Unlocking Secure Access: Understanding and Implementing Standard File Permissions
This chapter provides comprehensive information on basic file security, focusing on file ownership and permissions. Understanding and managing file ownership and permissions are crucial for maintaining system security and controlling access to files and directories.
Standard file permissions are the first line of access control on a Linux system. Knowing how to read and change them lets you make sure that only the intended users and groups can reach sensitive files.
With precise control over the read, write and execute permissions of files and directories, you keep unauthorized users out of data they should not see or change, and improve the overall security posture of the system.
File Ownership
Every file in a Unix-like system has both a user owner and a group owner. User owners and group owners are managed locally in /etc/passwd and /etc/group, or they can be part of a network information service (NIS), LDAP, or Samba domain. Users and groups can own files, and ownership information can be viewed using commands like ls -l. For example, the command ls -lh displays detailed information about files, including user and group ownership.
User owner and group owner
The users and groups of a system can be locally managed in /etc/passwd and /etc/group, or they can be in a NIS, LDAP, or Samba domain. These users and groups can own files. Actually, every file has a user owner and a group owner, as can be seen in the following screenshot.
paul@rhel65:~/owners$ ls -lh
total 636K
-rw-r--r--. 1 paul snooker 1.1K Apr  8 18:47 data.odt
-rw-r--r--. 1 paul paul    626K Apr  8 18:46 file1
-rw-r--r--. 1 root tennis   185 Apr  8 18:46 file2
-rw-rw-r--. 1 root root       0 Apr  8 18:47 stuff.txt
paul@rhel65:~/owners$
User paul is the user owner of two files: file1 has paul as user owner and the group paul as group owner, and data.odt has paul as user owner and the group snooker as group owner. file2 is owned by root, with tennis as its group owner.
The last file is called stuff.txt and is owned by the root user and the root group. The dot after each permission string (-rw-r--r--.) is not a permission: on this Red Hat system it indicates that the file carries an SELinux security context (a + in that position would indicate an ACL).
Listing user accounts
Local user accounts are listed by extracting the first field of /etc/passwd. Accounts that come from NIS or LDAP are not in that file; getent passwd lists both local and directory-served accounts.
You can use the following command to list all local user accounts.
paul@debian7~$ cut -d: -f1 /etc/passwd | column
root         ntp        sam        bert        naomi
daemon       mysql      tom        rino        matthias2
bin          paul       wouter     antonio     bram
sys          maarten    robrecht   simon       fabric
esync        kevin      bilal      sven        chimene
games        yuri       dimitri    wouter2     messagebus
man          william    ahmed      tarik       roger
lp           yves       dylan      jan         frank
mail         kris       robin      ian         toon
news         hamid      matthias   ivan        rinus
uucp         vladimir   ben        azeddine    eddy
proxy        abiy       mike       eric        bram2
www-data     david      kevin2     kamel       keith
backup       chahid     kenzo      ischa       jesse
list         stef       aaron      bart        frederick
irc          joeri      lorenzo    omer        hans
gnats        glenn      jens       kurt        dries
nobody       yannick    ruben      steve       steve2
libuuid      christof   jelle      constantin  tomas
Debian-exim  george     stefaan    sam2        johan
statd        joost      marc       bjorn       tom2
sshd         arno       thomas     ronald
The user owner of a file can be changed with the chown command, and the group owner with the chgrp command (or with chown user:group). For example, chown paul FileForPaul changes the user owner of FileForPaul to paul. Only root can change the user owner of a file; an ordinary user who owns a file can change its group owner, but only to a group that the user is a member of.
chgrp
You can change the group owner of a file using the chgrp command.
root@rhel65:/home/paul/owners# ls -l file2
-rw-r--r--. 1 root tennis 185 Apr  8 18:46 file2
root@rhel65:/home/paul/owners# chgrp snooker file2
root@rhel65:/home/paul/owners# ls -l file2
-rw-r--r--. 1 root snooker 185 Apr  8 18:46 file2
root@rhel65:/home/paul/owners#
chown
The user owner of a file can be changed with chown command.
root@laika:/home/paul# ls -l FileForPaul
-rw-r--r-- 1 root paul 0 2008-08-06 14:11 FileForPaul
root@laika:/home/paul# chown paul FileForPaul
root@laika:/home/paul# ls -l FileForPaul
-rw-r--r-- 1 paul paul 0 2008-08-06 14:11 FileForPaul
You can also use chown to change both the user owner and the group owner.
root@laika:/home/paul# ls -l FileForPaul
-rw-r--r-- 1 paul paul 0 2008-08-06 14:11 FileForPaul
root@laika:/home/paul# chown root:project42 FileForPaul
root@laika:/home/paul# ls -l FileForPaul
-rw-r--r-- 1 root project42 0 2008-08-06 14:11 FileForPaul
List of special files
When you use ls -l, for each file you can see ten characters before the user and group owner. The first character tells us the type of file. Regular files get a -, directories get a d, symbolic links are shown with an l, pipes get a p, character devices a c, block devices a b, and sockets an s.
Table: Unix special files
first character   file type
-                 regular file
d                 directory
l                 symbolic link
p                 named pipe
c                 character device
b                 block device
s                 socket
Below a screenshot of a character device (the console) and a block device (the hard disk). For device files, ls shows the major and minor device numbers (5, 1 and 8, 0) in place of a file size.
paul@debian6lt~$ ls -ld /dev/console /dev/sda
crw------- 1 root root 5, 1 Mar 15 12:45 /dev/console
brw-rw---- 1 root disk 8, 0 Mar 15 12:45 /dev/sda
And here you can see a directory, a regular file and a symbolic link.
paul@debian6lt~$ ls -ld /etc /etc/hosts /etc/motd
drwxr-xr-x 128 root root 12288 Mar 15 18:34 /etc
-rw-r--r--   1 root root   372 Dec 10 17:36 /etc/hosts
lrwxrwxrwx   1 root root    13 Dec  5 10:36 /etc/motd -> /var/run/motd
Permissions
File permissions control access to files and directories. Permissions are denoted by the characters r (read), w (write), and x (execute). These permissions are represented in three sets of triplets for the user owner, group owner, and others. For instance, rwx indicates full permissions, while - indicates no permission.
rwx
The nine characters following the file type denote the permissions in three triplets. A permission can be r for read access, w for write access, and x for execute. On a directory the meaning shifts: you need the r permission to list (ls) its contents, the x permission to enter (cd) it or to reach anything inside it, even by full path, and the w permission (together with x) to create entries in it or remove entries from it. Removing or renaming a file is a write to the directory, not to the file, so a user with w on the directory can delete a file that they cannot read or write.
Table: standard Unix file permissions
permission   on a file              on a directory
r            read the contents      list the contents (ls)
w            change the contents    create or remove entries
x            execute the file       enter it (cd) and access its entries
Three sets of rwx
We already know that the output of ls -l starts with ten characters for each file. This screenshot shows a regular file (because the first character is a - ).
paul@RHELv4u4:~/test$ ls -l proc42.bash
-rwxr-xr-- 1 paul proj 984 Feb  6 12:01 proc42.bash
Below is a table describing the function of all ten characters.
Table: Unix file permissions position
position   meaning
1          file type (-, d, l, p, c, b or s)
2-4        rwx for the user owner
5-7        rwx for the group owner
8-10       rwx for others
When you are the user owner of a file, then the user owner permissions apply to you. The rest of the permissions have no influence on your access to the file.
When you belong to the group that is the group owner of a file, then the group owner permissions apply to you. The rest of the permissions have no influence on your access to the file.
When you are not the user owner of a file and you do not belong to the group owner, then the others permissions apply to you. The rest of the permissions have no influence on your access to the file. The check stops at the first class that matches, so a more permissive class further right never helps: a file with mode ----rwxrwx cannot be read by its own user owner, while everyone else can read and write it.
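The three rules above, as an added example written for this page (it is not code from the original chapter). It models the decision the kernel makes for a process: pick exactly one triplet (user owner, then group owner, then others) and ignore the other two, with the root exception explained at the end of this chapter. The entries and the numeric ids (paul 1000, ann 1001, tennis 1003) are constructed assumptions.

```python
# Added example, not from the page: which rwx triplet applies to a process.
# Numeric ids below are assumed for the sake of the demo.
ROOT_UID = 0
PAUL_UID = PAUL_GID = 1000      # assumed: user and group "paul"
ANN_UID = ANN_GID = 1001        # assumed: some other ordinary user
TENNIS_GID = 1003               # assumed: group "tennis" from the listing

NEED = {"r": 4, "w": 2, "x": 1}


def mode_bits(mode):
    """'-rwxr-x---' -> (7, 5, 0): one r=4/w=2/x=1 mask per class.

    Accepts the 10-character ls -l mode string, optionally followed by the
    '.' (SELinux context) or '+' (ACL) marker that ls appends.  An s or t in
    the x position counts as x set; S or T means x is not set."""
    if len(mode) not in (10, 11):
        raise ValueError("expected an ls -l mode string, got %r" % (mode,))
    perms = mode[1:10]
    masks = []
    for triplet in (perms[0:3], perms[3:6], perms[6:9]):
        bits = 0
        for ch, value in zip(triplet, (4, 2, 1)):
            if ch in "rwxst":
                bits |= value
        masks.append(bits)
    return tuple(masks)


def can_access(mode, file_uid, file_gid, uid, groups, want):
    """True if a process with this uid and group set may do want ('r', 'w'
    or 'x') to a file with the given mode string and owner ids.

    Exactly one class is consulted: user owner first, then group owner,
    then others.  Root skips the r/w check entirely; to execute a regular
    file even root needs at least one x bit somewhere (the Linux
    CAP_DAC_OVERRIDE rule)."""
    user, group, other = mode_bits(mode)
    is_dir = mode[0] == "d"
    if uid == ROOT_UID:
        if want == "x" and not is_dir:
            return bool((user | group | other) & 1)
        return True
    if uid == file_uid:
        applicable = user       # owner: the group/others triplets are ignored
    elif file_gid in groups:
        applicable = group
    else:
        applicable = other
    return bool(applicable & NEED[want])


if __name__ == "__main__":
    # Constructed entries in ls -l form: (mode, owner uid, group gid, name).
    listing = [
        ("-r--r-----", PAUL_UID, PAUL_GID, "OnlyOwnersRead.txt"),
        ("-rw-r--r--.", ROOT_UID, TENNIS_GID, "file2"),
        ("----rwxrwx", PAUL_UID, PAUL_GID, "owner-locked-out"),
    ]
    subjects = (("paul", PAUL_UID, {PAUL_GID}),
                ("ann", ANN_UID, {ANN_GID}),
                ("root", ROOT_UID, {0}))
    for mode, f_uid, f_gid, name in listing:
        for who, uid, groups in subjects:
            verdict = "".join(w if can_access(mode, f_uid, f_gid, uid, groups, w)
                              else "-" for w in "rwx")
            print("%-20s %-11s %-4s -> %s" % (name, mode, who, verdict))
```

The owner-locked-out entry is the case worth remembering in a review: because the user owner triplet is the only one consulted for paul, the rwx granted to the group and to others does nothing for him, even though he could simply chmod the file back.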
Permission examples
Some example combinations on files and directories are seen in this screenshot. The name of the file explains the permissions.
paul@laika:~/perms$ ls -lh
total 12K
drwxr-xr-x 2 paul paul 4.0K 2007-02-07 22:26 AllEnter_UserCreateDelete
-rwxrwxrwx 1 paul paul    0 2007-02-07 22:21 EveryoneFullControl.txt
-r--r----- 1 paul paul    0 2007-02-07 22:21 OnlyOwnersRead.txt
-rwxrwx--- 1 paul paul    0 2007-02-07 22:21 OwnersAll_RestNothing.txt
dr-xr-x--- 2 paul paul 4.0K 2007-02-07 22:25 UserAndGroupEnter
dr-x------ 2 paul paul 4.0K 2007-02-07 22:25 OnlyUserEnter
paul@laika:~/perms$
To summarise, the first rwx triplet represents the permissions for the user owner. The second triplet corresponds to the group owner; it specifies permissions for all members of that group. The third triplet defines permissions for all other users that are not the user owner and are not a member of the group owner.
Setting permissions (chmod)
Permissions can be modified using the chmod command. Permissions can be set using symbolic notation (e.g., u+x to add execute permission for the user owner) or octal notation (e.g., chmod 777 permissions.txt to set full permissions for all).
paul@laika:~/perms$ ls -l permissions.txt
-rw-r--r-- 1 paul paul 0 2007-02-07 22:34 permissions.txt
paul@laika:~/perms$ chmod u+x permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rwxr--r-- 1 paul paul 0 2007-02-07 22:34 permissions.txt
This example removes the group owners read permission.
paul@laika:~/perms$ chmod g-r permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rwx---r-- 1 paul paul 0 2007-02-07 22:34 permissions.txt
This example removes the others read permission.
paul@laika:~/perms$ chmod o-r permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rwx------ 1 paul paul 0 2007-02-07 22:34 permissions.txt
This example gives all of them the write permission.
paul@laika:~/perms$ chmod a+w permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rwx-w--w- 1 paul paul 0 2007-02-07 22:34 permissions.txt
You can even leave out the a, but this is not quite the same thing: when no user class is given, chmod leaves alone any bits that are set in the umask. With a umask of 022 or 002 the execute bits are not masked, so +x below behaves like a+x; a +w under umask 022, by contrast, would add write permission for the user owner only.
paul@laika:~/perms$ chmod +x permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rwx-wx-wx 1 paul paul 0 2007-02-07 22:34 permissions.txt
You can also set explicit permissions.
paul@laika:~/perms$ chmod u=rw permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rw--wx-wx 1 paul paul 0 2007-02-07 22:34 permissions.txt
Feel free to make any kind of combination.
paul@laika:~/perms$ chmod u=rw,g=rw,o=r permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rw-rw-r-- 1 paul paul 0 2007-02-07 22:34 permissions.txt
Even fishy combinations are accepted by chmod.
paul@laika:~/perms$ chmod u=rwx,ug+rw,o=r permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rwxrw-r-- 1 paul paul 0 2007-02-07 22:34 permissions.txt
Setting octal permissions
Most Unix administrators will use the old school octal system to talk about and set permissions. Look at the triplet bitwise, equating r to 4, w to 2, and x to 1.
Table: octal permissions
binary   octal   permissions
000      0       ---
001      1       --x
010      2       -w-
011      3       -wx
100      4       r--
101      5       r-x
110      6       rw-
111      7       rwx
This makes 777 equal to rwxrwxrwx and, by the same logic, 654 means rw-r-xr--: the first digit is the user owner triplet, the second the group owner triplet, the third the others triplet. The chmod command will accept these numbers.
paul@laika:~/perms$ chmod 777 permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rwxrwxrwx 1 paul paul 0 2007-02-07 22:34 permissions.txt
paul@laika:~/perms$ chmod 664 permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rw-rw-r-- 1 paul paul 0 2007-02-07 22:34 permissions.txt
paul@laika:~/perms$ chmod 750 permissions.txt
paul@laika:~/perms$ ls -l permissions.txt
-rwxr-x--- 1 paul paul 0 2007-02-07 22:34 permissions.txt
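The symbolic clauses of the previous section and the octal numbers of this one are two spellings of the same nine bits. The following added example (written for this page, not code from the original chapter or from GNU chmod) models how chmod interprets a mode argument, including the umask rule that applies when the user class is omitted, and replays the whole permissions.txt sequence above. The umask of 002 passed in the demo is an assumption about the system in the screenshots.

```python
# Added example, not from the page: a model of chmod's mode argument.
import re

WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}
# bit value and letter for each of the nine positions, user owner first
SYMBOLIC_ORDER = ((0o400, "r"), (0o200, "w"), (0o100, "x"),
                  (0o040, "r"), (0o020, "w"), (0o010, "x"),
                  (0o004, "r"), (0o002, "w"), (0o001, "x"))


def to_symbolic(mode):
    """0o750 -> 'rwxr-x---' (the nine characters after the file type)."""
    return "".join(ch if mode & bit else "-" for bit, ch in SYMBOLIC_ORDER)


def from_symbolic(perms):
    """'rwxr-x---' -> 0o750.  Rejects strings that are not nine rwx- chars
    with each letter in its own column."""
    if len(perms) != 9:
        raise ValueError("expected nine permission characters: %r" % (perms,))
    mode = 0
    for (bit, ch), c in zip(SYMBOLIC_ORDER, perms):
        if c == "-":
            continue
        if c != ch:
            raise ValueError("unexpected %r in %r" % (c, perms))
        mode |= bit
    return mode


def chmod(mode, spec, umask=0o022):
    """Apply a chmod argument to a mode: an octal number ('750') or a
    comma-separated list of clauses such as u+x, g-r, a+w, +x, u=rw, ug+rw.

    When a clause names no class, chmod acts on all three classes but
    leaves the bits that are set in the umask untouched; that is why +x
    is only the same as a+x when the umask does not mask execute."""
    if re.fullmatch(r"[0-7]{3,4}", spec):
        return int(spec, 8) & 0o777
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([-+=])([rwx]*)", clause)
        if not m:
            raise ValueError("unsupported chmod clause: %r" % (clause,))
        who, op, perms = m.groups()
        if who:
            who_mask = 0
            for w in who:
                who_mask |= WHO_BITS[w]
        else:
            who_mask = 0o777 & ~umask      # implicit "a", minus the umask
        perm_mask = 0
        for p in perms:
            perm_mask |= PERM_BITS[p]
        bits = who_mask & perm_mask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                              # "=" replaces the named classes
            mode = (mode & ~who_mask) | bits
    return mode & 0o777


def same_mode(octal, perms):
    """Answer the 'is 734 the same as rwxr-xr--?' style questions."""
    return (int(octal, 8) & 0o777) == from_symbolic(perms)


if __name__ == "__main__":
    # Replay of the permissions.txt session, starting from -rw-r--r--.
    mode = 0o644
    for step in ("u+x", "g-r", "o-r", "a+w", "+x", "u=rw", "u=rw,g=rw,o=r",
                 "u=rwx,ug+rw,o=r", "777", "664", "750"):
        mode = chmod(mode, step, umask=0o002)
        print("chmod %-16s -> -%s  (%o)" % (step, to_symbolic(mode), mode))
    for octal, perms in (("770", "rwxrwx---"), ("664", "r-xr-xr--"),
                         ("400", "r--------"), ("734", "rwxr-xr--")):
        print("%s == %s ? %s" % (octal, perms, same_mode(octal, perms)))
```

The replay reproduces every ls -l line of the session, and the last loop answers practice questions 7 to 10: 734 is rwx-wxr--, not rwxr-xr-- (that would be 754).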
umask
The umask command determines default permissions when creating files or directories. It specifies permissions that are not set by default.
When creating a file or directory, a set of default permissions are applied. These default permissions are determined by the umask. The umask specifies permissions that you do not want set on by default. You can display the umask with the umask command.
[Harry@RHEL4b ~]$ umask
0002
[Harry@RHEL4b ~]$ touch test
[Harry@RHEL4b ~]$ ls -l test
-rw-rw-r-- 1 Harry Harry 0 Jul 24 06:03 test
[Harry@RHEL4b ~]$
As you can also see, the file is not executable by default. This is a general security feature among Unixes; newly created regular files are never executable by default. You have to explicitly do a chmod +x to make a file executable. This also means that the 1 bit in the umask has no effect on newly created files: for files, a umask of 0022 gives the same result as 0033. It does matter for directories, which are created with the execute (enter) permission: with umask 0022 mkdir gives drwxr-xr-x, with 0033 it gives drwxr--r--.
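An added example (written for this page, not from the original chapter) of what the umask does to a new file and to a new directory, and of the symbolic form that umask -S prints and accepts. It assumes the standard base modes that touch, shell redirection and mkdir request from the kernel: 666 for files and 777 for directories.

```python
# Added example, not from the page: umask arithmetic and umask -S notation.
FILE_BASE = 0o666      # open()/creat() never request x for a new file
DIR_BASE = 0o777       # mkdir requests rwx; x is "enter" on a directory
WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def default_mode(umask, is_dir):
    """Mode of a newly created file or directory under this umask.
    The umask lists the bits to clear, hence base & ~umask."""
    base = DIR_BASE if is_dir else FILE_BASE
    return base & ~umask & 0o777


def umask_symbolic(umask):
    """Render a umask the way `umask -S` does: the bits that are KEPT,
    e.g. 0o002 -> 'u=rwx,g=rwx,o=rx'."""
    kept = 0o777 & ~umask
    parts = []
    for who in "ugo":
        letters = "".join(p for p in "rwx"
                          if kept & WHO_BITS[who] & PERM_BITS[p])
        parts.append("%s=%s" % (who, letters))
    return ",".join(parts)


def parse_umask_symbolic(spec):
    """Inverse of umask_symbolic; also accepts grouped classes such as
    'u=rwx,go=' (what `umask -S u=rwx,go=` sets).  Returns the octal mask."""
    kept = 0
    for clause in spec.split(","):
        who, eq, perms = clause.partition("=")
        if eq != "=" or not who or any(w not in WHO_BITS for w in who) \
                or any(p not in PERM_BITS for p in perms):
            raise ValueError("bad umask clause: %r" % (clause,))
        who_mask = 0
        for w in who:
            who_mask |= WHO_BITS[w]
        perm_mask = 0
        for p in perms:
            perm_mask |= PERM_BITS[p]
        kept |= who_mask & perm_mask
    return 0o777 & ~kept


if __name__ == "__main__":
    for umask in (0o002, 0o022, 0o033, 0o027, 0o077):
        print("umask %04o (%s): file %04o, directory %04o" % (
            umask, umask_symbolic(umask),
            default_mode(umask, is_dir=False), default_mode(umask, is_dir=True)))
```

The 0022 versus 0033 rows make the caveat above concrete: identical for files, different for directories. A umask of 077 (u=rwx,g=,o=) is the setting to reach for when a process writes secrets such as key material into a shared directory.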
mkdir -m
When creating directories with mkdir you can use the -m option to set the mode. This screenshot explains.
paul@debian5~$ mkdir -m 700 MyDir
paul@debian5~$ mkdir -m 777 Public
paul@debian5~$ ls -dl MyDir/ Public/
drwx------ 2 paul paul 4096 2011-10-16 19:16 MyDir/
drwxrwxrwx 2 paul paul 4096 2011-10-16 19:16 Public/
cp -p
To preserve permissions and time stamps from source files, use cp -p (ll below is the common alias for ls -l). Without -p the copies get the time of the copy; their permission bits happen to match here because cp keeps the source mode minus the umask, and no bit present in these files was masked. Ownership is only preserved when root uses cp -p; for an ordinary user the copies are always owned by that user.
paul@laika:~/perms$ cp file* cp
paul@laika:~/perms$ cp -p file* cpp
paul@laika:~/perms$ ll *
-rwx------ 1 paul paul 0 2008-08-25 13:26 file33
-rwxr-x--- 1 paul paul 0 2008-08-25 13:26 file42

cp:
total 0
-rwx------ 1 paul paul 0 2008-08-25 13:34 file33
-rwxr-x--- 1 paul paul 0 2008-08-25 13:34 file42

cpp:
total 0
-rwx------ 1 paul paul 0 2008-08-25 13:26 file33
-rwxr-x--- 1 paul paul 0 2008-08-25 13:26 file42
Practice: standard file permissions
A series of exercises are provided to practice managing file permissions, including creating files and directories, changing ownership, setting permissions, and using symbolic and octal notation.
- As normal user, create a directory ~/permissions. Create a file owned by yourself in there.
- Copy a file owned by root from /etc/ to your permissions dir, who owns this file now ?
- As root, create a file in the users ~/permissions directory.
- As normal user, look at who owns this file created by root.
- Change the ownership of all files in ~/permissions to yourself.
- Make sure you have all rights to these files, and others can only read.
- With chmod, is 770 the same as rwxrwx--- ?
- With chmod, is 664 the same as r-xr-xr-- ?
- With chmod, is 400 the same as r-------- ?
- With chmod, is 734 the same as rwxr-xr-- ?
- Display the umask in octal and in symbolic form.
- Set the umask to 077, but use the symbolic format to set it. Verify that this works.
- Create a file as root, give only read to others. Can a normal user read this file ? Test writing to this file with vi.
- Create a file as normal user, give only read to others. Can another normal user read this file? Test writing to this file with vi.
- Can root read this file? Can root write to this file with vi?
- Create a directory that belongs to a group, where every member of that group can read and write to files, and create files. Make sure that people can only delete their own files.
Solution: standard file permissions
1. As normal user, create a directory ~/permissions. Create a file owned by yourself in there.
mkdir ~/permissions ; touch ~/permissions/myfile.txt
2. Copy a file owned by root from /etc/ to your permissions dir, who owns this file now?
cp /etc/hosts ~/permissions/
The copy is owned by you.
3. As root, create a file in the users ~/permissions directory.
(become root) # touch /home/username/permissions/rootfile
4. As normal user, look at who owns this file created by root.
ls -l ~/permissions
The file created by root is owned by root.
5. Change the ownership of all files in ~/permissions to yourself.
chown user ~/permissions/*
The copy of /etc/hosts is already yours, but chown fails on rootfile with "Operation not permitted": only root can change the user owner of a file, so you cannot take ownership of the file that belongs to root.
6. Make sure you have all rights to these files, and others can only read.
chmod 644 (on files)
chmod 755 (on directories)
7. With chmod, is 770 the same as rwxrwx--- ?
yes
8. With chmod, is 664 the same as r-xr-xr-- ?
No
9. With chmod, is 400 the same as r-------- ?
yes
10. With chmod, is 734 the same as rwxr-xr-- ?
no
11. Display the umask in octal and in symbolic form.
umask ; umask -S
12. Set the umask to 077, but use the symbolic format to set it. Verify that this works.
umask -S u=rwx,go=
13. Create a file as root, give only read to others. Can a normal user read this file ? Test writing to this file with vi.
(become root)
# echo hello > /home/username/root.txt
# chmod 744 /home/username/root.txt
(become user)
vi ~/root.txt
The normal user can read root.txt, and vi opens it read-only and refuses a plain :w. Be aware that in vim a :w! can still succeed here, because the directory (the user's home) is writable by the user: vim removes the old file and writes a new one, now owned by the user. This is the directory-write rule from the permissions section at work.
14. Create a file as normal user, give only read to others. Can another normal user read this file ? Test writing to this file with vi.
echo hello > file ; chmod 744 file
Yes, others can read this file
15. Can root read this file ? Can root write to this file with vi ?
Yes, root can read and write to this file. The rwx permission bits do not restrict root (on Linux this is the CAP_DAC_OVERRIDE capability), with one exception: root cannot execute a file that has no x bit set for anyone. Mandatory access control such as SELinux can still confine what root does.
16. Create a directory that belongs to a group, where every member of that group can read and write to files, and create files. Make sure that people can only delete their own files.
mkdir /home/project42 ; groupadd project42
chgrp project42 /home/project42 ; chmod 775 /home/project42
You can not yet do the last part of this exercise with the standard rwx bits alone: with 775, any member of project42 has w on the directory and can therefore delete every file in it, not just their own. Restricting deletion to a file's owner needs the sticky bit on the directory, and making new files inherit the group project42 needs the setgid bit; both belong to the special permissions, not to the standard ones.
Conclusion
Understanding and managing file ownership and permissions are fundamental aspects of maintaining file security in Unix-like systems. By properly configuring ownership and permissions, users can control access to files and directories, ensuring system security and integrity.