Indiana University

IU Webmaster

Guidelines for proper file and directory permission settings

The following are guidelines for proper file and directory permissions on Webserve:

First and foremost, from the /ip/{account_name} all the way down, no file or directory is permitted to be group or other "writable". There should be no exceptions.

  1. The top-level directory (/ip/{account_name}) should be protected for all access to owner and execute only to group and others.

  2. Common dot (".") files and directories in the login directory, which are normally hidden, like .ssh, .ssh2, .login, .profile, .cshrc, .bash_history, .bashrc, etc., should be set to all access to owner and no access to group and others.

  3. Generally *all* other non-dot (".") directories like bin should be set to all access to owner and no access to group and other.

  4. Generally *all* other non-dot (".") files in the login directory should be protected for all access to owner and no access to group and other.

  5. Generally *all* executable files in the entire account directory should be protected for all access to owner and no access to group or other.
    In the www and wwws directories the ~accountname feature of the web server will ensure that the executable file executes *as* the account name, so group and other need no access to it.

  6. If the account is a member of the UNIX "ip" group, all files in the entire /ip/{account_name} directory tree should have their owner set to the account name and the group set to ip.

  7. The www and wwws (if present) directories should be set to all access to owner and execute only to group and other.

You can find out whether any files or directories in your account have improper permission settings by running the check_file_security script. To run this script:

  1. Log in to your account using SSH Secure Shell Client. For information on how to use SSH Secure Shell Client, please see How to use SSH.

  2. Type /usr/local/bin/check_file_security

  3. Type y when prompted with the question:

      Do you want to continue and run the report? (y/n).

  4. The result will be written to a file named account_name-check-file-security-report.txt, located in the login directory.
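As an added illustration, not IU's own check_file_security script, the POSIX shell audit below applies the rules above to an account tree and prints one "path: problem" line per violation, much like the report the script writes. The sample account, its file names and their modes are constructed in a temporary directory for the demo; a real account lives under /ip/{account_name}.

```shell
#!/bin/sh
# Added example (not IU's check_file_security): audit an account tree against
# the Webserve permission guidelines. Sample paths and modes are constructed.

# Nine permission characters, e.g. "rwx--x--x", taken from ls (portable across
# GNU and BSD systems, unlike the differing flags of stat).
perm_of() { ls -ld "$1" | cut -c2-10; }

# Print one "path: problem" line per violation; prints nothing when clean.
audit_account() {
    root=${1%/}
    find "$root" -print | sort | while IFS= read -r f; do
        p=$(perm_of "$f")
        # Rule 0: nothing anywhere in the tree may be group- or other-writable.
        case "$p" in ???*w*) echo "$f: group/other writable ($p)" ;; esac
        if [ "$f" = "$root" ] || [ "$f" = "$root/www" ] || [ "$f" = "$root/wwws" ]; then
            # Rules 1 and 7: all access to owner, execute only to group and other.
            [ "$p" = "rwx--x--x" ] || echo "$f: expected rwx--x--x, found $p"
        elif [ "$(dirname "$f")" = "$root" ]; then
            # Rules 2-4: every other entry in the login directory is owner-only.
            case "$p" in ???------) ;; *) echo "$f: login-dir entry not owner-only ($p)" ;; esac
        elif [ -f "$f" ]; then
            # Rule 5: an owner-executable file anywhere in the tree is owner-only.
            case "$p" in ??x------) ;; ??x*) echo "$f: executable not owner-only ($p)" ;; esac
        fi
    done
}

# Number of violation lines, for scripting a pass/fail result.
count_violations() { audit_account "$1" | wc -l | tr -d ' '; }

# Build a constructed sample account containing two deliberate mistakes.
mk_sample_account() {
    acct=$(mktemp -d)/example_account
    mkdir -p "$acct/.ssh" "$acct/bin" "$acct/www/cgi-bin"
    : > "$acct/.bashrc"; : > "$acct/www/index.html"
    : > "$acct/www/cgi-bin/hello.cgi"; : > "$acct/www/notes.txt"
    chmod 711 "$acct" "$acct/www" "$acct/www/cgi-bin"
    chmod 700 "$acct/.ssh" "$acct/bin"
    chmod 600 "$acct/.bashrc"; chmod 644 "$acct/www/index.html"
    chmod 755 "$acct/www/cgi-bin/hello.cgi"  # breaks rule 5
    chmod 666 "$acct/www/notes.txt"          # breaks rule 0
    printf '%s\n' "$acct"
}

acct=$(mk_sample_account)
audit_account "$acct"    # reports hello.cgi and notes.txt
rm -rf "$(dirname "$acct")"
```

Run it against a real login directory with audit_account /ip/{account_name} after removing the demo lines at the bottom; it only reads permissions and changes nothing.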


For information on how to change file/directory permissions, please see http://kb.iu.edu/data/abdb.html.