Do I really need recursive chmod to restrict access to a folder?





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







40















If I want to restrict access to a folder secret on a shared machine, do I really need recursive chmod on the folder



chmod -R g=,o= secret


or is chmod on the folder sufficient?



chmod g=,o= secret


What's the practical difference?










share|improve this question





























    40















    If I want to restrict access to a folder secret on a shared machine, do I really need recursive chmod on the folder



    chmod -R g=,o= secret


    or is chmod on the folder sufficient?



    chmod g=,o= secret


    What's the practical difference?










    share|improve this question

























      40












      40








      40


      6






      If I want to restrict access to a folder secret on a shared machine, do I really need recursive chmod on the folder



      chmod -R g=,o= secret


      or is chmod on the folder sufficient?



      chmod g=,o= secret


      What's the practical difference?










      share|improve this question














      If I want to restrict access to a folder secret on a shared machine, do I really need recursive chmod on the folder



      chmod -R g=,o= secret


      or is chmod on the folder sufficient?



      chmod g=,o= secret


      What's the practical difference?







      linux permissions chmod






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked yesterday









      clemischclemisch

      33328




      33328






















          3 Answers
          3






          active

          oldest

          votes


















          54














          For a directory, "read" access lets you list the contents, and "execute" access lets your traverse the directory to open one of its children (file or subdirectory). So if you remove:




          • just the read access, people can still access subdirectories by guessing their names

          • just the execute flag, people can still list the names of the contents even if they cannot access them, and this can still be revealing

          • both read and execute privileges on a directory, anything below it becomes unreachable, and you don't need to make a recursive change.


          Of course if you make a recursive change, an accidental non-recursive reset of the access rights to the top directory will have less consequences.






          share|improve this answer

































            29














            It goes without saying that,
            if you created a file two days ago (with a publicly readable mode),
            and somebody read the file yesterday, or made a copy of it,
            then there’s nothing you can do today to make that file private.



            xenoid says (somewhat simplistically) that,
            if you remove group and other permission from your directory (today, now),
            “anything below it becomes unreachable,
            and you don't need to make a recursive change.” 
            I agree that, if you chmod your (top-level) directory appropriately,
            nobody but yourself1
            will be able to get into it in the future (i.e., from now on). 
            But there are some gotchas.



            Hard links



            Remember that file you created two days ago? 
            Suppose that your adversary made a hard link to that file yesterday
            (instead of copying it).
            If you chmod only your (top-level) directory,
            then that file will continue to have the publicly readable permissions
            you assigned when you created it,
            and so the bad guy will still be able to read it in the future
            — (potentially) even if you subsequently modify it. 
            If you do a recursive chmod,
            that will secure the permissions on the file,
            which will affect the link. 
            The bad guy will still be able to do ls -l on it,
            so they’ll be able to see when you change it, and how big it is,
            but they won’t be able to read it again.



            Working directory



            Suppose that, under your secret directory,
            you have a plans directory, and it also it publicly readable. 
            And suppose that, five minutes ago,
            the bad guy opened a terminal window and said



            cd /home/clemisch/secret/plans


            Now, after you do the chmod on secret,
            the bad guy’s working directory is still  /home/clemisch/secret/plans,
            and they can continue to list that directory and access the files there,
            potentially forever. 
            Of course, once they cd elsewhere, or close that window,
            or log out, or the machine is rebooted, then they lose access.



            If you do a recursive chmod, that will secure the permissions
            on all the files and all the directories,
            causing the squatter to lose access immediately.



            This might not be a very big risk if the machine is a personal computer
            that is accessed only through the console. 
            But, if the bad guy might have left a screen or tmux session
            in the background, then they could use this attack. 
            And, if the machine supports ssh
            (or other remote access; maybe even FTP would be enough),
            this attack can be used.



            Human error



            As xenoid pointed out in their answer:
            If you do a recursive chmod on secret today,
            and then the day after tomorrow you accidentally
            chmod (only) the top-level directory back to 755,
            then you will still be protected by today’s recursive chmod
            all the files and directories under secret will still be unreadable. 
            (Of course, if you create a new file in secret tomorrow,
            and you allow it to be publicly readable, then it will be exposed
            when you open the permissions on the secret directory. 
            But that would be true
            no matter whether today’s chmod was recursive or not.)



            mazunki made a comment, “I believe cp carries permissions.” 
            I’m not sure what they meant, but consider this scenario. 
            You want to do a diff between two files:




            • secret/plans/the/quick/brown/fox/file1

            • secret/jumps/over/the/lazy/dog/file2


            But you aren’t sure exactly where those files are,
            and you have to poke around to find them. 
            You might be tempted to do



            cd plans
            cd the/quick # looking for file1
            cd brown/fox # found it!
            cp file1 /tmp
            cd ../../../../..
            cd jumps/over
            cd the # looking for file2
            cd lazy/dog # found it!
            diff /tmp/file1 file2


            If you do this, then /tmp/file1 will have the same protection
            as secret/plans/the/quick/brown/fox/file1
            so that’s another reason to do the recursive chmod today.



            ONE more thing



            If the bad guy opened one of your secret files five minutes ago,
            and keeps it open, they will be able to read it in the future
            potentially even if you modify it. 
            The good news is that this is a somewhat tricky attack to execute —
            the bad guy has to have put some thought into it, before you do the chmod
            The bad news is that this attack is very difficult to defend against
            — a recursive chmod won’t help.

            __________
            1 and, of course, privileged users / processes



            P.S. You can shorten your command a little:
            chmod go= is equivalent to chmod g=,o=
            (That won’t make the recursive chmod any faster, of course.)






            share|improve this answer


























            • Thank you for the detailed answer! I will still keep xenoid's answer "accepted" because it's so concise, but the info about hard links and working directories is very interesting!

              – clemisch
              16 hours ago













            • Hmmm. when you copy a file, you are the owner of the copy... and you can change the flags to your heart's desire.

              – xenoid
              15 hours ago






            • 3





              The hardlink part is interesting. Would it be possible for someone to guess the inode number and create a hardlink even after the directory rights were changed?

              – allo
              11 hours ago











            • @xenoid: Yes, of course.  I didn’t say “If you copy your file to /Users/Public, you’ll have a problem”, because I would expect that the user wouldn’t copy a file from their secret directory to /Users/Public unless they intended to make it public.  My point is that, when you’re dealing with two things, you sometimes use a third place.  If you have a chair and a table, and you want to swap them (i.e., move them to each other’s locations), you’ll drag one of them into the middle of the room, move the second one to where the first one was, … (Cont’d)

              – G-Man
              10 hours ago






            • 2





              @allo: Good question. I’m pretty sure that there is no program or system call that lets you create a link just by knowing the inode number.  If a user had full access to the disk (i.e., read/write access to /dev/sda1, or whatever), they could probably create such a link with a hex editor or a filesystem editor (like debugfs).  But that’s moot; anybody who has full read access to the disk can read any file; that’s why that access is typically given only to root (and possibly some other system services).

