LinuxQuestions.org
Old 07-01-2012, 09:40 AM   #1
emanresu
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 76

Rep: Reputation: 15
question on higher-level directory permission settings


If I want to share a directory with some other user who does not share any group with me, do all directories above it have to have o+rx?

For example, if I want to share /home/my/trade-secret/publisized/declassifed.txt with all other users, it appears the directory trade-secret must also have o+rw permission set, or otherwise, even if publisized/ has 777, users won't be able to access it.

But a more important question is: if I want to protect stuff from a certain directory and downwards, e.g.

/home/my/grandmas_recipes

is it good enough (and safe enough) to set permission o-rwx on the directory grandma_recipes/, so that I don't have to recursively set the permission on all subdirectories?

I know this is a very newbie question, but strangely enough, I never knew the exact answers. Thanks!
 
Old 07-01-2012, 11:36 AM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
Perhaps an example may be of use.

I have a directory named /spares -- the name is not relevant, it could be anything. The permission mask for this directory is
Code:
drwxrwxr-x  25 root  users    4096 Feb 14 12:55 spares/
That's 775. Root owns it, any member of the users group can write in that directory, and any other user can read from that directory.

The entire directory looks like this:
Code:
ls -al /spares
total 164
drwxrwxr-x 25 root  users  4096 Feb 14 12:55 ./
drwxr-xr-x 24 root  root   4096 Jul  1 09:32 ../
drwxr-xr-x  2 root  root   4096 Jun 23  2008 AdvLinProg/
drwxr-xr-x  2 trona users  4096 Nov 26  2005 Album/
drwxr-xr-x  5 trona users  4096 Jun  4 19:38 Collections/
drwxr-xr-x  2 trona users  4096 Oct  2  2006 Dighton/
drwxr-xr-x  2 trona users  4096 Nov 26  2005 ThomasRonan/
drwxr-xr-x  3 trona users  4096 Sep 26  2011 backup/
drwxr-xr-x  2 trona users 12288 Jun 25  2011 book/
drwxr-xr-x  2 root  root   4096 Nov 26  2005 canhwy/
drwxr-xr-x  2 trona users  4096 Nov 26  2005 cottage/
drwxr-xr-x  2 root  root   4096 Dec  2  2007 county/
drwxr-xr-x 80 root  root   4096 May  3  2011 etc/
dr-xr-xr-x  2 root  root  12288 Dec  3  2007 gnis/
drwxr-xr-x  2 root  root   4096 Jan 15  2010 grid/
drwx------  2 root  root  16384 Mar 13  2011 lost+found/
drwxr-xr-x  2 root  root   4096 Nov 26  2005 mexhwy/
drwxr-xr-x  3 trona users 20480 Jun 29 09:58 movies/
drwxr-xr-x  2 trona users 12288 Feb  8 10:00 patches-13.0/
drwxr-xr-x 13 trona users  4096 Apr  5  2011 photo/
drwxr-xr-x  2 root  root  16384 Jun 24  2006 srtm30/
dr-xr-xr-x  2 root  root   4096 Dec 19  2009 topo/
drwxr-xr-x  2 root  root   4096 Dec  1  2007 usanhpn/
drwxr-xr-x  2 root  root   4096 Jan 13  2010 wdb/
drwxr-xr-x  6 root  root   4096 Sep  2  2011 www/
Almost all the directories have read-write for owner, read for group, read for public. The "special" directories are lost+found (the /spares directory is a mounted file system, mounted to a partition, and lost+found is automatically created, at least by ext4 file systems) and gnis, which contains geographic information, lots of it, and it doesn't need write for any user, including root, just because I want it that way to protect the content from accidental overwrite (no big deal).

The owner, trona, just happens to be me, so I can write in those directories; the permission mask for those directories is a good default of 755.

Why is 755 a good default? It means read-write for owner, read for group, read for public; i.e., nobody can write in it but me but everybody else can read the content.

If I wanted to keep public from reading, I'd use a mask of 750.

If I wanted to keep the group and the public from reading, I'd use a mask of 700.

So, if you wanted to keep everybody but you out of grandma_recipes, you'd do
Code:
chmod 700 grandma_recipes
If you wanted to let the group (say, users) read but not write, you'd do
Code:
chmod 750 grandma_recipes
And if you wanted to let anybody in the group or public read but not write
Code:
chmod 755 grandma_recipes
The numbers are a little easier to remember than the batches of characters, methinks; others will not agree, without doubt.

Now, that's directories. Files are a different story.

You make a file executable with
Code:
chmod 755 file_name
You own it, you can write, group can read, public can read with
Code:
chmod 644 file_name
You own it, you can write, group can write, public can read with
Code:
chmod 660 file_name
You own it, anybody can write
Code:
chmod 666 file_name
That's called Attila the Hun permissions, ravage and pillage.

And, last but not least, you own it and everybody can read only
Code:
chmod 444 file_name
In both cases -- directory and file -- the first digit is owner, the second is group and the third is public.

When you initially create a directory or file, the system-wide umask value sets the permission mask; a pretty standard, widely-used value for umask is displayed with
Code:
umask
0022
Read the manual page for more information about umask (particularly how to determine the value 0022).

That sets newly-created directories to 755 and files to 644, and is a pretty good default for all files and directories you may create. After creating something you can restrict or add permissions as described above, but, generally, a value of 0022 is just about right in most cases.

Hope this helps some.

Last edited by tronayne; 07-01-2012 at 11:41 AM. Reason: Typo, typo, typo!
 
Old 07-01-2012, 11:43 AM   #3
towheedm
Member
 
Registered: Sep 2011
Location: Trinidad & Tobago
Distribution: Debian Stretch
Posts: 612

Rep: Reputation: 125
These might also help you:
http://mywiki.wooledge.org/Permissions
http://www.grymoire.com/Unix/Permissions.html
 
Old 07-01-2012, 02:48 PM   #4
emanresu
Member
 
Registered: Apr 2004
Distribution: Gentoo
Posts: 76

Original Poster
Rep: Reputation: 15
Thank you so much for the long and detailed explanation on file and directory permissions, tronayne. Likewise, I also find the numbers easier to remember than characters in most cases, except when I want to do a batch job of enabling and/or disabling certain permissions but the existing permissions are different on the dirs and files; then the ugoa+/-rwx form is much better, since it preserves the existing permissions.

So take the grandma's recipe case as an example again. Say my grandma has a chicken noodle soup recipe worth a million dollars, which resides in the directory:

/home/my/grandmas_recipes/chicken_noodle_soup/ingredients.txt

and chicken_noodle_soup/ has permission 755 by default, as does the file ingredients.txt.

If I set grandmas_recipes/ to 700, without setting chicken_noodle_soup/ to 700 (so it remains 755), will others be able to read the ingredients.txt file and steal the recipe?
 
Old 07-01-2012, 03:03 PM   #5
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065
Quote:
Originally Posted by emanresu View Post
if I set grandmas_recipes/ to 700, without setting chicken_noodle_soup/ to 700 (so it remains in 755), will others be able to read the ingredients.txt file and steal the recipe?
Nope.

But, to keep it even simpler, setting all the directories to 755 (the default when created) and setting ingredients.txt to 400 (or 600) will accomplish what you want. At 600, the owner (I'm assuming you) will be able to read and write and nobody else will be able to access it; they'll be able to see the file name but will get
Code:
cat ingredients.txt
cat: ingredients.txt: Permission denied
if they try to do anything with it.

Hope this helps some.
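The traversal rule behind posts #2 and #5 (every directory on the way to a file needs the x bit for the class in question, so a 700 on grandmas_recipes shuts others out no matter what the 755 below it says) as an added shell example, not from the thread: it reads modes from ls -ld, so it needs no second user account or root to demonstrate the effect; the function and directory names are mine, and the tree it builds is a constructed sample.

```shell
# Added example (not from the thread): walk a path the way the kernel does and
# report the first component that stops class u, g or o from reading a file.
# Every directory needs x (search); the file needs r. Checks modes only, via ls.

# mode_of PATH -> 10-char mode field from ls -ld, e.g. drwxr-x---
mode_of() { ls -ld "$1" | cut -c1-10; }

# bit_set MODESTR CLASS BIT -> true if CLASS (u|g|o) has BIT (r|w|x) set;
# s/t in the x slot count as executable, S/T (setuid/sticky without x) do not
bit_set() {
    case $2 in u) off=2 ;; g) off=5 ;; o) off=8 ;; *) return 1 ;; esac
    case $3 in r) pos=$off ;; w) pos=$((off + 1)) ;; x) pos=$((off + 2)) ;; *) return 1 ;; esac
    c=$(printf '%s' "$1" | cut -c"$pos")
    case "$3$c" in rr|ww|xx|xs|xt) return 0 ;; *) return 1 ;; esac
}

# can_read_as CLASS ROOT RELPATH -> prints "ok" or the blocking component;
# exit status 0 only when CLASS can read ROOT/RELPATH (ROOT itself is checked too)
can_read_as() {
    class=$1; cur=$2; rel=$3
    bit_set "$(mode_of "$cur")" "$class" x || { echo "blocked at $cur (no x)"; return 1; }
    oldifs=$IFS; IFS=/; set -- $rel; IFS=$oldifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ -d "$cur" ]; then     # directory on the way: need search permission
            bit_set "$(mode_of "$cur")" "$class" x || { echo "blocked at $cur (no x)"; return 1; }
        else                       # the file itself: need read permission
            bit_set "$(mode_of "$cur")" "$class" r || { echo "blocked at $cur (no r)"; return 1; }
        fi
    done
    echo ok
}

# build_tree BASE: the thread's layout as a constructed sample; grandmas_recipes
# is closed with 700 while chicken_noodle_soup stays 755 and the file 644
build_tree() {
    mkdir -p "$1/grandmas_recipes/chicken_noodle_soup"
    echo "1 chicken, noodles, broth" > "$1/grandmas_recipes/chicken_noodle_soup/ingredients.txt"
    chmod 755 "$1" "$1/grandmas_recipes/chicken_noodle_soup"
    chmod 644 "$1/grandmas_recipes/chicken_noodle_soup/ingredients.txt"
    chmod 700 "$1/grandmas_recipes"
}

base=$(mktemp -d) && build_tree "$base"
rel=grandmas_recipes/chicken_noodle_soup/ingredients.txt
can_read_as u "$base" "$rel"          # owner: ok
can_read_as o "$base" "$rel" || true  # others: blocked at .../grandmas_recipes (no x)
rm -rf "$base"
```

Opening grandmas_recipes back up to 755 makes the same walk report ok, and tightening only ingredients.txt to 600 moves the block to the file itself, which is the simpler alternative post #5 suggests.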