First steps to take at a public unix shell

mydeardiary

2024-01-31T01:41:41+00:00

First steps at a public unix shell computer

Important to know

Public unix shell access is a nice place to create something, for example to host a personal webspace, receive email, or keep a personal backup of some files. It is a niche within a niche.

There is more than one user on a public unix shell service, as commands such as who or finger will show. Whether those users behave as good pubnix citizens depends on each of them, so assume that anything readable by other users will eventually be read.

Here I will explain the first steps to take to secure a newly obtained public shell account.

Securing home directory permission

On unix-based systems the permissions of files and directories are read, write and execute, set separately for the owner, the owner's group and everyone else. The $HOME directory is where personal files live, so check its permissions to make sure unauthorized viewing is prohibited. The command below removes all access for the group and for everyone else, which on a pubnix includes the other users and the web, gemini and gopher daemons that serve files out of $HOME:

chmod go-rwx $HOME

On a public unix system it may be desirable to let the contents of some directory be accessed, so let's make the permission less paranoid but still secure against prying eyes.

chmod go-rw $HOME
chmod go+x $HOME

With this setup the permission of $HOME is 711: the owner has full access, while others can only traverse $HOME, that is, reach a file inside it if they know its full path and the file's own permissions allow it. They cannot list what $HOME contains.

Now propagate the same restriction to every file and directory inside $HOME. This also covers ~/.ssh, mail folders and shell history files, and it makes the public directories private for the moment; the next step reopens them.

cd $HOME
find . -type f -exec chmod go-rwx {} +
find . -type d -exec chmod go-rwx {} +

Now let's allow others to access the webspace, geminispace and gopherhole.

for dir in public_html public_gemini public_gopher; do
    find ~/$dir -type f -exec chmod go+r {} +
    find ~/$dir -type d -exec chmod go+rx {} +
done

This lets others browse the contents of the public directories and lets the daemons serve those files over the suitable protocols.

For a more paranoid setup which does not allow directory listing:

for dir in public_html public_gemini public_gopher; do
    find ~/$dir -type f -exec chmod go+r {} +
    find ~/$dir -type d -exec chmod go-r {} +
    find ~/$dir -type d -exec chmod go+x {} +
done

With this setup a directory listing is denied: others can fetch a file only if they know its path, which a visitor following links from your index page will. This is more paranoid than the first setup, which allows listings.
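The whole procedure above, 711 on $HOME, everything inside made private and the public directories reopened, as one function, followed by an audit that prints anything other users can still reach. This is an added example, not a script from the original post; it assumes GNU find (for -mindepth and -perm /mode) and that the daemons serve from the directories named in PUBLIC_DIRS.

```shell
#!/bin/sh
# Added example (not from the original post): lock down a home directory
# as the steps above describe, then reopen the public directories.
# Assumes GNU find and that daemons serve from the PUBLIC_DIRS listed here.

PUBLIC_DIRS="public_html public_gemini public_gopher"

# lockdown_home DIR [listing]
#   DIR      the home directory to secure (normally "$HOME")
#   listing  "yes" to allow directory listings in public dirs; default "no"
lockdown_home() {
    home=$1
    listing=${2:-no}

    # everything below DIR becomes private to the owner
    find "$home" -type f -exec chmod go-rwx {} +
    find "$home" -type d -exec chmod go-rwx {} +

    # DIR itself gets 711: others may traverse it but not list or modify it
    chmod u=rwx,go=x "$home" || return 1

    # reopen only what the daemons serve: files readable, directories
    # traversable, and listable only when asked for
    for dir in $PUBLIC_DIRS; do
        [ -d "$home/$dir" ] || continue
        find "$home/$dir" -type f -exec chmod go+r {} +
        if [ "$listing" = yes ]; then
            find "$home/$dir" -type d -exec chmod go+rx {} +
        else
            find "$home/$dir" -type d -exec chmod go-r,go+x {} +
        fi
    done
}

# audit_home DIR: print every path under DIR, outside the public_* trees,
# that still has any group or other permission bit set; prints nothing when
# the lockdown is complete. -perm /077 matches if any of those bits is set.
audit_home() {
    home=$1
    find "$home" -mindepth 1 \
        -path "$home/public_*" -prune -o -perm /077 -print
}
```

Run lockdown_home "$HOME" once after getting the account, and audit_home "$HOME" again after every scp or git upload, since files copied in keep the mode they had on the sending side.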

Cloaking shell command history

By default an interactive shell saves the history of typed commands to a history file such as ~/.bash_history. To keep that private, set some variables in the shell initialization file.

$EDITOR ~/.bashrc

# Add or replace the existing variables: keep no history on disk
HISTFILESIZE=0
HISTFILE=""    # or /dev/null, or unset HISTFILE

For bash these lines belong in ~/.bashrc, which every interactive shell reads (~/.profile is only read by login shells). zsh does not use HISTFILESIZE; there, put unset HISTFILE and SAVEHIST=0 in ~/.zshrc. The in-memory history of the running session keeps working; only nothing is written to disk. Also delete what has already been recorded with rm -f ~/.bash_history: the lockdown above already made that file unreadable to others, but deleting it removes the record entirely.

Permission for newly created files

It is also necessary to set the permission mask for new files so that only the owner has access to them.

$EDITOR ~/.profile

umask 077

With this umask, newly created files get mode 600 and directories 700, so only the owner has access. Put the line in ~/.bashrc as well if ~/.profile does not source it, so non-login shells get it too. Files that must be served publicly therefore need chmod go+r afterwards, as in the publishing section below.

Editor and others

There is a variable, $EDITOR, that sets the preferred text editor for operations such as committing git changes and editing systemd user units. $PAGER is used to read manual pages, systemd status output and the git log.

$EDITOR ~/.profile
# Replace with the preferred program
# Choices are vim, nano, vi, joe, emacs, and others
EDITOR=vim
VISUAL=$EDITOR
PAGER=less
LESSSECURE=1       # less in secure mode: no shell escapes, editing or writing files from inside the pager
LESSHISTFILE="-"   # do not write search and command history to ~/.lesshst
export EDITOR VISUAL PAGER LESSSECURE LESSHISTFILE

If vim is selected as the $EDITOR, here is a suggested ~/.vimrc content.

set bg=dark
syntax on
set backspace=indent,eol,start
set laststatus=2
set ruler
set mouse=a
" keep no ~/.viminfo (registers, search and command history, file marks)
set viminfo=
colorscheme industry

Persistence helper

Running a command over ssh without a persistence helper (a terminal multiplexer) risks the program being terminated when the network connection drops. My preferred persistence helper is tmux, but there are others such as screen, abduco, byobu and dtach.

My ~/.tmux.conf is as follows.

set -g default-terminal tmux-256color
set -g mode-keys vi
set -g status-style bg=purple

Publishing content on public directories

There are some public directories in $HOME. public_html is where web pages live, so files put there are accessible to the world via web browsers; public_gemini and public_gopher play the same role for gemini and gopher.

My workflow is to write the content of my public folder in markdown and convert it to html with pandoc. I have created a shell function to make converting markdown to html easy.

md2html()
{
    if [ $# -lt 2 ] ; then
        echo "This function needs two arguments: input.md and output.html" >&2
        return 1
    fi
    # quote the arguments so file names with spaces work; --template implies --standalone
    pandoc -f markdown -t html --template default.html5 < "$1" > "$2"
}

I can then batch convert markdown files with the loop below.

# markdown files are in ~/markdown/
for file in "$HOME"/markdown/*.md ; do
    md2html "$file" "$HOME/public_html/$(basename "$file" .md).html"
done

Don't forget to fix the permissions of the public directory contents, since umask 077 made the newly written files private:

find $HOME/public_html -type f -exec chmod go+r {} +
find $HOME/public_html -type d -exec chmod go+x {} +
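The publishing loop and the permission fix-up as one function, which also shows the effect of the umask 077 set earlier: outputs are born private and are opened for reading one by one. This is an added example, not the post's own script. It assumes pandoc with a default.html5 template in the working directory; the MD2HTML variable is an assumption of this example and can name any other "converter INPUT OUTPUT" command.

```shell
#!/bin/sh
# Added example, not the post's own script: publish a directory of markdown
# files into public_html without leaving anything unintended readable and
# without the quoting pitfalls of the bare loop. Assumes pandoc and a
# default.html5 template; MD2HTML (an assumption of this example) may name
# another "converter INPUT OUTPUT" command instead.

MD2HTML=${MD2HTML:-md2html}

# md2html INPUT.md OUTPUT.html: the conversion step from the post, quoted
# so that file names containing spaces work (--template implies -s)
md2html() {
    if [ $# -ne 2 ]; then
        echo "usage: md2html input.md output.html" >&2
        return 1
    fi
    pandoc -f markdown -t html --template default.html5 < "$1" > "$2"
}

# publish_markdown SRC DEST
#   converts SRC/*.md into DEST/*.html, skipping outputs already newer than
#   their source, then grants others read on the outputs and traverse on
#   DEST, which umask 077 would otherwise deny to the web server.
#   Prints the number of files converted.
publish_markdown() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    count=0
    for md in "$src"/*.md; do
        [ -e "$md" ] || continue            # pattern matched no file
        html=$dest/$(basename "$md" .md).html
        if [ -e "$html" ] && [ ! "$md" -nt "$html" ]; then
            continue                        # output is up to date
        fi
        # convert into a temporary file so a failed run never leaves a
        # half-written .html that later looks up to date
        "$MD2HTML" "$md" "$html.tmp" && mv "$html.tmp" "$html" \
            || { rm -f "$html.tmp"; return 1; }
        chmod go+r "$html"                  # readable by the daemon, still not writable
        count=$((count + 1))
    done
    chmod go+x "$dest"                      # traversable, no listing
    echo "$count"
}
```

A typical run is publish_markdown "$HOME/markdown" "$HOME/public_html"; files that are not markdown are never copied, so notes kept next to the sources stay private.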

Conclusion

The tilde is a nice place to have. But everybody is responsible for their own files and for what they publish out there. So be careful and live a happy life.

Thanks for your visit.