              – G-Man
              10 hours ago



















            -2














            Recursive chmod affects all subdirectories and folders too, not just the folder itself.



            .:
            total 16
            drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
            drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
            d--------- 3 mazunki mazunki 4096 april 15 11:46 a
            d--------- 2 mazunki mazunki 4096 april 15 11:42 b

            ./a:
            total 12
            d--------- 3 mazunki mazunki 4096 april 15 11:46 .
            drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
            -----w---- 1 mazunki mazunki 0 april 15 11:42 a
            dr-xr-xr-x 2 root root 4096 april 15 11:46 aa
            -----w---- 1 mazunki mazunki 0 april 15 11:42 b

            ./a/aa:
            total 8
            dr-xr-xr-x 2 root root 4096 april 15 11:46 .
            d--------- 3 mazunki mazunki 4096 april 15 11:46 ..

            ./b:
            total 8
            d--------- 2 mazunki mazunki 4096 april 15 11:42 .
            drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
            -----w---- 1 mazunki mazunki 0 april 15 11:42 a
            -----w---- 1 mazunki mazunki 0 april 15 11:42 b
            ~:~/test ▶
            ~:~/test ▶
            ~:~/test ▶ sudo chmod -R +w a
            ~:~/test ▶
            ~:~/test ▶
            ~:~/test ▶ sudo ls -alR
            .:
            total 16
            drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
            drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
            d-w------- 3 mazunki mazunki 4096 april 15 11:46 a
            d--------- 2 mazunki mazunki 4096 april 15 11:42 b

            ./a:
            total 12
            d-w------- 3 mazunki mazunki 4096 april 15 11:46 .
            drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
            --w--w---- 1 mazunki mazunki 0 april 15 11:42 a
            drwxr-xr-x 2 root root 4096 april 15 11:46 aa
            --w--w---- 1 mazunki mazunki 0 april 15 11:42 b

            ./a/aa:
            total 8
            drwxr-xr-x 2 root root 4096 april 15 11:46 .
            d-w------- 3 mazunki mazunki 4096 april 15 11:46 ..

            ./b:
            total 8
            d--------- 2 mazunki mazunki 4096 april 15 11:42 .
            drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
            -----w---- 1 mazunki mazunki 0 april 15 11:42 a
            -----w---- 1 mazunki mazunki 0 april 15 11:42 b


            If you don't explicitly give access to ., you won't be able to read the contents of the folder.



             ~:~/test ▶ ls -l
            total 8
            drwxr-xr-x 3 mazunki mazunki 4096 april 15 11:46 a
            d--------- 2 mazunki mazunki 4096 april 15 11:42 b
            ~:~/test ▶
            ~:~/test ▶
            ~:~/test ▶ sudo chmod +xxx b
            ~:~/test ▶ cd b
            ~:~/test/b ▶ ls
            ls: cannot open directory '.': Permission denied
            ~:~/test/b ▶ sudo chmod +xxx .
            ~:~/test/b ▶ ls
            ls: cannot open directory '.': Permission denied
            ~:~/test/b ▶ sudo chmod +rrr .
            ~:~/test/b ▶ ls
            a b
            ~:~/test/b ▶


            Likewise, you won't be able to cd into subdirectories of said folder unless you explicitly +x them.






            share|improve this answer





















            • 6





              I think the OP understands what "recursive" means. What's your answer to the title question? (yes or no?) What about "practical difference"?

              – Kamil Maciorowski
              yesterday






            • 5





              Sorry, what you wrote may all be true but I don't see how it answers the question. I think the question can be rephrased: after chmod g=,o= secret/, do permissions of objects inside secret/ matter? Well, do they?

              – Kamil Maciorowski
              yesterday











            • Thanks for the answer! I still don't see a difference concerning the secrecy of the folder though. Could it be that you could still cd into a specific subfolder if you knew the path beforehand?

              – clemisch
              yesterday











            • I just tested that and it does not seem to work. Then I really don't see any difference. As -R takes much longer (of course) for many files, I will stick to normal chmod I guess.

              – clemisch
              yesterday






            • 2





              I agree with @KamilMaciorowski — you don’t seem to be saying anything wrong, but it’s not clear what you are saying. Your example is long and confusing, and you muddy the waters with your use of sudo and directories with mode 0.

              – Scott
              22 hours ago












            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1425574%2fdo-i-really-need-recursive-chmod-to-restrict-access-to-a-folder%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            54














            For a directory, "read" access lets you list the contents, and "execute" access lets your traverse the directory to open one of its children (file or subdirectory). So if you remove:




            • just the read access, people can still access subdirectories by guessing their names

            • just the execute flag, people can still list the names of the contents even if they cannot access them, and this can still be revealing

            • both read and execute privileges on a directory, anything below it becomes unreachable, and you don't need to make a recursive change.


            Of course if you make a recursive change, an accidental non-recursive reset of the access rights to the top directory will have less consequences.






            share|improve this answer






























              54














              For a directory, "read" access lets you list the contents, and "execute" access lets your traverse the directory to open one of its children (file or subdirectory). So if you remove:




              • just the read access, people can still access subdirectories by guessing their names

              • just the execute flag, people can still list the names of the contents even if they cannot access them, and this can still be revealing

              • both read and execute privileges on a directory, anything below it becomes unreachable, and you don't need to make a recursive change.


              Of course if you make a recursive change, an accidental non-recursive reset of the access rights to the top directory will have less consequences.






              share|improve this answer




























                54












                54








                54







                For a directory, "read" access lets you list the contents, and "execute" access lets your traverse the directory to open one of its children (file or subdirectory). So if you remove:




                • just the read access, people can still access subdirectories by guessing their names

                • just the execute flag, people can still list the names of the contents even if they cannot access them, and this can still be revealing

                • both read and execute privileges on a directory, anything below it becomes unreachable, and you don't need to make a recursive change.


                Of course if you make a recursive change, an accidental non-recursive reset of the access rights to the top directory will have less consequences.






                share|improve this answer















                For a directory, "read" access lets you list the contents, and "execute" access lets your traverse the directory to open one of its children (file or subdirectory). So if you remove:




                • just the read access, people can still access subdirectories by guessing their names

                • just the execute flag, people can still list the names of the contents even if they cannot access them, and this can still be revealing

                • both read and execute privileges on a directory, anything below it becomes unreachable, and you don't need to make a recursive change.


