Permissions

PROTECTING YOUR FILES AND DIRECTORIES

Your file and directory permissions are an essential aspect of the security of your account. You might have a very secure password, but if your file permissions are inappropriate, having a secure password is of little value.

Your home directory contains files you need to do your work. Some of these will be private, such as program assignments and letters. Since the default in UNIX is to make files accessible, you need to understand the UNIX protection scheme in order to keep your files from being read by others.

There are three types of access for each UNIX file: read (r, value 4), write (w, value 2), and execute (x, value 1). In addition, there are different categories of users, each of which may have different permissions. Here is an example of these permissions:

        % ls -lg install.log install.dir install.exec

        drwxrwxr-x  1 news   newsgrp      2048 Jun 17  1988 install.dir
        -rwxr-xr-x  1 news   newsgrp     56672 Jun 17  1988 install.exec
        -rw-rw----  1 news   newsgrp      6979 Jun 17  1988 install.log

The permissions for each file are listed in the left-most field. There are three sets of permissions for each file. The first set is for the owner of the file ('news'), the second for a group of users (in this case 'newsgrp'), and the last for all other users. Therefore 'install.exec' can be read and executed by everyone, but 'install.log' can be read and written only by the user 'news' and other members of 'newsgrp'. The directory 'install.dir' can be read and executed by everyone (anyone can 'cd' into and 'ls' the directory). The user 'news' and members of the group 'newsgrp' can also write into the directory.

The default permissions for most files are rwxr-xr-x or rw-r--r--, depending on whether the file is executable. With these permissions, only the owner can change the file, but others can read it.

If you have a text file you want to prevent all others from seeing, you can change its permissions to rw-------. This is done with the chmod command. To change rw-r--r-- to rw-------, you subtract permissions:

        % chmod og-r filename

which is equivalent to

        % chmod 600 filename

where

        6 = owner permissions of 4 (read) + 2 (write)
        0 = group permissions (none)
        0 = world permissions (none)

This removes group (g) and other (o) read permissions. For more information, execute "man chmod".
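The following script is an added example and not part of the original page. It checks the two chmod forms given above against each other on scratch files, and it turns the permission string that ls prints into the octal digits chmod accepts, using the weights r=4, w=2, x=1 described earlier. It assumes a POSIX sh with ls, cut, chmod and mktemp available.

```shell
#!/bin/sh
# Added example, not part of the original page: compare "chmod og-r" with
# "chmod 600" and convert ls(1) permission strings to octal.
# Assumes a POSIX sh with ls, cut, chmod and mktemp available.

# mode_of PATH: print the ten-character permission field from "ls -ld",
# e.g. "-rw-r--r--" (the first character is the file type).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# mode_to_octal RWXSTRING: convert a nine-character string such as
# "rw-r--r--" into "644". Each group of three (owner, group, other) is
# summed from r=4, w=2, x=1, exactly as the text describes.
mode_to_octal() {
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        triple=$(printf '%s' "$rest" | cut -c1-3)
        rest=$(printf '%s' "$rest" | cut -c4-)
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac
        case $triple in ?w?) n=$((n + 2)) ;; esac
        case $triple in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# octal_of PATH: the three octal digits for PATH's permission bits.
octal_of() {
    mode_to_octal "$(mode_of "$1" | cut -c2-10)"
}

# compare_chmod_forms: start two scratch files at rw-r--r-- (644), tighten
# one with "chmod og-r" and the other with "chmod 600", and print the two
# resulting octal modes side by side. Both should read 600.
compare_chmod_forms() {
    dir=$(mktemp -d) || return 1
    : > "$dir/symbolic.txt"
    : > "$dir/octal.txt"
    chmod 644 "$dir/symbolic.txt" "$dir/octal.txt"

    chmod og-r "$dir/symbolic.txt"   # subtract read from group (g) and others (o)
    chmod 600  "$dir/octal.txt"      # owner 4 (read) + 2 (write); group and world none

    printf '%s %s\n' "$(octal_of "$dir/symbolic.txt")" "$(octal_of "$dir/octal.txt")"
    rm -rf "$dir"
}

compare_chmod_forms
```

Running it prints "600 600": the symbolic and octal forms produce the same mode. The mode_to_octal function only handles the plain rwx letters; setuid, setgid and sticky markers (s, t) are outside what the text covers.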

You can set your environment so that newly created files will always have certain permissions removed. This is done by the umask command in your .login. To remove all write permissions by group members and others, include

        umask 022
in your .login. If you want all your files protected from read, write, and execute access, use

        umask 077
Log out and back in again, and all files created from that point will have the new permissions. Any files that already exist will not have their permissions changed, and you will need to use chmod to change them.
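The script below is an added example, not part of the original page. It shows what umask 022 and umask 077 do to newly created files and directories, and confirms the point made above that changing the umask leaves files that already exist untouched. It assumes a POSIX sh with ls, cut, mkdir and mktemp available; each umask change happens in a subshell so your own login session is not affected.

```shell
#!/bin/sh
# Added example, not part of the original page: show the effect of umask
# 022 and 077 on new files and directories, and that existing files keep
# their mode when the umask changes. Assumes a POSIX sh with ls, cut,
# mkdir and mktemp available.

# mode_of PATH: ten-character permission field from "ls -ld".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# created_modes UMASK: inside a subshell (so the caller's umask is left
# alone), set UMASK, create one file and one directory, and print
# "<file mode> <directory mode>". New files start from 666 and new
# directories from 777; the mask's bits are removed from those.
created_modes() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$dir/newfile"
        mkdir "$dir/newdir"
        printf '%s %s\n' "$(mode_of "$dir/newfile")" "$(mode_of "$dir/newdir")"
    )
    rm -rf "$dir"
}

# existing_file_after_umask_change OLD NEW: create a file under umask OLD,
# switch to umask NEW, create a second file, and print both modes. The
# first file keeps its original mode; only files created afterwards pick
# up the new mask, which is why existing files must be fixed with chmod.
existing_file_after_umask_change() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$dir/before"
        umask "$2"
        : > "$dir/after"
        printf '%s %s\n' "$(mode_of "$dir/before")" "$(mode_of "$dir/after")"
    )
    rm -rf "$dir"
}

for m in 022 077; do
    echo "umask $m creates: $(created_modes "$m")"
done
echo "022 then 077: $(existing_file_after_umask_change 022 077)"
```

With umask 022 the new file shows -rw-r--r-- and the new directory drwxr-xr-x; with umask 077 they show -rw------- and drwx------. In the last line the file created before the change keeps -rw-r--r-- while the one created after gets -rw-------.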

Since you as owner can read and change all your files, it is important that you never give another user your password. Also, you should never stay logged in unattended, as that would make it very easy for someone to come by and change your files or permissions.

You need to decide when to protect a file. Consider whether you care if anyone else reads or executes that file, since that is what the default permissions allow. Any file created for a class assignment should of course be protected, as should most correspondence. Files with financial information should also be kept private. If most of your files contain sensitive material, consider using the umask command to limit access automatically.

It is also recommended that you don't allow public or group write access to any of your directories. If you have write permission for group 'other' on one of your directories, it allows anyone with a login to erase or create files of their choice in that particular directory. An intruder can delete files you own, simply because he or she has write permissions on the directory. The intruder can also install a program of the same name as one you normally use, and there may be serious consequences if you run the intruder's program.

If you have group-writable directories and would like to change them, issue the commands:

        cd ~
        find . -type d -group other -exec /bin/chmod g-w {} \;
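The following is an added example and not part of the original page. Where the command above selects directories by their group ownership (-group other), this version selects on the permission bits themselves with find's -perm, so it reports and fixes any directory that group members or all other users can write to, whatever group owns it. It assumes a POSIX sh and a POSIX find(1); the sample directory tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a directory tree for
# directories writable by group or by everyone, then remove those write
# bits. Matches on permission bits (-perm) rather than on group ownership,
# so it covers every group. Assumes a POSIX sh and a POSIX find(1).

# writable_dirs ROOT: list, sorted, every directory under ROOT (ROOT itself
# included) whose group write bit (020) or other write bit (002) is set.
writable_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print | sort
}

# fix_writable_dirs ROOT: remove group and other write permission from each
# directory writable_dirs would report. Only directories are touched
# (-type d); files are left as they are.
fix_writable_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -exec chmod go-w {} \;
}

# demo: build a constructed tree with one safe, one group-writable and one
# world-writable directory, audit it, fix it, and audit again.
demo() {
    root=$(mktemp -d) || return 1     # mktemp -d creates the root with mode 700
    mkdir "$root/private" "$root/shared" "$root/scratch"
    chmod 755 "$root/private"
    chmod 775 "$root/shared"          # group may create or erase entries here
    chmod 777 "$root/scratch"         # anyone with a login may do so

    echo "before:"; writable_dirs "$root"
    fix_writable_dirs "$root"
    echo "after:";  writable_dirs "$root"
    rm -rf "$root"
}

demo
```

The "before" listing names the shared and scratch directories; after fix_writable_dirs runs, both are 755 and the "after" listing is empty. To audit your own account, call writable_dirs "$HOME" and review the list before running fix_writable_dirs, since a directory that was made group-writable on purpose (a shared project area, for instance) will be tightened along with the rest.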
