Securing File Systems Permissions


Mac OS X is built on a foundation of UNIX, which includes advanced features such as file- and folder-level permissions and, new to Mac OS X 10.4, access control lists (ACLs). Permissions ensure that the owner of a file or folder controls who is authorized (and who isn't) to access that file or folder.

Here are the folders included in a typical Mac OS X user's home folder. In this case the user, osxuser1, opened Terminal (/Applications/Utilities) and entered ls -l ~osxuser1 on the command line to view this output:

powerbook:~ osxuser1$ ls -l
total 0
drwx------    7 osxuser1  osxuser1  238 18 Mar 00:03 Desktop
drwx------   12 osxuser1  osxuser1  408 24 Mar 10:50 Documents
drwx------   25 osxuser1  osxuser1  850 15 Feb 12:17 Library
drwx------    3 osxuser1  osxuser1  102 24 Feb  2004 Movies
drwx------    3 osxuser1  osxuser1  102 24 Feb  2004 Music
drwx------    5 osxuser1  osxuser1  170 24 Feb  2004 Pictures
drwxr-xr-x    5 osxuser1  osxuser1  170 24 Mar 10:50 Public
drwxr-xr-x    5 osxuser1  osxuser1  170 24 Feb  2004 Sites


By reviewing the UNIX permissions, you see that each folder ("d" for directory, in UNIX parlance) is owned by user osxuser1 and associated with the group osxuser1. Before Mac OS X 10.3, the group may have appeared as "staff" (or, occasionally, "wheel"), but beginning with Mac OS X 10.3, for increased security, when a new user is added to the system a group is automatically created with the same name as the user's short name.

Except for the Public and Sites folders, only user osxuser1 has access to the remaining folder contents. Permissions for Group and Others are all "-".

For the Public, Sites, and other folders, user osxuser1 has full rwx (read, write, and execute) permissions, but the Group also has the permissions r-x (a read-only folder), and Others also have r-x permissions.

By default, most folders in a Mac OS X user's home directory are accessible to no one but the owner, with exceptions made for the Public and Sites folders.

The Sites folder (intended to be used for an individual's website) is accessible by others. Only information intended to be accessible to all users should be placed in the Sites folder. This folder is not intended to be a location for a secure website, but for a user's "personal" website. The Public folder allows its owner to share information with everyone in a controlled manner. All users can view the contents of the Public folder, but they cannot modify or add any contents, except through the Drop Box folder (which will be explained later).

Here are the contents of user osxuser1's Public folder:

powerbook:~/Public osxuser1$ ls -l
total 12536
drwx-wx-wx  4 osxuser1  osxuser1      136  3 Jul 12:10 DropBox
-rw-r--r--  1 osxuser1  osxuser1    29637  7 Nov  2004 GremInterior.jpg
drwxr-xr-x  3 osxuser1  osxuser1      102  3 Jul 12:13 Misc
-rw-r--r--  1 osxuser1  osxuser1    64512 27 May  2004 Quarterly05.xls
-rw-r--r--  1 osxuser1  osxuser1   711734  1 Jul 11:34 Scott.tiff
-rw-r--r--  1 osxuser1  osxuser1  5605250 25 Aug  2003 cowbell.mp3


Every file and folder is readable by everyone (the r in the Group and Others positions), yet only the owner, osxuser1, has write access to the files and folders contained in the Public folder, so these files cannot be modified by others. And since the Public folder itself can be modified only by its owner, its files and folders cannot be deleted or renamed by anyone else.

The Drop Box allows others to "drop something off" in the Public folder, but only the owner of the folder can see what has been left there. Think of placing a letter into a public mailbox. Once you leave the letter and close the door, only the postal carrier has access to that letter (not even you can retrieve it). This is because user osxuser1 has full rwx access, but the Group and Others access is only -wx, meaning a write-only folder.

Let's say that a user named deborah wants to grab a copy of the file Quarterly05.xls, make modifications to it, and drop that file in osxuser1's Public folder. Deborah (or anyone else with access to the system) can use the Finder to navigate to osxuser1's Public folder and copy (not move) the file into her home directory. She can then modify that file and drop it in the Drop Box folder in osxuser1's Public folder. User deborah cannot replace the file that existed in the Public folder because she does not have write permission into that folder, thus the Drop Box is the alternative.

Setting Access Rights for Files and Folders

What if you have a file that you want only a certain user or group of users to be able to read? The default Public folder setup is not sufficient for this, and you will need to go a little further to control the granularity of access.

A user can create a folder or file with more granular permission control from either the Finder (which refers to the three levels of granularity as Owner, Group, or Others) or from the CLI (User, Group, or Others). The user can (if authenticated) also change the User/Owner of the file or folder or Group associated with the file or folder.

Note that the Finder allows only certain permissions options, whereas the command-line interface (CLI) allows all eight possible permutations of rwx to apply to each of the three levels of granularity.

Also note that there is no way from the Finder to control Group membership: you can select from preexisting Groups, but cannot create your own, or modify who is (or isn't) in either new or preexisting groups.

The Sticky Bit

The Public folder/Drop Box system employed by Mac OS X is very powerful and, as you have seen, extensible into even more granular control by you. Another powerful aspect of the UNIX permissions system is something called the "sticky bit."

The sticky bit solves the problem of how to control permissions on a single collaborative folder in such a way that you can create your own new folders and files for others to have access to (with a granularity that you control) without fear of those same others being able to delete or modify your files (which would be annoying, to say the least).

Without the sticky bit, it might seem intuitive to create a collaborative folder called Collaborate with rwx permission enabled for each user who wants to collaborate (whether that's everyone, or it is controlled via a specific group). Sure enough, users who have write access to that folder will be able to create their own folders and files, but there is a problem: The same power that enables users to create files and folders in the Collaborate folder also allows them to delete or rename any file or folder within that folder; nothing prevents them from deleting or renaming other collaborative users' files or folders!

The sticky bit ensures that this cannot happen. When the sticky bit is enabled on a folder (it cannot be enabled on a file), each user can create his or her own files and folders, but others are not allowed to delete, rename, or modify those files or folders (since they are not the owner).

The sticky bit is already utilized in a default Mac OS X installation on the Shared folder, as seen by using the CLI to view the permissions on the /Users folder:

powerbook:/Users osxuser1$ ls -l /Users
total 0
drwxrwxrwt   9 root      wheel     306 26 Jun 14:54 Shared
drwxr-xr-x  18 deborah   deborah   612 24 Dec  2004 deborah
drwxr-xr-x  21 local     local     714 25 Jun 00:57 local
drwxr-xr-x  15 preso     preso     510 22 Aug  2004 preso
drwxr-xr-x  24 osxuser1  osxuser1  816 26 Jun 14:55 osxuser1


Notice the "t" in the permissions for the Shared folder; it indicates a folder that has the sticky bit set.
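The rules laid out above for the Public folder, the Drop Box and the sticky bit can be checked against a small model of the classic UNIX permission checks. The following Python script is an added illustration, not code from the book or from Mac OS X: it implements the owner/group/others selection, the ls -l mode-string notation, and the extra rule the sticky bit adds to deleting or renaming an entry, then replays the scenarios from the listings (osxuser1's Public folder and Drop Box, the Collaborate folder set up in the steps that follow, and the world-writable Adobe PDF 6.0 folder in /Users/Shared). User names, groups and modes come from the text; the settings.txt file inside Adobe PDF 6.0 is constructed for the illustration, and ACLs are not modelled.

```python
"""Model of the owner/group/others checks described in the text.

Added illustration, not code from the book or from Mac OS X. Names, groups
and modes come from the ls -l listings in the text; settings.txt is constructed.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1        # bits within one rwx triplet
STICKY = 0o1000          # ls -l shows it in the others' x slot as t (T if no x)


@dataclass
class Node:
    name: str
    owner: str
    group: str
    mode: int                        # e.g. 0o755, or 0o1770 with the sticky bit
    is_dir: bool = False
    children: dict = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        self.children[child.name] = child
        return child


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset


def parse_mode(text: str) -> tuple:
    """Convert an ls -l mode string such as 'drwxrwxrwt' to (mode, is_dir)."""
    if len(text) != 10:
        raise ValueError(f"bad mode string: {text!r}")
    mode = 0
    for i, ch in enumerate(text[1:]):            # i = 0..8 maps to bits 8..0
        if ch in "rwx":
            mode |= 1 << (8 - i)
        elif ch in "sS" and i in (2, 5):         # setuid / setgid in an x slot
            mode |= 0o4000 if i == 2 else 0o2000
            if ch == "s":                        # lowercase: the x bit is set too
                mode |= 1 << (8 - i)
        elif ch in "tT" and i == 8:              # sticky bit in the others' x slot
            mode |= STICKY | (X if ch == "t" else 0)
        elif ch != "-":
            raise ValueError(f"bad character {ch!r} in {text!r}")
    return mode, text[0] == "d"


def format_mode(mode: int, is_dir: bool) -> str:
    """Inverse of parse_mode: render mode bits the way ls -l prints them."""
    out = ["d" if is_dir else "-"]
    out += [ch if mode & (1 << (8 - i)) else "-" for i, ch in enumerate("rwxrwxrwx")]
    for flag, slot, low, high in ((0o4000, 3, "s", "S"), (0o2000, 6, "s", "S"), (STICKY, 9, "t", "T")):
        if mode & flag:
            out[slot] = low if out[slot] == "x" else high
    return "".join(out)


def class_bits(node: Node, who: Principal) -> int:
    """Exactly one triplet applies: owner if the uid matches, else group, else others."""
    if who.user == node.owner:
        return (node.mode >> 6) & 7
    if node.group in who.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def may(node: Node, who: Principal, want: int) -> bool:
    # root bypasses mode bits; the kernel's one exception (executing a file
    # with no x bit anywhere) does not arise for the operations modelled here.
    return who.user == "root" or bool(class_bits(node, who) & want)


def can_list(d: Node, who: Principal) -> bool:
    return may(d, who, R)                         # read the names in the folder


def can_read_file(d: Node, name: str, who: Principal) -> bool:
    return may(d, who, X) and may(d.children[name], who, R)


def can_create(d: Node, who: Principal) -> bool:
    return may(d, who, W) and may(d, who, X)      # add an entry to the folder


def can_unlink(d: Node, name: str, who: Principal) -> bool:
    """Delete or rename an entry: wx on the folder, plus the sticky-bit rule."""
    if not (may(d, who, W) and may(d, who, X)):
        return False
    if d.mode & STICKY:                           # only the owners (or root) may remove it
        return who.user in ("root", d.children[name].owner, d.owner)
    return True


def build_tree() -> dict:
    public = Node("Public", "osxuser1", "osxuser1", *parse_mode("drwxr-xr-x"))
    public.add(Node("DropBox", "osxuser1", "osxuser1", *parse_mode("drwx-wx-wx")))
    public.add(Node("Quarterly05.xls", "osxuser1", "osxuser1", *parse_mode("-rw-r--r--")))
    collab = Node("Collaborate", "local", "users", 0o1770, True)   # chmod 770; chmod +t
    collab.add(Node("localshare", "local", "users", *parse_mode("drwxr-xr-x")))
    collab.add(Node("osxuser1share", "osxuser1", "users", *parse_mode("drwxr-xr-x")))
    adobe = Node("Adobe PDF 6.0", "root", "wheel", *parse_mode("drwxrwxrwx"))  # no sticky bit
    adobe.add(Node("settings.txt", "osxuser1", "wheel", *parse_mode("-rw-r--r--")))  # constructed
    return {"Public": public, "Collaborate": collab, "Adobe PDF 6.0": adobe}


if __name__ == "__main__":
    t = build_tree()
    deborah = Principal("deborah", frozenset({"deborah", "users"}))
    osxuser1 = Principal("osxuser1", frozenset({"osxuser1", "users"}))
    print("deborah can read Public/Quarterly05.xls:", can_read_file(t["Public"], "Quarterly05.xls", deborah))
    print("deborah can add to Public / drop into DropBox:", can_create(t["Public"], deborah), can_create(t["Public"].children["DropBox"], deborah))
    print("osxuser1 can delete localshare / osxuser1share:", can_unlink(t["Collaborate"], "localshare", osxuser1), can_unlink(t["Collaborate"], "osxuser1share", osxuser1))
    print("deborah can delete a file in 'Adobe PDF 6.0':", can_unlink(t["Adobe PDF 6.0"], "settings.txt", deborah))
```

Running the script prints True, False/True, False/True and True in that order: deborah can copy Quarterly05.xls but only drop into the Drop Box, osxuser1 can remove only his own folder from Collaborate, and the Adobe PDF 6.0 folder, which is world-writable without the sticky bit, lets any user delete anyone else's files. Note that the sticky bit only governs deleting and renaming entries; whether someone else can change the contents of a file still depends on that file's own mode bits.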

To set the sticky bit on another folder, you must use the CLI. (This option is not available in the Finder.)

You can create your Collaborate folder within the /Users/Shared folder, and make it usable only by the owner of the folder (you will use the administrative user local for this example) and members of the group users (a group designed for all nonadmin users, and automatically created and populated on Mac OS X).

1. Log in to the CLI as the admin user local.

2. Navigate to the /Users/Shared folder:

powerbook:~ local$ cd /Users/Shared


3. Make the Collaborate folder:

powerbook:/Users/Shared local$ mkdir Collaborate
powerbook:/Users/Shared local$ ls -l
total 0
drwxrwxrwx  6 root      wheel  204  9 May  2004 Adobe PDF 6.0
drwxr-xr-x  2 local     wheel   68 11 Jul 10:57 Collaborate
drwxrwxr-x  2 root      wheel   68 19 Nov  2003 Faxes
drwxrwxrwx  3 osxuser1  wheel  102 20 Jun  2004 SC Info
drwxr-xr-x  7 osxuser1  wheel  238 21 Apr 20:58 WO


4. Change the group of the Collaborate folder to users:

powerbook:/Users/Shared local$ sudo chown :users Collaborate
Password:


5. Set the permissions to User rwx, Group rwx, Other "---":

powerbook:/Users/Shared local$ chmod 770 Collaborate
powerbook:/Users/Shared local$ ls -l
total 0
drwxrwxrwx  6 root      wheel  204  9 May  2004 Adobe PDF 6.0
drwxrwx---  2 local     users   68 11 Jul 10:57 Collaborate
drwxrwxr-x  2 root      wheel   68 19 Nov  2003 Faxes
drwxrwxrwx  3 osxuser1  wheel  102 20 Jun  2004 SC Info
drwxr-xr-x  7 osxuser1  wheel  238 21 Apr 20:58 WO


6. Set the sticky bit:

powerbook:/Users/Shared local$ chmod +t Collaborate
powerbook:/Users/Shared local$ ls -l
total 0
drwxrwxrwx  6 root      wheel  204  9 May  2004 Adobe PDF 6.0
drwxrwx--t  2 local     users   68 11 Jul 10:57 Collaborate
drwxrwxr-x  2 root      wheel   68 19 Nov  2003 Faxes
drwxrwxrwx  3 osxuser1  wheel  102 20 Jun  2004 SC Info
drwxr-xr-x  7 osxuser1  wheel  238 21 Apr 20:58 WO


You have successfully created your Collaborate folder! Now take it for a test drive. First, the admin user local will create a folder within the Collaborate folder, and then a normal user (osxuser1 as an example) will also create a folder within the Collaborate folder. (osxuser1 is in the users group).

1. Make a folder in Collaborate called localshare:

powerbook:/Users/Shared local$ cd Collaborate
powerbook:/Users/Shared/Collaborate local$ mkdir localshare
powerbook:/Users/Shared/Collaborate local$ ls -l
total 0
drwxr-xr-x  2 local  users  68 11 Jul 11:12 localshare


2. Log in as osxuser1 and create a folder:

powerbook:~ osxuser1$ cd /Users/Shared/Collaborate
powerbook:/Users/Shared/Collaborate osxuser1$ mkdir osxuser1share
powerbook:/Users/Shared/Collaborate osxuser1$ ls -l
total 0
drwxr-xr-x  2 local     users  68 11 Jul 11:12 localshare
drwxr-xr-x  2 osxuser1  users  68 11 Jul 11:51 osxuser1share


3. As the normal user, try to delete the localshare folder:

powerbook:/Users/Shared/Collaborate osxuser1$ rm -rf localshare
rm: localshare: Operation not permitted


4. As the normal user, try to delete your own newly created folder:

powerbook:/Users/Shared/Collaborate osxuser1$ rm -rf osxuser1share


You are able to make and remove your own folder, but you are not able to remove the one created by local.
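The six setup steps above, followed by the check an administrator would want to run on /Users/Shared afterwards, as a Python script rather than typed shell commands. This is an added example, not the book's or Mac OS X's own code: make_collaborate() reproduces mkdir, chown :users (pass group="users"; like sudo in the text this needs privilege, so demo() skips it) and a single chmod to mode 1770, and audit_shared() walks a Shared-style tree and flags every folder that group or others can write to but that lacks the sticky bit, which is the state the text warns about and the state the Adobe PDF 6.0 folder in the listing above is in. The neighbouring folders that demo() creates are constructed in a temporary directory with the modes shown in the listing.

```python
"""Create a Collaborate-style folder and audit a Shared tree for folders that
others can write to but that lack the sticky bit.

Added illustration, not code from the book or from Mac OS X. demo() builds the
folders in a temporary directory; the group name is an argument (the text uses
'users') and is skipped by default because changing it needs privilege.
"""
import grp
import os
import shutil
import stat
import tempfile

COLLABORATE_MODE = 0o1770        # chmod 770 followed by chmod +t, as one value


def make_collaborate(path: str, group: str = None, mode: int = COLLABORATE_MODE) -> dict:
    """mkdir, optional chown :group (privileged, as sudo was in the text), chmod."""
    os.mkdir(path)
    if group is not None:
        os.chown(path, -1, grp.getgrnam(group).gr_gid)   # -1 leaves the owner alone
    os.chmod(path, mode)
    return describe(path)


def describe(path: str) -> dict:
    """What ls -l would show for the folder, read back with stat()."""
    st = os.stat(path)
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "sticky": bool(st.st_mode & stat.S_ISVTX),
        "symbolic": stat.filemode(st.st_mode),          # e.g. 'drwxrwx--T'
    }


def audit_shared(root: str) -> list:
    """Relative paths of directories under root that group or others can write
    to but that carry no sticky bit, so any writer could delete or rename other
    users' files there."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(root):
        st = os.lstat(dirpath)
        writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if writable_by_others and not st.st_mode & stat.S_ISVTX:
            findings.append(os.path.relpath(dirpath, root))
    return sorted(findings)


def demo() -> dict:
    """Build a small tree in a temp dir, audit it, and return the results."""
    base = tempfile.mkdtemp(prefix="Shared-")        # created mode 700, so not flagged
    try:
        collaborate = make_collaborate(os.path.join(base, "Collaborate"))
        # constructed neighbours, with the modes the text's listing shows
        for name, mode in (("Adobe PDF 6.0", 0o777), ("Faxes", 0o775), ("WO", 0o755)):
            p = os.path.join(base, name)
            os.mkdir(p)
            os.chmod(p, mode)
        return {"collaborate": collaborate, "findings": audit_shared(base)}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    result = demo()
    print("Collaborate:", result["collaborate"])
    print("writable folders without the sticky bit:", result["findings"])
```

The audit reports Adobe PDF 6.0 and Faxes and leaves Collaborate and WO alone. Note that stat.filemode(), like ls, prints an uppercase T when the sticky bit is set but others have no execute permission, so a 1770 folder reads drwxrwx--T.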




Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan