Here is an explanation of the UNIX file permission system.

Let's say I have a file called /homes/bell/goats/kinky that I want to
make damn sure nobody else can read. First cd to my goats directory by
typing (go ahead, do it)

    cd ~bell/goats

(note: ~bell is UNIX shorthand for user bell's home directory)

Now type

    ls -l

-rw-r-----  1 bell   8 Sep 12 13:09 kinkier
-rw-------  1 bell   9 Sep 12 13:08 kinkiest
-rw-r--r--  1 bell  61 Sep 12 13:07 kinky
 |  |  |
 |  |  |___ OH MY GOD! This little r right here indicates
 |  |       that the whole world (OTHERS) can READ my file!
 |  |
 |  |_____ This little r indicates that my GROUP can read
 |         the file. (Since my group is "general," this also
 |         means that just about everybody with an account on
 |         math can read my file.)
 |
 |________ This little r indicates that I, the USER, can read
           my own file and the little w means that I can write,
           i.e., edit, my file.

Go ahead and see for yourself. If you are still in my goats directory,
you can type

    more kinky

and you will see my file. (If you are not in my goats directory, you
will have to type more ~bell/goats/kinky)

Notice that if you type more kinkiest, you will get PERMISSION DENIED
because the absence of those little r's means that others and group
members do not have permission to read my file. (Only I and my Group
can read kinkier.)

To fix this embarrassing situation, I would cd to my goats directory
and type

    chmod og-r kinky

This "changes the mode" of my kinky file, taking away r=Read permission
from o=Others and g=Group members. (To give them back, I would type
chmod og+r kinky)

(Donu Arapura notes that if you create a file on your machine at home
and transfer it to the math dept SUNs via ftp (Fetch on a Mac), it will
be world readable by default. If the file is sensitive, you'll want to
make sure to log in and change permissions immediately.)

You now know enough to save yourself from leaking out sensitive
information (like promotion documents and qualifier exams).

However, there are some more facts about directory permissions and
permission defaults that you might want to know about.

If you use subdirectories to sort your files, you can make the entire
contents of the directory unreadable by making the directory itself
unreadable. For example, if you have a directory called "confidential,"
with filemode

    drwx------

it doesn't make a difference what the permissions are on files in that
directory, only you will be able to see them.

cd to my goat directory again and type

    ls -l -a

drwxr-xr-x  2 bell  512 Sep 12 15:44 ./         <-----+
-rw-r-----  1 bell    8 Sep 12 13:09 kinkier          |
-rw-------  1 bell    9 Sep 12 13:08 kinkiest         |
-rw-r--r--  1 bell  110 Sep 12 15:57 kinky            |
                                                      |
                                                      |
        This line describes the permissions on ./ (which is UNIX
        shorthand for the "present directory," i.e. goats).

drwxr-xr-x  2 bell  512 Sep 12 15:44 goats
|      | |
|      | |_____ This little x means that others can cd to goats
|      |
|      |_______ This little r means that others can ls goats
|
|______________ This d means that goats is a directory

(x stands for EXECUTE.)

To remove these permissions for Others and Group members, I would cd to
the directory that contains goats and type

    chmod og-rx goats

If you are constantly worried about security, you will want to change
your "umask" line in your .cshrc file. Here's what mine looks like:

    umask 077   # No access to anyone -- the most paranoid choice.

This makes all files I create or copy automatically have the -rw-------
permission (r and w for u=user only), and all directories I create have
the drwx------ permission. (But I can change them with chmod
afterwards.)

Here are the relevant lines in your .cshrc file to fix.

#umask 022   # Group and others may read and dir search (but not write).
#umask 027   # Group may read and directory search, but not others.
#umask 077   # No access to anyone -- the most paranoid choice.
|
|______ delete this little # to make your umask 077 and make sure
        the # is in front of the other umask lines.

The change takes effect the next time you log in.

Type

    man chmod

for more details. (See also the man pages for umask, ls, and groups.)

To see an explanation of the required file permissions for home pages
on the web, you can type

    more ~bell/pub/home_page

(or copy the file like this: cp ~bell/pub/home_page your_file_name)

Neil Carlson pointed out something I hadn't known about. It seems kind
of dumb to have groups if EVERYBODY belongs to the same "general" group
by default. I discovered how to change the group ownership of my files
to the smaller group "scv" of which I am a member. (Type
"finger your_login_id" to find out if you belong to any smaller
groups.) For example, if I want to change the group ownership of a file
called "myfile" to "scv," I would type

    chgrp scv myfile

If I want all the new files I create to have scv group ownership from
now on, I might even put the line

    newgrp scv

in my .cshrc file. Type "man chgrp" and "man newgrp" for more details.

-Steve Bell
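
The chmod og-r fix, the drwx------ directory rule and the umask 077 default described above, replayed in a scratch directory. This is an added example, not part of Steve Bell's original text; it is written for sh rather than csh, and the function names mode_of and exposed_files and the file confidential/notes are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Paths and file contents are
# constructed; everything happens in a scratch directory removed on exit.

# The 10-character mode string that ls -l prints for a path.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Regular files under $1 that group or others can read. Directories with no
# x bit for group and others are skipped: nobody else can reach files in them.
# Only $1 and below are examined, not the directories above $1.
exposed_files() {
    find "$1" -type d ! -perm -010 ! -perm -001 -prune -o \
        -type f \( -perm -040 -o -perm -004 \) -print | sort
}

demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT

umask 022                           # new files: -rw-r--r--, new dirs: drwxr-xr-x
mkdir "$demo/goats"
echo secret > "$demo/goats/kinky"

umask 077                           # new files: -rw-------, new dirs: drwx------
echo secret > "$demo/goats/kinkiest"
mkdir "$demo/goats/confidential"

umask 022                           # a world-readable file inside a closed directory
echo secret > "$demo/goats/confidential/notes"

for p in kinky kinkiest confidential confidential/notes; do
    printf '%s  %s\n' "$(mode_of "$demo/goats/$p")" "$p"
done

# A umask only shapes files created later; kinky already exists and needs chmod.
echo "exposed before chmod: $(exposed_files "$demo/goats")"
chmod og-r "$demo/goats/kinky"      # the fix from the page
echo "exposed after chmod:  $(exposed_files "$demo/goats")"
```

Before the chmod only kinky is reported: confidential/notes has mode -rw-r--r-- but sits inside a drwx------ directory, which is the case the directory paragraph describes.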