UNIX File Protection Overview (cont.)
YOUR HOME DIRECTORY
When we create your account, we make a "home directory" for you to store your files. We make you the owner of this directory, and when you log in, this is your base of operations. To keep everyone else out, we ordinarily chmod your home directory to 700 (drwx------), so that only you (and the superuser) have any access. This makes the permissions on the other objects in your account inconsequential, because no one else can get past your home directory to even try to access anything.
Some folks find this too restrictive because they have files that they want other users to be able to read, copy, or execute. For example, if another user wants to get more information about you, they can use the "finger" command. This command prints information about you and also prints the files ".plan" and ".project" in your home directory. However, if your home directory is protected, then when other users "finger" you, they won't see your ".plan" or ".project". So if you want to allow other users into your home directory, you should "chmod 755 $HOME".
Beware that once you remove this firewall, you are relying on the access modes of your individual objects for protection. Chances are that you do not have anything writable by anyone other than you. However, everything in your account is probably readable by group and other. With a little work you can still maintain some privacy. An easy way to protect private files is to create a new directory, move sensitive files in there, and protect the directory with "chmod 700 dir".
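The following script, added here as an illustration and not part of the original overview, lists what "other" users can reach under a directory, skipping any subdirectory that denies them execute access. The function names and the temporary sandbox standing in for $HOME are assumptions made for the example.

```shell
#!/bin/sh
# Added example: which entries can "other" users reach under a directory?
# A directory without other-execute (such as 700) blocks everything below
# it, so it is pruned. Elsewhere, entries with other-read set are printed.
list_other_readable() {
    ( cd "$1" &&
      find . -type d ! -perm -001 -prune -o -perm -004 -print | LC_ALL=C sort )
}

# Constructed sandbox standing in for $HOME; real files are never touched.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/private"
    echo "my plan" > "$sb/.plan"
    echo "draft"   > "$sb/diary"
    echo "secret"  > "$sb/private/notes"
    chmod 644 "$sb/.plan" "$sb/diary" "$sb/private/notes"
    chmod 700 "$sb/private"   # the "chmod 700 dir" private area
    chmod 700 "$sb"           # protected home, as accounts are created
    echo "$sb"
}

sandbox=$(make_sandbox)
echo "home at 700:"; list_other_readable "$sandbox"   # nothing is reachable
chmod 755 "$sandbox"
echo "home at 755:"; list_other_readable "$sandbox"   # private/ stays hidden
rm -rf "$sandbox"
```

Run against your real home with `list_other_readable "$HOME"` after a "chmod 755 $HOME" to see which files now depend on their own access modes.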
SHARED WRITE ACCESS FOR A GROUP OF USERS
Sometimes a group of people want to have shared write access to a directory of files in order to collaborate on a project, but they don't want anyone outside the group to have access. To accomplish this, give your system administrator the login IDs of the users that belong in the group. You and the system administrator should decide on a name for the group. When the new group is ready, you need to log in again, as this adds the group to the list of groups that you belong to.
Create a directory to contain the project and chgrp the directory to your group with "chgrp groupname dir". You want to allow group members to create and delete files in the directory, so you need to grant group read, write and execute access. Use "chmod 775 dir" (or you could use 770 to completely disable "other" access). To be sure that new objects have the correct group, you need to enable "set group" mode on the shared directory (it may already be). Use "chmod g+s dir".
If your home directory is protected, then your collaborators cannot get past it to get to the shared directory, so you need to open up your home directory. If you only want to let group members into your home directory, then you should change its group with "chgrp groupname $HOME" and then allow group read and execute access with "chmod 750 $HOME". You could use 710 if you don't want group members to be able to list the contents of your home directory.
When working in the shared directory, you want anything that you create to have group write access by default. Change your umask to allow this with "umask 002". You could also use 007 to completely disable any "other" access. Note that when outside the shared area, you probably do not want to create objects with group write access, so you should set your umask back to 022.
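The shared-directory steps above, collected into a script as an added example (not part of the original overview). It works in a temporary directory and uses one of your own groups in place of the project group, and the helper names are assumptions. It also shows how a file created under umask 022 becomes the "bad file" described next.

```shell
#!/bin/sh
# Added example: shared project directory with set-group mode and umask.
mode_of() { ls -ld  "$1" | cut -c1-10; }           # e.g. drwxrwsr-x
gid_of()  { ls -ldn "$1" | awk '{print $4}'; }     # numeric group id

# Stand-in for the project group: a supplementary group we may chgrp to,
# otherwise our primary group. $1 is a directory we own, used as a probe.
pick_group() {
    for g in $(id -G); do
        if [ "$g" != "$(id -g)" ] && chgrp "$g" "$1" 2>/dev/null; then
            echo "$g"; return 0
        fi
    done
    id -g
}

# $1 = shared directory, $2 = group
setup_shared() {
    mkdir -p "$1" &&
    chgrp "$2" "$1" &&
    chmod 775 "$1" &&    # or 770 to disable "other" access completely
    chmod g+s "$1"       # new objects take the directory's group
}

work=$(mktemp -d)
grp=$(pick_group "$work")
setup_shared "$work/project" "$grp"
( umask 002; : > "$work/project/shared.txt" )   # umask set for shared work
( umask 022; : > "$work/project/badfile" )      # umask left at the default
for f in project project/shared.txt project/badfile; do
    echo "$(mode_of "$work/$f") gid=$(gid_of "$work/$f") $f"
done
rm -rf "$work"
```

Both files carry the directory's group, but only the one created under umask 002 is group-writable.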
If one of your collaborators ever inadvertently creates a file that denies you write access, and you need to modify it, you can get around the problem if you have write and execute access on the directory and read access on the file. Make a copy of the bad file. You own the copy, so you can correctly set the permissions on it. Remove the original, which is legal because you have write access on the directory. Rename the copy to the original name and your problem is solved. To summarize:
cp badfile myfile
chmod 664 myfile
rm badfile
mv myfile badfile
INSTRUCTORS, STUDENTS, AND CLASS ACCOUNTS
Unfortunately, Unix does not handle classroom situations very well. There is no concept of hierarchical access where the instructor has access to all student files, but the students only have access to their own files. The usual precautions that students use to keep others from copying or stealing their work also keep the instructor out. Furthermore, security guidelines are voluntary, because students have the power to change the access modes of anything they own.
Restricting access based on group is the closest Unix can come to hierarchical access. The system administrator creates a group of instructors. Each student has a directory for storing classwork; its group is the instructor group and its permissions are 750. This allows read, write, and execute access for the student (user modes) and read and execute access for the instructor (group modes). No "other" users have access to the directory. Note that the superuser must chgrp the classwork directories, because students are not members of the instructor group.
Rather than go to all this trouble, here is the simplest solution by far. If a student needs help, he logs in to his account at the instructor's workstation and then the instructor uses this session to give assistance. To turn in assignments, students mail them to the instructor electronically.