PERMISSIONS 2
 
     I received a rather frantic letter today about unix directory
permissions.  Apparently some people are finding their default
permissions to be set in such a way that might let others on your
machine read all your mail.
 
     Although this is possible, it is unlikely as most accounts come
with a default .cshrc that sets the permissions correctly, but if this
is omitted then it is quite possible that your data and files are wide
open to world read and write permissions!
 
     Directory and file permissions are probably one of the most
bizarre, confusing and mis understood elements of lizzard think
(unix), so the general response of new users to this stuff is to be in
apathy about them, and so of course they tend to live with the
defaults that their system gives them, which may not be all that sane.
 
     This posting threatens to be rather long and complicated, so for
those of you who wish a quick and dirty answer to securing your
accounts, the following is for you.
 
     QUICK AND DIRTY SECURITY
 
     Edit your .cshrc file, this is your C-shell start up file and it
should contain a statement that says umask 026 or some such thing.  If
it says something other than umask 066 doesn't have any umask
statement in it at all, then you may be at risk and you need to add
such a statement to it.
 
     That will fix all NEW directory and file creation, it will not
fix everything that has already been created.  However the most
important directory that needs to be corrected is your home directory,
as with that shut out, no one can see the rest of your stuff.
 
     Your home directory is usually the directory you are in when you
first log on.
 
     Get to your home directory using cd ~ (that's a tilda).  Make
sure you are in your home directory by using pwd (print working
directory), it should say something like /u5/homer or whatever your
account name is.  The u5 will change from person to person.
 
     Execute the following command,
 
     ls -ld .  (notice the spaces and period)
 
     ls is the list file command, -ld means print out the long form
for directories only, and the .  refers to your present directory
which should be your home directory.
 
     If it says something like
 
     d rwx --- ---  or
     d rwx --x --x
 
     then you are ok.
 
     If it says something like,
 
     d rwx rwx rwx  or
     d rwx r-x r-x
 
     then you are in danger.
 
     In any case you can secure your system quickly by entering,
 
     chmod go-rw .    (notice the spaces and period)
     chmod go+x  .    (notice the spaces and period)
 
     This will produce,
 
     d rwx --x --x
 
     which you can check with ls -ld . like before.
 
     SECURING THE REST OF YOUR DIRECTORIES.

     Do the following.
 
     ls -al > dir.data
 
     This will put your directory listing into dir.data.  Then download
it to your pc and print it out and use it for reference.
 
     All your directories should look like,
 
     d rwx --- ---  (umask 077, most secure)  or
     d rwx --x --x  (umask 066, if you have active .plan file)
 
     The first group of 3 refer to your own personal permissions as
user, the second set of three refer to the permissions of your group
which you probably should not have enabled, and the last set of three
refer to the rest of the world.
 
     Once your home directories and inner dcirectories are secured
using the above procedure it doesn't matter quite so much waht
the permissions on your files are inside those directories because
no one can list them out to see their names.  However they might
be able to guess the name of a file, and if that file has group or
world read permissions on it, then they can read it anyhow.

     However changing the permissions on all your files is tricky
especially if you have lots and lots that need to be reset.

     For this reason, we are not going to go into how to do this
in this quick and dirty section, but will talk about it more
later in this paper.

     Anyhow, for your peace of mind your files should like,
 
     - rw- --- ---  or
     - rwx --- ---  (means file is an executable)
 
     Make sure you use the ls -al command on all your directories,
especially your mail directories to find out what's going on there.
If you have questions, you can write me privately or send me the
dir.data files that you create and I will look at it for you.
 
     Remember some of you have 'Mail' as your mail directory and
others have 'mail' as the directory.  Check both if you are not sure.

     SUMMARY

     To sum up directories should look like:

     d rwx --x --x

     files should look like
 
     - rw- --- ---  or
     - rwx --- ---

     Your .plan file should look like:

     - rw- r-- r--
 
     You can check the permissions on directories or files by using

     ls -al filename
     ls -ald directoryname

     You can change the permissions of either by using

     chmod og-rwx filename
 
     chmod og-rw  directoryname (get rid of rw permission)
     chmod og+x   directoryname (add entrance permissions)
 
     The rest of this is only for lizzards.
 