                Of course if you make a recursive change, an accidental non-recursive reset of the access rights to the top directory will have less consequences.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited yesterday

























                answered yesterday









                xenoidxenoid

                4,4623921




                4,4623921

























                    29














                    It goes without saying that,
                    if you created a file two days ago (with a publicly readable mode),
                    and somebody read the file yesterday, or made a copy of it,
                    then there’s nothing you can do today to make that file private.



                    xenoid says (somewhat simplistically) that,
                    if you remove group and other permission from your directory (today, now),
                    “anything below it becomes unreachable,
                    and you don't need to make a recursive change.” 
                    I agree that, if you chmod your (top-level) directory appropriately,
                    nobody but yourself1
                    will be able to get into it in the future (i.e., from now on). 
                    But there are some gotchas.



                    Hard links



                    Remember that file you created two days ago? 
                    Suppose that your adversary made a hard link to that file yesterday
                    (instead of copying it).
                    If you chmod only your (top-level) directory,
                    then that file will continue to have the publicly readable permissions
                    you assigned when you created it,
                    and so the bad guy will still be able to read it in the future
                    — (potentially) even if you subsequently modify it. 
                    If you do a recursive chmod,
                    that will secure the permissions on the file,
                    which will affect the link. 
                    The bad guy will still be able to do ls -l on it,
                    so they’ll be able to see when you change it, and how big it is,
                    but they won’t be able to read it again.



                    Working directory



                    Suppose that, under your secret directory,
                    you have a plans directory, and it also it publicly readable. 
                    And suppose that, five minutes ago,
                    the bad guy opened a terminal window and said



                    cd /home/clemisch/secret/plans


                    Now, after you do the chmod on secret,
                    the bad guy’s working directory is still  /home/clemisch/secret/plans,
                    and they can continue to list that directory and access the files there,
                    potentially forever. 
                    Of course, once they cd elsewhere, or close that window,
                    or log out, or the machine is rebooted, then they lose access.



                    If you do a recursive chmod, that will secure the permissions
                    on all the files and all the directories,
                    causing the squatter to lose access immediately.



                    This might not be a very big risk if the machine is a personal computer
                    that is accessed only through the console. 
                    But, if the bad guy might have left a screen or tmux session
                    in the background, then they could use this attack. 
                    And, if the machine supports ssh
                    (or other remote access; maybe even FTP would be enough),
                    this attack can be used.



                    Human error



                    As xenoid pointed out in their answer:
                    If you do a recursive chmod on secret today,
                    and then the day after tomorrow you accidentally
                    chmod (only) the top-level directory back to 755,
                    then you will still be protected by today’s recursive chmod
                    all the files and directories under secret will still be unreadable. 
                    (Of course, if you create a new file in secret tomorrow,
                    and you allow it to be publicly readable, then it will be exposed
                    when you open the permissions on the secret directory. 
                    But that would be true
                    no matter whether today’s chmod was recursive or not.)



                    mazunki made a comment, “I believe cp carries permissions.” 
                    I’m not sure what they meant, but consider this scenario. 
                    You want to do a diff between two files:




                    • secret/plans/the/quick/brown/fox/file1

                    • secret/jumps/over/the/lazy/dog/file2


                    But you aren’t sure exactly where those files are,
                    and you have to poke around to find them. 
                    You might be tempted to do



                    cd plans
                    cd the/quick # looking for file1
                    cd brown/fox # found it!
                    cp file1 /tmp
                    cd ../../../../..
                    cd jumps/over
                    cd the # looking for file2
                    cd lazy/dog # found it!
                    diff /tmp/file1 file2


                    If you do this, then /tmp/file1 will have the same protection
                    as secret/plans/the/quick/brown/fox/file1
                    so that’s another reason to do the recursive chmod today.



                    ONE more thing



                    If the bad guy opened one of your secret files five minutes ago,
                    and keeps it open, they will be able to read it in the future
                    potentially even if you modify it. 
                    The good news is that this is a somewhat tricky attack to execute —
                    the bad guy has to have put some thought into it, before you do the chmod
                    The bad news is that this attack is very difficult to defend against
                    — a recursive chmod won’t help.

                    __________
                    1 and, of course, privileged users / processes



                    P.S. You can shorten your command a little:
                    chmod go= is equivalent to chmod g=,o=
                    (That won’t make the recursive chmod any faster, of course.)






                    share|improve this answer


























                    • Thank you for the detailed answer! I will still keep xenoid's answer "accepted" because it's so concise, but the info about hard links and working directories is very interesting!

                      – clemisch
                      16 hours ago













                    • Hmmm. when you copy a file, you are the owner of the copy... and you can change the flags to your heart's desire.

                      – xenoid
                      15 hours ago






                    • 3





                      The hardlink part is interesting. Would it be possible for someone to guess the inode number and create a hardlink even after the directory rights were changed?

                      – allo
                      11 hours ago











                    • @xenoid: Yes, of course.  I didn’t say “If you copy your file to /Users/Public, you’ll have a problem”, because I would expect that the user wouldn’t copy a file from their secret directory to /Users/Public unless they intended to make it public.  My point is that, when you’re dealing with two things, you sometimes use a third place.  If you have a chair and a table, and you want to swap them (i.e., move them to each other’s locations), you’ll drag one of them into the middle of the room, move the second one to where the first one was, … (Cont’d)

                      – G-Man
                      10 hours ago






                    • 2





                      @allo: Good question. I’m pretty sure that there is no program or system call that lets you create a link just by knowing the inode number.  If a user had full access to the disk (i.e., read/write access to /dev/sda1, or whatever), they could probably create such a link with a hex editor or a filesystem editor (like debugfs).  But that’s moot; anybody who has full read access to the disk can read any file; that’s why that access is typically given only to root (and possibly some other system services).

                      – G-Man
                      10 hours ago
















                    29














                    It goes without saying that,
                    if you created a file two days ago (with a publicly readable mode),
                    and somebody read the file yesterday, or made a copy of it,
                    then there’s nothing you can do today to make that file private.



                    xenoid says (somewhat simplistically) that,
                    if you remove group and other permission from your directory (today, now),
                    “anything below it becomes unreachable,
                    and you don't need to make a recursive change.” 
                    I agree that, if you chmod your (top-level) directory appropriately,
                    nobody but yourself1
                    will be able to get into it in the future (i.e., from now on). 
                    But there are some gotchas.



