Privacy - making sure no one can read your files

This document describes how to prevent other users from reading, writing and, in general, messing with your files.

The short story:

To remove read/write/execute permission for all users, but the file owner, for all the files in your home directory, execute the following commands: 
	cd ~
	chmod go-rwx ../your_user_name
Edit ~/.bash_profile and add the line: 
	umask go-rwx
to remove read/write/execute permissions for all users, but the file owner, for all newly created files.

The disadvantages:

1) nobody could read your web-based data files, in this case, it is ~/www/*. 
2) mailer could not forward your mail specified in .forward file.

Common practices:  create a sub-directory,  e.g.

mkdir private
chmod go-rwx private

and put all your files there.

The long story (which you should read):

In Linux (and Unix in general) a file has three main groups of users associated with it: the user(u) who owns it, the group(g), and others(o). Each of these have a number of different permissions: read(r), write(w), execute(x) (or access for directories), etc. All put together allow the OS (operating system) to decide who has what type of access to a file.

Every user belongs to one or more groups and any group can have several users. All the users in a group have the same type of access to the files owned by the group.

To check file permissions you can use the command: 
	ls -l
And the output looks something like: 
	drwxrwxr-x   4 rsousa   red          2048 Jan 21 14:12 tmp
	-rw-------   1 rsousa   red        884584 Dec 27 06:47 p947_1.pdf

In the left column the first letter indicates if the file is a directory or not. The next three letters are the permissions for the user who owns the file, the other three for the group and the last three for others. The third and fourth columns indicate, respectively, the file owner and group.
So p947_1.pdf can be read/written only by the user rsousa and the directory tmp can be read/written/accessed by the user rsousa and also the group red. In addition any other user can read/access the directory.

To change file permissions use the command: 
	chmod ug+rw filename
This sets(+) read(r) and write(w) permissions for the owner(u) and group(g) of filename. To remove permissions you would use a - sign instead of the +.

Basically to prevent other users from accessing your home directory (and so every file/directory beneath it) you should do: 

	cd ~
	chmod go-rwx ../your_user_name
Beware that this might break some applications. Namely, if you have a web page set up in your home directory you have to allow everybody to read/access your home directory and all the files in the www directory. The solution in this case is to set only more restrictive permissions on a per file/directory basis: 
	chmod go-rwx top_secret_file
As always if something breaks you get to keep the pieces.

It is also possible to change the default permissions for newly created files so that you don't have to change them every time. You just have to add a line to ~/.bash_profile similar to: 

	umask go-rwx
the default should be something you are less likely to have to change.

References:


v0.2 10/24/2000 Rui Sousa v0.3 08/12/2002 Kim Ng (added: Disadvantages)