test

System Administration Guide: Security Services

File Security

The SunOS operating system is a multiuser system, which means that all the users who are logged in to a system can read and use files that belong to one another, as long as they have the file permissions to do so. Table 14–1 describes the commands for file system security. For step-by-step instructions on securing files, see Chapter 15, Securing Files (Tasks).

Commands for File System Security

This table describes the commands for monitoring and securing files and directories.

Table 14–1 Commands for File System Security

Command 

Description 

Man Page 

ls

Lists the files in a directory and information about them. 

ls(1)

chown

Changes the ownership of a file. 

chown(1)

chgrp

Changes the group ownership of a file. 

chgrp(1)

chmod

Changes permissions on a file. You can use either symbolic mode (letters and symbols) or absolute mode (octal numbers) to change permissions on a file. 

chmod(1)

File Encryption

By placing a sensitive file into an inaccessible directory (700 mode) and making the file unreadable by other users (600 mode), you will keep it secure in most cases. However, someone who guesses your password or the root password can read and write to that file. Also, the sensitive file is preserved on a backup tape every time you back up the system files to tape.

Fortunately, an additional layer of security is available to all SunOS system software users in the United States: the optional file encryption kit. The encryption kit includes the crypt command, which scrambles the data to disguise the text. For more information, see crypt(1).

Access Control Lists (ACLs)

ACLs (pronounced “ackkls”) can provide greater control over file permissions when the traditional UNIX file protection in the SunOS operating system is not sufficient. The traditional UNIX file protection provides read, write, and execute permissions for the three user classes: owner, group, and other. An ACL provides better file security by enabling you to define file permissions for the owner, owner's group, others, specific users and groups, and to define default permissions for each of those categories. For step–by–step instructions on using ACLs, see Using Access Control Lists (ACLs).

The following table lists the commands for administering ACLs on files or directories.

Table 14–2 ACL Commands

Command 

Description 

Man Page 

setfacl

Sets, adds, modifies, and deletes ACL entries 

setfacl(1)

getfacl

Displays ACL entries  

getfacl(1)