PERMISSIONS 1
 
     There are some things about unix that many new users are not
aware of.  Coupled with the obscure nature of unix commands, this can
cause trouble.
 
     Unix allows three levels of access to the files in your account;
this applies to other users on the same machine.  Users on other
machines in general don't have any access at all.
 
     These three levels of access are,
 
     1) User   (that's you).
     2) Group  (that's you and a group that you can assign)
     3) Others (that's everyone else on the machine)
 
     There are three KINDS of access that a file may have,
 
     1.) Read    (r - means the person can read it.)
     2.) Write   (w - means the person can write to it, or erase it.)
     3.) Execute (x - means the person can run it.)
 
     Thus users, groups and others can be assigned various
combinations of read, write and execute access to your files.
 
     BY DEFAULT SOME UNIX SYSTEMS ALLOW READ AND WRITE ACCESS TO
EVERYONE!
 
     Some systems only allow read/write access to the owner, but they
allow read access to everyone.

     The default permissions depend on the system you are using and
what your system administrator has set for system wide defaults.
 
     Some files, like mail files, are more protected by default, but
in general anyone wandering around in your directories may be able to
find unprotected files, such as the .letter or .article files that the
programs used to send private mail and post news create with the
default protections.
 
     Further, files that you simply create yourself with your editor
are created with the default protections, particularly files you
download, upload or ftp to your account.
 
     First thing you should do is check the protections that currently
exist on your files.  This is done using the following command.
 
     ls -al   (list all files in long format, like DOS DIR command)
 
     This will produce an output similar to the following.
 
drwx--x--x 20 homer        1536 Sep 30 01:53 .
drwx--x--x190 root         3584 Jul 20 11:04 ..
-rw-------  1 homer        6665 Sep 26 23:16 .addressbook
-rw-------  1 homer        1526 Sep 26 03:02 .alias
-rw-r-----  1 homer         449 Sep 28 12:32 .article
-rw-------  1 homer          77 Sep 30 01:50 .cshrc
-rw-------  1 homer        3882 Oct 13  1993 .emacs
-rw-------  1 homer         956 Sep 26 09:02 .login
-rw-------  1 homer        9637 May 29 00:30 .mailrc
-rw-------  1 homer      121278 Sep 30 01:42 .newsrc
-rw-------  1 homer      121230 Sep 30 01:41 .oldnewsrc
-rw----r--  1 homer         406 Sep  2 02:05 .plan
drwxr-x---  3 homer         512 Sep 29 09:47 News
-rw-r--r--  1 homer           0 Sep 30 01:53 junk.script
drwxr-x---  2 homer        1024 Sep 30 01:52 mail
-rw-------  1 homer        1612 Sep 30 01:52 posting.safe
 
     The left hand column is your protections, and we will go into
them in detail in a minute.  The right hand column is the file and
directory names.
 
drwx--x--x  20 homer        1536 Sep 30 01:53 .
drwx--x--x 190 root         3584 Jul 20 11:04 ..
 
     Notice that the first line has the file name '.', which refers
to the present directory, whatever it is, and the second has '..',
which refers to the next directory out.  Very similar to DOS.
 
     Now the first thing you need to do is take a look at the first
two lines of output.
 
drwx--x--x  20 homer        1536 Sep 30 01:53 .
drwx--x--x 190 root         3584 Jul 20 11:04 ..
 
     This says that the present directory '.' is owned by homer, and
the next directory out is owned by root, which is the system.  This
happens to be a listing of my main directory so of course the next
directory out is the system's, but if I had done this listing from
inside my mail directory, then the next directory out would be THIS
directory and so of course would also be owned by homer.
 
     Now the protections.
 
drwx--x--x  20 homer        1536 Sep 30 01:53 .
 
    The protections are split into 4 fields.
 
     d  rwx  --x  --x
         u    g    o
 
     It's important to be able to visually parse them, or they won't
make any sense to you.  The first 'd' means this is a directory rather
than a file or a link to a directory or a file.  If it had been a link
it would have been an 'l', and for a file it's just a dash '-'.
 
     The next three characters (rwx) are the user protections.  This
means that the user, you, can read (list out the contents of) the
directory, write to the directory (create new files in the directory)
and enter the directory with the cd command (x means enter for
directories, rather than execute.)
 
     NOTICE THAT BEING ABLE TO READ A DIRECTORY DOES NOT MEAN BEING
ABLE TO READ ANY OF THE FILES IN THE DIRECTORY AS THEY HAVE THEIR OWN
INDIVIDUAL PROTECTIONS.  It does mean however that someone with read
access to your directory can LIST the directory using the ls -al
command or others and find out what your files are named, even if
they can't read the files themselves.

     Remember that a directory is essentially a file itself, a special
file that lists all the normal files in that directory.  The directory
permissions then apply to that special directory file only and not to
any of the files listed in the directory.
 
     Thus having read permission on a directory means you can
read the special directory file, namely see the directory listing.
It does NOT mean you can read any file listed in the directory.

     Having write permission on a directory means you can change the
special directory file, mainly by adding new files to it.  It does not
mean you can write to any file already in the directory.
 
drwx--x--x  20 homer        1536 Sep 30 01:53 .
 
     d  rwx  --x  --x
         u    g    o
 
     The next three characters (--x) are the group protections.  You
can assign others on your machine to be part of your 'work group'.
This allows many people in a group to access directories and files,
but not necessarily write them or erase them.  The --x means in this
case that my group can enter the directory.  If I had wanted them to
be able to list the directory too, I would have used r-x.
 
     d  rwx  --x  --x
         u    g    o
 
     Clearly the next three characters (--x) are the protections for
everyone else on the system (others), and here they are the same as
for the group.  This might seem a problem, that just anyone can enter
my directories, and perhaps it is, but it is actually necessary for
various unix functions of sociability to work properly, such as the
.plan file discussed below.
 
     In general your home directory should have permissions as set out
here, and will by default in most cases.
 
     Your home directory should look like this:
 
drwx--x--x  20 homer        1536 Sep 30 01:53 .

     This gives entrance permissions to everyone, but they can't
list your directory contents nor add files to it.
 
     Now let's take a look at two different files in my directory.
 
-rw-r-----  1 homer         449 Sep 28 12:32 .article
-rw-r--r--  1 homer           0 Sep 30 01:53 junk.script
 
     These parse to
 
     -  rw-  r-- ---    .article
     -  rw-  r-- r--    junk.script
         u    g   o
 
     The first dash in the line means simply that both are files and
not directories nor links.
 
     The rw- means I have read and write access to both files.
Neither is executable so there is no need for the 'x' permission.
 
     The second group of r-- means that my group has read only
permission, but not write or execute permission.  So they can read
them but not change or erase them.
 
     -  rw-  r-- ---    .article
     -  rw-  r-- r--    junk.script
 
     The third group however is very interesting.  The first one for
.article (---) means others have no permission at all on that file.
This is secure.
 
     However on junk.script the r-- means others have READ permission!
Now I created junk.script just for this posting, to prove that indeed
the default protections are as I say they are, and there is the proof.
 
     This is system dependent.  You can check your system out by
using the following:

     echo "hello there" > junk.script
     ls -al junk.script

     If you are new to unix and do an ls -al | more on your home
directory, you will notice a number of files that allow read access to
others in this way, and this is the security breach that we want to
fix in this posting.
 
     There are two steps to fixing this security breach.
 
     1.) Change the defaults so that all new files created don't grant
anything to anyone outside yourself.
 
     2.) Fix the files that have already been created with the wrong
security protections.
 
     The first change is simple.  Most of you are using csh as your
main shell.  You need to edit your .cshrc file (notice the period) and
add one line to the top of the file.
 
     You do this by typing,
 
     pico .cshrc (spell it right!)
 
     Then add
 
     umask 066
 
     as the first line of the file, or perhaps after the comment lines
that start with #.

     Then sign off and on again, and check your results by using
the 'umask' command.  It should say 66.
 
     The umask command is too complex to explain here (I don't think
even the people who wrote it understand it), but it does set your
default file creation protections to rw- --- ---.  You get read/write,
and everyone else gets squat.  The reason you don't want your group
to get read permission is that EVERYONE BELONGS TO THE SAME GROUP at
first!  This group is usually named 'users' or 'other'.
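     As an added example, not from Homer's posting, here is a POSIX
shell script that works out the mode umask 066 produces and repeats
the junk.script check on the current system; the function names
mode_after_umask and created_mode are mine, not standard commands.

```shell
#!/bin/sh
# Added example, not from the original posting.  Works out the mode a
# new file gets under a given umask, then repeats the posting's
# junk.script check on the current system.  Function names are mine.

# A new regular file is requested with mode 666 (rw-rw-rw-) and a new
# directory with 777; the umask clears the bits you do not want.
mode_after_umask() {
    # $1 = umask in octal, e.g. 066; $2 = base, 666 (files) or 777 (dirs)
    mask="$1"; base="${2:-666}"
    printf '%03o\n' $(( 0$base & ~0$mask ))
}

# Create a throwaway file under umask $1 in a scratch directory and
# return the first ten characters of its ls -l line, e.g. -rw-------.
created_mode() {
    tmp=$(mktemp -d) || return 1
    # Subshell: the umask change must not leak into the caller's shell.
    ( umask "$1" && echo "hello there" > "$tmp/junk.script" ) || return 1
    ls -l "$tmp/junk.script" | cut -c1-10
    rm -rf "$tmp"
}

# Compare a common default (022) with the posting's umask 066.
for m in 022 066; do
    printf 'umask %s: file %s dir %s, ls shows %s\n' "$m" \
        "$(mode_after_umask "$m")" "$(mode_after_umask "$m" 777)" \
        "$(created_mode "$m")"
done
```

     With 066 a new file comes out rw- --- --- and a new directory
rwx --x --x, which is exactly the home directory listing shown above.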

     You can find out what default groups you belong to using the
'groups' command, and you can find out what group all your files are
grouped under with the "ls -alg" command.  It will usually be 'users'
or 'other'.  (Don't confuse this 'other' with the 'others'
permissions we have been talking about, which is everyone else in
the world.)

     This 'users' or 'other' is a GROUP NAMED USERS OR OTHER.

     Once you learn enough to create a special closed group for a
limited number of people, then you can set your files to that group
only, and enable read or write permissions for your group.  Until then
leave your file group permissions closed (---) and your directory
group permissions to entrance only (--x).
 
     Now fixing the other files that have already been miscreated is
more difficult, even dangerous.  I remember locking myself out of my
own home directory the first time I played around with this.
 
     The safest way is to do each one individually by hand.  I would
simply erase .article and .letter and dead.* and then the next time
they are created they will have the proper protections because of the
new umask 066.  But any other files will have to be changed by hand if
they are important to you, like your .addressbook etc.
 
     One can change an individual file with,
 
     chmod o-rwx file.name
 
     This means: change the mode of file.name for others (o) by
removing (-) rwx, that is, take away all read, write and execute
permissions.
 
     Remember your directories should look like,
 
     d rwx --x --x
 
     but files should look like
 
     - rw- --- ---
 
     Those of you who are adventurous and have LOTS of files with
the wrong protections can do a global change, but I can't guarantee
that there won't be strange aftermaths, because this affects the
directories inside your main directory too.  It shouldn't matter,
except if your system needs some kind of special 'others' protection
for your inner directories.
 
     chmod o-rwx *            Remember this is for mad men
     chmod o-rwx .*           only!
     chmod o+rx  .
 
     The first command takes away rwx on all files AND DIRECTORIES
except .* files.
 
     The second command does the same for .* files, but ALSO does it
to '.' which is your present directory.
 
     The third command gives rx back to your home directory or what
ever directory you are in.
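     As an added example, not from the posting, the following POSIX
shell script audits a directory tree against the 'others' targets
just given (files --- and directories --x for others) and repairs
them with find rather than the .* glob, which also matches '..'; the
function names are mine, not standard commands.

```shell
#!/bin/sh
# Added example, not from the original posting.  Audits a directory
# tree for entries that give "others" more than the posting's targets
# (files: ---, directories: --x) and, on request, repairs them.  It
# uses find rather than "chmod o-rwx .*": that glob also matches "..",
# so the glob form would try to change the directory above you too.
# Function names are mine, not standard commands.

# Print the others field (characters 8-10 of the ls -l line) of one path.
others_field() {
    ls -ld "$1" | cut -c8-10
}

# List every file and directory under $1 whose others field is not the
# target.  Symbolic links are skipped (-type f/-type d never match them).
# Assumes no newlines in file names.
audit_others() {
    find "$1" \( -type f -o -type d \) -print | while IFS= read -r p; do
        if [ -d "$p" ]; then want='--x'; else want='---'; fi
        have=$(others_field "$p")
        [ "$have" = "$want" ] ||
            printf 'others=%s should be %s: %s\n' "$have" "$want" "$p"
    done
}

# Number of entries the audit would report (0 means the tree is clean).
bad_count() {
    audit_others "$1" | wc -l | tr -d ' \t'
}

# Apply the targets: files lose every others bit, directories keep
# only entrance (x) for others, which is what a home directory needs.
fix_others() {
    find "$1" -type f -exec chmod o-rwx {} +
    find "$1" -type d -exec chmod o-rw,o+x {} +
}

# Usage: sh script.sh audit [dir]   to see what would change, then
#        sh script.sh fix   [dir]   to repair it (defaults to $HOME).
case "${1:-}" in
    audit) audit_others "${2:-$HOME}" ;;
    fix)   fix_others "${2:-$HOME}" && audit_others "${2:-$HOME}" ;;
esac
```

     Run the audit first and read the report before running fix, since
the fix walks every directory under the one you name.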
 
     OK, coming up is your .plan file.
 
     Homer