@ubuntu20lts:~/tmp$ find . -ls
   258932      4 drwxrwxrwx   2 user3    user3        4096 Jul 27 07:09 .

If the Sticky bit is set it doesn't allow user1 to delete files of user3

user3@ubuntu20lts:~$ cd $HOME && rm -fr tmp && mkdir tmp && cd tmp

user3@ubuntu20lts:~/tmp$ chmod a+rwx ./
user3@ubuntu20lts:~/tmp$ chmod o+t ./
user3@ubuntu20lts:~/tmp$ touch user3-file
user3@ubuntu20lts:~/tmp$ mkdir user3-dir
user3@ubuntu20lts:~/tmp$ find . -ls
   258917      4 drwxrwxrwt   3 user3    user3        4096 Jul 27 07:42 .
   258932      4 drwxrwxr-x   2 user3    user3        4096 Jul 27 07:42 ./user3-dir
   258918      0 -rw-rw-r--   1 user3    user3           0 Jul 27 07:42 ./user3-file

user3@ubuntu20lts:~/tmp$ pwd
/home/user3/tmp

user3@ubuntu20lts:~/tmp$ sudo -i -u user1
user1@ubuntu20lts:~$ cd /home/user3/tmp

user1@ubuntu20lts:/home/user3/tmp$ find . -ls
   258917      4 drwxrwxrwt   3 user3    user3        4096 Jul 27 07:42 .
   258932      4 drwxrwxr-x   2 user3    user3        4096 Jul 27 07:42 ./user3-dir
   258918      0 -rw-rw-r--   1 user3    user3           0 Jul 27 07:42 ./user3-file

user1@ubuntu20lts:/home/user3/tmp$ rm -fr ./user3-file
rm: cannot remove './user3-file': Operation not permitted

user1@ubuntu20lts:/home/user3/tmp$ rm -fr ./user3-dir
rm: cannot remove './user3-dir': Operation not permitted

DEV Community

How to deal with Linux file and directory permission

Linux File Permission Cheat Sheet

User permission triads

File permissions

File permission examples

Effects of `read` file permission

Effects of `write` file permission

Effects of `execute` file permission

Effects of unset `execute` directory permission on file permissions

`read` file permission

`write` file permission

`execute` file permission

Directory permissions

Directory permission examples

Effects of `read` directory permission

Effects of `read` directory permission propagate only on files and subdirectories which are directly beneath the subject directory

Effects of `write` directory permission

Effects of `write` directory permission propagate only on files and subdirectories which are directly beneath the subject directory

Effects of `write` directory permission do not depend on permissions of files and subdirectories beneath the subject directory

Effects of `execute` directory permission

Effects of `execute` directory permission propagate on all subdirectories of the subject directory

Effects of unset `execute` directory permission on `read` directory permission

Effects of unset `execute` directory permission on `write` directory permission

Combining `execute` and `write` directory permissions with unset `read` directory permission

Effects of setting only `execute` directory permission

Additional flags: `SUID`, `SGID`, `Sticky bit`

`SUID`, `SGID`, and `Sticky bit` examples

Effects of `SUID` flag

Effects of `SGID` flag on files

Effects of `SGID` flag on directories

No effects of `SUID` flag on directories

Effects of `Sticky bit`

Top comments (0)

Read next

Amazon Inspector Explained: Boosting Cloud Security for Your AWS Workloads

Programmable tab completion with bash

Unlock Ultimate Security: How to Use YubiKey (or Any Security Key) for Passwordless Access in Azure Virtual Machines!

Introducing the AWS CDK L2 Construct: Simplified Security for Amazon CloudFront with Origin Access Control (OAC)

Linux File Permission Cheat Sheet

User permission triads

File permissions

File permission examples

Effects of read file permission

Effects of write file permission

Effects of execute file permission

Effects of unset execute directory permission on file permissions

read file permission

write file permission

execute file permission

Directory permissions

Directory permission examples

Effects of read directory permission

Effects of read directory permission propagate only on files and subdirectories which are directly beneath the subject directory

Effects of write directory permission

Effects of write directory permission propagate only on files and subdirectories which are directly beneath the subject directory

Effects of write directory permission do not depend on permissions of files and subdirectories beneath the subject directory

Effects of execute directory permission

Effects of execute directory permission propagate on all subdirectories of the subject directory

Effects of unset execute directory permission on read directory permission

Effects of unset execute directory permission on write directory permission

Combining execute and write directory permissions with unset read directory permission

Effects of setting only execute directory permission

Additional flags: SUID, SGID, Sticky bit

SUID, SGID, and Sticky bit examples

Effects of SUID flag

Effects of SGID flag on files

Effects of SGID flag on directories

No effects of SUID flag on directories

Effects of Sticky bit

Read next

Amazon Inspector Explained: Boosting Cloud Security for Your AWS Workloads

Programmable tab completion with bash

Unlock Ultimate Security: How to Use YubiKey (or Any Security Key) for Passwordless Access in Azure Virtual Machines!

Introducing the AWS CDK L2 Construct: Simplified Security for Amazon CloudFront with Origin Access Control (OAC)

Effects of `read` file permission

Effects of `write` file permission

Effects of `execute` file permission

Effects of unset `execute` directory permission on file permissions

`read` file permission

`write` file permission

`execute` file permission

Effects of `read` directory permission

Effects of `read` directory permission propagate only on files and subdirectories which are directly beneath the subject directory

Effects of `write` directory permission

Effects of `write` directory permission propagate only on files and subdirectories which are directly beneath the subject directory

Effects of `write` directory permission do not depend on permissions of files and subdirectories beneath the subject directory

Effects of `execute` directory permission

Effects of `execute` directory permission propagate on all subdirectories of the subject directory

Effects of unset `execute` directory permission on `read` directory permission

Effects of unset `execute` directory permission on `write` directory permission

Combining `execute` and `write` directory permissions with unset `read` directory permission

Effects of setting only `execute` directory permission

Additional flags: `SUID`, `SGID`, `Sticky bit`

`SUID`, `SGID`, and `Sticky bit` examples

Effects of `SUID` flag

Effects of `SGID` flag on files

Effects of `SGID` flag on directories

No effects of `SUID` flag on directories

Effects of `Sticky bit`