JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: Security Services     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Using UNIX Permissions to Protect Files

Commands for Viewing and Securing Files

File and Directory Ownership

UNIX File Permissions

Special File Permissions (setuid, setgid and Sticky Bit)

setuid Permission

setgid Permission

Sticky Bit

Default umask Value

File Permission Modes

Using Access Control Lists to Protect UFS Files

Protecting Executable Files From Compromising Security

Protecting Files (Tasks)

Protecting Files With UNIX Permissions (Task Map)

How to Display File Information

How to Change the Owner of a File

How to Change Group Ownership of a File

How to Change File Permissions in Symbolic Mode

How to Change File Permissions in Absolute Mode

How to Change Special File Permissions in Absolute Mode

Protecting Against Programs With Security Risk (Task Map)

How to Find Files With Special File Permissions

How to Disable Programs From Using Executable Stacks

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Network Services Authentication (Tasks)

15.  Using PAM

16.  Using SASL

17.  Using Secure Shell (Tasks)

18.  Secure Shell (Reference)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

Protecting Files (Tasks)

The following procedures protect files with UNIX permissions, locate files with security risks, and protect the system from compromise by these files.

Protecting Files With UNIX Permissions (Task Map)

The following task map points to procedures that list file permissions, change file permissions, and protect files with special file permissions.

Task
For Instructions
Display file information.
Change local file ownership.
Change local file permissions.

How to Display File Information

Display information about all the files in a directory by using the ls command.

Example 7-1 Displaying File Information

In the following example, a partial list of the files in the /sbin directory is displayed.

% cd /sbin
% ls -la
total 4960
drwxr-xr-x   2 root     sys           64 Dec  8 11:57 ./
drwxr-xr-x  39 root     root          41 Dec  8 15:20 ../
-r-xr-xr-x   1 root     bin        21492 Dec  1 20:55 autopush*
-r-xr-xr-x   1 root     bin        33680 Oct  1 11:36 beadm*
-r-xr-xr-x   1 root     bin       184360 Dec  1 20:55 bootadm*
lrwxrwxrwx   1 root     root          21 Jun  7  2010 bpgetfile -> ...
-r-xr-xr-x   1 root     bin        86048 Dec  1 20:55 cryptoadm*
-r-xr-xr-x   1 root     bin        12828 Dec  1 20:55 devprop*
-r-xr-xr-x   1 root     bin       130132 Dec  1 20:55 dhcpagent*
-r-xr-xr-x   1 root     bin        13076 Dec  1 20:55 dhcpinfo*

   .
   .
   .

Each line displays information about a file in the following order:

How to Change the Owner of a File

Before You Begin

If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.

  1. Display the permissions on a file.
    % ls -l example-file
    -rw-r--r--   1 janedoe   staff   112640 May 24 10:49 example-file
  2. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  3. Change the owner of the file.
    # chown stacey example-file
  4. Verify that the owner of the file has changed.
    # ls -l example-file
    -rw-r--r--   1 stacey   staff   112640 May 26 08:50 example-file 

    NFS-mounted file systems have further restrictions on changing ownership and groups. For more information, see Chapter 6, Accessing Network File Systems (Reference), in Oracle Solaris Administration: Network Services.

Example 7-2 Enabling Users to Change the Ownership of Their Own Files

Security Consideration – You need a good reason to change the setting of the rstchown variable to zero. The default setting prevents users from listing their files as belonging to others so as to bypass space quotas.

In this example, the value of the rstchown variable is set to zero in the /etc/system file. This setting enables the owner of a file to use the chown command to change the file's ownership to another user. This setting also enables the owner to use the chgrp command to set the group ownership of a file to a group that the owner does not belong to. The change goes into effect when the system is rebooted.

set rstchown = 0

For more information, see the chown(1) and chgrp(1) man pages.

How to Change Group Ownership of a File

Before You Begin

If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.

  1. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  2. Change the group ownership of a file.
    $ chgrp scifi example-file

    For information about setting up groups, see Chapter 2, Managing User Accounts and Groups (Overview), in Oracle Solaris Administration: Common Tasks.

  3. Verify that the group ownership of the file has changed.
    $ ls -l example-file
     -rw-r--r--   1 stacey   scifi   112640 June 20 08:55  example-file

    Also see Example 7-2.

How to Change File Permissions in Symbolic Mode

In the following procedure, a user changes permissions on a file that the user owns.

  1. Change permissions in symbolic mode.
    % chmod who operator permissions filename
    who

    Specifies whose permissions are to be changed.

    operator

    Specifies the operation to be performed.

    permissions

    Specifies what permissions are to be changed. For the list of valid symbols, see Table 7-5.

    filename

    Specifies the file or directory.

  2. Verify that the permissions of the file have changed.
    % ls -l filename

    Note - If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.


Example 7-3 Changing Permissions in Symbolic Mode

In the following example, read permission is taken away from others.

% chmod o-r example-file1

In the following example, read and execute permissions are added to a local file for user, group, and others.