                    Hard links



                    Remember that file you created two days ago? 
                    Suppose that your adversary made a hard link to that file yesterday
                    (instead of copying it).
                    If you chmod only your (top-level) directory,
                    then that file will continue to have the publicly readable permissions
                    you assigned when you created it,
                    and so the bad guy will still be able to read it in the future
                    — (potentially) even if you subsequently modify it. 
                    If you do a recursive chmod,
                    that will secure the permissions on the file,
                    which will affect the link. 
                    The bad guy will still be able to do ls -l on it,
                    so they’ll be able to see when you change it, and how big it is,
                    but they won’t be able to read it again.



                    Working directory



                    Suppose that, under your secret directory,
                    you have a plans directory, and it also it publicly readable. 
                    And suppose that, five minutes ago,
                    the bad guy opened a terminal window and said



                    cd /home/clemisch/secret/plans


                    Now, after you do the chmod on secret,
                    the bad guy’s working directory is still  /home/clemisch/secret/plans,
                    and they can continue to list that directory and access the files there,
                    potentially forever. 
                    Of course, once they cd elsewhere, or close that window,
                    or log out, or the machine is rebooted, then they lose access.



                    If you do a recursive chmod, that will secure the permissions
                    on all the files and all the directories,
                    causing the squatter to lose access immediately.



                    This might not be a very big risk if the machine is a personal computer
                    that is accessed only through the console. 
                    But, if the bad guy might have left a screen or tmux session
                    in the background, then they could use this attack. 
                    And, if the machine supports ssh
                    (or other remote access; maybe even FTP would be enough),
                    this attack can be used.



                    Human error



                    As xenoid pointed out in their answer:
                    If you do a recursive chmod on secret today,
                    and then the day after tomorrow you accidentally
                    chmod (only) the top-level directory back to 755,
                    then you will still be protected by today’s recursive chmod
                    all the files and directories under secret will still be unreadable. 
                    (Of course, if you create a new file in secret tomorrow,
                    and you allow it to be publicly readable, then it will be exposed
                    when you open the permissions on the secret directory. 
                    But that would be true
                    no matter whether today’s chmod was recursive or not.)



                    mazunki made a comment, “I believe cp carries permissions.” 
                    I’m not sure what they meant, but consider this scenario. 
                    You want to do a diff between two files:




                    • secret/plans/the/quick/brown/fox/file1

                    • secret/jumps/over/the/lazy/dog/file2


                    But you aren’t sure exactly where those files are,
                    and you have to poke around to find them. 
                    You might be tempted to do



                    cd plans
                    cd the/quick # looking for file1
                    cd brown/fox # found it!
                    cp file1 /tmp
                    cd ../../../../..
                    cd jumps/over
                    cd the # looking for file2
                    cd lazy/dog # found it!
                    diff /tmp/file1 file2


                    If you do this, then /tmp/file1 will have the same protection
                    as secret/plans/the/quick/brown/fox/file1
                    so that’s another reason to do the recursive chmod today.



                    ONE more thing



                    If the bad guy opened one of your secret files five minutes ago,
                    and keeps it open, they will be able to read it in the future
                    potentially even if you modify it. 
                    The good news is that this is a somewhat tricky attack to execute —
                    the bad guy has to have put some thought into it, before you do the chmod
                    The bad news is that this attack is very difficult to defend against
                    — a recursive chmod won’t help.

                    __________
                    1 and, of course, privileged users / processes



                    P.S. You can shorten your command a little:
                    chmod go= is equivalent to chmod g=,o=
                    (That won’t make the recursive chmod any faster, of course.)






                    share|improve this answer


























                    • Thank you for the detailed answer! I will still keep xenoid's answer "accepted" because it's so concise, but the info about hard links and working directories is very interesting!

                      – clemisch
                      16 hours ago













                    • Hmmm. when you copy a file, you are the owner of the copy... and you can change the flags to your heart's desire.

                      – xenoid
                      15 hours ago






                    • 3





                      The hardlink part is interesting. Would it be possible for someone to guess the inode number and create a hardlink even after the directory rights were changed?

                      – allo
                      11 hours ago











                    • @xenoid: Yes, of course.  I didn’t say “If you copy your file to /Users/Public, you’ll have a problem”, because I would expect that the user wouldn’t copy a file from their secret directory to /Users/Public unless they intended to make it public.  My point is that, when you’re dealing with two things, you sometimes use a third place.  If you have a chair and a table, and you want to swap them (i.e., move them to each other’s locations), you’ll drag one of them into the middle of the room, move the second one to where the first one was, … (Cont’d)

                      – G-Man
                      10 hours ago






                    • 2





                      @allo: Good question. I’m pretty sure that there is no program or system call that lets you create a link just by knowing the inode number.  If a user had full access to the disk (i.e., read/write access to /dev/sda1, or whatever), they could probably create such a link with a hex editor or a filesystem editor (like debugfs).  But that’s moot; anybody who has full read access to the disk can read any file; that’s why that access is typically given only to root (and possibly some other system services).

                      – G-Man
                      10 hours ago














                    29












                    29








                    29







                    It goes without saying that,
                    if you created a file two days ago (with a publicly readable mode),
                    and somebody read the file yesterday, or made a copy of it,
                    then there’s nothing you can do today to make that file private.



                    xenoid says (somewhat simplistically) that,
                    if you remove group and other permission from your directory (today, now),
                    “anything below it becomes unreachable,
                    and you don't need to make a recursive change.” 
                    I agree that, if you chmod your (top-level) directory appropriately,
                    nobody but yourself1
                    will be able to get into it in the future (i.e., from now on). 
                    But there are some gotchas.



                    Hard links



                    Remember that file you created two days ago? 
                    Suppose that your adversary made a hard link to that file yesterday
                    (instead of copying it).
                    If you chmod only your (top-level) directory,
                    then that file will continue to have the publicly readable permissions
                    you assigned when you created it,
                    and so the bad guy will still be able to read it in the future
                    — (potentially) even if you subsequently modify it. 
                    If you do a recursive chmod,
                    that will secure the permissions on the file,
                    which will affect the link. 
                    The bad guy will still be able to do ls -l on it,
                    so they’ll be able to see when you change it, and how big it is,
                    but they won’t be able to read it again.



                    Working directory



                    Suppose that, under your secret directory,
                    you have a plans directory, and it also it publicly readable. 
                    And suppose that, five minutes ago,
                    the bad guy opened a terminal window and said



                    cd /home/clemisch/secret/plans


                    Now, after you do the chmod on secret,
                    the bad guy’s working directory is still  /home/clemisch/secret/plans,
                    and they can continue to list that directory and access the files there,
                    potentially forever. 
                    Of course, once they cd elsewhere, or close that window,
                    or log out, or the machine is rebooted, then they lose access.



