The default Linux file security is controlled through the following settings for each file or directory:
- User ownership
- Group ownership
- Read, write, execute permissions for the owner
- Read, write, execute permissions for the group
- Read, write, execute permissions for others (everyone else)
How to view ownerships and permissions in Linux
You can see settings related to ownership and permissions for a file when you look at a detailed listing with thels -l
command. For example, in Ubuntu, type the following command to see the detailed listing of the /etc/inittab
file:
ls -l /etc/inittabThe resulting listing looks something like this:
-rw-r--r-- 1 root root 1666 Feb 16 07:57 /etc/inittabThe first set of characters describes the file permissions for user, group, and others. The third and fourth fields show the user and group that own this file. In this case, user and group names are the same:
root
.
How to change file ownerships in Linux
You can set the user and group ownerships with thechown
command. If the file /dev/hda
should be owned by the user root
and the group disk
, you type the following command as root
to set up this ownership:
chown root.disk /dev/hdaTo change the group ownership alone, use the
chgrp
command. Here’s how you can change the group ownership of a file from whatever it was earlier to the group named accounting
:
chgrp accounting ledger.out
How to change file permissions in Linux
Use thechmod
command to set the file permissions. To use chmod
effectively, you have to specify the permission settings. One way is to concatenate one or more letters from each column of the table below, in the order shown in the table (Who/Action/Permission).
Who | Action | Permission |
u (user) | + (add) | r (read) |
g (group) | - (remove) | w (write) |
o (others) | = (assign) | x (execute) |
a (all) | s (set user ID) |
Another way to specify a permission setting is to use a three-digit sequence of numbers. In a detailed listing, the read, write, and execute permission settings for the user, group, and others appear as the sequence
rwxrwxrwxwith dashes in place of letters for disallowed operations. Think of
rwxrwxrwx
as being three occurrences of the string rwx
. Now assign the values r
=4, w
=2, and x
=1. To get the value of the sequence rwx
, simply add the values of r
, w
, and x
. Thus, rwx = 7
. With this formula, you can assign a three-digit value to any permission setting. If the user can read and write the file but everyone else can only read the file, for example, the permission setting is rw-r--r--
, and the value is 644. Thus, if you want all files in a directory to be readable by everyone but writable only by the user, use the following command:
chmod 644 *
How to set default permission in Linux
What permission setting does a file get when you (or a program) create a new file? The answer is in what is known as the user file-creation mask, which you can see and set by using theumask
command.Type umask, and the command prints a number showing the current file-creation mask. For the root
user, the mask is set to 022
, whereas the mask for other users is 002
. To see the effect of this file-creation mask and to interpret the meaning of the mask, follow these steps:
- Log in as
root
, and type the following command:touch junkfileThis command creates a file named
junkfile
with nothing in it. - Type ls -l junkfile to see that file’s permissions.
You see a line similar to the following:
-rw-r--r-- 1 root root 0 Aug 24 10:56 junkfile
Interpret the numerical value of the permission setting by converting each three-letter permission in the first field (excluding the first letter) to a number between 0 and 7. For each letter that’s present, the first letter gets a value of 4, the second letter is 2, and the third is 1.rw-
translates to 4+2+0 (because the third letter is missing), or 6. Similarly,r--
is 4+0+0 = 4. Thus, the permission string-rw-r--r--
becomes 644. - Subtract the numerical permission setting from 666.
What you get is the
umask
setting. In this case, 666 – 644 results in aumask
of 022. Thus, aumask
of 022 results in a default permission setting of 666 – 022 = 644. When you rewrite 644 in terms of a permission string, it becomesrw-r--r--
.
umask
, type umask followed by the numerical value of the mask. Here’s how you go about it:
- Figure out what permission settings you want for new files.
If you want new files that can be read and written only by the owner and no one else, the permission setting looks like this:rw-------
- Convert the permissions to a numerical value by using the conversion method that assigns 4 to the first field, 2 to the second, and 1 to the third.
Thus, for files that are readable and writable only by their owner, the permission setting is 600.
- Subtract the desired permission setting from 666 to get the value of the mask.
For a permission setting of 600, the mask becomes 666 – 600 = 066.
- Use the
umask
command to set the file-creation mask by typing umask 066.
A default umask
of 022 is good for system security because it translates to files that have read and write permission for the owner and read permissions for everyone else. The bottom line is that you don’t want a default umask
that results in files that are writable by the whole world.
How to check for set user ID permission in Linux
Another permission setting can be a security hazard. This permission setting, called the set user ID (orsetuid
and/or suid
for short), applies to executable files. When the suid
permission is enabled, the file executes under the user ID of the file’s owner.In other words, if an executable program is owned by root
and the suid
permission is set, the program runs as though root
is executing it, no matter who executed the program. The suid
permission means that the program can do a lot more (such as read all files, create new files, and delete files) than a normal user program can do. Another risk is that if a suid
program file has a security hole, crackers can do a lot more damage through such programs than through other vulnerabilities.
You can find all suid
programs with a simple find
command:
find / -type f -perm +4000
You see a list of files such as the following:
/bin/su /bin/ping /bin/eject /bin/mount /bin/ping6 /bin/umount /opt/kde4/bin/fileshareset /opt/kde4/bin/artswrapper /opt/kde4/bin/kcheckpass … lines deleted …Many of the programs have the
suid
permission because they need it, but you should check the complete list to make sure that it contains no strange suid
programs (such as suid
programs in a user’s home directory).If you type ls -l /bin/su, you see the following permission settings:
-rwsr-xr-x 1 root root 25756 Aug 19 17:06 /bin/suThe
s
in the owner’s permission setting (-rws
) tells you that the suid
permission is set for the /bin/su
file, which is the executable file for the su
command that you can use to become root
or another user.