Skip Navigation Links | |
Exit Print View | |
Oracle Solaris Administration: Security Services Oracle Solaris 11 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Using the Basic Audit Reporting Tool (Tasks)
7. Controlling Access to Files (Tasks)
Using UNIX Permissions to Protect Files
Commands for Viewing and Securing Files
Special File Permissions (setuid, setgid and Sticky Bit)
Using Access Control Lists to Protect UFS Files
Protecting Executable Files From Compromising Security
Protecting Files With UNIX Permissions (Task Map)
How to Display File Information
How to Change the Owner of a File
How to Change Group Ownership of a File
How to Change File Permissions in Symbolic Mode
How to Change File Permissions in Absolute Mode
How to Change Special File Permissions in Absolute Mode
Protecting Against Programs With Security Risk (Task Map)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Security Attributes in Oracle Solaris (Reference)
Part IV Cryptographic Services
11. Cryptographic Framework (Overview)
12. Cryptographic Framework (Tasks)
Part V Authentication Services and Secure Communication
14. Network Services Authentication (Tasks)
17. Using Secure Shell (Tasks)
19. Introduction to the Kerberos Service
20. Planning for the Kerberos Service
21. Configuring the Kerberos Service (Tasks)
22. Kerberos Error Messages and Troubleshooting
23. Administering Kerberos Principals and Policies (Tasks)
24. Using Kerberos Applications (Tasks)
25. The Kerberos Service (Reference)
The following procedures protect files with UNIX permissions, locate files with security risks, and protect the system from compromise by these files.
The following task map points to procedures that list file permissions, change file permissions, and protect files with special file permissions.
|
Display information about all the files in a directory by using the ls command.
% ls -la
Displays the long format that includes user ownership, group ownership, and file permissions.
Displays all files, including hidden files that begin with a dot (.).
Example 7-1 Displaying File Information
In the following example, a partial list of the files in the /sbin directory is displayed.
% cd /sbin % ls -la total 4960 drwxr-xr-x 2 root sys 64 Dec 8 11:57 ./ drwxr-xr-x 39 root root 41 Dec 8 15:20 ../ -r-xr-xr-x 1 root bin 21492 Dec 1 20:55 autopush* -r-xr-xr-x 1 root bin 33680 Oct 1 11:36 beadm* -r-xr-xr-x 1 root bin 184360 Dec 1 20:55 bootadm* lrwxrwxrwx 1 root root 21 Jun 7 2010 bpgetfile -> ... -r-xr-xr-x 1 root bin 86048 Dec 1 20:55 cryptoadm* -r-xr-xr-x 1 root bin 12828 Dec 1 20:55 devprop* -r-xr-xr-x 1 root bin 130132 Dec 1 20:55 dhcpagent* -r-xr-xr-x 1 root bin 13076 Dec 1 20:55 dhcpinfo* . . .
Each line displays information about a file in the following order:
Type of file – For example, d. For list of file types, see File and Directory Ownership.
Permissions – For example, r-xr-xr-x. For description, see File and Directory Ownership.
Number of hard links – For example, 2.
Owner of the file – For example, root.
Group of the file – For example, bin.
Size of the file, in bytes – For example, 21308.
Date the file was created or the last date that the file was changed – For example, Dec 9 15:55.
Name of the file – For example, dhcpinfo.
Before You Begin
If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.
% ls -l example-file -rw-r--r-- 1 janedoe staff 112640 May 24 10:49 example-file
For more information, see How to Obtain Administrative Rights.
# chown stacey example-file
# ls -l example-file -rw-r--r-- 1 stacey staff 112640 May 26 08:50 example-file
NFS-mounted file systems have further restrictions on changing ownership and groups. For more information, see Chapter 6, Accessing Network File Systems (Reference), in Oracle Solaris Administration: Network Services.
Example 7-2 Enabling Users to Change the Ownership of Their Own Files
Security Consideration – You need a good reason to change the setting of the rstchown variable to zero. The default setting prevents users from listing their files as belonging to others so as to bypass space quotas.
In this example, the value of the rstchown variable is set to zero in the /etc/system file. This setting enables the owner of a file to use the chown command to change the file's ownership to another user. This setting also enables the owner to use the chgrp command to set the group ownership of a file to a group that the owner does not belong to. The change goes into effect when the system is rebooted.
set rstchown = 0
For more information, see the chown(1) and chgrp(1) man pages.
Before You Begin
If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.
For more information, see How to Obtain Administrative Rights.
$ chgrp scifi example-file
For information about setting up groups, see Chapter 2, Managing User Accounts and Groups (Overview), in Oracle Solaris Administration: Common Tasks.
$ ls -l example-file -rw-r--r-- 1 stacey scifi 112640 June 20 08:55 example-file
Also see Example 7-2.