                    If you do a recursive chmod, that will secure the permissions
                    on all the files and all the directories,
                    causing the squatter to lose access immediately.



                    This might not be a very big risk if the machine is a personal computer
                    that is accessed only through the console. 
                    But, if the bad guy might have left a screen or tmux session
                    in the background, then they could use this attack. 
                    And, if the machine supports ssh
                    (or other remote access; maybe even FTP would be enough),
                    this attack can be used.



                    Human error



                    As xenoid pointed out in their answer:
                    If you do a recursive chmod on secret today,
                    and then the day after tomorrow you accidentally
                    chmod (only) the top-level directory back to 755,
                    then you will still be protected by today’s recursive chmod
                    all the files and directories under secret will still be unreadable. 
                    (Of course, if you create a new file in secret tomorrow,
                    and you allow it to be publicly readable, then it will be exposed
                    when you open the permissions on the secret directory. 
                    But that would be true
                    no matter whether today’s chmod was recursive or not.)



                    mazunki made a comment, “I believe cp carries permissions.” 
                    I’m not sure what they meant, but consider this scenario. 
                    You want to do a diff between two files:




                    • secret/plans/the/quick/brown/fox/file1

                    • secret/jumps/over/the/lazy/dog/file2


                    But you aren’t sure exactly where those files are,
                    and you have to poke around to find them. 
                    You might be tempted to do



                    cd plans
                    cd the/quick # looking for file1
                    cd brown/fox # found it!
                    cp file1 /tmp
                    cd ../../../../..
                    cd jumps/over
                    cd the # looking for file2
                    cd lazy/dog # found it!
                    diff /tmp/file1 file2


                    If you do this, then /tmp/file1 will have the same protection
                    as secret/plans/the/quick/brown/fox/file1
                    so that’s another reason to do the recursive chmod today.



                    ONE more thing



                    If the bad guy opened one of your secret files five minutes ago,
                    and keeps it open, they will be able to read it in the future
                    potentially even if you modify it. 
                    The good news is that this is a somewhat tricky attack to execute —
                    the bad guy has to have put some thought into it, before you do the chmod
                    The bad news is that this attack is very difficult to defend against
                    — a recursive chmod won’t help.

                    __________
                    1 and, of course, privileged users / processes



                    P.S. You can shorten your command a little:
                    chmod go= is equivalent to chmod g=,o=
                    (That won’t make the recursive chmod any faster, of course.)






                    share|improve this answer















                    It goes without saying that,
                    if you created a file two days ago (with a publicly readable mode),
                    and somebody read the file yesterday, or made a copy of it,
                    then there’s nothing you can do today to make that file private.



                    xenoid says (somewhat simplistically) that,
                    if you remove group and other permission from your directory (today, now),
                    “anything below it becomes unreachable,
                    and you don't need to make a recursive change.” 
                    I agree that, if you chmod your (top-level) directory appropriately,
                    nobody but yourself1
                    will be able to get into it in the future (i.e., from now on). 
                    But there are some gotchas.



                    Hard links



                    Remember that file you created two days ago? 
                    Suppose that your adversary made a hard link to that file yesterday
                    (instead of copying it).
                    If you chmod only your (top-level) directory,
                    then that file will continue to have the publicly readable permissions
                    you assigned when you created it,
                    and so the bad guy will still be able to read it in the future
                    — (potentially) even if you subsequently modify it. 
                    If you do a recursive chmod,
                    that will secure the permissions on the file,
                    which will affect the link. 
                    The bad guy will still be able to do ls -l on it,
                    so they’ll be able to see when you change it, and how big it is,
                    but they won’t be able to read it again.



                    Working directory



                    Suppose that, under your secret directory,
                    you have a plans directory, and it also it publicly readable. 
                    And suppose that, five minutes ago,
                    the bad guy opened a terminal window and said



                    cd /home/clemisch/secret/plans


                    Now, after you do the chmod on secret,
                    the bad guy’s working directory is still  /home/clemisch/secret/plans,
                    and they can continue to list that directory and access the files there,
                    potentially forever. 
                    Of course, once they cd elsewhere, or close that window,
                    or log out, or the machine is rebooted, then they lose access.



                    If you do a recursive chmod, that will secure the permissions
                    on all the files and all the directories,
                    causing the squatter to lose access immediately.



                    This might not be a very big risk if the machine is a personal computer
                    that is accessed only through the console. 
                    But, if the bad guy might have left a screen or tmux session
                    in the background, then they could use this attack. 
                    And, if the machine supports ssh
                    (or other remote access; maybe even FTP would be enough),
                    this attack can be used.



                    Human error



                    As xenoid pointed out in their answer:
                    If you do a recursive chmod on secret today,
                    and then the day after tomorrow you accidentally
                    chmod (only) the top-level directory back to 755,
                    then you will still be protected by today’s recursive chmod
                    all the files and directories under secret will still be unreadable. 
                    (Of course, if you create a new file in secret tomorrow,
                    and you allow it to be publicly readable, then it will be exposed
                    when you open the permissions on the secret directory. 
                    But that would be true
                    no matter whether today’s chmod was recursive or not.)



                    mazunki made a comment, “I believe cp carries permissions.” 
                    I’m not sure what they meant, but consider this scenario. 
                    You want to do a diff between two files:




                    • secret/plans/the/quick/brown/fox/file1

                    • secret/jumps/over/the/lazy/dog/file2


                    But you aren’t sure exactly where those files are,
                    and you have to poke around to find them. 
                    You might be tempted to do



                    cd plans
                    cd the/quick # looking for file1
                    cd brown/fox # found it!
                    cp file1 /tmp
                    cd ../../../../..
                    cd jumps/over
                    cd the # looking for file2
                    cd lazy/dog # found it!
                    diff /tmp/file1 file2


                    If you do this, then /tmp/file1 will have the same protection
                    as secret/plans/the/quick/brown/fox/file1
                    so that’s another reason to do the recursive chmod today.



                    ONE more thing



                    If the bad guy opened one of your secret files five minutes ago,
                    and keeps it open, they will be able to read it in the future
                    potentially even if you modify it. 
                    The good news is that this is a somewhat tricky attack to execute —
                    the bad guy has to have put some thought into it, before you do the chmod
                    The bad news is that this attack is very difficult to defend against
                    — a recursive chmod won’t help.

                    __________
                    1 and, of course, privileged users / processes



                    P.S. You can shorten your command a little:
                    chmod go= is equivalent to chmod g=,o=
                    (That won’t make the recursive chmod any faster, of course.)







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited 20 hours ago

























                    answered 20 hours ago









                    G-ManG-Man

                    5,913112462




                    5,913112462













                    • Thank you for the detailed answer! I will still keep xenoid's answer "accepted" because it's so concise, but the info about hard links and working directories is very interesting!

