Chapter 51 Securing Files (Tasks)

This chapter describes the procedures for securing files. This is a list of the step-by-step instructions in this chapter.

• "How to Display File Information"

• "How to Change the Owner of a File"

• "How to Change Group Ownership of a File"

• "How to Change Permissions in Absolute Mode"

• "How to Change Permissions in Symbolic Mode"

• "How to Set Special Permissions in Absolute Mode"

• "How to Find Files With setuid Permissions"

• "How to Set ACL Entries on a File"

• "How to Check If a File Has an ACL"

• "How to Add or Modify ACL Entries on a File"

• "How to Delete ACL Entries From a File"

• "How to Display ACL Entries for a File"

Introducing File Security

This section describes file security concepts and terminology needed to understand file security.

User Classes

For each file, there are three classes of users:

• The file or directory owner--usually the user who created the file. The owner of a file can decide who has the right to read it, to write to it (make changes to it), or, if it is a command, to execute it.

• Members of a group.

• All others who are not the file or group owner.

Only the owner of the file or root can assign or modify file permissions.

File Permissions

Table 51-1 lists and describes the file permissions.

These file permissions apply to special files such as devices, sockets, and named pipes (FIFOs), as they do to regular files.

For a symbolic link, the permissions that apply are those of the file the link points to.

Directory Permissions

Table 51-2 lists and describes the directory permissions.

You can protect the files in a directory (and in its subdirectories) by disallowing access to that directory. Note, however, that superuser has access to all files and directories on the system.

Default umask

When you create a file or directory, it has a default set of permissions. These default permissions are determined by the value of umask in the system file /etc/profile, or in your .cshrc or .login file. By default, the system sets the permissions on a text file to 666, granting read and write permission to user, group, and others, and to 777 on a directory or executable file.

The value assigned by umask is subtracted from the default. This has the effect of denying permissions in the same way that chmod grants them. For example, while the command chmod 022 grants write permission to group and others, umask 022 denies write permission for group and others.

Table 51-3 shows some typical umask settings, and the effect on an executable file.

File Types

A file can be one of six types. Table 51-4 lists the possible file types.

Displaying File Information

This section describes how to display file information.

How to Display File Information

Display information about all the files in a directory by using the ls command.

$ ls -la

Each line in the display has the following information about a file:

• Type of file and its permissions

• Number of hard links

• Owner of the file

• Group of the file

• Size of the file, in bytes

• Date the file was created or the last date it was changed

• Name of the file

Example--Displaying File Information

The following example displays the partial list of the files in the /sbin directory.

$ cd /sbin
$ ls -la
total 5980
drwxrwxr-x   2 root  sys       512 May  1  1996 ./
drwxr-xr-x  33 root  root     1024 Sep  5 14:42 ../
-r-xr-xr-x   1 bin   bin    118840 Oct 25  1995 autopush*
lrwxrwxrwx   1 root  root       21 May  1  1996 bpgetfile -> ...
-r-xr-xr-x   1 bin   bin    515272 Oct 25  1995 hostconfig*
-r-xr-xr-x   1 bin   bin    569792 Oct 25  1995 ifconfig*
-r-xr-xr-x   1 root  sys    246688 Oct 25  1995 init*
-r-xr-xr-x   2 bin   root   189364 Oct 25  1995 jsh*
-r-xr-xr-x   1 bin   bin    161140 Oct 25  1995 mount*
-r-xr-xr-x   1 root  sys      6908 Jan  1  1970 mountall*
.
.
.

Changing File Ownership

This section describes how to change the ownership of a file.

How to Change the Owner of a File

1. If you are not the owner of the file or directory, become superuser.

   Only the current owner or superuser can use the chown command to change the owner of a file or directory.

2. Change the owner of a file by using the chown command.

   $ chown newowner filename

   newowner	Name of the new owner of the file or directory.
   filename	File or directory.

3. Verify the owner of the file is changed.

   $ ls -l filename

Example--Changing the Owner of a File

The following example sets the ownership on myfile to the user rimmer.

$ chown rimmer myfile
$ ls -l myfile
-rw-r--r--   1 rimmer   scifi   112640 May 24 10:49 myfile

How to Change Group Ownership of a File

1. If you are not the owner of the file or directory, become superuser.

   Only the current owner or superuser can use the chgrp command to change the group of a file or directory.

2. Change the group owner of a file by using the chgrp command.

   $ chgrp group filename

   group	Name of the new group of the file or directory.
   filename	File or directory.

3. Verify the group owner of the file is changed.

   $ ls -l filename

Example--Changing Group Ownership of a File

The following example sets the group ownership on myfile to the group scifi.

$ chgrp scifi myfile
$ ls -l myfile
-rwxrw-- 1 rimmer scifi 12985 Nov 12 16:28 myfile
 

Changing File Permissions

The chmod command enables you to change the permissions on a file. You must be superuser or the owner of a file or directory to change its permissions.

