How to Protect Files and Directories in Linux
One important aspect of securing the host is protecting important system files — and the directories on your Linux system that contain these files. In Linux, you can protect the files through file ownership and the permission settings that control who can read, write, or (in the case of executable programs) execute the file.
The default Linux file security is controlled through the following settings for each file or directory:
- User ownership
- Group ownership
- Read, write, execute permissions for the owner
- Read, write, execute permissions for the group
- Read, write, execute permissions for others (everyone else)
How to view ownerships and permissions in Linux
You can see settings related to ownership and permissions for a file when you look at a detailed listing with the
ls -l command. For example, in Ubuntu, type the following command to see the detailed listing of the
ls -l /etc/inittab
The resulting listing looks something like this:
-rw-r--r-- 1 root root 1666 Feb 16 07:57 /etc/inittab
The first set of characters describes the file permissions for user, group, and others. The third and fourth fields show the user and group that own this file. In this case, user and group names are the same:
How to change file ownerships in Linux
You can set the user and group ownerships with the
chown command. If the file
/dev/hda should be owned by the user
root and the group
disk, you type the following command as
root to set up this ownership:
chown root.disk /dev/hda
To change the group ownership alone, use the
chgrp command. Here’s how you can change the group ownership of a file from whatever it was earlier to the group named
chgrp accounting ledger.out
How to change file permissions in Linux
chmod command to set the file permissions. To use
chmod effectively, you have to specify the permission settings. One way is to concatenate one or more letters from each column of the table below, in the order shown in the table (Who/Action/Permission).
|u (user)||+ (add)||r (read)|
|g (group)||– (remove)||w (write)|
|o (others)||= (assign)||x (execute)|
|a (all)||s (set user ID)|
To give everyone read and write access to all files in a directory, type chmod a+rw *. To permit everyone to execute a specific file, type chmod a+x filename.
Another way to specify a permission setting is to use a three-digit sequence of numbers. In a detailed listing, the read, write, and execute permission settings for the user, group, and others appear as the sequence
with dashes in place of letters for disallowed operations. Think of
rwxrwxrwx as being three occurrences of the string
rwx. Now assign the values
x=1. To get the value of the sequence
rwx, simply add the values of
rwx = 7. With this formula, you can assign a three-digit value to any permission setting. If the user can read and write the file but everyone else can only read the file, for example, the permission setting is
rw-r--r--, and the value is 644. Thus, if you want all files in a directory to be readable by everyone but writable only by the user, use the following command:
chmod 644 *
How to set default permission in Linux
What permission setting does a file get when you (or a program) create a new file? The answer is in what is known as the user file-creation mask, which you can see and set by using the
Type umask, and the command prints a number showing the current file-creation mask. For the
root user, the mask is set to
022, whereas the mask for other users is
002. To see the effect of this file-creation mask and to interpret the meaning of the mask, follow these steps:
- Log in as
root, and type the following command:
touch junkfileThis command creates a file named
junkfilewith nothing in it.
- Type ls -l junkfile to see that file’s permissions.
You see a line similar to the following:
-rw-r--r-- 1 root root 0 Aug 24 10:56 junkfile
Interpret the numerical value of the permission setting by converting each three-letter permission in the first field (excluding the first letter) to a number between 0 and 7. For each letter that’s present, the first letter gets a value of 4, the second letter is 2, and the third is 1.
rw-translates to 4+2+0 (because the third letter is missing), or 6. Similarly,
r--is 4+0+0 = 4. Thus, the permission string
- Subtract the numerical permission setting from 666.
What you get is the
umasksetting. In this case, 666 – 644 results in a
umaskof 022. Thus, a
umaskof 022 results in a default permission setting of 666 – 022 = 644. When you rewrite 644 in terms of a permission string, it becomes
To set a new
umask, type umask followed by the numerical value of the mask. Here’s how you go about it:
- Figure out what permission settings you want for new files.
If you want new files that can be read and written only by the owner and no one else, the permission setting looks like this:rw——-
- Convert the permissions to a numerical value by using the conversion method that assigns 4 to the first field, 2 to the second, and 1 to the third.
Thus, for files that are readable and writable only by their owner, the permission setting is 600.
- Subtract the desired permission setting from 666 to get the value of the mask.
For a permission setting of 600, the mask becomes 666 – 600 = 066.
- Use the
umaskcommand to set the file-creation mask by typing umask 066.
umask of 022 is good for system security because it translates to files that have read and write permission for the owner and read permissions for everyone else. The bottom line is that you don’t want a default
umask that results in files that are writable by the whole world.
How to check for set user ID permission in Linux
Another permission setting can be a security hazard. This permission setting, called the set user ID (or
suid for short), applies to executable files. When the
suid permission is enabled, the file executes under the user ID of the file’s owner.
In other words, if an executable program is owned by
root and the
suid permission is set, the program runs as though
root is executing it, no matter who executed the program. The
suid permission means that the program can do a lot more (such as read all files, create new files, and delete files) than a normal user program can do. Another risk is that if a
suid program file has a security hole, crackers can do a lot more damage through such programs than through other vulnerabilities.
You can find all
suid programs with a simple
find / -type f -perm +4000
You see a list of files such as the following:
/bin/su /bin/ping /bin/eject /bin/mount /bin/ping6 /bin/umount /opt/kde4/bin/fileshareset /opt/kde4/bin/artswrapper /opt/kde4/bin/kcheckpass … lines deleted …
Many of the programs have the
suid permission because they need it, but you should check the complete list to make sure that it contains no strange
suid programs (such as
suid programs in a user’s home directory).
If you type ls -l /bin/su, you see the following permission settings:
-rwsr-xr-x 1 root root 25756 Aug 19 17:06 /bin/su
s in the owner’s permission setting (
-rws) tells you that the
suid permission is set for the
/bin/su file, which is the executable file for the
su command that you can use to become
root or another user.