Document information
Pages: 17
Size: 125.76 KB

Contents
File Security (Module 8)

Objectives

Upon completion of this module, you should be able to:
• Display file permissions
• Define permission types (read, write, and execute)
• Set and change file permissions using symbolic and octal notation
• Display the umask value of a file or directory

Discussion – What types of protection would you like to be able to place on files and directories? How would you group people you work with, and who would have access to your files and directories?

Security Overview

The primary function of a system’s security feature is to deny access to unauthorized users. Keeping computer information secure is important to the user and the system administrator. By protecting their files and accounts from unauthorized use, users are also protecting their job and reputation.

Standard Linux environment security features include user passwords, which restrict access to the system; file and directory protection with permissions; files that control remote logins and commands on individual workstations; and other features that enable system administrators to check for security breaches.

Permissions

The Linux operating system has two default levels of security. First, users must supply a login ID and password in order to access a Linux workstation. Second, files and directories are automatically protected by permissions when they are created.

Superuser

Linux provides a special user account called root that has total access to the system. All permissions placed on files and directories can be overridden by the root user. This account’s user is also called the superuser. The superuser account is used to run system administration commands and to edit critical system files such as the password file.

The ls -l Command

The ls -l command displays the following permissions:
• File type – This includes directories and ordinary files.
• User (owner) – The user who created the file or directory
• Group – Class of users defined by the system administrator
• Others (public) – All other users

    $ ls -l .profile

Permission Categories

File Type

The first character is called the file type. An ordinary file is represented by a dash (–), and a directory is represented by a d. A dash anywhere else in a permission set indicates no permission. The interpretation of permissions is slightly different for files and directories.

User (Owner)

The next three characters are the user or owner permissions. They show the type of access the owner of the file or directory has. When you create a new file or directory, it is owned by you. The owner of the file .profile in the example is user2.

Group

The second set of three characters, called group permissions, identifies the permissions of the group that owns the file. A user group (system group) is a set of users with common file access needs. System administrators define system groups and determine which users belong to which groups. Users in the same group can access each other’s files based on the group permissions. The group owner of the file .profile in the example is the group staff.

Others (Public)

The last set of characters, called others permissions, are the permissions everyone else has. Others is anyone who is neither the file owner nor a member of the group that owns the file, but who has access to the system.

Files you create are owned by you, and the group association on these files is your primary group. Access is determined by the highest category to which you belong. If you are the user (owner), even though you are a member of the group, only the user category of permissions applies. The others permissions only apply to someone who is neither the owner nor a member of the group.

How File and Directory Access Is Determined

UID and GID

All files and directories have a user identifier (UID) and group identifier (GID) number associated with them.
The kernel uses these numbers to identify ownership of files, rather than the user or group name familiar to the user.

    $ ls -an
    drwxr-xr-x 2 101 10 512 May 24 17:25 mickey
    -rw-r--r-- 1 101 10 0 May 24 17:25 .profile

Note – The -n option displays the UID and the GID instead of their names.

Process For Determining Permissions

Every system process also has a UID and GID. When a process attempts to read, write, or execute a file, the process’ system data information is compared to the file’s or directory’s UID, and then to the GID. If neither matches, then the others category of permissions is used.

Default Permissions

When a user accesses the system, files and directories are protected by default permissions. These are put in place automatically when a file or directory is created.

    $ mkdir secure; touch pluto
    $ ls -l
    drwxr-xr-x 2 user2 staff 512 May 24 17:25 secure
    -rw-r--r-- 1 user2 staff 0 May 24 17:25 pluto

Types of Permissions

Every file or directory has a set of permissions that determines who can do what with it. Permissions are represented by characters that control who may read, write, and execute the contents of a file or directory.

Note – As can be seen from Table 8-1, in order for a directory to be of any practical use, at least read and execute permissions must be set.

As seen from previous examples, you may see a dash (–) in place of r, w, or x. This indicates no permission.

The following are samples of different types of permissions on files and directories:
• The file is read/write/execute for owner only.
    -rwx------
• The directory is read/execute for owner and group.
    dr-xr-x---
• The file is read/write/execute for owner, and read/execute for group members and others.
    -rwxr-xr-x
• The directory is read/write/execute for owner, read/execute for group, and execute for others.
    drwxr-x--x

Changing Permissions

Overview

The chmod command is used by a file’s owner (or the superuser) to change file permissions.
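Before turning to chmod, the access decision described under “Process For Determining Permissions” above, as an added Python example (not code from the module): the process UID is compared with the file’s UID first, then its GIDs with the file’s GID, and only the first matching category’s bits count, which is the “highest category” rule from the previous section. The UID 101 / GID 10 values are taken from the module’s ls -an listing; the root (UID 0) handling follows the Linux kernel rule for regular files and is not something the module states.

```python
# Added example (not from the module): the access decision the module
# describes. The process UID is compared with the file's UID first, then
# its GIDs with the file's GID, and only if neither matches are the
# "others" bits used. Only the first matching category is consulted.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_mode(ls_perms):
    """Turn an ls -l permission string such as '-rw-r--r--' into the three
    octal digits (owner, group, others); a leading file-type character is dropped."""
    body = ls_perms[1:] if len(ls_perms) == 10 else ls_perms
    if len(body) != 9 or any(c not in "rwx-" for c in body):
        raise ValueError("not a permission string: %r" % ls_perms)
    return tuple(sum(PERM_BITS[c] for c in body[i:i + 3] if c != "-")
                 for i in (0, 3, 6))

def access_allowed(ls_perms, file_uid, file_gid, proc_uid, proc_gids, want):
    """Return True if a process with proc_uid / proc_gids may do want
    ('r', 'w' or 'x') to a file with the given owner, group and mode.
    Root (UID 0) follows the Linux rule for regular files: read and write
    are always granted, execute only if at least one x bit is set."""
    owner, group, others = parse_mode(ls_perms)
    if proc_uid == 0:
        return want != "x" or any(d & 1 for d in (owner, group, others))
    if proc_uid == file_uid:
        digit = owner          # owner category applies even if group grants more
    elif file_gid in proc_gids:
        digit = group
    else:
        digit = others
    return bool(digit & PERM_BITS[want])

if __name__ == "__main__":
    # Constructed from the module's "ls -an" listing: .profile is owned by
    # UID 101, GID 10, mode -rw-r--r--.
    print(access_allowed("-rw-r--r--", 101, 10, 101, {10}, "w"))   # owner: True
    print(access_allowed("-rw-r--r--", 101, 10, 102, {10}, "w"))   # group member: False
    # "Highest category" rule: the owner of ----rw-rw- gets the owner bits
    # (none), even though the group the owner belongs to could read it.
    print(access_allowed("----rw-rw-", 101, 10, 101, {10}, "r"))   # False
    print(access_allowed("----rw-rw-", 101, 10, 102, {10}, "r"))   # True
```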
The two modes of operation with the chmod command are symbolic and octal.
• Symbolic mode uses combinations of letters and symbols to add or remove permissions from various categories of users.
• Octal mode uses octal numbers to represent file permissions. Octal mode is also referred to as absolute or numeric mode.

Symbolic Mode

The command format for symbolic mode uses letters and symbols.

Command Format

    chmod mode filename

Changing Permissions With Symbolic Mode

You can:
• Remove group read permission

    $ ls -l dante
    -rw-r--r-- 1 user2 staff 2 Jun 11 1:44 dante
    $ chmod g-r dante
    $ ls -l dante
    -rw----r-- 1 user2 staff 2 Jun 11 1:44 dante

• Deny read permission to others

    $ chmod o-r dante
    $ ls -l dante
    -rw------- 1 user2 staff 2 Jun 11 1:44 dante

• Add execute permission for owner, and read permission for group and others

    $ chmod u+x,go+r dante
    $ ls -l dante
    -rwxr--r-- 1 user2 staff 2 Jun 11 1:44 dante

There is no space after u+x and before go+r, although there is a comma between them.

• Set permissions to read and write for everyone

    $ chmod a=rw dante
    $ ls -l dante
    -rw-rw-rw- 1 user2 staff 2 Jun 11 1:44 dante

Octal (Absolute) Mode

Octal mode is based on the base eight numbering system (0–7 are the available numerals).

Command Format

    chmod octal_mode filename

Each permission has an octal value as shown in Table 8-2. The octal values for the permission set are shown in Table 8-3. Octal values are combined to identify the octal_mode that is used with the chmod command. The first position defines the user (owner) permissions, the second position defines the group, and the last position defines others. Default permissions on files are 644, and default permissions on directories are 755.

Note – When using octal mode with the chmod command, you must list all three numbers, one for each category of user: user, group, and others.
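The four symbolic-mode steps shown above (g-r, o-r, u+x,go+r, a=rw), replayed by an added Python example that is not the module’s code: a small interpreter for chmod symbolic clauses, started from the dante file’s 644 mode and rendering each result as ls -l would. It handles only u/g/o/a with + - = and r/w/x; the special bits and the X, s and t letters are out of scope.

```python
# Added example (not from the module): a minimal interpreter for chmod
# symbolic mode, enough to replay the module's g-r, o-r, u+x,go+r and a=rw
# steps on the dante file and render each result as ls -l would show it.
WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}

def apply_symbolic(mode, spec):
    """mode is an int such as 0o644; spec is a comma-separated list of
    [ugoa]*[-+=][rwx]* clauses. Returns the new mode. Not handled: special
    bits, the X/s/t letters, and the umask that real chmod consults when
    the who part is omitted (here an omitted who simply means 'a')."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in WHO:
            i += 1
        who, op, perms = clause[:i] or "a", clause[i:i + 1], clause[i + 1:]
        if op not in ("+", "-", "=") or any(p not in PERM for p in perms):
            raise ValueError("bad chmod clause: %r" % clause)
        who_mask = 0
        for w in who:
            who_mask |= WHO[w]
        perm_bits = 0
        for p in perms:
            perm_bits |= PERM[p]
        bits = who_mask & perm_bits
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                      # '=' clears the category before setting
            mode = (mode & ~who_mask) | bits
    return mode & 0o777

def render(mode, file_type="-"):
    """Render a mode as ls -l shows it, e.g. render(0o644) -> '-rw-r--r--'."""
    out = file_type
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 7
        out += "".join(ch if digit & bit else "-"
                       for ch, bit in (("r", 4), ("w", 2), ("x", 1)))
    return out

def walk(start_mode, specs):
    """Apply each spec in turn; return the ls -l string after every step."""
    mode, seen = start_mode, []
    for spec in specs:
        mode = apply_symbolic(mode, spec)
        seen.append(render(mode))
    return seen

if __name__ == "__main__":
    for line in walk(0o644, ["g-r", "o-r", "u+x,go+r", "a=rw"]):
        print(line)
```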
Changing Permissions With Octal Mode

You can:
• Give user, group, and others read and execute access

    $ ls -l dante
    -rw-rw-rw- 1 user2 staff 2 Jun 11 11:54 dante
    $ chmod 555 dante
    $ ls -l dante
    -r-xr-xr-x 1 user2 staff 2 Jun 11 11:54 dante

• Change user and group permissions to include write access

    $ chmod 775 dante
    $ ls -l dante
    -rwxrwxr-x 1 user2 staff 2 Jun 11 11:54 dante

• Change group permission to read and execute

    $ chmod 755 dante
    $ ls -l dante
    -rwxr-xr-x 1 user2 staff 2 Jun 11 11:54 dante

Default Permissions

The umask Filter

The umask filter determines the default permissions for files and directories. The permissions are assigned during the creation of new files and directories.

Displaying Your umask

    $ umask
    022

The default permissions which will be assigned to a newly created file or directory are determined by applying the umask filter against the maximum system assignable file (666) and directory (777) permissions. Each digit in the umask value represents permission categories which are to be denied, or “masked out,” from the maximum permissions. Depending on the shell, the umask value will display differently as either 0022, 022, or 22.

As an example, in the case of a newly created file, the maximum system assignable file permissions are represented by the octal value 666. This corresponds to read/write (42-) access for the user, read/write (42-) access for the group, and read/write (42-) access for all others. This can be represented as:

    42-42-42-
    rw-rw-rw-

The default umask filter value is octal 022, which corresponds to no access denial (---) for the user, a denial of write (-2-) access for the group, and a denial of write (-2-) access for all others. This can be represented as:

    ----2--2-
    ----w--w-

When the access categories to be denied are “masked out” from the maximum system assignable values, the default permissions which are assigned to a newly created file are left.
    42-42-42-    Maximum system assignable file permissions
    ----2--2-    Default umask filter value
    42-4--4--    Default permissions assigned to a newly created file
    rw-r--r--

Note – Execute permissions can be placed on files by the user but are not assigned by the system when a file is created.

This same process can be applied when determining what the default permissions will be when creating new directories. In this case, the maximum system assignable permissions are represented by the octal value 777. This corresponds to read/write/execute access for the user, group, and others.

    421421421    Maximum system assignable directory permissions
[...]

... the motd file
    $ chmod g+w motd
6 Using symbolic mode, remove group read on the file dumpdates
    $ chmod g-r dumpdates
7 Using octal mode, change the permissions on the file motd to rwxrw
    $ chmod 760 motd
8 Using octal mode, change the permissions on the file group to add write permission for others
    $ chmod 646 group
9 Why is execute not a default permission for a newly created file?
Most files are...

... files from your home directory into the new directory.
4 Change permissions appropriately so that other users in your group can copy files from the Textfiles directory.
5 Create a file in the directory which lists the names of all of the four text files in the directory. Make the file modifiable by someone in your group.

Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, ...

... unless the umask command is placed in the .profile file. This file is discussed in detail in Module 11, “Initialization Files.”

Caution – If a terminal window is opened from the Front Panel, umask may display incorrectly due to a known bug. This problem can be circumvented by opening a terminal window from the Workspace Manager instead.

Exercise: Changing File Permissions

Exercise objective – The purpose...
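The umask computation from the two tables above, carried out by an added Python example (not the module’s code): the maximum assignable permissions (666 for files, 777 for directories) with every umask bit masked out, next to the digit-by-digit subtraction shortcut the module mentions in its exercise notes, so the two can be compared on umasks other than 022. The umask values other than 022 are constructed for the comparison.

```python
# Added example (not from the module): compute the permissions a new file or
# directory receives under a given umask the way the module describes it
# (maximum assignable permissions with the umask bits "masked out"), and show
# where the digit-by-digit subtraction shortcut from the module stops working.
MAX_FILE, MAX_DIR = 0o666, 0o777

def parse_umask(umask):
    """Accept the umask as an int or as the string a shell prints (0022, 022 or 22)."""
    return int(umask, 8) if isinstance(umask, str) else umask

def default_mode(umask, directory=False):
    """Bitwise form of the module's table: every bit set in the umask is
    cleared from the maximum assignable permissions (666 files, 777 directories)."""
    base = MAX_DIR if directory else MAX_FILE
    return base & ~parse_umask(umask) & 0o777

def subtraction_shortcut(umask, directory=False):
    """The module's shortcut: subtract each umask digit from the matching
    digit of 666 or 777. Returns None when a digit would go negative. Even
    when it does not, the result is wrong whenever a umask digit contains a
    bit the base digit lacks (e.g. umask 011 on a file: 6 - 1 = 5, but
    masking out an execute bit that was never there leaves 6)."""
    base = MAX_DIR if directory else MAX_FILE
    m, result = parse_umask(umask), 0
    for shift in (6, 3, 0):
        d = ((base >> shift) & 7) - ((m >> shift) & 7)
        if d < 0:
            return None
        result |= d << shift
    return result

def defaults(umask):
    """Return (file, directory) default permissions as the three-digit octal
    strings the module uses, e.g. defaults("022") -> ("644", "755")."""
    return (format(default_mode(umask), "03o"),
            format(default_mode(umask, directory=True), "03o"))

if __name__ == "__main__":
    # 022 is the module's default; the other values are constructed to show
    # where the subtraction shortcut and the real masking diverge.
    for u in ("022", "027", "077", "011"):
        f, d = defaults(u)
        s = subtraction_shortcut(u)
        print(u, "file", f, "dir", d, "shortcut",
              "n/a" if s is None else format(s, "03o"))
```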
... for a file would cause the system to see all new files as executables.
10 Create a new file called memo in your practice directory
    $ touch ~/practice/memo
11 Remove the read permission for the owner from the file memo in the practice directory. Use either symbolic or octal mode.
    $ chmod u-r ~/practice/memo
    or
    $ chmod 244 ~/practice/memo
What happens when you try to use the cat command to view the memo file?
...
... the memo file?
You cannot copy the file because, as in step 4, the user has no read permission.

Check Your Progress

Before continuing on to the next module, check that you are able to accomplish or answer the following:
• Display file permissions
• Define permission types (read, write, and execute)
• Set and change file permissions using symbolic and octal notation
• Display the umask value of a file or ...

... umask value is to subtract each digit of the umask from the maximum assignable file and directory permissions to determine the octal value of the permissions assigned to newly created files and directories.

    666    Maximum system assignable file permissions
    022    umask value
    644    Octal value of permissions assigned to a newly created file

    777    Maximum system assignable directory permissions
    022    umask value
    ...

... no permissions on this file.
2 Change directory to perm and complete the following table:
    $ cd perm
    $ ls -l
3 Create a new file and a new directory.
What are the default permissions given to the new file? rw-r--r--
What are the default permissions given to the new directory? rwxr-xr-x
4 In a directory with permissions of drwxr-xr , who can perform the following actions with the files shown below? Put...

... Using symbolic mode, add write permission for group to the motd file
    _
6 Using symbolic mode, remove group read on the file dumpdates
    _
7 Using octal mode, change the permissions on the file motd to rwxrw
    _
8 Using octal mode, change the permissions on the file group to add write permission for others
    ...
... newly created file?
    _
    _
10 Create a new file called memo in your practice directory
    _
11 Remove the read permission for the owner from the file memo in the practice directory. Use either symbolic or octal mode.
    _
What happens when you try to use the cat command to view the memo file?
...
... try to copy the memo file?
    _
    _

Workshop Labs

Use what you have learned so far in this course to work through the following:
1 Make a directory containing some of your files available to coworkers in your group but not to others.
2 Create a directory under your home directory called Textfiles.
3 Put a copy of four of the text files from your home ...