0

As I understand it, denying a user the reading permission on a directory should prevent them from listing its content. Giving them the execute permission allows them to access its content, but only if they use a path to something that exists.

What prevents a user with said permissions from blindly attempting to access various paths inside such a directory, to get a list of what's in it anyway? If they can do that, is there really a point in e.g. setting 711 permissions on a home folder to protect its content while allowing access to things like SSH keys? (I've read people advise this.)

Hey
  • 681

3 Answers

2

Yes, you can brute force such a directory.

Unix was originally created in a very co-operative environment, so a set of permissions that said don't browse here would have been respected.

If the users of your machine don't have that sort of culture then (assuming you can't change your users) don't create directories with execute permissions if you want to keep the contents secret. Likewise don't make files readable rather than hoping people will not be able to guess the name.

Of course, to brute force a big directory with very long filenames will take a long time. Each component can be 254 characters long, chosen from a set of 254 characters (can't be \0 or /, but any other 8 bit pattern is OK), so about $10^{610}$ possible filenames. There are roughly $10^{80}$ atoms in the known universe.

icarus
  • 17,920
1

> If they can do that, is there really a point in e.g setting 711 permissions on a home folder to protect its content while allowing access to things like SSH keys? (I've read people advise this.)

Then either (a) they were misguided, or (b) you have probably comprehended only part of the advice.

OpenSSH (at least) requires that SSH keys have restricted permissions:

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/muru/.ssh/id_ed25519' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/muru/.ssh/id_ed25519": bad permissions
```

It won't even use a key which is readable by others.

711 on the home directory is fine — as long as you do remove read permissions to group/others from truly private files (SSH private keys and GPG private keys definitely, maybe also items like shell history files, known_hosts, etc. which reveal information about your activity).

muru
  • 72,889
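
An added example, not part of the answer above: a Python audit that walks a directory such as a 711 home and reports what the "other" permission class could still read by path or list outright, which is the check the answer says to do by hand. It assumes the root itself is reachable and looks only at the "other" mode bits (no ACLs, no group membership); the sample tree in `demo()` is constructed for illustration.

```python
import os
import stat
import tempfile

def exposed_to_others(root):
    """List what the 'other' permission class can read or list under root.

    Assumes root itself is reachable; ACLs and group bits are not considered.
    """
    findings = []
    if not os.lstat(root).st_mode & stat.S_IXOTH:
        return findings              # others cannot traverse root at all
    stack = [root]
    while stack:
        current = stack.pop()
        for entry in os.scandir(current):
            mode = entry.stat(follow_symlinks=False).st_mode
            rel = os.path.relpath(entry.path, root)
            if stat.S_ISDIR(mode):
                if mode & stat.S_IROTH:
                    findings.append((rel, "directory can be listed"))
                if mode & stat.S_IXOTH:
                    stack.append(entry.path)   # names below are reachable
            elif stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings.append((rel, "file readable by path"))
    return sorted(findings)

def demo():
    """Build a constructed sample home directory (mode 0711) and audit it."""
    with tempfile.TemporaryDirectory() as home:
        layout = [  # (relative path, mode, is_directory) - constructed sample
            (".ssh", 0o700, True),
            (".ssh/id_ed25519", 0o644, False),   # shielded: .ssh lacks o+x
            (".bash_history", 0o644, False),     # exposed if name is guessed
            ("notes.txt", 0o600, False),         # private: no o+r
            ("public_html", 0o755, True),
            ("public_html/index.html", 0o644, False),
        ]
        for rel, mode, is_dir in layout:
            path = os.path.join(home, rel)
            if is_dir:
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)               # set explicitly, ignoring umask
        os.chmod(home, 0o711)
        return exposed_to_others(home)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Anything it reports as a readable file needs `chmod o-r` (or `go-r`) if it is meant to stay private, regardless of how hard the name is to guess.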
0

Good luck doing that. For even shortish filenames (10 characters) that are readable (letters and digits only) you already have $36^{10} = 3.16 \times 10^{15}$ possible names to check...

vonbrand
  • 18,253