                      – clemisch
                      16 hours ago













                    • Hmmm. when you copy a file, you are the owner of the copy... and you can change the flags to your heart's desire.

                      – xenoid
                      15 hours ago






                    • 3





                      The hardlink part is interesting. Would it be possible for someone to guess the inode number and create a hardlink even after the directory rights were changed?

                      – allo
                      11 hours ago











                    • @xenoid: Yes, of course.  I didn’t say “If you copy your file to /Users/Public, you’ll have a problem”, because I would expect that the user wouldn’t copy a file from their secret directory to /Users/Public unless they intended to make it public.  My point is that, when you’re dealing with two things, you sometimes use a third place.  If you have a chair and a table, and you want to swap them (i.e., move them to each other’s locations), you’ll drag one of them into the middle of the room, move the second one to where the first one was, … (Cont’d)

                      – G-Man
                      10 hours ago






                    • 2





                      @allo: Good question. I’m pretty sure that there is no program or system call that lets you create a link just by knowing the inode number.  If a user had full access to the disk (i.e., read/write access to /dev/sda1, or whatever), they could probably create such a link with a hex editor or a filesystem editor (like debugfs).  But that’s moot; anybody who has full read access to the disk can read any file; that’s why that access is typically given only to root (and possibly some other system services).

                      – G-Man
                      10 hours ago



















                    • Thank you for the detailed answer! I will still keep xenoid's answer "accepted" because it's so concise, but the info about hard links and working directories is very interesting!

                      – clemisch
                      16 hours ago













                    • Hmmm. when you copy a file, you are the owner of the copy... and you can change the flags to your heart's desire.

                      – xenoid
                      15 hours ago






                    • 3





                      The hardlink part is interesting. Would it be possible for someone to guess the inode number and create a hardlink even after the directory rights were changed?

                      – allo
                      11 hours ago











                    • @xenoid: Yes, of course.  I didn’t say “If you copy your file to /Users/Public, you’ll have a problem”, because I would expect that the user wouldn’t copy a file from their secret directory to /Users/Public unless they intended to make it public.  My point is that, when you’re dealing with two things, you sometimes use a third place.  If you have a chair and a table, and you want to swap them (i.e., move them to each other’s locations), you’ll drag one of them into the middle of the room, move the second one to where the first one was, … (Cont’d)

                      – G-Man
                      10 hours ago






                    • 2





                      @allo: Good question. I’m pretty sure that there is no program or system call that lets you create a link just by knowing the inode number.  If a user had full access to the disk (i.e., read/write access to /dev/sda1, or whatever), they could probably create such a link with a hex editor or a filesystem editor (like debugfs).  But that’s moot; anybody who has full read access to the disk can read any file; that’s why that access is typically given only to root (and possibly some other system services).

                      – G-Man
                      10 hours ago

















                    Thank you for the detailed answer! I will still keep xenoid's answer "accepted" because it's so concise, but the info about hard links and working directories is very interesting!

                    – clemisch
                    16 hours ago







                    Thank you for the detailed answer! I will still keep xenoid's answer "accepted" because it's so concise, but the info about hard links and working directories is very interesting!

                    – clemisch
                    16 hours ago















                    Hmmm. when you copy a file, you are the owner of the copy... and you can change the flags to your heart's desire.

                    – xenoid
                    15 hours ago





                    Hmmm. when you copy a file, you are the owner of the copy... and you can change the flags to your heart's desire.

                    – xenoid
                    15 hours ago




                    3




                    3





                    The hardlink part is interesting. Would it be possible for someone to guess the inode number and create a hardlink even after the directory rights were changed?

                    – allo
                    11 hours ago





                    The hardlink part is interesting. Would it be possible for someone to guess the inode number and create a hardlink even after the directory rights were changed?

                    – allo
                    11 hours ago













                    @xenoid: Yes, of course.  I didn’t say “If you copy your file to /Users/Public, you’ll have a problem”, because I would expect that the user wouldn’t copy a file from their secret directory to /Users/Public unless they intended to make it public.  My point is that, when you’re dealing with two things, you sometimes use a third place.  If you have a chair and a table, and you want to swap them (i.e., move them to each other’s locations), you’ll drag one of them into the middle of the room, move the second one to where the first one was, … (Cont’d)

                    – G-Man
                    10 hours ago





                    @xenoid: Yes, of course.  I didn’t say “If you copy your file to /Users/Public, you’ll have a problem”, because I would expect that the user wouldn’t copy a file from their secret directory to /Users/Public unless they intended to make it public.  My point is that, when you’re dealing with two things, you sometimes use a third place.  If you have a chair and a table, and you want to swap them (i.e., move them to each other’s locations), you’ll drag one of them into the middle of the room, move the second one to where the first one was, … (Cont’d)

                    – G-Man
                    10 hours ago




                    2




                    2





                    @allo: Good question. I’m pretty sure that there is no program or system call that lets you create a link just by knowing the inode number.  If a user had full access to the disk (i.e., read/write access to /dev/sda1, or whatever), they could probably create such a link with a hex editor or a filesystem editor (like debugfs).  But that’s moot; anybody who has full read access to the disk can read any file; that’s why that access is typically given only to root (and possibly some other system services).

                    – G-Man
                    10 hours ago





                    @allo: Good question. I’m pretty sure that there is no program or system call that lets you create a link just by knowing the inode number.  If a user had full access to the disk (i.e., read/write access to /dev/sda1, or whatever), they could probably create such a link with a hex editor or a filesystem editor (like debugfs).  But that’s moot; anybody who has full read access to the disk can read any file; that’s why that access is typically given only to root (and possibly some other system services).

                    – G-Man
                    10 hours ago











                    -2














                    Recursive chmod affects all subdirectories and folders too, not just the folder itself.



                    .:
                    total 16
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
                    drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b

                    ./a:
                    total 12
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    dr-xr-xr-x 2 root root 4096 april 15 11:46 aa
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b

                    ./a/aa:
                    total 8
                    dr-xr-xr-x 2 root root 4096 april 15 11:46 .
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 ..

                    ./b:
                    total 8
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo chmod -R +w a
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo ls -alR
                    .:
                    total 16
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
                    drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b

                    ./a:
                    total 12
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    --w--w---- 1 mazunki mazunki 0 april 15 11:42 a
                    drwxr-xr-x 2 root root 4096 april 15 11:46 aa
                    --w--w---- 1 mazunki mazunki 0 april 15 11:42 b

                    ./a/aa:
                    total 8
                    drwxr-xr-x 2 root root 4096 april 15 11:46 .
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 ..