     DIRECTORY AND FILE PERMISSIONS
 
     Both files and directories have read (r), write (w) and execute
(x) permissions attached to them.  Since files are INSIDE directories,
the permissions on the directory act as a cap to all the files in that
directory.
 
     To make things more complex the meaning of rwx for directories is
not exactly the same as for files, so here is where it gets a little
complicated.
 
     Read (r) permission for a directory means you can LIST what is in
the directory, you can read the DIRECTORY, it does not mean you can
read what's in the FILES in the directory.
 
     Execute (x) permission for a directory means you can enter the
directory with the cd command, and it means you can do what ever you
wish with the files that THAT ALREADY EXIST IN THE DIRECTORY, but only
according to the permissions that are on the files themselves which we
will get to.  x permissions ALONE on a directory does not give you the
ability to erase files, nor to create new files, nor to create or
remove directories within the directory.  These actions involve having
write permission to that directory so you can change the directory
special file itself.

     YOU CAN HOWEVER DESTROY A FILE THAT IS ALREADY IN A DIRECTORY BY
WRITING TO IT IF THAT FILE ALSO HAS WRITE PERMISSIONS ENABLED FOR
ITSELF.  This does not write or change the directory!  (See below)
 
     Write (w) permission for a directory allows you to erase and
create files and directories inside of that directory whether or not
they already exist.  Write permission only works if you ALSO HAVE x
or entrance permissions.
 
     Just remember that r and w directory permissions allow you to
read and write the DIRECTORY and have nothing to do with reading or
writing to the files themselves within the directory!
 
     One reads a directory by listing it with the ls or dir command.
One writes to a directory by creating or erasing files.  Writing to a
file that already exists IS NOT WRITING TO THE DIRECTORY so can be
enabled with a write permission on the file itself even if you don't
have permission to write to the directory!
 
     Thus without write permission to the directory you can not erase
the file, which would erase it from the directory, but you may be able
to still write trash to the file effectively destroying it's contents,
if the file itself has write permissions on it for the same class of
beings that have entrance permissions to the directory (user, group,
others.)
 
     This is why, since most directories have entrance permissions for
everyone, even if they don't have read or write permissions, it is
never a good idea to give every write access to the files in those
directories.  They can't be erased which changes (w) the directory,
but they can be overwritten which only changes the file.
 
     Confused?  Good.  The fun has just begun.
 
     Now files themselves have r, w and x permissions.
 
     Let's recap.
 
     r permissions for a directory mean you can list the directory.
 
     x permissions for a directory mean you can enter a directory and
do with the files there what the files say you can do, including read
them, write to them and execute them.  Of course if you don't have r
permission you can't list for the file names so its hard to know
what's there, but if you do know what's there, you have full access to
them on a read, write, execute basis if the files give that to you.
 
     w permissions for a directory mean you can create and erase files
and more directories inside that directory.  But w permissions only
hold if you ALSO have x permission to enter the directory in the first
place.
 
     Having r permissions ONLY on a directory means you can list the
contents of the directory, get the file NAMES, but not any other
information about the file nor the contents of the file.  You can not
create nor erase files (w directory permission) nor can you read,
write to the files, or execute them (x directory permission).
 
     Having w permission ONLY on a directory gives you nothing.
 
     Having x permissions only on a directory allows you to enter, and
do with pre existing files anything they say you can do with their own
permissions.  This includes read them, write to them, OVERWRITE THEM!,
or execute them.  You can't list the directory to find out the names
of what's there, (r directory permissions) and you can't create or
erase files or directories (w directory permissions).
 
     (Thus it is clear that if you are going to give --x or r-x access
to your directories, the file permissions themselves must be set
correctly in order to protect them from being read, written to,
or executed.)
 
     Having r and x permissions on your directory allows you list the
files in the directory plus do what the files say you can do with
them.  This is the usual mode for sharing files with others or your
group.  You give them read (r) access to the directory so they can see
what is there using the ls or dir commands, and you give them entrance
(x) to the directory so they can do what they can with the files.
Remember the files THEMSELVES say what can be done with them.

