acl/directory security question

devzero@xxxxxx · Mon, 20 Jul 2015 16:20:30 +0200

hi, 

please forgive if this is a little bit offtopic here or sounds dumb...

i`d like to implement a file-sharing solution for an internal lan and 
consider sharing a directory via different protocols/daemons and place 
"secret" subdirs inside.

let`s say, i chmod the parent directory to 711 (rwx--x--x), any non-root
user get`s "permission denied" when trying to list the subdir`s contents. 
anyway, he will be able to access the contents of a secret subdir if 
that subdir is at leaast readable for him and he knows the subir`s name.
(examples see below)

can such a method of hiding subdirs and creating names which cannot be 
guessed considered to be a safe method, or is there some way to bypass
this sort of protection ? (despite software/kernel bugs, brute-force or 
admin error like setting wrong acl)

is there some "list the content`s of the first, second, third dir" or
"list directory contents by inode"-syscall ?

as nobody of the linux people i asked could answer this barely sufficient 
to me, i`d like to ask some people who really may know about... (as you`re
into acl, vfs, syscalls and that stuff)

thanks
roland

root@linux:/daten# ls -al
total 100856
drwxr-xr-x   7 root root      4096 Jul 17 13:55 .
drwxr-xr-x  23 root root      4096 Jul 30  2014 ..
drwx------   2 root root      4096 Feb  2 16:53 lost+found
drwx--x--x   4 root root      4096 Jul 17 12:35 sharedir

root@linux:/daten# ls -la sharedir/
total 20
drwx--x--x  4 root root 4096 Jul 17 12:35 .
drwxr-xr-x  7 root root 4096 Jul 17 13:55 ..
drwxrwxrwx 11 root root 4096 Jul 20 12:28 DUrXd3PgdGgj5th9

root@linux:/daten# su - roland

roland@linux:~$ cd /daten/
roland@linux:/daten$ ls -la sharedir
ls: cannot open directory sharedir: Permission denied

roland@linux:/daten$ ls -la sharedir/*
ls: cannot access sharedir/*: No such file or directory

roland@linux:/daten/sharedir$ find .
.
find: `.': Permission denied

roland@linux:/daten/sharedir$ tree --inodes -f -F
. [error opening dir]

0 directories, 0 files

roland@linux:/daten$ ls -la sharedir/DUrXd3PgdGgj5th9
total 48
drwxrwxrwx 11 root     root     4096 Jul 20 12:28 .
drwx--x--x  4 root     root     4096 Jul 17 12:35 ..
drwxr-xr-x  2 public   public   4096 Jul 17 14:16 .DAV
drwx------  2 public   public   4096 Jul 20 12:15 New Folder
-rwxrwxrwx  1 public   public      0 Jul 17 14:18 test

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html