Practical UNIX & Internet Security

Chapter 5: The UNIX Filesystem
 

5.4 Using Directory Permissions

Unlike many other operating systems, UNIX stores the contents of directories in ordinary files. These files are similar to other files, but they are specially marked so that they can only be modified by the operating system.

As with other files, directories have a full complement of security attributes: owner, group, and permission bits. But because directories are interpreted in a special way by the filesystem, the permission bits have special meanings (see Table 5.11).

Table 5.11: Permissions for Directories

| Contents | Permission | Meaning |
|----------|------------|---------|
| r | read | You can use the opendir() and readdir() functions (or the ls command) to find out which files are in the directory. |
| w | write | You can add, rename, or remove entries in that directory. |
| x | execute | You can stat the contents of a directory (e.g., you can determine the owners and the lengths of the files in the directory). You also need execute access to a directory to make that directory your current directory or to open files inside the directory (or in any of the directory's subdirectories). |

If you want to prevent other users from reading the contents of your files, you have two choices:

  1. You can set the permission of each file to 0600, so only you have read/write access.

  2. You can put the files in a directory and set the permission of that directory to 0700, which prevents other users from accessing the files in the directory (or in any of the directory's subdirectories) unless there is a link to the file from somewhere else.
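As an added illustration of option 2 and its hard-link caveat (this is not code from the book), the Python sketch below checks whether a file can be read by users in the "other" class through a given path name. It looks only at the "other" permission bits, ignores ACLs and the superuser, and builds its own sample tree; every directory and file name in it is constructed for the example.

```python
import os
import stat
import tempfile

def blocking_dirs(path, root):
    """Directories from root down to path's parent that lack o+x (search)."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    if os.path.commonpath([path, root]) != root:
        raise ValueError("path is not under root")
    blocked, cur = [], os.path.dirname(path)
    while True:
        if not os.stat(cur).st_mode & stat.S_IXOTH:
            blocked.append(cur)
        if cur == root:
            return blocked
        cur = os.path.dirname(cur)

def others_can_read(path, root):
    """True if the 'other' class can open path for reading via this name."""
    readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    return readable and not blocking_dirs(path, root)

def has_other_names(path):
    """A link count above 1 means the file is reachable by another name."""
    return os.stat(path).st_nlink > 1

def build_demo():
    """Constructed sample tree; all names here are made up for the example."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    private = os.path.join(root, "private")
    sub = os.path.join(private, "sub")
    os.makedirs(sub)
    os.chmod(private, 0o700)   # option 2 from the text
    os.chmod(sub, 0o755)       # permissive subdirectory under the 0700 one
    secret = os.path.join(sub, "secret.txt")
    with open(secret, "w") as f:
        f.write("constructed sample data\n")
    os.chmod(secret, 0o644)    # the file itself is world-readable
    return root, secret

if __name__ == "__main__":
    root, secret = build_demo()
    print("via private/sub:", others_can_read(secret, root))
    alias = os.path.join(root, "alias.txt")
    os.link(secret, alias)     # a second name outside the 0700 directory
    print("via alias:", others_can_read(alias, root), has_other_names(secret))
```

The 0700 directory blocks the 0644 file even though its immediate parent is 0755, while the hard link outside that directory exposes the same file again; a link count above 1 is the signal to look for such a second name.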

Note the following:

Table 5.12 contains some common directory permissions and their uses.

Table 5.12: Common Directory Permissions

| Octal Number | Directory | Permission |
|--------------|-----------|------------|
| 0755 | / | Anybody can view the contents of the directory, but only the owner or superuser can make changes. |
| 1777 | /tmp | Any user can create a file in the directory, but a user cannot delete another user's files. |
| 0700 | $HOME | A user can access the contents of his home directory, but nobody else can. |