     Having r and w permissions on your directory allows you to list
the directory but since you don't have x permission, the w permission
gives you nothing.  You also can not read from, write to or execute
any files in the directory.  Nor can you create or erase files in the
directory because w gives you nothing without x.

     Here is a summary table to clarify things a bit.

     Directory permissions:      --- r-- -w- --x rw- r-x -wx rwx

     List directory               N   Y   N   N   Y   Y   N   Y
     Create files                 N   N   N   N   N   N   Y   Y
     Erase files                  N   N   N   N   N   N   Y   Y
     Overwrite files              N   N   N   Y!  N   Y!  Y   Y
     File permissions active.     N   N   N  rwx  N  rwx rwx  rwx

     FILE PERMISSIONS
 
     Now let's talk about permissions for files.  These too are read
(r), write (w) and execute (x), but their meanings are a little
different.
 
     File permissions ONLY come into play once you have given someone
entrance (x) to the directory.  Without that, the following is moot.
 
     Read (r) permission for a file means you can print it out, or
look at it with an editor, or even copy it to your own directory etc.
 
     Write (w) permission for a file means you can change it, alter
it, add to it, or overwrite it.  You can NOT erase it unless you also
have write (w) permission on the directory, but as long as you have
entrance (x) permissions on the directory, you can as good as erase
the file by overwriting it with nothing.  It will still exist in the
directory as a name, but it will have 0 bytes in it!
 
    (One does this with echo "" > filename.)

     Execute permissions (x) for a file means it is a shell script, or
machine code module which can be run like a program.  Most of your
text files and mail files don't need execute permission.
 
     So directory x permission means ENTRANCE, and file x permission
means EXECUTE.
 
     EXAMPLES
 
     OK, now let's give some concrete examples to get some mass on
this mess.
 
     Permissions are usually stated as three characters in a row, like
rwx, or r-x, or --x, or ---.  If the letter is there it means that
permission is on, if its a dash then its off.
 
     There are 3 complete sets of permissions on each directory or
file, one for the user, that's you, one for your group, and one for
the whole rest of the world.  We will talk only about the user
permissions for the moment to simplify things, but it applies to all
three.
 
     DIRECTORIES AND FILES
 
     There are permissions for directories which hold files and
permissions for the files in the directory.
 
     Take a look at the following:
 
     EXAMPLE 1:
 
     dir  rwx
     file rwx
 
     In this example the person can list (r) the directory, enter (x)
the directory, and THEREFORE write (w) new files and directories to
the directory. Since he can enter the directory, he can also read
(r) the file, write (w) to the file, and execute (x) it (if its
executable).
 
     EXAMPLE 2:
 
     dir  r-x
     file rw-
 
     This means he can list (r) the directory, and enter (x) it, but
he can not create (-) new files or directories, nor even erase old
files or directories.  SINCE he can enter the directory he can read
(r) the file, and write (w) to it, but not execute (-) it.  Since the
file can be written to, it can be destroyed by anyone who has this
entrance permission to the directory, and so this is a very dangerous
permission for anyone to have except for the user.
 
     EXAMPLE 3:
 
     dir  r-x
     file r--
 
     In this case the directory can be listed (r) and entered (x) and
the file can be read (r) but not written to nor executed.  This is
very safe and is in fact what most people use to share files with
others, like archive files at rahul.
 
     EXAMPLE 4:
 
     dir  ---
     file ---
 
     Since the person has no directory permissions at all, it
doesn't matter what the file permissions are because he can't get at it.
This is the super secure permissions you would set for others to
lock absolutely everyone out of your account.
 
 
     EXAMPLE 5:
 
     dir  --x
     file ---
 
     This is an interesting one, and will be taken up in greater
deatil later when we get to the serious security concerns with mail.
Although at first glance it looks like lousy security because the
person has entrance (x) permission to the directory, it in fact is
very secure because the file forbids him from doing anything with it.
He can't read, write, overwrite, or execute the file, and he can't
even LIST it to find out it is there, because he doesn't have read (r)
access on the directory!   Even if he guesses what the file name
is he can't do anything with it.

     HE CAN HOWEVER LIST THE FILE IF HE KNOWS ITS NAME USING
THE LS COMMAND SO HE CAN VERIFY THAT THE FILE IS THERE.
 
