Changes between Version 1 and Version 2 of faq/files/privacy-standard-servers

Aug 27, 2008, 10:20:44 AM (12 years ago)
Jamie McClelland



  • faq/files/privacy-standard-servers

    v1 v2  
    1 = Is my data private? =
     1= How do I share and restrict access to my files? =
    3 This page was inspired by ticket #1104 to provide a clear and concise explanation of what files are read-able and by whom on our shared servers.
     3This question comes up a lot. And, often there are as many variations of the question as there are questioners. This page attempts to give an overview of how file sharing and permissions work on our standard servers to help members make smart decisions on how they want to share and restrict access to their files. There are a number of discussions proposing changes to our system (see below for links to those tickets).
    5 == Files only readable by the user that created them ==
     5== Directories on a May First/People Link server ==
    7 == Files only readable by members of your group ==
     7If you have ever used [wiki:secure_shell ssh] or [wiki:sftp sftp] to login to a May First/People Link server, you've probably noticed that you can explore the entire server's directory structure. You can go all the way to the top of the filesystem hierarchy (know as the "root" directory), explore the server configuration directory (/etc) and even traverse the directories of other members (/home/members). At first glance, it may even appear that you can view every file and directory on the entire server.
    9 == Files only readable by other MFPL members who share your server ==
     9In practice, however, you will find that certain files and directories are restricted. For example, /etc/shadow, which contains user passwords is restricted. So is every member's mail directory. You'll also find that the settings.php file containing the database username and password for Drupal installations is only read-able by the owner of that web site.
    11 == Files readable by anyone ==
     12== General policy ==
     14The two main permissions a user has with regard to a file or directory on a server are: read access and write access.
     16Write access is relatively simple:
     18The general policy on read access is: open first, close second. In other words, rather than restrict users from reading all files and directories and then selectively opening the ones they are allowed to have access, we open access to everything, and then selectively restrict access to the files and directories they should not have access to. This approach is based on good security: by focusing on the few pieces that really need to be restricted we can more effectively maintain security than by attempting to secure much more than is necessary. It's also based on a principle of collaboration: we ''want'' our members to share with each other, to see who is on their server, and to have the opportunity to explore how our servers are configured and setup.
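Review bot: In the new "General policy" section, the line "Write access is relatively simple:" ends on a colon and is followed directly by the read-access paragraph, so the write-access rule it announces is never stated. Either add the rule there or drop the line until it is written. The read-access paragraph describes the open-by-default policy as "based on good security", but this version removes the v1 headings that separated files readable only by the creating user, by group members, by other members on the same server, and by anyone. Consider keeping that breakdown under the new text so a member can tell which of their own files other members can read and which they need to restrict themselves. Minor: "know as" in the Directories paragraph should be "known as", and the intro's "see below for links to those tickets" points at links that do not appear in the visible lines of this version.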