Module 4 - File Security
• Security Overview
• File Ownership
• Access to Files and Directories
• Changing File and Directory Ownership
• Changing File and Directory Access Modes
• Setting Default Access Modes
Security Overview
• The primary function of the system’s security is to make sure that only authorized users have access to system resources.
• Standard Unix system security features include:
  • User passwords
  • File and directory protection with permissions
  • Other features that enable system administrators to check for security breaches
Linux Accounts
• Accounts are a system mechanism that enables all the users in the system to have their own space in the file system and their own unique settings.
• Each user has a unique ID (UID).
• Each user in the system is a part of at least one group.
• Each group has a unique group ID (GID).
• There are three types of users in Unix:
  • Super User - Has unrestricted access to the system. Has UID 0. The kernel checks the UID, not the name, so any account with UID 0 is a super user whatever it is called.
  • System accounts - Used by services and daemons rather than people. On distributions that follow this convention they take the UIDs between 1 and 499.
  • Regular Users - Usually have access only to their own home directories. UID larger than 500 on older Red Hat style systems; current distributions start regular users at 1000.
User Configuration Files
• The /etc/passwd file is a colon (:) delimited text file in which all the system user accounts are defined. It is world-readable, which is why password hashes are no longer stored in it.
• Each entry in the file represents a user account
user1:x:501:500:user1:/home/user1:/bin/bash
• The /etc/shadow file holds the password hash and the password-aging fields for each user (name, hash, day of last change counted from 1970-01-01, minimum age, maximum age, warning period, inactivity period, expiry day). It is readable only by root.
user1:Ep6mckrOLChF.:10063:0:99999:7:::
Group configuration file
• The /etc/group file holds group name to GID relations, along with listing of users in the group
• A user can be part of a group in one of two ways:
  • The group's GID appears in the user's line in /etc/passwd - the group is then called the user's primary group
  • The user's name appears in the group's line in /etc/group - a supplementary group
staff:x:500:user3,user4,user5
• Two approaches to determine a new file's group:
  • AT&T approach - The primary group of the creating process determines the group ownership of the file. This is the Linux default.
  • BSD approach - Group ownership is given to the group that owns the directory in which the file is created. Linux behaves this way for directories that carry the set-group-ID bit (chmod g+s directory) and on filesystems mounted with the grpid option.
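The following script ties the three configuration files together: it parses passwd, shadow and group records, resolves each account's primary and supplementary groups as described above, and flags the entries an administrator checking for security breaches would want to see (a second UID 0 account, an empty password field, a legacy DES hash). It is an added example for this module, not code from the original slides; the file contents are constructed sample records embedded as strings so it runs offline.

```python
"""Parse passwd, shadow and group records and flag risky accounts.

Added example for this module, not code from the original slides. The three
records below are constructed sample data embedded as strings so the script runs
offline; pass the contents of the real files (shadow is root-only) to load().
Field layout:  passwd  name:password:UID:GID:GECOS:home:shell
               shadow  name:hash:lastchg:min:max:warn:inactive:expire:reserved
               group   name:password:GID:member,member,...
"""
from dataclasses import dataclass, field

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:x:501:500:user1:/home/user1:/bin/bash
user3:x:503:503:user3:/home/user3:/bin/bash
backup:x:0:0:legacy backup account:/var/backup:/bin/sh
svc:x:499:499:service account:/var/lib/svc:/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$notarealhashjustasample:10063:0:99999:7:::
user1:Ep6mckrOLChF.:10063:0:99999:7:::
user3::10063:0:99999:7:::
backup:!:10063:0:99999:7:::
svc:*:10063:0:99999:7:::
"""
GROUP = """\
root:x:0:
wheel:x:10:user1
staff:x:500:user3,user4,user5
user3:x:503:
svc:x:499:
"""


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    password: str                              # hash field (from shadow when available)
    groups: set = field(default_factory=set)   # primary plus supplementary group names


def parse_passwd(text):
    accounts = {}
    for line in filter(None, text.splitlines()):
        name, pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts[name] = Account(name, int(uid), int(gid), home, shell, pw)
    return accounts


def parse_shadow(text):
    # Only the hash (field 2) matters here; the aging fields are ignored.
    return {f[0]: f[1] for f in (l.split(":") for l in filter(None, text.splitlines()))}


def parse_group(text):
    """Return {gid: groupname} and {groupname: set of member names}."""
    gid_to_name, members = {}, {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, memberlist = line.split(":")
        gid_to_name[int(gid)] = name
        members[name] = {m for m in memberlist.split(",") if m}
    return gid_to_name, members


def load(passwd_text, shadow_text, group_text):
    accounts = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    gid_to_name, members = parse_group(group_text)
    for a in accounts.values():
        a.password = hashes.get(a.name, a.password)
        # Primary group: the GID field of passwd. Supplementary groups: every
        # group whose member list in /etc/group names the user.
        if a.gid in gid_to_name:
            a.groups.add(gid_to_name[a.gid])
        a.groups.update(g for g, ms in members.items() if a.name in ms)
    return accounts


def audit(accounts):
    """Return (account, finding) pairs. The kernel trusts the UID, not the name,
    so a second UID 0 entry is a second root regardless of what it is called."""
    findings = []
    for a in accounts.values():
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "UID 0 account other than root"))
        if a.password == "":
            findings.append((a.name, "empty password field: login needs no password"))
        elif a.password == "x":
            findings.append((a.name, "no shadow entry for this account"))
        elif a.password[0] in "!*":
            continue                           # locked / no password: normal for service accounts
        elif not a.password.startswith("$"):
            findings.append((a.name, "13-char traditional DES crypt hash (weak, 8-char limit)"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(load(PASSWD, SHADOW, GROUP)):
        print(f"{name}: {finding}")
```

Run against a live system as root by reading /etc/passwd, /etc/shadow and /etc/group into the three arguments of load(); the group resolution is exactly the two-way membership rule from the slide, and the UID 0 check is why "backup" above is a finding even though its password is locked.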
File Ownership
• Each file and directory is owned by a single user and belongs to a single group
• User and group ownership are assigned at the time the file is created, from the effective UID and GID of the creating process.
• It is important to remember that user ownership and group ownership are distinct: the user who owns a file need not be a member of the group that owns it. Permission checks consult exactly one class of bits, the owner bits for the owner, the group bits for a group member who is not the owner, and the other bits for everyone else, so an owner is never granted access through more generous group or other bits.
Directory and File Access Modes
File-type  Owner  Group  Others  filename
d/l/-      rwx    rwx    rwx     file.txt

# ls -l /etc/passwd
-rw-r--r-- 1 root root 2232 Feb 21 2011 /etc/passwd

• The first character is the file type (- regular file, d directory, l symbolic link); the next nine are the read, write and execute bits for owner, group and others. The remaining columns of ls -l are the link count, owner, group, size in bytes, modification time and name.
• On a directory, r allows listing the names in it, w allows creating and deleting entries (whoever owns them, unless the sticky bit is set), and x allows entering the directory and reaching the files inside it.
Changing File and Directory Access Modes
• Only the file owner (and the super user) may change access modes for files and directories.
• Use the chmod command in order to change the access modes for files and directories.
• There are two modes of operation with the chmod command:
  • Symbolic mode - uses combinations of letters and symbols to add, remove or set permissions for the various classes of users.
  • Octal mode - uses octal numbers to represent file permissions. Octal mode is also referred to as absolute or numeric mode.
Symbolic Mode
• The chmod command takes a who, an operator and a permission:
  • ugo (user, group, others; a stands for all three)
  • +=- (add, set exactly, remove)
  • rwx (read, write, execute)
# chmod g+rx /home/avi
# chmod ugo=rwx /tmp
Octal (Absolute) Mode
• Command Format: chmod octalmode filename(s)
• Octal digit values are:
  • Read access = 4
  • Write access = 2
  • Execute access = 1
• Each digit is the sum of the permissions for one class, written in the order user, group, others:
  • 644 = rw-r--r--
  • 755 = rwxr-xr-x
  • 751 = rwxr-x--x
  • 777 = rwxrwxrwx
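The conversions between the rwx string shown by ls -l, the octal digits, and chmod's symbolic expressions are mechanical, and so is the check the kernel makes with the resulting bits. The script below is an added example, not code from the original slides: it implements the two chmod modes on this slide and the previous one, plus the owner/group/other lookup that the File Ownership section warned about (an owner who is not in the file's group gets only the owner bits). Its symbolic parser covers the ugoa / +-= / rwx subset taught here and, unlike the real chmod, does not consult the umask when no who-letter is given.

```python
"""Mode arithmetic for chmod: rwx strings, octal, symbolic expressions, and the
access check the kernel applies. Added example, not code from the original
slides; the parser handles the ugoa / +-= / rwx subset taught in this module and,
unlike real chmod, ignores the umask when no who-letter is given. Pure functions,
no file system access."""

WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def rwx_to_octal(s):
    """'rwxr-x--x' -> 0o751 (the nine permission characters of ls -l)."""
    if len(s) != 9:
        raise ValueError("expected 9 characters, got %r" % s)
    mode = 0
    for i, ch in enumerate(s):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError("unexpected %r at position %d" % (ch, i))
    return mode


def octal_to_rwx(mode):
    """0o644 -> 'rw-r--r--'."""
    return "".join("rwx"[i % 3] if mode & (1 << (8 - i)) else "-" for i in range(9))


def apply_symbolic(mode, expr):
    """Apply a chmod symbolic expression ('g+rx', 'ugo=rwx', 'u=rw,go=') to mode."""
    for clause in expr.split(","):
        i, who = 0, 0
        while i < len(clause) and clause[i] in WHO_BITS:
            who |= WHO_BITS[clause[i]]
            i += 1
        who = who or 0o777                 # no who given: act on all classes
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError("bad clause %r" % clause)
        op, perms = clause[i], clause[i + 1:]
        bits = 0
        for p in perms:
            bits |= PERM_BITS[p]           # KeyError for anything outside r, w, x
        bits &= who
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                              # '=': replace the named classes entirely
            mode = (mode & ~who) | bits
    return mode & 0o777


def has_access(uid, gids, owner_uid, owner_gid, mode, want):
    """Does a process with uid/gids get permission `want` ('r', 'w' or 'x')?

    Exactly one class is consulted: owner if the UID matches, otherwise group
    if the file's group is among the process's groups, otherwise other. The
    owner is never rescued by more generous group or other bits."""
    need = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:                           # root skips r/w checks; x still needs some x bit
        return want != "x" or bool(mode & 0o111)
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & need)


if __name__ == "__main__":
    m = apply_symbolic(0o700, "g+rx")      # the slide's chmod g+rx /home/avi, from 0700
    print(oct(m), octal_to_rwx(m))
    # Owner (uid 501) of a 0077 file: others may read it, the owner may not.
    print(has_access(501, {500}, 501, 500, 0o077, "r"), has_access(502, {500}, 501, 500, 0o077, "r"))
```

rwx_to_octal and octal_to_rwx answer the two chmod exercises later in this module; has_access is the reason a mode such as 0077 locks the owner out of a file that everyone else can read.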
Setting Default Access Mode with umask
Linux umask base modes
• file base mode 0666 (programs create files without execute permission; the x bit has to be added afterwards with chmod)
• directory base mode 0777
• new file mode = base mode with the umask bits cleared (base AND NOT umask). Written as a subtraction, base-mode - umask, this gives the same answer only while every bit set in the umask is also set in the base mode; that holds for 022 or 027, but not for a mask such as 0541 applied to the file base 0666.
• 0644 = 0666 with 0022 masked off (files)
• 0755 = 0777 with 0022 masked off (directories)
Setting Default Access Mode with umask
• The umask filter determines the default permissions for new files and directories
• Display your umask:
# umask
# 0022
• The first digit of a mode (0750, for example) is used to specify the special bits: set-user-ID (4), set-group-ID (2) and the sticky bit (1). New files start from 0666 or 0777, so they never carry special bits unless a program asks for them explicitly; normally they are set afterwards with chmod.
• Try:
# umask -S     (shows the mask in symbolic form, as the permissions that survive it, e.g. u=rwx,g=rx,o=rx)
# umask 777    (every file and directory this shell creates from now on has no permissions at all)
• The umask is a per-process attribute inherited by child processes: setting it in a shell affects only that shell and the programs it starts, and the login default comes from the shell's startup files.
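Because the umask is a bit mask rather than a number to subtract, the safest way to learn it is to compute the mask and then watch the kernel apply it. The script below is an added example, not code from the original slides: default_modes() computes file and directory modes for any umask, subtraction_mode() shows where the slide's subtraction shorthand goes wrong, and observe_kernel() creates a real file and directory in a scratch directory under the given umask and reads the resulting modes back with stat.

```python
"""Compute the mode of a new file from the umask and check it against the kernel.

Added example, not code from the original slides. The rule is base & ~umask,
not base - umask: the two agree only when every bit set in the umask is also set
in the base mode. Assumes an ordinary filesystem without default ACLs, which
could otherwise override the umask for the scratch directory."""
import os
import stat
import tempfile

FILE_BASE = 0o666   # what open(2)/creat(2) request for a new file before the umask
DIR_BASE = 0o777    # what mkdir(2) requests


def new_mode(base, umask):
    """Clear every bit of base that is set in the umask."""
    return base & ~umask & 0o777


def default_modes(umask):
    """(file_mode, dir_mode) that a process with this umask creates by default."""
    return new_mode(FILE_BASE, umask), new_mode(DIR_BASE, umask)


def subtraction_mode(base, umask):
    """The slide's formula taken literally; wrong whenever the umask has a bit the base lacks."""
    return base - umask


def observe_kernel(umask):
    """Create a file and a directory under `umask` and return the modes the kernel gave them."""
    with tempfile.TemporaryDirectory() as d:   # created under the caller's umask, so it stays usable
        old = os.umask(umask)
        try:
            fpath, dpath = os.path.join(d, "f"), os.path.join(d, "d")
            os.close(os.open(fpath, os.O_CREAT | os.O_WRONLY, FILE_BASE))
            os.mkdir(dpath, DIR_BASE)
        finally:
            os.umask(old)                      # always restore; the umask is process-wide
        return (stat.S_IMODE(os.stat(fpath).st_mode),
                stat.S_IMODE(os.stat(dpath).st_mode))


if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o541):
        f, d = default_modes(mask)
        print(f"umask {mask:04o}: file {f:04o} dir {d:04o} kernel {tuple(map(oct, observe_kernel(mask)))}")
    print("subtraction says", oct(subtraction_mode(FILE_BASE, 0o541)),
          "but the kernel gives", oct(new_mode(FILE_BASE, 0o541)))
```

The 0541 case is the one to try: the mask asks to clear an x bit the file base never had, so subtraction produces a meaningless 0125 while the kernel produces 0226.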
Remember!
• File level security is composed of user authentication and permissions
• Users are defined by names and groups in the /etc/passwd,shadow,group files
• Files of all types have user group and other permissions of read write and execute
• The meaning of those permissions differs for files and directories: on a directory, read lists the names, write creates and deletes entries, and execute allows entering it
• File mode can be changed by the owner and by root; on Linux only root can change the owning user, while the owner may change the group to one of their own groups
• File default permissions can be set using umask
Changing Ownership
• On Linux only root (the CAP_CHOWN capability) can change the owning user of a file. The owner may change the group, but only to a group the owner is a member of.
• Changing ownership is done with the chown command:
# chown new-owner:new-group filename
# chown anat:ort /etc/passwd
• The line above illustrates the syntax only: on a real system /etc/passwd must stay owned by root:root, otherwise the user who owns it can add a UID 0 account.
• Change a directory and its contents recursively with -R
# chown -R anat:public /tmp
• Use -R with care on shared directories such as /tmp: the example hands every user's temporary files to anat. Note also that the set-user-ID and set-group-ID bits of a file are cleared when its ownership changes.
Users
# useradd - Adding a new user
(use passwd to set or change the user's password, and usermod to change the account afterwards)
# usermod - Changing a user
# userdel - Deleting a user
• Let's look at /etc/passwd
Groups
# groupadd - Add a new group
# groupmod - Change a group
# groupdel - Deleting a group
• Let's look at /etc/group
Exercises
1. create 5 different users
2. create 3 new groups
3. Change the new users home directory to /tmp
4. change the UID of the new users to 10001/2/3/4/5
5. change the GID of the 3 new groups to 2001/2/3
6. add all 5 users to the new 3 groups without changing the default group
7. use the useradd command and in one line add a new user, grant him a password, set his home directory to /tmp and make him a member of all 3 groups
Exercises
• Write the command line by using letters with chmod to set the following permissions:
rwxrwxr-x :
rwxr--r-- :
r--r----- :
rwxr-xr-x :
rwxr-xr-x :
r-x--x--x :
-w-r----x :
-----xrwx :
Exercises
• Write the command line by using octal numbers with chmod to set the following permissions:
rwxrwxrwx :
--x--x--x :
r---w---x :
-w------- :
rw-r----- :
rwx--x--x :
Exercises
• With the following umask values what would be the files and directories creation permissions?
umask = 0027
File permissions:
Directory permissions:
umask = 0011
File permissions:
Directory permissions:
umask = 0541
File permissions:
Directory permissions:
umask = 0777
File permissions:
Directory permissions: