
Security Considerations

Other than the login password mechanism (and you should take great care to protect your password), the basic mechanism used by Unix to control a user's access to files and directories is a method of access control often referred to as permission bits. Large Unix systems may also employ an access control list mechanism (ACL) to enable systems administrators to provide specificity in the kind of access particular users have for specific files and directories.

1.

Basic permissions for files and directories are set with the Unix "chmod" command. In particular, chmod ijk sets permissions for owner (i), group (j), and all others (k), where each of i, j, and k is an octal digit (0-7). Viewed bitwise, 4 = read, 2 = write, 1 = execute. Since 7 = 4+2+1, chmod 700 sets read, write, and execute permission for the file owner and for no one else.

Write permission for a file implies that you can delete the file as well as edit it. If write permission is not set for a file you own, you can still delete it, but the system will prompt you for permission if you attempt to delete the file. You can check what permissions are set for a file by running ls -l. If you want to check an entire directory, run ls -la (the -a option causes files prefaced by "." to be included in the listing).

If you set permissions for a file myfile that you own by chmod 006 myfile then you no longer have access to myfile, no one in your group has access to myfile, but everyone else who has a valid system account does! Since you are the owner of myfile, you can still change permissions, so you have not lost control of the file, but you can’t access it again without resetting permissions.

chmod also has a "symbolic" mode for setting bits; e.g., chmod u+x myfile will set execute permission for the owner if not already set. Run man chmod for more details.

2. What permission should you set for directories?

The Unix cd command is the means for changing to a different “working directory” (the current directory can be determined by running the Unix pwd (print working directory) command). Having execute permission for a directory is interpreted to mean that you can “cd” to it from its parent directory. Hence, you cannot “cd” to a directory unless you can “cd” to every directory on the path leading to it. If you can’t “cd” to a directory, you cannot access any files stored in the directory, no matter the permission settings for these files. Therefore, the easiest way to protect your work is by using appropriate directory permissions.

Suppose that you have a subdirectory named “mywork” in your current working directory. Then chmod 700 mywork will protect all files stored in mywork from access by others since they cannot “cd” to mywork, regardless of the permissions you have set on files and directories within mywork. This is the setting that you should use for the directory in which you have your class work.

Suppose that you have a subdirectory named subdir within your mywork directory. Then if you do

    chmod 700 mywork/subdir
    chmod 000 mywork

you will no longer be able to access subdir! You must have at least execute permission for everything in the path to subdir.

If you do chmod 100 mywork then you can access subdir but you won’t be able to list mywork. However, if there is a file in mywork for which you have access privileges, then you can still access it (you just have to remember the name!).

Be careful in setting permissions for your home directory (you could inadvertently lock yourself out of it if you turn off execute permission, which may require getting the systems administrator to reset permissions). You can ensure that you are in your home directory by doing one of

    cd
    cd ~

(~ represents your home directory in a path, such as ~/mywork).

Generally, a recommended setting for your home directory is

· all permissions for owner
· execute permission only for all others

i.e., from within your home directory execute

    chmod 711 .

(the period is allowed shorthand for the current directory).

This setting permits others to access subdirectories for which you have set the appropriate permissions, but not list what you have in your home directory. This is the kind of setting needed if you want to have a personal web page on the system.

3. Requirements for a personal web page

Web pages are usually viewed over the internet using a web browser program such as Netscape or Internet Explorer, both of which come with PCs.

The UNF system is set up so that when a browser requests (via the internet) a user’s web page with "url" (uniform resource locator) http://www.unf.edu/~account-id/ the browser is connected through the UNF system to the directory given by ~account-id (access will be denied if execute permission for all others has not been set for this directory). That will be the end of it unless there is a subdirectory within ~account-id named homepage which has execute permission set for all others. In this case, the browser is positioned in the homepage directory. If there is a file named index.html within the homepage directory (with read permission set for all others), then it is automatically passed on to the web browser program to be processed. Any functional "html" files (hypertext markup language) in the homepage directory with read permission set for all others can be processed by the browser.

For example, if the account-id is ustx0001, then for the url http://www.unf.edu/~ustx0001/ the browser will bring up index.html and for the url http://www.unf.edu/~ustx0001/abc.html the browser will bring up abc.html (assuming read permission for all others has been set for abc.html).

Preparing your account for web access is as simple as

    cd                    configure the home directory
    chmod 711 .
    mkdir homepage        create and configure
    chmod 711 homepage    the homepage directory

You can construct a crude index.html page to verify access from the internet by using output redirection (">") as follows:

    cd homepage
    echo "under construction" > index.html

While the contents of the crude index.html file given above are not an html program, the browser program should be smart enough to compensate for the missing elements until a working page has been crafted. Read access for the index.html file generated via the redirection ">" is probably set by default to include all others, but if not, it can be set manually by

    chmod 744 index.html
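The chain of permissions described in sections 2 and 3 can be audited mechanically. The following is an added example, not part of the original handout: the function names others_blocker, mode_of and make_demo_home are hypothetical, and the directory tree is constructed sample data laid out the way the page recommends.

```shell
#!/bin/sh
# Added example: find the first path component that blocks "all others"
# from reaching a web page (directories need others-execute, the file
# needs others-read).

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# others_blocker HOME RELPATH
# Checks HOME, then each component of RELPATH in order.
# Prints the first blocking path and returns 1; prints nothing and
# returns 0 when the whole chain is open to all others.
others_blocker() {
    cur=$1
    rest=$2
    while :; do
        last=$(mode_of "$cur")
        other=$(( 0$last & 7 ))          # low octal digit = "all others"
        if [ -d "$cur" ]; then
            [ $(( other & 1 )) -ne 0 ] || { echo "$cur"; return 1; }
        else
            [ $(( other & 4 )) -ne 0 ] || { echo "$cur"; return 1; }
            return 0
        fi
        [ -n "$rest" ] || return 0
        cur=$cur/${rest%%/*}             # descend one component
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
}

# Build a constructed stand-in for a home directory set up as on the page.
make_demo_home() {
    h=$(mktemp -d) || return 1
    mkdir "$h/homepage"
    echo "under construction" > "$h/homepage/index.html"
    chmod 711 "$h" "$h/homepage"
    chmod 744 "$h/homepage/index.html"
    echo "$h"
}

home=$(make_demo_home)
others_blocker "$home" homepage/index.html && echo "chain open to all others"
chmod 700 "$home/homepage"               # simulate a too-strict directory
echo "blocked at: $(others_blocker "$home" homepage/index.html)"
rm -rf "$home"
```

The check reads mode bits only, so it reports what the "all others" category is allowed regardless of which account runs it.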

Via "plug-ins" or built-in capabilities, web browsers are usually able to process many types of files other than html program files. A recommended source for a complete presentation of html syntax is The Bare Bones Guide to HTML, on the internet at the url http://werbach.com/barebones/

4. System default permissions

The umask command sets a mask for those permissions to not set when a new file is created. To see what the system default is, simply run it with no arguments; e.g., umask may return 022, which means that nothing is masked for the owner, and only write permission is masked for the other two categories. Hence, when you generate a new file with this mask in place you will see (via ls -l) that permissions are set to -rw-r--r-- (if you create a directory, the execute bit will also be turned on since execute permission is not masked). umask 077 resets the mask so that nothing is masked for the owner and everything is masked for the other two categories. You may want to set umask in your .profile script, which runs automatically each time you log on to your account.
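The effect of the two masks discussed above can be observed directly. This is an added example, not part of the original handout; the function names created_mode and mode_of are hypothetical, and the files are created in a throwaway scratch directory.

```shell
#!/bin/sh
# Added example: observe the mode a new file or directory receives
# under a given umask.

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# created_mode MASK KIND
# KIND is "file" or "dir". The body runs in a subshell so the umask
# change does not leak into the calling shell.
created_mode() (
    umask "$1"
    d=$(mktemp -d) || exit 1
    if [ "$2" = dir ]; then
        mkdir "$d/new"       # directories start from 777 before masking
    else
        : > "$d/new"         # plain files start from 666 before masking
    fi
    mode_of "$d/new"
    rm -rf "$d"
)

for mask in 022 077; do
    echo "umask $mask: file=$(created_mode "$mask" file) dir=$(created_mode "$mask" dir)"
done
```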

On Osprey, when you copy an executable from the class directory (such as rand-ints or sicsimrun), execute permission gets turned off, which means you must set execute permission using chmod before the executable can be run; e.g.,

    chmod u+x sicsimrun

(this is an example use of “symbolic” mode for chmod; in this case the execute bit is set for the owner if it is not already on)

5. The and other permission bits

For completeness of discussion, there is a 4th set of permissions (whose use is generally restricted to system administrators). Under chmod, these are set by an octal digit which precedes those for the 3 categories described above. The three bits are as follows:

1. bit 4 = set user id to that of the owner when executing a program (when running as if executed by the owner, the program can do things, such as modify the password file, for which the user does not have permission to do otherwise)
2. bit 2 = set group id to that of the owner when executing a program (in effect bestowing the privileges of the group of the owner while the program is executing)
3. bit 1 = the sticky bit (this can only be set in super user mode); for a file, the sticky bit is used to keep a file (usually an executable) resident in memory; for a directory, the sticky bit is used to restrict the files that you can delete to those which you own, even if you have write permission for other files in the directory.