Security basics, Part 1

RELATED TOPICS

Unix Insider –

Security is always an issue in multiuser computing systems. Unix provides a rich set of security options, and this month we begin a three-part security series by exploring some basics.

As a true multiuser, multitasking operating system, Unix has a fairly sophisticated method for setting file and directory permissions.

The

<font face="Courier">chmod</font>
command is simple once you've grasped the basics. To understand it, let's start with a small directory listing that can be generated by the
<font face="Courier">ls -l</font>
command.

<font face="Courier">
$ ls -l 
  drwxrwxr-x    1 mob      wp    2018 Aug 30 23:45 adir 
  -rw-rw-r--    1 mob      wp    8755 Aug 30 23:37 picture.gif 
  -rwxrwxr-x    1 mob      wp    8525 Sep  4 02:48 command.sh 
 
$ 
</font>

The permissions are indicated by a series of letters on the left-hand side of the listing. The first character indicates the type of the entry. For our purposes, the first character will be either a dash (

<font face="Courier">-</font>
) to indicate that the entry is a file or a
<font face="Courier">d</font>
to indicate that it's a directory.

After the initial character, a series of

<font face="Courier">rwx</font>
s (or the absence of the same) on the left side of the listing indicates the access permissions for that file or entry.

The nine characters after the initial entry-type indicator are broken into three groups, each containing three characters. Each group of three from left to right indicates the permissions given to the owner, group, and others, respectively.

An

<font face="Courier">r</font>
indicates that read permission is given to the user who owns the file, group the owner belongs to, or the rest of the world. An
<font face="Courier">r</font>
allows a file to be read, and a directory to be listed with
<font face="Courier">ls</font>
and related utilities. A
<font face="Courier">w</font>
indicates write permission. If this is an entry for a directory,
<font face="Courier">w</font>
means that new files can be created within it.

In the following example, the owner,

<font face="Courier">mob</font>
, has read and write permissions on
<font face="Courier">picture.gif</font>
. The group
<font face="Courier">wp</font>
has read permission only, and no other permissions are given.

<font face="Courier">
$ ls -l 
  -rw-r-----    1 mob      wp    8755 Aug 30 23:37 picture.gif 
 
$ 
</font>

An

<font face="Courier">x</font>
indicates execute permission for executable files, and search permission for directories.

In the following example

<font face="Courier">mob</font>
members of the group
<font face="Courier">wp</font>
, and all others have search permission for
<font face="Courier">adir</font>
.

<font face="Courier">
$ ls -l 
  drwxrwxr-x    1 mob      wp    2018 Aug 30 23:45 adir 
  -rw-rw-r--    1 mob      wp    8755 Aug 30 23:37 picture.gif 
  -rwxrwxr-x    1 mob      wp    8525 Sep  4 02:48 command.sh 
 
$ 
</font>

An

<font face="Courier">x</font>
permission on a standard data file has no effect.

To change the permissions on a file, use

<font face="Courier">chmod</font>
, followed by the permissions you want to change and the file name. A permission is expressed as a one-character identifier that signifies (
<font face="Courier">u</font>
)ser, (
<font face="Courier">g</font>
)roup, (
<font face="Courier">o</font>
)thers, or (
<font face="Courier">a</font>
)ll, followed by
<font face="Courier">+</font>
,
<font face="Courier">-</font>
, or
<font face="Courier">=</font>
, meaning add, remove, or set, respectively. After these characters, add one or more of the following permissions:
<font face="Courier">r</font>
,
<font face="Courier">w</font>
, or
<font face="Courier">x</font>
. The permission strings should look something like the following examples:

<font face="Courier">
u+rw 
a-w 
o+x 
a=rwx 
</font>

Some more examples are shown below. Line 3 adds write privileges to group, line 6 removes write privileges, and line 9 adds read privileges for others. Line 12 sets privileges for others to write only. In line 14, the

<font face="Courier">r</font>
has disappeared and the
<font face="Courier">w</font>
has appeared. Line 15 removes read and write privileges for all; note the result at line 17. Line 18 uses
<font face="Courier">ug+rw</font>
to add read and write privileges for both user and group.

<font face="Courier">
1  $ ls -l 
2    -rw-r-----    1 mob      wp    8755 Aug 30 23:37 picture.gif 
3  $ chmod g+w picture.gif 
4  $ ls -l 
5    -rw-rw----    1 mob      wp    8755 Aug 30 23:37 picture.gif 
6  $ chmod u-w picture.gif 
7  $ ls -l 
8    -r--rw----    1 mob      wp    8755 Aug 30 23:37 picture.gif 
9  $ chmod o+r picture.gif 
10 $ ls -l 
11   -r--rw-r--    1 mob      wp    8755 Aug 30 23:37 picture.gif 
12 $ chmod o=w picture.gif 
13 $ ls -l 
14   -r--rw--w-    1 mob      wp    8755 Aug 30 23:37 picture.gif 
15 $ chmod a-rw picture.gif 
16 $ ls -l 
17   ----------    1 mob      wp    8755 Aug 30 23:37 picture.gif 
18 $ chmod ug+rw picture.gif 
19 $ ls -l 
20   -rw-rw----    1 mob      wp    8755 Aug 30 23:37 picture.gif 
$ 
</font>

User and group categories

In a Unix system, a user is a member of a higher-echelon grouping, simply called a group. Some common groups on Unix systems are

<font face="Courier">root</font>
,
<font face="Courier">admin</font>
,
<font face="Courier">users</font>
, and
<font face="Courier">mail</font>
.