                    ./b:
                    total 8
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b


                    If you don't explicitly give access to ., you won't be able to read the contents of the folder.



                     ~:~/test ▶ ls -l
                    total 8
                    drwxr-xr-x 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo chmod +xxx b
                    ~:~/test ▶ cd b
                    ~:~/test/b ▶ ls
                    ls: cannot open directory '.': Permission denied
                    ~:~/test/b ▶ sudo chmod +xxx .
                    ~:~/test/b ▶ ls
                    ls: cannot open directory '.': Permission denied
                    ~:~/test/b ▶ sudo chmod +rrr .
                    ~:~/test/b ▶ ls
                    a b
                    ~:~/test/b ▶


                    Likewise, you won't be able to cd into subdirectories of said folder unless you explicitly +x them.






                    share|improve this answer





















                    • 6





                      I think the OP understands what "recursive" means. What's your answer to the title question? (yes or no?) What about "practical difference"?

                      – Kamil Maciorowski
                      yesterday






                    • 5





                      Sorry, what you wrote may all be true but I don't see how it answers the question. I think the question can be rephrased: after chmod g=,o= secret/, do permissions of objects inside secret/ matter? Well, do they?

                      – Kamil Maciorowski
                      yesterday











                    • Thanks for the answer! I still don't see a difference concerning the secrecy of the folder though. Could it be that you could still cd into a specific subfolder if you knew the path beforehand?

                      – clemisch
                      yesterday











                    • I just tested that and it does not seem to work. Then I really don't see any difference. As -R takes much longer (of course) for many files, I will stick to normal chmod I guess.

                      – clemisch
                      yesterday






                    • 2





                      I agree with @KamilMaciorowski — you don’t seem to be saying anything wrong, but it’s not clear what you are saying. Your example is long and confusing, and you muddy the waters with your use of sudo and directories with mode 0.

                      – Scott
                      22 hours ago
















                    -2














                    Recursive chmod affects all subdirectories and folders too, not just the folder itself.



                    .:
                    total 16
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
                    drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b

                    ./a:
                    total 12
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    dr-xr-xr-x 2 root root 4096 april 15 11:46 aa
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b

                    ./a/aa:
                    total 8
                    dr-xr-xr-x 2 root root 4096 april 15 11:46 .
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 ..

                    ./b:
                    total 8
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo chmod -R +w a
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo ls -alR
                    .:
                    total 16
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
                    drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b

                    ./a:
                    total 12
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    --w--w---- 1 mazunki mazunki 0 april 15 11:42 a
                    drwxr-xr-x 2 root root 4096 april 15 11:46 aa
                    --w--w---- 1 mazunki mazunki 0 april 15 11:42 b

                    ./a/aa:
                    total 8
                    drwxr-xr-x 2 root root 4096 april 15 11:46 .
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 ..

                    ./b:
                    total 8
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b


                    If you don't explicitly give access to ., you won't be able to read the contents of the folder.



                     ~:~/test ▶ ls -l
                    total 8
                    drwxr-xr-x 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo chmod +xxx b
                    ~:~/test ▶ cd b
                    ~:~/test/b ▶ ls
                    ls: cannot open directory '.': Permission denied
                    ~:~/test/b ▶ sudo chmod +xxx .
                    ~:~/test/b ▶ ls
                    ls: cannot open directory '.': Permission denied
                    ~:~/test/b ▶ sudo chmod +rrr .
                    ~:~/test/b ▶ ls
                    a b
                    ~:~/test/b ▶


                    Likewise, you won't be able to cd into subdirectories of said folder unless you explicitly +x them.






                    share|improve this answer





















                    • 6





                      I think the OP understands what "recursive" means. What's your answer to the title question? (yes or no?) What about "practical difference"?

                      – Kamil Maciorowski
                      yesterday






                    • 5





                      Sorry, what you wrote may all be true but I don't see how it answers the question. I think the question can be rephrased: after chmod g=,o= secret/, do permissions of objects inside secret/ matter? Well, do they?

                      – Kamil Maciorowski
                      yesterday











                    • Thanks for the answer! I still don't see a difference concerning the secrecy of the folder though. Could it be that you could still cd into a specific subfolder if you knew the path beforehand?

                      – clemisch
                      yesterday











                    • I just tested that and it does not seem to work. Then I really don't see any difference. As -R takes much longer (of course) for many files, I will stick to normal chmod I guess.

                      – clemisch
                      yesterday






                    • 2





                      I agree with @KamilMaciorowski — you don’t seem to be saying anything wrong, but it’s not clear what you are saying. Your example is long and confusing, and you muddy the waters with your use of sudo and directories with mode 0.

                      – Scott
                      22 hours ago














                    -2












                    -2








                    -2







                    Recursive chmod affects all subdirectories and folders too, not just the folder itself.



                    .:
                    total 16
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
                    drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b

                    ./a:
                    total 12
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    dr-xr-xr-x 2 root root 4096 april 15 11:46 aa
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b

                    ./a/aa:
                    total 8
                    dr-xr-xr-x 2 root root 4096 april 15 11:46 .
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 ..

                    ./b:
                    total 8
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo chmod -R +w a
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo ls -alR
                    .:
                    total 16
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
                    drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b

                    ./a:
                    total 12
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    --w--w---- 1 mazunki mazunki 0 april 15 11:42 a
                    drwxr-xr-x 2 root root 4096 april 15 11:46 aa
                    --w--w---- 1 mazunki mazunki 0 april 15 11:42 b

                    ./a/aa:
                    total 8
                    drwxr-xr-x 2 root root 4096 april 15 11:46 .
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 ..

                    ./b:
                    total 8
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b


                    If you don't explicitly give access to ., you won't be able to read the contents of the folder.



                     ~:~/test ▶ ls -l
                    total 8
                    drwxr-xr-x 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo chmod +xxx b
                    ~:~/test ▶ cd b
                    ~:~/test/b ▶ ls
                    ls: cannot open directory '.': Permission denied
                    ~:~/test/b ▶ sudo chmod +xxx .
                    ~:~/test/b ▶ ls
                    ls: cannot open directory '.': Permission denied
                    ~:~/test/b ▶ sudo chmod +rrr .
                    ~:~/test/b ▶ ls
                    a b
                    ~:~/test/b ▶


                    Likewise, you won't be able to cd into subdirectories of said folder unless you explicitly +x them.






                    share|improve this answer















                    Recursive chmod affects all subdirectories and folders too, not just the folder itself.



