| Skip Navigation Links | |
| Exit Print View | |
|
System Administration Guide: Security Services Oracle Solaris 10 8/11 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
System Administration Guide: Security Services Oracle Solaris 10 8/11 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
Using UNIX Permissions to Protect Files
Commands for Viewing and Securing Files
Special File Permissions (setuid, setgid and Sticky Bit)
Using Access Control Lists to Protect UFS Files
ACL Entries for UFS Directories
Commands for Administering UFS ACLs
Preventing Executable Files From Compromising Security
Protecting Files With UNIX Permissions (Task Map)
How to Display File Information
How to Change the Owner of a Local File
How to Change Group Ownership of a File
How to Change File Permissions in Symbolic Mode
Protecting UFS Files With ACLs (Task Map)
How to Check if a File Has an ACL
How to Add ACL Entries to a File
How to Change ACL Entries on a File
How to Delete ACL Entries From a File
How to Display ACL Entries for a File
Protecting Against Programs With Security Risk (Task Map)
How to Find Files With Special File Permissions
How to Disable Programs From Using Executable Stacks
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Oracle Solaris Secure Shell (Tasks)
20. Oracle Solaris Secure Shell (Reference)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Oracle Solaris Auditing
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
The following task map points to procedures that list file permissions, change file permissions, and protect files with special file permissions.
|
Display information about all the files in a directory by using the ls command.
% ls -la
Displays the long format that includes user ownership, group ownership, and file permissions.
Displays all files, including hidden files that begin with a dot (.).
Example 6-1 Displaying File Information
In the following example, a partial list of the files in the /sbin directory is displayed.
% cd /sbin % ls -la total 13456 drwxr-xr-x 2 root sys 512 Sep 1 14:11 . drwxr-xr-x 29 root root 1024 Sep 1 15:40 .. -r-xr-xr-x 1 root bin 218188 Aug 18 15:17 autopush lrwxrwxrwx 1 root root 21 Sep 1 14:11 bpgetfile -> ... -r-xr-xr-x 1 root bin 505556 Aug 20 13:24 dhcpagent -r-xr-xr-x 1 root bin 456064 Aug 20 13:25 dhcpinfo -r-xr-xr-x 1 root bin 272360 Aug 18 15:19 fdisk -r-xr-xr-x 1 root bin 824728 Aug 20 13:29 hostconfig -r-xr-xr-x 1 root bin 603528 Aug 20 13:21 ifconfig -r-xr-xr-x 1 root sys 556008 Aug 20 13:21 init -r-xr-xr-x 2 root root 274020 Aug 18 15:28 jsh -r-xr-xr-x 1 root bin 238736 Aug 21 19:46 mount -r-xr-xr-x 1 root sys 7696 Aug 18 15:20 mountall . . .
Each line displays information about a file in the following order:
Type of file – For example, d. For list of file types, see File and Directory Ownership.
Permissions – For example, r-xr-xr-x. For description, see File and Directory Ownership.
Number of hard links – For example, 2.
Owner of the file – For example, root.
Group of the file – For example, bin.
Size of the file, in bytes – For example, 7696.
Date the file was created or the last date that the file was changed – For example, Aug 18 15:20.
Name of the file – For example, mountall.
The file owner the Primary Administrator role or superuser can change any file's ownership.
% ls -l example-file -rw-r--r-- 1 janedoe staff 112640 May 24 10:49 example-file
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
# chown stacey example-file
# ls -l example-file -rw-r--r-- 1 stacey staff 112640 May 26 08:50 example-file
Example 6-2 Enabling Users to Change the Ownership of Their Own Files
Security Consideration – You need a good reason to change the setting of the rstchown variable to zero. This setting enables a user to change the ownership of their files to another username.
In this example, the value of the rstchown variable is set to zero in the /etc/system file. This setting enables the owner of a file to use the chown command to change the file's ownership to another user. This setting also enables the owner to use the chgrp command to set the group ownership of a file to a group that the owner does not belong to. The change goes into effect when the system is rebooted.
set rstchown = 0
For more information, see the chown(1) and chgrp(1) man pages.
Also, be aware that NFS-mounted file systems have further restrictions on changing ownership and groups. For more information on restricting access to NFS-mounted systems, see Chapter 6, Accessing Network File Systems (Reference), in System Administration Guide: Network Services.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
$ chgrp scifi example-file
For information on setting up groups, see Chapter 4, Managing User Accounts and Groups (Overview), in System Administration Guide: Basic Administration.
$ ls -l example-file -rw-r--r-- 1 stacey scifi 112640 June 20 08:55 example-file
Also see Example 6-2.
Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.
% chmod who operator permissions filename
Specifies whose permissions are to be changed.
Specifies the operation to be performed.
Specifies what permissions are to be changed. For the list of valid symbols, see Table 6-5.
Specifies the file or directory.
% ls -l filename
Example 6-3 Changing Permissions in Symbolic Mode
In the following example, read permission is taken away from others.
% chmod o-r example-file1
In the following example, read and execute permissions are added for user, group, and others.
$ chmod a+rx example-file2
In the following example, read, write, and execute permissions are assigned to group.
$ chmod g=rwx example-file3
Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.
% chmod nnn filename
Specifies the octal values that represent the permissions for the file owner, file group, and others, in that order. For the list of valid octal values, see Table 6-4.
Specifies the file or directory.
Note - When you use the chmod command to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the permissions for other users and groups who have ACL entries on the file. Use the getfacl command to make sure that the appropriate permissions are set for all ACL entries. For more information, see the getfacl(1) man page.
% ls -l filename
Example 6-4 Changing Permissions in Absolute Mode
In the following example, the permissions of a public directory are changed from 744 (read, write, execute; read-only; and read-only) to 755 (read, write, execute; read and execute; and read and execute).
# ls -ld public_dir drwxr--r-- 1 jdoe staff 6023 Aug 5 12:06 public_dir # chmod 755 public_dir # ls -ld public_dir drwxr-xr-x 1 jdoe staff 6023 Aug 5 12:06 public_dir
In the following example, the permissions of an executable shell script are changed from read and write to read, write, and execute.
% ls -l my_script -rw------- 1 jdoe staff 6023 Aug 5 12:06 my_script % chmod 700 my_script % ls -l my_script -rwx------ 1 jdoe staff 6023 Aug 5 12:06 my_script
Only the current owner or a user with superuser capabilities can use the chmod command to change the special permissions on a file or directory.
% chmod nnnn filename
Specifies the octal values that change the permissions on the file or directory. The leftmost octal value sets the special permissions on the file. For the list of valid octal values for special permissions, see Table 6-6.
Specifies the file or directory.
Note - When you use the chmod command to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the permissions for additional users and groups who have ACL entries on the file. Use the getfacl command to make sure that the appropriate permissions are set for all ACL entries. For more information, see the getfacl(1) man page.
% ls -l filename
Example 6-5 Setting Special File Permissions in Absolute Mode
In the following example, the setuid permission is set on the dbprog file.
# chmod 4555 dbprog # ls -l dbprog -r-sr-xr-x 1 db staff 12095 May 6 09:29 dbprog
In the following example, the setgid permission is set on the dbprog2 file.
# chmod 2551 dbprog2 # ls -l dbprog2 -r-xr-s--x 1 db staff 24576 May 6 09:30 dbprog2
In the following example, the sticky bit permission is set on the public_dir directory.
# chmod 1777 public_dir # ls -ld public_dir drwxrwxrwt 2 jdoe staff 512 May 15 15:27 public_dir
|