Working with Permissions


Under Linux (and UNIX), everything in the file system, including directories and devices, is a file. And every file on your system has an accompanying set of permissions based on ownership. These permissions form the basis for security under Linux, and designate each file's read, write, and execute permission for you, members of your group, and all others on the system.

You can examine the default permissions for a file you create by using the umask command, or as a practical example, by using the touch command and then the ls command's long-format listing like this:

$ touch file $ ls -l file -rw-rw-r--    1 andrew    andrew           0 Nov 11 12:28 file


In this example, the touch command is used to quickly create a file. The ls command then reports on the file, displaying information (from left to right) in the first field of output (such as -rw-rw-r-- previously):

  • The first character of the field is the type of file created Common indicators of the type of file are a leading letter in the output. A blank (which is represented by a dash in the preceding example) designates a plain file, d designates a directory, c designates a character device (such as /dev/ttyS0), and b is used for a block device (such as /dev/hda).

  • Permissions Read, write, and execute permissions for the owner, group, and all others on the system. (You learn more about these permissions later in this section.)

  • Number of links to the file The number one (1) designates that there is only one file, whereas any other number indicates that there might be one or more hard-linked files. Links are created with the ln command. A hard-linked file is an exact copy of the file, but it might be located elsewhere on the system. Symbolic links of directories can also be created, but only the root operator can create a hard link of a directory.

  • The owner The account that created or owns the file; you can change this designation by using the chown command.

  • The group The group of users allowed to access the file; you can change this designation by using the chgrp command.

  • File size and creation/modification date The last two elements indicate the size of the file in bytes and the date the file was created or last modified.

Assigning Permissions

Under Linux, permissions are grouped by owner, group, and others, with read, write, and execute permission assigned to each, like so:

Owner    Group    Others rwx      rwx      rxw


Permissions can be indicated by mnemonic or octal characters. Mnemonic characters are

  • r indicates permission for an owner, member of the owner's group, or others to open and read the file.

  • w indicates permission for an owner, member of the owner's group, or others to open and write to the file.

  • x indicates permission for an owner, member of the owner's group, or others to execute the file (or read a directory).

In the previous example for the file named file, the owner, andrew, has read and write permission, as does any member of the group named andrew. All other users may only read the file. Also note that default permissions for files created by the root operator will be different! This is because of umask settings assigned by the shell.

Many users prefer to represent permissions using numeric codes, based on octal (base 8) values. Here's what these values mean:

  • 4 indicates read permission.

  • 2 indicates write permission.

  • 1 indicates execute permission.

In octal notation, the previous example file has a permission setting of 664 (read+write or 4+2, read+write or 4+2, read-only or 4). Although you can use either form of permissions notation, octal is easy to use quickly after you visualize and understand how permissions are numbered.

Note

In Linux, you can create groups to assign a number of users access to common directories and files, based on permissions. You might assign everyone in accounting to a group named accounting, for example, and allow that group access to accounts payable files while disallowing access by other departments. Defined groups are maintained by the root operator, but you can use the newgrp command to temporarily join other groups in order to access files (as long as the root operator has added you to the other groups). You can also allow or deny access to your files by other groups by modifying the group permissions of your files.


Directory Permissions

Directories are also files under Linux. For example, again use the ls command to show permissions like this:

$ mkdir foo $ ls -ld foo drwxrwxr-x    2 andrew    andrew        4096 Jan 23 12:37 foo


In this example, the mkdir command is used to create a directory. The ls command and its -ld option is used to show the permissions and other information about the directory (not its contents). Here you can see that the directory has permission values of 775 (read+write+execute or 4+2+1, read+write+execute or 4+2+1, and read+execute or 4+1).

This shows that the owner and group members can read and write to the directory and, because of execute permission, also list the directory's contents. All other users can only list the directory contents. Note that directories require execute permission in order for anyone to be able to view their contents.

You should also notice that the ls command's output shows a leading d in the permissions field. This letter specifies that this file is a directory; normal files have a blank field in its place. Other files, such as those specifying a block or character device, have a different letter (see the section "Managing Files for Character Devices, Block Devices, and Special Devices" in Chapter 38 for more information about block devices).

For example, if you examine the device file for a Linux serial port, you will see

$ ls -l /dev/ttyS0 crw-rw----    1 root     uucp       4,  64 Jan 23 23:38 /dev/ttyS0


Here, /dev/ttyS0 is a character device (such as a serial communications port and designated by a c) owned by root and available to anyone in the uucp group. The device has permissions of 660 (read+write, read+write, no permission).

On the other hand, if you examine the device file for an IDE hard drive, you see

$ ls -l /dev/hda brw-rw----    1 root     disk       3,   0 Jan 23 23:37 /dev/hda


In this example, b designates a block device (a device that transfers and caches data in blocks) with similar permissions. Other device entries you will run across on your Linux system include symbolic links, designated by s.

