File Permissions: Web Server Secrets, Part 3

This does not come anywhere close to being a complete explanation of Unix/Linux file permissions. We are only covering the basics you need to deal with your server!

Directory and rwx Permissions

Unix/Linux file permissions are Read, Write, and Execute, abbreviated r, w, and x. The lack of a certain type of permission is shown with a dash. So, rwx means read, write and execute permission, and rw- means read and write permission but not execute.

“Directory” means the same thing as “folder.” However, with Unix and Linux they’re always called directories. How do you know if it’s a directory or an ordinary file? On the file listing, there will be a d in the left margin just before the file permissions list. In the below example, I highlighted the directlry lines. The first three items are directories, and the last item is a directory. A dash means it’s a plain file. Anything other than d or means your ftp program might get confused.

drwxr-xr-x 4 genealogist users 4096 Mar 30 19:24 .
drwx------ 5 genealogist users 4096 Mar 30 19:20 ..
drwx--x--x 2 genealogist users 4096 Mar 30 19:23 cgi-bin
-rw-r--r-- 1 genealogist users    8 Mar 30 19:21 .htaccess
-rw-r--r-- 1 genealogist users  747 Mar 30 19:21 index.html
-rw-r--r-- 1 genealogist users   32 Mar 30 19:23 main.html
drwxrwxrwx 2 genealogist users 4096 Mar 30 19:24 members

Unix and Linux directory permissions look the same as file permissions, but they are not the same! Directories have r, w, and x permission just like files… but r, w, and x don’t mean the same thing! Unfortunately, this means we need to look at r, w, and x one item at a time.

File Read Permission

What does file read permission mean? Just what you think it should. It means that if you know where the file is, you have permission to read it. What does directory read permission mean? Again, pretty much what you would expect. It means you’re allowed to scan the directory, to find out what files it contains, and anything else known about each file – when it was created, how big it is, what its permissions are, and so on. So far, so good.

File Write and Directory Write Permission

What does file write permission mean? It means you can edit the file; it means you can append to the file; it means you can truncate the file. It does not mean that you can delete the file! Can you see why? To delete the file is to remove its directory entry. The delete operation requires directory permission, not file permission. It’s the same with renaming a file… renaming or moving a file requires write permission for the directories involved. Unix and Linux don’t care if you can even read the file, so long as you have the right directory permission.

Why do you care? When you begin working with PHP Web pages or CGI scripts, the above becomes horrifically significant. But we’ll explain that in a bit.

I pretty much just explained what directory write permission means. If you do not have directory write permission, you can not create a file in that directory. Even if you can edit the file, you still can’t delete it!

File Execute and Directory Execute Permission

What does file execute permission mean? It means that – in theory – the file can be treated as a self-contained Unix or Linux program. It might be a “real” program like ls or cp, or it might be a text file such as a PHP or Perl program. Without the necessary x permission, Unix and Linux will refuse to recognize it. In the case of a Perl CGI script, you’ll see a Web page 500 error.

Directory execute permission, however, means something entirely different. You don’t “execute” a directory. That is, you don’t attempt to run it as a computer program. What else can you do with a directory? We already have scanning and updating the directory covered – that’s directory read and write permission. What’s left?

If you want to scan a directory to see what’s there, that’s directory read permission. But what if you already know what you need? You want main.html; you don’t need to go looking for it. You just want it. If that directory has execute permission, you can have it. If it doesn’t, you can’t. Read permission allows you to look around and be nosy; execute permission allows you to have the file you need.

Why in the world do you care about the difference? Because of how your server admin set up your server. I’ll explain, but there’s one more thing we need to cover first.