PERMISSIONS 1
 
     There are some considerations about unix that many new users are
not aware of.  Coupled with the obscure nature of unix commands, this
can cause troubles.
 
     Unix sorts the people who may get at the files on your account
into three levels of access, all of them users of the same machine.
Users on other machines in general don't have any access at all.
 
     These three levels of access are,
 
     1) User   (that's you).
     2) Group  (that's you and a group that you can assign)
     3) Others (that's everyone else on the machine)
 
     There are three KINDS of access that a file may have,
 
     1.) Read          (r - means person can read it.)
     2.) Write         (w - means person can write to it, i.e. change
                        or empty its contents.  Erasing the file itself
                        is governed by the directory, see below.)
     3.) Execute/Enter (x - means person can run or enter it.)
 
     Thus users, groups and others can be assigned various
combinations of read, write and execute access to your files.
 
     BY DEFAULT SOME UNIX SYSTEMS ALLOW READ AND WRITE ACCESS TO
EVERYONE!
 
     Some systems only allow read write access to the owner, but they
allow read access to everyone.

     The default permissions depend on the system you are using and
what your system administrator has set for system wide defaults.
 
     Some files, like mail files, are by default more protected, but
in general anyone wandering around in your directories may be able to
find unprotected files.  Typical examples are .letter and .article,
the scratch files that get created with the default protections when
you send private mail or post news.
 
     Further, files that you simply create yourself with your editor
are created with the default protections, as are files you download,
upload or ftp to your account.
 
     First thing you should do is check the protections that currently
exist on your files.  This is done using the following command.
 
     ls -al   (list all files in long format, like DOS DIR command)
 
     This will produce an output similar to the following.
 
drwx--x--x 20 homer        1536 Sep 30 01:53 .
drwx--x--x190 root         3584 Jul 20 11:04 ..
-rw-------  1 homer        6665 Sep 26 23:16 .addressbook
-rw-------  1 homer        1526 Sep 26 03:02 .alias
-rw-r-----  1 homer         449 Sep 28 12:32 .article
-rw-------  1 homer          77 Sep 30 01:50 .cshrc
-rw-------  1 homer        3882 Oct 13  1993 .emacs
-rw-------  1 homer         956 Sep 26 09:02 .login
-rw-------  1 homer        9637 May 29 00:30 .mailrc
-rw-------  1 homer      121278 Sep 30 01:42 .newsrc
-rw-------  1 homer      121230 Sep 30 01:41 .oldnewsrc
-rw----r--  1 homer         406 Sep  2 02:05 .plan
drwxr-x---  3 homer         512 Sep 29 09:47 News
-rw-r--r--  1 homer           0 Sep 30 01:53 junk.script
drwxr-x---  2 homer        1024 Sep 30 01:52 mail
-rw-------  1 homer        1612 Sep 30 01:52 posting.safe
 
     The left hand column are your protections, and we will go into
them in detail in a minute.  The right hand column are the file or
directory names.
 
drwx--x--x  20 homer        1536 Sep 30 01:53 .
drwx--x--x 190 root         3584 Jul 20 11:04 ..
 
     Notice that the first line has a file name of '.', which refers to
the present directory whatever it is, and the second has '..', which
refers to the next directory out (the parent directory).  Very similar
to DOS.
 
     Now the first thing you need to do is take a look at the first
two lines of output.
 
drwx--x--x  20 homer        1536 Sep 30 01:53 .
drwx--x--x 190 root         3584 Jul 20 11:04 ..
 
     This says that the present directory '.' is owned by homer, and the
next directory out is owned by root, which is the system.  This happens
to be a listing of my main directory so of course the next directory out
is the system's, but if I had done this listing from inside my mail
directory, then the next directory out would be THIS directory and so of
course would also be owned by homer.
 
     Now the protections.
 
drwx--x--x  20 homer        1536 Sep 30 01:53 .
 
    The protections are split into 4 fields.
 
     d  rwx  --x  --x
         u    g    o
 
     It's important to be able to visually parse them, or they won't
make any sense to you.  The first 'd' means this is a directory rather
than a regular file or a symbolic link to a directory or a file.  If it
had been a link it would have been an 'l', and for a regular file it's
just a dash '-'.
 
     The next three characters (rwx) are the user protections.  This
means that the user, you, can read (list out the contents of) the
directory, write to the directory (create new files in the directory)
and enter the directory with the cd command (x means enter for
directories, rather than execute.)
 
     NOTICE THAT BEING ABLE TO READ A DIRECTORY DOES NOT MEAN BEING ABLE
TO READ ANY OF THE FILES IN THE DIRECTORY AS THEY HAVE THEIR OWN
INDIVIDUAL PROTECTIONS.  It does mean however that someone with read
access to your directory can LIST the directory using ls and find out
what your files are named, even if they can't read the files
themselves.  (To get the long format of ls -al they also need the x
bit on the directory, because the sizes, dates and protections of the
entries are not kept in the directory file itself; with r alone they
get the names and little else.)

     Remember that a directory is essentially a file itself, a special
file that lists all the normal files in that directory.  The directory
permissions then apply to that special directory file only and not to
any of the files listed in the directory.
 
     Thus having read permission on a directory means you can read the
special directory file, namely see the directory listing.  It does NOT
mean you can read any file listed in the directory.

     Having write permission on a directory means you can change the
special directory file, mainly by adding new files to it.  It does not
mean you can write to any file already in the directory.  It DOES
however let you erase or rename the entries in it, whatever the
protections on the files themselves say, because erasing a file is a
change to the directory and not to the file.  (Directories with the
'sticky' bit set, such as /tmp on most systems, are the exception:
there you can only erase your own files.)
 
     Showing it again...
 
     drwx--x--x  20 homer        1536 Sep 30 01:53 .
 
     d  rwx  --x  --x
         u    g    o
 
     The next three characters (--x) are the group protections.  You can
assign others on your machine to be part of your 'work group'.  This
allows many people in a group to access directories and files, but not
necessarily write them or erase them.  The --x means in this case that
my group can enter the directory.  If I had wanted them to be
able to list the directory too, I would have used r-x.
 
     Notice if you can enter but not list a directory, you won't be
able to know what is in the directory unless you already do, in which
case you can read, write, or execute those files according to THEIR
permissions.

     d  rwx  --x  --x
         u    g    o
 
     Clearly the next three characters (--x) are the protections for
everyone else on the system (others), and here they are the same as for
the group.  This might seem a problem, that just anyone can enter my
directories, and perhaps it is, but it is actually necessary for
various unix functions of sociability to work properly, such as the
.plan file discussed below.
 
     In general your home directory should have permissions as set out
here, and will by default in most cases.
 
     Your home directory should look like this:
 
drwx--x--x  20 homer        1536 Sep 30 01:53 .

     This gives entrance permissions to everyone, but they can't list
your directory contents nor add files to it.
 
     Now let's take a look at two different files in my directory.
 
-rw-r-----  1 homer         449 Sep 28 12:32 .article
-rw-r--r--  1 homer           0 Sep 30 01:53 junk.script
 
     These parse to
 
     -  rw-  r--  ---    .article
     -  rw-  r--  r--    junk.script
         u    g    o
 
     The first dash in the line means simply that both are files and not
directories nor links to files or directories.
 
     The rw- means I have read and write access to both files.  Neither
is executable, so there is no need for the 'x' permission.
 
     The second group of r-- means that my group has read only
permission, but not write or execute permission.  So they can read
them but not change, erase or run them.
 
     -  rw-  r--  ---    .article
     -  rw-  r--  r--    junk.script
 
     The third group however is very interesting.  The first one for
.article (---) means others have no permission at all on that file.
This is secure.
 
     However on junk.script the r-- means others have READ permission!
Now I created junk.script just for this posting, to prove that indeed
the default protections are as I say they are, and there is the proof.
 
     This is system dependent.  You can check your system out by
using the following:

     echo "hello there" > junk.script
     ls -al junk.script

     Those of you who are new to unix, if you do an ls -al | more on
your home directory, you will notice a number of files that allow read
access to others in this way, and this is the security breach that we
want to fix in this posting.
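     To find the entries that grant anything to others without parsing
the columns by eye, here is an added example script.  It is mine, not
part of the original posting.  It reads ls -al style lines; the SAMPLE
listing is constructed from the lines quoted above, and the function
names parse_mode, others_can and audit_listing are my own.

```sh
#!/bin/sh
# Added example: split the 10-character mode field into type/u/g/o and
# flag regular files that grant read or write to "others".
# SAMPLE is constructed from the listing quoted in this posting.
SAMPLE='drwx--x--x 20 homer        1536 Sep 30 01:53 .
-rw-------  1 homer        6665 Sep 26 23:16 .addressbook
-rw-r-----  1 homer         449 Sep 28 12:32 .article
-rw----r--  1 homer         406 Sep  2 02:05 .plan
drwxr-x---  3 homer         512 Sep 29 09:47 News
-rw-r--r--  1 homer           0 Sep 30 01:53 junk.script'

# parse_mode MODESTRING -> "type u=rwx g=--x o=--x"
parse_mode() {
    m=$1
    case $(printf '%s' "$m" | cut -c1) in
        d) t=dir ;;
        l) t=link ;;
        -) t=file ;;
        *) t=other ;;
    esac
    printf '%s u=%s g=%s o=%s\n' "$t" \
        "$(printf '%s' "$m" | cut -c2-4)" \
        "$(printf '%s' "$m" | cut -c5-7)" \
        "$(printf '%s' "$m" | cut -c8-10)"
}

# others_can MODESTRING r|w|x -> exit 0 if "others" (chars 8-10) have that bit
others_can() {
    o=$(printf '%s' "$1" | cut -c8-10)
    case $2 in
        r) case $o in r??) return 0 ;; esac ;;
        w) case $o in ?w?) return 0 ;; esac ;;
        x) case $o in ??x) return 0 ;; esac ;;
    esac
    return 1
}

# audit_listing LISTING -> one line per regular file readable or writable
# by others. Directories are skipped: for them o=--x is the intended layout.
audit_listing() {
    printf '%s\n' "$1" |
    while read -r mode links owner size mon day time name; do
        case $mode in -*) ;; *) continue ;; esac
        if others_can "$mode" r || others_can "$mode" w; then
            printf '%s %s\n' "$mode" "$name"
        fi
    done
}

# Stand-alone run: report the loose files in the sample listing.
audit_listing "$SAMPLE"
```

     Feed it the real thing with audit_listing "$(ls -al)"; the two
hits in the sample are .plan and junk.script, which is exactly what the
text above found by eye.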
 
     There are two steps to fixing this security breach.
 
     1.) Change the defaults so that new files you create grant
nothing to anyone but yourself.
 
     2.) Fix the files that have already been created with the wrong
security protections.
 
     The first change is simple.  Most of you are using csh as your main
shell.  You need to edit your .cshrc file (notice the period) and add
one line to the top of the file.  (If your shell is sh or ksh instead,
the same line goes in .profile.)
 
     You do this by typing,
 
     pico .cshrc (spell it right!)
 
     Then add
 
     umask 066
 
     as the first line of the file, maybe after all the #'s comments.

     Then sign off and on again, and check your results by using
the 'umask' command.  It should say 66 (other shells print the same
value as 066 or 0066).
 
     The umask command is more confusing than it needs to be (I don't
think even the people who wrote it understand it), but what it does is
simple enough: its three octal digits are the permission bits to TAKE
AWAY from everything you create, one digit each for user, group and
others.  A new file starts out as rw-rw-rw- (666) and a new directory
as rwxrwxrwx (777); umask 066 strips rw from group and others, so files
come out as rw- --- --- and directories as rwx --x --x, which is exactly
the layout recommended above.  You get read/write, and everyone else
gets squat.  The reason you don't want your group to get read
permission is that EVERYONE BELONGS TO THE SAME GROUP at first!  This
group is usually named 'users' or 'other'.
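     As an added example (not from the original posting), the following
script shows what umask actually does by creating a file and a
directory under several masks in a scratch directory and reading the
modes back with ls; mode_of and mode_after_umask are names I chose.

```sh
#!/bin/sh
# Added example: files start from 666 and directories from 777; the
# umask digits are the bits removed from each. Runs in a scratch
# directory that it creates and removes itself.

# mode_of PATH -> the 10-character mode field from ls -ld
mode_of() { ls -ld "$1" | cut -c1-10; }

# mode_after_umask UMASK file|dir -> mode string of a new file or
# directory created under that umask (set in a subshell, so the caller's
# own umask is untouched)
mode_after_umask() {
    scratch=$(mktemp -d) || return 1
    if [ "$2" = dir ]; then
        ( umask "$1"; mkdir "$scratch/newdir" ) && mode_of "$scratch/newdir"
    else
        ( umask "$1"; : > "$scratch/newfile" ) && mode_of "$scratch/newfile"
    fi
    rm -rf "$scratch"
}

# Stand-alone run: the two loose defaults the text warns about, then
# the umask 066 recommended above, then the fully closed 077.
for mask in 022 002 066 077; do
    printf 'umask %s: file %s  dir %s\n' "$mask" \
        "$(mode_after_umask "$mask" file)" "$(mode_after_umask "$mask" dir)"
done
```

     umask 077 also closes the x on directories, which is tighter than
the posting's drwx--x--x and breaks things like finger reading your
.plan; 066 is the one that matches the layout described here.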

     You can find out what groups you belong to using the 'groups'
command, and you can find out what group your files are grouped under
with the "ls -alg" command (on many systems plain ls -al already shows
the group column; the g is needed on older BSD-style systems like the
one the listing above came from).  It will usually be 'users' or
'other'.  (Don't confuse this group named 'other' with the 'others'
permissions we have been talking about, which are the permission
restraints on everyone else in the world.)

     If your group is named OTHER, then the group permissions pertain
to everyone in the OTHER group, and only to them.
 
     The 'others' permissions apply to everyone who is neither the
owner of the file nor a member of the file's group.
 
     Few if any unix systems create a group called 'other' any more,
it's too confusing, so you probably don't have to worry about this
unless YOU create an OTHER group and explicitly put users in it!  So
don't.

     Once you learn enough to have a special closed group created for a
limited number of people (creating groups is the system administrator's
job), you can set your files' group to that group only and enable read
or write permissions on those files for that group.  Until then leave
your file group permissions closed (---) and your directory group
permissions at entrance only (--x), and leave yourself in the group
called USERS.
 
     When you get more advanced you can have a group created with the
same name as your username with only you in it; then the group
permissions don't matter because they only apply to you anyhow.

     Now fixing the other files that have already been miscreated is
more difficult, even dangerous.  I remember locking myself out of my
own home directory the first time I played around with this.
 
     The safest way is to do each one individually by hand.  I would
simply erase .article, .letter and dead.*, and the next time they are
created they will have the proper protections because of the new
umask 066.  But any other files will have to be changed by hand if they
are important to you, like your .addressbook etc.
 
     One can change an individual file with,
 
     chmod o-rwx file.name
 
     This means change the mode of file.name for others (o) by taking
away (-) read, write and execute, that is, all permissions.  To close
the group as well, which is what umask 066 does for new files, use
chmod go-rwx file.name.
 
     Remember your directories should look like,
 
     d rwx --x --x
 
     but files should look like
 
     - rw- --- ---
 
     Those of you who are adventurous and have LOTS of files with the
wrong protections can do a global change, but I can't guarantee that
there won't be strange aftermaths because this affects directories
inside your main directory too.  It shouldn't matter, except if your
system needs some kind of special 'others' protection for your inner
directories.
 
     chmod o-rwx *            Remember this is for mad men
     chmod o-rwx .*           only.!
     chmod o+x   .
 
     The first command takes away rwx for others on all files AND
DIRECTORIES except files and directories starting with a period like
.article.
 
     The second command does the same for the .* files, but ALSO does
it to '.', which is your present directory, and on most shells to '..',
which is the directory above it.  From your home directory '..' belongs
to root, so that part is simply refused; but if you run this inside one
of your own subdirectories, '..' is YOUR directory and it gets closed
too.  Run it from your home directory only, and check '..' afterwards.
 
     The third command gives x (entrance) back to your home directory,
or whatever directory you are in, so it matches the drwx--x--x layout
above.  Don't use o+rx here: that would let everyone list your files
again.
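     A safer way to do the same global change, as an added example that
is my script and not the recipe above: it skips '.' and '..' by name,
leaves symbolic links alone (chmod would follow them to whatever they
point at), strips others from every file and leaves every directory,
the one you started in included, entrance-only.  The names fix_others,
mode_of and demo and the scratch layout in demo are my own.

```sh
#!/bin/sh
# Added example: close "others" access on everything already in DIR,
# dotfiles included, without the '..' and o+rx traps of the bare chmod
# recipe. Group permissions are left exactly as they were.

# mode_of PATH -> the 10-character mode field from ls -ld
mode_of() { ls -ld "$1" | cut -c1-10; }

# fix_others DIR -> files in DIR get o-rwx, directories in DIR get o=x,
# and DIR itself ends up o=x as well. '.' and '..' are never touched
# through the glob, so the parent directory is left alone.
fix_others() {
    dir=$1
    for entry in "$dir"/* "$dir"/.*; do
        case $entry in
            "$dir"/.|"$dir"/..) continue ;;
        esac
        if [ -L "$entry" ]; then continue; fi     # leave symbolic links alone
        if [ ! -e "$entry" ]; then continue; fi   # unmatched glob left as literal '*'
        if [ -d "$entry" ]; then
            chmod o=x "$entry"      # directory: enter only, no listing, no creating
        else
            chmod o-rwx "$entry"    # file: nothing at all for others
        fi
    done
    chmod o=x "$dir"                # the directory itself: drwx?--x, not o+rx
}

# demo -> builds a constructed scratch "home" with names from the listing
# above, loose modes on purpose, runs fix_others and reports the result.
demo() {
    home=$(mktemp -d) || return 1
    chmod 755 "$home"
    : > "$home/junk.script";  chmod 644 "$home/junk.script"
    : > "$home/.article";     chmod 640 "$home/.article"
    mkdir "$home/News";       chmod 755 "$home/News"
    fix_others "$home"
    printf '%s %s\n' "$(mode_of "$home/junk.script")" junk.script \
                     "$(mode_of "$home/.article")"    .article \
                     "$(mode_of "$home/News")"        News \
                     "$(mode_of "$home")"             .
    rm -rf "$home"
}

demo
```

     Run fix_others "$HOME" to apply it for real.  If you also want the
group closed as the posting recommends, change the two chmod lines to
go-rwx and go=x; the shape of the loop stays the same.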
 
     OK coming up is your .plan file.
 
     Homer