How to Protect Files and Directories in Linux

By Emmett Dulaney

One important aspect of securing the host is protecting important system files — and the directories on your Linux system that contain these files. In Linux, you can protect the files through file ownership and the permission settings that control who can read, write, or (in the case of executable programs) execute the file.

The default Linux file security is controlled through the following settings for each file or directory:

  • User ownership
  • Group ownership
  • Read, write, execute permissions for the owner
  • Read, write, execute permissions for the group
  • Read, write, execute permissions for others (everyone else)

How to view ownerships and permissions in Linux

You can see settings related to ownership and permissions for a file when you look at a detailed listing with the ls -l command. For example, in Ubuntu, type the following command to see the detailed listing of the /etc/inittab file:

ls -l /etc/inittab

The resulting listing looks something like this:

-rw-r--r-- 1 root root 1666 Feb 16 07:57 /etc/inittab

The first set of characters describes the file permissions for user, group, and others. The third and fourth fields show the user and group that own this file. In this case, user and group names are the same: root.

How to change file ownerships in Linux

You can set the user and group ownerships with the chown command, giving the user and the group separated by a colon. If the file /dev/hda should be owned by the user root and the group disk, you type the following command as root to set up this ownership:

chown root:disk /dev/hda

(Older documentation writes the separator as a dot, root.disk; GNU chown still accepts that form for compatibility, but the colon is the documented syntax.)

To change the group ownership alone, use the chgrp command. Here’s how you can change the group ownership of a file from whatever it was earlier to the group named accounting:

chgrp accounting ledger.out

How to change file permissions in Linux

Use the chmod command to set the file permissions. To use chmod effectively, you have to specify the permission settings. One way is to concatenate one or more letters from each column of the table below, in the order shown in the table (Who/Action/Permission).

File Permission Codes

  Who          Action         Permission
  u (user)     + (add)        r (read)
  g (group)    - (remove)     w (write)
  o (others)   = (assign)     x (execute)
  a (all)                     s (set user ID)

To give everyone read and write access to all files in a directory, type chmod a+rw *. To permit everyone to execute a specific file, type chmod a+x filename.

Another way to specify a permission setting is to use a three-digit sequence of numbers. In a detailed listing, the read, write, and execute permission settings for the user, group, and others appear as the sequence

rwxrwxrwx

with dashes in place of letters for disallowed operations. Think of rwxrwxrwx as being three occurrences of the string rwx. Now assign the values r=4, w=2, and x=1. To get the value of the sequence rwx, simply add the values of r, w, and x. Thus, rwx = 7. With this formula, you can assign a three-digit value to any permission setting. If the user can read and write the file but everyone else can only read the file, for example, the permission setting is rw-r--r--, and the value is 644. Thus, if you want all files in a directory to be readable by everyone but writable only by the user, use the following command:

chmod 644 *
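The rwx-to-number rule above, and the reverse rule you apply when reading an ls -l listing, written as a runnable script. This is an added example, not code from the original article. It goes one step further than the text: an s or t in an execute position is folded into a leading fourth digit (setuid 4, setgid 2, sticky 1), so the -rwsr-xr-x field shown later for /bin/su converts to 4755. The function names perm_to_octal and octal_to_perm and the sample fields are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Converts between the
# nine-character permission field that `ls -l` prints and the octal number
# that chmod accepts, in both directions. An s/S or t/T in an execute
# position becomes a leading fourth digit: setuid 4, setgid 2, sticky 1.

# perm_to_octal FIELD: FIELD is "rwxrwxrwx" style, optionally with the
# leading file-type character from `ls -l` (which is dropped).
perm_to_octal() {
    p=$1
    [ "${#p}" -eq 10 ] && p=${p#?}            # drop "-", "d", "l", ...
    if [ "${#p}" -ne 9 ]; then
        echo "perm_to_octal: expected 9 or 10 characters, got '$1'" >&2
        return 1
    fi
    special=0
    digits=""
    # Each triple may also carry one special bit: user triple -> setuid (4),
    # group triple -> setgid (2), others triple -> sticky (1).
    for sbit in 4 2 1; do
        value=0
        for weight in 4 2 1; do                # r=4, w=2, x=1
            c=${p%"${p#?}"}                    # first remaining character
            p=${p#?}                           # consume it
            case $c in
                '-')   ;;
                r|w|x) value=$((value + weight)) ;;
                s|t)   value=$((value + weight)); special=$((special + sbit)) ;;
                S|T)   special=$((special + sbit)) ;;   # special bit, x not set
                *)     echo "perm_to_octal: bad character '$c' in '$1'" >&2; return 1 ;;
            esac
        done
        digits="$digits$value"
    done
    [ "$special" -ne 0 ] && digits="$special$digits"
    printf '%s\n' "$digits"
}

# octal_to_perm NUMBER: NUMBER is three octal digits, or four when a
# special bit is present (4755 -> "rwsr-xr-x").
octal_to_perm() {
    n=$1
    case $n in
        [0-7][0-7][0-7])      special=0 ;;
        [0-7][0-7][0-7][0-7]) special=${n%???}; n=${n#?} ;;
        *) echo "octal_to_perm: expected 3 or 4 octal digits, got '$1'" >&2; return 1 ;;
    esac
    field=""
    for sbit in 4 2 1; do
        d=${n%"${n#?}"}; n=${n#?}              # next digit
        if [ $((d & 4)) -ne 0 ]; then field="${field}r"; else field="${field}-"; fi
        if [ $((d & 2)) -ne 0 ]; then field="${field}w"; else field="${field}-"; fi
        if [ $((special & sbit)) -ne 0 ]; then
            # special bit set: lowercase when x is also set, uppercase when not
            if [ "$sbit" -eq 1 ]; then ch=t; else ch=s; fi
            [ $((d & 1)) -eq 0 ] && ch=$(printf '%s' "$ch" | tr st ST)
        elif [ $((d & 1)) -ne 0 ]; then
            ch=x
        else
            ch=-
        fi
        field="$field$ch"
    done
    printf '%s\n' "$field"
}

# Worked examples from the text (constructed input fields):
for f in -rw-r--r-- rwxrwxrwx rw------- -rwsr-xr-x; do
    printf '%-11s -> %s\n' "$f" "$(perm_to_octal "$f")"
done
for n in 644 600 4755; do
    printf '%-11s -> %s\n' "$n" "$(octal_to_perm "$n")"
done
```

Both functions work on the field exactly as ls prints it, so you can paste the first column of a listing straight in; a field of the wrong length or with a stray character is rejected rather than silently mis-scored.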

How to set default permission in Linux

What permission setting does a file get when you (or a program) create a new file? The answer is in what is known as the user file-creation mask, which you can see and set by using the umask command.

Type umask, and the command prints a number showing the current file-creation mask. For the root user, the mask is set to 022, whereas the mask for other users is 002. To see the effect of this file-creation mask and to interpret the meaning of the mask, follow these steps:

  1. Log in as root, and type the following command:

    touch junkfile

    This command creates a file named junkfile with nothing in it.

  2. Type ls -l junkfile to see that file’s permissions. 

    You see a line similar to the following:

    -rw-r--r-- 1 root root 0 Aug 24 10:56 junkfile

    Interpret the numerical value of the permission setting by converting each three-letter permission in the first field (excluding the first letter) to a number between 0 and 7. For each letter that’s present, the first letter gets a value of 4, the second letter is 2, and the third is 1. rw- translates to 4+2+0 (because the third letter is missing), or 6. Similarly, r-- is 4+0+0 = 4. Thus, the permission string -rw-r--r-- becomes 644.

  3. Subtract the numerical permission setting from 666. 

    What you get is the umask setting. In this case, 666 – 644 results in a umask of 022. Thus, a umask of 022 results in a default permission setting of 666 – 022 = 644. When you rewrite 644 in terms of a permission string, it becomes rw-r--r--.

To set a new umask, type umask followed by the numerical value of the mask. Here’s how you go about it:

  1. Figure out what permission settings you want for new files. 

    If you want new files that can be read and written only by the owner and no one else, the permission setting looks like this: rw-------

  2. Convert the permissions to a numerical value by using the conversion method that assigns 4 to the first field, 2 to the second, and 1 to the third. 

    Thus, for files that are readable and writable only by their owner, the permission setting is 600.

  3. Subtract the desired permission setting from 666 to get the value of the mask. 

    For a permission setting of 600, the mask becomes 666 – 600 = 066.

  4. Use the umask command to set the file-creation mask by typing umask 066.
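The umask arithmetic from the two procedures above as a script that also checks the computed mode against a file actually created under that mask. This is an added example, not code from the original article; the function names (default_mode, default_dir_mode, mask_for_mode, observed_mode, umask_matches) and the scratch-directory approach are assumptions of the example. It also makes one caveat explicit that the subtraction method hides: the kernel clears mask bits with a bitwise operation, 0666 & ~mask, which agrees with 666 - mask only while no digit of the mask contains the execute bit (1). For the common private mask 077 the subtraction would go negative, while the bitwise form gives 600.

```shell
#!/bin/sh
# Added example, not code from the original article. Shows the umask
# arithmetic from the steps above and then checks it against a real file.

# New files start from 0666 and directories from 0777; every bit set in the
# mask is cleared. The article's "666 - mask" gives the same digits as long
# as no mask digit includes the execute bit (1); 077 is the usual example
# where subtraction breaks down while the bitwise form still yields 600.
default_mode()     { printf '%03o\n' $(( 0666 & ~0$1 )); }   # regular files
default_dir_mode() { printf '%03o\n' $(( 0777 & ~0$1 )); }   # directories

# mask_for_mode WANTED: the mask that makes new files get mode WANTED,
# mirroring the article's "666 - wanted" (600 -> 066, 644 -> 022). It is the
# same expression as default_mode because clearing bits is symmetric. Such
# a mask never touches execute bits, so under 066 directories still get 711;
# the usual choice for private files *and* directories is 077.
mask_for_mode() { printf '%03o\n' $(( 0666 & ~0$1 )); }

# file_mode PATH: octal permission bits of PATH (GNU stat, BSD stat fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# observed_mode MASK: create an empty file under umask MASK in a scratch
# directory, print the mode it actually received, then clean up.
observed_mode() {
    scratch=$(mktemp -d) || return 1
    # umask runs in a subshell so the caller's own mask is left untouched
    mode=$( umask "$1" && : > "$scratch/junkfile" && file_mode "$scratch/junkfile" )
    rm -rf "$scratch"
    printf '%s\n' "$mode"
}

# umask_matches MASK: succeed when computed and observed file modes agree
umask_matches() {
    [ "$(default_mode "$1")" = "$(observed_mode "$1")" ]
}

# Masks discussed in the text plus the private mask 077:
for m in 022 002 066 077; do
    printf 'umask %s: files %s, dirs %s, observed %s\n' \
        "$m" "$(default_mode "$m")" "$(default_dir_mode "$m")" "$(observed_mode "$m")"
done
```

observed_mode is the scripted version of the touch junkfile / ls -l check in the steps above; because the umask call happens in a subshell, running the script does not change the mask of your login shell.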

A default umask of 022 is good for system security because it translates to files that have read and write permission for the owner and read permissions for everyone else. The bottom line is that you don’t want a default umask that results in files that are writable by the whole world.

How to check for set user ID permission in Linux

Another permission setting can be a security hazard. This permission setting, called the set user ID (setuid or suid for short), applies to executable files. When the suid permission is enabled, the file executes under the user ID of the file’s owner.

In other words, if an executable program is owned by root and the suid permission is set, the program runs as though root is executing it, no matter who executed the program. The suid permission means that the program can do a lot more (such as read all files, create new files, and delete files) than a normal user program can do. Another risk is that if a suid program file has a security hole, crackers can do a lot more damage through such programs than through other vulnerabilities.

You can find all suid programs with a simple find command (older versions of find spelled the permission test -perm +4000; current GNU find rejects that form, and -perm -4000 means the same thing):

find / -type f -perm -4000

You see a list of files such as the following:

/bin/su
/bin/ping
/bin/eject
/bin/mount
/bin/ping6
/bin/umount
/opt/kde4/bin/fileshareset
/opt/kde4/bin/artswrapper
/opt/kde4/bin/kcheckpass
… lines deleted …

Many of the programs have the suid permission because they need it, but you should check the complete list to make sure that it contains no strange suid programs (such as suid programs in a user’s home directory).
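A small audit script for the check just described, added here as an example (not code from the original article): it lists setuid and setgid files under a root, compares them with a baseline saved on an earlier run so that newly appeared entries stand out, and looks specifically under user-writable trees such as home and temp directories. The function names, the baseline-file mechanism and the constructed sample files in demo() are assumptions of the example; BASELINE_FILE in the usage comment is a placeholder for a path of your choosing.

```shell
#!/bin/sh
# Added example, not code from the original article. A setuid/setgid audit:
# list the privileged binaries under a root, diff them against a baseline
# taken earlier, and look under directories where no legitimate one belongs.

# list_privileged ROOT: "mode owner path" for every regular file under ROOT
# with the setuid or setgid bit, sorted. "-perm -4000" means "all bits of
# 4000 are set", the portable spelling of the older "+4000". A trailing
# "." or "+" on the mode field (SELinux label, ACL) is stripped.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null |
        awk '{ sub(/[.+]$/, "", $1); print $1, $3, $NF }' | sort
}

# new_since_baseline ROOT BASELINE: current entries that are not in BASELINE
# (a file written earlier by list_privileged). A changed mode or owner also
# shows up, since the whole line is compared.
new_since_baseline() {
    list_privileged "$1" | comm -13 "$2" -
}

# in_user_writable_dirs DIR...: privileged files under trees such as /home,
# /tmp or /var/tmp; any line printed deserves a look.
in_user_writable_dirs() {
    for d in "$@"; do
        [ -d "$d" ] && list_privileged "$d"
    done
    true
}

# Typical use on a live host, as root (BASELINE_FILE is a placeholder):
#   list_privileged / > BASELINE_FILE          # once, on a known-good system
#   new_since_baseline / BASELINE_FILE         # later, from cron or a check
#   in_user_writable_dirs /home /tmp /var/tmp

# demo: constructed sample files in a scratch directory, so the script can
# be exercised without touching the real system. Prints the one file that
# gained a privilege bit after the baseline was taken.
demo() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/setuid-tool"; chmod 4755 "$scratch/setuid-tool"   # constructed
    : > "$scratch/plain-tool";  chmod 755  "$scratch/plain-tool"    # constructed
    list_privileged "$scratch" > "$scratch/baseline"
    : > "$scratch/setgid-late"; chmod 2755 "$scratch/setgid-late"   # after baseline
    new_since_baseline "$scratch" "$scratch/baseline"
    rm -rf "$scratch"
}
demo
```

On a real host the normal result of new_since_baseline is empty output; every line it does print is either a package upgrade you can account for or something to investigate, and the baseline should be refreshed only after that review.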

If you type ls -l /bin/su, you see the following permission settings:

-rwsr-xr-x 1 root root 25756 Aug 19 17:06 /bin/su

The s in the owner’s permission setting (-rws) tells you that the suid permission is set for the /bin/su file, which is the executable file for the su command that you can use to become root or another user.