From the KnowledgeBase

Title:
Security: How to set permissions and lock the files on your H: drive
Synopsis:
The following instructions set permissions on your account so that no one else can gain access to files in your Central File Server space (H: drive), while leaving your web site accessible on the Internet.


Solution:

Lock down your Central File Server account securely and completely so that no one has access. Here are the steps:

  • First visit the Enable Unix Account web page in order to log in.
  • Log into your Unix account using SSH
  • Enter the following command:
    ~helpdesk/scripts/protect
    
  • Log out of your Unix account

This script does the following:

  • Changes the home directory to permissions 711 (allowing FTP to drop the user into their home directory properly). Note that the default permissions for all accounts created after June 2003 are 711.
  • Recursively works through each sub-directory to change the permissions to 700, and files within them to 600.
  • Leaves or changes your public_html folders (your web folder) to the proper 755 or 644 permissions for world readability.
  • Note that the script changes all the permissions to the default settings.

For complete security and protection of your Central File Server account, this is the Help Desk recommended method. Important note: If you have set any folder permissions using Windows ACL settings, these will be overwritten by this script.
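To check the result without changing anything, the following read-only audit lists every path whose mode differs from the scheme described above. It is an added example, not the Help Desk's protect script; the function names are hypothetical, it assumes 755 applies to directories and 644 to files under public_html, and it assumes a find that supports -mindepth (GNU and BSD find do).

```shell
#!/bin/sh
# Added example: read-only audit of the permission scheme described above.
# Assumption: under public_html, 755 is for directories and 644 for files.

# Prefix each path read from stdin with the mode it was expected to have.
report() { sed "s|^|expected $1  |"; }

# audit_home DIR: print one line per path whose mode deviates; print
# nothing when DIR already matches the scheme. Never changes a mode.
audit_home() {
    home=${1%/}
    web=$home/public_html

    # The home directory itself: exactly 711.
    find "$home" -prune ! -perm 711 -print | report 711

    # Private area (everything except public_html): dirs 700, files 600.
    find "$home" -mindepth 1 -path "$web" -prune -o \
        -type d ! -perm 700 -print | report 700
    find "$home" -mindepth 1 -path "$web" -prune -o \
        -type f ! -perm 600 -print | report 600

    # Web area: world-readable so the web server can serve it.
    if [ -d "$web" ]; then
        find "$web" -type d ! -perm 755 -print | report 755
        find "$web" -type f ! -perm 644 -print | report 644
    fi
}

# Usage after logging in over SSH:  audit_home "$HOME"
```

Empty output means the directory tree already matches the scheme; any line printed names a path to review or to reset with the Help Desk script.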

Web interface to setting your security
You can view your current directory permissions and update the directory permissions to prevent the viewing of your files by others. Log in to the following secure web site (using your University netID and password):
https://sweb.Princeton.EDU/cgi-bin/DirSec/view.pl

It is recommended that you select Medium Security on your directory (also known as your H: drive). Medium security means that only you (and those you have given permission through Unix permissions) can view your files and folders, yet still permits everyone to view the files you wish to publish on the web in your public_html directory via a web browser. If you are not interested in publishing a web site on your account, select High Security. It is not recommended that you select the Insecure Option. Click on the Submit button at the bottom of the page for changes to take effect.

Note that this interface only affects the root level of your home directory and does not work recursively through sub-directories, including the public_html directory. If you have been working with permissions on sub-directories, or just want to make sure that your directory is completely secure, use the Help Desk script above.

Windows users can use ACLs to set permissions
Windows computer users can use Access Control Lists (ACLs) on specific folders to set permissions for user access. If you use ACLs, do not use either procedure described above unless you are aware that they will override any permissions you have set with ACLs. On the other hand, if you are having trouble with ACLs and need to reset all your permissions back to default recursively through all your folders and sub-folders, use the Help Desk script option described above. For more information on ACLs, see: http://kb.princeton.edu/9680. Only Windows computer users can use ACLs on the Central File Server. This method is not available to Macintosh and Unix/Linux computer users.


Last Updated:
October 26, 2012

Solution ID:
8820