PERMISSIONS 2
 
     I received a rather frantic letter today about unix directory
permissions.  Apparently some people are finding their default
permissions to be set in such a way that might let others on your
machine read all your mail.
 
     Although this is possible, it is unlikely, as most accounts come
with a default .cshrc that sets the permissions correctly; but if this
is omitted then it is quite possible that your data and files are wide
open to world read and write permissions!
 
     Directory and file permissions are probably one of the most
bizarre, confusing and misunderstood elements of lizzard think (unix),
so the general response of new users to this stuff is to be in apathy
about them, and so of course they tend to live with the defaults that
their system gives them, which may not be all that sane.
 
     This posting threatens to be rather long and complicated, so for
those of you who wish a quick and dirty answer to securing your
accounts, the following is for you.
 
     QUICK AND DIRTY SECURITY
 
     Edit your .cshrc file; this is your C-shell start up file and it
should contain a statement that says umask 026 or some such thing.  If
it says something other than umask 026 or doesn't have any umask
statement in it at all, then you may be at risk and you need to add such
a statement to it.
 
     For tightest possible permissions, use umask 006.

     The umask command will return simply 6.

     That will fix all NEW directory and file creation, it will not fix
everything that has already been created.  However the most important
directory that needs to be corrected is your home directory, as with
that shut out, no one can see the rest of your stuff.
 
     Your home directory is usually the directory you are in when you
first log on.
 
     Get to your home directory using cd ~ (that's a tilde).  Make sure
you are in your home directory by using pwd (print working directory),
it should say something like /u5/homer or whatever your account name is.
The u5 will change from person to person.

     On many systems, your home directory would be /home/homer.
 
     Execute the following command,
 
     ls -ld .  (notice the spaces and period)
 
     ls is the list file command, -l means print out the long form and
-d means list the directory itself rather than its contents, and the .
refers to your present directory which should be your home directory.
 
     If it says something like
 
     d rwx --- ---  or
     d rwx --x --x
 
     then you are ok.
 
     If it says something like,
 
     d rwx rwx rwx  or
     d rwx r-x r-x
 
     then you are in danger.
 
     In any case you can secure your system quickly by entering,
 
     chmod go-rw .    (notice the spaces and period)
     chmod go+x  .    (notice the spaces and period)
 
     This will produce,
 
     d rwx --x --x
 
     which you can check with ls -ld . like before.
 
     SECURING THE REST OF YOUR DIRECTORIES.

     Do the following.
 
     ls -al > dir.data
 
     This will put your directory listing into dir.data.  Then download
it to your pc and print it out and use it for reference.
 
     All your directories should look like,
 
     d rwx --- ---  (umask 077, most secure)  or
     d rwx --x --x  (umask 066, if you have active .plan file)
 
     The first group of 3 refer to your own personal permissions as
user, the second set of three refer to the permissions of your group
which you probably should not have enabled, and the last set of three
refer to the rest of the world.
 
     Once your home directories and inner directories are secured using
the above procedure it doesn't matter quite so much what the permissions
on your files are inside those directories because no one can list them
out to see their names.  However they might be able to guess the name of
a file, and if that file has group or world read permissions on it, then
they can read it anyhow.

     However changing the permissions on all your files is tricky
especially if you have lots and lots that need to be reset.

     For this reason, we are not going to go into how to do this
in this quick and dirty section, but will talk about it more
later in this paper.

     Anyhow, for your peace of mind your files should look like,
 
     - rw- --- ---  or
     - rwx --- ---  (means file is an executable)
 
     Make sure you use the ls -al command on all your directories,
especially your mail directories to find out what's going on there.
If you have questions, you can write me privately or send me the
dir.data files that you create and I will look at it for you.
 
     Remember some of you have 'Mail' as your mail directory and
others have 'mail' as the directory.  Check both if you are not sure.

     SUMMARY

     To sum up directories should look like:

     d rwx --x --x

     files should look like
 
     - rw- --- ---  or
     - rwx --- ---

     Your .plan file should look like:

     - rw- r-- r--
 
     You can check the permissions on directories or files by using

     ls -al filename
     ls -ald directoryname

     You can change the permissions of either by using

     chmod og-rwx filename (get rid of rwx on that file)
 
     chmod og-rw  directoryname (get rid of rw permission)
     chmod og+x   directoryname (add entrance permissions)
 
     The rest of this is only for lizzards.
 
     DIRECTORY AND FILE PERMISSIONS
 
     Both files and directories have read (r), write (w) and execute (x)
permissions attached to them.  Since files are INSIDE directories, the
permissions on the directory act as a cap to all the files in that
directory.
 
     To make things more complex the meaning of rwx for directories is
not exactly the same as for files, so here is where it gets a little
complicated.
 
     Read (r) permission for a directory means you can LIST what is in
the directory, you can read the DIRECTORY, it does not mean you can
read what's in the FILES in the directory.
 
     Execute (x) permission for a directory means you can enter the
directory with the cd command, and it means you can do what ever you
wish with the files THAT ALREADY EXIST IN THE DIRECTORY, but only
according to the permissions that are on the files themselves which we
will get to.  x permissions ALONE on a directory does not give you the
ability to erase files, nor to create new files, nor to create or
remove directories within the directory.  These actions involve having
write permission to that directory so you can change the directory
special file itself.

     YOU CAN HOWEVER DESTROY A FILE THAT IS ALREADY IN A DIRECTORY BY
WRITING TO IT IF THAT FILE ALSO HAS WRITE PERMISSIONS ENABLED FOR
ITSELF.  This does not write or change the directory!  (See below)
 
     Write (w) permission for a directory allows you to erase and
create files and directories inside of that directory whether or not
they already exist.  Write permission only works if you ALSO HAVE x
or entrance permissions.
 
     Just remember that r and w directory permissions allow you to
read and write the DIRECTORY and have nothing to do with reading or
writing to the files themselves within the directory!
 
     One reads a directory by listing it with the ls or dir command.
One writes to a directory by creating or erasing files.  Writing to a
file that already exists IS NOT WRITING TO THE DIRECTORY so can be
enabled with a write permission on the file itself even if you don't
have permission to write to the directory!
 
     Thus without write permission to the directory you can not erase
the file, which would erase it from the directory, but you may be able
to still write trash to the file effectively destroying its contents,
if the file itself has write permissions on it for the same class of
beings that have entrance permissions to the directory (user, group,
others.)
 
     This is why, since most directories have entrance permissions for
everyone, even if they don't have read or write permissions, it is never
a good idea to give everyone write access to the files in those
directories.  They can't be erased which changes (w) the directory, but
they can be overwritten which only changes the file.
 
     Confused?  Good.  The fun has just begun.
 
     Now files themselves have r, w and x permissions.
 
     Let's recap.
 
     r permissions for a directory mean you can list the directory.
 
     x permissions for a directory mean you can enter a directory and
do with the files there what the files say you can do, including read
them, write to them and execute them.  Of course if you don't have r
permission you can't list for the file names so it's hard to know
what's there, but if you do know what's there, you have full access to
them on a read, write, execute basis if the files give that to you.
 
     w permissions for a directory mean you can create and erase files
and more directories inside that directory.  But w permissions only
hold if you ALSO have x permission to enter the directory in the first
place.
 
     Having r permissions ONLY on a directory means you can list the
contents of the directory, get the file NAMES, but not any other
information about the file nor the contents of the file.  You can not
create nor erase files (w directory permission) nor can you read,
write to the files, or execute them (x directory permission).
 
     Having w permission ONLY on a directory gives you nothing.
 
     Having x permissions only on a directory allows you to enter, and
do with pre existing files anything they say you can do with their own
permissions.  This includes read them, write to them, OVERWRITE THEM!,
or execute them.  You can't list the directory to find out the names
of what's there, (r directory permissions) and you can't create or
erase files or directories (w directory permissions).
 
     (Thus it is clear that if you are going to give --x or r-x access
to your directories, the file permissions themselves must be set
correctly in order to protect them from being read, written to,
or executed.)
 
     Having r and x permissions on your directory allows you list the
files in the directory plus do what the files say you can do with
them.  This is the usual mode for sharing files with others or your
group.  You give them read (r) access to the directory so they can see
what is there using the ls or dir commands, and you give them entrance
(x) to the directory so they can do what they can with the files.
Remember the files THEMSELVES say what can be done with them.

     Having r and w permissions on your directory allows you to list
the directory but since you don't have x permission, the w permission
gives you nothing.  You also can not read from, write to or execute
any files in the directory.  Nor can you create or erase files in the
directory because w gives you nothing without x.

     Here is a summary table to clarify things a bit.

     Directory permissions:      --- r-- -w- --x rw- r-x -wx rwx

     List directory               N   Y   N   N   Y   Y   N   Y
     Create files                 N   N   N   N   N   N   Y   Y
     Erase files                  N   N   N   N   N   N   Y   Y
     Overwrite files              N   N   N   Y!  N   Y!  Y   Y
     File permissions active.     N   N   N  rwx  N  rwx rwx  rwx

     FILE PERMISSIONS
 
     Now let's talk about permissions for files.  These too are read
(r), write (w) and execute (x), but their meanings are a little
different.
 
     File permissions ONLY come into play once you have given someone
entrance (x) to the directory.  Without that, the following is moot.
 
     Read (r) permission for a file means you can print it out, or
look at it with an editor, or even copy it to your own directory etc.
 
     Write (w) permission for a file means you can change it, alter
it, add to it, or overwrite it.  You can NOT erase it unless you also
have write (w) permission on the directory, but as long as you have
entrance (x) permissions on the directory, you can as good as erase
the file by overwriting it with nothing.  It will still exist in the
directory as a name, but it will have 0 bytes in it!
 
    (One does this with echo "" > filename.)

     Execute permissions (x) for a file means it is a shell script, or
machine code module which can be run like a program.  Most of your
text files and mail files don't need execute permission.
 
     So directory x permission means ENTRANCE, and file x permission
means EXECUTE.
 
     EXAMPLES
 
     OK, now let's give some concrete examples to get some mass on
this mess.
 
     Permissions are usually stated as three characters in a row, like
rwx, or r-x, or --x, or ---.  If the letter is there it means that
permission is on, if it's a dash then it's off.
 
     There are 3 complete sets of permissions on each directory or
file, one for the user, that's you, one for your group, and one for
the whole rest of the world.  We will talk only about the user
permissions for the moment to simplify things, but it applies to all
three.
 
     DIRECTORIES AND FILES
 
     There are permissions for directories which hold files and
permissions for the files in the directory.
 
     Take a look at the following:
 
     EXAMPLE 1:
 
     dir  rwx
     file rwx
 
     In this example the person can list (r) the directory, enter (x)
the directory, and THEREFORE write (w) new files and directories to
the directory. Since he can enter the directory, he can also read
(r) the file, write (w) to the file, and execute (x) it (if it's
executable).
 
     EXAMPLE 2:
 
     dir  r-x
     file rw-
 
     This means he can list (r) the directory, and enter (x) it, but
he can not create (-) new files or directories, nor even erase old
files or directories.  SINCE he can enter the directory he can read
(r) the file, and write (w) to it, but not execute (-) it.  Since the
file can be written to, it can be destroyed by anyone who has this
entrance permission to the directory, and so this is a very dangerous
permission for anyone to have except for the user.
 
     EXAMPLE 3:
 
     dir  r-x
     file r--
 
     In this case the directory can be listed (r) and entered (x) and
the file can be read (r) but not written to nor executed.  This is
very safe and is in fact what most people use to share files with
others, like archive files at rahul.
 
     EXAMPLE 4:
 
     dir  ---
     file ---
 
     Since the person has no directory permissions at all, it
doesn't matter what the file permissions are because he can't get at it.
This is the super secure permissions you would set for others to
lock absolutely everyone out of your account.
 
 
     EXAMPLE 5:
 
     dir  --x
     file ---
 
     This is an interesting one, and will be taken up in greater
detail later when we get to the serious security concerns with mail.
Although at first glance it looks like lousy security because the
person has entrance (x) permission to the directory, it in fact is
very secure because the file forbids him from doing anything with it.
He can't read, write, overwrite, or execute the file, and he can't
even LIST it to find out it is there, because he doesn't have read (r)
access on the directory!   Even if he guesses what the file name
is he can't do anything with it.

     HE CAN HOWEVER LIST THE FILE IF HE KNOWS ITS NAME USING
THE LS COMMAND SO HE CAN VERIFY THAT THE FILE IS THERE.
 
     In other words 'ls -al dirname' will get him nothing,
but 'ls -al dirname/filename' will get him a directory listing
for that file only.

     Feature or Bug?  I don't know.
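     To see Example 5 happen rather than take it on faith, here is an
added demonstration (my own script, not part of the original posting).
It builds a directory whose owner bits are --x holding one file with ---
permissions, then probes it three ways.  It uses the owner's own bits,
because those are the ones that apply to whoever runs the script; a
second account would see exactly the same thing through the group or
others bits.  The directory and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the posting: what --x on a directory does and
# does not allow.  Paths are constructed for the demonstration.

# Build a directory with owner bits --x (mode 100) holding one file
# whose permissions are --- (mode 000).
make_dark_room() {
    mkdir -p "$1"
    : > "$1/secret"
    chmod 000 "$1/secret"
    chmod 100 "$1"
}

# Probe a known file name inside the --x directory:
#   list  - listing the directory needs r on the directory
#   stat  - 'ls -ld dir/secret' needs only x on the directory
#   read  - reading needs x on the directory AND r on the file
# Prints e.g. "list=denied stat=ok read=denied".  (root bypasses these
# checks and will see ok for all three.)
probe_dark_room() {
    dir=$1
    if ls "$dir" >/dev/null 2>&1;             then l=ok; else l=denied; fi
    if ls -ld "$dir/secret" >/dev/null 2>&1; then s=ok; else s=denied; fi
    if cat "$dir/secret" >/dev/null 2>&1;    then r=ok; else r=denied; fi
    printf 'list=%s stat=%s read=%s\n' "$l" "$s" "$r"
}

# Give the owner rwx back so the demo directory can be removed again.
cleanup_dark_room() {
    chmod 700 "$1"
    rm -rf "$1"
}
```

     Run as an ordinary user, make_dark_room followed by probe_dark_room
prints list=denied stat=ok read=denied: the name can be confirmed, the
contents cannot be listed or read.  That is the "dark room" the posting
describes, and it is only as dark as the permissions on the files inside.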

     USERS, GROUPS and OTHERS
 
     Now here we go into the next level of complexity on this lizzard
think.  People are categorized into three broad categories.
 
     The USER is you.  There is a set of permissions just for the USER.
As the user you usually will have the following permissions:
 
     dir  rwx
     file rw-  (or rwx if the file is executable)
 
     That gives you total control over your own directories and your
files.
 
     GROUPS are those who you have chosen to be in your wider group,
usually for work related things.  You write something and you want
everyone in your group to have immediate read access to it.  There is
a set of permissions just for the group.  They will usually be:
 
     dir  r-x
     file r--  (or r-x if it is executable)
 
     This allows your group to list and enter your directory, but
only read (and maybe execute) the file.

     In general your files default to the system wide group of
'users' or 'other' which is the same for everyone, so if you
enable your group read permissions, you give these permissions
to everyone!

     You can however create special limited groups, and assign
your files to that one group only, then when you enable your
group permissions, only your group can access them.
 
     OTHERS is everyone else in the world and except for a very few
files, they have no business having any contact with what's in your
directories or files at all.  There is a set of permissions for others
and usually they should be set to,
 
     dir   ---
     files ---
 
     Since they have no directory permissions at all, the file
permissions don't actually matter.
 
     But here is where all the brouhaha comes in.  You have a file in
your home directory called .plan which is printed out when people
finger you.  It allows you to leave anyone data about yourself, the
.plan file can be as long as you like.  For example do
 
     finger homer@lightlink.com
 
     and see what you get.  That's my .plan file.  Now this file is in
my home directory but it is world readable by others.  So my home
directory MUST!  allow at least entrance to 'others'.  Sounds scary
doesn't it!
 
     Here is the actual arrangement,
 
               others
     home dir   --x
     .plan      r--
     files      ---      <--- all other files in directory
 
     The x permission on the directory means they can enter my home
directory, but they can not list for what's in it, nor can they create
files nor erase files.  They can only read the .plan file.  As long as
no other files grant read, write or execute status to others, then
they can't do anything with them either.  So it's secure.
 
     However if they can guess the name of a file in a directory, they
could get a directory listing on it, but as long as its permissions
are set to --- for other, they can't do anything with it.
 
     UMASK

     OK, let's look at the next level of complexity to this lizzard
think.
 
     As we have said, directory and file permissions are divided into
three groups, permissions for your self (user), your group (group),
and the rest of the world (others).  Thus an actual directory listing
would look something like
 
         (u) (g) (o)   <--  (user, group, others)
1.     d rwx --x --x        homer  (home directory for me)
2.     - rw- r-- r--        .plan  (my .plan file)
3.     - rw- --- ---        files  (all other files)
 
     The first line shows the full permissions for my home directory,
which is the same for all my inner directories too, the second line
shows the full permissions for my .plan file, and the third line
shows the full permission for all my other files.
 
     Let's take the first line first.
 
1.     d rwx --x --x        homer  (home directory for me)
 
     The opening d means it is a directory rather than a file.
 
     The first rwx means that you as the user have read, write and
entrance permission on your own home directory.  Thank the Lord for
small miracles.
 
1.     d rwx --x --x        homer  (home directory for me)
 
     The second --x means that your group (which you probably do not
have) has entrance permission to your home directory,
 
1.     d rwx --x --x        homer  (home directory for me)
 
     The third --x means that the whole rest of the world gets
entrance permission to your home directory, mainly to read your .plan
file through the finger command.
 
     Now let's look at the second line.
 
         (u) (g) (o)   <--  (user, group, others)
1.     d rwx --x --x        homer  (home directory for me)
2.     - rw- r-- r--        .plan  (my .plan file)
3.     - rw- --- ---        files  (all other files)
 
     The opening - means it is a file rather than a directory.
 
     The first rw- means you have read and write permissions to your
own .plan file.
 
2.     - rw- r-- r--        .plan  (my .plan file)
 
     The second r-- means your group has read only permissions to your
.plan file.
 
2.     - rw- r-- r--        .plan  (my .plan file)
 
     The third r-- means the whole rest of the world has read only
permissions to your .plan file
 
     Now here we come to the hard part.  There are two ways to set
permissions on your files.  One is explicitly using the CHMOD (change
mode) command, and the other is the UMASK command which sets it for
all time and makes what you ask for the default for all future
settings.
 
     No one in their right mind wants to use the CHMOD command to set
the permissions for every file and directory, who can bother to
understand this stuff for more than 3 minutes anyway?  Ironically the
CHMOD command is quite easy to use so it's too bad no one is going to
want to use it.
 
     So that leaves us with the UMASK command, for setting the all
time defaults for our system, and this is where the problems come in.
 
     Now actually the UMASK command will only affect ALL NEW files and
directories created, it won't fix ones that were already created with
dangerous permissions.  Thus learning to use the CHMOD command at
least for 10 minutes is of use to fix the prior damage, which we will
get to later in this posting.  But right now the umask command needs
to be understood.
 
     In the first place the umask command only sets the permissions
for your one session, so it has to be put in your .cshrc file (NOT
your .login!) in order to be executed automatically every time you log
on.
 
     Use an editor and edit .cshrc and put the umask command in as the
very first line after all the comments or change the line that your
system admin gave you when you first got your account.  In any case at
least LOOK at your .cshrc file to see if there is a umask command in
there somewhere and see what it says.
 
     Make sure your umask is set to 066 in your .cshrc and VERIFY this
from the command line after your sign on by typing 'umask', it should
return 66.
 
     Now true to form, the lizzies really went out of their way on
this one.  If you can remember this 24 hours after your read it, you
should immediately check in at your nearest Grey Recruitment center, I
am sure they could find a job for you.
 
     The umask command takes 3 numbers to set the permissions, one
for user, group and others.  The first number sets it for user, the
second for group and the third for others.
 
     The numbers must be in octal, that's base 8.
 
     For example umask 066.
 
     You see?  Three numbers 0, 6, and 6, and they are in base 8 as
all are less than 8.
 
     The 0 refers to the permissions for user, the 6 to group and the
6 to others.
 
     The actual permissions are derived FROM these three numbers by
the following method which you do NOT need to know, I just want to
impress you with the fact that lizzies have taken over the whole
planet.
 
     If you already know this, skip now to 'SKIP TO HERE' below.
 
     One converts the numbers to base 2, that's easy:
 
           (0) (6) (6)
     umask 000 110 110
 
     Directory permissions are then derived from these numbers by
XORing 777 (111 111 111) with the above numbers, and file permissions
are derived by XORing 666 (110 110 110) with the above numbers.
 
     XOR is the exclusive OR, which means true only if not the same.
 
     0 XOR 0 = 0
     0 XOR 1 = 1
     1 XOR 0 = 1
     1 XOR 1 = 0
 
     It really means 'one or the other but not both are true' where 1
means true and 0 means false.
 
     OK so take the original numbers and xor them with 777 and 666 and
you get,
 
           Directories:                    Files:
 
     umask 000 110 110  (0 6 6)      umask 000 110 110  (0 6 6)
       xor 111 111 111  (7 7 7)        xor 110 110 110  (6 6 6)
   -------------------             -------------------
   permis: 111 001 001             permis: 110 000 000
           rwx --x --x                     rw- --- ---
           (u) (g) (o)                     (u) (g) (o)
 
     And that's what we usually want for our defaults, for user,
groups and others.
 
     You as user get rwx for your directories, and rw for your files.
 
     Groups get --x for your directories, and --- for your files.
 
     Others get --x for your directories and --- for your files.
 
     What this means in terms of security is that others get entrance
to all your directories by default, but they get to do squat with any
of them, unless you explicitly change the permissions on a file to
allow them to read or execute them using the chmod command.
 
     SKIP TO HERE.
 
     THE UMASK COMMAND
 
     The umask command takes 3 numbers, each number can range from 0
to 7.  Each number sets the rwx permissions for one of user, group and
others.
 
     For example the common umask setting is umask 0 7 6.
 
     Here is a chart that shows the permissions corresponding to each
value from 0 to 7 that each of the 3 numbers can take on.
 
     Remember we are doing just one number now, in its full range from
0 to 7.
 
     UMASK         0    1    2    3    4    5    6    7
     directories  rwx  rw-  r-x  r--  -wx  -w-  --x  ---
     files        rw-  rwx  r--  r-x  -w-  -wx  ---  --x
 
     Notice that umask gives different results for directories and
files, namely for files 0 and 1 are swapped, 2 and 3 are swapped, etc.
 
     Thus if you choose umask 066 like you probably should,
you will get
 
     umask 0   6   6
 
     dir  rwx --x --x
     file rw- --- ---
          (u) (g) (o)
 
     Which is what we have said is the optimum DEFAULT situation for
user, group and others.
 
     Now here is the catch.  There is only one umask command which
sets things BOTH for files AND for directories.  Thus once you have
set it for directories, you have also set it for files, and vice
versa, so this limits your options somewhat between the two of them,
unless you want to HAND CHANGE permissions using the chmod command.
Remember we are only talking about DEFAULTS here so that you don't
have to worry about it all the time.
 
     The PROBLEM is that if you want others to have --- as the default
FILE permission, which is a good idea to give them squat, then you
must live with --x as the default DIRECTORY permission, which gives
them entrance into your directories, which hopefully will be
a totally dark room since they can't list anything out.
 
     However if by mistake you manage to get some files with the wrong
others permissions, such as rw- into your directories then everyone
will be able to read them because they have entrance to your
directory, although they still will have to guess their names.
 
     So you might say, well why not just set the directory permissions
for others to --- and be done with it?  Yes, that is certainly the
most secure setting, but it locks out access to your .plan file, and
it sets your file permissions to --x, which means all your files are
executable, which they are not!  
 
     However since this only applies to others, not the user and the
group, and since the others can't get into your directory in the first
place, it doesn't really matter that all your files are marked
executable now does it, no one will ever be able to know.  So really
the only reason to not use the most secure scheme is the .plan file
problem.
 
     There are also some times when various system programs like mail
and things wish to use your home directory and if its locked out they
can't.  On those systems having the directory permissions set to --x
is a must.  This does not apply to everyone and shouldn't apply to
anyone but it does.  So in general allowing others entrance to your
directories has become the unix de facto standard, umask 066.
 
     But as I said, if other files, created before you became aware of
these problems have insecure permissions, then giving others entrance
to your directory might allow them to read or write to those files if
they can guess the names of them.
 
     For example, everyone has a .newsrc file, which shows what
newsgroups you are reading.  They could copy that file out and look at
it, if you happened to have the permissions for your .newsrc file set
to rw- r-- r--.
 
     How else can this happen?  Well some ftp sites will download
files to your private directories with world read and write
permissions attached!  Of course it was probably public data in the
first place, but do you want everyone knowing you are downloading gifs
of naked teddy bears?
 
     Or you could do it by mistake.  So the best thing to do is to
check periodically that all directories and files are of the form
 
     dir  rwx --x --x
     file rw- --- ---
 
     Then you are safe and secure from the prying eyes of your enemies.
 
     CHANGING INCORRECT PERMISSIONS.
 
     If you have many files that are in danger, this can be painful,
but doing global changes can be dangerous and cause more trouble than
it's worth.  So this is how to change your insecure files and
directories file by file and directory by directory.
 
     Get a complete printout of your directories and files using the
 
     ls -al > dir.data
 
command I showed you before.  Download it and print it out.
 
     Notice every directory that does not say
 
     d rwx --x --x  and change it using the chmod command.
 
     chmod og-rwx directoryname  (others and groups lose rwx)
     chmod og+x    directoryname  (others get x)
 
     Notice every file that does not say
 
     - rw- --- ---  and change it using the chmod command.
 
     chmod og-rwx filename
 
     Then check the directory or filename again with the ls -al command.
 
     You can check single individual files with
 
     ls -al filename
 
     You can check single individual directories with
 
     ls -ld directoryname    (don't use -al on directory names!)
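     The dir.data printout method above, and the same checks in the
QUICK AND DIRTY and SUMMARY sections, can be done by a script instead of
by eye.  The following is an added example of my own, not code from the
posting: it reports every directory that is not d rwx --x --x and every
file whose group and others bits are not ---, and a second function
applies the chmod recipe given above to whatever it finds.  The .plan
file is skipped in both, because the posting wants it readable by others
for the finger command.  The function names are my own.

```shell
#!/bin/sh
# Added example, not from the posting: audit a directory tree against the
# permissions recommended here and fix what fails.  Function names and
# the report format are my own.

# Nine-character permission string of one path, e.g. rwx--x--x
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Report every directory under $1 that is not exactly rwx--x--x and every
# regular file whose group/other bits are not ------.  .plan is skipped
# because it is meant to be world readable.  One line per offender,
# "<dir|file> <perms> <path>"; no output at all means the tree is clean.
audit_perms() {
    find "$1" -type d | while read -r d; do
        p=$(perm_string "$d")
        case "$p" in
            rwx--x--x) ;;
            *) echo "dir $p $d" ;;
        esac
    done
    find "$1" -type f ! -name .plan | while read -r f; do
        p=$(perm_string "$f")
        case "$p" in
            ???------) ;;              # rw------- or rwx------ both pass
            *) echo "file $p $f" ;;
        esac
    done
}

# Number of offending entries, for a quick yes/no check.
audit_count() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Apply the posting's recipe: directories become rwx for the owner and
# lose group/other rw while gaining x; files lose group/other rwx.
# .plan is left alone so finger keeps working.
fix_perms() {
    find "$1" -type d -exec chmod u+rwx,go-rw,go+x {} \;
    find "$1" -type f ! -name .plan -exec chmod go-rwx {} \;
}

# Typical use:  audit_perms "$HOME" > dir.data   then   fix_perms "$HOME"
```

     Run audit_perms first and read the report before running fix_perms;
anything you deliberately share with your group (the r-x directories and
r-- files from EXAMPLE 3) will show up in it and should be left as is.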
 
     Send questions to homer@lightlink.com
 
     Homer