jerryp@tektools.UUCP (10/21/86)
In article <810@aimmi.UUCP> gilbert@aimmi.UUCP (Gilbert Cockton) writes:
> ...UNIX books and lecturers encourage the
> reading of files in other people's bin directories and up in the /usr
> partition. It's a good way of learning your way around UNIX.

Especially if you're interested in learning stuff that's not in the books... like local programs available only on your system, and programs that other users have written which might be useful to *you*. Fortunately, a lot of good books have come out recently... but a few years ago, reading other users' files and asking "gurus", was almost the only way to learn. (At places I've worked, anyway.)

> The question is though, how many people outside the friendly `snoop
> and learn' UNIX tradition feel there is a big difference. One systems'
> administrator I've worked with saw none whatsoever, and charged
> snoopers with gross moral deficiencies and latent hacker's syndrome.

The first things a new user should be taught include:
 - how to use "chmod" to make a "personal" (safe) directory and
 - how to use "chmod" to protect an individual file.
Not using "chmod", then screaming about someone reading your files, is like not locking your house and complaining when a burglar walks in.

--Jerry Peek, Tektronix, Inc.
US Mail: MS 74-900, P.O. Box 500, Beaverton, OR 97077
uucp: {allegra,decvax,hplabs,ihnp4,ucbvax}!tektronix!tektools!jerryp
CS,ARPAnet: jerryp%tektools@tektronix.csnet
Phone: +1 503 627-1603

yba@mit-trillian.MIT.EDU (Mark H Levine) (10/22/86)
In article <1759@tektools.UUCP> jerryp@tektools.UUCP (Jerry Peek) writes:
>In article <810@aimmi.UUCP> gilbert@aimmi.UUCP (Gilbert Cockton) writes:
>The first things a new user should be taught include:
> - how to use "chmod" to make a "personal" (safe) directory and
> - how to use "chmod" to protect an individual file.
>Not using "chmod", then screaming about someone reading your files, is like
>not locking your house and complaining when a burglar walks in.

That seems a bit strong.

At our place, there is a Committee on Privacy that worries about such things. Their major concern was that we could not teach our four or five thousand novices about chmod BEFORE they had casually created private files which others would then browse -- in other words: were users giving informed consent or just using a default of "friendly" which novices (the reasonable man?) would not expect?

(Imagine you stayed at a hotel where the door locks only worked if you called the desk to have them turned on -- the normal expectation is that the door locks when you close it, and only you and the maid can get in; only a UNIX hotel is open to visitors at all hours).

The compromise we use is to start new users off with a directory mode of 0711 (allows file references IF they gave you the pathname), and a umask which only allows the user access. This puts the burden on a user to learn how to share his files rather than to learn how to protect them.

While it runs contrary to the UNIX tradition, it is probably a good compromise for the uninitiated. There seems to be more potential for damage in having people's private data made public accidentally than in putting a stumbling block in the way of sharing data intentionally.

We also tell users loudly the system is not secure, and they should not have any sensitive data on a UNIX machine with a network connection.

--
Eleazor bar Shimon, Carolingia

katinsky@topaz.RUTGERS.EDU (David Katinsky) (10/22/86)
<At our place, there is a Committee on Privacy that worries about
<such things. Their major concern was that we could not teach our
<four or five thousand novices about chmod BEFORE they had
<casually created private files which others would then browse --
<in other words: were users giving informed consent or just using
<a default of "friendly" which novices (the reasonable man?) would
<not expect?

What about a default umask????

--
"Life's a piece of shit, when you look at it......"
Monty Python's Life of Brian
ARPA: katinsky@aim.rutgers.edu
UUCP: ...{ihnp4,pyrnj}!topaz!katinsky

jbs@mit-eddie.MIT.EDU (Jeff Siegal) (10/23/86)
>In article <810@aimmi.UUCP> gilbert@aimmi.UUCP (Gilbert Cockton) writes:
>The first things a new user should be taught include:
> - how to use "chmod" to make a "personal" (safe) directory and
> - how to use "chmod" to protect an individual file.
>Not using "chmod", then screaming about someone reading your files, is like
>not locking your house and complaining when a burglar walks in.

>[Mark Levine compares Unix to a hotel]

While I'm not sure I agree with Mark, that users necessarily expect security to be activated by default, I _definitely_ disagree with Gilbert's implied contention that burglarizing a house with unlocked doors is not illegal, immoral, and generally unacceptable behavior. I have lived in an area where people generally do _not_ lock their doors at all times, and the police take burglaries very seriously, whether or not the doors were locked.

Does someone's home being unlocked give you the right to violate it without permission? Does someone's desk being unlocked, or in an unlocked office give you the right to look through it? Does someone's files being in a world-readable directory, or set world-readable give you the right to read them. I think not.

If you want to read someone's files, whether you are able to read them or not, ASK PERMISSION. If they want to share, fine. If they do not give you permission, don't read them, whether you are able to or not.

Why is it that people often become so confused about such basic issues as privacy and individual rights as soon as the word "computer" enters the conversation?

Jeff Siegal

mcvoy@rsch.WISC.EDU (Lawrence W. McVoy) (10/23/86)
In article <3561@mit-eddie.MIT.EDU> jbs@mit-eddie.UUCP (Jeff Siegal) writes:
>>In article <810@aimmi.UUCP> gilbert@aimmi.UUCP (Gilbert Cockton) writes:
>>The first things a new user should be taught include:
>> - how to use "chmod" to make a "personal" (safe) directory and
>> - how to use "chmod" to protect an individual file.
>>Not using "chmod", then screaming about someone reading your files, is like
>>not locking your house and complaining when a burglar walks in.
>
>Does someone's home being unlocked give you the right to violate it
>without permission? Does someone's desk being unlocked, or in an
>unlocked office give you the right to look through it? Does someone's
>files being in a world-readable directory, or set world-readable give
>you the right to read them. I think not.
>Jeff Siegal

Well, Jeff, you are 100% wrong here. The analogy between a home and a computer is not in any way shape or form a valid one. Unless that disk that is spinning around belongs to you personally, you can't tell me which bytes I can and cannot look at by suggesting that it is immoral for me to look at bytes without my name on them. You have been given a means by which you may deny me access. If you choose not to use this mechanism, then you have given me implicit permission to look at your files.

If you insist on a real world analogy, try this: it's as if someone said, "Here, use my house. There are other people that I let use my house, so here are some keys. Use them to lock up your stuff. If you don't, anyone else can play with your stuff, just as you may play with anything you find." See the difference? It's not *your* house, it's everyone's house.

--
Larry McVoy
mcvoy@rsch.wisc.edu, {seismo, topaz, harvard, ihnp4, etc}!uwvax!mcvoy
"They're coming soon! Quad-stated guru-gates!"

jbs@mit-eddie.MIT.EDU (Jeff Siegal) (10/23/86)
In his article mcvoy@rsch.WISC.EDU (Lawrence W. McVoy) writes:
>In his article jbs@mit-eddie.UUCP (Jeff Siegal) writes:
>>>[Gilbert Cockton makes a house analogy]
>>Does someone's home being unlocked give you the right to violate it
>>without permission? Does someone's desk being unlocked, or in an
>>unlocked office give you the right to look through it? [..] I think
>>not.
>Well, Jeff, you are 100% wrong here. The analogy between a
>home and a computer is not in any way shape or form a valid one.
>Unless that disk that is spinning around belongs to you personally,
>you can't tell me which bytes I can and cannot look at by suggesting
>that it is immoral for me to look at bytes without my name on them.
>[...]
>See the difference? It's not *your* house, it's everyone's
>house.

The house analogy was not a very good one; I did not invent it, I just wanted to demonstrate that leaving a house unlocked does not constitute granting any sort of permission (in the human sense).

The office analogy is much better. "My" desk is not really "mine." Neither is "my" office. Giving someone the _ability_ to access either or both of these does not give him _permission_ to access them.

Accessing the contents of "my" office, "my" desk, or "my" files without my permission is unacceptable behavior.

Jeff Siegal

mwm@eris.berkeley.edu (Mike (Don't have strength to leave) Meyer) (10/23/86)
In article <2849@rsch.WISC.EDU> mcvoy@rsch.WISC.EDU (Lawrence W. McVoy) writes:
>In article <3561@mit-eddie.MIT.EDU> jbs@mit-eddie.UUCP (Jeff Siegal) writes:
>>Does someone's home being unlocked give you the right to violate it
>>without permission? Does someone's desk being unlocked, or in an
>>unlocked office give you the right to look through it? Does someone's
>>files being in a world-readable directory, or set world-readable give
>>you the right to read them. I think not.
>
>>Jeff Siegal
>
>Well, Jeff, you are 100% wrong here. The analogy between a home and a
>computer is not in any way shape or form a valid one. Unless that disk
>that is spinning around belongs to you personally, you can't tell me
>which bytes I can and cannot look at by suggesting that it is immoral
>for me to look at bytes without my name on them. You have been given
>a means by which you may deny me access. If you choose not to use this
>mechanism, then you have given me implicit permission to look at your
>files.

No, it's perfectly valid. Unless you own the disk, you have no right to assume that you can look at anything that DOESN'T have your name on it.

Let's look at YOUR version of the analogy, and see how it works in the real world.

> If you insist on a real world analogy, try this: it's as if
>someone said, "Here, use my house. There are other people that I let
>use my house, so here are some keys. Use them to lock up your stuff.
>If you don't, anyone else can play with your stuff, just as you may
>play with anything you find." See the difference? It's not *your*
>house, it's everyone's house.

Would you rent an apartment under those conditions? I damned well wouldn't. Would you get upset if you left your door unlocked while you left for a short time, and came back and found your neighbors rummaging around in your apartment? How about your landlord?

Most people would, and that's because the defaults for the real world are that your home & property are private, unless you give permission for others to play with them. If the conditions differ from the default, then this should be stated FROM THE START. I hope you see the problem with your analogy - you want to make the default conditions different from the real world, and assume that you don't have to tell people that this is so.

And note that this still isn't *my* house, someone else owns the building. And it isn't "everybody," either. The same applies to a computer - someone owns the thing, and chances are that it isn't "the users."

Like a landlord, if you run the system, you can use whatever rules you like. But if the defaults are different from the real world, the onus is on YOU to make sure that users know it. If the rules are "anybody can read anything," then that's fine - so long as you tell the users. Likewise, if the rules are "reading files you don't own without permission is a criminal act," this is also fine. And since that's the way the real world works, that's the correct default.

[Of course, you should still tell people that there may be users with defective ethical systems, and that NOTHING is safe from being read by others. Like the quote that started this - if you leave the door unlocked and someone rummages around in your home, you don't have much room to complain. But the rummagers actions are still illegal and unethical.]

<mike

ken@rochester.ARPA (Comfy chair) (10/23/86)
Before the flames get too high, may I state that the Unix community includes all types of environments, ranging from corporate to research. It all depends on who you work for and with.

My point of view is that anybody is free to read anything I have left unprotected. In a place like mine, it could be a hassle to have to wait until one can contact me, since I come in at weird hours. If I want to stop *casual* perusal, I protect the files. I never keep anything sensitive on the computer, firstly for computer breakdown considerations and secondly because I don't trust the security, knowing how easily a determined person can bypass it.

But then I work in an environment where we don't mind letting fellow grad students walk in our offices and borrow a book all by themselves if they leave a note.

Ken

richter@randvax.UUCP (Susan Richter) (10/23/86)
In article <1759@tektools.UUCP> jerryp@tektools.UUCP (Jerry Peek) writes:
>In article <810@aimmi.UUCP> gilbert@aimmi.UUCP (Gilbert Cockton) writes:
>> ...UNIX books and lecturers encourage the
>> reading of files in other people's bin directories and up in the /usr
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^        ^^^^^^^^^^^
                    these are very different cases!!
>> partition. It's a good way of learning your way around UNIX.
>
>Not using "chmod", then screaming about someone reading your files, is like
>not locking your house and complaining when a burglar walks in.
>

I couldn't complain if a burglar (read "malicious user") walked in. Burglars have no compunction about going where they know they're not supposed to be; in fact, that's their job :-). If I knew that burglars were in the neighborhood, I would be sure to take the necessary precautions to make it at least inconvenient for them. However, I *certainly* wouldn't expect any average, law-abiding citizen (user) to take the liberty of walking into my house uninvited. In fact, I wouldn't expect said citizen to even try the door to *see* whether it's unlocked. People (read "normal, non-criminal types") follow a certain ethic of respect for others' real property; why does there seem to be a suspension of that ethic when we're talking about information stored in files and directories?

I mean, "access to the UNIX file system" is remarkably analogous to "access to buildings in the real world". In the real world, there are "public" or corporately owned areas, which may or may not be actually accessible to the public: for example, libraries have large stacks for browsing, but many also have areas that either require special permission to go into, or contain materials that librarians must handle on your behalf. People are *expected* to walk into public libraries and browse around; no one accuses them of "snooping" or "breaking and entering". The restricted areas are clearly marked, and most people (at least, the sort of people you find in public libraries) wouldn't think of trying to break into them.

In the real world, people don't go around trying the doors on strange houses to "look around and see what they can find". No one says, "Hmm, the door is unlocked -- it must be OK to come in here."

==> Public places have different rules than private places. <==

- Susan
trwrb!randvax!richter

dmb@morgoth.UUCP (David M. Brown) (10/23/86)
[]
It occurs to me that whenever you have a shared resource (ie, disk space), you have entered the domain of politics. There are several ways to deal with this. One is anarchy (anyone may do whatever s/he is able to do). In a system in which there are no controls, it is impossible to totally prevent this mode of politics from occurring.

My favorite way of dealing with political situations is to use the concepts of etiquette and convention. An example of etiquette is 'using only what you need.' An example of convention is 'it is permissible to read files for which you have read permission.'

Essentially, it is all wrapped up in the word "permission." By setting the appropriate _read_ _permission_ on your files and directories, you are giving me _permission_ to read them. Novices will learn.

dmb@morgoth
Dave Brown
GZA
(617) 969-0050
#include '/usr/local/disclaimer'

spp@oz.berkeley.edu (Steve Pope) (10/25/86)
>Essentially, it is all wrapped up in the word "permission." By
>setting the appropriate _read_ _permission_ on your files and
>directories, you are giving me _permission_ to read them. Novices
>will learn.

I am really surprised that so many people are expressing this attitude. I should think it would be obvious that reading through the files in someone else's directory just for the hell of it is a violation of privacy, regardless of permissions. Consider somebody who leaves his office and file cabinets unlocked. Does this give everybody else the right to come in and browse through their papers?

The convenience of having an open system where read permission is on by default is that if somebody has a good reason to access someone else's file, they can do it.

It turns out that setting a policy by which users routinely turn off read permissions is bad for security. What happens in every case is people start trading passwords, using each other's accounts, and security rapidly goes to hell. If you can trust your computer users to behave like adults in the first place, you'll be way ahead.

steve

stuart@BMS-AT.UUCP (Stuart D. Gathman) (10/25/86)
In article <1501@jade.BERKELEY.EDU>, mwm@eris.berkeley.edu (Mike (Don't have strength to leave) Meyer) writes:
> In article <2849@rsch.WISC.EDU> mcvoy@rsch.WISC.EDU (Lawrence W. McVoy) writes:
> > If you insist on a real world analogy, try this: it's as if
> >someone said, "Here, use my house. There are other people that I let
> >use my house, so here are some keys. Use them to lock up your stuff.
> >If you don't, anyone else can play with your stuff, just as you may
> >play with anything you find." See the difference? It's not *your*
> >house, it's everyone's house.

> Would you rent an apartment under those conditions? I damned well
> wouldn't. Would you get upset if you left your door unlocked while you
> left for a short time, and came back and found your neighbors
> rummaging around in your apartment? How about your landlord?

The answer to the above questions depends on whether we are talking about strangers or family. In a family or community setting we have the situation described by Mr McVoy as typical of a *nix environment. The assumption is that all users are friendly (non-hostile). This is not a good assumption for a public time sharing service. It is hopefully a good assumption for a company computer.

In a formal setting such as landlord and tenant, we are much more private and not so trusting. This is the better approach for public systems.

--
Stuart D. Gathman <..!seismo!{vrdxhq|dgis}!BMS-AT!stuart>

wmf@chinet.UUCP (William M. Fischer) (10/25/86)
In article <1501@jade.BERKELEY.EDU> mwm@eris.UUCP (Mike (Don't have strength to leave) Meyer) writes:
>In article <2849@rsch.WISC.EDU> mcvoy@rsch.WISC.EDU (Lawrence W. McVoy) writes:
>>In article <3561@mit-eddie.MIT.EDU> jbs@mit-eddie.UUCP (Jeff Siegal) writes:
>>>Does someone's home being unlocked give you the right to violate it
>>> [...] I think not.
>>Well, Jeff, you are 100% wrong here. The analogy between a home and a
>>computer is not in any way shape or form a valid one.
>No, it's perfectly valid.
>Let's look at YOUR version of the analogy, [...]
>[...] and that's because the defaults for the real world
>[Of course, you should still tell people that there may be users with
>defective ethical systems, and that NOTHING is safe from being read by

Sheesh.... everybody chmod the files they want private and let's move this discussion to net.philosophy. :-)

--
====================================================
| Fortiter in re,   || Bill Fischer                |
| suaviter in modo. || ...ihnp4!chinet!wmf         |
====================================================

rlk@mit-trillian.MIT.EDU (Robert L Krawitz) (10/26/86)
It seems that the people who disagree with the concept of looking through other people's publicly-readable files are using the analogy of an unlocked house, and a burglar. I believe that this analogy is flawed.

One major difference is that reading files from other people's directories does not deprive the other people of use of their information; taking a physical object from someone's house is. This is a general difference between information and physical property -- creation of duplicate pieces of information is free, whereas one cannot duplicate physical property in this trivial way. This is one reason why different codes of behavior may be appropriate in the two cases of "access to the UNIX file system" and "access to buildings in the real world." (richter@randvax).

Since all copies of the same piece of information are completely equivalent (we'll ignore bizarre cases such as dbm(3) databases, with their holes), it is reasonable to claim that leaving a file world-readable is equivalent to inviting the world to share this information. If leaving information freely available to everyone is not granting them permission to read it, then what is? I would like the people arguing against (read access == read permission) to state a way in which I can permit anyone to read my files, without worrying about who is doing it (i. e. I don't want to grant individual permission to 4000 users; if someone wants to walk through my home directory, they're welcome to it).

Similarly, if I can't get in touch with someone because they are away on vacation, but their files are readable, and it is reasonable to assume that they don't want to stop someone else from reading their files (i. e. some code I want to see, or the like), what do I do?

Public places do have different rules than private places, as any number of people have pointed out. However, due to the difference in nature between information and physical property, the analogy doesn't hold up too well.

Here at Athena, we set up users' accounts by default with a home directory protection of 711, and a umask of 66. People who change this have to do it deliberately, which I would interpret as giving implied permission to inspect their files (although I don't feel right simply doing a recursive cat on their home directory).

--
Robert^Z

mash@mips.UUCP (10/26/86)
I missed the early stages of this, so let me add just a few terse facts to the discussion:

a) In early years in UNIX, it was explicitly assumed by everybody that files left readable could be looked at by everybody, and that you would keep files not to be desired so under unreadable directories. On many machines, default file creation mode was 0666, and in fact, many people left most files writable, as well as readable.

b) New people were often explicitly told to rummage around; often the most interesting stuff was not yet placed into the public source directories. Thus, this style was a generally approved part of UNIX culture/folklore.

c) As there got to be more UNIX systems living in computer centers (as opposed to serving small tight-knit groups), it was less clear that a) and b) were uniformly desired by everybody.

d) After a lot of wrangling around amongst groups with differing philosophies, umask(2) was added specifically to allow the "open-ness level" of system to be controlled at the system, group, and user level, because it was CLEAR that people disagreed, quite legitimately, about the appropriate levels needed.

Thus, this issue comes down to cultural expectations, which reasonably differ. There is no right or wrong answer, only the need for people to understand the local rules and deal with them appropriately.

A good analogy, since people have been talking about doors, and burglars, etc, is the following: What does it mean if somebody has their office door closed? In some places, it means "Absolutely do not disturb". In some, it means "Probably don't bother me, but since I don't have my "DO NOT DISTURB" sign up, it's OK." In some, it doesn't mean anything: everyone always has their door closed. (I've heard that this is more the style in Germany, for example. See Edward T. Hall, "The Hidden Dimension", 1969, Doubleday Anchor, Garden City, NY, for example, on the use and meaning of space. Especially interesting are the sections dealing with the problems when people's unconscious assumptions clash due to different cultural backgrounds.)

--
-john mashey
DISCLAIMER: <generic disclaimer, I speak for me only, etc>
UUCP: {decvax,ucbvax,ihnp4}!decwrl!mips!mash, DDD: 408-720-1700, x253
USPS: MIPS Computer Systems, 930 E. Arques, Sunnyvale, CA 94086

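Added example, not part of any post in this thread: a shell sketch of the account defaults discussed above (a 0711 home directory with umask 066 or a user-only umask, against the early 0666 creation mode). The function names are hypothetical; the script creates files only in a temporary directory and reads back the resulting mode bits.

```shell
#!/bin/sh
# Constructed demo: what a new file or directory looks like under each
# umask mentioned in the thread, and what a directory mode lets users
# outside the owner and group do.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# created_mode UMASK KIND -> mode given to a new "file" or "dir".
# Shell redirection requests 0666 and mkdir requests 0777; the kernel
# clears whatever bits the umask names.
created_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/new"
        else
            : > "$tmp/new"
        fi
        mode_of "$tmp/new"
        rm -rf "$tmp"
    )
}

# exposure_to_others MODE -> what the "other" class can do with a
# directory of that octal mode:
#   listable       r and x: names can be listed and files reached
#   pathname-only  x only: files reachable if the name is already known
#   names-only     r only: names can be listed, files cannot be reached
#   closed         neither
exposure_to_others() {
    other=$(( 0$1 & 7 ))
    r=$(( other & 4 ))
    x=$(( other & 1 ))
    if [ "$r" -ne 0 ] && [ "$x" -ne 0 ]; then
        echo listable
    elif [ "$x" -ne 0 ]; then
        echo pathname-only
    elif [ "$r" -ne 0 ]; then
        echo names-only
    else
        echo closed
    fi
}

# 000: early wide-open default; 022: common later default;
# 066: the Athena default quoted above; 077: user-only access.
for u in 000 022 066 077; do
    d=$(created_mode "$u" dir)
    printf 'umask %s: new file %s, new dir %s (%s)\n' \
        "$u" "$(created_mode "$u" file)" "$d" "$(exposure_to_others "$d")"
done
```

A umask of 066 by itself gives new directories mode 711 and new files mode 600, so subdirectories inherit the same "by pathname only" exposure as the home directory; the file's own mode still decides whether a known pathname can actually be read.
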
fgd3@jc3b21.UUCP (Fabbian G. Dufoe) (10/27/86)
It is only prudent to use whatever techniques are available to you to secure your files from unauthorized access. However, your failure to do so does not imply that you are granting permission to others to use them. Common courtesy requires that you do not use other people's property without their express permission, that you do not read their mail even if it is not locked up, and that you do not poke around in their files unless they explicitly tell you it is all right to do so.

Unfortunately, there are many people who are pretty weak in the courtesy and honor departments. It's because of them that you really ought to keep your possessions, letters, and files secured.

Fabbian Dufoe
350 Ling-A-Mor Terrace South
St. Petersburg, Florida 33705
813-823-2350
UUCP: ...akgua!usfvax2!jc3b21!fgd3

dmb@morgoth.UUCP (David M. Brown) (10/30/86)
[]
> It is only prudent to use whatever techniques are
> available to you to secure your files from unauthorized
> access. However, your failure to do so does not imply
> that you are granting permission to others to use them.
> Common courtesy requires that you do not use other
> people's property without their express permission,
> that you do not read their mail even if it is not
> locked up, and that you do not poke around in their
> files unless they explicitly tell you it is all right
> to do so.

This whole debate is caused by the clash between two different value systems. One system is described above (keywords: "common courtesy"). The other has been espoused by others on the net (as well as myself), and goes sort of like this: "If you set your permissions, you are permitting."

At the risk of repeating myself, the use of shared resources implies a political situation. Politics may be resolved with *force*, *law*, or *convention*. Force usually works, but is undesirable and socially unacceptable. Law seldom achieves its ends in the face of determined opposition, especially when the opposition sees the law as a challenge. Therefore, convention (read: "value system") is the usual choice.

Every site is free to choose its own conventions. You pick yours and we'll pick ours. On our site, it is acceptable to access anything which you can access. Of course, if we get some real losers, that may have to change.

dmb@morgoth
Dave Brown
GZA
320 Needham St.
Newton Upper Falls, MA 02164
(617) 969-0050
#include '/usr/local/disclaimer'

page@ulowell.UUCP (Bob Page) (11/01/86)
One (academic) installation I know of has the philosophy:

	If it's not worth making public, it's not worth having on the system.

I agree in principle; in practice it's tough to enforce. Users can adopt their own philosophies, System Managers must adopt everyone's philosophies. As a (multi-)System Manager, I respect people's assumed rights (although I do not always agree with them) of privacy, not going any further than `grep'.

People must be re-educated to what ``Multi User System'' means. If you have _personal_ files you don't want people to see, put them on a _personal_ computer. Use your own disk space, not your organization's.

You might say, ``what about cheating on class assignments, not everybody has an amiga/mac/ibmpc'' ... you can't stop cheating even if you disable world read access, remove mail, printers, and most of what makes a multi-user system usable. Besides, cheating can be considered information-gathering, and isn't this the Information Age? :-)

Please note that the University of Lowell and the Massachusetts Board of Regents may not (probably don't!) agree with me. In fact, there's a statewide policy of 'Electronic Data Security' or somesuch that is in my job description to police.

And no, you can't have an account. :-)

..Bob
--
UUCP: wanginst!ulowell!page
Bob Page, U of Lowell CS Dept
VOX: +1 617 452 5000 x2976
Lowell MA 01854 USA