I'm almost ashamed to admit that there is one thing I am still unsure about when it comes to file permissions.
Let's say I have a directory with 750 permission (drwxr-x---). Then I create some descendant files inside it with a rather common 644 permission (-rw-r--r--).
Can the files in that directory be read by any other user on the system (outside of their owner or group), and why? On the one hand, those files have a world readable bit, so that should indicate the file is readable by anybody. On the other hand, the ascendant directory is not world executable (nor readable) so as long as this prevents access to the directory's contents, the world readable bit on the files would be irrelevant. Is that definitively true or is there any way around this?
Now, I seem to regularly see instances where someone recommends a chmod -R o-rwx or something. One example is in Debian's Maildir directories created by postfix I believe - all files, not just the directory, have had world/group read removed. Is it really necessary to remove that world read bit from the files inside if the directory has no world access? I ask as I'm trying to plan how to set up /var/www on a server and have it not world-readable, i.e. by other local users.
What you're asking has more to do with the way the virtual file system performs directory traversals. Due to the fact that everything on a Linux system is a file, this creates a peculiarity when dealing with directories. While they have an execute field, it is fairly meaningless to attempt to execute a directory. Moreover, in the ext2/3/4 file system, the data structure used bears little resemblance to a "true" file. Instead, the permissions have slightly different meanings when applied to directories.
Understanding those distinctions, we can see that if a user's permissions on a specific directory are
--x
then we can determine that the user is permitted to attempt a file access but without actually being able to view the directory entry itself. Or more succinctly, as per coredump, "with --x you can't list the directory, but you can read the files inside it if the file permissions allow it."

Knowing all that, let's take the file
/home/user/public/file
as an example. Generally one should not open their home directory globally, however they want to offer files in 'public' globally. As such, you should set the permissions thusly:
/home -- 755
/home/user -- 711 (or possibly 751)
/home/user/public -- 755

Yes, the files can be read, because they are world readable, but if the directory is not world readable, assuming the user is not in the group owning the directory, the user would need another link to the file. e.g.:
Now the user can access the file, but will have to do so using /tmp/file.
No, they can't. All the path trees to the file have to be accessible too.
[it is possible to create directories that you can't see the contents of, but you can still read files in; i.e. a directory of hidden files, but not with 0750 permissions like in your example]
It is safer to create all the files and directories based on how you want it accessed though. If you move that file out of the existing directory to one with world-readability then suddenly your file that you're used to thinking of as "protected" won't be. If you have the file permissions to also be o-rwx then the file will be protected itself and won't rely on the directory to protect it.
This behavior is easy to test yourself.
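As an added illustration that is not part of any answer above, here is a small Python model of the kernel's path-walk permission check. It reproduces the cases discussed: the question's 750 directory holding a 644 file, coredump's --x (711) directory that can be read through but not listed, and the /tmp hard link from the second answer. The tree, uids and paths are constructed for the example; it is a simulation of the rules, not a call into the real file system.

```python
from dataclasses import dataclass

@dataclass
class Inode:
    mode: int               # permission bits only, e.g. 0o750
    uid: int
    gid: int
    entries: dict = None    # directory contents; None for a regular file

def permits(node: Inode, uid: int, gids: set, want: int) -> bool:
    """Exactly one class applies: owner, else group, else other (no fallthrough)."""
    if uid == 0:
        return True         # root bypasses discretionary access checks
    if uid == node.uid:
        bits = node.mode >> 6
    elif node.gid in gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & want) == want

def resolve(root: Inode, path: str, uid: int, gids: set) -> Inode:
    """Path walk: every directory traversed needs x (search); r on it is not needed."""
    node = root
    for name in [p for p in path.split("/") if p]:
        if node.entries is None:
            raise NotADirectoryError(path)
        if not permits(node, uid, gids, 1):
            raise PermissionError(path)
        node = node.entries[name]   # KeyError if the entry does not exist
    return node

def access(root: Inode, path: str, uid: int, gids: set, want: int) -> bool:
    """Like access(2): resolve, then test want (r=4, w=2, x=1) on the final inode; r on a dir means list."""
    try:
        return permits(resolve(root, path, uid, gids), uid, gids, want)
    except PermissionError:
        return False

def build_tree() -> Inode:
    """Constructed sample: 750 home with a 644 file, a 711 home with a 755 public subdir, and a /tmp hard link."""
    secret = Inode(0o644, 1000, 1000)
    user = Inode(0o750, 1000, 1000, {"file": secret})
    public = Inode(0o755, 1001, 1001, {"doc": Inode(0o644, 1001, 1001)})
    other = Inode(0o711, 1001, 1001, {"public": public, "notes": Inode(0o644, 1001, 1001)})
    return Inode(0o755, 0, 0, {
        "home": Inode(0o755, 0, 0, {"user": user, "other": other}),
        "tmp": Inode(0o1777, 0, 0, {"file": secret}),   # same object: a hard link to the 644 file
    })
```

An unrelated user (uid 2000) is refused /home/user/file by the 750 directory, yet reads the very same inode through /tmp/file, which is why the 644 bits on the file still matter.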