Note: This document is based on an article that appeared in the CIS newsletter, Occasional Downtime.
The first step in protecting your data is to become familiar with the concept of file protection. On a multi-user system all of your files have protection levels associated with them. These specify what degree of access you and other users have to your files. By setting file protections, you can control who can read, write and execute your files. Protecting your directories and files is an important step in preventing your data from being changed or deleted by accident or by a malicious user.
File protections are usually associated with different categories of users. For instance, a file always has an owner who is the person who created it. Each file is also assigned to a group which is just a collection of users. For example, some of the groups defined on Odin include students (for all students), ac (for the CIS staff), and sysadmin (for the Odin system administrators). Each user has a default group which is the group that a file belongs to when it is created by that user.
File Protection in UNIX
To see the protections on your files in UNIX, type ls -l. The third column of each line shows the owner of the file and the fourth column shows the file's group. The first column indicates the protections, and will look something like -rw-r--r--. If the first character of this column is a 'd', then the entry is a directory; if it is a '-', then the entry is a file. The next three characters indicate the permissions granted to the owner of the file. The three positions indicate read, write, and execute access, respectively. If the permission is enabled, an r, w, or x will appear in the corresponding space; if not there will be a dash. The next three characters are organized the same way, but specify the permissions for members of the file owner's group. The last three specify permissions for "world", that is, any other user who is not in the owner's group. So, in the above example, the file owner would be able to read the file and write to the file, while all other users would only be able to read the file.
The chmod command is used to modify the permissions on a file. It is used by specifying which set or sets of permissions should be modified, followed by how the permissions should be changed, and finally a file or list of files to apply the changes to. When specifying which user category's permissions are being modified, u (for user) specifies the owner, g specifies the group, o (for other) specifies world, and a specifies all. A minus sign indicates that permissions should be removed, a plus sign indicates that they should be added and an equals sign indicates that the specified permissions should be added, while removing all others for that user category. Read, write, and execute permissions are specified by r, w, and x, respectively. For example, the command chmod go-rx homework.cpp would remove read and execute access for group and world for the file homework.cpp.
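The +, - and = operators described above, applied in sequence to a scratch file, followed by a check for files that group or world can write to. This is an added example, not part of the original article; the function names perms, chmod_steps and writable_by_others are hypothetical, and all files are constructed in a temporary directory.

```shell
# Constructed example: every file is created in a scratch directory.

# perms FILE: print the 10-character protection string that ls -l shows.
perms() {
    ls -ld "$1" | cut -c1-10
}

# chmod_steps MODE...: create a scratch file with no permissions, apply each
# symbolic mode in order, and print the protection string after each step.
chmod_steps() {
    dir=$(mktemp -d) || return 1
    file="$dir/homework.cpp"
    : > "$file"
    chmod a= "$file"        # '=' with nothing after it clears every permission
    for mode in "$@"; do
        chmod "$mode" "$file" || { rm -rf "$dir"; return 1; }
        printf '%-10s %s\n' "$mode" "$(perms "$file")"
    done
    rm -rf "$dir"
}

# writable_by_others DIR: list regular files under DIR that group or world
# can write to, i.e. files that someone other than the owner could change.
writable_by_others() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# '=' sets exactly the listed permissions, '-' removes, '+' adds.
chmod_steps u=rw,go=r go-rx u+x a=r
```

Running writable_by_others on your own directory prints nothing when no file there can be changed by another user.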
File Protection on VMS
In VMS, the command DIR/SECURITY will show file and directory protections. The first column lists the files and directories. The second column shows the group and owner of the file or directory and the third displays the protections. The protections will look something like (RW,RWED,RE,RE). This lists the protections for four categories of users. The first is system, and applies only to system administrators. The second category specifies access for the owner of the file. The next set of permissions applies to the file owner's group, and the last set is for world; i.e. anyone who does not fall into any of the other three categories. There are four types of permissions in VMS: read, write, execute, and delete, indicated by R, W, E, and D, respectively. Permissions are modified with the SET PROTECTION command. The new permissions are specified, followed by the file (or list of files) that they are to be applied to. For example: $ SET PROTECTION=(S:RW,O:RWED,G,W) HOMEWORK.PAS will give read and write access to system, all access to the owner of the file, and no access to group and world. Protections are only altered for the categories specified, so a command like SET PROTECTION=(G:RE,W:RE) only modifies the group and world categories.
File Protection on the File Server
File protection can also be set for the files stored in your home directory on the file servers Charlie and Alice. Student home directories are created so that only the individual student can read and write to the directory.
Faculty and staff home directories are created as requested. Generally they are created so that the owner can read and write to the directory and others can read the directory. This is so that faculty members can use their home directories to share files with students in their classes. Some faculty members have both private and public folders in their home directory with the former being readable and writable only by them and the latter being readable by everyone.
To see the protections on the files in your home directory on the file server (the H: drive) you must use a PC and type the command NDIR at the DOS prompt. You will be able to see the protections on all of your files, including your Macintosh files.
It is not recommended to grant ANYONE access to files located in your home directory. If you need to have files shared out to a group for departmental, academic, or administrative purposes, please fill out a share request or email help-desk@hmc.edu with the following subject: Share request
In the body of the email include the information below:
Location {e.g. \\Charlie.ac.hmc.edu/hmcdfs/home/cis/public_downloads}
Individual or group access and restrictions in the form [group]; [access options]
(access options are: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write)
{e.g. CIS ; Full control
HMC_everyone ; List Folder Contents and Read }
File Protection on Your Personal Computer
In general, most people have their personal computers set up so that only they have access to their files and directories. However, it is possible in the Macintosh operating system and in Windows 95 and 98 to set up your computer to share files over the network. If you do decide to do this you should make sure that you use passwords to limit access to your computer. Otherwise you may find yourself sharing your files with the entire network. In addition, students must register their computer with CIS if they are sharing files over the network (for more information on this policy see the documentation here).
There are also numerous software packages that allow you to protect the data on your personal computer's hard drive from people who might have physical access to your computer. These programs usually work by requiring you to enter a password when you start up your computer. Most will also let you password-protect individual files and directories on your hard drive. CIS does not support these programs, however, so if you decide to use them you do so at your own risk. Most importantly, if you forget your password CIS cannot reset it for you!








Copyright 2012 Harvey Mudd College