     In other words 'ls -al dirname' will get him nothing,
but 'ls -al dirname/filename' will get him a directory listing
for that file only.

     Feature or Bug?  I don't know.

     USERS, GROUPS and OTHERS
 
     Now here we go into the next level of complexity on this lizzard
think.  People are categorized into three broad categories.
 
     The USER is you.  There is a set of permissions just for the USER.
As the user you usually will have the following permissions:
 
     dir  rwx
     file rw-  (or rwx if the file is executable)
 
     That gives you total control over your own directories and your
files.
 
     GROUPS are those who you have chosen to be in your wider group,
usually for work related things.  You write something and you want
everyone in your group to have immediate read access to it.  There is
a set of permissions just for the group.  They will usually be:
 
     dir  r-x
     file r--  (or r-x if it is executable)
 
     This allows your group to list and enter your directory, but
only read (and maybe execute) the file.

     In general your files default to the system wide group of
'users' or 'other' which is the same for everyone, so if you
enable your group read permissions, you give these permissions
to everyone!

     You can however create special limited groups, and assign
your files to that one group only, then when you enable your
group permissions, only your group can access them.
 
     OTHERS is everyone else in the world and except for a very few
files, they have no business having any contact with what's in your
directories or files at all.  There is a set of permissions for others
and usually they should be set to,
 
     dir   ---
     files ---
 
     Since they have no directory permissions at all, the file
permissions don't actually matter.
 
     But here is where all the broohaha comes in.  You have a file in
your home directory called .plan which is printed out when people
finger you.  It allows you to leave anyone data about yourself, the
.plan file can be as long as you like.  For example do
 
     finger homer@lightlink.com
 
     and see what you get.  That's my .plan file.  Now this file is in
my home directory but it is world readable by others.  So my home
directory MUST!  allow at least entrance to 'others'.  Sounds scary
doesn't it!
 
     Here is the actual arrangement,
 
               others
     home dir   --x
     .plan      r--
     files      ---      <--- all other files in directory
 
     The x permission on the directory means they can enter my home
directory, but they can not list for what's in it, nor can they create
files nor erase files.  They can only read the .plan file.  As long as
no other files grant read, write or execute status to others, then
they can't do anything with them either.  So its secure.
 
     However if they can guess the name of a file in a directory, they
could get a directory listing on it, but as long as its permissions
are set to --- for other, they can't do anything with it.
 
     UMASK

     OK, let's look at the next level of complexity to this lizzard
think.
 
     As we have said, directory and file permissions are divided into
three groups, permissions for your self (user), your group (group),
and the rest of the world (others).  Thus an actual directory listing
would look something like
 
         (u) (g) (o)   <--  (user, group, others)
1.     d rwx --x --x        homer  (home directory for me)
2.     - rw- r-- r--        .plan  (my .plan file)
3.     - rw- --- ---        files  (all other files)
 
     The first line shows the full permissions for my home directory,
which is the same for all my inner directories too, the second line
shows the full permissions for my .plan file, and the third line
shows the full permission for all my other files.
 
     Let's take the first line first.
 
1.     d rwx r-x --x        homer  (home directory for me)
 
     The opening d means it is a directory rather than a file.
 
     The first rwx means that you as the user have read, write and
entrance permission on your own home directory.  Thank the Lord for
small miracles.
 
1.     d rwx --x --x        homer  (home directory for me)
 
     The second --x means that your group (which you probably do not
have) has entrance permission to your home directory,
 
1.     d rwx --x --x        homer  (home directory for me)
 
     The third --x means that the whole rest of the world gets
entrance permission to your home directory, mainly to read your .plan
file through the finger command.
 
     Now let's look at the second line.
 
         (u) (g) (o)   <--  (user, group, others)
1.     d rwx r-x --x        homer  (home directory for me)
2.     - rw- r-- r--        .plan  (my .plan file)
3.     - rw- r-- ---        files  (all other files)
 
     The opening - means it is a file rather than a directory.
 
     The first rw- means you have read and write permissions to your
own .plan file.
 
