Chapter 3 Maintaining Security


Chapter 3 Maintaining Security CSNB113 SYSTEM ADMINISTRATION College of Information Technology Universiti Tenaga Nasional (UNITEN) SN 2017

Objectives
- Use chmod to change file permissions in an absolute manner
- Learn how the administrator uses the three basic file permission bits
- Use chown and chgrp to change the owner and group owner of files
- Restrict a user’s activities with the restricted shell

Introduction
- Security in a computer system eventually involves files
- Faulty file permissions can be exploited by a malicious user
- System administrator’s responsibility: ensure that system directories (/bin, /usr/bin, /etc, /sbin) and the files in them are not writable by others
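One way an administrator could check the requirement above, as an added example that is not part of the original slides. The function name and the report format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the slides.
# Usage: sh audit_writable.sh /bin /usr/bin /etc /sbin

# Print "other-writable <path>" or "group-writable <path>" for every entry
# under the given directories whose mode lets someone other than the owner
# write to it. Symbolic links are skipped: their own mode bits are not used.
# Returns 1 if any other-writable entry exists, 0 if none, 2 on no arguments.
audit_writable() {
    [ "$#" -gt 0 ] || return 2
    # -perm -0002 matches when the "other" write bit is set,
    # -perm -0020 when the group write bit is set.
    other=$(find "$@" ! -type l -perm -0002 2>/dev/null) || true
    group=$(find "$@" ! -type l -perm -0020 ! -perm -0002 2>/dev/null) || true
    [ -z "$other" ] || printf '%s\n' "$other" | sed 's/^/other-writable /'
    [ -z "$group" ] || printf '%s\n' "$group" | sed 's/^/group-writable /'
    [ -z "$other" ]
}

# Run the audit only when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_writable "$@"
fi
```

Group-writable entries are reported separately because whether they are acceptable depends on who is in the owning group.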

Listing File Attributes

    $ ls -l
    total 2
    drwxrw-r-- 1 ixo team 0 2012-08-30 18:42 Material
    -rwxr-xr-x 1 sn010101 dba 5234 2012-12-20 22:22 file1.txt

Fields, left to right: file type and permissions, number of links, owner, group, size, last modification time, file name.

Here, the first column represents the different access modes, i.e., the permissions associated with a file or a directory.

File Permission
- Owner permissions: the owner's permissions determine what actions the owner of the file can perform on the file.
- Group permissions: the group's permissions determine what actions a user, who is a member of the group that a file belongs to, can perform on the file.
- Other (world) permissions: the permissions for others indicate what action all other users can perform on the file.

File Permission
The permissions are broken into groups of three, and each position in the group denotes a specific permission, in this order: read (r), write (w), execute (x).

Basic permissions:
- Read, r: content of the file is accessible
- Write, w: permitted to create, modify, or remove the file
- eXecute, x: allowed to run or “pass through”

File Permission
Example: access permissions for file1.txt

    rwxr-xr-x
    owner = rwx, group = r-x, world = r-x

- Owner is allowed to read, write and execute file1.txt
- Group is allowed to read and execute file1.txt
- World is allowed to read and execute file1.txt

Change File Permission
To change the file or the directory permissions, use the chmod (change mode) command. There are two ways to use chmod:
- The symbolic mode
- The absolute mode

Symbolic Mode
You can add, delete, or specify the permission set you want by using the operators in the following table:

Symbol  Description
+       Adds the designated permission(s) to a file or directory.
-       Removes the designated permission(s) from a file or directory.
=       Sets the designated permission(s).

Symbolic Mode Example

    $ ls -l testfile
    -rwxrwxr-- 1 sn010101 student 1024 Nov 7 11:25 testfile
    $ chmod o+wx testfile
    $ ls -l testfile
    -rwxrwxrwx 1 sn010101 student 1024 Nov 7 11:25 testfile
    $ chmod u-x testfile
    $ ls -l testfile
    -rw-rwxrwx 1 sn010101 student 1024 Nov 7 11:25 testfile
    $ chmod g=rx testfile
    $ ls -l testfile
    -rw-r-xrwx 1 sn010101 student 1024 Nov 7 11:25 testfile

The three changes can also be given in one command, separated by commas and with no spaces around the operator:

    $ chmod o+wx,u-x,g=rx testfile

Absolute Mode
Use a number to specify each set of permissions for the file. Each permission is assigned a value, and the total of each set of permissions provides a number for that set.

    $ chmod 700 file1.txt

Change File Permission

Binary  Octal  Permissions  Significance
000     0      ---          No permission
001     1      --x          Executable only
010     2      -w-          Writable only
011     3      -wx          Writable and executable
100     4      r--          Readable only
101     5      r-x          Readable and executable
110     6      rw-          Readable, writable
111     7      rwx          Readable, writable, executable
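The link between the two chmod modes, as an added example that is not part of the original slides: it converts the permission string shown by ls -l into its octal form and replays the Symbolic Mode example on a scratch file. The function names are assumptions, and setuid, setgid and sticky bits are not handled.

```shell
#!/bin/sh
# Added example: relate the symbolic-mode steps from the slides to octal modes.

# Convert a 9-character permission string (e.g. rwxr-xr-x) to octal (755).
# Only r, w and x are handled, matching the octal table in the slides.
mode_to_octal() {
    perms=$1
    octal=
    while [ -n "$perms" ]; do
        triplet=$(printf '%s' "$perms" | cut -c1-3)
        perms=$(printf '%s' "$perms" | cut -c4-)
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac   # binary 100
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac   # binary 010
        case $triplet in ??x) digit=$((digit + 1)) ;; esac   # binary 001
        octal=$octal$digit
    done
    printf '%s\n' "$octal"
}

# Octal mode of a file, read from columns 2-10 of its ls -l listing.
file_octal() {
    mode_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Replay the chmod sequence from the Symbolic Mode example on a scratch
# file and print the octal mode after each step.
replay_slide_steps() {
    f=$(mktemp)
    chmod 774 "$f";  printf '%s ' "$(file_octal "$f")"    # rwxrwxr--
    chmod o+wx "$f"; printf '%s ' "$(file_octal "$f")"    # rwxrwxrwx
    chmod u-x "$f";  printf '%s ' "$(file_octal "$f")"    # rw-rwxrwx
    chmod g=rx "$f"; printf '%s\n' "$(file_octal "$f")"   # rw-r-xrwx
    rm -f "$f"
}

replay_slide_steps
```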

Change File Ownership
chown command: transfer ownership of a file to a user

    $ ls -l testfile
    -rwxrwxr-- 1 sn010101 student 1024 Nov 7 11:25 testfile
    $ chown sn020202 testfile
    $ ls -l testfile
    -rwxrwxr-- 1 sn020202 student 1024 Nov 7 11:25 testfile

The new owner of this file is sn020202.

Change File Group Owner
chgrp command: change a file’s group owner

A user can change the group owner of a file, but only to a group to which he/she belongs.

    $ ls -l testfile
    -rwxrwxr-- 1 sn010101 student 1024 Nov 7 11:25 testfile
    $ chgrp alumni testfile
    $ ls -l testfile
    -rwxrwxr-- 1 sn010101 alumni 1024 Nov 7 11:25 testfile

The new group owner of this file is alumni.

Restricted Shell
A restricted shell is used to set up an environment more controlled than the standard shell.

rbash and rksh shell versions:
- Restrict the activities of a user
- Place either one into the last field of the user's entry in /etc/passwd

The following user actions are restricted:
- Use the cd command
- Redefine PATH
- Redefine SHELL
- Use a pathname containing a /
- Use the > and >> operators (create or append to files)

Restricted Shell

Pros of Restricted Shell
- Used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.

Cons of Restricted Shell
- Insufficient to allow execution of entirely untrusted software.
- When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell spawned to execute the script.
- When users run bash or dash from rbash, they get unrestricted shells.
- rbash should only be used within a chroot unless you know what you are doing.
- There are many ways to break out of a restricted bash shell that are not easy to predict in advance.
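Two checks that follow from the points above, as an added example that is not part of the original slides: list the accounts whose login shell is rbash or rksh, and flag anything in a restricted user's command directory that is an ordinary shell or a script. The function names, the list of shell names and the idea of a dedicated command directory are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: hardening checks for a restricted-shell setup.
# Usage: sh audit_rbin.sh /path/to/restricted/bin   (path is hypothetical)

# Print the login names in a passwd-format file whose last field is a
# restricted shell (rbash or rksh).
restricted_users() {
    awk -F: '$7 ~ /(^|\/)(rbash|rksh)$/ { print $1 }' "$1"
}

# Print "shell <path>" for entries that are (or link to) an ordinary shell
# and "script <path>" for files starting with "#!". Either one lets the
# restricted user run commands without the restrictions.
audit_restricted_bin() {
    for entry in "$1"/*; do
        [ -f "$entry" ] || continue
        # Resolve symbolic links so a renamed link to a shell is caught.
        target=$(readlink -f "$entry" 2>/dev/null) || target=$entry
        for name in "${entry##*/}" "${target##*/}"; do
            case $name in
                sh|bash|dash|ksh|zsh|csh|tcsh|ash)
                    printf 'shell %s\n' "$entry"
                    continue 2 ;;
            esac
        done
        # A script is recognised by its first two bytes.
        magic=$(dd if="$entry" bs=2 count=1 2>/dev/null) || magic=
        [ "$magic" != '#!' ] || printf 'script %s\n' "$entry"
    done
}

if [ "$#" -eq 1 ]; then
    audit_restricted_bin "$1"
fi
```

An empty report does not prove the environment is escape-proof; other programs in the directory may be able to start a shell themselves.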
