File Systems and Security

Bama has a lot of disk storage space. It is divided up into several large file systems to make the administration easier. You can see how much space exists and how much is available with the command

df -k

This will display all the filesystems. An example of the output showing four of the interesting file systems is:

Filesystem          kbytes     used      avail      capacity  Mounted on 
/dev/dsk/c3t5d0s0   24953411   1416784   21041287   7%        /st1 
/dev/dsk/c3t5d1s0   24955459   682743    21777176   4%        /st2 
/dev/dsk/c0t4d2s0   24953411   723441    21734630   4%        /st3 
/dev/dsk/c0t4d3s0   24955459   7567533   14892386   34%       /fs 

There are many more file systems than these. The actual name of the filesystem in the first column is pretty confusing. The name which gets used by users is in the last column ("/st1" etc). The second column shows how much total space is in the file system. In this case there are 25 Gbytes in each file system. The third column shows how much is used and the fourth is how much is still available. The fifth column expresses how much space is available in terms of percent of the total size. The file systems shown here are the three that are allocated to students and the one that is allocated to faculty and staff.

Students have been assigned a quota on their disk usage. The "soft" limit is 9.5 Mbytes and the "hard" limit is 10 Mbytes. You can exceed the soft limit but not for a long time. There is a command, called "quota", which shows quota information but it will not display anything unless you are over your quota. Of course, it would be nice to know how much space you have left before you exceed your quota. To find out how much material you have in your entire directory structure go to your home directory and use the "du" command. The commands to do this are

cd
du -ks

The output would look something like this:

4384 .

The number given is the size of all your files in kilobytes. In fact, the "-k" switch for both the "df" and "du" commands is telling Bama to give you the numbers in kilobytes. In this example, the amount of space being used is just over 4.3 Mbytes.

Since the system directories are so easily seen there has to be some security to make sure other users aren't looking through all your files. There are three levels of security associated with every directory and file. The first is the "user" which is you. The next is the "group" which is either "student" or "facstaff." You are assigned to the appropriate group when you get your account. The last level is "other" which is everyone on the system. You can give or take away permission to read, write, or execute to any of user, group, or other. To see what permissions are set, use the command

ls -l

Here are two lines of example output

-rw-r--r-- 1 jsmit001 student 29607 Jun 16 09:34 tutor.vi 
drwxr-xr-- 1 jsmit001 student 512   Jun 28 11:21 mystuff 

They show your userid (in this case, jsmit001) and your group (jsmit001 is a student). The first character indicates whether the listing is a file or a directory. In this example, the first listing is a file, the second is a directory. The permissions are given next. They are listed in three sets of three characters each ("r" for read, "w" for write, and "x" for execute). When the permission is turned off there is simply a "-" in the column. The first set is the permissions for the user, the next set of three is the permissions for the group, and the last set is the permissions for everyone else. The file "tutor.vi" is readable by everyone and writable by the user. To read a file means you can see the contents. It is a plain file so it doesn't make sense to have execute permission. The directory "mystuff" is readable by everyone; it can be executed by the user and group members and written to by the user. To be able to execute a directory means to be able to do a "cd" into that directory.

You change the permissions on a directory with the "chmod" command. In "chmod" you refer to user, group, and other with "u", "g", or "o" and you refer to read, write, and execute with "r", "w", and "x". Permission is given with the "+" and taken away with the "-". For example, to completely protect a directory from anyone else but you, go to the directory where the one you want to protect is located and type this:

chmod go-rwx dirname

where "dirname" is the actual directory name. Chmod only changes the permissions you specifically reference and leaves the rest alone. If I had done this to "mystuff" the new listing would look like:

drwx------ 1 jsmit001 student 512   Jun 28 11:21 mystuff 

The contents of this directory and everything below it in the directory structure would be protected from prying eyes. For very tight security, you might want to turn off read permission for everyone including yourself, only turning it back on when you need to see the contents of the file.

Occasionally you might want to share a directory and its files with others. There could be many files and/or subdirectories which need to have the permission set so that others can look at them. In this case we would want to start at the first directory of interest and "recursively" change the permission. Using the directory "mystuff" as an example you would change directories to where "mystuff" is located and type

chmod -R go+rx mystuff

Note: you must use an uppercase "R" for the switch, otherwise chmod will mistake it for read permission and it will turn off read permission for you on the directory. If this happens you won't be able to access your own directory, but you can just turn it back on with a "+r".

Web Directory Permissions

Setting permissions on a web directory can be somewhat confusing. The confusion arises because people who come on to Bama to browse web pages are actually running as the user "nobody" in the group "nobody." Therefore what a web browser will show from your web pages is controlled by the permissions for "other". More information about permissions can be found on the web at

http://www.bama.ua.edu/~unixinfo/unix/unix-perm.html
and
http://www.bama.ua.edu/~unixinfo/unix/server-perm.html
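
The two rules above combine into one check: a file is visible to web visitors only if every directory on the way down has "x" for other and the file itself has "r" for other. The script below is an added example, not part of the original page; the function names and the sample tree (web, index.html, notes.txt) are made up for illustration, and it reads only the mode bits shown by "ls -l", not ACLs.

```sh
#!/bin/sh
# Added example. Decides from "ls -ld" output whether class "other" (how the
# web server user "nobody" is treated) can read a file below a root directory.

# Print the three "other" characters of the mode string, e.g. "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# other_can_read ROOT RELPATH: succeed only if every directory from ROOT down
# has execute for other and the file itself has read for other.
other_can_read() {
    cur=$1
    rest=$2
    while :; do
        # "t" in the last position is the sticky bit with execute also set.
        case $(other_bits "$cur") in ??[xt]) ;; *) return 1 ;; esac
        [ -n "$rest" ] || return 1            # RELPATH named a directory
        cur=$cur/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -d "$cur" ] && continue
        [ -z "$rest" ] || return 1            # a non-directory in mid-path
        case $(other_bits "$cur") in r??) return 0 ;; *) return 1 ;; esac
    done
}

# Constructed sample tree (all names are hypothetical). Prints its root.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/web/mystuff"
    echo page  > "$root/web/index.html"
    echo notes > "$root/web/mystuff/notes.txt"
    chmod u=rwx,go=rx "$root" "$root/web" "$root/web/mystuff"
    chmod u=rw,go=r "$root/web/index.html" "$root/web/mystuff/notes.txt"
    echo "$root"
}

root=$(make_sample)
other_can_read "$root" web/mystuff/notes.txt && echo "before: visible to other"
chmod go-rwx "$root/web/mystuff"              # the command from the text
other_can_read "$root" web/mystuff/notes.txt || echo "after: blocked"
# The file's own bits are unchanged; the closed directory is what protects it.
echo "notes.txt other bits: $(other_bits "$root/web/mystuff/notes.txt")"
rm -rf "$root"
```
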

 

© 1998, The University of Alabama. The information included here is for the University of Alabama central computing facility as it was configured on the document date. It may or may not apply to other Unix systems.