Module 4 - File Security

File Security
• Security Overview
• File Ownership
• Access to Files and Directories
• Changing File and Directory Ownership
• Changing File and Directory Access Modes
• Setting Default Access Modes

Security Overview
• The primary function of the system's security is to make sure that only authorized users have access to system resources.
• Standard Unix system security features include:
  • User password
  • File and directory protection with permissions
  • Other features that enable system administrators to check for security breaches

Linux Accounts
• Accounts are a system mechanism that enables all the users in the system to have their own space in the file system and their own unique settings.
• Each user has a unique ID (UID).
• Each user in the system is a part of at least one group.
• Each group has a unique group ID (GID).
• There are three types of users in Unix:
  • Super User - Has unrestricted access to the system. Has UID 0.
  • Regular Users - Usually have access only to their own home directories. UID larger than 500.

User Configuration Files
• The /etc/passwd file is a colon-delimited file in which all the system user accounts are defined.
• Each entry in the file represents a user account:
    user1:x:501:500:user1:/home/user1:/bin/bash
• The /etc/shadow file holds the password encryption information per user:
    user1:Ep6mckrOLChF.:10063:0:99999:7:::

Group configuration file
• The /etc/group file holds group name to GID relations, along with a listing of the users in the group.
• A user can be part of a group in one of two ways:
  • The group number appears in the user's line in /etc/passwd - the group is then called the user's primary group.
  • The user's name appears in the group's line in /etc/group:
    staff:x:500:user3,user4,user5
• Two approaches to determine a new file's group:
  • AT&T approach - The primary group the user belongs to determines the group ownership of new files.
  • BSD approach - Group ownership is given to the group that owns the directory in which the file is being created.

File Ownership
• Each file and directory is owned by a single user and belongs to a single group.
• User and group ownership are assigned at the time the file is created.
• It is important to remember that user ownership and group ownership are distinct: it is possible that the user who owns a file is not a member of the group that owns it.

Directory and File Access Modes
    File-type   Owner   Group   Others   filename
    d/l/-       rwx     rwx     rwx      file.txt

    # ls -l /etc/passwd
    -rw-r--r-- 1 root root 2232 Feb 21 2011 /etc/passwd

Changing File and Directory Access Modes
• Only the file owner (and the super user) may change access modes for files and directories.
• Use the chmod command in order to change the access modes for files and directories.
• There are two modes of operation with the chmod command:
  • Symbolic mode - uses combinations of letters and symbols to add, remove or set permissions for the various types of users.
  • Octal mode - uses octal numbers to represent file permissions.
    Octal mode is also referred to as absolute or numeric mode.

Symbolic Mode
• The chmod command
• ugo (user, group, others)
• +=- (give, set equal or take)
• rwx (read, write, execute)
    # chmod g+rx /home/avi
    # chmod ugo=rwx /tmp

Octal (Absolute) Mode
• Command format: chmod octalmode filename(s)
• Octal modes are:
  • Read access = 4
  • Write access = 2
  • Execute access = 1
• Any combination and manipulation of these numbers would set the permissions for the user, group and others:
  • 644 = rw-r--r--
  • 755 = rwxr-xr-x
  • 751 = rwxr-x--x
  • 777 = rwxrwxrwx

Setting Default Access Mode with umask
• Linux umask base modes:
  • file base mode 0666
  • directory base mode 0777
• new file mode = base-mode - umask
  • files:       0644 = 0666 - 0022
  • directories: 0755 = 0777 - 0022

Setting Default Access Mode with umask
• The umask filter determines the default permissions for new files and directories.
• Display your umask:
    # umask
    0022
• The first digit of a mode (0750, for example) is used to specify some special bits (e.g. set-user-ID, set-group-ID, and the "sticky bit").
• Try:
    # umask -S
    # umask 777

Remember!
• File level security is composed of user authentication and permissions.
• Users are defined by names and groups in the /etc/passwd, /etc/shadow and /etc/group files.
• Files of all types have user, group and other permissions of read, write and execute.
• The meaning of those permissions is a bit different for files and directories.
• File ownership and mode can be changed by the owner and by root.
• File default permissions can be set using umask.

Changing Ownership
• Only the owner of the file and root can change ownership.
• Changing ownership is done with the chown command:
    # chown new-owner:new-group filename
    # chown anat:ort /etc/passwd
• Change a directory and its content recursively with -R:
    # chown -R anat:public /tmp

Users
    # useradd - Adding a new user (use passwd to change the user password, or usermod)
    # usermod - Changing a user
    # userdel - Deleting a user
• Let's look at /etc/passwd

Groups
    # groupadd - Add a new group
    # groupmod - Change a group
    # groupdel - Deleting a group
• Let's look at /etc/group

Exercises
1. Create 5 different users.
2. Create 3 new groups.
3. Change the new users' home directory to /tmp.
4. Change the UID of the new users to 10001/2/3/4/5.
5. Change the GID of the 3 new groups to 2001/2/3.
6. Add all 5 users to the 3 new groups without changing the default group.
7. Use the useradd command and in one line add a new user, grant him a password, set his home directory to /tmp and make him a member of all 3 groups.

Exercises
• Write the command line using letters with chmod to set the following permissions:
    rwxrwxr-x :
    rwxr--r-- :
    r--r----- :
    rwxr-xr-x :
    rwxr-xr-x :
    r-x--x--x :
    -w-r----x :
    -----xrwx :

Exercises
• Write the command line using octal numbers with chmod to set the following permissions:
    rwxrwxrwx :
    --x--x--x :
    r---w---x :
    -w------- :
    rw-r----- :
    rwx--x--x :

Exercises
• With the following umask values, what would be the file and directory creation permissions?
    umask = 0027   File permissions:   Directory permissions:
    umask = 0011   File permissions:   Directory permissions:
    umask = 0541   File permissions:   Directory permissions:
    umask = 0777   File permissions:   Directory permissions:
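As an added worked example (not from the slides), here is a small Python model of the chmod symbolic and octal modes and of the umask rule from the slides above, which can be used to check the answers to the chmod and umask exercises. It uses only the standard library, and it applies the umask as a bitwise clear (base & ~umask), which is what the kernel does and which agrees with the slide's "base - umask" only while every umask digit is covered by the corresponding base digit (compare umask 0541 in the last exercise).

```python
import re

BITS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}   # bit position of each permission triplet


def mode_to_rwx(mode):
    """0o751 -> 'rwxr-x--x' (permission bits only, special bits ignored)."""
    out = ""
    for shift in (6, 3, 0):
        trip = (mode >> shift) & 7
        out += "".join(c if trip & b else "-" for c, b in BITS.items())
    return out


def rwx_to_mode(rwx):
    """'rw-r-----' -> 0o640; the inverse of mode_to_rwx."""
    mode = 0
    for i, ch in enumerate(rwx):
        if ch != "-":
            mode |= BITS[ch] << (6 - 3 * (i // 3))
    return mode


def apply_symbolic(mode, spec):
    """Apply chmod symbolic clauses such as 'g+rx' or 'ugo=rwx,o-w' to mode.
    Simplification (assumption): an empty or 'a' who-list means 'ugo'; the
    real chmod additionally honours the umask for an empty who-list."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwx]*)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        who, op, perms = m.groups()
        bits = sum(BITS[p] for p in perms)
        for w in ("ugo" if who in ("", "a") else who):
            shifted = bits << SHIFT[w]
            if op == "+":
                mode |= shifted
            elif op == "-":
                mode &= ~shifted
            else:                      # '=' replaces the whole triplet
                mode = (mode & ~(7 << SHIFT[w])) | shifted
    return mode & 0o777


def default_modes(umask):
    """(new file mode, new directory mode) for a given umask.
    Uses base & ~umask; the slide's 'base - umask' gives the same answer for
    0022 or 0027 but not for a mask like 0541 (no borrow across digits)."""
    return 0o666 & ~umask & 0o777, 0o777 & ~umask & 0o777
```

For the exercises, print mode_to_rwx(default_modes(0o541)[0]) to see the file mode the kernel would actually assign.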