Using Secure File Permissions
You need to keep the files in your account secure so unauthorised people can't read, edit, delete or run them.
You do this by managing Unix file permissions attached to them.
Most importantly: never make anything world-writable, as that's a huge security risk.
Any world-writable files will have that permission removed automatically overnight.
What permissions should I set?
This depends on whether you need to give other people access to your files, or put anything in your public_html directory.
Completely private, no public_html
This is the simplest case:
- Your home directory: 700 or rwx------
- All other directories: 700 or rwx------
- Scripts and programs: 700 or rwx------
- All other files: 600 or rw-------
Completely private, but with files in public_html
Your home directory and public_html directories need to be world-executable, and the files in public_html need to be world-readable.
This is because the webserver runs as a different user, and needs to be able to traverse into public_html and read the files there.
Set permissions as above, except:
- Your home directory: 701 or rwx-----x
- public_html: 701 or rwx-----x
- Directories in public_html: 701 or rwx-----x
- Files in public_html: 604 or rw----r--
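The following script is an added example, not part of the original page: it applies the "completely private, but with files in public_html" layout above to one home directory and then counts world-writable entries (the ones that would lose that bit overnight). The function names and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page). Applies the private-with-public_html
# layout to a home directory and audits for world-writable entries.
# Function names and the path argument are this example's own.

# Print a path's mode in octal (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Apply the recommended modes to the home directory given as $1.
apply_private_with_public_html() {
    home="$1"
    pub="$home/public_html"
    # Outside public_html: directories 700, owner-executable scripts 700,
    # everything else 600. public_html is pruned and handled separately.
    find "$home" -path "$pub" -prune -o -type d -exec chmod 700 {} +
    find "$home" -path "$pub" -prune -o -type f -perm -u+x -exec chmod 700 {} +
    find "$home" -path "$pub" -prune -o -type f ! -perm -u+x -exec chmod 600 {} +
    # Inside public_html the webserver must traverse (x) and read (r).
    if [ -d "$pub" ]; then
        find "$pub" -type d -exec chmod 701 {} +   # rwx-----x
        find "$pub" -type f -exec chmod 604 {} +   # rw----r--
    fi
    # The home directory itself: traversable by the webserver, nothing more.
    # Done last because the first find above also matched "$home" itself.
    chmod 701 "$home"
}

# Count entries under $1 that are world-writable (symlinks excluded).
# After apply_private_with_public_html this should be 0.
world_writable_count() {
    find "$1" ! -type l -perm -o+w | wc -l | tr -d ' '
}

# Usage: sh this_script.sh /path/to/home
if [ $# -gt 0 ]; then
    apply_private_with_public_html "$1"
    echo "world-writable entries remaining: $(world_writable_count "$1")"
fi
```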
Shared directories
To share files with other members of a group you're in, your home directory needs to be group-executable, so group members can traverse into the shared directory.
It's really important that you don't make your whole home directory readable or writable by others - it's a huge security risk, and can lock you out of your account.
- Your home directory: 710 or rwx--x--- (or 711 / rwx--x--x if you're using public_html)
You will need to chgrp shared files and directories to the group, then make them group-readable / writable / executable as appropriate:
Read only
- Shared directories: 750 or rwxr-x---
- Shared scripts and programs: 750 or rwxr-x---
- All other shared files: 640 or rw-r-----
Group-writable
- Shared directories: 770 or rwxrwx---
- Shared scripts and programs: 770 or rwxrwx---
- All other shared files: 660 or rw-rw----
Utility and course accounts
For these accounts, it's reasonable to set group-read on the account home directory, so that group members can browse the contents:
- Account home directory: 750 or rwxr-x--- (or 751 / rwxr-x--x if you're using public_html)
Once again, however, don't make the home directory group-writable.
For files and directories within the account home directory, set permissions as for shared files in the section above.
You may want to set the setgid bit on those directories (2771 / g+s) so that files created there are group-owned automatically.