
File Permissions

Quick steps for privacy

The easiest and quickest way to ensure the privacy of the files beneath your home directory is to set the permission mode of your home directory so that access is denied to all other accounts. Given that, other accounts will not be able to read, write, or even list files in any directory under and including your home directory regardless of the individual mode settings of the files and sub-directories.

The following commands will first take you to your home directory and then set the permission mode so that access is denied to all other accounts.

     % cd                (to take you to your home directory)
     % chmod go= .       (set restrictive mode on home directory;
                          please note that the period is required)

General discussion

Every file and directory in your account can be protected from or made accessible to other users by changing its access permissions.
You can only change the permissions for files and directories you own.

How to examine file permissions

A set of permissions is associated with each file and directory. The permissions determine who can do what with the file or directory. For example by setting permissions you can allow or deny other accounts the ability to read one of your files.
You can examine the permissions for files and directories by using the "-l" (long) option of the ls command:

     ls -l filename      (for an individual file)
     ls -l               (for the contents of a whole directory)

The first part of the report describes the permission settings in a notation which looks something like this

           -rwxr-x---
       

The first character can be either "-" indicating an ordinary file, or "d" indicating a directory.

The next nine characters are read as three groups of three for user, group and others. If we separate the groups in the example shown above we have:

               u    g    o
                -  rwx  r-x  ---
       

In this example the user who owns the file has permission to read, write, and execute the file (rwx), group members have permission to read and execute (r-x), and all other accounts have no permission (---).

Exactly what these permissions mean is discussed in the sections below.

Interpreting permissions for a file

Permissions can be specified for each of three separate categories of people or accounts:

u — the user who owns the file (or directory)
g — accounts which are co-members in a file sharing group (see additional information concerning groups below)
o — others, i.e. the rest of the world

The permissions which can be allowed or denied to each category are

r — read
w — write
x — execute (i.e. run as a program)

Using the same example from the previous section:

               u    g    o
                -  rwx  r-x  ---
       

The user who owns the file has permission to read the file, write to it, and execute the file (rwx). Group members have permission to read and execute only; they can't change the contents of the file (r-x). All other accounts have no permission; they cannot view it, change it, or execute it (---).

Interpreting permissions on directories

Permissions on directories are interpreted somewhat differently from permissions on files.

r — The contents of the directory can be listed.
w — The contents of the directory can be changed (i.e., files can be created, removed, and/or renamed).
x — Users can read a file in, write to a file in, and execute programs in the directory. They can also "cd" to the directory or pass through it on the way to lower subdirectories.

Some examples:

  1. drwxr-xr-x

                   u    g    o
                    d  rwx  r-x  r-x
           
    

    "d" indicates it's a directory

    rwx for the user means that the owner of the directory can list it, change the contents, and "cd" to it.

    r-x for the group and others means they can list the contents of the directory and "cd" to it.

  2. drwx--x--x

                   u    g    o
                    d  rwx  --x  --x
           
    

    As before, "d" indicates it's a directory.

    The user can list it, write to it, and "cd" to it (rwx)

    The group and the world can only "cd" to it. They cannot learn its contents, nor write to it.
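The following shell functions are an added example, not taken from this page: they decode a mode string of the kind shown in the two sections above (the sample strings are constructed) into its u/g/o triples and the equivalent octal number, and test whether "others" hold any access at all, for files and directories alike.

```shell
#!/bin/sh
# Decode the ten-character mode field that "ls -l" prints (e.g. -rwxr-x---)
# into its per-category triples and into the octal number chmod also accepts.
# Added example; the mode strings used below are constructed for illustration.

# Print the rwx triple for one category: u (owner), g (group) or o (others).
triple_of() {
    case $2 in
        u) printf '%s\n' "$1" | cut -c2-4 ;;
        g) printf '%s\n' "$1" | cut -c5-7 ;;
        o) printf '%s\n' "$1" | cut -c8-10 ;;
        *) return 1 ;;
    esac
}

# Turn one triple into its digit: r=4, w=2, x=1 (s/t also imply x is set).
triple_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# Full conversion: "-rwxr-x---" -> "750", "drwx--x--x" -> "711".
mode_to_octal() {
    u=$(triple_to_digit "$(triple_of "$1" u)")
    g=$(triple_to_digit "$(triple_of "$1" g)")
    o=$(triple_to_digit "$(triple_of "$1" o)")
    echo "$u$g$o"
}

# Succeed (exit 0) when "others" hold any permission at all on the entry,
# which is exactly the condition the quick-steps section wants to rule out.
others_have_access() {
    case "$(triple_of "$1" o)" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}
```

The octal form is handy because `chmod 750 file` and `chmod u=rwx,g=rx,o= file` set the same mode.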


How to change permission settings

Permission mode settings are changed using the "chmod" command. + adds permissions, - takes away permissions, and = sets them to just those specified.

For example:

chmod o+r chap1

gives (adds) "others" read access to the file chap1.

chmod og-w chap1

removes (subtracts) write access for group and "others".

chmod og= chap1

sets permissions for group and others to null, i.e. denies any access.

chmod u=rwx,go=rx run_report

gives the user who owns run_report read, write, and execute permission, and gives group and others read and execute permission. This setting is useful for a shell script that you want the system to recognize as a command (x signifying executable).

Combining file and directory access for flexible security

This section is of particular importance to users wishing to offer documents through the World Wide Web. They will want to fine tune the permissions on files and directories to allow other internet users access to their public_html directory and the files contained within, but nothing else. (See Setting Up a Personal Website)

Giving "others" execute permission on your home directory allows other users on the machine the ability to "cd" to your home directory and pass through it on the way to lower subdirectories (such as public_html). Without "read" permission on the directory, however, they cannot directly obtain a listing of its contents. But there's a catch: if an outside user already knows the name of a file in the directory AND read permission is given for others on that file, they will be able to view the contents of the file.

The solution here is to make sure that the files and subdirectories you want to keep others out of do not have read, write, or execute permission for "others." But files that you DO want others to be able to get access to should have read or execute permissions, as applicable to the type of file or directory. In general, you should not give write access for any file to anyone except yourself.

In summary, when you want outsiders to have access to specific files and directories in your account:

  • Set execute permission for "others" only on the directories you want accessible to the outside.

    chmod o+x public_html
  • Set read permission for "others" only on the files you want accessible to the outside.

    chmod o+r index.html
  • Turn off all permissions for "others" on all other files.

    chmod o= .cshrc Mail phone_numbers etc...
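As an added illustration that is not part of this page, the script below audits a directory tree against the three rules in the summary: it lists every entry that grants "others" any access and singles out anything others may write to. It builds a constructed sample home directory (public_html, Mail, phone_numbers) rather than touching a real account, and assumes paths contain no spaces.

```shell
#!/bin/sh
# Audit a directory tree against this page's summary: list every entry that
# grants "others" any access, and single out entries others may write to.
# Added example, not part of the original page; it needs only POSIX find
# (octal -perm tests), ls and awk. Paths are assumed to contain no spaces.

# Print "<mode> <path>" for each entry under $1 that others can read (004),
# write (002) or execute/search (001), i.e. -perm -o+r / -o+w / -o+x.
others_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -exec ls -ld {} + \
        | awk '{print $1, $NF}' | sort
}

# Print only the paths others may write to: the page says write access
# should never be given to anyone but yourself.
world_writable() {
    find "$1" -perm -002 -exec ls -ld {} + | awk '{print $NF}' | sort
}

# Create a constructed sample home directory laid out like the page's
# summary example and print its path.
make_sample_home() {
    d=$(mktemp -d)
    (
        umask 077                       # new entries start with no access for others
        mkdir "$d/public_html" "$d/Mail"
        : > "$d/public_html/index.html"
        : > "$d/public_html/notes.txt"
        : > "$d/phone_numbers"
        chmod o+x "$d" "$d/public_html"         # pass-through only, no listing
        chmod o+r "$d/public_html/index.html"   # the one file meant to be public
        chmod o+w "$d/public_html/notes.txt"    # a mistake the audit should flag
    )
    echo "$d"
}
```

Run `others_accessible "$HOME"` on a real account to see exactly which entries outsiders can reach; anything reported outside public_html deserves a `chmod o=`.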

For further information, see the Unix manual pages for chmod and ls.

man chmod
man ls