You can use the chmod command to alter a file's permissions. This command uses various forms of command syntax, including octal or a mnemonic form (such as u, g, o, or a and rwx, and so on) to specify a desired change. The chmod command can be used to add, remove, or modify file or directory permissions to protect, hide, or open up access to a file by other users (except for root, which can access any file or directory on a Linux system).

The mnemonic forms of chmod's options (when used with a plus character, +, to add, or a minus sign, -, to take away) designate the following:

u Adds or removes user (owner) read, write, or execute permission

g Adds or removes group read, write, or execute permission

o Adds or removes read, write, or execute permission for others not in a file's group

a Adds or removes read, write, or execute permission for all users

r Adds or removes read permission

w Adds or removes write permission

x Adds or removes execution permission

For example, if you create a file, such as a readme.txt, the file will have default permissions (set by the umask setting in /etc/bashrc) of

-rw-rw-r--    1 andrew    andrew          12 Jan  2 16:48 readme.txt


As you can see, you and members of your group can read and write the file. Anyone else can only read the file (and only if it is outside of your home directory, which will have read, write, and execute permission set only for you, the owner). You can remove all write permission for anyone by using chmod, the minus sign, and aw like so:

$ chmod -aw readme.txt $ ls -l readme.txt -r--r--r--    1 andrew    andrew          12 Jan  2 16:48 readme.txt


Now, no one can write to the file (except you, if the file is in your home or /tmp directory because of directory permissions). To restore read and write permission for only you as the owner, use the plus sign and the u and rw options like so:

$ chmod u+rw readme.txt $ ls -l readme.txt -rw-------    1 andrew    andrew          12 Jan  2 16:48 readme.txt


You can also use the octal form of the chmod command, for example, to modify a file's permissions so that only you, the owner, can read and write a file. Use the chmod command and a file permission of 600, like this:

$ chmod 600 readme.txt


If you take away execution permission for a directory, files might be hidden inside and may not be listed or accessed by anyone else (except the root operator, of course, who has access to any file on your system). By using various combinations of permission settings, you can quickly and easily set up a more secure environment, even as a normal user in your home directory.

Understanding Set User ID and Set Group ID Permissions

Another type of permission is "set user ID," known as suid, and "set group ID" (sgid) permissions. These settings, when used in a program, enable any user running that program to have program owner or group owner permissions for that program. These settings enable the program to be run effectively by anyone, without requiring that each user's permissions be altered to include specific permissions for that program.

One commonly used program with suid permissions is the passwd command:

$ ls -l /usr/bin/passwd -r-s--x--x    1 root     root        13536 Jan 12  2000 /usr/bin/passwd


This setting allows normal users to execute the command (as root) to make changes to a root-only accessible file, /etc/passwd.

You also can assign similar permission using the chfn command. This command allows users to update or change finger information in /etc/passwd. You accomplish this permission modification by using a leading 4 (or the mnemonic s) in front of the three octal values.

Note

Other files that might have suid or guid permissions include at, rcp, rlogin, rsh, chage, chsh, ssh, crontab, sudo, sendmail, ping, mount, and several UNIX-to-UNIX Copy (UUCP) utilities. Many programs (such as games) might also have this type of permission in order to access a sound device.


Files or programs that have suid or guid permissions can sometimes present security holes because they bypass normal permissions. This problem is especially compounded if the permission extends to an executable binary (a command) with an inherent security flaw because it could lead to any system user or intruder gaining root access. In past exploits, this typically happened when a user fed a vulnerable command with unexpected input (such as a long pathname or option); the command would bomb out, and the user would be presented a root prompt. Although Linux developers are constantly on the lookout for poor programming practices, new exploits are found all the time, and can crop up unexpectedly, especially in newer software packages that haven't had the benefit of peer developer review.

Savvy Linux system administrators keep the number of suid or guid files present on a system to a minimum. The find command can be used to display all such files on your system:

# find / -type f -perm +6000 -exec ls -l {} \;


Note

The find command is quite helpful and can be used for many purposes, such as before or during backup operations. See the section "Using Backup Software" in Chapter 17, "Backing Up, Restoring, and Recovery."


Note that the programs do not necessarily have to be removed from your system. If your users really do not need to use the program, you can remove execute permission of the program for anyone. You have to decide, as the root operator, whether your users are allowed to, for example, mount and unmount CD-ROMs or other media on your system. Although Linux-based operating systems can be set up to accommodate ease of use and convenience, allowing programs such as mount to be suid might not be the best security policy. Other candidates for suid permission change could include the chsh, at, or chage commands.



Red Hat Fedora 5 Unleashed
Red Hat Fedora 5 Unleashed
ISBN: 067232847X
EAN: 2147483647
Year: 2004
Pages: 362

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net