File and directory permissions protect your private documents from prying eyes, allow groups of people to share files, and prevent unauthorized persons from modifying or damaging the system.
chmod 600 fooif it's a simple file, and
chmod 700 fooif it's an executable program or a directory. This gives you the privileges to read and modify the file, and takes those privileges away from all other users.
umask 077at the beginning of the session.
If you want this to be the default, add this command near the end of the .cshrc file in your directory. It will then take effect every time you log in or create a new shell, e.g. a window (if you use another shell, you may have to alter some other configuration file, e.g. .tcshrc). There are cases when having such a restricted default setting is not desireable (see below). Note that this will affect only the newly created files.
umask 027instead (as a one-time command, or a part of your shell's configuration). This is the recommended setting in most cases. Again, it is sometimes not what you want, since you may want to share your files with graduate students, etc. If that's the case then you should keep your existing umask setting.
cd mkdir Exams chmod 700 Exams mv test1.tex final.tex roster Exams
Some of your files are automatically protected for privacy: the mailbox, anything saved from mail, Netscape bookmarks, etc. Others may not be, depending on the "umask" setting that's in effect (type umask with no arguments to see what it is). The normal setting that has traditionally been used on our system is a "relaxed" value which causes most of the new files to be readable (but not modifiable) by all users. We suggest that you keep a "relaxed" umask setting of 022 and protect your secrets using subdirectories as mentioned above, or by protecting the whole home directory.
If you decide to use a restrictive umask such as 077, remember that anything that you want to be available to the Web server must be readable by all users since the server does not have any special privileges. Your Web directory, if any, already has correct permissions. But you have to remember to run chmod 644 on each file, and chmod 755 or at least chmod 711 on every directory inside the Web area.
You can check which group(s) you are in by typing the command groups. On our system some of the main groups are `math' (Math faculty), `stat' (Statistics faculty), `grad' (graduate students) and `office' (office staff).
Permissions for each category are further divided into three types: "read" permission, "write" permission, and "execute" permission (the latter has a somewhat different meaning for directories, as opposed to regular files; it means "access", i.e. the ability to "get inside"). Again, we use letter shortcuts: "r", "w", "x". There are a couple of other special permissions which you normally don't need to worry about.
The command used to change permissions has the following general form:
chmod mode file_nameThe "mode" part can be specified using symbols or a numeric value. Symbolic notation involves specifying, in sequence, the category of users ("u", "g" or "o"), what do you want to do ("-" to remove and "+" to add the permission), and finally the type of permission ("r", "w" or "x"). For example:
|chmod o-r file_name||prevent "others" from reading ("others" = everyone except you and your group)|
|chmod u+x file_name||to let yourself execute the file|
|chmod o-w file_name||to prevent "others" from altering the file|
|chmod o-x file_name||to prevent "others" from executing|
|chmod g-r file_name||to prevent group members from reading|
To change permissions recursively, going into subdirectories, use
chmod -R mode directorye.g.
chmod -R o-r,o-w,g-w directoryYou can check permissions of your files by looking at the output of ls -lg
abcdefghij ..... file_name ^^^^^^^^^^ |||||||||| |||||||||x if everyone can execute, - if not ||||||||w if everyone can write (edit, remove), - if not |||||||r if everyone can read and copy, - if not ||||||x if group members can execute |||||w if group members can write (edit, remove) ||||r if group members can read and copy |||x if you can execute ||w if you can write (edit, remove) |r if you can read and copy d if directory, - if plain file(you should ignore some other letters such as `s' and `t' for now...)
So after the directory/plain file indicator, permissions are listed in three triplets: user, group, others.
For example, a file which shows up as
-rwxrw-rw- johndoe friendis an executable which everyone can access and modify (bad!!!), while
-rw------- johndoe friendis "highly protected", and
-rw-r----- johndoe friendis moderately secure (only users in group "friend" can read it, but not alter the file).
The symbols "r", "w" and "x" in each triplet can be interpreted additively as powers of 2; "r" corresponds to 4, "w" to 2, and "x" to 1. A permission which is not set (displayed as a minus) stands for zero. So in the examples above we have "protection modes" 766, 600, and 640.
As we mentioned, the chmod command can be given such numeric mode:
chmod 600 *will make all files in the current directory readable and writeable only by you. But make sure not to give such protections to directories; they usually need the execute permission. Directories should always be given mode 7.. so the owner can `cd' to them and list them.
Now we can explain what the "umask" setting is for. The current value of the "umask" is always subtracted from the mode of any file or directory you create; umask of 077 will cause all new files and directories to be created without any permissions for the "group" and "others", while 027 leaves the group read and execute permissions intact.
Last but not least: whatever permissions you set, the person in charge of the system can read all files, if he chooses to. The only protection against that is cryptographic encoding (e.g. PGP) of your data. The present system manager will never do anything with your files without your permission, unless it is directly related to system administration (and even then, files are copied, moved, shrunk etc. and not read), but you have to weigh your trust in this pledge against your need for privacy.
Back to the NIU Math Department Web page