Rational Action

So I was sitting in CS class on Thursday. The prof was showing us how to use CUNIX (The Columbia computer system). He logged in and then went into his public website directory:

command me, baby: cd public_html

Yes, he set bash to display “command me, baby” instead of “$“.

Then he listed the files in the directory, and look what popped up:

command me, baby: ls
final.pdf

He said “oops.” I was sitting there with my laptop connected on wifi. If I had been a quicker thinker, I could have downloaded the final right then and there. But alas, I didn’t even know his username, so finding the file would have been tough.

(He may have been using telnet to get at CUNIX in the first place. Had my wifi card been in monitor mode — had I been a sneaky Linux user, that is — I could have stolen his password as he transmitted it cleartext through the air.)

Anyway, realizing that his final was world accessible, he quickly moved it:

command me, baby: mv final.pdf ..

Thus final.pdf now sat in his home directory. It no longer was shared to the world over the web, but it still sat in a folder on CUNIX. Since I assumed that home directores in CUNIX were set a-r (in other words, unbrowseable by everyone), I assumed that the file would be unviewable by everyone as well.

Later that day I was ambling around the campus, thinking about geeky things like the Mars landers, when an epiphany hit me.

After I regained consciousness, I considered some points:

• The home directory, in which the file now resided, was probably marked a-r (effectively, you can’t list files in it)
• However, the home directory — if it had the same permissions as mine — was probably marked a+x (files inside directory can be accessed by their names)
• I couldn’t list the files in his home directory. But I could access them, as long as the permissions on the specific file were correct, and I knew the right filename
• The file was named final.pdf
• The file had been in the public_html directory, meaning that it was probably set to be a+r (world readable)

If you haven’t gotten my point yet: final.pdf was accessible to everyone under the sun. Nothing was stopping me from logging in and copying the file into my own directory (Except my moral standards and a fear of getting caught — both of which were surprisingly effective.)

I sent the prof an e-mail and hopefully he’ll remedy the problem.

This entry was posted on Saturday, January 31st, 2004 at 2:52 pm and is filed under Computer Geek. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.