The basic security of a Linux computer is based on file permissions. The default permissions for newly created files and directories are governed by the umask, a per-process setting that you view and change with the shell's umask command. The SUID and SGID permission bits let a program run with the privileges of the file's owner or group owner rather than those of the user who launched it. Ownership is based on the default user and group IDs of the person who created a file. Managing permissions and ownership involves commands such as chmod, chown, and chgrp.
Users and groups own files. Users and groups have passwords. Security can be enhanced if you configure users and groups in the Shadow Password Suite. Obviously, more levels of security are available, but security options such as Access Control Lists and Security Enhanced Linux (SELinux) are not included in the Red Hat exam prerequisites.
Linux file permissions are straightforward. Consider the following output from ls -l /sbin/fdisk:
-rwxr-xr-x 1 root root 95572 Jan 11 08:10 /sbin/fdisk
The permissions are shown on the left side of the listing. Ten characters are shown. The first character determines whether it's a regular or a special file. The remaining nine characters are grouped in threes, applicable to the file owner (user), the group owner, and everyone else on that Linux system. The letters are straightforward: r = read, w = write, x = execute. These permissions are described in Table 1-6.
Table 1-6

Position  Description
1         Type of file: - = regular file, d = directory, b = block device, c = character device, l = symbolic link
2-4       Permissions granted to the owner of the file (user)
5-7       Permissions granted to the group owner of the file
8-10      Permissions granted to all other users on the Linux system
Key commands that can help you manage the permissions and ownership of a file are chmod, chown, and chgrp. The chmod command accepts permissions as a three-digit octal number, one digit each for the owner, the group, and others. Each digit is the sum of r = 4, w = 2, and x = 1, so rwx = 7 and r-x = 5, and the fdisk listing above corresponds to chmod 755. (chmod also accepts symbolic modes such as u+s, shown later in this section.) For example, if you were crazy enough to give read, write, and execute permissions on fdisk to all users, you would run the chmod 777 /sbin/fdisk command. The chown and chgrp commands adjust the user and group owners associated with the cited file.
On the Job
Red Hat now includes security contexts in file listings, in support of SELinux. To preview this feature, run the ls -Z command. For more information, see Chapter 4.
Linux, like Unix, is configured with users and groups. Everyone who uses Linux is set up with a username, even if it's just "guest." Take a look at /etc/passwd. One version of this file is shown in Figure 1-4.
Figure 1-4: /etc/passwd
As you can see, all kinds of usernames are listed in the /etc/passwd file. Even a number of Linux services such as mail, news, ftp, and apache have their own usernames. In any case, the /etc/passwd file follows a specific format, described in more detail in Chapter 6. For now, note that the only regular (non-system) users shown in this file are mj and tb, their user IDs (UID) and group IDs (GID) are 500 and 501, and their home directories match their usernames. The next user gets UID and GID 502, and so on.
Users can change their own passwords with the passwd command. The root user can change the password of any user. For example, the passwd mj command allows the root user to change user mj's password.
The way umask works may surprise you if you expect it to grant permissions. It is not a shell variable but a mask: the bits set in it are removed from the permissions a program requests when it creates a file, and programs request 0666 for ordinary files (no execute bits) and 0777 for directories. You therefore cannot configure umask so that new files are automatically executable; umask can only take bits away. This promotes security: if fewer files have executable permissions, fewer files are available for a cracker to use to run programs to break through your system.
On the Job
In the world of Linux, a hacker is a good person who simply wants to create better software. A cracker is someone who wants to break into your system for malicious purposes.
Every time you create a new file, its permissions are based on the value of umask. The shell's umask builtin shows the current value as four octal digits, typically 0022 (on Red Hat systems /etc/bashrc switches ordinary users to 0002 when their username matches their private group name, so members of a shared group can edit each other's files). The first digit masks the special bits (SUID, SGID, and the sticky bit) and is normally 0; the remaining three mask the owner, group, and other permissions. The result is the requested mode with the umask bits cleared: with umask 0022, a new file gets 0666 minus the write bits for group and others, that is 0644, and a new directory gets 0755.

Because programs request 0666 for regular files, no umask value produces executable files. In other words, a umask value of 0454 and a umask value of 0545 both lead to 0222 on new files. Directories are different: they are requested with 0777, so the x (search) bit survives wherever the umask does not clear it, and those two umasks give directories 0323 and 0232 respectively. To make a particular file executable, you need to use commands such as chmod on that file.
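The following script is an added example, not part of the original text, that makes the masking rule concrete. effective_mode computes the mode a new file or directory will get for a given umask (requested mode 0666 or 0777 with the umask bits cleared), and observed_mode checks that arithmetic against what the kernel actually does by creating an object in a scratch directory under that umask. The function names and the scratch-directory handling are this example's own.

```bash
#!/bin/bash
# Added example: what a given umask does to new files and directories.
# A program asks the kernel for mode 0666 (files) or 0777 (directories);
# the kernel clears whatever bits are set in the process's umask.

# effective_mode <umask> file|dir : prints the resulting mode as four octal digits.
effective_mode() {
    local requested
    case "$2" in
        file) requested=0666 ;;
        dir)  requested=0777 ;;
        *)    echo "usage: effective_mode <umask> file|dir" >&2; return 1 ;;
    esac
    # Leading zeros make the shell read both numbers as octal, e.g. 0454 -> 300.
    printf '%04o\n' "$(( $requested & ~0$1 ))"
}

# observed_mode <umask> file|dir : the same answer, but measured by actually
# creating the object in a scratch directory under that umask (in a subshell,
# so the caller's umask is untouched).
observed_mode() {
    local tmp
    tmp=$(mktemp -d)
    (
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/d"; obj="$tmp/d"
        else
            : > "$tmp/f"; obj="$tmp/f"     # open(2) with mode 0666
        fi
        # stat -c %a prints e.g. 222; re-read it as octal and zero-pad.
        printf '%04o\n' "$(( 0$(stat -c %a "$obj") ))"
    )
    rm -rf "$tmp"
}

# Compare the two for some common and some odd umasks. Note that 0454 and
# 0545 give identical files (0222) but different directories (0323 vs 0232).
for u in 0022 0002 0077 0454 0545; do
    printf 'umask %s -> file %s (observed %s), dir %s (observed %s)\n' "$u" \
        "$(effective_mode "$u" file)" "$(observed_mode "$u" file)" \
        "$(effective_mode "$u" dir)"  "$(observed_mode "$u" dir)"
done
```

Running it as an ordinary user is enough; the kernel applies the umask regardless of privilege. If observed_mode ever disagrees with effective_mode, look for a default ACL on the scratch filesystem, which is the one common thing besides umask that shapes a new file's mode.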
Permissions can be a risky business, but you need to give all users access to some programs that in turn need privileges those users do not have. Setting full read, write, and execute permissions for all users on a Linux system can be dangerous. One alternative is setting the SUID or SGID permission bit on the program file. A program with SUID set runs with the effective user ID of the file's owner (often root) no matter who launches it; with SGID set it runs with the effective group ID of the file's group owner. In an ls -l listing the SUID bit appears as an s in place of the owner's x (and SGID as an s in place of the group's x); numerically it is a leading 4 (SGID is 2), as in chmod 4755. Every SUID root program is a target for privilege escalation, so keep the list short and know what is on it. For example, one common practice is to set the SUID bit for the KPPP Internet Connection Utility so users who require telephone modems can use KPPP to dial in to the Internet. You can set the SUID bit on this utility with the following command:
# chmod u+s /usr/sbin/kppp
SGID permissions can be useful when you're setting up a special group of users who need to share files on a specific task or project. This process is discussed in more detail in Chapter 6.
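As an added example (not from the original text) tying together the numeric chmod values above and the SUID/SGID bits, the script below sets those bits on scratch files in a temporary directory, in both symbolic (u+s) and numeric (4755, 2755) form, and reads back the mode string ls -l would show. It also counts the files under a directory that carry either bit, which is the same find expression an administrator runs against / to audit a system. The function names and scratch files are this example's own; nothing here touches a system binary.

```bash
#!/bin/bash
# Added example: setting SUID/SGID with chmod and reading the result back.
set -u
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# mode_after_chmod <start-mode> <chmod-arg>
# Creates a scratch file with <start-mode>, applies <chmod-arg>, and prints
# the 10-character mode string exactly as ls -l shows it, e.g. -rwsr-xr-x.
mode_after_chmod() {
    local f
    f=$(mktemp "$demo_dir/demo.XXXXXX")
    chmod "$1" "$f"
    chmod "$2" "$f"
    stat -c %A "$f"
    rm -f "$f"
}

# count_special <dir>: number of regular files under <dir> with SUID or SGID set.
# Run the same find against / (as root) to audit a whole system.
count_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

printf 'u+s  on 755:  %s\n' "$(mode_after_chmod 755 u+s)"    # -rwsr-xr-x
printf '4755 on 644:  %s\n' "$(mode_after_chmod 644 4755)"   # -rwsr-xr-x
printf '2755 on 644:  %s\n' "$(mode_after_chmod 644 2755)"   # -rwxr-sr-x
# Capital S: SUID set but no execute bit for the owner, so the bit does nothing.
printf 'u+s  on 644:  %s\n' "$(mode_after_chmod 644 u+s)"    # -rwSr--r--
printf 'u-s  on 4755: %s\n' "$(mode_after_chmod 4755 u-s)"   # -rwxr-xr-x

# Three constructed files: one plain, one SUID, one SGID.
: > "$demo_dir/plain"; chmod 755  "$demo_dir/plain"
: > "$demo_dir/suid";  chmod 4755 "$demo_dir/suid"
: > "$demo_dir/sgid";  chmod 2755 "$demo_dir/sgid"
printf 'SUID/SGID files under %s: %s\n' "$demo_dir" "$(count_special "$demo_dir")"   # 2
```

The -rwSr--r-- case is worth recognising: a capital S means the special bit is set on a file nobody can execute, which is usually a sign of a mistaken chmod rather than a deliberate configuration. Note also that a plain three-digit numeric mode on a regular file clears the special bits, so chmod 755 on a SUID program quietly removes the SUID.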
When you look at the default /etc/passwd file, you should see an "x" in the second field. Older versions of Linux stored each user's hashed password in this field. Because /etc/passwd must remain readable by all users (every program that maps a UID to a name reads it), a cracker could copy the file to another machine and run a dictionary or brute-force attack against every hash on it, at leisure and without triggering any login failures. This problem led to the development of the Shadow Password Suite.
Historically, all that was needed to manage Linux users and groups was the information in the /etc/passwd and /etc/group files. These files included the password hashes and are by default readable by all users.

The Shadow Password Suite was created to provide an additional layer of protection. It moves the user and group password hashes into shadow files (/etc/shadow and /etc/gshadow) that are readable only by root, leaving an x in the password field of /etc/passwd and /etc/group.
The Shadow Password Suite is now enabled by default in Red Hat Enterprise Linux. Standard commands for creating new users and groups automatically set up encrypted passwords in the Shadow Password Suite files. These commands are described in more detail in Chapter 6.
But if you're restoring a system, you may not have access to these special commands. The old way of creating new users and groups is by editing the /etc/passwd and /etc/group files directly. Four commands convert passwords to and from the /etc/shadow and /etc/gshadow files:

pwconv     Moves password hashes from /etc/passwd to /etc/shadow, replacing each with an x. It is safe to rerun: entries already in /etc/shadow are kept, entries whose /etc/passwd field is not x are updated from it, and shadow entries with no matching /etc/passwd line are removed.
pwunconv   Opposite of pwconv: copies the hashes back into /etc/passwd and removes /etc/shadow.
grpconv    The same conversion for /etc/group and /etc/gshadow.
grpunconv  Opposite of grpconv.
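Before running pwconv on a restored system, it is worth knowing what state the files are actually in. The following added example (not part of the original text, and not how pwconv itself is implemented) reads passwd- and shadow-format lines and reports accounts whose password field is not simply x: an unshadowed hash that every user can read, or an empty field that allows login with no password at all. On the shadow side it flags empty hashes and legacy 13-character DES hashes, which crack quickly. The sample entries and their hashes are constructed for the demo; the audit_passwd and audit_shadow names are this example's own.

```bash
#!/bin/bash
# Added example: checking whether password hashes really live in the shadow
# files. Field 2 of /etc/passwd should be "x" once pwconv has run.

# Constructed sample data (not from a real host). tb still has a hash in the
# passwd file, guest has an empty password field, mj has an old DES hash.
sample_passwd='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mj:x:500:500:Michael:/home/mj:/bin/bash
tb:$1$Zx9QkTe2$Y0q2gkXyv8tFwJ6LHs1p9.:501:501:Tom:/home/tb:/bin/bash
guest::502:502:Guest:/home/guest:/bin/bash'

sample_shadow='root:$1$c4n7r0l$8b1XeH2qT9Ja3Lm0Hp5yW/:13500:0:99999:7:::
apache:!!:13500:0:99999:7:::
mj:TJPRa4UJhPuWs:13500:0:99999:7:::
tb::13500:0:99999:7:::'

# audit_passwd: read passwd-format lines on stdin; print user:finding for every
# account whose password field is not "x" or a lock marker (! or *).
audit_passwd() {
    awk -F: '
        NF < 7         { printf "%s:malformed-line\n", $1; next }
        $2 == ""       { printf "%s:empty-password-field\n", $1; next }
        $2 == "x"      { next }          # shadowed, as expected
        $2 ~ /^[!*]+$/ { next }          # locked account, no hash
                       { printf "%s:hash-in-passwd\n", $1 }
    '
}

# audit_shadow: read shadow-format lines on stdin; flag empty hashes (login
# with no password) and legacy DES hashes (13 chars, no $id$ prefix).
audit_shadow() {
    awk -F: '
        $2 == ""                        { printf "%s:empty-hash\n", $1; next }
        $2 ~ /^[!*]/                    { next }          # locked
        $2 !~ /^\$/ && length($2) == 13 { printf "%s:legacy-des-hash\n", $1 }
    '
}

echo '--- /etc/passwd findings ---'
printf '%s\n' "$sample_passwd" | audit_passwd
echo '--- /etc/shadow findings ---'
printf '%s\n' "$sample_shadow" | audit_shadow
```

On a live system, feed the real files in with `audit_passwd < /etc/passwd` and, as root, `audit_shadow < /etc/shadow`. Of the findings in the sample, pwconv repairs exactly one: it moves tb's hash into /etc/shadow and writes an x in its place. The empty field for guest and mj's DES hash are not conversion problems; they need a new password set with passwd so that a modern hash is written.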