I understand this first example:

> mkdir foo
> chmod u-w foo
> touch foo/test
touch: cannot touch `foo/test': Permission denied
> echo "BAD" >> foo/test
bash: foo/test: Permission denied

This makes sense: I don't have write permission on the directory, so I shouldn't be able to write any changes. I cannot touch nor create a file that can be appended to. Why does this work, however?

> mkdir bar
> touch bar/test
> chmod u-w bar
> echo "BAD" >> bar/test
> cat bar/test
BAD
  • Think about it - the write permissions are on the directory and apply only to the directory itself, not to any files listed in the directory. When you are appending to a file, you are not writing to the directory, but to the file itself. – jw013 Oct 16 '12 at 15:26
  • @jw013 I'm sure this sounds like a newbie comment, but the way I understood dir permissions was that no changes could be written to the directory; are files not part of the directory? – Hooked Oct 16 '12 at 15:28
  • A useful analogy I have heard is to think of a directory like a phone book - a list of directory entries. Your phone book doesn't contain actual physical people - only their names and phone numbers. Directories don't contain actual physical files - only their names and inode numbers. Removing write access to the phone book means you can't add or remove or change entries, but the people whose numbers are listed in your phone book can still change. Removing write access to the directory means you can't add, remove, or change entries, but the files themselves can still change. – jw013 Oct 16 '12 at 15:30

1 Answer

You have no write permission on the directory. That means you cannot modify the directory. Creating or removing a file in the directory (which includes creating or deleting a file, as well as moving the file in or out of the directory) modifies the directory. If you modify a file inside the directory (by appending or overwriting it), that doesn't modify the directory itself.

You can also modify the file's metadata (dates, permissions, etc.) as long as you own the file, regardless of the permissions on the directory and on the file. You can even indirectly modify a file's access time by reading it, even if reading is the only permission you have on the file. Access to file metadata isn't controlled by permissions.

The only permission on the directory that's relevant to modifying files inside it is the execute permission. It controls whether you can access the file at all. (The read permission on the directory controls whether you can list the directory's files; with read but not execute, you can see the file names but not access the files; with execute but not read, you can access files in the directory, but only if you know their name.) As long as you can access the file, the directory's permissions don't matter further.

If you want to make a whole directory tree read-only, you can't do it by changing the permissions on the directory alone; you have to change the permission of every file. Alternatively, create a read-only view.
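The behaviour the answer describes, reproduced as an added shell demonstration that is not part of the original question or answer. It builds its own scratch directory under mktemp and assumes it runs as an ordinary user, since root bypasses these permission checks entirely. It goes a little beyond the post: after showing that removing w from the directory blocks create and unlink but not append, it also shows that clearing the file's own write bit is what finally blocks the append, and that clearing x on the directory blocks even reading the file.

```shell
#!/bin/sh
# Demonstrates which operations the directory's permission bits control and
# which are controlled by the file's own bits. Must run as a normal user:
# root ignores these checks, so every step would report "ok".
# Results are accumulated into a single string so the outcome can be checked.

dir_perm_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bar"
    printf 'original\n' > "$work/bar/test"
    chmod u-w "$work/bar"                 # directory is now r-x for the owner
    result=""

    # 1. Creating a new entry modifies the directory -> needs w on the directory
    if touch "$work/bar/new" 2>/dev/null; then
        result="${result}create=ok "
    else
        result="${result}create=denied "
    fi

    # 2. Appending writes to the file, not the directory -> needs w on the FILE
    if printf 'BAD\n' 2>/dev/null >> "$work/bar/test"; then
        result="${result}append=ok "
    else
        result="${result}append=denied "
    fi

    # 3. Deleting an entry modifies the directory -> denied just like create
    if rm "$work/bar/test" 2>/dev/null; then
        result="${result}unlink=ok "
    else
        result="${result}unlink=denied "
    fi

    # 4. Metadata (here: the mode bits) belongs to the file; owning the file is enough
    if chmod a-w "$work/bar/test" 2>/dev/null; then
        result="${result}chmod=ok "
    else
        result="${result}chmod=denied "
    fi

    # 5. With the file's own write bit cleared, the append is now refused,
    #    even though nothing about the directory changed
    if printf 'BAD\n' 2>/dev/null >> "$work/bar/test"; then
        result="${result}append2=ok "
    else
        result="${result}append2=denied "
    fi

    # 6. Without x on the directory the path cannot be traversed at all,
    #    so even reading a world-readable file inside it fails
    chmod u-x "$work/bar"
    if cat "$work/bar/test" >/dev/null 2>&1; then
        result="${result}read_nox=ok"
    else
        result="${result}read_nox=denied"
    fi

    # Restore the directory bits so the scratch tree can be removed
    chmod u+rwx "$work/bar"
    rm -rf "$work"
    printf '%s\n' "$result"
}

dir_perm_demo
```

Run as a regular user it prints `create=denied append=ok unlink=denied chmod=ok append2=denied read_nox=denied`, which is exactly the split the answer draws: create, unlink and rename are directory operations, while append and chmod are file operations, and the directory's x bit is the only one that gates reaching the file at all.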