2.     - rw- r-- r--        .plan  (my .plan file)
 
     The second r-- means your group has read only permissions to your
.plan file.
 
2.     - rw- r-- r--        .plan  (my .plan file)
 
     The third r-- means the whole rest of the world has read only
permissions to your .plan file
 
     Now here we come to the hard part.  There are two ways to set
permissions on your files.  One is explicitly using the CHMOD (change
mode) command, and the other is the UMASK command which sets it for
all time and makes what you ask for the default for all future
settings.
 
     No one in their right mind wants to use the CHMOD command to set
the permissions for every file and directory, who can bother to
understand this stuff for more than 3 minutes anyway?  Ironically the
CHMOD command is quite easy to use so its too bad no one is going to
want to use it.
 
     So that leaves us with the UMASK command, for setting the all
time defaults for our system, and this is where the problems come in.
 
     Now actually the UMASK command will only effect ALL NEW files and
directories created, it won't fix ones that were already created with
dangerous permissions.  Thus learning to use the CHMOD command at
least for 10 minutes is of use to fix the prior damage, which we will
get to later in this posting.  But right now the umask command needs
to be understood.
 
     In the first place the umask command only sets the permissions
for your one session, so it has to be put in your .cshrc file (NOT
your .login!) in order to be executed automatically every time you log
on.
 
     Use an editor and edit .cshrc and put the umask command in as the
very first line after all the comments or change the line that your
system admin gave you when you first got your account.  In any case at
least LOOK at your .cshrc file to see if there is a umask command in
there somewhere and see what it says.
 
     Make sure your umask is set to 066 in your .cshrc and VERIFY this
from the command line after your sign on by typing 'umask', it should
return 66.
 
     Now true to form, the lizzies really went out of their way on
this one.  If you can remember this 24 hours after your read it, you
should immediately check in at your nearest Grey Recruitment center, I
am sure they could find a job for you.
 
     The umask commands takes 3 numbers to set the permissions, one
for user, group and others.  The first number sets it for user, the
second for group and the third for others.
 
     The numbers must be in octal, that's base 8.
 
     For example umask 066.
 
     You see?  Three numbers 0, 6, and 6, and they are in base 8 as
all are less than 8.
 
     The 0 refers to the permissions for user, the 6 to group and the
6 to others.
 
     The actual permissions are derived FROM these three numbers by
the following method which you do NOT need to know, I just want to
impress you with the fact that lizzies have taken over the whole
planet.
 
     If you already know this, skip now to 'SKIP TO HERE' below.
 
     One converts the numbers to base 2, that's easy:
 
           (0) (2) (6)
     umask 000 010 110
 
     Directory permissions are then derived from these numbers by
XORing 777 (111 111 111) with the above numbers, and file permissions
are derived by XORing 666 (110 110 110) with the above numbers.
 
     XOR is the exclusive OR, which means true only if not the same.
 
     0 XOR 0 = 0
     0 XOR 1 = 1
     1 XOR 0 = 1
     1 XOR 1 = 0
 
     It really means 'one or the other but not both are true' where 1
means true and 0 means false.
 
     OK so take the original numbers and xor them with 777 and 666 and
you get,
 
           Directories:                    Files:
 
     umask 000 110 110  (0 6 6)      umask 000 110 110  (0 6 6)
       xor 111 111 111  (7 7 7)        xor 110 110 110  (6 6 6)
   -------------------             -------------------
   permis: 111 001 001             permis: 110 000 000
           rwx --x --x                     rw- --- ---
           (u) (g) (o)                     (u) (g) (o)
 
     And that's what we usually want for our defaults, for user,
groups and others.
 
     You as user get rwx for your directories, and rw for your files.
 
     Groups get --x for your directories, and --- for your files.
 
     Others get --x for your directories and --- for your files.
 
     What this means in terms of security is that others get entrance
to all your directories by default, but they get to do squat with any
of them, unless you explicitly change the permissions on a file to
allow them to read or execute them using the chmod command.
 
     SKIP TO HERE.
 
     THE UMASK COMMAND
 
     The umask command takes 3 numbers, each number can range from 0
to 7.  Each number sets the rwx permissions for one of user, group and
others.
 
     For example the common umask setting is umask 0 7 6.
 