$ chmod a+rx example-file2

In the following example, read, write, and execute permissions for group are assigned to a local file.

$ chmod g=rwx example-file3

How to Change File Permissions in Absolute Mode

In the following procedure, a user changes permissions on a file that the user owns.

  1. Change permissions in absolute mode.
    % chmod nnn filename
    nnn

    Specifies the octal values that represent the permissions for the file owner, file group, and others, in that order. For the list of valid octal values, see Table 7-4.

    filename

    Specifies the file or directory.


    Note - When you use the chmod command to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the permissions for other users and groups who have ACL entries on the file. Use the getfacl command to make sure that the appropriate permissions are set for all ACL entries. For more information, see the getfacl(1) man page.


  2. Verify that the permissions of the file have changed.
    % ls -l filename

    Note - If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.


Example 7-4 Changing Permissions in Absolute Mode

In the following example, the permissions of a directory that is open to the public are changed from 744 (read, write, execute; read-only; and read-only) to 755 (read, write, execute; read and execute; and read and execute).

# ls -ld public_dir
drwxr--r--  1 jdoe   staff    6023 Aug  5 12:06 public_dir
# chmod 755 public_dir
# ls -ld public_dir
drwxr-xr-x  1 jdoe   staff    6023 Aug  5 12:06 public_dir

In the following example, the permissions of an executable shell script are changed from read and write to read, write, and execute.

% ls -l my_script
-rw------- 1 jdoe   staff    6023 Aug  5 12:06 my_script
% chmod 700 my_script
% ls -l my_script
-rwx------ 1 jdoe   staff    6023 Aug  5 12:06 my_script

How to Change Special File Permissions in Absolute Mode

Before You Begin

If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.

  1. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  2. Change special permissions in absolute mode.
    % chmod nnnn filename
    nnnn

    Specifies the octal values that change the permissions on the file or directory. The leftmost octal value sets the special permissions on the file. For the list of valid octal values for special permissions, see Table 7-6.

    filename

    Specifies the file or directory.


    Note - When you use the chmod command to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the permissions for additional users and groups who have ACL entries on the file. Use the getfacl command to make sure that the appropriate permissions are set for all ACL entries. For more information, see the getfacl(1) man page.


  3. Verify that the permissions of the file have changed.
    % ls -l filename

Example 7-5 Setting Special File Permissions in Absolute Mode

In the following example, the setuid permission is set on the dbprog file.

# chmod 4555 dbprog
# ls -l dbprog
-r-sr-xr-x   1 db     staff        12095 May  6 09:29 dbprog

In the following example, the setgid permission is set on the dbprog2 file.

# chmod 2551 dbprog2
# ls -l dbprog2
-r-xr-s--x   1 db     staff       24576 May  6 09:30 dbprog2

In the following example, the sticky bit permission is set on the public_dir directory.

# chmod 1777 public_dir
# ls -ld public_dir
drwxrwxrwt   2 jdoe   staff          512 May 15 15:27 public_dir

Protecting Against Programs With Security Risk (Task Map)

The following task map points to procedures that find risky executables on the system, and that prevent programs from exploiting an executable stack.

Task
Description
For Instructions
Find files with special permissions.
Locates files with the setuid bit set, but that are not owned by the root user.
Prevent executable stack from overflowing.
Prevents programs from exploiting an executable stack.
Prevent logging of executable stack messages.
Turns off logging of executable stack messages.

How to Find Files With Special File Permissions

This procedure locates potentially unauthorized use of the setuid and setgid permissions on programs. A suspicious executable file grants ownership to a user rather than to root or bin.

Before You Begin

You must be in the root role.

  1. Find files with setuid permissions by using the find command.
    # find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
    find directory

    Checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail.

    -user root

    Displays files owned only by root.

    -perm -4000

    Displays files only with permissions set to 4000.

    -exec ls -ldb

    Displays the output of the find command in ls -ldb format.

    /tmp/filename

    Is the file that contains the results of the find command.

  2. Display the results in /tmp/filename.
    # more /tmp/filename

    For background information about setuid permissions, see setuid Permission.

Example 7-6 Finding Files With setuid Permissions

The output from the following example shows that a user in a group called rar has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. As a result, the /usr/rar/bin/sh program runs with root permissions.

This output was saved for future reference by moving the /var/tmp/chkprm directory to an archive.

# find / -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# cat /var/tmp/ckprm
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
# mv /var/tmp/ckprm /export/sysreports/ckprm

How to Disable Programs From Using Executable Stacks

For a description of the security risks of 32–bit executable stacks, see Protecting Executable Files From Compromising Security.

Before You Begin

You must be in the root role.

  1. Edit the /etc/system file, and add the following line:
    set noexec_user_stack=1
  2. Reboot the system.
    # reboot

Example 7-7 Disabling the Logging of Executable Stack Messages

In this example, the logging of executable stack messages is disabled, and then the system is rebooted.

# cat /etc/system
set noexec_user_stack=1
set noexec_user_stack_log=0
# reboot

See Also

For more information, read the following: