The ECN No Name Newsletter is no longer being published. This is an archived issue.
[previous article] [next article]
Accounts allow people to use the computer. When you get an account, you are given a password and a home directory. The home directory is a place on a disk where you can put your files. Each account has a login associated with it. There is one login per account. For example, my login is "prm".
Each account has unique information associated with it. One of these data is the user id (or uid). It is a number that identifies the login. All files created by you will have your uid attached to them.
The operating system keeps track of who is logged on at any given time. It also keeps track of which commands you execute and how much time it takes to execute them. It also keeps track of where you logged in. In some cases, the operating system can keep track of who creates or modifies files.
It is very important that you keep your account secure; any user who has access to your login and password can masquerade as you. If that person does something illegal, you could get blamed. He or she could also remove or modify your files.
When you want to work on the computer, you must first identify yourself to the computer and prove you are who you say you are. This process of identification and identity verification is called "logging in". First, the computer identifies itself and prompts you for a login. Here is an example:
dynamo.ecn.purdue.edu login:
You would then type in your login and the computer would prompt for a password:
dynamo.ecn.purdue.edu login: prm
Password:
You then type in your password. The computer won't print the password as it is typed so other users can't see it on the screen. After the computer checks to see that the password matches the one associated with the given login, it starts a shell and grants you access to the machine.
You log in differently depending on what shell you are using. If you are using Bourne shell (your prompt is "$"), you log out by typing the control key and the "d" key at the same time. If you are using csh, type the word "exit" or "logout" and you will be logged out. The computer records the times you logged in and logged out.
Choosing a good password is very important, because unauthorized users are often able to steal accounts or gain access to a system by guessing passwords. People who try to gain unauthorized access to a computer or a specific account are called "crackers". If your account is compromised, because of either a bad password or other means, the cracker can not only remove or modify any of your files, but he/she can also attack other users on the system, or other systems on the network.
Good passwords are difficult to create; care and thought should go into each one. Here are some guidelines for choosing passwords.
Bad passwords are:
Good passwords are usually pieces of several words, with odd capitalizations. A good password may include punctuation or other non-alphabetic characters. Using digits in unexpected locations can make a password better.
If you need to know which machines you have accounts on here at ECN, you can type
"lname -l -v " ,
where
Use the passwd command to change your password. Just type
"passwd" and you will be prompted for your old password (to
verify that you are authorized to change it) and a new
password. Then you will be prompted for the new password
again, to make sure you didn't mis-type the new password.
To change your password on all ECN hosts on which you have
accounts, type "passwd -n" . Type "man passwd" for more
information about how to change your password.
Note: it may take up to fifteen minutes for a password
change to take effect, so you may want to wait awhile after
changing your password before you try the new one.
You should change your password as soon as you get an
account, and then you should change it once every one or two
months, just to be sure it isn't being used by anyone else.
Don't tell anyone what your password is, under any
circumstances. Let me emphasize that. Don't tell ANYONE.
Under ANY circumstances. There are crackers who have been
known to send mail that appears to be from the system
administrator, asking you to change your password to
something they give you. DON'T EVER DO THIS! There is *no*
legitimate reason for ANYONE to ask for your password. If
you ever get mail like this, go to your site specialist and
report the incident.
Don't write your password down. It's too easy for someone
to discover it. You should choose a password that you can
remember. If, however, you absolutely must write down your
password, don't write it anywhere obvious, like on a post-it
note stuck to your terminal, on the front of your notebook,
or on a piece of paper next to the terminal. Write it on
something in your wallet and then be tricky by changing the
written password in some way (like leaving out two key
letters); so you can still remember it, but it is harder for
a someone who sees the paper to get into the account. Don't
ever write your login and password on the same piece of
paper.
You should also be very careful that someone isn't watching
you when you log in. Many people can tell what you are
typing just by watching your fingers on the keyboard.
All information on the computer is stored in files. A file
is just what it sounds like, a container for data. A
directory is a special file that contains other files or
directories. You can list which files are in a directory
using the ls command. For example, here's what ls says about
the directory (/home/harbor3/prm/pub/articles) where I'm
located.
You can use ls to find out additional information about
files by using the "-l" option. For example, if I wanted
more information about the file acct.sec in the list above,
I would type "ls -l acct.sec" . Here is what happens when I
do that:
The first field shown as, " -rw-r--r--", is the file type
and permission bits. More information about permission
codes is given below.
The second field, "1", is the number of links to the file.
In this case, the file has only one name. Other links can
be made with the "ln" command.
The third field, "prm", is the file's owner. The login prm
owns this file.
The fourth field, "8058", is the size of the file in number
of characters.
The fifth field, "Aug 19 11:22", is the time the file was
last modified.
The last field is the name of the file.
The first character in the type/permission field is the file
type. If the file is a directory, the first character will
be a "d". If it is a regular file, the first character will
be "-".
The next nine characters are access permission flags. The
leftmost three are owner permissions, the middle three are
group permissions, and the rightmost three are world
permissions. The letter "r" grants read permission, the
letter "w" grants write permission, and the letter "x"
grants execute permission.
In the above example, the permissions for the owner, "prm",
are "rw-". That means the owner "prm" can read and write
the file, but not execute it. The permissions for the
file's group are "r--", as they are for the world. NOTE
THAT ALL ECN USERS ARE BY DEFAULT IN GROUP "OTHER"! FILES
OWNED BY GROUP OTHER WITH GROUP WRITE PERMISSION SET ARE
VERY CLOSE TO BEING WORLD WRITABLE! If a file has modes "
rw-rw----" and is owned by group other, everyone on the
computer can write to the file! You can see group ownership
on a file by using the "g" option with the "l" option to ls.
For example, when I type "ls -lg acct.sec" I get the
following:
The "other" is the group owner of the file.
You can use the chmod command to change file permissions.
The character "+" means add permission and the character "-"
means deny permission. For example, if I wanted to let
people in group "other" write on my file, I would type
"chmod g+w acct.sec" . Whereas if I want to deny other
people permission to look at this file, I could type
"chmod go-r acct.sec" and the read permission on the file
would be revoked.
There is a shorthand way of representing file modes. Each
permission category (owner, group, and world) is given a
number which represents the bits set in the permission
field. Here is a table that explains this numbering system:
To use this table, merely add up the permissions you want.
For example, a file that is mode 644 has owner read and
write permission (400 + 200), group read permission (40),
and world read permission (4).
You can use this shorthand with chmod as well. Just use the
number instead of the symbolic representation. If you want
to change the mode of your .login from 755 to 644, you can
type "chmod 644 .login" .
Your home directory should be mode 700, 711, or 755. You
should not allow others write permission to your directory!
That would give them permission to create or destroy files
at will.
Important files should be mode 644 or 600. Only rarely is
it important to make a file mode 666, which is world-
writable.
Most accounts have special files called "dot" files. These
files control the startup, environment, and execution of the
shell and some programs. It is very, very important that
these files not be writable by anyone but you! If someone
else can write those files, they can take control of your
account in a matter of minutes! Then they'll be you, which
means they can do anything you can do: read, write or modify
files; send mail; talk to other users; print documents.
Make sure that permissions on these files are set to 644,
or, better yet, 600:
KEEPING YOUR PASSWORD SECURE
DIRECTORIES AND FILES
RFC1147.ps acct.sec imp.tech new.security
orange-book privacy pu.environ ritalin
s.serv s.serv.tr style wwarticle
zap
-rw-r--r-- 1 prm 8058 Aug 19 11:22 acct.sec
PERMISSION CODE
-rw-r--r-- 1 prm other 8058 Aug 19 11:22 acct.sec
Owner Group World
Read 400 40 4
Write 200 20 2
Execute 100 10 1
None 0 0 0
IMPORTANT FILES
.login .logout .cshrc
.bashrc .kshrc .xinitrc
webmaster@ecn.purdue.edu
Last modified: Thursday, 23-Oct-97 17:28:45 EST
HTML