This draft is under construction. Comments welcome
An account on a networked unix machine is quite different
from an isolated, non-networked personal computer.
There are a few issues of which all users should be aware.
Each file and each directory can have permissions set
to specify who may read, who may write (or modify)
and who may execute (in the case of a program) or search
(in the case of a directory).
Commands to know:
- ls -l List directory and permissions
- chmod Change permissions
- umask Set default permissions
- To set a file read/write by owner, read by others:
chmod 0644 file
- To set a file read/write by owner, unreadable by others:
chmod 0600 file
- To set a directory read/write/search by owner, unreadable by others:
chmod 0700 ~/letters
- To set your top-level directory so no one may see anything:
chmod 0700 ~
- To set your default file protection so no one may see anything:
Add a line to your file ~/.cshrc
N.B. The default mask of 022 (if you
do nothing) allows others to read but not modify.
- If you are uncomfortable with all this unix nonsense and
want to be sure to be left alone, do the preceding two
steps and protect everything.
- Many users choose to keep their top level directories
chmod 0755 ~ ) and to protect
Information available to local users
The following information may be available to
users with an account on the system:
Commands to know:
- Who is currently logged in and where
- When a user last logged in, where he or she logged in from,
whether there is any unread mail for a user, when a user last read mail
- All previous logins and locations for any user
- Processes currently running for each user
- Parameters of those processes. Note that this can include
information like file names and directory names
even if the contents of the files and directories are protected.
It also includes shell environment variables.
- Who you are sending mail to if the recipient's machine is down.
(Anyone know how to block this?)
- ps -aux Show all processes
- finger Who is logged on
- w Who is logged on
- last Last logins (try
- xlast - Last logins from an X terminal
- mailq - Unsent mail in the outgoing queue
- netstat All open network connections
Information available to outsiders
Some information about you and your activities is
available to anyone on the internet.
This can be useful. If you want some information
about you to be public if you are "fingered" put it
in a file "~/.plan" and/or "~/.project" in your
home directory. N.B. This doesn't work if the top
level directory is protected.
In addition, it is possible that virtually any network
activity you initiate could be logged by remote computers.
It may be logged by originating host only or by host
This includes all transfers by WWW, anonymous FTP
and e-mail servers. It certainly includes telnet
and regular FTP connections; it could included finger
requests, name lookup requests, anything.
While most servers treat transaction
information confidentially, as do libraries, they
are under no obligation to do so.
Commands to know:
Information available to system administrators
A very limited number of individuals responsible for
system maintenance have "root" or system-level access.
Anyone acting as "root" has in principle access to almost
anything on the system, including the contents of protected
files, unless the files are encrypted.
As a matter of strict policy, our system administrators never
examine the contents of any file without the express permission
of the owner at the time it is inspected. There are
a few technical exceptions:
- "Dot files" that affect system configuration and security
shouldn't be considered private property: think of them as shared
between you and "root".
Files such as ".rhosts", ".forward", ".vacation", ".login", ".logout"
can compromise security and privacy for all users. They
will be scanned without notice. In fact, ".rhosts" files
may be removed unless you've made prior arrangements.
Other files affecting individual setup (".cshrc", ".xsession",
for example) may on rare occasions have to be modified
for changes in system software.
- Mail that "bounces" back due to a bad address sometimes
ends up in the root mailbox.
All of the above referred to legitimate users.
Unfortunately the Internet, like any community,
has its share of criminals, vandals and jerks.
If they get in the door at all, expect
that they will get hold of root privileges
and then some. They may destroy data or lock users out
or just booby trap the system software and come back later.
At the very least, a confirmed break-in may
require disconnecting every machine in the group for
one or more days until all software can be reinstalled
from scratch and all files can be checked for trap doors.
This happened not long ago at SLAC.
Keeping the bad guys out depends on EVERYONE.
This can't be overemphasized enough.
The first line of defense is your password.
Choose it well.
You might want to
about passwords and how to select them.
A powerful tool in network "cracking" is the use
of "packet sniffers." Information sent over the network
is bundled up in little packets, addressed
to the destination machine, and sent out over a big party
line called Ethernet. Every machine that shares a wire
along the route of the packet can read it.
They're not supposed to if it isn't addressed to them,
of course. But that is what packet sniffing programs do.
They read, for example,
the password you type when you telnet to Brown over
the Internet from a remote site. They read everything
going between an X terminal and its host.
This means that if one machine in the department is broken
into and a packet sniffer is installed secretly, everything
from every computer (on the same subnet) is potentially
vulnerable to being read.