                    .:
                    total 16
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
                    drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b

                    ./a:
                    total 12
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    dr-xr-xr-x 2 root root 4096 april 15 11:46 aa
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b

                    ./a/aa:
                    total 8
                    dr-xr-xr-x 2 root root 4096 april 15 11:46 .
                    d--------- 3 mazunki mazunki 4096 april 15 11:46 ..

                    ./b:
                    total 8
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo chmod -R +w a
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo ls -alR
                    .:
                    total 16
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 .
                    drwxr-xr-x 35 mazunki mazunki 4096 april 15 11:42 ..
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b

                    ./a:
                    total 12
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    --w--w---- 1 mazunki mazunki 0 april 15 11:42 a
                    drwxr-xr-x 2 root root 4096 april 15 11:46 aa
                    --w--w---- 1 mazunki mazunki 0 april 15 11:42 b

                    ./a/aa:
                    total 8
                    drwxr-xr-x 2 root root 4096 april 15 11:46 .
                    d-w------- 3 mazunki mazunki 4096 april 15 11:46 ..

                    ./b:
                    total 8
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 .
                    drwxrwxr-x 4 mazunki mazunki 4096 april 15 11:42 ..
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 a
                    -----w---- 1 mazunki mazunki 0 april 15 11:42 b


                    If you don't explicitly give access to ., you won't be able to read the contents of the folder.



                     ~:~/test ▶ ls -l
                    total 8
                    drwxr-xr-x 3 mazunki mazunki 4096 april 15 11:46 a
                    d--------- 2 mazunki mazunki 4096 april 15 11:42 b
                    ~:~/test ▶
                    ~:~/test ▶
                    ~:~/test ▶ sudo chmod +xxx b
                    ~:~/test ▶ cd b
                    ~:~/test/b ▶ ls
                    ls: cannot open directory '.': Permission denied
                    ~:~/test/b ▶ sudo chmod +xxx .
                    ~:~/test/b ▶ ls
                    ls: cannot open directory '.': Permission denied
                    ~:~/test/b ▶ sudo chmod +rrr .
                    ~:~/test/b ▶ ls
                    a b
                    ~:~/test/b ▶


                    Likewise, you won't be able to cd into subdirectories of said folder unless you explicitly +x them.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited yesterday

























                    answered yesterday









                    mazunkimazunki

                    1005




                    1005








                    • 6





                      I think the OP understands what "recursive" means. What's your answer to the title question? (yes or no?) What about "practical difference"?

                      – Kamil Maciorowski
                      yesterday






                    • 5





                      Sorry, what you wrote may all be true but I don't see how it answers the question. I think the question can be rephrased: after chmod g=,o= secret/, do permissions of objects inside secret/ matter? Well, do they?

                      – Kamil Maciorowski
                      yesterday











                    • Thanks for the answer! I still don't see a difference concerning the secrecy of the folder though. Could it be that you could still cd into a specific subfolder if you knew the path beforehand?

                      – clemisch
                      yesterday











                    • I just tested that and it does not seem to work. Then I really don't see any difference. As -R takes much longer (of course) for many files, I will stick to normal chmod I guess.

                      – clemisch
                      yesterday






                    • 2





                      I agree with @KamilMaciorowski — you don’t seem to be saying anything wrong, but it’s not clear what you are saying. Your example is long and confusing, and you muddy the waters with your use of sudo and directories with mode 0.

                      – Scott
                      22 hours ago














                    • 6





                      I think the OP understands what "recursive" means. What's your answer to the title question? (yes or no?) What about "practical difference"?

                      – Kamil Maciorowski
                      yesterday






                    • 5





                      Sorry, what you wrote may all be true but I don't see how it answers the question. I think the question can be rephrased: after chmod g=,o= secret/, do permissions of objects inside secret/ matter? Well, do they?

                      – Kamil Maciorowski
                      yesterday











                    • Thanks for the answer! I still don't see a difference concerning the secrecy of the folder though. Could it be that you could still cd into a specific subfolder if you knew the path beforehand?

                      – clemisch
                      yesterday











                    • I just tested that and it does not seem to work. Then I really don't see any difference. As -R takes much longer (of course) for many files, I will stick to normal chmod I guess.

                      – clemisch
                      yesterday






                    • 2





                      I agree with @KamilMaciorowski — you don’t seem to be saying anything wrong, but it’s not clear what you are saying. Your example is long and confusing, and you muddy the waters with your use of sudo and directories with mode 0.

                      – Scott
                      22 hours ago








                    6




                    6





                    I think the OP understands what "recursive" means. What's your answer to the title question? (yes or no?) What about "practical difference"?

                    – Kamil Maciorowski
                    yesterday





                    I think the OP understands what "recursive" means. What's your answer to the title question? (yes or no?) What about "practical difference"?

                    – Kamil Maciorowski
                    yesterday




                    5




                    5





                    Sorry, what you wrote may all be true but I don't see how it answers the question. I think the question can be rephrased: after chmod g=,o= secret/, do permissions of objects inside secret/ matter? Well, do they?

                    – Kamil Maciorowski
                    yesterday





                    Sorry, what you wrote may all be true but I don't see how it answers the question. I think the question can be rephrased: after chmod g=,o= secret/, do permissions of objects inside secret/ matter? Well, do they?

                    – Kamil Maciorowski
                    yesterday













                    Thanks for the answer! I still don't see a difference concerning the secrecy of the folder though. Could it be that you could still cd into a specific subfolder if you knew the path beforehand?

                    – clemisch
                    yesterday





                    Thanks for the answer! I still don't see a difference concerning the secrecy of the folder though. Could it be that you could still cd into a specific subfolder if you knew the path beforehand?

                    – clemisch
                    yesterday













                    I just tested that and it does not seem to work. Then I really don't see any difference. As -R takes much longer (of course) for many files, I will stick to normal chmod I guess.

                    – clemisch
                    yesterday





                    I just tested that and it does not seem to work. Then I really don't see any difference. As -R takes much longer (of course) for many files, I will stick to normal chmod I guess.

                    – clemisch
                    yesterday




                    2




                    2





                    I agree with @KamilMaciorowski — you don’t seem to be saying anything wrong, but it’s not clear what you are saying. Your example is long and confusing, and you muddy the waters with your use of sudo and directories with mode 0.

                    – Scott
                    22 hours ago





                    I agree with @KamilMaciorowski — you don’t seem to be saying anything wrong, but it’s not clear what you are saying. Your example is long and confusing, and you muddy the waters with your use of sudo and directories with mode 0.

                    – Scott
                    22 hours ago


















                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1425574%2fdo-i-really-need-recursive-chmod-to-restrict-access-to-a-folder%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    數位音樂下載

                    格利澤436b

                    When can things happen in Etherscan, such as the picture below?