22

I was reading up on chmod and its octal modes. I saw that 1 is execute only. What is a valid use case for an execute only permission? To execute a file, one typically would want read and execute permission.

$ echo 'echo foo' > say_foo
$ chmod 100 ./say_foo
$ ./say_foo
bash: ./say_foo: Permission denied
$ chmod 500 ./say_foo
$ ./say_foo
foo
devoutsalsa

4 Answers

44

Shell scripts require the read permission to be executed, but binary files do not:

$ cat hello.cpp
#include<iostream>

int main() {
    std::cout << "Hello, world!" << std::endl;
    return 0;
}
$ g++ -o hello hello.cpp
$ chmod 100 hello
$ ./hello
Hello, world!
$ file hello
hello: executable, regular file, no read permission

Displaying the contents of a file and executing them are two different things. With shell scripts, these things are related because they are "executed" by "reading" them into a new shell (or the current one), if you'll forgive the simplification. This is why you need to be able to read them. Binaries don't use that mechanism.

For directories, the execute permission is a little different; it means you can do things to files within that directory (e.g. read or execute them). So let's say you have a set of tools in /tools that you want people to be able to use, but only if they know about them. chmod 711 /tools. Then executable things in /tools can be run explicitly (e.g. /tools/mytool), but ls /tools/ will be denied. Similarly, documents could be stored in /private-docs which could be read if and only if the file names are known.

Mat
DopeGhoti
  • 1
    Incidentally there's no point in setting execute-only on system binaries anymore unless you run anonymous ftp. – Joshua Mar 11 '17 at 00:07
  • 1
    Also, setting the executable bit on a directory allows you to cd to it. – gardenhead Mar 11 '17 at 00:19
  • 1
    BTW, There is no need for including the C header stdio.h here. I suggest removing it. – Spikatrix Mar 11 '17 at 04:19
  • Is there a reason people don't always do this to /etc/ and friends? Not a lot of "typical" software needs to enumerate those directories. – Kevin Mar 11 '17 at 08:12
  • 1
    @Kevin: Probably because not having ls and tab completion working makes maintenance work annoying, and it provides little if any actual security benefit. Most of the files that an attacker could be interested in are at known standard locations anyway, or their locations can be discovered indirectly from data in other files (else how would the programs that legitimately use those files know where to find them?). – Ilmari Karonen Mar 11 '17 at 16:08
  • 1
    Also, a lot of utilities do read the configuration files in /etc to know how to behave properly. /etc is, among other things, the common location for default settings (e.g. /etc/profile) or messages (/etc/motd). – DopeGhoti Mar 11 '17 at 16:10
  • @DopeGhoti: Nobody said you had to deny execute permission to /etc. – Kevin Mar 11 '17 at 17:16
  • 1
    A common use for the x bit on directories is disallowing read access to other users, but allowing the web server to traverse down to the public_html directory (which has read permission for other). – Simon Richter Mar 12 '17 at 01:21
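The script-versus-binary distinction in the answer above, as an added example that is not code from the answer. It builds the question's say_foo script and a copy of the system's true(1) in a scratch directory and reports whether each runs at mode 100 and mode 500. It assumes a POSIX sh with coreutils-style chmod, cp and head, a temp directory not mounted noexec, and a non-root user: root bypasses the read check, so for root the script runs even at mode 100. The interpreter named in the #!-line is the process that actually opens the script, which is why the script, and not the binary, needs the read bit.

```sh
#!/bin/sh
# Added example: does a file execute at a given mode?  Compares a shell script
# (read by its interpreter) with a compiled binary (mapped by the kernel, which
# checks only the execute bit).  Assumes a non-root user and a tmp dir that
# allows execution.
set -u

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# The script from the question, with an explicit interpreter line.
SCRIPT=$WORK/say_foo
printf '#!/bin/sh\necho foo\n' > "$SCRIPT"

# A compiled program: a copy of true(1), so no compiler is needed.  Skipped if
# the only true(1) on this system is itself a script.
find_true_binary() {
    for p in /bin/true /usr/bin/true; do
        if [ -x "$p" ] && [ "$(head -c 2 "$p" 2>/dev/null)" != '#!' ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}
BIN=''
if t=$(find_true_binary); then
    BIN=$WORK/true_copy
    cp "$t" "$BIN"
fi

# runs_with_mode FILE MODE: chmod FILE to MODE, execute it, print yes or no
# depending on whether it exited successfully.
runs_with_mode() {
    chmod "$2" "$1"
    if "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# readable FILE: yes if the current user may read FILE (access(2) semantics,
# so root always gets yes).
readable() {
    if [ -r "$1" ]; then echo yes; else echo no; fi
}

printf 'script at 500 runs:     %s\n' "$(runs_with_mode "$SCRIPT" 500)"
printf 'script at 100 runs:     %s\n' "$(runs_with_mode "$SCRIPT" 100)"   # no for a non-root user
printf 'script at 100 readable: %s\n' "$(readable "$SCRIPT")"             # no for a non-root user
if [ -n "$BIN" ]; then
    printf 'binary at 500 runs:     %s\n' "$(runs_with_mode "$BIN" 500)"
    printf 'binary at 100 runs:     %s\n' "$(runs_with_mode "$BIN" 100)"  # yes: execve needs only x
fi
```

The same check applies to any interpreted file: replace the #!/bin/sh line with #!/usr/bin/env python3 or a perl path and mode 100 fails in exactly the same way, because the interpreter, not the kernel, opens the file.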
4

On Gentoo, executable programs that are setuid (set to run with the permissions of their owner instead of their invoker) are denied read access (mode 4711). This is to add a layer of protection against exploitation of bugs to aid in privilege escalation.

If an unprivileged attacker can read a setuid file, and knows of a bug that allows a return-to-libc-style attack, they may be able to use the contents of the file to predict where certain useful functions or libraries are likely to be placed in memory when the program is invoked.

Modern systems often include additional protections that are more effective, such as ASLR, but the restrictions present in 32-bit platforms may leave them more easily exploitable.

Nobody
  • 1
  • Note that the protection only applies to source-based distros. With binary-based distros, the attacker can just look at their own copy of the program to figure out where interesting things are. – Mark Mar 12 '17 at 03:08
  • An executable-only binary can also have embedded passwords. The user can run the program, and it can send the password to the server, but the user won't be able to get the password from it (the system shouldn't allow them to make core dumps, either). – Barmar Mar 15 '17 at 18:49
2

It looks like the value of "execute only" doesn't have much use for a file, but it can be used to prevent one from reading the contents of a directory.

$ mkdir foo
$ touch foo/bar
$ ls foo/
bar
$ chmod 100 foo
$ ls foo/
ls: cannot open directory foo/: Permission denied
devoutsalsa
  • 1
    It's worth mentioning that the reason this is useful is because you can still read foo/bar if you know the filename. I've used this on web servers. – Random832 Mar 11 '17 at 03:56
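The execute-only directory shown in this answer and in the /tools and /private-docs paragraph of the first answer, as an added example that is not code from either answer. It assumes a POSIX sh and a non-root user (root bypasses the directory read check), and uses mode 111 rather than the 711 quoted above so that the effect is visible to the directory's owner as well as to other users. The third check, with the directory at mode 000, shows that it is the execute bit, not the read bit, that makes a known path usable.

```sh
#!/bin/sh
# Added example: an execute-only directory can be entered and traversed but not
# listed, so a file inside is reachable only by someone who knows its name.
# Assumes a non-root user.
set -u

WORK=$(mktemp -d) || exit 1
DOCS=$WORK/private-docs
# Restore owner permissions before deleting: rm -rf cannot empty a directory
# that its owner can neither read nor write.
trap 'chmod u+rwx "$DOCS" 2>/dev/null; rm -rf "$WORK"' EXIT

mkdir "$DOCS"
printf 'known content\n' > "$DOCS/report.txt"

# can_list DIR: yes if the directory's entries can be enumerated (needs r).
can_list() {
    if ls "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# can_enter DIR: yes if cd into the directory succeeds (needs x only).
can_enter() {
    if (cd "$1") 2>/dev/null; then echo yes; else echo no; fi
}

# can_read FILE: yes if the file's content is readable through its full path,
# which needs x on every directory component plus r on the file itself.
can_read() {
    if cat "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

chmod 111 "$DOCS"
printf 'mode 111: ls=%s cd=%s cat-by-name=%s\n' \
    "$(can_list "$DOCS")" "$(can_enter "$DOCS")" "$(can_read "$DOCS/report.txt")"  # no yes yes

chmod 000 "$DOCS"
printf 'mode 000: ls=%s cd=%s cat-by-name=%s\n' \
    "$(can_list "$DOCS")" "$(can_enter "$DOCS")" "$(can_read "$DOCS/report.txt")"  # no no no
```

The web-server case from the comment is the same rule applied across users: the home directory at 711 lets the server's account traverse into public_html without being able to enumerate anything else in the home directory.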
0

You need to have read and execute permissions in order to execute a script. Reading the contents of a script is what allows it to execute, so you need to be able to read and execute. Otherwise, you can't run a script without it.

What is a valid use case for an execute only permission?

Security. Some may want to protect their files and stop others from executing or using them.

  • Regarding security, to lock down a file so it's unusable, is "execute only" ever preferable to "none". Why not just use chmod 000 /path/to/something? – devoutsalsa Mar 10 '17 at 20:39
  • 2
    chmod 000 will regard permissions to nobody except root. Sometimes you don't need to go that extensive just for protection - it depends on user intentions. In order to, let's say "re-chmod" the file back to readable and writable permissions you would have to do this through root. If you're not able to access root, then it will prove difficult. – Jordan Savell Mar 10 '17 at 20:44
  • 2
    Let's say you have a set of tools in /tools that you want people to be able to use, but only if they know about them. chmod 711 /tools. Then executable things in /tools can be run explicitly, but ls /tools/ will be denied. – DopeGhoti Mar 10 '17 at 20:45
  • 1
    Good answer! Taught me something there too. Why do binary files not need the read permission to be executed? – Jordan Savell Mar 10 '17 at 20:46
  • 2
    Because displaying the contents of a file and executing them are two different things. Shell scripts are "executed" by "reading" them into a new shell (if you'll forgive the simplification), which is why you need to be able to read them. Binaries don't use that mechanism. – DopeGhoti Mar 10 '17 at 20:47
  • 1
    Ah common sense. I thought it was something different - thanks! – Jordan Savell Mar 10 '17 at 20:48