Module 4 - File Security

Module 4 - File Security. Security Overview, File Ownership, Access to Files and Directories, Changing File and Directory Ownership, Changing File and Directory

File Security

• Security Overview
• File Ownership
• Access to Files and Directories
• Changing File and Directory Ownership
• Changing File and Directory Access Modes
• Setting Default Access Modes

Security Overview

• The primary function of the system's security is to make sure that only authorized users have access to system resources.

• Standard Unix system security features include:
  • User passwords
  • File and directory protection with permissions
  • Other features that enable system administrators to check for security breaches

Linux Accounts

• Accounts are the system mechanism that gives every user their own space in the file system and their own settings.

• Each user has a unique user ID (UID).
• Each user in the system is a member of at least one group.
• Each group has a unique group ID (GID).
• There are three types of users in Unix:
  • Super User - Has unrestricted access to the system. Has UID 0. The kernel checks the UID, not the name, so any account with UID 0 is a super user.
  • Regular Users - Usually have access only to their own home directories. Their UIDs start at 500 on older Red Hat-style systems and at 1000 on most current distributions (the threshold is UID_MIN in /etc/login.defs).

User Configuration Files

• The /etc/passwd file is a colon-delimited file in which all the system user accounts are defined. It is world-readable, which is why password hashes no longer live in it.

• Each entry in the file represents one user account. The fields are: name, password placeholder ("x" means "look in /etc/shadow"), UID, primary GID, description (GECOS), home directory and login shell:

user1:x:501:500:user1:/home/user1:/bin/bash

• The /etc/shadow file, which is not world-readable, holds the hashed password and the password-ageing fields per user: name, hash, date of last change (days since 1970-01-01), minimum age, maximum age, warning period, inactivity period, expiry date and a reserved field. An empty hash field means no password is required to log in; a hash starting with "!" or "*" is locked.

user1:Ep6mckrOLChF.:10063:0:99999:7:::

• The 13-character hash above is the traditional DES crypt(3) format, which only uses the first 8 characters of the password. Current systems use salted, iterated formats such as "$6$" (SHA-512) or "$y$" (yescrypt).

Group configuration file

• The /etc/group file maps group names to GIDs and lists the members of each group.

• A user can be a member of a group in one of two ways:
  • The group's GID appears in the user's line in /etc/passwd; the group is then called the user's primary group.
  • The user's name appears in the member list of the group's line in /etc/group (a supplementary group).

staff:x:500:user3,user4,user5

• Two approaches to determining a new file's group:
  • AT&T (System V) approach - the user's primary group becomes the group owner of every file the user creates.
  • BSD approach - group ownership is given to the group that owns the directory in which the file is being created.

• Linux follows the AT&T rule by default and switches to the BSD rule for any directory that has the set-group-ID bit set, which is how shared project directories are usually configured.
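The two slides above describe /etc/passwd, /etc/shadow and /etc/group by example. The following Python script is an added example, not code from the course, that parses all three files in their real field layout, resolves each user's primary and supplementary groups the way `id -Gn` reports them, and flags the account-database mistakes a reviewer looks for: extra UID 0 accounts, empty or legacy DES hashes, hashes left in the world-readable passwd file, primary GIDs with no group entry, and member names that no longer exist. All records are constructed samples and the user and group names are hypothetical.

```python
"""Parse and audit /etc/passwd, /etc/shadow and /etc/group.

Added example for the "User Configuration Files" and "Group configuration file"
sections; not code from the original course slides. The records below are
constructed samples (hypothetical names) in the exact layout the real files use.
"""
from collections import namedtuple

# name:x:UID:GID:GECOS:home:shell  ("x" = the hash is in /etc/shadow)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:x:501:500:user1:/home/user1:/bin/bash
user3:x:502:500:user3:/home/user3:/bin/bash
backup:x:0:0:backup operator:/root:/bin/bash
svc:x:503:503:service account:/var/lib/svc:/sbin/nologin
guest:x:504:504:guest:/home/guest:/bin/bash
"""
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$saltsalt$0123456789abcdef:19000:0:99999:7:::
user1:Ep6mckrOLChF.:10063:0:99999:7:::
user3:$6$saltsalt$fedcba9876543210:19000:0:99999:7:::
backup:$6$saltsalt$0011223344556677:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""
# name:x:GID:member,member,...  (primary membership is not listed here)
GROUP = """\
root:x:0:
staff:x:500:user3,user4,user5
svc:x:503:
"""
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

User = namedtuple("User", "name passwd_field uid gid gecos home shell")
Group = namedtuple("Group", "name gid members")   # members: supplementary only

def _records(text, nfields, path):
    """Yield the fields of each line, refusing records with the wrong field count."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"{path}: expected {nfields} fields in {line!r}")
        yield fields

def parse_passwd(text):
    return {f[0]: User(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
            for f in _records(text, 7, "/etc/passwd")}

def parse_shadow(text):
    """name -> hash field: '' = no password needed, leading '!' or '*' = locked."""
    return {f[0]: f[1] for f in _records(text, 9, "/etc/shadow")}

def parse_group(text):
    return {f[0]: Group(f[0], int(f[2]), [m for m in f[3].split(",") if m])
            for f in _records(text, 4, "/etc/group")}

def groups_of(name, users, groups):
    """Primary group (from the passwd GID) first, then every group that lists the
    user as a member: the same set `id -Gn` prints."""
    gid = users[name].gid
    names = [g.name for g in groups.values() if g.gid == gid]
    names += [g.name for g in groups.values() if name in g.members]
    return list(dict.fromkeys(names))   # de-duplicate, keep order

def audit(users, hashes, groups):
    """Return (subject, finding) pairs for the classic account-database mistakes."""
    findings = []
    for u in users.values():
        h = hashes.get(u.name)
        if u.uid == 0 and u.name != "root":
            findings.append((u.name, "extra-uid0"))          # a second root account
        if u.passwd_field != "x":
            findings.append((u.name, "hash-in-passwd"))      # hash readable by everyone
        if h is None:
            findings.append((u.name, "no-shadow-entry"))
        elif h == "" and u.shell not in NOLOGIN_SHELLS:
            findings.append((u.name, "empty-password"))      # logs in with no password
        elif len(h) == 13 and not h.startswith("$"):
            findings.append((u.name, "des-hash"))            # legacy crypt(3), 8-char limit
        if not any(g.gid == u.gid for g in groups.values()):
            findings.append((u.name, "orphan-primary-gid"))  # GID has no /etc/group line
    for g in groups.values():
        for m in g.members:
            if m not in users:
                findings.append((f"{g.name}:{m}", "unknown-member"))  # stale membership
    return findings

USERS, HASHES, GROUPS = parse_passwd(PASSWD), parse_shadow(SHADOW), parse_group(GROUP)

if __name__ == "__main__":
    for subject, code in sorted(audit(USERS, HASHES, GROUPS)):
        print(f"{code:20} {subject}")
```

To run it against a real machine, replace the three constants with the contents of the real files (reading /etc/shadow needs root). Note that the membership check only sees local files; accounts and groups served by LDAP or sssd are not covered.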

File Ownership

• Each file and directory is owned by a single user and belongs to a single group.

• User and group ownership are assigned at the time the file is created: the owner is the creating process's UID, the group follows the AT&T or BSD rule described on the previous slide.

• It is important to remember that user ownership and group ownership are distinct: the user who owns a file need not be a member of the group that owns it.

Directory and File Access Modes

File-type  Owner  Group  Others  filename
d/l/-      rwx    rwx    rwx     file.txt

• The first character is the file type (d = directory, l = symbolic link, - = regular file); then come three rwx triplets for the owner, the group and everyone else.

• The same three bits mean different things on a directory: r lets you list its entries, w lets you create, delete or rename entries (whoever owns them, unless the sticky bit is set), and x lets you enter the directory and reach the files inside it by name. A directory with x but not r can still be traversed if you already know a file's name, but it cannot be listed.

# ls -l /etc/passwd

-rw-r--r-- 1 root root 2232 Feb 21 2011 /etc/passwd

Changing File and Directory Access Modes

• Only the file owner (and the super user) may change access modes for files and directories.

• Use the chmod command to change the access modes of files and directories.

• The chmod command has two modes of operation:
  • Symbolic mode - uses combinations of letters and symbols to add, remove or set permissions for the various classes of users.
  • Octal mode - uses octal numbers to represent the file permissions. Octal mode is also referred to as absolute or numeric mode.

Symbolic Mode

• The chmod command
  • ugo (user, group, others; a = all three)
  • + = - (add, set exactly, remove)
  • rwx (read, write, execute)

# chmod g+rx /home/avi

# chmod ugo=rwx /tmp

• Be careful with the second example: /tmp is meant to be world-writable, but only together with the sticky bit (mode 1777, shown as a "t" in the last position of ls -ld /tmp), which stops users deleting or renaming each other's files. After changing the mode of a shared directory, check with ls -ld that the bit is still set.

Octal (Absolute) Mode

• Command format: chmod octalmode filename(s)
• Octal values are:
  • Read access = 4
  • Write access = 2
  • Execute access = 1

• Adding the values gives one digit per class (owner, group, others):
  • 644 = rw-r--r--
  • 755 = rwxr-xr-x
  • 751 = rwxr-x--x
  • 777 = rwxrwxrwx

• An optional leading fourth digit sets the special bits: 4 = set-user-ID, 2 = set-group-ID, 1 = sticky bit (for example 1777 for /tmp, 2775 for a shared project directory).

Setting Default Access Mode with umask

Linux umask base modes

• file base mode 0666 (new files are never created executable by default; a compiler or editor adds the x bit explicitly)

• directory base mode 0777

• new mode = base mode AND NOT umask: every bit that is set in the umask is cleared from the base mode. With the usual umask of 0022 this looks like subtraction, but it is a bitwise operation, so a file created under umask 0541 gets 0226, not 0666 - 0541 = 0125.

• 0644 = 0666 with umask 0022 (files)
• 0755 = 0777 with umask 0022 (directories)

Setting Default Access Mode with umask

• The umask is a per-process filter that determines the default permissions of new files and directories. It is inherited by child processes, so a umask set in a shell affects everything started from that shell, and nothing else.

• Display your umask:

# umask
0022

• The first digit of a mode (0750, for example) is used for the special bits (set-user-ID, set-group-ID and the sticky bit). A umask only ever clears rwx bits; it never affects the special bits.

• Try:

# umask -S

# umask 777

umask -S prints the mask in symbolic form as the permissions that will remain (for example u=rwx,g=rx,o=rx), and umask 777 makes every new file unusable even for its creator until its mode is changed explicitly.
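The symbolic mode, octal mode and umask slides above each state a rule. The Python module below is an added example, not code from the course, that applies those rules to in-memory mode values: it converts between ls-style strings and octal, evaluates symbolic chmod expressions, builds the symbolic argument that produces a given target mode, and computes the kernel's base AND NOT umask result (which is why the umask 0541 exercise does not give what subtraction suggests). The function names are the example's own.

```python
"""chmod symbolic and octal modes, and umask, applied to in-memory mode values.

Added example for the Symbolic Mode, Octal Mode and umask sections; not code
from the original course slides. It implements the rules those slides state
so the chmod and umask exercises can be checked without touching a real file
system. Only the rwx bits are modelled; setuid, setgid and sticky are left alone.
"""

R, W, X = 4, 2, 1
BIT = {"r": R, "w": W, "x": X}
SHIFT = {"u": 6, "g": 3, "o": 0}      # where each class's 3-bit field sits
FILE_BASE, DIR_BASE = 0o666, 0o777    # what creat(2)/mkdir(2) start from before umask

def octal_to_string(mode):
    """0o751 -> 'rwxr-x--x' (ls -l style, permission bits only)."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out += ["r" if bits & R else "-", "w" if bits & W else "-", "x" if bits & X else "-"]
    return "".join(out)

def string_to_octal(s):
    """'rwxr-x--x' -> 0o751; the inverse of octal_to_string."""
    if len(s) != 9:
        raise ValueError(f"expected 9 characters, got {s!r}")
    mode = 0
    for i, ch in enumerate(s):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"bad character {ch!r} at position {i} in {s!r}")
    return mode

def apply_symbolic(mode, expr):
    """Evaluate a chmod symbolic expression such as 'g+rx', 'ugo=rwx', 'o-w,a+r'
    or 'u=' (which clears the owner bits). '+' adds, '-' removes, '=' replaces the
    class's bits exactly. Real chmod treats a missing class as 'a' but also
    filters the bits through the umask; this model just uses 'a'."""
    for clause in expr.split(","):
        i, who = 0, set()
        while i < len(clause) and clause[i] in "ugoa":
            who.add(clause[i])
            i += 1
        if not who or "a" in who:
            who = {"u", "g", "o"}
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"missing operator in clause {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        bits = 0
        for p in perms:
            if p not in BIT:
                raise ValueError(f"unsupported permission {p!r} in {clause!r}")
            bits |= BIT[p]
        for cls in who:
            field = bits << SHIFT[cls]
            if op == "+":
                mode |= field
            elif op == "-":
                mode &= ~field
            else:
                mode = (mode & ~(7 << SHIFT[cls])) | field
    return mode

def symbolic_for(s):
    """The symbolic chmod argument that sets exactly the ls-style string s,
    e.g. 'rwxrwxr-x' -> 'u=rwx,g=rwx,o=rx'."""
    return ",".join(f"{cls}={s[i:i + 3].replace('-', '')}"
                    for cls, i in (("u", 0), ("g", 3), ("o", 6)))

def default_mode(umask, directory=False):
    """Mode of a newly created object: base AND NOT umask. A bit-clear, not
    arithmetic subtraction: 0o666 - 0o541 would be 0o125, but the kernel gives
    0o666 & ~0o541 == 0o226 ('-w--w-rw-')."""
    base = DIR_BASE if directory else FILE_BASE
    return base & ~umask & 0o777

if __name__ == "__main__":
    for target in ("rwxrwxr-x", "r-x--x--x", "-----xrwx"):
        print(f"{target}:  chmod {symbolic_for(target)} f  |  chmod {string_to_octal(target):03o} f")
    for um in (0o027, 0o011, 0o541, 0o777):
        f, d = default_mode(um), default_mode(um, True)
        print(f"umask {um:04o}: files {f:04o} {octal_to_string(f)}  dirs {d:04o} {octal_to_string(d)}")
```

Running the module prints the symbolic and octal answers for three of the exercise rows and the file and directory results for the four umask values in the exercises; feed any other ls-style string or umask to the same functions to check the rest.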

Remember!

• File level security is composed of user authentication and permissions.

• Users and groups are defined in the /etc/passwd, /etc/shadow and /etc/group files.

• Files of all types have user, group and other permissions of read, write and execute.

• Those permissions mean slightly different things for files and for directories.

• A file's mode can be changed by its owner and by root; on Linux only root can give a file to another user.

• Default permissions for new files can be set using umask.

Changing Ownership

• On Linux only root can change the owner of a file. The file's owner may change its group, but only to a group the owner is a member of; giving a file away to another user is a root-only operation (otherwise it could be used to dodge disk quotas or plant set-user-ID files under someone else's name).

• Changing ownership is done with the chown command:

# chown new-owner:new-group filename

# chown anat:ort /etc/passwd

• Change a directory and its contents recursively with -R. GNU chown does not follow symbolic links it meets during the traversal unless -L or -H is given; -L is dangerous on a user-writable tree, because a planted link can redirect the chown to any file on the system:

# chown -R anat:public /tmp

• Note what the two examples actually do: the first hands an unprivileged user write access to the account database (the owner of /etc/passwd can add a UID 0 account), and the second hands that user every other user's temporary files. They illustrate the syntax only; do not run them on a real system.

Users

# useradd - add a new user

(set the password afterwards with passwd; the -p option of useradd and usermod expects an already hashed password, not clear text)

# usermod - change a user

# userdel - delete a user

• Let's look at /etc/passwd

Groups

# groupadd - add a new group

# groupmod - change a group

# groupdel - delete a group

• Let's look at /etc/group

Exercises

1. Create 5 different users
2. Create 3 new groups
3. Change the new users' home directory to /tmp
4. Change the UIDs of the new users to 10001/2/3/4/5
5. Change the GIDs of the 3 new groups to 2001/2/3
6. Add all 5 users to the 3 new groups without changing their default (primary) group
7. Use the useradd command and, in one line, add a new user, give him a password, set his home directory to /tmp and make him a member of all 3 groups
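A worked solution for the seven exercises above, as an added shell script that is not part of the course material. By default (DRY_RUN=1) it only prints each groupadd, useradd and usermod command so the flags can be checked; with DRY_RUN=0 exported and the script run as root it applies them. The group and user names (grp1..grp3, labuser1..labuser6), the DRY_RUN variable and the sample password are the example's own.

```sh
#!/bin/sh
# Worked solution for exercises 1-7 (added example, not from the slides).
# DRY_RUN=1 (the default) only prints each command; export DRY_RUN=0 and
# run as root to apply them. Group and user names and the password are hypothetical.
set -eu
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else printf 'would run: %s\n' "$*"; fi
}

# Exercise 7 as one useradd. -p expects an already hashed (crypt(3)) string:
# clear text passed to -p is stored verbatim and no login will ever match it.
# -G lists supplementary groups only; the primary group (-g) is untouched.
ex7_useradd_args() {
    printf '%s' "-M -d /tmp -G grp1,grp2,grp3 -p $1 labuser6"
}

# Exercises 2 and 5: create the groups directly with the required GIDs.
# (For existing groups, groupmod -g 2001 grp1 renumbers; files owned by the
# old GID outside home directories are not updated by either command.)
for n in 1 2 3; do run groupadd -g "200$n" "grp$n"; done

# Exercises 1, 3 and 4: five users, home /tmp, UIDs 10001..10005.
# -M: do not try to create the home directory, /tmp already exists.
# (For existing users: usermod -d /tmp -u 1000N labuserN; usermod -u re-owns
# files inside the home directory only.)
for n in 1 2 3 4 5; do run useradd -M -d /tmp -u "1000$n" "labuser$n"; done

# Exercise 6: add every user to all three groups. -a matters: without it,
# -G REPLACES the user's supplementary groups instead of appending.
for n in 1 2 3 4 5; do run usermod -aG grp1,grp2,grp3 "labuser$n"; done

# Exercise 7: hash first (openssl passwd -6 = SHA-512 crypt), then useradd -p.
# The clear text still passes through shell history and the process list;
# for real accounts prefer chpasswd reading user:password from stdin.
hash=$(openssl passwd -6 'Lab-Password-1' 2>/dev/null) || hash='<crypt-hash-here>'
# shellcheck disable=SC2046  # the argument string is meant to be word-split
run useradd $(ex7_useradd_args "$hash")
```

Read the dry-run output before switching DRY_RUN off: every command here modifies the account database, and useradd/usermod refuse to run as a non-root user anyway.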

Exercises

• Write the command line, using letters with chmod, to set the following permissions:

rwxrwxr-x :
rwxr--r-- :
r--r----- :
rwxr-xr-x :
rwxr-xr-x :
r-x--x--x :
-w-r----x :
-----xrwx :

Exercises

• Write the command line, using octal numbers with chmod, to set the following permissions:

rwxrwxrwx :
--x--x--x :
r---w---x :
-w------- :
rw-r----- :
rwx--x--x :

Exercises

• With the following umask values, what would be the creation permissions of files and of directories?

umask = 0027
File permissions:
Directory permissions:

umask = 0011
File permissions:
Directory permissions:

umask = 0541
File permissions:
Directory permissions:

umask = 0777
File permissions:
Directory permissions:

Page 24: Module 4 - File Security. Security Overview File Ownership Access to Files and Dircetories Changing File and Directory Ownership Changing File and Directory

<Insert Picture Here>

Page 25: Module 4 - File Security. Security Overview File Ownership Access to Files and Dircetories Changing File and Directory Ownership Changing File and Directory