Security basics, Part 2

Unix Insider –

While everyone knows that computers are binary, not many people understand the numbering systems that represent the binary numbers stored in computers, or the notational conventions used for displaying this information.

This may be a teensy bit painful, but I need to cover it to further explain setting file modes. If you understand binary numbering, feel free to skip ahead.

Binary numbers

An odometer in an automobile measures mileage by wheels that rotate through the digits 0 to 9. Each time a wheel completes a revolution from 0 through 9 and back to 0, it trips the wheel to its left up one position. When that wheel reaches 9 and is tripped over to 0, it increments the next wheel to its left.

Now imagine that each wheel in your odometer only had the digits 0 and 1. The first wheel would increment from 0 to 1 and back to 0 again. As it rotated back to 0, it would trip the wheel to the left over to 1. Wheel 1 would again spin through 1 and back to 0, and this time it would trip wheel 2 over to 0. This would trip wheel 3 over to 1. The following illustrates the sequence of positions for our wheels. The wheel positions are numbered down the left-hand side so that position 0 is 0000, position 1 is 0001, position 2 is 0010, and so on.

<font face="Courier">
wheel ->   4  3  2  1 
 
position 
   0       0  0  0  0 
   1       0  0  0  1 
   2       0  0  1  0 
   3       0  0  1  1 
   4       0  1  0  0 
   5       0  1  0  1 
   6       0  1  1  0 
   7       0  1  1  1 
   8       1  0  0  0 
   9       1  0  0  1 
  10       1  0  1  0 
  11       1  0  1  1 
  12       1  1  0  0 
  13       1  1  0  1 
  14       1  1  1  0 
  15       1  1  1  1 
</font>
Figure 1. Binary notation

Here are some basics to keep in mind:

  • A byte of computer data is made up of 8 bits, which could be represented by eight wheels.
  • All information in a computer is stored as accumulations of bits and bytes.
  • A byte of data might represent a single character or eight separate flags. Two bytes could be strung together to hold 16 separate flags.

Hexadecimal notation

You could represent the value in a byte by writing out all of the 0s and 1s on each wheel (e.g., 01001101), but that would be cumbersome. Hexadecimal notation is a convenient way of representing the values in a byte with two characters. The characters used are the numbers 0 through 9 and the letters A through F. Figure 2 illustrates how a single hexadecimal digit can represent 4 bits.

<font face="Courier">
wheel ->   4  3  2  1 
 
position                  Hex 
   0       0  0  0  0      0 
   1       0  0  0  1      1 
   2       0  0  1  0      2 
   3       0  0  1  1      3 
   4       0  1  0  0      4 
   5       0  1  0  1      5 
   6       0  1  1  0      6 
   7       0  1  1  1      7 
   8       1  0  0  0      8 
   9       1  0  0  1      9 
  10       1  0  1  0      A 
  11       1  0  1  1      B 
  12       1  1  0  0      C 
  13       1  1  0  1      D 
  14       1  1  1  0      E 
  15       1  1  1  1      F 
</font>
Figure 2. Binary numbers and their hexadecimal equivalents

The 8 bits of a byte are frequently represented by grouping the bits into two collections of 4 bits each, then representing each of these with a hexadecimal digit. In our case, the number 00101101 becomes 0010 1101, and that, in turn, becomes 2D.

Octal notation

Hexadecimal notation represents bits in groups of four. Octal notation slices a byte and represents it in groups of three, as shown in Figure 3.

<font face="Courier">
wheel ->   3  2  1 
 
position               Oct 
   0       0  0  0      0 
   1       0  0  1      1 
   2       0  1  0      2 
   3       0  1  1      3 
   4       1  0  0      4 
   5       1  0  1      5 
   6       1  1  0      6 
   7       1  1  1      7 
</font>
Figure 3. Octal notation

Using this technique, 00111101 becomes 00 111 101 which, in turn, becomes 075 in octal notation. A byte only has 8 bits, so the highest 2 bits are presented as if they had a leading 0, and 10111101 becomes 010 111 101, or 275 in octal. In fact, longer strings of bits can be represented by longer hexadecimal or octal notation. The 16 bits of 2 bytes, 00101011 10010110, become 0010 1011 1001 0110, which can be represented as 2B96 in hexadecimal. If you divide the number into groups of 3 bits and add two extra 0s to the beginning, you get 000 010 101 110 010 110, or 025626 in octal.

The mode bits

From last month's article, you know that the

<font face="Courier">ls -l</font>
mode bits are displayed (from left to right) as read, write, and execute for owner; read, write, and execute for group; and read, write, and execute for other.

<font face="Courier">
-rwxrwxr-x    1 mob      wp    2018 Aug 30 23:45 afile 
</font>

These nine flags are actually saved as 9 mode bits (a byte plus part of another), and the mode bits can be represented by the octal notation for that bit pattern.

The above flags represent a bit pattern of 111111101 or 111 111 101, and can be expressed as 775. If you wanted to set those exact permissions for the file, you would use the following command:

<font face="Courier">
$ chmod 775 afile 
$ ls -l 
-rwxrwxr-x    1 mob      wp    2018 Aug 30 23:45 afile 
</font>

Figure 4 shows several examples of directly setting mode bits using octal notation. The last example makes the file read only.