<font face="Courier">superuser</font>
and
<font face="Courier">root</font>
would be members of the
<font face="Courier">root</font>
group. Users that have administrative access to backup, restore, and mount operations might be placed in the
<font face="Courier">admin</font>
group. Whoever handles the mail system might be in the
<font face="Courier">mail</font>
group. The remaining mortals would be in the
<font face="Courier">users</font>
group.

A user is given a new group when first created. To see your group, type the following command, using your login where I have

<font face="Courier">mob</font>
in the command.

<font face="Courier">
cat /etc/passwd|grep mob 
mob:x:537:500::/home/mob/:/bin/ksh 
$ 
</font>

The first field,

<font face="Courier">mob</font>
, is the login ID. The second field,
<font face="Courier">x</font>
, is the encrypted password, which will appear as an
<font face="Courier">x</font>
or an unreadable character. The third field is your user ID, the value returned when you type
<font face="Courier">id</font>
and press enter. The fourth field,
<font face="Courier">500</font>
, is the group ID. Keep that number written down, and search in your group file to find out which group is
<font face="Courier">500</font>
and who the members of that group are. In this example,
<font face="Courier">wp</font>
is group
<font face="Courier">500</font>
and is password protected. The members of the
<font face="Courier">wp</font>
group are
<font face="Courier">mob</font>
and
<font face="Courier">jjk</font>
.

<font face="Courier">
cat /etc/group|grep 500
wp:x:500:mob,jjk 
$ 
</font>

If you want to see all the groups you're in, repeat the command but

<font face="Courier">grep</font>
out your user ID. In this example,
<font face="Courier">mob</font>
shows up in the groups
<font face="Courier">wp</font>
,
<font face="Courier">accounting</font>
, and
<font face="Courier">admin</font>
.

<font face="Courier">
cat /etc/group|grep mob 
wp:x:500:mob,jjk 
accounting:x:512:mob,jan,ded 
admin:x:mob,root 
$ 
</font>

When you first log in, you're set to the default group specified in your

<font face="Courier">/etc/passwd</font>
file.

When you create a new file and then

<font face="Courier">ls -l</font>
it, you'll find it's assigned to you as owner and your default group as a group.

This example uses

<font face="Courier">touch</font>
to create an empty file, and then displays the directory entry.

<font face="Courier">
$ touch newfile 
$ ls -l 
  -rw-rw-r--    1 mob      wp    0 Sep 22 23:37 newfile 
 
$ 
</font>

You may change to a new group if you're a member of that group by using

<font face="Courier">newgrp</font>
. If the group is password protected, you'll be asked for a password. Once you've changed to the new group, if you create a new file, it will be owned by the new group.

<font face="Courier">
newgrp accounting 
$ touch nextfile 
$ ls -l 
  -rw-rw-r--    1 mob    wp           0 Sep 22 23:37 newfile 
  -rw-rw-r--    1 mob    accounting   0 Sep 22 23:37 nextfile 
 
$ 
</font>

As an exercise, you should create a new file with

<font face="Courier">vi</font>
and put a couple of lines into it. Close the file and change permissions by adding and subtracting read and write privileges from user, group, and others. Try to edit the file. If you can get your hands on another user login that's not part of your group, try logging in as that person and editing the file.

Here are some general rules. Start with a file that has read and write privileges for all users,

<font face="Courier">-rw-rw-rw-</font>
; anyone should be able to edit the file. If you
<font face="Courier">chmod o-rw</font>
to
<font face="Courier">-rw-rw----</font>
, only you and members of your group will be able to edit it. If you
<font face="Courier">chmod g-rw</font>
to
<font face="Courier">-rw-------</font>
, only you can edit the file. If you
<font face="Courier">chmod u-w</font>
to
<font face="Courier">-r--------</font>
, only you can view the document, but you cannot change it or delete it.

Try some similar experiments with a directory. Anyone can read, write (create new files), or search in a directory with a privilege string of

<font face="Courier">drwxrwxrwx</font>
. A more typical string for a directory would be
<font face="Courier">drwxrwxr-x</font>
, indicating that you and your group have full access, while other users can only read and search. A very secured directory might be set up as
<font face="Courier">dr--------</font>
, allowing only the owner to read the directory.

RELATED TOPICS
What’s wrong? The new clean desk test
View Comments
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies