Today


Wednesday, February 9, 2011

Security basics, Part 1


Understanding file attribute bits and modes

Summary
In this month's Unix 101, Mo Budlong begins a three-part series on Unix security. In this installment, he explains how to set basic file and directory permissions. (1,500 words)


Security is always an issue in multiuser computing systems. Unix provides a rich set of security options, and this month we begin a three-part security series by exploring some basics.
As a true multiuser, multitasking operating system, Unix has a fairly sophisticated method for setting file and directory permissions.
The chmod command is simple once you've grasped the basics. To understand it, let's start with a small directory listing that can be generated by the ls -l command. 

$ ls -l
  drwxrwxr-x    1 mob      wp    2018 Aug 30 23:45 adir
  -rw-rw-r--    1 mob      wp    8755 Aug 30 23:37 picture.gif
  -rwxrwxr-x    1 mob      wp    8525 Sep  4 02:48 command.sh

$
The permissions are indicated by a series of letters on the left-hand side of the listing. The first character indicates the type of the entry. For our purposes, the first character will be either a dash (-) to indicate that the entry is a file or a d to indicate that it's a directory.
After the initial character, a series of rwxs (or the absence of the same) on the left side of the listing indicates the access permissions for that file or entry.
The nine characters after the initial entry-type indicator are broken into three groups, each containing three characters. Each group of three from left to right indicates the permissions given to the owner, group, and others, respectively.
An r indicates that read permission is given to the user who owns the file, group the owner belongs to, or the rest of the world. An r allows a file to be read, and a directory to be listed with ls and related utilities. A w indicates write permission. If this is an entry for a directory, w means that new files can be created within it.
In the following example, the owner, mob, has read and write permissions on picture.gif. The group wp has read permission only, and no other permissions are given. 

$ ls -l
  -rw-r-----    1 mob      wp    8755 Aug 30 23:37 picture.gif

$
An x indicates execute permission for executable files, and search permission for directories.
In the following example mob members of the group wp, and all others have search permission for adir. 

$ ls -l
  drwxrwxr-x    1 mob      wp    2018 Aug 30 23:45 adir
  -rw-rw-r--    1 mob      wp    8755 Aug 30 23:37 picture.gif
  -rwxrwxr-x    1 mob      wp    8525 Sep  4 02:48 command.sh

$
An x permission on a standard data file has no effect.
To change the permissions on a file, use chmod, followed by the permissions you want to change and the file name. A permission is expressed as a one-character identifier that signifies (u)ser, (g)roup, (o)thers, or (a)ll, followed by +, -, or =, meaning add, remove, or set, respectively. After these characters, add one or more of the following permissions: r, w, or x. The permission strings should look something like the following examples: 

u+rw
a-w
o+x
a=rwx
Some more examples are shown below. Line 3 adds write privileges to group, line 6 removes write privileges, and line 9 adds read privileges for others. Line 12 sets privileges for others to write only. In line 14, the r has disappeared and the w has appeared. Line 15 removes read and write privileges for all; note the result at line 17. Line 18 uses ug+rw to add read and write privileges for both user and group. 

1  $ ls -l
2    -rw-r-----    1 mob      wp    8755 Aug 30 23:37 picture.gif
3  $ chmod g+w picture.gif
4  $ ls -l
5    -rw-rw----    1 mob      wp    8755 Aug 30 23:37 picture.gif
6  $ chmod u-w picture.gif
7  $ ls -l
8    -r--rw----    1 mob      wp    8755 Aug 30 23:37 picture.gif
9  $ chmod o+r picture.gif
10 $ ls -l
11   -r--rw-r--    1 mob      wp    8755 Aug 30 23:37 picture.gif
12 $ chmod o=w picture.gif
13 $ ls -l
14   -r--rw--w-    1 mob      wp    8755 Aug 30 23:37 picture.gif
15 $ chmod a-rw picture.gif
16 $ ls -l
17   ----------    1 mob      wp    8755 Aug 30 23:37 picture.gif
18 $ chmod ug+rw picture.gif
19 $ ls -l
20   -rw-rw----    1 mob      wp    8755 Aug 30 23:37 picture.gif
$

User and group categories
In a Unix system, a user is a member of a higher-echelon grouping, simply called a group. Some common groups on Unix systems are root, admin, users, and mail.
superuser and root would be members of the root group. Users that have administrative access to backup, restore, and mount operations might be placed in the admin group. Whoever handles the mail system might be in the mail group. The remaining mortals would be in the users group.
A user is given a new group when first created. To see your group, type the following command, using your login where I have mob in the command. 

cat /etc/passwd|grep mob
mob:x:537:500::/home/mob/:/bin/ksh
$
The first field, mob, is the login ID. The second field, x, is the encrypted password, which will appear as an x or an unreadable character. The third field is your user ID, the value returned when you type id and press enter. The fourth field, 200, is the group ID. Keep that number written down, and search in your group file to find out which group is 500 and who the members of that group are. In this example, wp is group 500 and is password protected. The members of the wp group are mob and jjk. 

cat /etc/group|grep 200
wp:x:500:mob,jjk
$
If you want to see all the groups you're in, repeat the command but grep out your user ID. In this example, mob shows up in the groups wp, accounting, and admin. 

cat /etc/group|grep mob
wp:x:500:mob,jjk
accounting:x:512:mob,jan,ded
admin:x:mob,root
$
When you first log in, you're set to the default group specified in your /etc/passwd file.
When you create a new file and then ls -l it, you'll find it's assigned to you as owner and your default group as a group.
This example uses touch to create an empty file, and then displays the directory entry. 

$ touch newfile
$ ls -l
  -rw-rw-r--    1 mob      wp    0 Sep 22 23:37 newfile

$
You may change to a new group if you're a member of that group by using newgrp. If the group is password protected, you'll be asked for a password. Once you've changed to the new group, if you create a new file, it will be owned by the new group. 

newgrp accounting
$ touch nextfile
$ ls -l
  -rw-rw-r--    1 mob    wp           0 Sep 22 23:37 newfile
  -rw-rw-r--    1 mob    accounting   0 Sep 22 23:37 nextfile

$
As an exercise, you should create a new file with vi and put a couple of lines into it. Close the file and change permissions by adding and subtracting read and write privileges from user, group, and others. Try to edit the file. If you can get your hands on another user login that's not part of your group, try logging in as that person and editing the file.
Here are some general rules. Start with a file that has read and write privileges for all users, -rw-rw-rw-; anyone should be able to edit the file. If you chmod o-rw to -rw-rw----, only you and members of your group will be able to edit it. If you chmod g-rw to -rw-------, only you can edit the file. If you chmod u-w to -r--------, only you can view the document, but you cannot change it or delete it.
Try some similar experiments with a directory. Anyone can read, write (create new files), or search in a directory with a privilege string of drwxrwxrwx. A more typical string for a directory would be drwxrwxr-x, indicating that you and your group have full access, while other users can only read and search. A very secured directory might be set up as dr--------, allowing only the owner to read the directory.

Posted by Appleman at 4:57 AM  

Labels: , , ,

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)