You can use the chmod command to set permissions in either of two modes:

• Absolute Mode - Use numbers to represent file permissions (the method most commonly used to set permissions). When you change permissions by using the absolute mode, represent permissions for each triplet by an octal mode number.

• Symbolic Mode - Use combinations of letters and symbols to add or remove permissions.

Table 51-5 lists the octal values for setting file permissions in absolute mode.

Table 51-6 lists the symbols for setting file permissions in symbolic mode. Symbols can specify whose permissions are to be set or changed, the operation to be performed, or the permissions being assigned or changed.

The who operator permission designations in the function column specifies the symbols that change the permissions on the file or directory.

How to Change Permissions in Absolute Mode

1. If you are not the owner of the file or directory, become superuser.

   Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.

2. Change permissions in absolute mode by using the chmod command.

   $ chmod nnn filename

   nnn	Specifies the octal values that change permissions on the file or directory. See Table 51-5 for the list of valid octal values.
   filename	File or directory.

3. Verify the permissions of the file have changed.

   $ ls -l filename

Example--Changing Permissions in Absolute Mode

The following example sets rwxr-xr-x permissions on myfile.

$ chmod 755 myfile
$ ls -l myfile
-rwxr-xr-x   1 kryten   staff   6144 May 24 10:49 myfile

How to Change Permissions in Symbolic Mode

1. If you are not the owner of the file or directory, become superuser.

   Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.

2. Change permissions in symbolic mode by using the chmod command.

   $ chmod who operator permission filename

   who operator permission	who specifies whose permissions are changed, operator specifies the operation to perform, and permission specifies what permissions are changed. See Table 51-6 for the list of valid symbols.
   filename	Is the file or directory.

3. Verify the permissions of the file have changed.

   $ ls -l filename

Examples--Changing Permissions in Symbolic Mode

The following example takes away read permission from others.

$ chmod o-r filea

The following example adds read and execute permissions for user, group, and others.

$ chmod a+rx fileb

The following example assigns read, write, and execute permissions to group.

$ chmod g=rwx filec
 

Using Special File Permissions (setuid, setgid and Sticky Bit)

Three special types of permissions are available for executable files and public directories. When these permissions are set, any user who runs that executable file assumes the permissions of the owner (or group) of the executable file.

You must be extremely careful when setting special permissions, because special permissions constitute a security risk. For example, a user can gain superuser permission by executing a program that sets the user ID to root.

You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. See "How to Find Files With setuid Permissions" to search for the file systems and print out a list of all programs using these permissions. A suspicious listing would be one that grants ownership of such a program to a user rather than to bin or sys. Only superuser can set these permissions.

setuid Permission

When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who created the process. This allows a user to access files and directories that are normally only available to the owner. For example, the setuid permission on the passwd command makes it possible for a user to change passwords, assuming the permissions of the root ID:

-r-sr-sr-x   1 root     sys    10332 May  3 08:23 /usr/bin/passwd

This presents a security risk, because some determined users can find a way to maintain the permissions granted to them by the setuid process even after the process has finished executing.

Using setuid permissions with the reserved UIDs (0-99) from a program may not set the effective UID correctly. Use a shell script instead or avoid using the reserved UIDs with setuid permissions.

setgid Permission

The set-group identification (setgid) permission is similar to setuid, except that the process's effective group ID (GID) is changed to the group owner of the file, and a user is granted access based on permissions granted to that group. The /usr/bin/mail program has setgid permissions:

-r-x--s--x   1 bin      mail       62504 May  3 07:58 /usr/bin/mail

When setgid permission is applied to a directory, files created in this directory belong to the group the directory belongs to, not the group the creating process belongs to. Any user who has write permission in the directory can create a file there--however, the file will not belong to the group of the user, but will belong to the group of the directory.

You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. See "How to Find Files With setuid Permissions" to search for the file systems and print out a list of all programs using these permissions. A suspicious listing would be one that grants ownership of such a program to a user rather than to bin or sys. Only superuser can set these permissions.

Sticky Bit

The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root. This prevents a user from deleting other users' files from public directories such as uucppublic:

drwxrwxrwt   2 uucp   uucp   512 May 24 09:48 /var/spool/uucppublic

Be sure to set the sticky bit manually when you set up a public directory on a TMPFS file system.

Setting and Searching for Special Permissions

You can set special permissions on a file in absolute or symbolic modes. In absolute mode, you set special permissions by adding a new octal value to the left of the permission triplet. Table 51-7 lists the octal values to set special permissions on a file.

Table 51-6 lists the symbols to change the special permissions in symbolic mode.

How to Set Special Permissions in Absolute Mode

1. If you are not the owner of the file or directory, become superuser.

   Only the current owner or superuser can use the chmod command to change the special permissions on a file or directory.

