1

At the moment I am playing around with Linux on my Raspberry Pi and I'm trying to learn how the permission system works.

I created a group of two users; one of them created a Python script in his own documents folder with the permissions -rwx--x---.

The other group member should execute the file with the command python hello.py, but he gets "permission denied".

The only way is to also give the group read permission, so: -rwxr-x---

Why is the execute permission not enough to execute the Python script?

peterh
  • 9,731

2 Answers

1

Scripts don't need an "x" permission to run. From the kernel's point of view, they are simple text files; it is not the scripts that run, but their interpreter. If you run a Python script, you start the python binary, not your something.py.

But you need the r flag on the script, because the interpreter has to be able to read the script in order to execute it.

And most interpreters won't execute scripts without an executable flag. Although they could, it is a security-precaution convention.

Thus, for scripts, you need both the r and x flag to run them.

peterh
  • 9,731
1

The execute permissions are enough for the kernel to execute the file.

If the file starts with #!, then it will see it's a script, parse that line to find out the path of the interpreter and an optional argument, and then execute that interpreter with that optional argument and the file path as arguments.

For instance, if the file starts with:

#! /usr/bin/python -E

The kernel changes the execve("/path/to/the-script", ["the-script", "arg"], [envs]) to execve("/usr/bin/python", ["/usr/bin/python", "-E", "/path/to/the-script", "arg"], [envs]).

Without the execute permissions, it would never have gotten that far.

Now, at that point, what matters is the execute permission of the interpreter. If it's executable, then it works as normal.

However, later, /usr/bin/python will want to open /path/to/the-script to read and interpret the code in it. And for that, it will need read permission on the file. Unless maybe it has changed euid since last time (for instance if the /usr/bin/python file had the suid/sgid bit), if you didn't have read permission earlier, you still don't have it.

So you can execute a script all right if you have only execute permission on it. It's just that if the interpreter needs to open it to read its content, it fails (and you'll see the error message comes from the interpreter, not the shell you're trying to run that script from). In a script like:

#! /bin/echo Here goes

you'll see that not having read permission doesn't matter, since echo is not trying to open the file for reading.

  • Thanks. Is there a possibility to allow user1 to only execute a Python script but give this task to user2, which will automatically execute it with all permissions needed for the interpreter, so that user1 can't read the file? – Hendrik Hoster Aug 20 '17 at 11:29
  • @HendrikHoster, not sure I understand what you mean, but maybe you'll want to look into sudo which you can configure to allow one user to execute a given command as another user. – Stéphane Chazelas Aug 20 '17 at 11:34
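As an added illustration of the two answers above (this is example code written for this page, not something posted in the thread), here is a small Python model of the two separate permission checks that stand behind "permission denied" on a script. The first check is the kernel's, inside execve(): it needs the x bit for the caller's class and, for a #! file, rewrites the argv the way the second answer describes (interpreter first, then the single optional argument from the #! line, then the script path in place of the original argv[0], then the remaining arguments; this is how Linux's binfmt_script behaves). The second check belongs to the interpreter, which open()s the script to read it and therefore needs the r bit. Note that the questioner's command, python hello.py, never asks the kernel to execute the script at all, so only the second check applies to it. Modes, paths and the #! lines used here are constructed for the example.

```python
"""Model of the two permission checks behind 'permission denied' on a #! script.

Check 1 (kernel, execve): needs the x bit for the caller's class.
Check 2 (interpreter, open): needs the r bit, unless the interpreter
never reads the script (e.g. /bin/echo).  `python hello.py` skips check 1.
Constructed example values throughout; nothing here touches the real filesystem.
"""
import stat

MODE_NO_GROUP_READ = 0o710  # -rwx--x---  (the questioner's first attempt)
MODE_GROUP_READ = 0o750     # -rwxr-x---  (what made it work)


def class_bits(mode, who):
    """rwx triple (0-7) of `mode` that applies to 'owner', 'group' or 'other'."""
    shift = {"owner": 6, "group": 3, "other": 0}[who]
    return (mode >> shift) & 0o7


def shebang_argv(first_line, script_path, argv):
    """Rewrite execve() arguments the way the kernel does for a #! file.

    The first word after '#!' is the interpreter; everything else on the
    line, stripped, is passed as ONE optional argument; the script path
    replaces the original argv[0].  Returns None when the file does not
    start with a usable '#!' line (the kernel would then fail with ENOEXEC).
    """
    if not first_line.startswith("#!"):
        return None
    body = first_line[2:].split("\n", 1)[0].strip(" \t")
    if not body:
        return None
    parts = body.split(None, 1)
    new_argv = [parts[0]]                     # interpreter becomes argv[0]
    if len(parts) == 2 and parts[1].strip():
        new_argv.append(parts[1].strip())     # rest of the line is one argument
    new_argv.append(script_path)              # script path replaces old argv[0]
    new_argv.extend(argv[1:])                 # original arguments follow
    return new_argv


def run_script(mode, who, script_path, first_line, interpreter_reads_script, args=()):
    """Simulate `./script args...` run by a user in class `who`.

    Returns ("execve", "EACCES")      if the kernel refuses (no x bit),
            ("execve", "ENOEXEC")     if there is no usable #! line,
            ("interpreter", "EACCES") if the interpreter cannot open() it (no r bit),
            ("ok", argv)              with the argv the interpreter was started with.
    """
    bits = class_bits(mode, who)
    if not bits & 0o1:
        return ("execve", "EACCES")          # the shell prints: Permission denied
    argv = shebang_argv(first_line, script_path, [script_path, *args])
    if argv is None:
        return ("execve", "ENOEXEC")
    if interpreter_reads_script and not bits & 0o4:
        return ("interpreter", "EACCES")     # e.g. python: can't open file ...: Permission denied
    return ("ok", argv)


def invoke_interpreter_directly(mode, who):
    """Simulate `python hello.py`: python open()s the file itself, so only r matters."""
    return "ok" if class_bits(mode, who) & 0o4 else "EACCES"


if __name__ == "__main__":
    script = "/home/user1/documents/hello.py"   # constructed path
    for mode in (MODE_NO_GROUP_READ, MODE_GROUP_READ, 0o640):
        print(stat.filemode(stat.S_IFREG | mode),
              "| python hello.py ->", invoke_interpreter_directly(mode, "group"),
              "| ./hello.py ->", run_script(mode, "group", script, "#!/usr/bin/python\n", True))
    print("echo script, no r bit ->",
          run_script(MODE_NO_GROUP_READ, "group", script, "#! /bin/echo Here goes\n", False))
```

Running it prints one line per mode: with -rwx--x--- the group member fails in the interpreter either way, with -rwxr-x--- both invocations work, and with -rw-r----- python hello.py works while ./hello.py is refused by execve. The last line shows the echo case from the second answer, where the missing r bit is harmless because the interpreter never opens the file.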