Using Directory Permissions
Unlike many other operating systems, UNIX stores the contents of directories in ordinary files. These files are similar to other files, but they are specially marked so that they can only be modified by the operating system.
As with other files, directories have a full complement of security attributes: owner, group, and permission bits. But because directories are interpreted in a special way by the filesystem, the permission bits have special meanings (see Table 5.11).
Contents | Permission | Meaning |
---|---|---|
r | read | You can use the opendir() and readdir() functions (or the ls command) to find out which files are in the directory. |
w | write | You can add, rename, or remove entries in that directory. |
x | execute | You can stat the contents of a directory (e.g., you can determine the owners and the lengths of the files in the directory). You also need execute access to a directory to make that directory your current directory or to open files inside the directory (or in any of the directory's subdirectories). |
If you want to prevent other users from reading the contents of your files, you have two choices:
- You can set the permission of each file to 0600, so only you have read/write access.
- You can put the files in a directory and set the permission of that directory to 0700, which prevents other users from accessing the files in the directory (or in any of the directory's subdirectories) unless there is a link to the file from somewhere else.
Note the following:
- You must have execute access for a directory to make it your current directory (via cd or chdir) or to change to any directory beneath (contained in) that directory.
- If you do not have execute access to a directory, you cannot access the files within that directory, even if you own them.
- If you have execute access to a directory but do not have read access, you cannot list the names of files in the directory (e.g., you cannot read the contents of the directory). However, if you have access to individual files, you can run programs in the directory or open files in it. Some sites use this technique to create secret files - files that users can access only if they know the files' names.
- To unlink a file from a directory, you need only have write and execute access to that directory even if you have no access rights to the file itself.
- If you have read access to a directory but do not have execute access, you will be able to display a short listing of the files in the directory (ls); however, you will not be able to find out anything about the files other than their names and inode numbers (ls -i) because you can't stat the files. Remember that the directory itself only contains name and inode information.
This processing can cause quite a bit of confusion, if you are not expecting it. For example:
```
% ls -ldF conv
dr------ 4 rachel 1024 Jul 6 09:42 conv/
% ls conv
3ps.prn bizcard.ps letterhead.eps retlab.eps
% ls -l conv
conv/3ps.prn not found
conv/retlab.eps not found
conv/letterhead.eps not found
conv/bizcard.ps not found
total 0
%
```
Removing Funny Files
One of the most commonly asked questions by new UNIX users is "How do I delete a file whose name begins with a dash? If I type rm -foo the rm command treats the filename as an option." There are two simple ways to delete such a file. The first is to use a relative pathname:
```
% rm ./-foo
%
```
A second way is to supply an empty option argument, although this does not work under every version of UNIX:
```
% rm - -foo
%
```
If you have a file whose name contains control characters, you can use the rm command with the -i option and an asterisk, which gives you the option of removing each file in the directory - even the ones whose names you can't type.
```
% rm -i *
rm: remove faq.html (y/n)? n
rm: remove foo (y/n)? y
%
```
A great way to discover files with control characters in them is to use the -q option to the UNIX ls command. You can, for example, alias the ls command to be ls -q. Files that have control characters in their filenames will then appear with question marks:
```
% alias ls ls -q
% ls f*
faq.html fmMacros fmdictionary fo?o
faxmenu.sea.hqx fmMacrosLog.backup fmfilesvisited
%
```
Table 5.12 contains some common directory permissions and their uses.
| Octal Number | Directory | Permission |
|---|---|---|
| | / | Anybody can view the contents of the directory, but only the owner or superuser can make changes. |
| | /tmp | Any user can create a file in the directory, but a user cannot delete another user's files. |
| | $HOME | A user can access the contents of his home directory, but nobody else can. |
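
The following audit is an added example, not code from the original text. It applies the directory r/w/x meanings from Table 5.11 and the notes above, plus the /tmp behaviour in Table 5.12 (the sticky bit, mode 1000), to the "other" permission bits of every directory in a tree. The function names, finding labels, and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def other_access(mode):
    """Return findings for users who are neither the owner nor in the group."""
    r = bool(mode & stat.S_IROTH)
    w = bool(mode & stat.S_IWOTH)
    x = bool(mode & stat.S_IXOTH)
    sticky = bool(mode & stat.S_ISVTX)
    findings = []
    if r and not x:
        findings.append("names-only")         # ls works, ls -l cannot stat entries
    if x and not r:
        findings.append("unlisted-names")     # open by known name, no listing
    if w and x:
        # write + execute lets a user add, rename, or remove any entry,
        # unless the sticky bit restricts removal to the entry's owner
        findings.append("shared-sticky" if sticky else "anyone-can-unlink")
    if w and not x:
        findings.append("write-ineffective")  # write needs execute to change entries
    return findings

def audit(root):
    """Map each directory under root (inclusive) to (octal mode, findings)."""
    report = {}
    for path, _dirs, _files in os.walk(root):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        report[os.path.relpath(path, root)] = (format(mode, "04o"), other_access(mode))
    return report

def build_sample_tree():
    """Constructed sample tree; directory names and modes are illustrative only."""
    root = tempfile.mkdtemp(prefix="dirperm-")
    for name, mode in [("home", 0o700), ("pub", 0o755), ("tmp", 0o1777),
                       ("drop", 0o777), ("secret", 0o711), ("names", 0o744)]:
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return root

if __name__ == "__main__":
    for rel, (octal, findings) in sorted(audit(build_sample_tree()).items()):
        print(f"{octal}  {rel:8} {', '.join(findings) or 'ok'}")
```

The "anyone-can-unlink" finding is the one to act on first: in such a directory any user can remove or replace another user's files regardless of the files' own permissions.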