2. Change special permissions in absolute mode by using the chmod command.

   $ chmod nnnn filename

   nnnn	Specifies the octal values that change the permissions on the file or directory. The first octal value on the left sets the special permissions on the file. See Table 51-7for the list of valid octal values for the special permissions.
   filename	Is the file or directory.

3. Verify the permissions of the file have changed.

   $ ls -l filename

Examples--Setting Special Permissions in Absolute Mode

The following example sets setuid permission on the dbprog file.

$ chmod 4555 dbprog
$ ls -l dbprog
-r-sr-xr-x   1 db     staff        12095 May  6 09:29 dbprog

The following example sets setgid permission on the dbprog2 file.

$ chmod 2551 dbprog2
$ ls -l dbprog2
-r-xr-s--x   1 db     staff       24576 May  6 09:30 dbprog2

The following example sets sticky bit permission on the pubdir directory.

$ chmod 1777 pubdir
 

How to Find Files With setuid Permissions

1. Become superuser.

2. Find files with setuid permissions set by using the find command.

   # find directory -user root -perm -4000 -exec ls -ldb {}\; >/tmp/filename

   find directory	Checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail.
   -user root	Displays files only owned by root.
   -perm -4000	Displays files only with permissions set to 4000.
   -exec ls -ldb	Displays the output of the find command in ls -ldb format.
   >/tmp/filename	Writes results to this file.

3. Display the results in /tmp/filename.

   If you need background information about setuid permissions, see "setuid Permission".

Example--Finding Files With setuid Permissions

# find / -user root -perm -4000 -exec ls -ldb { }\; > /tmp/ckprm 
	# cat /tmp/ckprm 
	-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
	-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
	---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
	-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
	-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
	-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
	---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
	-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
	-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
	-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
	-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
	#

An unauthorized user (rar) has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. This means that rar can execute /usr/rar/bin/sh and become the privileged user. If you want to save this output for future reference, move the file out of the /tmp directory.

Using Access Control Lists (ACLs)

The traditional UNIX file protection provides read, write, and execute permissions for the three user classes: owner, group, and other. An ACL provides better file security by enabling you to define file permissions for the owner, owner's group, others, specific users and groups, and default permissions for each of those categories.

For example, assume you had a file that you wanted everyone in a group to be able to read. With that situation, you would give group read permissions on that file. Now, assume you wanted only one person in the group to be able to write to that file. Standard UNIX doesn't let you set that up. However, you could set up an ACL for that file to give only one person in the group write permissions on the file.

Table 51-8 lists the ACL commands that you can use on files or directories.

ACL entries are the way to define an ACL on a file, and they are set through the ACL commands. ACL entries consist of the following fields separated by colons:

entry_type:[uid|gid]:perms

In an ACL entry,

The following example shows an ACL entry that sets read/write permissions for the user nathan.

user:nathan:rw-

UFS file system attributes such as ACLs are supported in UFS file systems only. This means that if you restore or copy files with ACL entries into the /tmp directory, which is usually mounted as a TMPFS file system, the ACL entries will be lost. Use the /var/tmp directory for temporary storage of UFS files.

ACL Entries for Files

Table 51-9 lists the valid ACL entries. The first three ACL entries provide the basic UNIX file protection.

u[ser]::perms 

g[roup]::perms 

o[ther]:perms 

m[ask]:perms 

u[ser]:uid:perms

g[roup]:gid:perms

ACL Entries for Directories

In addition to the ACL entries described in Table 51-9, you can set default ACL entries on a directory that will apply to files created within the directory. Files created in a directory that has default ACL entries will have the same ACL entries as the default ACL entries. Table 51-10 lists the default ACL entries for directories.

When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the owner, owner's group, others, and the mask (these are required and are the first four default ACL entries in Table 51-10).

d[efault]:u[ser]::perms 

d[efault]:g[roup]::perms 

d[efault]:o[ther]:perms 

d[efault]:m[ask]:perms 

d[efault]:u[ser]:uid:perms

d[efault]:g[roup]:gid:perms

How to Set ACL Entries on a File

1. Set ACL entries on a file by using the setfacl command.

   $ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl_entry_list filename ...

   -s	Replaces the entire ACL with the new ACL entries, if an ACL already exists on the file.
   user::perms	Specifies the owner's permissions.
   group::perms	Specifies the permissions for the owner's group.
   other:perms	Specifies the permissions for users other than the owner or members of the owner's group.
   mask:perms	Specifies the permissions for the ACL mask. The mask indicates the maximum permissions allowed for users (other than the owner) and for groups.
   acl_entry_list	Is the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 51-9 and Table 51-10 show the valid ACL entries.
   filename	File or directory on which to set the ACL entries.

2. To verify that an ACL was set on the file, see "How to Check If a File Has an ACL". To verify which ACL entries were set on the file, use the getfacl command.

