Preventing directory browsing

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Preventing directory browsing

Post by alex.barylski »

I have my home directory which I am directed to when I login...

/home/hockey
hockey is the owner and the group
home is owned by root and the group root as well

I removed the X permissions on 'home' except for root and when I logged back in to 'hockey' I couldn't get anywhere inside my home directory. I thought that setting/removing X (except for root) on 'home' would simply prevent me from travelling outside of 'hockey' but instead I can't view the files in my own directory. LOL

How do I set the permissions so that once I login and see my 'hockey' files I cannot travel back outside of my directory, only forward such as into directories I create, etc???

EDIT | Looking at the directories in my default Debian distro...I'm actually sort of surprised that as 'hockey' I am capable of browsing the directory listings, albeit not capable of opening most files (as they are root). Would it not make sense to make those files only browsable by 'root' as an extra layer of security?
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: Preventing directory browsing

Post by ghurtado »

I am not aware of any combination of permissions that would disallow doing "cd .." As far as I know, it is always possible to change to the parent directory.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Preventing directory browsing

Post by alex.barylski »

Why then when I try to view the files in my directory...I get a "listings error"??? Unless I set the X permissions?
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: Preventing directory browsing

Post by ghurtado »

Where do you get that error, in bash?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Preventing directory browsing

Post by VladSun »

http://netsecurity.about.com/od/quickti ... ixfile.htm
Hockey wrote:How do I set the permissions so that once I login and see my 'hockey' files I cannot travel back outside of my directory, only forward such as into directories I create, etc???
Google for "jail" and "chroot" :)
Hockey wrote:EDIT | Looking at the directories in my default Debian distro...I'm actually sort of surprised that as 'hockey' I am capable of browsing the directory listings, albeit not capable of opening most files (as they are root). Would it not make sense to make those files only browsable by 'root' as an extra layer of security?
It's a "security" through obscurity.
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Preventing directory browsing

Post by alex.barylski »

It's a "security" through obscurity.
I agree but any additional layer of security is that much better. For ages I was of the mindset that security was important but not *that* important.

Then I wrote my blog on software standards and got thinking. If security is analogous to airline safety...then as a passenger I would want the files of no interest to Joe Blow to be hidden, just as an extra precaution.

When an airplane takes off -- I'd take comfort in knowing the pilots did a double check before departure.

I figure if I'm going to be pedantic about security I might as well be crazy about it. :P
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Preventing directory browsing

Post by VladSun »

A lot of non root "uid-ed" processes would require access to files owned by root in directories owned by root. So they must be world readable.
At the same time you can't list or access the /root directory if you are not root.
There are 10 types of people in this world, those who understand binary and those who don't
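The directory permission behaviour discussed in this thread, as an added example that is not part of any poster's reply: it checks the search (x) bit on every directory from / down to a target and the read (r) bit on the target, and reports the first directory that blocks traversal. The uid/gid 1000 standing in for 'hockey' and the directory table are constructed sample data, and only classic owner/group/other mode bits are modelled (no ACLs or capabilities).

```python
import os
import posixpath
import stat
from types import SimpleNamespace

def allowed(st, uid, gids, other_bit):
    """Classic mode-bit check; other_bit is stat.S_IROTH or stat.S_IXOTH."""
    if uid == 0:
        return True                                  # root bypasses directory mode bits
    if uid == st.st_uid:
        return bool(st.st_mode & (other_bit << 6))   # owner class only
    if st.st_gid in gids:
        return bool(st.st_mode & (other_bit << 3))   # group class only
    return bool(st.st_mode & other_bit)              # everyone else

def audit(target, uid, gids, stat_fn=os.stat):
    """Return (reachable, listable, blocker) for an absolute directory path.

    reachable: search (x) is granted on every directory from / to target.
    listable:  reachable and read (r) is granted on target itself.
    blocker:   first directory that denies search, else None.
    """
    cur = "/"
    for part in [""] + [p for p in posixpath.normpath(target).split("/") if p]:
        cur = posixpath.join(cur, part)
        if not allowed(stat_fn(cur), uid, gids, stat.S_IXOTH):
            return (False, False, cur)
    return (True, allowed(stat_fn(cur), uid, gids, stat.S_IROTH), None)

def constructed_fs(home_mode):
    """Constructed sample layout (not real data); /home gets the mode under test."""
    table = {"/": (0, 0, 0o755), "/home": (0, 0, home_mode),
             "/home/hockey": (1000, 1000, 0o700), "/root": (0, 0, 0o700)}
    def stat_fn(path):
        uid, gid, mode = table[path]
        return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=stat.S_IFDIR | mode)
    return stat_fn

if __name__ == "__main__":
    for mode in (0o750, 0o755, 0o711):   # x removed / default / traverse-only
        fs = constructed_fs(mode)
        print(oct(mode), "hockey ->", audit("/home/hockey", 1000, {1000}, fs),
              "| /home ->", audit("/home", 1000, {1000}, fs))
```

With /home at 0750 the user is blocked at /home before ever reaching their own directory; at 0711 they can reach /home/hockey but cannot list /home itself. Called without `stat_fn`, `audit` reads the real filesystem via `os.stat`.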
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Preventing directory browsing

Post by alex.barylski »

Wouldn't it just make sense to setuid on the processes or even make the files/directories accessible by root AND whoever instead of making them globally accessible? Actually that last part makes no sense...every application/daemon would need to add its UID to the list...
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Re: Preventing directory browsing

Post by Jenk »

Tbh, daft idea.