Chapter 8 File System Security
File Protection Schemes
– Password-Based Protection
– Encryption-Based Protection
– Protection Based on Access Permission
File Protection Schemes: Password-Based Protection
– Both a login name and a password are required for a user to enter a UNIX system.
– All login names can be found in the /etc/passwd file.
– A user's password is given to that user ONLY.
– Change your password frequently:
  – passwd command (for a local account)
  – yppasswd or nispasswd command for accounts that are managed over the network (NIS or NIS+)
File Protection Schemes: Password-Based Protection
Ways a user's password can be discovered:
1) You, as the owner of an account, inform others of your password
2) The password is guessed by another user
3) The password is extracted by "brute force"
Figure 8.1 The process of encryption and decryption

File Protection Schemes: Encryption-Based Protection
– Whole-disk encryption
– File-level encryption
File Protection Schemes: Protection Based on Access Permission
As file owner, you can attach access rights to your files that dictate who can and cannot access them for the various types of file operations. The users and groups those rights refer to are defined in /etc/passwd and /etc/group.
File Access Rights
Types of users:
– Owner
– Group
– All/Other
Types of permissions:
– Read
– Write
– Execute
Types of operations allowed on:
– Directories
– Other files
Table 8.1 Summary of File Permissions in LINUX (columns: Read permission, Write permission, Execute permission)
Directory Permissions
– read = list the files in the directory
– write = add new files to (or remove files from) the directory
– execute = access (traverse to) files in the directory
Table 8.2 Permission Values
Determining and Changing File Access Privileges
Determining file access privileges:
– ls -l (lists the files with their permission bits)
– ls -ld (shows the directory entry itself rather than its contents)
Changing the Access Rights
Purpose: to set or change the permissions on files
  chmod [options] octal-mode file-list
  chmod [options] symbolic-mode file-list
Options:
  -R   recursively process subdirectories
Determining and Changing File Access Privileges (Contd)
Examples of chmod Command
Determining and Changing File Access Privileges
Changing file access privileges:
– chmod [options] octal-mode file-list
– chmod [options] symbolic-mode file-list
Access Privileges for Directories
Default File Access Rights
– umask is a bit mask that tells which permissions are turned off when a new file is created.
– 022 = deny write for group and other, so a new directory or executable gets rwx r-x r-x
– umask (with no parameters) returns the current mask value
– umask newmask sets a new mask value
– The umask command is usually placed in a startup file
Default File Access Rights
The default (maximum) access privileges:
– Executable files and directories: 777
– Text files: 666
File access permission = default - mask (the bits set in the mask are cleared, e.g. 777 - 022 = 755).
A commonly used mask value is 022. With umask 022:
– 755 for executable files and directories
– 644 for text files
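The permission arithmetic on these slides (the octal values of Table 8.2, the octal mode given to chmod, and the 777/666 defaults minus the umask) worked through in an added shell example; it is not part of the lecture slides. The function names (digit_to_rwx, octal_to_symbolic, default_mode, ls_perm_bits, check_umask_live) are this example's own choices, and it assumes a POSIX shell with ls, cut and mktemp. The live check creates its files in a scratch directory and removes them afterwards.

```shell
#!/bin/sh
# Added example, not from the lecture slides: render the octal permission
# values of Table 8.2 as the rwx string that "ls -l" prints, compute the mode
# a new file or directory receives under a umask, and verify the arithmetic
# against real objects created under that umask.  All function names are
# this example's own choices.

# One octal digit (0-7) -> three-character triple such as "r-x".
digit_to_rwx() {
    d=$1
    r='-'; w='-'; x='-'
    [ $((d & 4)) -ne 0 ] && r='r'
    [ $((d & 2)) -ne 0 ] && w='w'
    [ $((d & 1)) -ne 0 ] && x='x'
    printf '%s%s%s' "$r" "$w" "$x"
}

# Three octal digits (e.g. 755) -> nine characters (rwxr-xr-x), the layout of
# Figure 8.2 without the leading file-type character.
octal_to_symbolic() {
    m=$1
    u=$(printf '%s' "$m" | cut -c1)
    g=$(printf '%s' "$m" | cut -c2)
    o=$(printf '%s' "$m" | cut -c3)
    printf '%s%s%s' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# Mode of a newly created object: the base (777 for directories and
# executables, 666 for plain files) with every bit in the umask cleared,
# i.e. base AND NOT mask.  A leading 0 makes the shell parse the arguments
# as octal; %03o prints the result back as three octal digits.
default_mode() {
    base=$1; mask=$2
    printf '%03o' $(( 0$base & ~0$mask & 0777 ))
}

# Permission characters 2-10 of the "ls -ld" line for a path.
ls_perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# Create a plain file and a directory under the given umask in a scratch
# directory and compare what the kernel assigned with default_mode's answer.
# Returns 0 when both match.
check_umask_live() {
    mask=$1
    tmp=$(mktemp -d) || return 1
    (
        umask "$mask"
        : > "$tmp/note.txt"   # plain file, base 666
        mkdir "$tmp/bin"      # directory, base 777
    )
    file_ok=0; dir_ok=0
    [ "$(ls_perm_bits "$tmp/note.txt")" = "$(octal_to_symbolic "$(default_mode 666 "$mask")")" ] && file_ok=1
    [ "$(ls_perm_bits "$tmp/bin")" = "$(octal_to_symbolic "$(default_mode 777 "$mask")")" ] && dir_ok=1
    rm -rf "$tmp"
    [ "$file_ok" -eq 1 ] && [ "$dir_ok" -eq 1 ]
}

# Demo output when run directly.
for m in 755 644 600; do
    printf '%s -> %s\n' "$m" "$(octal_to_symbolic "$m")"
done
for mask in 022 077; do
    printf 'umask %s: new file %s, new directory %s\n' \
        "$mask" "$(default_mode 666 "$mask")" "$(default_mode 777 "$mask")"
done
```

default_mode uses a bitwise AND NOT rather than plain subtraction, so it stays correct for masks such as 027 or 077 where subtracting digit by digit would not; check_umask_live confirms that the kernel applies the same rule to a freshly created file and directory.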
Figure 8.2 Position of file type and access privilege bits for LINUX files (as seen by the "ls -l" command)
Figure 8.3 Position of access privilege bits for LINUX files as specified in the chmod command
SUID Bit
– A special permission bit that makes an executable file run with the privileges of the file's owner rather than those of the user running it
– Can be set using: chmod u+s file-list  or  chmod 4xxx file-list
– Shows up in ls -l in place of the user x bit as an s if the file is executable: -rwsrwxrwx
– Very dangerous to use
SUID Bit
Find both set-user-id and set-group-id programs (find's -perm -4000 matches files with the SUID bit set, -perm -2000 those with the SGID bit set):
$ find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; > suid_sgid.list
$ cat suid_sgid.list   (or page through the file with more or less)
$ ls -l /usr/bin/* | grep 'rws'
SGID Bit
– A special permission bit that makes an executable file run with the privileges of the file's group rather than those of the user running it
– Set using: chmod g+s file-list  or  chmod 2xxx file-list
Sticky Bit
A special bit that can be used as follows:
– For a file: it directs the operating system to keep the program in memory, if possible, after it finishes execution (early versions of UNIX)
– For a directory: only the owner of the directory (or of the file itself) can delete or rename files in the directory, even if other users have write privilege (e.g. /tmp)
– Can be set with the chmod command: chmod +t file-list
– Shows up in ls -l as a t in place of the other x bit: -rwxrwxrwt
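An added example, not from the slides, that ties the SUID, SGID and sticky-bit slides together from the auditing side: it classifies the s/S/t/T characters in an "ls -l" mode field, and it runs the same find -perm tests as the slide's suid_sgid.list command over a small constructed fixture instead of the whole system, adding a check for world-writable directories that lack the sticky bit. The function names (classify_mode, audit_tree, count_findings, make_fixture) and the fixture contents are this example's own assumptions; it needs a POSIX shell with find, ls, cut, grep, chmod and mktemp.

```shell
#!/bin/sh
# Added example, not from the lecture slides: classify the special bits that
# "ls -l" shows (s, S, t, T) and audit a directory tree for set-UID/set-GID
# programs and world-writable directories that lack the sticky bit.  Function
# names and the fixture built by make_fixture are this example's own choices.

# Take the 10-character mode field of "ls -l" (e.g. -rwsr-xr-x) and report
# the special bits it carries.  Positions: 1 = file type, 4 = user execute
# (s = SUID), 7 = group execute (s = SGID), 9 = other write, 10 = other
# execute (t = sticky).  Upper-case S or T means the special bit is set but
# the matching execute bit is not.
classify_mode() {
    mode=$1
    type=$(printf '%s' "$mode" | cut -c1)
    ux=$(printf '%s' "$mode" | cut -c4)
    gx=$(printf '%s' "$mode" | cut -c7)
    ow=$(printf '%s' "$mode" | cut -c9)
    ox=$(printf '%s' "$mode" | cut -c10)
    tags=''
    case $ux in s|S) tags="$tags suid" ;; esac
    case $gx in s|S) tags="$tags sgid" ;; esac
    case $ox in t|T) tags="$tags sticky" ;; esac
    # A directory that anyone may write to, without the sticky bit, lets any
    # user delete or rename files that other users placed there.
    if [ "$type" = d ] && [ "$ow" = w ]; then
        case $ox in t|T) ;; *) tags="$tags world-writable-dir-no-sticky" ;; esac
    fi
    if [ -n "$tags" ]; then
        printf '%s\n' "${tags# }"
    else
        printf 'none\n'
    fi
}

# Walk a tree and print one "TAG path" line per finding.  find's -perm -MODE
# matches when every bit in MODE is set: 4000 = SUID, 2000 = SGID,
# 0002 = other-writable, 1000 = sticky.  A file carrying both SUID and SGID
# is reported twice, once under each tag.
audit_tree() {
    root=$1
    find "$root" -type f -perm -4000 -exec sh -c 'printf "SUID %s\n" "$1"' sh {} \;
    find "$root" -type f -perm -2000 -exec sh -c 'printf "SGID %s\n" "$1"' sh {} \;
    find "$root" -type d -perm -0002 ! -perm -1000 \
        -exec sh -c 'printf "WORLD-WRITABLE-NO-STICKY %s\n" "$1"' sh {} \;
}

# Number of findings carrying a given tag under root.
count_findings() {
    tag=$1; root=$2
    audit_tree "$root" | grep -c "^$tag "
}

# Constructed fixture (not real system files): one SUID program, one SGID
# program, a shared directory with the sticky bit and one without.  Prints
# the scratch root; the caller removes it when done.
make_fixture() {
    base=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hello\n' > "$base/suid_tool"
    chmod 4755 "$base/suid_tool"
    printf '#!/bin/sh\necho hello\n' > "$base/sgid_tool"
    chmod 2755 "$base/sgid_tool"
    mkdir "$base/shared_ok" "$base/shared_bad"
    chmod 1777 "$base/shared_ok"    # like /tmp: sticky bit set
    chmod 0777 "$base/shared_bad"   # world-writable, no sticky bit
    printf '%s\n' "$base"
}

# Demo when run directly: build the fixture, audit it, clean up.
fixture=$(make_fixture)
audit_tree "$fixture"
rm -rf "$fixture"
```

Pointing audit_tree at / reproduces the slide's inventory of set-uid and set-gid programs; keeping the resulting list and diffing it against a later run is a simple way to notice a new privileged binary or a shared directory that lost its sticky bit.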