   $ getfacl filename

If an ACL already exists on the file, the -s option will replace the entire ACL with the new ACL entries.

Examples--Setting ACL Entries on a File

The following example sets the user permissions to read/write, group permissions to read only, and other permissions to none on the ch1.doc file. In addition, the user george is given read/write permissions on the file, and the ACL mask permissions is set to read/write, which means no user or group can have execute permissions.

$ setfacl -s user::rw-,group::r--,other:---,mask:rw-,
user:george:rw-
ch1.doc
$ ls -l
total 124
-rw-r-----+  1 nathan  sysadmin   34816 Nov 11 14:16 ch1.doc
-rw-r--r--   1 nathan  sysadmin   20167 Nov 11 14:16 ch2.doc
-rw-r--r--   1 nathan  sysadmin    8192 Nov 11 14:16 notes
$ getfacl ch1.doc
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw-    #effective:rw-
group::r--         #effective:r--
mask:rw-
other:---

The following example sets the user permissions to read/write/execute, group permissions to read only, and other permissions to none on the ch2.doc file. In addition, users in the sysadmin group are given read/write permissions on the file, and the ACL mask permissions is set to read/write.

$ setfacl -s u::7,g::4,o:0,g:sysadmin:6,m:6 ch2.doc 
$ getfacl ch2.doc

How to Check If a File Has an ACL

Check if a file has an ACL by using the ls command.

$ ls -l filename

A `+' to the right of the mode field indicates the file has an ACL.

Example--Checking If a File Has an ACL

The following example shows that ch1.doc has an ACL.

$ ls -l ch1.doc
-rwxr-----+  1 nathan   sysadmin      167 Nov 11 11:13 ch1.doc

How to Add or Modify ACL Entries on a File

1. Add or modify ACL entries on a file by using the setfacl command.

   $ setfacl -m acl_entry_list filename1 [filename2...]

   -m	Modifies the existing ACL entry.
   acl_entry_list	List of one or more ACL entries to add or modify on the file or directory. You can also add or modify default ACL entries on a directory. Table 51-9 and Table 51-10 show the valid ACL entries.
   filename ...	File or directory on which to add or modify ACL entries.

2. To verify that the ACL entries were added or modified on the file, use the getfacl command.

   $ getfacl filename

Examples--Adding or Modifying ACL Entries on a File

The following example adds read/write permissions for the user george on the ch3.doc file.

$ setfacl -m user:george:6 ch3.doc
getfacl ch3.doc
# file: ch3.doc
# owner: george
# group: staff
user::rw-				
user::george:rw-				#effective:rw-
group::r-						#effective:r--
mask:r--
other:r--

The following example adds default ACL entries for the book directory, which already has a default entry specified for the owner of the directory, for the group owner of the directory, and for others. The users in the staff group are given read permissions and the required default mask is set to read/write.

$ setfacl -m default:group:staff:4,default:mask:6 book
getfacl book

How to Delete ACL Entries From a File

1. Delete ACL entries from a file by using the setfacl command.

   $ setfacl -d acl_entry_list filename1 ...

   -d	Deletes the specified ACL entries.
   acl_entry_list	List of ACL entries (without specifying the permissions) to delete from the file or directory. You can only delete ACL entries and default ACL entries for specific users and groups. Table 51-9 and Table 51-10 show the valid ACL entries.
   filename ...	File or directory from which to delete the ACL entries.

   Alternately, you can use the setfacl -s command to delete all the ACL entries on a file and replace them with the new ACL entries specified.

2. To verify that the ACL entries were deleted from the file, use the getfacl command.

   $ getfacl filename

Example--Deleting ACL Entries on a File

The following example deletes read permission for the user nigel on the ch4.doc file.

$ setfacl -d user:nigel:4 ch4.doc
$ getfacl ch4.doc
# file: ch4.doc
# owner: nigel
# group: staff
user::r--
group::r--					#effective:r--
other:r--

How to Display ACL Entries for a File

Display ACL entries for a file by using the getfacl command.

$ getfacl [-a | -d] filename1 ...

If you specify multiple file names on the command line, the ACL entries are separated by a blank line.

Examples--Displaying ACL Entries for a File

The following example shows all the ACL entries for the ch1.doc file. The #effective: note beside the user and group entries indicates what the permissions are after being modified by the ACL mask.

$ getfacl ch1.doc
 
# file: ch1.doc
# owner: nathan
# group: sysadmin
user::rw-
user:george:rw-         #effective:rw-
group::r--              #effective:r--
mask:rw-
other:---

The following example shows the default ACL entries for the book directory.

$ getfacl -d book
 
# file: book
# owner: nathan
# group: sysadmin
default:user::rw-
default:user:george:r--
default:group::rw-
default:mask:rw-
default:other:r--