Protect your files
Introduction
Permissions
The default permissions
Changing the permissions
Using UNIX
Using Windows NT
Using Windows 2000
Using Windows XP
Using MacOS 9
Using MacOS X
Your personal homepage
The hairy details: ACLs
Introduction
Your homedirectory is the location where you store your files
on the network. The actual data is stored on one of the central
fileservers. The FNWI fileservers are all Sun Solaris based (Sun's
UNIX implementation).
Different methods are used to access your homedirectory, depending on
the type of workstation you use.
On Windows systems your homedirectory is available to you through a
network disk that is always connected to drive letter "N:".
On Macintosh systems your homedirectory is available to you through
a network disk named "username on servername" located on the desktop.
On UNIX (Linux, Solaris, HPUX) your homedirectory is available to you
as "/home/username", or simply by issuing the "cd" command.
Permissions
The fileservers provide a simple, yet powerful, protection mechanism.
Every file and directory (folder) has three access permissions:
- the rights for the file owner,
- the rights for the group you belong to,
- the rights for all others in the faculty.
If you are a member of a research institute the group constitutes
the institute staff.
If you are working in the faculty organisation the group is the
department you work for (e.g., "fz", "pz" or "arbo").
The owner, the group and all others can have any combination of
access permissions from:
| permission | applied to file | applied to directory/folder |
| Read | read the file | see the contents |
| Write | modify the file | create/delete files and subdirectories |
| Execute | execute a program file | open the directory |
Note that the Execute permission has a different meaning for files and directories.
For a file, if the Execute permission is set, you can run (execute) the program. In
a graphical user interface you can double-click on it and the program starts executing.
For a directory, if the Execute permission is set, you can open the directory, which
is also accomplished by double-clicking on it when using a graphical user interface.
But unlike a normal file, to see the contents of a directory you must also have Read
permission, even when you are allowed to open it.
The default permissions
For all users the default permissions for your homedirectory are:
| User | Permission |
| Owner | Read + Write + Execute |
| Group | Execute |
| Others | Execute |
So the owner of the homedirectory (you) can do everything with it;
the group members and the others can only open the directory but not see
what's in it.
Although the group cannot see the contents of your homedirectory, you may
tell a member of the group the name of a file or directory in your homedirectory,
which they can then access if the permissions on that file or directory allow it.
The reason for giving others Execute permission to your homedirectory is
to allow the webserver to access the "public_html" subdirectory in your homedirectory
where you should store your personal homepage.
Changing the permissions
Before trying to change the permissions on your homedirectory, please make sure you
understand the permission system. Generally there is no need to change the permissions
for your homedirectory since permissions to it are configured once by the ICT group.
If you relax the permissions you may give access to users
within your department, or even to others. So be careful, and remember: it's your own
responsibility.
Changing the permissions to your homedirectory is achieved differently depending on
the workstation that you use.
Of course, this also applies to other directories and files that you own.
Using UNIX
On Solaris, Linux and HPUX workstations you change file and directory permissions
through the "chmod" command.
For example,
cd
chmod o+r .
will allow all users read access to your homedirectory, i.e., everybody can see
what's in there. Similarly, "chmod o-r ." will revoke this right. For tweaking the write and
execute permissions you use the characters "w" and "x". For example,
cd
chmod o+rwx .
will give everybody read, write and open permissions for your homedirectory, which
is a very bad idea.
To change your own permissions use the prefix "u" and for the group permissions use the
prefix "g". E.g., "chmod g+w ." and "chmod u+w .".
For more details on the chmod command, see "man chmod".
Some window managers (KDE, GNOME, etc.) allow you to select the "properties" window
for a file or directory which presents a graphical interface to the same permission system.
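To see whether earlier chmod commands have relaxed permissions too far, you can audit a directory tree for entries that the group or others may write to. The script below is an added example, not part of the original page; the function names are hypothetical and the sample tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page): audit a directory tree for
# entries that the group or all others may write to.

# Print every file and directory under $1 that has the group-write (020) or
# other-write (002) bit set. Symbolic links are skipped: their own mode bits
# are not used for access checks.
find_writable_by_others() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print | sort
}

# Remove group and other Write from everything the audit reports.
tighten() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Build a constructed sample tree and print its path. Call it inside $(...)
# so that the umask change stays in the subshell.
make_sample_tree() {
    umask 077
    t=$(mktemp -d) || return 1
    mkdir "$t/public_html" "$t/shared"
    : > "$t/notes.txt"
    : > "$t/shared/draft.txt"
    chmod 711 "$t"                   # default homedirectory permissions
    chmod 755 "$t/public_html"       # readable by the webserver
    chmod 777 "$t/shared"            # relaxed too far (as with "chmod o+rwx")
    chmod 664 "$t/shared/draft.txt"  # group may modify this file
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
echo "Writable by group or others:"
find_writable_by_others "$sample"
tighten "$sample"
echo "Still writable after tighten: $(find_writable_by_others "$sample" | wc -l)"
rm -rf "$sample"
```

To audit your own files, run find_writable_by_others on your homedirectory and review the list before calling tighten.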
Using Windows NT
- Open the explorer or "My computer"
- Right click on the icon or line of your home directory
- Choose the option "properties" (a dialog window appears)
- Choose the "Security" tab
- Choose "permissions" (the dialog window to the right will appear)
- The permissions can be changed by using the dropdown
menu behind "Type of access".
Using Windows 2000
- Open the explorer or "My computer"
- Right click on the icon or line of your home directory
- Choose the option "properties"
- Choose the "Security" tab (the dialog window to the right will be presented)
- The permissions can be changed by marking the option buttons in the lower pane.
Using Windows XP
- Open the explorer or "My computer"
- Right click on the icon or line of your home directory
- Choose the option "properties"
- Choose the "Security" tab (the dialog window to the right will be presented)
- The permissions can be changed by marking the option buttons in the lower pane.
Using MacOS 9
- select the icon of your home directory on the desktop
- click on "File", and choose "General info" or type command key + "i"
- choose the option "Sharing" (behind "show"), the dialog window to the right will be presented
- The permissions can be changed by clicking on the buttons under "privileges".
Note: the "execute" permission is not available.
Using MacOS X
- select the icon of your home directory on the desktop
- click on "File" and choose "Get info" or type command key + "i"
- Click on "Ownership and Permissions" (the dialog window to the right will be presented)
- The permissions can be changed by clicking on the buttons behind "Access".
Note: the "execute" permission is not available. However, when
using the "terminal application", the Unix chmod command may be used (see above under "Unix").
Your personal home page
If you want to create a personal homepage, you must create a subdirectory named "public_html"
in your homedirectory. If someone on the internet accesses
http://www.science.uva.nl/~username
the FNWI webserver will look in your homedirectory for a directory named "public_html". For this
to succeed you should give other users the open permission on your homedirectory (i.e., others should
have the Execute permission), since the webserver runs under the username of "nobody" and this
user is not in your group.
To serve your pages, the webserver user "nobody" must also have Read and Execute permissions
on the "public_html" directory, so that it can search in that directory.
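The following check compares a homedirectory and its "public_html" against the permissions described above: Execute only for others on the homedirectory, Read and Execute for others on "public_html". It is an added example, not part of the original page; the function names are hypothetical and the demonstration runs in a constructed temporary directory that stands in for /home/username.

```shell
#!/bin/sh
# Added example (not from the original page): check that a homedirectory and
# its public_html match the permissions described in the text above.

# True if PATH ($1) has all permission bits of the octal MODE ($2) set.
has_bits() { [ -n "$(find "$1" -prune -perm -"$2")" ]; }

# Print one line per deviation; return 0 if none, 1 if any, 2 if there is
# no public_html directory.
check_homepage() {
    home=$1 web=$1/public_html bad=0
    [ -d "$web" ] || { echo "$web: missing"; return 2; }
    # Others (which includes the webserver user) need Execute to open the
    # homedirectory, but neither Read nor Write on it.
    has_bits "$home" 001 || { echo "$home: others lack Execute"; bad=1; }
    has_bits "$home" 004 && { echo "$home: others can list contents"; bad=1; }
    has_bits "$home" 002 && { echo "$home: others can write"; bad=1; }
    # The webserver needs Read and Execute on public_html, never Write.
    has_bits "$web" 005 || { echo "$web: others lack Read+Execute"; bad=1; }
    has_bits "$web" 002 && { echo "$web: others can write"; bad=1; }
    return "$bad"
}

demo=$(mktemp -d)                  # constructed sandbox, not a real home
mkdir "$demo/public_html"
chmod 711 "$demo"
chmod 755 "$demo/public_html"
check_homepage "$demo" && echo "defaults: ok"
chmod 700 "$demo"                  # owner only: the webserver cannot enter
check_homepage "$demo" || echo "-> needs fixing"
rm -rf "$demo"
```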
The hairy details
File and directory permissions lie at the very core of operating systems and are part of the
filesystem semantics. Different operating systems have different filesystem semantics.
The filesystem semantics for Solaris, Linux, HPUX, MacOS X and other UNICES are all the same.
Windows and MacOS 9 have completely different filesystem semantics. We will not discuss
MacOS 9 here since it will soon be obsolete.
The Windows filesystem semantics lists the following permissions:
| permission | applied to file | applied to directory/folder |
| Read | read the file | see the contents |
| Write | modify the file | add items to the directory |
| Execute | execute a program file | open the directory |
| Delete | delete the file | delete the directory |
| Change Permission | change permissions | change permissions |
| Take Ownership | become owner | become owner |
In the Windows filesystem only the owner is recorded; unlike in UNIX there is no group
ownership associated with a file or a directory.
Windows ACLs
This leads to the question "how is it then possible to give a group access to a file or
directory?"
The file permissions are stored in so-called Access Control Lists or ACLs. To give a group
a permission to a file or directory you simply add the group to the ACL and give the group
one or more permissions. All this is done through the Security tab in the Properties window
of the file or directory.
UNIX ACLs
In view of the Windows ACL system, the UNIX file permissions seem inadequate. Not so: UNIX also
has ACLs, but many people don't know about them.
Consider the chmod command
chmod u=rwx,g=rx,o=x somedirectory
giving permissions to a directory "somedirectory". How can I give read and open access to this
directory for a user not in my group?
Enter the UNIX ACL system. Apply the following command to the "somedirectory":
setfacl -m user:someuser:r-x somedirectory
This adds the user "someuser" to the ACL controlling access to "somedirectory" and permits
read and open access.
UNIX ACLs use the same Read, Write and Execute permissions and extend the standard permission
system.
For more information on ACLs, see the manual pages for "setfacl" and "getfacl".