[Look, I'm a newbie, OK?]
My computer -- SuSE 8.2 (and no other OS), for exclusive use by me -- is totally unsecured. It's lucky that I don't keep my credit card numbers on it. But I do keep other numbers on it, so. . . .
Today I finally ran out of excuses for not using chmod (or similar). Rather than attempting to make some sweeping change, and therefore perhaps messing up in grand style, I wandered down close to a few minor twigs of a directory tree of stuff (XyWrite and text files, mostly) imported from my old 'Doze system, and typed
chmod -v -R 600 *
I quickly discovered the mistake there: a subdirectory has to be executable. Thus I had to follow up with
chmod 700 subdirectoryname
The Linux guides I've looked at -- quite a pile of them! -- are keen to explain how to use chmod for this or that file, but don't talk explicitly about trees that may include thousands of files. None of the stuff in this tree is for the eyes of anyone other than me and my good friend Mr Root. I can't see anything wrong with going to the top and typing
chmod -R 700 *
but I find something aesthetically (?) displeasing about "executable" text files.
Well, I've started by going to /home and, since I'm "peter", typing
chmod 700 peter
Is that enough? (I doubt it.) If not, what's the recommended procedure?
(I do realize that there are many other major security considerations as well, but I'm not asking for a potted guide to Linux security. For now, just permissions.)
On Tue, Jul 15, 2003 at 06:26:36PM +0900, peter@despammed.com wrote:
[Look, I'm a newbie, OK?]
My computer -- SuSE 8.2 (and no other OS), for exclusive use by me -- is totally unsecured. It's lucky that I don't keep my credit card numbers on it. But I do keep other numbers on it, so. . . .
Today I finally ran out of excuses for not using chmod (or similar). Rather than attempting to make some sweeping change, and therefore perhaps messing up in grand style, I wandered down close to a few minor twigs of a directory tree of stuff (XyWrite and text files, mostly) imported from my old 'Doze system, and typed
chmod -v -R 600 *
A better way of doing this would be:
chmod -R go-rwx *
As this will remove read, write and execute permission for "group" and "other".
[snip]
Is that enough? (I doubt it.) If not, what's the recommended procedure? [snip]
Others have suggested combining "find" with "chmod"; this is probably what you want to do to recover the situation. Read some stuff about 'umask', since this might help you avoid having to do these permission changes in the first place...
--
David Smith        | Tel: +44 (0)1454 462380   Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 617910   Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380            GPG Key: 0xF13192F2
Almondsbury        | Work Email: Dave.Smith@st.com
BRISTOL, BS32 4SQ  | Home Email: David.Smith@ds-electronics.co.uk
Thank you, Peer, Rikard, and Dave.
find $HOME -type d -exec chmod 0700 {} \;
find $HOME -type f -exec chmod 0600 {} \;
This seems to be what I want.
If you are proficient in PERL or bash programming (which I ain't) you ought to be able to write a small script that checks the 'file' status on each file and acts correspondingly to each and every type.
That looks good, and I'll bear it in mind -- but for now, it's a lot more than I want. I don't know about you, but back in the days of small partitions (or, strictly, logical drives) I started with all My Own Stuff (written, photographed, etc. by me; as opposed to others' software, fonts, etc.) in E: or G: or something. This migrated to one directory (plus descendants) from the root directory of one drive, and now I just want to plonk the whole lot in one directory tree of the drive of this SuSE system and not worry about others snooping around. (Of course, I must also make sure that the system can't be booted from a diskette, etc. etc.) Meanwhile, if they want to read OpenOffice.org helpfiles, etc., they're welcome.
chmod -v -R 600 *
A better way of doing this would be:
chmod -R go-rwx *
As this will remove read, write and execute permission for "group" and "other".
I may understand even less than I realize, but it seems to me that this is a description of "chmod -R 600 *" as well. Ah, the Bash shell. It's good; I'm not knocking it -- but I do rather wish that (as in Take Command) ".../" could be used for "../../", "..../" could be used for "../../../", etc. Still, I'm sure that if I were migrating in the opposite direction, I'd be cursing Take Command (which of course is a lot more limited).
Small self-correction:
chmod -v -R 600 *
A better way of doing this would be:
chmod -R go-rwx *
As this will remove read, write and execute permission for "group" and "other".
Me with foot in mouth:
I may understand even less than I realize, but it seems to me that this is a description of "chmod -R 600 *" as well.
WRONG! As realized milliseconds after hitting the "send" button. (Which I say only to prevent others from wasting their time correcting me.)
On Tue, Jul 15, 2003 at 07:18:39PM +0900, peter@despammed.com wrote:
David Smith wrote:
A better way of doing this would be: chmod -R go-rwx *
As this will remove read, write and execute permission for "group" and "other".
I may understand even less than I realize, but it seems to me that this is a description of "chmod -R 600 *" as well.
The difference is that with "600", you set the "user" permissions as well as "group" and "other". If you use "go-rwx" then it will leave the "user" permissions alone. "600" is the equivalent of "u=rw,go=".
Ah, the Bash shell. It's good; I'm not knocking it -- but I do rather wish that (as in Take Command) ".../" could be used for "../../", "..../" could be used for "../../../", etc. Still, I'm sure that if I were migrating in the opposite direction, I'd be cursing Take Command (which of course is a lot more limited).
This is more of a Unix thing, rather than a bash thing, but yes, I agree - I thought of it myself a few years ago, but I didn't realise that anyone else had actually implemented it...
--
David Smith          Work Email: Dave.Smith@st.com
STMicroelectronics   Home Email: David.Smith@ds-electronics.co.uk
Bristol, England     GPG Key: 0xF13192F2
You could always enter the following aliases in your .bashrc file
alias '.../'='../../'
alias '..../'='../../../'
and as many more as you see fit.
Basil Fowler
On Tuesday 15 Jul 2003 10:18, Peter Evans wrote:
Thank you, Peer, Rikard, and Dave.
Ah, the Bash shell. It's good; I'm not knocking it -- but I do rather wish that (as in Take Command) ".../" could be used for "../../", "..../" could be used for "../../../", etc. Still, I'm sure that if I were migrating in the opposite direction, I'd be cursing Take Command (which of course is a lot more limited).
Peter Evans wrote:
[Look, I'm a newbie, OK?]
We all were once.
My computer -- SuSE 8.2 (and no other OS), for exclusive use by me -- is totally unsecured. It's lucky that I don't keep my credit card numbers on it. But I do keep other numbers on it, so. . . .
Today I finally ran out of excuses for not using chmod (or similar). Rather than attempting to make some sweeping change, and therefore perhaps messing up in grand style, I wandered down close to a few minor twigs of a directory tree of stuff (XyWrite and text files, mostly) imported from my old 'Doze system, and typed
chmod -v -R 600 *
I quickly discovered the mistake there: a subdirectory has to be executable. Thus I had to follow up with
chmod 700 subdirectoryname
The Linux guides I've looked at -- quite a pile of them! -- are keen to explain how to use chmod for this or that file, but don't talk explicitly about trees that may include thousands of files. None of the stuff in this tree is for the eyes of anyone other than me and my good friend Mr Root. I can't see anything wrong with going to the top and typing
chmod -R 700 *
but I find something aesthetically (?) displeasing about "executable" text files.
Well, I've started by going to /home and, since I'm "peter", typing
chmod 700 peter
Is that enough? (I doubt it.) If not, what's the recommended procedure?
Well what I would do, if you want to remove all permissions for group and others, is to use the ability of the chmod(1) command to add/remove permissions. In your particular example I would do something like:
$ cd
$ chmod -R go-rwx .
What that means is do a recursive chmod from the current directory (.) downwards, applying the rule 'go-rwx'. This rule tells chmod to remove r, w and x permissions for group and others, but leaving those of the user untouched. This also means that executables do not end up non-executable, or ordinary text files ending up as executable.
Here's two files:
-rw-r--r-- 1 bruce users 0 Jul 15 11:05 jink
-rwxrwxr-x 1 bruce users 0 Jul 15 11:05 jonk
Now run the command:
$ chmod go-rwx jink jonk
The files are now:
-rw------- 1 bruce users 0 Jul 15 11:05 jink
-rwx------ 1 bruce users 0 Jul 15 11:05 jonk
Think this is what you need.
Cheers,
-Bruce
Peter, et al --
...and then Peter Evans said...
%
% [Look, I'm a newbie, OK?]
No problem. We like newbies :-)
%
% My computer -- SuSE 8.2 (and no other OS), for exclusive use by me -- is
% totally unsecured. It's lucky that I don't keep my credit card numbers
% on it. But I do keep other numbers on it, so. . . .
Besides, there's a principle here!
%
% Today I finally ran out of excuses for not using chmod (or similar).
% Rather than attempting to make some sweeping change, and therefore
% perhaps messing up in grand style, I wandered down close to a few minor
% twigs of a directory tree of stuff (XyWrite and text files, mostly)
Excellent plan.
% imported from my old 'Doze system, and typed
%
% chmod -v -R 600 *
Heh.
%
% I quickly discovered the mistake there: a subdirectory has to be
% executable. Thus I had to follow up with
Yep :-)
%
% chmod 700 subdirectoryname
OK.
%
% The Linux guides I've looked at -- quite a pile of them! -- are keen to
% explain how to use chmod for this or that file, but don't talk
% explicitly about trees that may include thousands of files. None of the
A good concept to understand is 'recursion'. It comes up in *NIX all of the time. The nice thing about understanding it is that you suddenly understand the process for trees with thousands of files :-)
% stuff in this tree is for the eyes of anyone other than me and my good
% friend Mr Root. I can't see anything wrong with going to the top and typing
%
% chmod -R 700 *
%
% but I find something aesthetically (?) displeasing about "executable"
% text files.
Ewww. Ick, indeed.
%
% Well, I've started by going to /home and, since I'm "peter", typing
%
% chmod 700 peter
%
% Is that enough? (I doubt it.) If not, what's the recommended procedure?
To keep people out? Yep. Nobody except root and you can get through that bottleneck, so unless you hardlink a file out to an open tree you should be fine.
[Anyone who can hack his way in through that single point will also be able to see past any other permission barriers you erect, so worrying about what's below isn't particularly important.]
%
% (I do realize that there are many other major security considerations as
% well, but I'm not asking for a potted guide to Linux security. For now,
% just permissions.)
Good enough.
A good place to start is the chmod man page, accessed by
man chmod
and excellent reading. [In fact, although some people decry man pages and even I have occasional trouble with the sed man page, they are usually quite straightforward and VERY informative. It's a shame GNU has abandoned man for their texinfo garbage.] In it you'll find a discussion of symbolic modes (letters of permission groupings) versus absolute modes (the numbers you used above). In particular, I'm surprised nobody has mentioned the X bit settings; it's perfect for recursing down trees.
HTH & HAND
:-D
--
David T-G                          * There is too much animal courage in
(play) davidtg@justpickone.org     * society and not sufficient moral courage.
(work) davidtgwork@justpickone.org   -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
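Added example, not written by any poster in this thread: a shell script that applies the three approaches mentioned above (the find pair, go-rwx, and the X bit) to a constructed sample tree and reports the resulting modes, so the differences can be compared side by side. The tree layout, file names and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; every path and file name below is constructed sample data.

mode_of() { ls -ld "$1" | cut -c1-10; }   # mode string, e.g. drwx------

# Sample tree: permissive modes, plus one directory left at 600 the way an
# earlier "chmod -R 600 *" would leave it (kept empty so it stays harmless).
make_tree() {
    mkdir -p "$1/docs/letters" "$1/docs/broken"
    printf 'hello\n' > "$1/docs/letters/note.txt"
    printf '#!/bin/sh\necho backup\n' > "$1/docs/backup.sh"
    chmod 755 "$1" "$1/docs" "$1/docs/letters" "$1/docs/backup.sh"
    chmod 644 "$1/docs/letters/note.txt"
    chmod 600 "$1/docs/broken"
}

# 1. The find pair from the thread: absolute modes chosen by file type.
#    Repairs directories, but also strips execute from real scripts.
lock_with_find() {
    find "$1" -type d -exec chmod 0700 {} +
    find "$1" -type f -exec chmod 0600 {} +
}

# 2. Symbolic removal: strips group/other and never touches the owner bits,
#    so a directory whose owner execute bit is already gone stays broken.
lock_with_go_minus() { chmod -R go-rwx "$1"; }

# 3. Capital X: execute only for directories and for files that already
#    had an execute bit set.
lock_with_X() { chmod -R u=rwX,go= "$1"; }

# Modes of: letters/  broken/  note.txt  backup.sh
report() {
    echo "$(mode_of "$1/docs/letters") $(mode_of "$1/docs/broken")" \
         "$(mode_of "$1/docs/letters/note.txt") $(mode_of "$1/docs/backup.sh")"
}

compare() {
    base=$(mktemp -d) || return 1
    for how in lock_with_find lock_with_go_minus lock_with_X; do
        make_tree "$base/$how"
        "$how" "$base/$how"
        printf '%-20s %s\n' "$how" "$(report "$base/$how")"
    done
    rm -rf "$base"
}
compare
```

Note that X keeps execute on any file that already had it, so files imported with every execute bit set would stay executable under the third approach.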
participants (5)
- Basil Fowler
- Bruce Munro
- Dave Smith
- David T-G
- Peter Evans