<font face="Courier">
$ chmod 775 afile 
$ ls -l 
-rwxrwxr-x    1 mob      wp    2018 Aug 30 23:45 afile 
$ chmod 770 afile 
$ ls -l 
-rwxrwx---    1 mob      wp    2018 Aug 30 23:45 afile 
$ chmod 750 afile 
$ ls -l 
-rwxr-x---    1 mob      wp    2018 Aug 30 23:45 afile 
$ chmod 740 afile 
$ ls -l 
-rwxr-----    1 mob      wp    2018 Aug 30 23:45 afile 
$ chmod 444 afile 
$ ls -l 
-r--r--r--    1 mob      wp    2018 Aug 30 23:45 afile 
</font>
Figure 4. Setting mode bits using octal notation

In fact, there are 3 more bits available for controlling the mode of files and directories, but these display in different ways. Two of the bits apply to files, and one to directories.

The first bit controls the set user ID property of an executable program or shell script. When a program or script has this bit set and is executed, the script assumes the privileges of the owner of the script. The purpose of this mode would be to provide something like a backup script. The script owner would be

<font face="Courier">root</font>
and
<font face="Courier">root</font>
would have the privileges needed to back up all files, but the script could be executed by any backup operator who wouldn't need to be given
<font face="Courier">root</font>
privileges in order to run the backup.

The second bit controls the same feature for the group. The program or script acquires the privileges of the group that owns the file.

The third bit controls the behavior of directories and is popularly called the stick bit. When this bit is set on a directory, the only people who can delete or rename files from that directory are

<font face="Courier">root</font>
and the owner of the directory, regardless of any other permission a user's been granted. This is frequently used on temporary and work directories where many users need to be able to write to the directory, but where no one should be allowed to rename or delete anyone else's files.

These 3 bits are added at the front of the 9-bit bit pattern for access permission, creating a 12-bit pattern. In Figure 5, the first command prevents anyone but

<font face="Courier">root</font>
or
<font face="Courier">mob</font>
(the directory owner) from deleting or renaming any files in
<font face="Courier">adir</font>
. Note the
<font face="Courier">t</font>
in the final position of the permission string. The second command allows anyone to run the backup script, but when the script runs it has the privileges of
<font face="Courier">root</font>
. Note the
<font face="Courier">s</font>
:

<font face="Courier">
$ chmod 1777 adir 
$ ls -l 
drwxrwxrwt    1 mob      wp    2018 Aug 30 23:45 adir 
$ chmod 4111 backup 
$ ls -l 
---s--x--x    1 root     wp    2018 Aug 30 23:45 backup 
</font>
Figure 5. Using a full 12-bit pattern for permissions

There is a security feature built in to the set user ID bit and set group ID bits that causes the bit to be reset if the file is written or renamed by anyone other than the superuser. This prevents someone from editing a script that has extra privileges, because

<font face="Courier">root</font>
or someone with more privilege owns the script and the set user ID bit is set.

The character representation of these extra 3 bits worth of permission/behavior is handled by cramming their values into the existing permission string with different letters.

The normal state of the owner execute flag is either

<font face="Courier">x</font>
or
<font face="Courier">-</font>
(dash). If the owner has execute permission and the set user ID bit is on, the
<font face="Courier">x</font>
becomes an
<font face="Courier">s</font>
. If the owner does not have execute permission but the set user ID bit is on, the
<font face="Courier">-</font>
becomes an
<font face="Courier">S</font>
, as in Figure 6.

<font face="Courier">
$ chmod 100 backup 
$ ls -l 
---x------    1 root     wp    2018 Aug 30 23:45 backup 
$ chmod 4100 backup 
$ ls -l 
---s------    1 root     wp    2018 Aug 30 23:45 backup 
$ chmod 4000 backup 
$ ls -l 
---S------    1 root     wp    2018 Aug 30 23:45 backup 
</font>
Figure 6. The difference between s and S for a file owner

The normal state of the group execute flag is either

<font face="Courier">x</font>
or
<font face="Courier">-</font>
. If the group has execute permission and the set group ID bit is on, the
<font face="Courier">x</font>
becomes an
<font face="Courier">s</font>
. If the group does not have execute permission but the set group ID bit is on, the
<font face="Courier">-</font>
becomes an
<font face="Courier">S</font>
, as in Figure 7.

<font face="Courier">
$ chmod 010 backup 
$ ls -l 
------x---    1 root     wp    2018 Aug 30 23:45 backup 
$ chmod 2010 backup 
$ ls -l 
------s---    1 root     wp    2018 Aug 30 23:45 backup 
$ chmod 2000 backup 
$ ls -l 
------S---    1 root     wp    2018 Aug 30 23:45 backup 
</font>
Figure 7. The difference between s and S for a file owner's group

The normal state of the execute flag for others for a directory is either

<font face="Courier">x</font>
, indicating that others can search the directory, or
<font face="Courier">-</font>
, indicating that they cannot. If others have search permission and the sticky bit is on, the
<font face="Courier">x</font>
becomes a
<font face="Courier">t</font>
. If others don't have search permission but the sticky bit is on, the
<font face="Courier">-</font>
becomes a
<font face="Courier">T</font>
.

<font face="Courier">
$ chmod 001 adir 
$ ls -l 
d--------x    1 root     wp    2018 Aug 30 23:45 adir 
$ chmod 1001 adir 
$ ls -l 
d--------t    1 root     wp    2018 Aug 30 23:45 adir 
$ chmod 1000 adir 
$ ls -l 
d--------T    1 root     wp    2018 Aug 30 23:45 adir 
</font>
Figure 8. The difference between t and T

Now you have two ways to set up the modes for a file and directory, and three extra security permissions to control the access level of executable programs and protect files within a directory from being deleted or renamed.

Related:
ITWorld DealPost: The best in tech deals and discounts.
  
Shop Tech Products at Amazon