Recipe 7.3 Prohibiting Directory Listings

7.3.1 Problem

You want to prohibit directory listings for a particular directory, yet still permit the files within to be accessed by name.

7.3.2 Solution

Use a directory that has read permission disabled, but execute permission enabled:

$ mkdir dir
$ chmod 0111 dir
$ ls -ld dir
d--x--x--x    2 smith   smith     4096 Apr  2 22:04 dir/
$ ls dir
/bin/ls: dir: Permission denied

$ echo hello world > dir/secretfile
$ cd dir
$ cat secretfile
hello world

More practically, to permit only yourself to list a directory owned by you:

$ chmod 0711 dir
$ ls -ld dir
drwx--x--x    2 smith   smith     4096 Apr  2 22:04 dir/

7.3.3 Discussion

A directory's read permission controls whether it can be listed (e.g., via ls), and the execute permission controls whether it can be entered (e.g., via cd). Of course the superuser can still access your directory any way she likes.

This technique is useful for web sites. If your web pages are contained in a readable, non-listable directory, then they can be retrieved directly by their URLs (as you would want), but other files in the containing directory cannot be discovered via HTTP. This is one way to prevent web robots from crawling a directory.

FTP servers also use non-listable directories as private rendezvous points. Users can transfer files to and from such directories, but third parties cannot eavesdrop as long as they cannot guess the filenames. The directories need to be writable for users to create files, and you might want to restrict deletions or renaming via the sticky bit. [Recipe 7.2]

7.3.4 See Also


    Chapter 9. Testing and Monitoring