New version page

UCF COT 4810 - File System Security in Unix

Documents in this Course
Spoofing

Spoofing

25 pages

CAPTCHA

CAPTCHA

18 pages

Load more
Upgrade to remove ads
Upgrade to remove ads
Unformatted text preview:

File System Security in UnixOverviewUnix BasicsAn Area of File System SecurityAccount Security: PasswordsThe UNIX File SystemSimple Unix File StructureAnother Area of File System SecurityFile PermissionsWhy should you learn about permissions?File Ownership Levels3 Levels of Access ProtectionFormat of PermissionsAdditional PermissionsAdditional Permissions: setuid and setgidAdditional Permissions: The “sticky” BitChecking Current Access Modes“ls -l” Example OutputSetting PermissionsSetting Permissions : Symbolic ModeSymbolic Mode - ExampleAdding Permissions - ExampleSubtracting PermissionsSetting Permissions: Absolute ModeAbsolute Mode – ExampleumaskSlide 27Access Mode LimitationsAccess Control Lists (ACLs)ACLssetfaclgetfaclSummaryReferencesFile System Security in UnixAnnie CalpeOverviewUnix BasicsFile System Security: - Account Security: Passwords - File Permissions - Access Control ListsUnix BasicsDeveloped in the late 1970sA multi-user environmentIntended to be used only by a small number of people within the same companyAn Area of File System Security Account Security : Concerned with keeping unauthorized users from gaining access into the system.A login feature is added for file security.Account Security: PasswordsOne way hash encryption algorithmUses a modified version of the Data Encryption Standard (DES)Uses a “salt”The UNIX File SystemControls the way that information in files and directories is laid out on the diskThe hierarchical organization of files & directories is often represented with a tree structureSimple Unix File Structure /(root)u tmp binhueycp rmmyfile file1 file2Another Area of File System SecurityFile System Security : Concerned with preventing unauthorized access to the system’s data.Access of data is controlled through the use of file permissions.File Permissionsa.k.a. “mode bits” or “permission bits”It controls which users can access what and how.They depend also on the permission bits associated with all directories “above” the file in the directory hierarchy.Why should you learn about permissions?May allow others to access, alter and even delete your files!The default setting is not acceptable where sensitive data is present.Many beginning users of Unix don’t understand modes, thus compromising overall security.Permissions are a useful tool to enhance file system security!File Ownership LevelsUser: User who owns the fileGroup: Users in a group associated with the fileOther: All other users; “world” permissionsAll: Includes all of the above levels3 Levels of Access Protectionr read read a file read contents of directoryw write write data to a filechange the contents of the directoryx execute run an executable programsearch the contents of a folder or subdirectoryFormat of Permissions file or directory?User modesGroup modesOther modes_ _ _ _ _ _ _ _ _ _Additional Permissions4th bit is available per set. These are only useful for executable files: 1. setuid (replaces user’s x by s)2. setgid (replaces group’s x by s)3. “sticky” (replaces other’s x by t)Additional Permissions:setuid and setgidUsed when another user must perform a task which only the owner of a file has the power to do: 1. setuid – script which assumes the User ID of the program when run2. setgid – script which assumes the Group ID of the program group when runAdditional Permissions: The “sticky” BitWhen set, only the root or owner can unlink/rename files in a directory.Without it, anyone able to write to the directory can delete/rename files. It is commonly found on world-writable directories, such as /tmp.Checking Current Access ModesTo check the file characteristics for all files within the current directory, type: “ls -l”To check the file characteristics of a specific file or directory, type: “ls -l <filename or directory>”“ls -l” Example Output> ls – ldrwxr-xr-x 3 huey 512 Dec 27 15:58 dir1-rwx------ 1 huey 16384 Jun 1 13:45 progfile1-rwsr-sr-t 1 huey 24576 Jan 23 16:35 progfile2-rw-r--r-- 1 huey 40 Dec 29 11:42 textfile1-rw-rw-rw- 1 huey 1024 Mar 23 08:19 textfile2Setting PermissionsThe chmod command is used to set or modify file and directory permissions2 ways to specify permissions: - symbolic mode - absolute modeSetting Permissions :Symbolic Modechmod <who> op <perm bits> <filename>optionswho: u, g, o, aop: +, -, =perm bits: r, w, x, s, tSymbolic Mode - Example Apply to all rows in current directory:>chmod u=rwx,g=rx,o=r row* Allow all users to read and search contents of directory:>chmod a=rx dir1Adding Permissions - Example>ls -l textfile1 -rw-r--r-- … (current permissions)>chmod g+w textfile1>ls -l textfile1 -rw-rw-r-- … (updated permissions)Subtracting Permissions>ls -l textfile1 -rw-rw-r-- … (current permissions)>chmod g-w textfile1>ls -l textfile1 -rw-r-r-- … (updated permissions)Setting Permissions:Absolute Modechmod <sum of permitted octal #s> <file(s)>Octal # Permission400020001000040002000100set user idset group id“sticky” bitRead by ownerWrite by ownerExecute by ownerOctal # Permission004000200010000400020001Read by groupWrite by groupExecute by groupRead by otherWrite by otherExecute by otherAbsolute Mode – ExampleTo let the owner read, write, and execute: 0400 + 0200 + 0100 = 0700Yet, only allow group users and others to read and write to the file: 0040 + 0020 = 0060 (group value) 0004 + 0002 = 0006 (others value)The octal value = 0700 + 0060 + 0006 > chmod 766umaskUsed to turn off permissions: umask <value>For a file: determine the numeric value for the desired permissions and subtract it from 666 to get the umask valueumaskFor a directory: determine the numeric value for the desired permissions and subtract it from 777 to get the umask valueUsed to set default permissions for newly created files within the directory, only during the current shell session.Access Mode LimitationsModes are defined to only user, group, and others i.e. Users cannot designate file access to specific usersAccess Control Lists (ACLs)Reduces complexity of managing permissionsStored as extended attributesAllows you to define lists that grant/deny access to a given file based on criteria that you provideEnabled ACLs will append a “+” to the set of permissions. e.g.


View Full Document
Download File System Security in Unix
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view File System Security in Unix and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view File System Security in Unix 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?