     Here is a chart that shows the permissions corresponding to each
value from 0 to 7 that each of the 3 numbers can take on.
 
     Remember we are doing just one number now, in its full range from
0 to 7.
 
     UMASK         0    1    2    3    4    5    6    7
     directories  rwx  rw-  r-x  r--  -wx  -w-  --x  ---
     files        rw-  rwx  r--  r-x  -w-  -wx  ---  --x
 
     Notice that umask gives different results for directories and
files, namely for files 0 and 1 are swapped, 2 and 3 are swapped, etc.
 
     Thus if you choose umask 066 like you probably should,
you will get
 
     umask 0   6   6
 
     dir  rwx --x --x
     file rw- --- ---
          (u) (g) (o)
 
     Which is what we have said is the optimum DEFAULT situation for
user, group and others.
 
     Now here is the catch.  There is only one umask command which
sets things BOTH for files AND for directories.  Thus once you have
set it for directories, you have also set it for files, and visa
versa, so this limits your options somewhat between the two of them,
unless you want to HAND CHANGE permissions using the chmod command.
Remember we are only talking about DEFAULTS here so that you don't
have to worry about it all the time.
 
     The PROBLEM is that if you want others to have --- as the default
FILE permission, which is a good idea to give them squat, then you
must live with --x as the default DIRECTORY permission, which gives
them entrance into your directories, which hopefully will be
a totally dark room since they can't list anything out.
 
     However if by mistake you manage to get some files with the wrong
others permissions, such as rw- into your directories then everyone
will be able to read them because they have entrance to your
directory, although they still will have to guess their names.
 
     So you might say, well why not just set the directory permissions
for others to --- and be done with it?  Yes, that is certainly the
most secure setting, but it locks out access to your .plan file, and
it sets your file permissions to --x, which means all your files are
executable, which they are not!  
 
     However since this only applies to others, not the user and the
group, and since the others can't get into your directory in the first
place, it doesn't really matter that all your files are marked
executable now does it, no one will ever be able to know.  So really
the only reason to not use the most secure scheme is the .plan file
problem.
 
     There are also some times when various system programs like mail
and things wish to use your home directory and if its locked out they
can't.  On those systems having the directory permissions set to --x
is a must.  This does not apply to everyone and shouldn't apply to
anyone but it does.  So in general allowing others entrance to your
directories has become the unix defacto standard, umask 066.
 
     But as I said, if other files, created before you became aware of
these problems have insecure permissions, then giving others entrance
to your directory might allow them to read or write to those files if
they can quess the names of them.
 
     For example, everyone has a .newsrc file, which shows what
newsgroups you are reading.  They could copy that file out and look at
it, if you happened to have the permissions for your .newsrc file set
to rw- r-- r--.
 
     How else can this happen?  Well some ftp sites will down load
files to your private directories with world read and write
permissions attached!  Of course it was probably public data in the
first place, but do you want everyone knowing you are downloading gifs
of naked teddy bears?
 
     Or you could do it by mistake.  So the best thing to do is to
check periodically that all directories and files are of the form
 
     dir  rwx --x --x
     file rw- --- ---
 
     Then you are safe and secure from the prying eyes of your enemies.
 
     CHANGING INCORRECT PERMISSIONS.
 
     If you have many files that are in danger, this can be painful,
but doing global changes can be dangerous and cause more trouble than
its worth.  So this is how to change your insecure files and
directories file by file and directory by directory.
 
     Get a complete printout of your directories and files using the
 
     ls -al > dir.data
 
command I showed you before.  Download it and print it out.
 
     Notice every directory that does not say
 
     d rwx --x --x  and change it using the chmod command.
 
     chmod og-rwx directoryname  (others and groups loose rwx)
     chmod og+x    directoryname  (others get x)
 
     Notice every file that does not say
 
     - rw --- ---  and change it using the chmod command.
 
     chmod og-rwx filename
 
     Then check the directory or filename again with the ls -al command.
 
     You can check single individual files with
 
     ls -al filename
 
     You can check single individual directories with
 
     ls -ld directoryname    (don't use -al on directory names!)
 
     Send questions to homer@lightlink.com
 
     Homer