In the following procedure, a user changes permissions on a file that the user owns.
% chmod who operator permissions filename
Specifies whose permissions are to be changed.
Specifies the operation to be performed.
Specifies what permissions are to be changed. For the list of valid symbols, see Table 7-5.
Specifies the file or directory.
% ls -l filename
Note - If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.
Example 7-3 Changing Permissions in Symbolic Mode
In the following example, read permission is taken away from others.
% chmod o-r example-file1
In the following example, read and execute permissions are added to a local file for user, group, and others.
$ chmod a+rx example-file2
In the following example, read, write, and execute permissions for group are assigned to a local file.
$ chmod g=rwx example-file3
In the following procedure, a user changes permissions on a file that the user owns.
% chmod nnn filename
Specifies the octal values that represent the permissions for the file owner, file group, and others, in that order. For the list of valid octal values, see Table 7-4.
Specifies the file or directory.
Note - When you use the chmod command to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the permissions for other users and groups who have ACL entries on the file. Use the getfacl command to make sure that the appropriate permissions are set for all ACL entries. For more information, see the getfacl(1) man page.
% ls -l filename
Note - If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.
Example 7-4 Changing Permissions in Absolute Mode
In the following example, the permissions of a directory that is open to the public are changed from 744 (read, write, execute; read-only; and read-only) to 755 (read, write, execute; read and execute; and read and execute).
# ls -ld public_dir drwxr--r-- 1 jdoe staff 6023 Aug 5 12:06 public_dir # chmod 755 public_dir # ls -ld public_dir drwxr-xr-x 1 jdoe staff 6023 Aug 5 12:06 public_dir
In the following example, the permissions of an executable shell script are changed from read and write to read, write, and execute.
% ls -l my_script -rw------- 1 jdoe staff 6023 Aug 5 12:06 my_script % chmod 700 my_script % ls -l my_script -rwx------ 1 jdoe staff 6023 Aug 5 12:06 my_script
Before You Begin
If you are not the owner of the file or directory, you must be assigned the Object Access Management rights profile. To change a file that is a public object, you must be superuser.
For more information, see How to Obtain Administrative Rights.
% chmod nnnn filename
Specifies the octal values that change the permissions on the file or directory. The leftmost octal value sets the special permissions on the file. For the list of valid octal values for special permissions, see Table 7-6.
Specifies the file or directory.
Note - When you use the chmod command to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the permissions for additional users and groups who have ACL entries on the file. Use the getfacl command to make sure that the appropriate permissions are set for all ACL entries. For more information, see the getfacl(1) man page.
% ls -l filename
Example 7-5 Setting Special File Permissions in Absolute Mode
In the following example, the setuid permission is set on the dbprog file.
# chmod 4555 dbprog # ls -l dbprog -r-sr-xr-x 1 db staff 12095 May 6 09:29 dbprog
In the following example, the setgid permission is set on the dbprog2 file.
# chmod 2551 dbprog2 # ls -l dbprog2 -r-xr-s--x 1 db staff 24576 May 6 09:30 dbprog2
In the following example, the sticky bit permission is set on the public_dir directory.
# chmod 1777 public_dir # ls -ld public_dir drwxrwxrwt 2 jdoe staff 512 May 15 15:27 public_dir
The following task map points to procedures that find risky executables on the system, and that prevent programs from exploiting an executable stack.
|
This procedure locates potentially unauthorized use of the setuid and setgid permissions on programs. A suspicious executable file grants ownership to a user rather than to root or bin.
Before You Begin
You must be in the root role.
# find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
Checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail.
Displays files owned only by root.
Displays files only with permissions set to 4000.
Displays the output of the find command in ls -ldb format.
Is the file that contains the results of the find command.
# more /tmp/filename
For background information about setuid permissions, see setuid Permission.
Example 7-6 Finding Files With setuid Permissions
The output from the following example shows that a user in a group called rar has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. As a result, the /usr/rar/bin/sh program runs with root permissions.
This output was saved for future reference by moving the /var/tmp/chkprm directory to an archive.
# find / -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm # cat /var/tmp/ckprm -r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at -r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab ---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct -r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir -r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin -r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched ---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh -r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df -rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp -r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd -r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su # mv /var/tmp/ckprm /export/sysreports/ckprm
For a description of the security risks of 32–bit executable stacks, see Protecting Executable Files From Compromising Security.
Before You Begin
You must be in the root role.
set noexec_user_stack=1
# reboot
Example 7-7 Disabling the Logging of Executable Stack Messages
In this example, the logging of executable stack messages is disabled, and then the system is rebooted.
# cat /etc/system set noexec_user_stack=1 set noexec_user_stack_log=0 # reboot
See Also
For more information, read the following: