11.2 File Permissions


Some files are readable by all users, while others are restricted. This is achieved by a system of permissions known as discretionary access control (DAC). [2] Unix flavors use different filesystems (ufs, ext2, and several others), and they all implement file permissions as follows:

[2] In the terminology hailing from the famous Rainbow Series (http://www.radium.ncsc.mil/tpep/library/rainbow/), discretionary access control is a method of access control where the owner of the object (such as a file) assigns who can use it and how (such as read and write permissions).

 drwx------   2 user 19449        512 Mar 23  2000 bin
 -rw-r--r--   1 user 19449      34040 Jun 18 03:10 bookmark.htm

In this example, the directory bin is readable and searchable exclusively by the owner, and only the owner can create new files there. On the other hand, the file bookmark.htm is readable by all users.

The following example shows all possible permissions:

 d rwxt rwx rwx
 - type
   ---- owner
        --- group
            --- others

In this example, "d" is the type of object ("-" is used to denote files, "d" indicates directories, "l" means links, "s" indicates sockets). Permissions are intuitive for files (the owner, group, or others can read, write, and execute a file), but for directories, things can be cryptic. For example, the execute bit for directories means that it is possible to access files in the directory, but not to see the directory listing itself. The latter is controlled by the read bit. In contrast, the write bit allows the creation and removal of files in the directory. To set these permissions, use the Unix command chmod. The typical chmod command line may be in one of two forms: numeric or alphabetic characters. The numeric mode is determined by a 3-digit number (consisting of octal digits), [3] and the individual access rights (0 = none, 1 = execute, 2 = write, 4 = read) are combined: 764, for instance, means that read, execute, and write functions are allowed for the owner, read and write are allowed for the group members, and only read is allowed for others. The following chmod commands are equivalent (assuming file permissions were set to 000, which is almost never the case):

[3] That leads to 1 + 7 = 10 in the octal system.

 chmod 600 test.txt
 chmod u=rw test.txt
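The following script is an added example (not from the book) that works the 4/2/1 encoding in both directions: it turns the mode column of ls -l into the octal number chmod takes and back, and then confirms on a scratch file that chmod 600 and chmod u=rw leave the file in the same state. It goes a little beyond the paragraph above in that it also understands the s and t letters for the setuid, setgid and sticky bits described later in this section. It assumes only a POSIX shell and the standard chmod, ls and mktemp utilities.

```sh
#!/bin/sh
# Convert between the mode column printed by ls -l and the octal numbers
# chmod takes, then confirm on a real file that the numeric and symbolic
# chmod forms give the same result. Added example, not from the book;
# assumes only POSIX sh and the standard chmod/ls/mktemp utilities.

# rwx_to_digit "rw-" -> 6  (read = 4, write = 2, execute = 1, summed).
# A lowercase s or t in the execute slot also implies execute.
rwx_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# mode_to_octal "-rw-r--r--" -> 0644, "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777.
# Takes the full 10-character ls field: type character plus nine permission
# characters. s/S in the owner or group triple are setuid/setgid, t/T in the
# others triple is the sticky bit; uppercase means the execute bit is off.
mode_to_octal() {
    owner=$(printf '%s' "$1" | cut -c2-4)
    group=$(printf '%s' "$1" | cut -c5-7)
    other=$(printf '%s' "$1" | cut -c8-10)
    special=0
    case "$owner" in ??[sS]) special=$((special + 4)) ;; esac
    case "$group" in ??[sS]) special=$((special + 2)) ;; esac
    case "$other" in ??[tT]) special=$((special + 1)) ;; esac
    printf '%s%s%s%s' "$special" "$(rwx_to_digit "$owner")" \
        "$(rwx_to_digit "$group")" "$(rwx_to_digit "$other")"
}

# digit_to_rwx 6 -> "rw-"
digit_to_rwx() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# with_special "rwx" s -> "rws"; with_special "rw-" s -> "rwS"
with_special() {
    case "$1" in
        ??x) printf '%s%s' "$(printf '%s' "$1" | cut -c1-2)" "$2" ;;
        *)   printf '%s%s' "$(printf '%s' "$1" | cut -c1-2)" "$(printf '%s' "$2" | tr st ST)" ;;
    esac
}

# octal_to_mode 764 -> "rwxrw-r--", octal_to_mode 4755 -> "rwsr-xr-x"
octal_to_mode() {
    n="$1"
    [ ${#n} -eq 3 ] && n="0$n"
    sp=$(printf '%s' "$n" | cut -c1)
    u=$(digit_to_rwx "$(printf '%s' "$n" | cut -c2)")
    g=$(digit_to_rwx "$(printf '%s' "$n" | cut -c3)")
    o=$(digit_to_rwx "$(printf '%s' "$n" | cut -c4)")
    [ $((sp & 4)) -ne 0 ] && u=$(with_special "$u" s)
    [ $((sp & 2)) -ne 0 ] && g=$(with_special "$g" s)
    [ $((sp & 1)) -ne 0 ] && o=$(with_special "$o" t)
    printf '%s%s%s' "$u" "$g" "$o"
}

# Apply "chmod 600" and "chmod u=rw" (from a 000 starting point) to a scratch
# file and return the ls mode field when both agree, e.g. "-rw-------".
chmod_forms_agree() {
    dir=$(mktemp -d) || return 1
    : > "$dir/test.txt"
    chmod 600 "$dir/test.txt"
    numeric=$(ls -l "$dir/test.txt" | cut -c1-10)
    chmod 000 "$dir/test.txt"
    chmod u=rw "$dir/test.txt"
    symbolic=$(ls -l "$dir/test.txt" | cut -c1-10)
    rm -rf "$dir"
    [ "$numeric" = "$symbolic" ] && printf '%s' "$numeric"
}

# Stand-alone demonstration.
printf '%s -> %s\n' '-rwxrw-r--' "$(mode_to_octal '-rwxrw-r--')"
printf '%s -> %s\n' 764 "$(octal_to_mode 764)"
printf 'chmod 600 and chmod u=rw both give: %s\n' "$(chmod_forms_agree)"
```

Note that the symbolic form only touches the classes you name: chmod u=rw leaves the group and others bits as they were, which is why the book's equivalence holds only when the file starts at 000.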

The default permissions for all newly created files are set by the umask command. The umask is set to a 3-digit number, such as 077. The umask number is subtracted from the default permissions; thus, if the umask is set to 600, all new files are created with read and write rights for the owner and no rights for others (which is a sensible choice when setting a umask).
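To make the umask arithmetic concrete, here is an added example (not from the book) that computes the mode a new file or directory will get under a given mask and then checks the prediction against files actually created under that mask. The computation is a bitwise operation: every bit set in the mask is cleared from the base mode the creating program requests, 666 for ordinary files and 777 for directories, so a umask of 077 yields 600 for files and 700 for directories. It assumes a POSIX shell plus ls, mkdir and mktemp.

```sh
#!/bin/sh
# How umask derives the mode of new files: the bits set in the mask are
# cleared from the base mode the creating program asks for (666 for ordinary
# files, 777 for directories). Added example, not from the book; assumes POSIX
# sh plus ls/mkdir/mktemp.

# apply_umask BASE MASK -> octal result, e.g. apply_umask 666 077 -> 600
apply_umask() {
    base=$(( 0$1 ))   # the leading 0 makes the shell read the digits as octal
    mask=$(( 0$2 ))
    printf '%03o' $(( base & ~mask & 0777 ))
}

# Expected mode of a new regular file or directory under MASK.
new_file_mode() { apply_umask 666 "$1"; }
new_dir_mode()  { apply_umask 777 "$1"; }

# Create a file and a directory under MASK in a scratch directory and return
# their ls mode fields, e.g. observe_umask 077 -> "-rw------- drwx------".
observe_umask() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"          # only affects this subshell
        : > "$scratch/f"
        mkdir "$scratch/d"
    )
    f=$(ls -ld "$scratch/f" | cut -c1-10)
    d=$(ls -ld "$scratch/d" | cut -c1-10)
    rm -rf "$scratch"
    printf '%s %s' "$f" "$d"
}

# Stand-alone demonstration: predicted and observed results for two masks.
for m in 077 022; do
    printf 'umask %s: file %s, dir %s, observed: %s\n' \
        "$m" "$(new_file_mode "$m")" "$(new_dir_mode "$m")" "$(observe_umask "$m")"
done
```

Because files are never created with execute bits by default, the execute digit of the mask only matters for directories; 022 (the common default on many systems) leaves files at 644 and directories at 755, readable by everyone.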

The SUID bit is another attribute that you can set on files. For executable files, it simply means that when the file is executed, the resulting process will run with the owner's permissions and not with the permissions of the person launching the file. The SGID bit is similar: it modifies the running file's group permissions. It is sometimes used by the mail daemon to add mail to user mail spools, which are owned by individual users; the group ownership is "mail". SUID root files are considered a great security risk. Further, if they are abused by one of several methods, the attacker may obtain a root-owned shell or gain the ability to execute a command as root. SUID shell scripts are an even greater risk, because they are much easier to abuse. In fact, some Unix flavors prohibit setting the SUID bit on shell scripts.

The sticky bit, when set on a directory, usually modifies the behavior of the files in that directory (some Unix flavors deviate here). When the directory sticky bit is set, users are able to create and modify files within this directory, but they can only delete files that they themselves created. This is used on the /tmp directory, where this kind of behavior is required.

On some Unix systems, the default file and directory permissions are insecure. In other words, some files are accessible by a wider audience than necessary. Historically, this behavior has been severe enough to be considered a bug. For example, on early SunOS systems, logfiles were writable for all users. This characteristic allowed malicious hackers to clean up all traces of their attacks. In addition, vendors often ship programs with an unnecessary SUID root bit set, significantly increasing the risk of abuse. Thus, carefully adjusting default permissions should be part of any system-hardening process.
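The three preceding paragraphs (SUID and SGID, the sticky bit, and the hardening advice) are tied together in the following added example, which is not from the book. It builds a small scratch tree containing one file with each special bit set, shows how those bits appear in the ls -l mode column, and then runs the two checks a hardening pass typically starts with: listing setuid/setgid files with find -perm, and listing world-writable entries while skipping /tmp-style sticky directories, which are world-writable by design. It assumes a POSIX shell plus chmod, find, ls, basename and mktemp; on a real system you would run the two find functions against / (or a mounted filesystem) instead of the scratch tree.

```sh
#!/bin/sh
# Set the setuid, setgid and sticky bits on scratch files and audit a directory
# tree for the risky modes a hardening pass looks for: setuid/setgid executables
# and world-writable entries. Added example, not from the book; assumes POSIX
# sh plus chmod/find/ls/mktemp/basename.

# Build a scratch tree with one example of each mode of interest; prints its path.
make_scratch_tree() {
    root=$(mktemp -d) || return 1
    : > "$root/suid_prog";   chmod 4755 "$root/suid_prog"    # -rwsr-xr-x
    : > "$root/sgid_prog";   chmod 2755 "$root/sgid_prog"    # -rwxr-sr-x
    : > "$root/plain";       chmod 0644 "$root/plain"        # -rw-r--r--
    : > "$root/world_wr";    chmod 0666 "$root/world_wr"     # -rw-rw-rw-
    mkdir "$root/tmp_like";  chmod 1777 "$root/tmp_like"     # drwxrwxrwt (sticky, like /tmp)
    printf '%s' "$root"
}

# mode_of PATH -> the ls permission field, e.g. "-rwsr-xr-x"
mode_of() { ls -ld "$1" | cut -c1-10; }

# find_suid_sgid DIR -> sorted basenames of regular files with setuid or setgid set.
# ("-perm -4000" matches when at least the setuid bit is present.)
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec basename {} \; | sort
}

# find_world_writable DIR -> sorted basenames of entries writable by "others",
# skipping symlinks and sticky directories (a /tmp-style directory is
# world-writable on purpose, and the sticky bit limits deletion to owners).
find_world_writable() {
    find "$1" -perm -0002 ! -type l ! \( -type d -perm -1000 \) -exec basename {} \; | sort
}

# Stand-alone demonstration.
tree=$(make_scratch_tree)
for f in suid_prog sgid_prog tmp_like; do
    printf '%-10s %s\n' "$f" "$(mode_of "$tree/$f")"
done
printf 'setuid/setgid files: %s\n' "$(find_suid_sgid "$tree" | tr '\n' ' ')"
printf 'world-writable:      %s\n' "$(find_world_writable "$tree" | tr '\n' ' ')"
rm -rf "$tree"
```

Keeping the output of find_suid_sgid from a freshly installed system as a baseline makes later runs useful: any setuid binary that appears afterwards is either a package update or something that deserves a closer look.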

11.2.1 Attributes and Capabilities

File permissions for users, groups, and others authorize access to objects. Access to files and directories can thus be given to certain users (group members only) and withdrawn from others. While this method of access control can be very effective, such granularity is only achieved by making users members of many groups. Managing such a system quickly becomes nightmarish. However, granular access control is sometimes needed. Unlike with Windows (which has Active Directory), there is no universal Unix method to implement this level of control, but since this security feature is important, we briefly touch upon Solaris. The capabilities of Solaris, AIX, and other Unix flavors differ greatly from vendor to vendor. It is possible to make a file readable by "user1" and "user2" and writable by "user3".

On Solaris 8, the getfacl and setfacl commands are used to enable and set extended permissions. They are implemented as a complicated list of access control rules called an access control list (ACL). We can see a detailed picture of standard Unix permissions, since capabilities are implemented as an extension of the permissions.

 $ getfacl bookmark.htm

 # file: bookmark.htm
 # owner: user
 # group: 19449
 user::rw-
 group::r--              #effective:r--
 mask:r--
 other:r--

Now, let's apply the new access control list, as follows:

 $ setfacl -m user:friend:rwx /usr/local/bin/nmap 

This command gives the user "friend" the ability to read, write, and execute the file /usr/local/bin/nmap. The modified extended permissions are:

 $ getfacl /usr/local/bin/nmap

 # file: /usr/local/bin/nmap
 # owner: user
 # group: 19449
 user::rw-
 user:friend:rwx               #effective:r--
 group::r--                    #effective:r--
 mask:r--
 other:r--

The standard Unix permissions are as follows:

 -rw-r--r--+  1 anton 19449      34040 Jun 18 03:10 /usr/local/bin/nmap 

The plus sign (+) indicates that enhanced permissions are in use.
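Look again at the getfacl output above: the entry for "friend" says rwx, but getfacl annotates it with #effective:r--. The reason is the mask entry, which caps the rights of every named user, the owning group and every named group (the owner's own user:: entry and the other entry are not subject to it). Since the mask stayed at r-- after the setfacl -m, "friend" can in fact only read the file until the mask is widened as well (on Solaris, by adding a mask:rwx entry with setfacl -m). The following added example, not from the book and not Solaris code, parses a getfacl-style listing and recomputes those effective rights from the mask, so the rule can be checked on any ACL listing you paste into it. It assumes a POSIX shell with sed, grep and cut; the sample input is the ACL shown above, minus the annotations.

```sh
#!/bin/sh
# Compute the effective rights of each entry in a getfacl-style listing.
# The mask entry caps named users, the owning group and named groups; the
# owner (user::) and other entries are not subject to it. Added example, not
# from the book or from Solaris; assumes POSIX sh with sed/grep/cut.

# Sample input: the ACL shown above for /usr/local/bin/nmap, without the
# "#effective:" annotations getfacl prints, so that we recompute them here.
SAMPLE_ACL='# file: /usr/local/bin/nmap
# owner: user
# group: 19449
user::rw-
user:friend:rwx
group::r--
mask:r--
other:r--'

# perm_and "rwx" "r--" -> "r--": keep a letter only where both strings have it.
perm_and() {
    out=''
    for i in 1 2 3; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != '-' ]; then out="$out$a"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# acl_mask ACL_TEXT -> the mask entry's rights, or rwx when the ACL has no mask.
acl_mask() {
    m=$(printf '%s\n' "$1" | sed -n 's/^mask:\([rwx-]*\).*/\1/p')
    printf '%s' "${m:-rwx}"
}

# acl_effective ACL_TEXT -> one "tag:name:stated:effective" line per entry.
acl_effective() {
    mask=$(acl_mask "$1")
    printf '%s\n' "$1" | grep -v '^#' | while IFS=: read -r tag name perm; do
        case "$tag" in
            other) perm=$name; name='' ;;   # "other:r--" has only two fields
            mask) continue ;;
            user|group) ;;
            *) continue ;;
        esac
        perm=$(printf '%s' "$perm" | cut -c1-3)   # drop any trailing annotation
        if [ "$tag" = other ] || { [ "$tag" = user ] && [ -z "$name" ]; }; then
            eff=$perm                        # owner and other: mask does not apply
        else
            eff=$(perm_and "$perm" "$mask")  # named user, owning/named group: capped
        fi
        printf '%s:%s:%s:%s\n' "$tag" "$name" "$perm" "$eff"
    done
}

# effective_for ACL_TEXT TAG NAME -> effective rights of one entry, e.g. "r--".
# Use an empty NAME for the owner (user::) and owning group (group::) entries.
effective_for() {
    acl_effective "$1" | grep "^$2:$3:" | cut -d: -f4
}

# Stand-alone demonstration on the sample ACL.
acl_effective "$SAMPLE_ACL"
```

The practical check after any setfacl -m is therefore to read the #effective: column, not the entry itself; a named-user entry that looks generous can be entirely neutralized by a narrow mask, and conversely widening the mask raises the ceiling for every named entry at once.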

Linux supports another system (called file attributes) that can block even root from accessing the file. Files can be designated as unchangeable, undeletable, and append-only, along with other unusual properties. This feature has been available since Version 2.2 of the Linux kernel. For more details on these capabilities, see Section 11.7 at the end of the chapter.

Security Warrior
ISBN: 0596005458
Year: 2004
Pages: 211