I was recently asked to explain the difference between setting permissions on a directory to either 755 or 751.
In 751 mode, a user who isn’t the owner and isn’t in the group assigned to that directory can still execute anything within that directory, provided they know the name of the executable file. They are unable to browse the contents of that directory to find the name. Therefore, 751 is inherently more secure than 755.
The funky, geeky bit
For reference, each number of 7 5 1 is an octal representation of the number of permission bits set on the file/folder. There are 3 bits per field.
Taking the 7, from 751, this means all bits are set to 1. This is how it works (think of it like a lookup table):
meaning: r w x (read, write, execute)
bit value: 4 2 1 (< - this is the octal lookup bit)
bit set to: 1 1 1 == 4 + 2 + 1 == 7.
If you take the value 5, then this is how that’s set in the bit fields:
bit set to: 1 0 1 == 4 + 0 + 1 == 5.
Remember, there are three fields! So each field – the “owner”, “group” and “others” fields – contains the sum of permission bits set for that field. The “751” is actually a nice, easy way to see permissions. The actual permissions set in a 751 situation are, in binary “nibbles”, 0111, 0101 and 0001.
Demo – try it yourself!
As root, set up a test dir in /tmp/ called test, with 751 perms. Then create a file within that called hello.sh which simply outputs “hello” on the command line when executed. To achieve that, simply do this (as root, remember):
# mkdir /tmp/test# touch /tmp/test/hello.sh# chmod +x /tmp/test/hello.sh
Then edit /tmp/test/hello.sh and put these two lines in:
#!/bin/shecho Hello
/tmp/test is owned by root (rwx / 7) , has the root group (r-x / 5) and the "world" just has execute (--x / 1). When using your own user account, trying to do a # ls /tmp/test - should tell you that permission was denied.
However, you should be able to do # /tmp/test/hello.sh which outputs "Hello" as expected.
If you bump that world permission to r-x / 5, you would be able to see that file because ls has the necessary permission to read the directory contents.
