This chapter describes the procedures for securing files. This is a list of the step-by-step instructions in this chapter.
This section describes file security concepts and terminology needed to understand file security.
For each file, there are three classes of users:
The file or directory owner--usually the user who created the file. The owner of a file can decide who has the right to read it, to write to it (make changes to it), or, if it is a command, to execute it.
Members of a group.
All others who are not the file or group owner.
Only the owner of the file or root can assign or modify file permissions.
Table 51-1 lists and describes the file permissions.
Table 51-1 File Permissions

| Symbol | Permission | Means Designated Users ... |
|---|---|---|
| r | Read | Can open and read the contents of a file. |
| w | Write | Can write to the file (modify its contents), add to it, or delete it. |
| x | Execute | Can execute the file (if it is a program or shell script), or run it with one of the exec(1) system calls. |
| - | Denied | Cannot read, write, or execute the file. |
These file permissions apply to special files such as devices, sockets, and named pipes (FIFOs), as they do to regular files.
For a symbolic link, the permissions that apply are those of the file the link points to.
Table 51-2 lists and describes the directory permissions.

Table 51-2 Directory Permissions

| Symbol | Permission | Means Designated Users Can ... |
|---|---|---|
| r | Read | List files in the directory. |
| w | Write | Add or remove files or links in the directory. |
| x | Execute | Open or execute files in the directory. Also can make the directory and the directories beneath it current. |
You can protect the files in a directory (and in its subdirectories) by disallowing access to that directory. Note, however, that superuser has access to all files and directories on the system.
When you create a file or directory, it has a default set of permissions. These default permissions are determined by the value of umask in the system file /etc/profile, or in your .cshrc or .login file. By default, the system sets the permissions on a text file to 666, granting read and write permission to user, group, and others, and to 777 on a directory or executable file.
The value assigned by umask is subtracted from the default. This has the effect of denying permissions in the same way that chmod grants them. For example, while the command chmod 022 grants write permission to group and others, umask 022 denies write permission for group and others.
Table 51-3 shows some typical umask settings, and the effect on an executable file.

Table 51-3 umask Settings for Different Security Levels

| Level of Security | umask | Disallows |
|---|---|---|
| Permissive (744) | 022 | w for group and others |
| Moderate (740) | 027 | w for group, rwx for others |
| Moderate (741) | 026 | w for group, rw for others |
| Severe (700) | 077 | rwx for group and others |
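The following is an added example, not code from the Solaris guide. It applies a umask the way the system does (clearing the masked bits from the default mode) and contrasts that with a literal octal subtraction, which gives a wrong answer whenever a masked bit is already clear. Applied to the 777 executable default, the umask values of Table 51-3 yield 755, 750, 751 and 700, which is what the Disallows column describes.

```python
# Added example, not from the Solaris guide: umask clears permission bits from the
# default mode (bitwise AND with the complement of the mask); reading "subtracted"
# as octal subtraction gives the wrong answer, as octal_subtract() shows.
from typing import Dict

DEFAULT_FILE = 0o666   # default for a text file, per the guide
DEFAULT_EXEC = 0o777   # default for a directory or executable file, per the guide

def apply_umask(default: int, umask: int) -> int:
    """Mode that results when a file with this default is created under this umask."""
    return default & ~umask & 0o777

def octal_subtract(default: int, umask: int) -> int:
    """What a literal subtraction would give; wrong whenever a masked bit is already clear."""
    return default - umask

def to_symbolic(mode: int) -> str:
    """Render a 9-bit mode as the rwxrwxrwx string ls -l prints (type column omitted)."""
    return "".join(ch if mode & (0o400 >> i) else "-" for i, ch in enumerate("rwxrwxrwx"))

def disallowed(umask: int) -> Dict[str, str]:
    """Which permissions a umask denies to user, group and others (Table 51-3's last column)."""
    out = {}
    for who, shift in (("user", 6), ("group", 3), ("others", 0)):
        triplet = (umask >> shift) & 0o7
        out[who] = "".join(c for c, bit in (("r", 4), ("w", 2), ("x", 1)) if triplet & bit)
    return out

if __name__ == "__main__":
    # the umask values of Table 51-3 applied to the executable default
    for umask in (0o022, 0o027, 0o026, 0o077):
        mode = apply_umask(DEFAULT_EXEC, umask)
        print(f"umask {umask:03o}: {mode:03o} {to_symbolic(mode)} denies {disallowed(umask)}")
    # 666 with umask 027: masking gives 640, octal subtraction would claim 637
    print(f"{apply_umask(DEFAULT_FILE, 0o027):o} vs {octal_subtract(DEFAULT_FILE, 0o027):o}")
```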
A file can be one of six types. Table 51-4 lists the possible file types.

Table 51-4 File Types

| Symbol | Type |
|---|---|
| - | Text or program |
| d | Directory |
| b | Block special file |
| c | Character special file |
| p | Named pipe (FIFO) |
| l | Symbolic link |
This section describes how to display file information.
Display information about all the files in a directory by using the ls command.
```
$ ls -la
```

| Option | Description |
|---|---|
| -l | Displays the long format. |
| -a | Displays all files, including hidden files that begin with a dot (.). |
Each line in the display has the following information about a file:
Type of file and its permissions
Number of hard links
Owner of the file
Group of the file
Size of the file, in bytes
Date the file was created or the last date it was changed
Name of the file
The following example displays a partial list of the files in the /sbin directory.

```
$ cd /sbin
$ ls -la
total 5980
drwxrwxr-x   2 root     sys          512 May  1  1996 ./
drwxr-xr-x  33 root     root        1024 Sep  5 14:42 ../
-r-xr-xr-x   1 bin      bin       118840 Oct 25  1995 autopush*
lrwxrwxrwx   1 root     root          21 May  1  1996 bpgetfile -> ...
-r-xr-xr-x   1 bin      bin       515272 Oct 25  1995 hostconfig*
-r-xr-xr-x   1 bin      bin       569792 Oct 25  1995 ifconfig*
-r-xr-xr-x   1 root     sys       246688 Oct 25  1995 init*
-r-xr-xr-x   2 bin      root      189364 Oct 25  1995 jsh*
-r-xr-xr-x   1 bin      bin       161140 Oct 25  1995 mount*
-r-xr-xr-x   1 root     sys         6908 Jan  1  1970 mountall*
.
.
.
```
This section describes how to change the ownership of a file.
If you are not the owner of the file or directory, become superuser.
Only the current owner or superuser can use the chown command to change the owner of a file or directory.
Change the owner of a file by using the chown command.
```
$ chown newowner filename
```

| Argument | Description |
|---|---|
| newowner | Name of the new owner of the file or directory. |
| filename | File or directory. |
Verify that the owner of the file has changed.

```
$ ls -l filename
```
The following example sets the ownership on myfile to the user rimmer.

```
$ chown rimmer myfile
$ ls -l myfile
-rw-r--r--   1 rimmer   scifi     112640 May 24 10:49 myfile
```
If you are not the owner of the file or directory, become superuser.
Only the current owner or superuser can use the chgrp command to change the group of a file or directory.
Change the group owner of a file by using the chgrp command.
```
$ chgrp group filename
```

| Argument | Description |
|---|---|
| group | Name of the new group of the file or directory. |
| filename | File or directory. |
Verify that the group owner of the file has changed.

```
$ ls -l filename
```
The following example sets the group ownership on myfile to the group scifi.

```
$ chgrp scifi myfile
$ ls -l myfile
-rwxrw----   1 rimmer   scifi      12985 Nov 12 16:28 myfile
```
The chmod command enables you to change the permissions on a file. You must be superuser or the owner of a file or directory to change its permissions.
You can use the chmod command to set permissions in either of two modes:
Absolute Mode - Use numbers to represent file permissions (the method most commonly used to set permissions). When you change permissions by using the absolute mode, represent permissions for each triplet by an octal mode number.
Symbolic Mode - Use combinations of letters and symbols to add or remove permissions.
Table 51-5 lists the octal values for setting file permissions in absolute mode.

Table 51-5 Setting File Permissions in Absolute Mode

| Octal Value | File Permissions Set | Permissions Description |
|---|---|---|
| 0 | --- | No permissions |
| 1 | --x | Execute permission only |
| 2 | -w- | Write permission only |
| 3 | -wx | Write and execute permissions |
| 4 | r-- | Read permission only |
| 5 | r-x | Read and execute permissions |
| 6 | rw- | Read and write permissions |
| 7 | rwx | Read, write, and execute permissions |
Table 51-6 lists the symbols for setting file permissions in symbolic mode. Symbols can specify whose permissions are to be set or changed, the operation to be performed, or the permissions being assigned or changed.
Table 51-6 Setting File Permissions in Symbolic Mode

| Symbol | Function | Description |
|---|---|---|
| u | Who | User (owner) |
| g | Who | Group |
| o | Who | Others |
| a | Who | All |
| = | Operation | Assign |
| + | Operation | Add |
| - | Operation | Remove |
| r | Permission | Read |
| w | Permission | Write |
| x | Permission | Execute |
| l | Permission | Mandatory locking, setgid bit is on, group execution bit is off |
| s | Permission | setuid or setgid bit is on |
| S | Permission | suid bit is on, user execution bit is off |
| t | Permission | Sticky bit is on, execution bit for others is on |
| T | Permission | Sticky bit is on, execution bit for others is off |
The who, operator, and permission designations in the Function column of Table 51-6 specify the symbols that change the permissions on the file or directory:

| Designation | Description |
|---|---|
| who | Specifies whose permissions are changed. |
| operator | Specifies the operation to perform. |
| permissions | Specifies what permissions are changed. |
If you are not the owner of the file or directory, become superuser.
Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.
Change permissions in absolute mode by using the chmod command.
```
$ chmod nnn filename
```

| Argument | Description |
|---|---|
| nnn | Specifies the octal values that change permissions on the file or directory. See Table 51-5 for the list of valid octal values. |
| filename | File or directory. |
Verify that the permissions of the file have changed.

```
$ ls -l filename
```
The following example sets rwxr-xr-x permissions on myfile.

```
$ chmod 755 myfile
$ ls -l myfile
-rwxr-xr-x   1 kryten   staff       6144 May 24 10:49 myfile
```
If you are not the owner of the file or directory, become superuser.
Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.
Change permissions in symbolic mode by using the chmod command.
```
$ chmod who operator permission filename
```

| Argument | Description |
|---|---|
| who operator permission | who specifies whose permissions are changed, operator specifies the operation to perform, and permission specifies what permissions are changed; the three are written together without spaces, as in o-r. See Table 51-6 for the list of valid symbols. |
| filename | File or directory. |
Verify that the permissions of the file have changed.

```
$ ls -l filename
```
The following example takes away read permission from others.
```
$ chmod o-r filea
```
The following example adds read and execute permissions for user, group, and others.
```
$ chmod a+rx fileb
```
The following example assigns read, write, and execute permissions to group.
```
$ chmod g=rwx filec
```
Three special types of permissions are available for executable files and public directories. When these permissions are set, any user who runs that executable file assumes the permissions of the owner (or group) of the executable file.
You must be extremely careful when setting special permissions, because special permissions constitute a security risk. For example, a user can gain superuser permission by executing a program that sets the user ID to root.
You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. See "How to Find Files With setuid Permissions" to search for the file systems and print out a list of all programs using these permissions. A suspicious listing would be one that grants ownership of such a program to a user rather than to bin or sys. Only superuser can set these permissions.
When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who created the process. This allows a user to access files and directories that are normally only available to the owner. For example, the setuid permission on the passwd command makes it possible for a user to change passwords, assuming the permissions of the root ID:
```
-r-sr-sr-x   1 root     sys        10332 May  3 08:23 /usr/bin/passwd
```
This presents a security risk, because some determined users can find a way to maintain the permissions granted to them by the setuid process even after the process has finished executing.
Using setuid permissions with the reserved UIDs (0-99) from a program may not set the effective UID correctly. Use a shell script instead or avoid using the reserved UIDs with setuid permissions.
The set-group identification (setgid) permission is similar to setuid, except that the process's effective group ID (GID) is changed to the group owner of the file, and a user is granted access based on permissions granted to that group. The /usr/bin/mail program has setgid permissions:
```
-r-x--s--x   1 bin      mail       62504 May  3 07:58 /usr/bin/mail
```
When setgid permission is applied to a directory, files created in this directory belong to the group the directory belongs to, not the group the creating process belongs to. Any user who has write permission in the directory can create a file there--however, the file will not belong to the group of the user, but will belong to the group of the directory.
The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root. This prevents a user from deleting other users' files from public directories such as uucppublic:
```
drwxrwxrwt   2 uucp     uucp         512 May 24 09:48 /var/spool/uucppublic
```
Be sure to set the sticky bit manually when you set up a public directory on a TMPFS file system.
You can set special permissions on a file in absolute or symbolic modes. In absolute mode, you set special permissions by adding a new octal value to the left of the permission triplet. Table 51-7 lists the octal values to set special permissions on a file.
Table 51-7 Setting Special Permissions in Absolute Mode

| Octal Value | Special Permissions Set |
|---|---|
| 1 | Sticky bit |
| 2 | setgid |
| 4 | setuid |
Table 51-6 lists the symbols to change the special permissions in symbolic mode.
If you are not the owner of the file or directory, become superuser.
Only the current owner or superuser can use the chmod command to change the special permissions on a file or directory.
Change special permissions in absolute mode by using the chmod command.
```
$ chmod nnnn filename
```

| Argument | Description |
|---|---|
| nnnn | Specifies the octal values that change the permissions on the file or directory. The first octal value on the left sets the special permissions on the file. See Table 51-7 for the list of valid octal values for the special permissions. |
| filename | File or directory. |
Verify that the permissions of the file have changed.

```
$ ls -l filename
```
The following example sets setuid permission on the dbprog file.

```
$ chmod 4555 dbprog
$ ls -l dbprog
-r-sr-xr-x   1 db       staff      12095 May  6 09:29 dbprog
```
The following example sets setgid permission on the dbprog2 file.

```
$ chmod 2551 dbprog2
$ ls -l dbprog2
-r-xr-s--x   1 db       staff      24576 May  6 09:30 dbprog2
```
The following example sets sticky bit permission on the pubdir directory.

```
$ chmod 1777 pubdir
```
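As an added example (not the guide's own code), the following applies chmod symbolic clauses built from the symbols in Table 51-6 to a mode and renders the result the way ls -l shows it, so it covers both the symbolic-mode examples above (o-r, a+rx, g=rwx) and the special permissions set in absolute mode (4555, 2551, 1777). Two details are assumptions about chmod rather than statements from the guide: the = operator replaces only the rwx bits of the named class, and t is accepted with an empty who or with o/a.

```python
# Added example, not from the Solaris guide: apply symbolic-mode clauses and
# render modes as ls -l prints them, including the s/S/l/t/T letters of Table 51-6.
import re

SETUID, SETGID, STICKY = 0o4000, 0o2000, 0o1000
WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
CLAUSE = re.compile(r"^([ugoa]*)([=+-])([rwxst]*)$")

def perm_bits(who: str, perms: str) -> int:
    """Bits named by a who/permission pair, e.g. ('go', 'w') -> 0o022, ('u', 's') -> setuid."""
    bits = 0
    for w in who or "a":            # an empty who means all classes
        mask = WHO_MASK[w]
        if "r" in perms:
            bits |= mask & 0o444
        if "w" in perms:
            bits |= mask & 0o222
        if "x" in perms:
            bits |= mask & 0o111
        if "s" in perms and w in "ua":
            bits |= SETUID
        if "s" in perms and w in "ga":
            bits |= SETGID
        if "t" in perms and w in "oa":   # assumption: sticky bit belongs to the o/a class
            bits |= STICKY
    return bits

def apply_clause(mode: int, clause: str) -> int:
    """Apply one who-operator-permission clause such as o-r, a+rx, g=rwx or u+s."""
    m = CLAUSE.match(clause)
    if m is None:
        raise ValueError(f"bad symbolic mode: {clause!r}")
    who, op, perms = m.groups()
    bits = perm_bits(who, perms)
    if op == "+":
        return mode | bits
    if op == "-":
        return mode & ~bits
    clear = 0                        # '=' replaces the class's rwx bits (assumption)
    for w in who or "a":
        clear |= WHO_MASK[w]
    return (mode & ~clear) | bits

def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a comma-separated clause list, e.g. 'u+s,go-w'."""
    for clause in spec.split(","):
        mode = apply_clause(mode, clause)
    return mode

def ls_mode(mode: int, is_dir: bool = False) -> str:
    """Render the mode as ls -l does, using the special-bit letters of Table 51-6."""
    out = ["d" if is_dir else "-"]
    for shift in (6, 3, 0):
        trip = (mode >> shift) & 0o7
        out.append("r" if trip & 4 else "-")
        out.append("w" if trip & 2 else "-")
        x = bool(trip & 1)
        if shift == 6 and mode & SETUID:
            out.append("s" if x else "S")
        elif shift == 3 and mode & SETGID:
            out.append("s" if x else "l")   # Solaris shows l: setgid on, group x off
        elif shift == 0 and mode & STICKY:
            out.append("t" if x else "T")
        else:
            out.append("x" if x else "-")
    return "".join(out)

if __name__ == "__main__":
    for start, spec in ((0o644, "o-r"), (0o600, "a+rx"), (0o644, "g=rwx"), (0o555, "u+s")):
        result = apply_symbolic(start, spec)
        print(f"chmod {spec:6} on {start:04o} -> {result:04o} {ls_mode(result)}")
```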
Find files with setuid permissions set by using the find command.
```
# find directory -user root -perm -4000 -exec ls -ldb {} \; > /tmp/filename
```
Display the results in /tmp/filename.
If you need background information about setuid permissions, see "setuid Permission".
```
# find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/ckprm
# cat /tmp/ckprm
-r-sr-xr-x   1 root   bin    38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x   1 root   bin    19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x   1 root   sys    46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x   1 root   sys    12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x   1 root   bin    33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x   1 root   bin    38696 Aug 10 15:55 /usr/lib/lpsched
---s--x---   1 root   rar    45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x   1 root   bin    12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x   1 root   sys    21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x   1 root   sys    23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x   1 root   sys    23824 Aug 11 01:27 /usr/bin/su
#
```
An unauthorized user (rar) has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. This means that rar can execute /usr/rar/bin/sh and become the privileged user. If you want to save this output for future reference, move the file out of the /tmp directory.
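The following added example (not part of the guide) reviews saved output of the setuid search from a defender's side: each ls -ldb line is parsed and flagged when its group is not one of the system groups the guide names, when its path lies outside the system directories, or when the file is writable by group or others, and a saved earlier run is used as a baseline so newly appeared setuid-root files stand out. The list of system directories is an assumption to adjust for your installation; the sample lines are constructed from the listing above.

```python
# Added example, not from the Solaris guide: audit ls -ldb output from the
# setuid search against a saved baseline.
import re
from typing import Dict, List, NamedTuple

class Entry(NamedTuple):
    mode: str
    owner: str
    group: str
    path: str

# fields: mode, links, owner, group, size, month, day, time-or-year, path
LINE = re.compile(
    r"^(?P<mode>[-dlbcp][rwxsStTl-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)
SYSTEM_GROUPS = {"bin", "sys", "root"}                                 # per the guide
SYSTEM_PREFIXES = ("/usr/bin/", "/usr/lib/", "/usr/sbin/", "/sbin/")  # assumption

def parse_line(line: str) -> Entry:
    m = LINE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised ls -ldb line: {line!r}")
    return Entry(m["mode"], m["owner"], m["group"], m["path"])

def reasons(e: Entry) -> List[str]:
    """Why a setuid-root entry deserves a closer look (empty if it looks normal)."""
    found = []
    if e.group not in SYSTEM_GROUPS:
        found.append(f"group {e.group} is not a system group")
    if not e.path.startswith(SYSTEM_PREFIXES):
        found.append("outside system directories")
    if e.mode[5] == "w" or e.mode[8] == "w":     # group / others write bit
        found.append("writable by group or others")
    return found

def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged."""
    result = {}
    for line in lines:
        e = parse_line(line)
        why = reasons(e)
        if why:
            result[e.path] = why
    return result

def new_since(baseline: List[str], current: List[str]) -> List[str]:
    """Paths in the current run that the saved baseline did not contain."""
    known = {parse_line(l).path for l in baseline}
    return [parse_line(l).path for l in current if parse_line(l).path not in known]

# Constructed sample: BASELINE is an earlier saved run; CURRENT gained one entry.
BASELINE = [
    "-r-sr-xr-x   1 root   bin    38836 Aug 10 16:16 /usr/bin/at",
    "---s--x--x   1 root   sys    46040 Aug 10 15:18 /usr/bin/ct",
    "-r-sr-xr-x   1 root   sys    12092 Aug 11 01:29 /usr/lib/mv_dir",
    "-rwsr-xr-x   1 root   sys    21780 Aug 11 01:27 /usr/bin/newgrp",
]
CURRENT = BASELINE + ["---s--x---   1 root   rar    45376 Aug 18 15:11 /usr/rar/bin/sh"]

if __name__ == "__main__":
    for path, why in audit(CURRENT).items():
        print(path, "->", "; ".join(why))
    print("new since baseline:", new_since(BASELINE, CURRENT))
```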
The traditional UNIX file protection provides read, write, and execute permissions for the three user classes: owner, group, and other. An ACL provides better file security by enabling you to define file permissions for the owner, owner's group, others, specific users and groups, and default permissions for each of those categories.
For example, assume you had a file that you wanted everyone in a group to be able to read. With that situation, you would give group read permissions on that file. Now, assume you wanted only one person in the group to be able to write to that file. Standard UNIX doesn't let you set that up. However, you could set up an ACL for that file to give only one person in the group write permissions on the file.
Table 51-8 lists the ACL commands that you can use on files or directories.
Table 51-8 ACL Commands

| Command | Description |
|---|---|
| setfacl(1) | Sets, adds, modifies, and deletes ACL entries |
| getfacl(1) | Displays ACL entries |
ACL entries are the way to define an ACL on a file, and they are set through the ACL commands. ACL entries consist of the following fields separated by colons:
```
entry_type:[uid|gid]:perms
```

In an ACL entry,

| Field | Description |
|---|---|
| entry_type | Type of ACL entry on which to set file permissions. For example, entry_type can be user (the owner of a file) or mask (the ACL mask). |
| uid | User name or identification number. |
| gid | Group name or identification number. |
| perms | Represents the permissions that are set on entry_type. perms can be indicated by the symbolic characters rwx or a number (the same permission numbers used with the chmod command). |
The following example shows an ACL entry that sets read/write permissions for the user nathan.

```
user:nathan:rw-
```
UFS file system attributes such as ACLs are supported in UFS file systems only. This means that if you restore or copy files with ACL entries into the /tmp directory, which is usually mounted as a TMPFS file system, the ACL entries will be lost. Use the /var/tmp directory for temporary storage of UFS files.
Table 51-9 lists the valid ACL entries. The first three ACL entries provide the basic UNIX file protection.
Table 51-9 ACL Entries for Files
In addition to the ACL entries described in Table 51-9, you can set default ACL entries on a directory that will apply to files created within the directory. Files created in a directory that has default ACL entries will have the same ACL entries as the default ACL entries. Table 51-10 lists the default ACL entries for directories.
When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the owner, owner's group, others, and the mask (these are required and are the first four default ACL entries in Table 51-10).
Table 51-10 Default ACL Entries for Directories
Set ACL entries on a file by using the setfacl command.
```
$ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl_entry_list filename ...
```

| Argument | Description |
|---|---|
| -s | Replaces the entire ACL with the new ACL entries, if an ACL already exists on the file. |
| user::perms | Specifies the owner's permissions. |
| group::perms | Specifies the permissions for the owner's group. |
| other:perms | Specifies the permissions for users other than the owner or members of the owner's group. |
| mask:perms | Specifies the permissions for the ACL mask. The mask indicates the maximum permissions allowed for users (other than the owner) and for groups. |
| acl_entry_list | The list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 51-9 and Table 51-10 show the valid ACL entries. |
| filename | File or directory on which to set the ACL entries. |
To verify that an ACL was set on the file, see "How to Check If a File Has an ACL". To verify which ACL entries were set on the file, use the getfacl command.
```
$ getfacl filename
```
If an ACL already exists on the file, the -s option will replace the entire ACL with the new ACL entries.
The following example sets the user permissions to read/write, group permissions to read only, and other permissions to none on the ch1.doc file. In addition, the user george is given read/write permissions on the file, and the ACL mask permissions are set to read/write, which means no user or group can have execute permissions.

```
$ setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:george:rw- ch1.doc
$ ls -l
total 124
-rw-r-----+  1 nathan   sysadmin   34816 Nov 11 14:16 ch1.doc
-rw-r--r--   1 nathan   sysadmin   20167 Nov 11 14:16 ch2.doc
-rw-r--r--   1 nathan   sysadmin    8192 Nov 11 14:16 notes
$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw-         #effective:rw-
group::r--              #effective:r--
mask:rw-
other:---
```
The following example sets the user permissions to read/write/execute, group permissions to read only, and other permissions to none on the ch2.doc file. In addition, users in the sysadmin group are given read/write permissions on the file, and the ACL mask permissions are set to read/write.

```
$ setfacl -s u::7,g::4,o:0,g:sysadmin:6,m:6 ch2.doc
$ getfacl ch2.doc
```
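The following is an added example, not code from the guide. It parses ACL entries in the entry_type:[uid|gid]:perms form described above (accepting both the rwx and the numeric perms, the long and the short entry_type names, and the default: prefix), computes the #effective: permissions that getfacl reports by applying the mask to the named-user, named-group and owning-group entries, and checks that an entry list for setfacl -s carries the required owner, group, other and mask entries. The sample entry lists are those of the two setfacl -s examples above.

```python
# Added example, not from the Solaris guide: parse ACL entries and compute the
# #effective: permissions that result from the ACL mask.
from typing import Dict, List, NamedTuple

class AclEntry(NamedTuple):
    default: bool   # True for a default: entry on a directory
    etype: str      # user, group, other or mask
    name: str       # uid/gid field; '' for the owner, owning group, other and mask
    perms: str      # always normalised to the rwx form

LONG = {"u": "user", "g": "group", "o": "other", "m": "mask", "d": "default"}

def norm_perms(p: str) -> str:
    """Accept rwx letters or the chmod-style digit and return the rwx form."""
    if p.isdigit():
        n = int(p)
        return ("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-")
    if len(p) == 3 and all(c in "rwx-" for c in p):
        return p
    raise ValueError(f"bad perms: {p!r}")

def parse_entry(text: str) -> AclEntry:
    """Parse entry_type:[uid|gid]:perms, optionally prefixed with default:."""
    parts = text.split(":")
    default = LONG.get(parts[0], parts[0]) == "default"
    if default:
        parts = parts[1:]
    etype = LONG.get(parts[0], parts[0])
    if etype in ("user", "group") and len(parts) == 3:
        return AclEntry(default, etype, parts[1], norm_perms(parts[2]))
    if etype in ("other", "mask") and len(parts) == 2:
        return AclEntry(default, etype, "", norm_perms(parts[1]))
    raise ValueError(f"bad ACL entry: {text!r}")

def parse_list(spec: str) -> List[AclEntry]:
    return [parse_entry(p.strip()) for p in spec.split(",") if p.strip()]

def effective(entries: List[AclEntry]) -> Dict[str, str]:
    """#effective: perms for named users, named groups and the owning group: the entry's
    perms ANDed with the mask. Owner, other and mask entries are not masked."""
    mask = next((e.perms for e in entries if e.etype == "mask" and not e.default), None)
    out = {}
    for e in entries:
        if e.default or e.etype not in ("user", "group") or (e.etype == "user" and not e.name):
            continue
        out[f"{e.etype}:{e.name}"] = e.perms if mask is None else "".join(
            a if a == b else "-" for a, b in zip(e.perms, mask))
    return out

def missing_base_entries(entries: List[AclEntry]) -> List[str]:
    """Base entries setfacl -s requires (also the first four default entries on a directory)."""
    present = {f"{e.etype}:{e.name}" for e in entries if not e.default}
    return sorted({"user:", "group:", "other:", "mask:"} - present)

def render(entries: List[AclEntry]) -> List[str]:
    """Lines in the layout getfacl prints."""
    eff = effective(entries)
    lines = []
    for e in entries:
        prefix = "default:" if e.default else ""
        if e.etype in ("user", "group"):
            key = f"{e.etype}:{e.name}"
            line = f"{prefix}{key}:{e.perms}"
            if not e.default and key in eff:
                line += f"\t#effective:{eff[key]}"
        else:
            line = f"{prefix}{e.etype}:{e.perms}"
        lines.append(line)
    return lines

if __name__ == "__main__":
    # the numeric form used for ch2.doc above
    for line in render(parse_list("u::7,g::4,o:0,g:sysadmin:6,m:6")):
        print(line)
```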
Check if a file has an ACL by using the ls command.
```
$ ls -l filename
```

| Argument | Description |
|---|---|
| filename | File or directory that you want to check. |
A + to the right of the mode field indicates the file has an ACL.
The following example shows that ch1.doc has an ACL.
```
$ ls -l ch1.doc
-rwxr-----+  1 nathan   sysadmin     167 Nov 11 11:13 ch1.doc
```
Add or modify ACL entries on a file by using the setfacl command.
```
$ setfacl -m acl_entry_list filename1 [filename2...]
```

| Argument | Description |
|---|---|
| -m | Modifies the existing ACL entry. |
| acl_entry_list | List of one or more ACL entries to add or modify on the file or directory. You can also add or modify default ACL entries on a directory. Table 51-9 and Table 51-10 show the valid ACL entries. |
| filename ... | File or directory on which to add or modify ACL entries. |
To verify that the ACL entries were added or modified on the file, use the getfacl command.
```
$ getfacl filename
```
The following example adds read/write permissions for the user george on the ch3.doc file.
```
$ setfacl -m user:george:6 ch3.doc
$ getfacl ch3.doc
# file: ch3.doc
# owner: george
# group: staff
user::rw-
user:george:rw-         #effective:r--
group::r--              #effective:r--
mask:r--
other:r--
```
The following example adds default ACL entries for the book directory, which already has a default entry specified for the owner of the directory, for the group owner of the directory, and for others. The users in the staff group are given read permissions and the required default mask is set to read/write.
```
$ setfacl -m default:group:staff:4,default:mask:6 book
$ getfacl book
```
Delete ACL entries from a file by using the setfacl command.
```
$ setfacl -d acl_entry_list filename1 ...
```

| Argument | Description |
|---|---|
| -d | Deletes the specified ACL entries. |
| acl_entry_list | List of ACL entries (without specifying the permissions) to delete from the file or directory. You can only delete ACL entries and default ACL entries for specific users and groups. Table 51-9 and Table 51-10 show the valid ACL entries. |
| filename ... | File or directory from which to delete the ACL entries. |
Alternately, you can use the setfacl -s command to delete all the ACL entries on a file and replace them with the new ACL entries specified.
To verify that the ACL entries were deleted from the file, use the getfacl command.
```
$ getfacl filename
```
The following example deletes read permission for the user nigel on the ch4.doc file.
```
$ setfacl -d user:nigel:4 ch4.doc
$ getfacl ch4.doc
# file: ch4.doc
# owner: nigel
# group: staff
user::r--
group::r--              #effective:r--
other:r--
```
Display ACL entries for a file by using the getfacl command.
```
$ getfacl [-a | -d] filename1 ...
```

| Argument | Description |
|---|---|
| -a | Displays the file name, owner, group, and ACL entries for the specified file or directory. |
| -d | Displays the file name, owner, group, and default ACL entries for the specified directory. |
| filename ... | File or directory for which to display the ACL entries. |
If you specify multiple file names on the command line, the ACL entries are separated by a blank line.
The following example shows all the ACL entries for the ch1.doc file. The #effective: note beside the user and group entries indicates what the permissions are after being modified by the ACL mask.
```
$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw-         #effective:rw-
group::r--              #effective:r--
mask:rw-
other:---
```
The following example shows the default ACL entries for the book directory.
```
$ getfacl -d book
# file: book
# owner: nathan
# group: sysadmin
default:user::rw-
default:user:george:r--
default:group::rw-
default:mask:rw-
default:other:r--
```