File Security

Notice of Policy Change

The default permissions of files in ECE domain has changed effective September 1, 1997. This will only effect new files and accounts created after September. The default permissions were readable by all. They are now readable by user only.

Default Permissions

The standard setting from the system cshrc file is ‘umask 066’, meaning the owner of the file has full privileges, and other people may traverse your directories but not read them or the files contained within them. Moreover, the permissions on home directories created after September 1997 will only allow read and write to the owner. If you wish to increase the security on your files to match the current policy, please type

chmod -R go-r ~

Users who wish to have the old behavior should, add the follow line to the top of their .cshrc file.

umask 022

and type the following line

chmod a+r ~

Be warned, this will allow any user to read files.

To give access to a file or directory to others for the purposes of sharing files or making a web page, type

chmod a+r <filename or directory>

File transfers should be through the /tmp directory, so do not make directories or files under your home directory writable to others. Users who are working on group projects that need to share files frequently should email for further instructions.

Do not under any circumstances give write access to your home directory as this will allow any user to impersonate you and read your files! They may login without a password to your account and do anything they want, including reading mail, erasing files, and forging mail.

Additional Security

Although the current umask will not allow reading of files, there are circumstances in which a file is created with less security. In those cases, it may be possible for another user to read that file because our default umask still allows for directories to be traversed. In these cases it may be desirable to have your directories non-traversable so that files can not be access even if they have read permission.

If you have sensitive files in your account, you can change the default setting to eliminate access by anyone else by adding the line,

umask 077

to your .cshrc file. To increase the security on an individual file, type

chmod go-rwx <filename or directory>

Comments are closed.