Editing Basic UNIX Security the Tilde way

< back to wiki home



table of contents

“Unix is public by default. This means that other people who use the server can see your files. You can change that on a file-by-file basis. You can also change the default behavior for you. It is totally okay to keep your stuff private. Let us show you how.”

Unix was built with a fairly open security policy. It’s the kind of system you might expect a bunch of Berkley hippies to design. That said, if it bugs you that someone might be able to look the files in your home directory and you don’t want to read any more of this document then run these commands:

cd ~
chmod 711 .

Those will keep anyone on the system from looking at your directory while still allowing your ~youruser site to work. If you want to have more control over who can view what in your directory, then please read on. You can even come back and read this later, we’ll be here.

Users and Groups §

What is a user? For starters, you are a user and so is every other person on the system. Sometimes special user accounts are used for running specific processes (such as the web server) or for handling special administrative tasks.

There are several attributes that define a user.

For now we only need to know about the username.

Welcome to tilde.club, your new home (and homedir) §

When you registered for the system, you got an email that contained many things. One of those things was a username, and another was a password. When you logged into the server you were presented with what we call a prompt, and it looked a bit like this:


That’s boring so type the command ls -l public_html/index.html

sh-4.1$ ls -l public_html/index.html
rw-rw-r-- 1 youruser youruser 177 Oct 13 04:51 public_html/index.html

You’ll notice that your login shows up, but what does this actually show us?

First of all ls is a command to list files and directories. We’ve given it the command line switch -l that tells the ls command that we want a long listing of the file or directory attributes, and finally we’ve given it the filename my_file so that we can see its file attributes.

What does this long file listing of my_file show us?

-rw-rw-r--  1  youruser  youruser   177   Oct 13 04:51    my_file
---------- --- -------   --------  -----  ------------ -------------
    |       |     |        |         |         |             |
    |       |     |        |         |         |         File Name
    |       |     |        |         |         +---  Modification Time
    |       |     |        |         +-------------   Size (in bytes)
    |       |     |        +-----------------------     Group owner
    |       |     +--------------------------------      User owner
    |       +--------------------------------------    Number of links
    +----------------------------------------------   File Permissions

This seems like a lot to take in, but for the purpose of talking about files and security, we’ll only need three things: the file permissions, the group owner and the user owner.

Basics about file and directory permissions §

| |  |  |
| |  |  +--- Other Read/Write/Execute permissions
| |  +------ Group Read/Write/Execute permissions  
| +--------- User Read/Write/Execute permissions
+----------- Directory/Special flag

The first column at first glance looks like a bunch of alphabet soup, however if you look over a few of them, a pattern begins to emerge. Some lines begin with d and there are repeating instances of r, w and x. You might notice that the lines beginning with d refer to directories and that many files have rw- at the start of the column and r-- or even --- at the end of the column. These are important and indicate to the computer and to users how that file can be accessed.

Types of permissions §

There are three major types of permissions (and a hand full of others) - Read Read permission is represented as an r and will allow a listing of a directory and reading a file. - Write Write permission is represented with a w and allows a file or directory to be written to or deleted. - Execute Execute permission is represented as an x and allows a file (such as a script) to be executed and it allows for a directory to be “traversed”

Three classes of access permissions §

Changing file and directory permissions using chmod §


Basics about the finger and chfn commands §

How to see others in the system using finger

Type the command `finger`

Type the command `finger $USER`

How others see you.

Changing the information people see about you using chfn

creating a ~/.plan and ~/.project file that’s readable

More advanced topics §

Let’s look at the /etc/passwd file. What is it? It’s a file that contains most of the information about users in the system.

Back at our command line, lets type the command id:

sh-4.1$ id
uid=501(youruser) gid=501(youruser) groups=501(youruser)`

The id command is a tool to show us how the system keeps track of us. From this we can see that according to the system, our user ID (or uid) is 501, and our group id is also 501.

- Homework
    - Run `id` in your own directory, then run
    - Run `id -u root`
    - use the `grep` command to find your uid in the `/etc/passwd` file

As noted above, we can obtain our group id using the id command. Try locating your group in /etc/group using the commands that were specified above; your group name will probably be the same as your user (although at times this might not be true depending on the configuration of the system).