File System Security in Unix
Annie Calpe

Overview
- Unix Basics
- File System Security:
  - Account Security: Passwords
  - File Permissions
  - Access Control Lists

Unix Basics
- Developed in the late 1970s
- A multi-user environment
- Intended to be used only by a small number of people within the same company

An Area of File System Security
- Account Security: Concerned with keeping unauthorized users from gaining access into the system.
- A login feature is added for file security.

Account Security: Passwords
- One-way hash encryption algorithm
- Uses a modified version of the Data Encryption Standard (DES)
- Uses a “salt”

The UNIX File System
- Controls the way that information in files and directories is laid out on the disk
- The hierarchical organization of files & directories is often represented with a tree structure

Simple Unix File Structure
[Figure: directory tree. Top level: / (root); second level: u, tmp, bin; third level: huey, cp, rm; fourth level: myfile, file1, file2]

Another Area of File System Security
- File System Security: Concerned with preventing unauthorized access to the system’s data.
- Access of data is controlled through the use of file permissions.

File Permissions
- Also known as “mode bits” or “permission bits”
- They control which users can access what, and how.
- Access to a file also depends on the permission bits of all directories “above” the file in the directory hierarchy.

Why should you learn about permissions?
- They may allow others to access, alter and even delete your files!
- The default setting is not acceptable where sensitive data is present.
- Many beginning users of Unix don’t understand modes, thus compromising overall security.
- Permissions are a useful tool to enhance file system security!

File Ownership Levels
- User: User who owns the file
- Group: Users in a group associated with the file
- Other: All other users; “world” permissions
- All: Includes all of the above levels

3 Levels of Access Protection

    Bit  Name     On a file                  On a directory
    r    read     read a file                read contents of directory
    w    write    write data to a file       change the contents of the directory
    x    execute  run an executable program  search the contents of a folder or subdirectory

Format of Permissions

    _            _ _ _        _ _ _         _ _ _
    file or      User modes   Group modes   Other modes
    directory?

Additional Permissions
- A 4th bit is available per set. These are only useful for executable files:
  1. setuid (replaces user’s x by s)
  2. setgid (replaces group’s x by s)
  3. “sticky” (replaces other’s x by t)

Additional Permissions: setuid and setgid
- Used when another user must perform a task which only the owner of a file has the power to do:
  1. setuid – script which assumes the user ID of the program’s owner when run
  2. setgid – script which assumes the group ID of the program’s group when run

Additional Permissions: The “sticky” Bit
- When set, only root or the owner can unlink/rename files in a directory.
- Without it, anyone able to write to the directory can delete/rename files.
- It is commonly found on world-writable directories, such as /tmp.

Checking Current Access Modes
- To check the file characteristics for all files within the current directory, type: “ls -l”
- To check the file characteristics of a specific file or directory, type: “ls -l <filename or directory>”

“ls -l” Example Output

    > ls -l
    drwxr-xr-x  3  huey    512  Dec 27 15:58  dir1
    -rwx------  1  huey  16384  Jun  1 13:45  progfile1
    -rwsr-sr-t  1  huey  24576  Jan 23 16:35  progfile2
    -rw-r--r--  1  huey     40  Dec 29 11:42  textfile1
    -rw-rw-rw-  1  huey   1024  Mar 23 08:19  textfile2

Setting Permissions
- The chmod command is used to set or modify file and directory permissions
- 2 ways to specify permissions:
  - symbolic mode
  - absolute mode

Setting Permissions: Symbolic Mode

    chmod <who> op <perm bits> <filename>

Options:
- who: u, g, o, a
- op: +, -, =
- perm bits: r, w, x, s, t

Symbolic Mode - Example
Apply to all files matching row* in the current directory:

    > chmod u=rwx,g=rx,o=r row*

Allow all users to read and search contents of directory:

    > chmod a=rx dir1

Adding Permissions - Example

    > ls -l textfile1
    -rw-r--r-- … (current permissions)
    > chmod g+w textfile1
    > ls -l textfile1
    -rw-rw-r-- … (updated permissions)

Subtracting Permissions

    > ls -l textfile1
    -rw-rw-r-- … (current permissions)
    > chmod g-w textfile1
    > ls -l textfile1
    -rw-r--r-- … (updated permissions)

Setting Permissions: Absolute Mode

    chmod <sum of permitted octal #s> <file(s)>

    Octal #  Permission
    4000     set user id
    2000     set group id
    1000     “sticky” bit
    0400     Read by owner
    0200     Write by owner
    0100     Execute by owner
    0040     Read by group
    0020     Write by group
    0010     Execute by group
    0004     Read by other
    0002     Write by other
    0001     Execute by other

Absolute Mode – Example
To let the owner read, write, and execute:

    0400 + 0200 + 0100 = 0700

Yet, only allow group users and others to read and write to the file:

    0040 + 0020 = 0060 (group value)
    0004 + 0002 = 0006 (others value)

The octal value = 0700 + 0060 + 0006 = 0766

    > chmod 766 <file(s)>

umask
- Used to turn off permissions: umask <value>
- For a file: determine the numeric value for the desired permissions and subtract it from 666 to get the umask value
- For a directory: determine the numeric value for the desired permissions and subtract it from 777 to get the umask value
- Used to set default permissions for newly created files within the directory, only during the current shell session.

Access Mode Limitations
- Modes are defined only for user, group, and others, i.e. users cannot designate file access to specific users

Access Control Lists (ACLs)
- Reduces complexity of managing permissions
- Stored as extended attributes
- Allows you to define lists that grant/deny access to a given file based on criteria that you provide
- Enabled ACLs will append a “+” to the set of permissions. e.g.
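The shell script below is an added example, not part of the original slides: it converts the mode strings from the “ls -l” example output into the absolute (octal) values of the chmod table, and names the setuid, setgid, world-writable and ACL markers a reviewer would check first. The function names triad_digit, mode_to_octal and risk_flags are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the slides): read "ls -l" mode strings as absolute modes.

# triad_digit <rwx-triad>: octal digit (0-7) for one user/group/other set.
triad_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac  # lowercase s/t: x is set as well
    echo "$d"
}

# mode_to_octal <mode string>: e.g. -rwsr-sr-t -> 7755
mode_to_octal() {
    m=${1%+}                                  # ignore the trailing "+" ACL marker
    case $m in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "not a mode string: $1" >&2; return 1 ;;
    esac
    rest=${m#?}                               # drop the file-type character
    u=${rest%??????}; rest=${rest#???}
    g=${rest%???}; o=${rest#???}
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac  # setuid, octal 4000
    case $g in ??[sS]) special=$((special + 2)) ;; esac  # setgid, octal 2000
    case $o in ??[tT]) special=$((special + 1)) ;; esac  # sticky, octal 1000
    echo "$special$(triad_digit "$u")$(triad_digit "$g")$(triad_digit "$o")"
}

# risk_flags <mode string>: bits worth a second look when reviewing a listing.
risk_flags() {
    oct=$(mode_to_octal "$1") || return 1
    flags=
    case $oct in [4567]???) flags="$flags setuid" ;; esac
    case $oct in [2367]???) flags="$flags setgid" ;; esac
    case $oct in ???[2367]) flags="$flags world-writable" ;; esac
    # A world-writable directory without the sticky bit lets any user
    # delete or rename other users' files in it.
    case $1:$oct in d*:[0246]??[2367]) flags="$flags no-sticky" ;; esac
    case $1 in *+) flags="$flags acl" ;; esac  # mode bits are not the whole story
    echo "${flags# }"
}

# Mode strings taken from the "ls -l" example output on this page.
for m in drwxr-xr-x -rwx------ -rwsr-sr-t -rw-r--r-- -rw-rw-rw-; do
    printf '%s  %s  %s\n' "$m" "$(mode_to_octal "$m")" "$(risk_flags "$m")"
done
```

An uppercase S or T in a listing means the special bit is set while the matching execute bit is not, which is why only lowercase s and t add the execute value.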