Posted on 02/27/2019 3:25:59 AM PST by ShadowAce
I remember the early days of the internet before WWW. Most of the time you were accessing UNIX systems. All text based using command lines. I remember logging into a server in Sarajevo during their civil war and thinking “well the country may be blown to hell but there is at least server running”.
"if our umask value is 022, then any new files will, by default, have the permissions 644 (666 - 022). Likewise, any new directories will, by default, be created with the permissions 755 (777 - 022)."
It is that third position that is important in this. The first octet refers to the Owner of the file, the second to the Group Owner, and the third to all Other users on the system. So, if you have a file with these permissions:
-rw-rw-r--
This means that the Owner can read and write to the file, any Group member can read and write to it, and all Other users on the system can read it.
Sometimes that's not really a problem from a security perspective, but I'd say that it is a bad habit to allow Other users to have access to any of your files by default. A better umask for this purpose would be 027, so by default if you create a file it will have permissions of 640 (-rw-r-----), and directories will have 750 (drwxr-x---).
Let's see what that looks like....
$ umask 0022 $ touch aaa $ mkdir aaaa $ ls -l -rw-r--r-- 1 amp amp 0 Feb 27 09:05 aaa drwxr-xr-x 2 amp amp 4096 Feb 27 09:06 aaaa $ umask 0026 $ touch bbb $ mkdir bbbb $ ls -l -rw-r--r-- 1 amp amp 0 Feb 27 09:05 aaa drwxr-xr-x 2 amp amp 4096 Feb 27 09:06 aaaa -rw-r----- 1 amp amp 0 Feb 27 09:22 bbb drwxr-x--x 2 amp amp 4096 Feb 27 09:22 bbbb $ umask 0027 $ touch ccc $ mkdir cccc $ ls -l -rw-r--r-- 1 amp amp 0 Feb 27 09:05 aaa drwxr-xr-x 2 amp amp 4096 Feb 27 09:06 aaaa -rw-r----- 1 amp amp 0 Feb 27 09:22 bbb drwxr-x--x 2 amp amp 4096 Feb 27 09:22 bbbb -rw-r----- 1 amp amp 0 Feb 27 09:22 ccc drwxr-x--- 2 amp amp 4096 Feb 27 09:22 cccc
Most would agree that it's better to have Other users have no access to their files by default. The downside is that if you're on a multiuser system and you do want to share files, you have to sometimes jump through extra hoops to do so. If you want others to have access to a specific file, you can always use chmod to change the file to less restricted settings....
$ chmod 644 ccc $ ls -l ccc -rw-r--r-- 1 amp amp 0 Feb 27 09:22 ccc $
Some programs check the permissions of it's files/directories. For instance the 'ssh' command will fail if your ~/.ssh directory is NOT set to 700 permissions. This makes sense as your encryption keys most emphatically should NOT be available to other users.
You can actually set even finer permissions if you want to on most modern Linux distros. For the advanced, and stout of heart look at the 'lsattr' command. It will allow you to lock a file down so much that not even the root user can delete/modify it.
For instance, for my own reasons, I really do not any program on my computer to mess with my DNS resolvers. If you look at my /etc/resolv.conf file, you'll see this...
$ ls -l /etc/resolv.conf -rw-r--r-- 1 root root 118 Jun 6 2018 /etc/resolv.conf $ lsattr /etc/resolv.conf ----i--------e-- /etc/resolv.conf $ sudo rm /etc/resolv.conf [sudo] password for zeugma: rm: cannot remove ‘/etc/resolv.conf’: Operation not permitted
Don't forget orphans and disowned processes!
Yup—I love ACLs. Although if you aren’t paying attention, they can cause some interesting times in your life, since they are not typically displayed in normal directory listings.
You and I appear to be rowing the same boat.
A common refrain among techie-types. Imagine being that sort of personality and getting a vindictive boss who punishes you by sending you to the call center to answer phones.
It sucks!
Huh?
This thread is about Linux specifically and Unix generally. Apple has nothing to do with it outside of the fact that MacOS is Unix and apple is a Unix contributor.
And I like my Mac, BTW.
More recently, there is an interesting extra code, which I occasionally know how to set and unset. When used, you end up with an extra “+” on the permissions, like:
-rw-r—r—+
I college, we used a version called “Multix”, which had some rudimentary machine-sharing properties; one particularly bad design had priorities that started “high”, and then would slowly lower until you had almost no priority, and then jump back to high.
People would get on the system, work 5 minutes, and then log off and back on, to get bumped back to the top of the queue.
I also remember using multix as my first word processor, using the “troff command.
The + sign means that ACLs have been set.
One of the reasons I like learning about Linux, is to hold on to my waning mental acuity. It's also the reason I've taken up music. YMMV. Thanks, S/A, for posting informative websites!
Next came Windows; I played around with Visual Basic, and did pretty good.
We had a visit from company headquarters in Japan, this was Fuji, who seemed excited about what I had created. He tooka CD of it back to Japan. Not long after, I got a nice gift from them. Banzai!
Next came Windows; I played around with Visual Basic, and did pretty good.
We had a visit from company headquarters in Japan, this was Fuji, who seemed excited about what I had created. He tooka CD of it back to Japan. Not long after, I got a nice gift from them. Banzai!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.