UNIX Power Tools

Chapter 22
File Security, Ownership, and Sharing

22.12 A Directory that People Can Access but Can't List

Do you need to let someone use a file of yours, but you don't want everyone on the system to be able to snoop around in the directory? You can give execute permission, but not read permission, to a directory. Then, if a file in the directory is itself accessible, another user can use that file by typing its exact filename. ls will say the directory is "unreadable," and wildcards won't work because the shell can't read the directory to expand them.

Here's an example. Let's say that your home directory has rwxr-xr-x permissions (everyone can access and list files in it). Your username is hanna. You have a subdirectory named project; you set its permissions so that everyone else on the system has execute-only permission.

    hanna% pwd
    /home/hanna
    hanna% chmod 711 project
    hanna% ls -ld project project/myplan
    drwx--x--x  2    hanna     512  Jul 26 12:14 project
    -rw-r--r--  1    hanna    9284  Jul 27 17:34 project/myplan

Now you tell the other user, toria, the exact name of your file, myplan. Like everyone else on the system, she can access your project directory. She can't list it because she doesn't have read permission. Because she knows the exact filename, and because the file itself is readable, she can read the file (anyone else could read the file, too, if they knew its exact name):

    toria% cd /home/hanna/project
    toria% pwd
    pwd: can't read .
    toria% ls
    ls: . unreadable
    toria% more myplan
       ...File appears...
    toria% ln myplan /home/toria/project.hanna/plan

(We're using the "real" pwd command that reads the filesystem to find your current directory. That's why it complains that it can't read "." (the current directory). If you're using the shell's shortcut pwd, you probably won't get the error shown above. Article 14.4 has details.)

In the example above, toria made a hard link (18.5) to the myplan file, with a different name, in her own project.hanna directory. (She could have copied, printed, or used any other command that reads the file.) Now, if you (hanna) want to, you can deny everyone's permission to your project directory. toria still has her link to the file, though. She can read it any time she wants to, follow the changes you make to it, and so on:

    toria% cd
    toria% ls -ld project.hanna project.hanna/plan
    drwx------  2    toria     512  Jul 27 16:43 project.hanna
    -rw-r--r--  2    hanna    9284  Jul 27 17:34 project.hanna/plan
    toria% more project.hanna/plan
       ...File appears...

toria has protected her project.hanna directory so that other users can't find her link to hanna's file.

NOTE: If hanna denies permission to her directory, toria can still read the file through her hard link. If toria had made a symbolic link, though, she wouldn't be able to access the file any more. That's because a hard link is a second name for the same i-number (1.22, 18.2), while a symbolic link only stores the pathname, which must be looked up through the now-inaccessible directory.
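The behaviour described above, reproduced as an added example (not code from the book): it builds hanna's tree in a scratch directory from mktemp, shows that the directory can't be listed but a file in it can be read by exact name, and checks which of toria's links survives once hanna revokes access. Because one account plays both users, the owner's own read bit is dropped (mode 311) to observe what others see under the book's 711; the file names follow the article and the link-count check is my addition.

```shell
# Added example, not the book's own code. Requires a non-root account:
# root bypasses directory permissions and sees everything.
set -e

# Build hanna's tree: project/ (mode 711) holding a world-readable file.
setup_tree() {
    work=$(mktemp -d)
    mkdir "$work/project" "$work/toria"
    printf 'my plan\n' > "$work/project/myplan"
    chmod 644 "$work/project/myplan"
    chmod 711 "$work/project"
    printf '%s\n' "$work"
}

# "ok" if the command succeeds on the path, "denied" otherwise.
try() { if "$1" "$2" >/dev/null 2>&1; then echo ok; else echo denied; fi; }

# What a user without read permission sees: listing fails, but the file is
# still readable by its exact name. Drops the owner's read bit temporarily
# so a single account can observe it.
outsider_view() {
    chmod u-r "$1"
    lst=$(try ls "$1"); rd=$(try cat "$1/myplan")
    chmod u+r "$1"
    printf 'list=%s read=%s\n' "$lst" "$rd"
}

# Defender's check before revoking access: a file that already has a
# second name (link count > 1) stays readable through it afterwards.
multilinked_files() { find "$1" -type f -links +1; }

# toria keeps a hard link and a symlink; hanna then denies all access.
# The hard link survives, the symlink does not: prints "hard=ok sym=denied".
revoke_and_check() {
    ln    "$1/project/myplan" "$1/toria/plan.hard"
    ln -s "$1/project/myplan" "$1/toria/plan.sym"
    chmod 000 "$1/project"
    printf 'hard=%s sym=%s\n' "$(try cat "$1/toria/plan.hard")" \
                              "$(try cat "$1/toria/plan.sym")"
    chmod 711 "$1/project"        # restore so the tree can be removed
}

w=$(setup_tree)
outsider_view "$w/project"        # list=denied read=ok
multilinked_files "$w/project"    # nothing yet: myplan has one name
revoke_and_check "$w"             # hard=ok sym=denied
multilinked_files "$w/project"    # .../project/myplan now has two names
rm -rf "$w"
```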

You might also want to give other users permission to list and access the files in a directory, but not make the directory open to all users. One way to do this is to put a fully accessible directory with an unusual name inside an unreadable directory. Users who know the exact name of the fully accessible directory can cd to it; other users can't find it without its name:

    hanna% chmod 711 project
    hanna% chmod 777 project/pLaN
    hanna% ls -ld project project/pLaN
    drwx--x--x  3    hanna     512  Jul 27 17:36 project
    drwxrwxrwx  2    hanna     512  Jul 27 17:37 project/pLaN

Users who type cd /home/hanna/project/pLaN can list the directory's contents with ls. With the permissions you've set, other users can also create, delete, and rename files inside the pLaN directory, though you could have used more restrictive permissions like drwxr-xr-x instead.

This setup can still be a little confusing. For instance, as article 14.4 explains, the pwd command won't work for users in the pLaN directory because pwd can't read the project directory. Variables like $cwd (14.13) and $PWD (6.3) will probably have the absolute pathname. If another user gets lost in a restricted directory like this, the best thing to do is cd to the home directory and start again.

- JP
