UNIX Accounts

This page discusses several issues involved in the security of UNIX accounts

• Passwords
• Security Attacks (Cracking)
• UNIX File Permissions
• Changing File Permissions

Passwords

Choose a good password for your account.

• Use some upper-case letters and special characters. A password consisting only of the 26 lower-case letters is too easy to crack. Modern computers can run through all the 26⁸ possibilites rapidly.
• Use a password that is not easily guessed. Not a word in any language. Not "frodo" or "batman" or the like. Not your birthday, social security number, or any other publically available personal information.
• Use a password that you can remember. Do not write it down.

Do not let other people use your account.

• Even if you share a toothbrush with someone, you should not share computer accounts.
• You are responsible for anything and everything done by your account unless access has been obtained illegally. If your significant other does something stupid with your account, you're responsible.
• Even if you trust someone completely and are sure they could never do anything embarrassing with your account, don't share your account. They may still do something stupid, like accidently erase all your files.

Protect the security of your password.

• Never reveal your UNIX password to anyone for any reason. This includes the system administrators, they do not need it. A common "social engineering" attack obtains passwords from naive users just by asking, pretending some official purpose. Don't be fooled.
• Be careful typing your password. Do not reveal it to persons who are "shoulder surfing".
• Do not send your password in the clear (unencrypted) over the internet. Use ssh rather than telnet or rlogin to access remote computers.
• Change your password (using the UNIX yppasswd command) if you think it has been compromised.

Security Attacks (Cracking)

Activites called "hacking" by the media and "cracking" by those knowledgeable about computers (see the entries cracker and hacker in the Jargon File) are forbidden. This includes using the accounts of other users, whether done by sophisticated attacks exploiting security holes or simply using a computer that another user has walked away from while logged in. It also includes other activities that attempt to learn about security holes, such as running crack, satan and the like.

If you're not sure what you can get away with, don't do it! Or at least ask the system administrators before you do it.

UNIX File Permissions

On computers running variants of the UNIX operating system (currently the HP workstations and the SGI server superior.stat.umn.edu) data privacy is controlled by the UNIX file permission system. If you understand file permissions, then you can control who can see each file you own.

If you do a long listing (ls -l) you see file permissions, for example

   isles% ls -l
   total 36
   drwxr-xr-x   2 charlie  faculty       24 May 20 12:31 Foo
   -rwxr-xr-x   1 charlie  faculty    16384 May 20 12:36 hello
   -rw-r--r--   1 charlie  faculty       76 May 20 12:36 hello.c

In the permissions, the first character says whether the file is a directory (d) or a plain file (-). The next nine characters are the permissions, which say who can do what to the file. From the man page

   +------------------ 0400  read by owner (r or -)
   | +---------------- 0200  write by owner (w or -)
   | | +-------------- 0100  execute (search directory) by owner
   | | |                     (x, s, S, or -)
   | | | +------------ 0040  read by group (r or -)
   | | | | +---------- 0020  write by group (w or -)
   | | | | | +-------- 0010  execute/search by group
   | | | | | |               (x, s, S, or -)
   | | | | | | +------ 0004  read by others (r or -)
   | | | | | | | +---- 0002  write by others (w or -)
   | | | | | | | | +-- 0001  execute/search by others
   | | | | | | | | |         (x, t, T, or -)
   | | | | | | | | |
   r w x r w x r w x

• The r permission allows the file to be read.
• The w permission allows the file to be written.
• The x permission allows the file to be executed.

For directories the meanings are slightly different.

• The r permission allows the directory to be read.
• The w permission allows the directory to be written.
• The x permission allows the directory to be listed.

All users must be aware that the default permissions allow anyone on the system to read most of their files. Only a few programs (mailers and netscape) make files readable only by the user. If you want to deny permission for other users to read your files, you must take explicit action.

Changing File Permissions

The UNIX command chmod changes file permissions. The UNIX command umask changes the default file permissions used when new files are created.

If you want to deny permissions for anyone else to look at any files you create (Warning: don't do this until you have read everything in this section!), put

   umask 77

   chmod -R og= ~

Before you do this, you should be warned that it is a bad idea. If no one can look at any of your files, then they can never help you with anything! Nor will e-mail work! Nor can you have a personal web page! A more selective approach is called for.

Make some subdirectories like Mail, Class, and the like. Put the files you want to keep private in them, and deny access to those directories with

   chmod -R og= Mail
   chmod -R og= Class

   chmod -R o= Class