Paranoid Penguin - Linux Filesystem Security, Part I

Errors in setting permissions are the often-frustrating cause of many common Linux problems, so learn the fundamentals of permissions and take the first step to understanding Linux security.

In Listing 1, we see that the first field contains the name of the user account, maestro. The second field (x) is a placeholder for maestro's password, which actually is stored in /etc/shadow. The third field shows maestro's numeric user ID, or uid; in this case it's 200. The fourth field shows the numeric group ID, or gid—in this case it's 100—of maestro's main group membership. The remaining fields specify a comment, maestro's home directory and maestro's default login shell.

In Listing 2, from /etc/group, each line simply contains a group name, a group password (usually unused—x is a placeholder), numeric group ID (gid) and a comma-delimited list of users with secondary memberships in the group. Thus, we see that the group conductors has a gid of 100, which corresponds to the gid specified as maestro's main group in Listing 1. We also see that the group pianists includes the user maestro, plus another named volodyia, as a secondary member.
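As an added example (not from the article), the following Python parses the seven-field /etc/passwd format and the four-field /etc/group format described above and resolves a user's full group membership: the primary group named by the gid in passwd plus every group that lists the user as a secondary member. The sample records are constructed to mirror Listings 1 and 2; volodyia's primary gid is an assumption, since the article does not state it.

```python
# Added example, not from the article: parse /etc/passwd and /etc/group
# records and resolve each user's complete set of groups.
from dataclasses import dataclass

# Constructed sample data modelled on the article's Listings 1 and 2.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
maestro:x:200:100:Maestro:/home/maestro:/bin/bash
volodyia:x:201:100:Volodyia:/home/volodyia:/bin/bash
"""

GROUP_SAMPLE = """\
root:x:0:
conductors:x:100:
pianists:x:102:maestro,volodyia
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    comment: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse /etc/passwd lines into PasswdEntry objects keyed by user name.
    Field order: name, password placeholder, uid, gid, comment, home, shell."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, comment, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), comment, home, shell)
    return entries


def parse_group(text):
    """Parse /etc/group lines into {gid: (group name, [secondary members])}.
    Field order: name, password placeholder, gid, comma-separated members."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError("malformed group line: %r" % line)
        name, _pw, gid, members = fields
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups


def groups_of(user, passwd, groups):
    """Return the sorted list of group names a user belongs to: the primary
    group from the passwd gid plus every group naming the user as a member."""
    entry = passwd[user]
    names = set()
    primary = groups.get(entry.gid)
    if primary is not None:
        names.add(primary[0])
    for _gid, (gname, members) in groups.items():
        if user in members:
            names.add(gname)
    return sorted(names)


if __name__ == "__main__":
    pw = parse_passwd(PASSWD_SAMPLE)
    gr = parse_group(GROUP_SAMPLE)
    for name in pw:
        print(name, pw[name].uid, groups_of(name, pw, gr))
```

Running it against the constructed records shows maestro in both conductors (primary, gid 100) and pianists (secondary), which is exactly the relationship the two listings describe.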

The simplest way to modify /etc/passwd and /etc/group in order to create, modify and delete user accounts is by using the commands useradd, usermod and userdel, respectively. I'd rather concentrate here on concepts than command syntax, so suffice it to say that all three of these commands can be used to set and modify group memberships and all three commands are well documented in their respective man pages. To see a quick usage summary, you also can type the command followed by --help, for example, useradd --help.

Simple File Permissions

Each file has two owners, a user and a group, each with its own set of permissions that specify what the user or group may do with the file—read it, write to it and execute it. A third set of permissions pertains to what others, user accounts that don't own the file or belong to the group that owns it, can do with the file. Listing 3 shows a long file listing for the file /home/maestro/baton_dealers.txt.

Permissions are listed in the order of user permissions, group permissions and other permissions. For the file shown in Listing 3, its user owner (maestro) can read and write the file (rw-); its group owner (conductors) also can read and write the file (rw-), but other users can only read the file. Permissions are a little more complicated, however. Users classified as other, in terms of permissions on a particular file, can delete any file in a directory to which they have write permissions. In other words, users with read-only permission on a file cannot edit the file but can delete it if they have write permission on the file's directory.

There's a third permission besides read and write: execute, which is denoted by x when set. If maestro writes a shell script named and if he sets its permissions to -rwxrw-r--, he then can execute this script by entering the name of the script at the command line. If, however, he forgets to set the execute permission, he is not able to run the script, even though he owns it.

Permissions usually are set with the chmod command, short for change mode. Continuing with our example, suppose maestro has second thoughts about allowing other members of the conductors group to read his list of baton dealers. He could remove the group read/write permissions using the commands shown in Listing 4.
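To make the permission model above concrete, here is an added Python example (not code from the article): it converts the mode string from a long listing such as Listing 3 into its octal form, applies a chmod-style symbolic change like the group read/write removal in Listing 4, and checks the rule that deleting a file depends on write (and search) permission on the containing directory rather than on the file itself. The file and directory metadata used in the demonstration are constructed.

```python
# Added example, not from the article: parse ls -l mode strings, apply
# symbolic chmod clauses, and evaluate the "delete needs directory write"
# rule on constructed metadata.
import stat

CLASSES = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERMS = {"r": 0o444, "w": 0o222, "x": 0o111}


def mode_from_string(s):
    """Convert the permission part of an ls -l listing to an integer mode.
    The leading file-type character is optional; setuid/setgid/sticky
    markers (s, S, t, T) are decoded as well."""
    if len(s) == 10:
        s = s[1:]
    if len(s) != 9:
        raise ValueError("expected 9 permission characters, got %r" % s)
    mode = 0
    for i, ch in enumerate(s):
        bit = 1 << (8 - i)
        if ch in "rwx":
            mode |= bit
        elif ch in "sS" and i in (2, 5):
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":          # lower-case means the execute bit is also set
                mode |= bit
        elif ch in "tT" and i == 8:
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= bit
        elif ch != "-":
            raise ValueError("bad permission character %r" % ch)
    return mode


def mode_to_string(mode):
    """Render the plain rwx bits of a mode (special bits are not shown)."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        out.append("x" if bits & 1 else "-")
    return "".join(out)


def apply_symbolic(mode, spec):
    """Apply comma-separated chmod clauses (e.g. "g-rw,o-r") to a mode.
    Supports the u/g/o/a classes with + and - on r/w/x, which covers the
    article's examples; '=' and the special bits are deliberately omitted."""
    for clause in spec.split(","):
        i = 0
        who = ""
        while i < len(clause) and clause[i] in CLASSES:
            who += clause[i]
            i += 1
        if i == len(clause) or clause[i] not in "+-":
            raise ValueError("unsupported chmod clause %r" % clause)
        op, perms = clause[i], clause[i + 1:]
        who = who or "a"
        mask = 0
        for w in who:
            for p in perms:
                if p not in PERMS:
                    raise ValueError("unsupported permission %r" % p)
                mask |= CLASSES[w] & PERMS[p]
        mode = mode | mask if op == "+" else mode & ~mask
    return mode & 0o7777


def can_delete(dir_mode, dir_owner, dir_group, actor, actor_groups):
    """Unlinking a file needs write and search permission on the directory
    that holds it; the file's own mode is irrelevant (sticky bit ignored)."""
    if actor == dir_owner:
        bits = (dir_mode >> 6) & 7
    elif dir_group in actor_groups:
        bits = (dir_mode >> 3) & 7
    else:
        bits = dir_mode & 7
    return bool(bits & 2) and bool(bits & 1)


if __name__ == "__main__":
    before = mode_from_string("-rw-rw-r--")          # Listing 3's file
    after = apply_symbolic(before, "g-rw")           # the Listing 4 change
    print(oct(before), "->", oct(after), mode_to_string(after))
    # Constructed: /home/maestro is drwxr-xr-x, owned by maestro:conductors.
    print(can_delete(0o755, "maestro", "conductors", "volodyia", ["conductors"]))
```

The last call returns False: even though volodyia can read baton_dealers.txt, he cannot delete it while the directory denies him write access, and would be able to whatever the file's own mode if the directory were group-writable.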


Hi, this page seems to ha



this page seems to have several notes to an editor or something? Search on


to see what I mean.



As a newbie this article helped a lot. However, I'm still looking for a list of commands and what they do. Simple commands like how to change directories and how you navigate through the file system. I'm coming from DOS intuition and although there are some similarities, I still find myself lost at times.

Re: commands


I talk more about chmod, chgrp, etc. in Part II, which you can read at

Hope that helps!

--Mick Bauer

list of commands


Here is a list I made for myself over the years. I am sure there are some errors here so watch out for them and use the man pages:

man (command name)

To get details. These are just the ones I commonly used.

** To activate changes in .bashrc simply type bash in a terminal

ac ** connect time in hours on a per-user or daily basis, command reads /var/log/wtmp

cat /proc/cpuinfo ** List info about CPU.
cat /proc/dma ** List DMA channels and device used by system.
cat /proc/filesystems  ** Display filesystems currently in use.
cat /proc/ide/hda/any-file  ** Displays disk information held by kernel.
cat /proc/interrupts ** List IRQs used by system and the device using the interrupt.
cat /proc/ioports ** List I/O ports used by system.
cat /proc/mounts  ** Display mounted filesystems currently in use.
cat /proc/partitions  ** to see full list of disks and partitions that your system can see
cat /proc/pci  ** list all PCI devices (result of probe)
cat /proc/swaps  ** Displays swap partition(s) size, type and quantity used.
cat /proc/version ** Display Linux kernel version in use.
cat www-error_log | cut -d']' -f 4-99 | sed -e "s/,referer.*//g"|sort|uniq ** list unique entries (see *5*)
chkconfig --list |grep on **  list all services that are started at bootup
chkconfig --list nfs ** check that the NFS service is NOT enabled and running
chkconfig --list portmap ** check that the  portmap service used by NFS is NOT enabled and running
cp /etc/httpd/conf/httpd.conf{,.bak} ** copy httpd.conf to httpd.conf.bak
cp -r /* -t  ** copy dir & sub dir contents to new dir.  * must follow / of dir to be copied and New dir must exist.

df -h   Show the sizes of the mounted devices.
df -k  ** report filesystem disk space usage. (-k reports in Kbytes)
diff /etc/httpd/conf/httpd.conf{.bak,} ** show diff between httpd.conf and httpd.conf.bak
dig   ** gives IP address
dump-utmp ** Converts the raw data from /var/run/utmp or /var/log/wtmp into ASCII-parsable format.
du -sh  ** Calculates file space usage for directory and everything under it (-s option summarizes)
du -sh /*   Show the sizes of all the root directories.

egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}' ** To get a list of all encryptable pswd accounts (see *1*)

find / -name rdiff* 2> /dev/null  ** find everywhere rdiff* is located and don't show error messages
find / -path /proc -prune -o -nouser -o -nogroup ** locate files on your system not owned by any user or group
find / -path /proc -prune -o -perm -2 ! -type l -ls ** locate world-writable files and directories
find / -path /proc -prune -o -type f -perm +6000 -ls ** search the system for SUID or SGID files (see *3*)
find / -path /proc -prune -o -user  -ls ** find if there are any files owned by an account (see *3*)

grep -RI 'XXX' *  ** Search for XXX in that directory and all subdirectories and Ignore binary files
grep -R 'XXX' *  2> /dev/null  ** Search for XXX in that directory and all subdirectories without ANY error messages
grep string /var/log/messages | more  ** search for "string" in log with paging
grep -v ':x:' /etc/passwd  **  lists all accounts that do not have a 'x' in the password field ( see *2*)
groups ** Display groups you are part of.  Use groups user-id to display groups for a given user.
gunzip ** uncompress .gz files without tar in front of it.
gzip ** compress single file to .gz

halt ** Shutdown system.
history ** Shell command to display previously entered commands.
host   ** gives domain name or IP address
httpd2 -V ** list all apache modules that are installed.
id ** Display user and all group ids.  Use id user-id to display info for another user id.
ifconfig    Shows which network interfaces are currently active in the system.
import  - Puts a screenshot of the current selected window or desktop in your home directory (ImageMagick tool).
init q ** To have changes in /etc/inittab become effective immediately
init  - When root, changes the runlevel

kill  - Kills the process (process # found with "ps -ef") if you want to stop it.

last -100  **  lists the last users who logged into the system
lastb  ** Same as last, but shows a log of the file /var/log/btmp, of the bad login attempts
lastlog ** reports data maintained in /var/log/lastlog, a record of the last time a user logged in.
ln -s target linkname   Make a symbolic link.
locate/slocate **   Find location/list of files which contain a given partial name
ls -1 * >   ** make a list - names only - of all files and all subdirectory files
lsdev  ** List devices and info on system hardware. Also IRQs. (RPM package procinfo)
ls | less  - pipes the output through "less", = pages which can be flipped through with the spacebar or Pgup, Pgdown
ls -lR >   ** make a complete list of all files, must be as root not su and from / directory
lsmod  ** List all currently loaded kernel modules - Same as cat /proc/modules
lsof -i -n | egrep 'COMMAND|LISTEN|UDP' ** list listening network ports (TCP and UDP sockets)
lspci (or lspci -vvx)  ** list all PCI devices (result of probe)
lynx -dump -stdin output.txt ** convert html to plain text with good tables.

more /var/log/messages  ** view log one page at a time
multitail   or tail -f /var/log/messages  ** How to View New Log Entries as They Happen

netstat ** Displays network connections, routing tables, and interface statistics....
netstat -nlp ** list other information on network ports (TCP and UDP sockets)
netstat -punta ** list more information on network ports (TCP and UDP sockets)
netstat -tulp ** list listening network ports (TCP and UDP sockets)
nmap   **  gives open ports and other stuff on a site -- considered an attack.

pdftohtml -c  infile.pdf outfile.html  ** Convert pdf to html with associate graphics - 1 html per page
ps -Ax, ps -eL or ps -auxw (process status)  ** shows all processes running or sleeping.
ps -ef | grep 'text' -  will search running services & display services matching 'text'.
pstree -pa  ** gives you the processes that are running in a tree format.  Shows what started the processes
pwd - Will tell you what directory you are in.

reboot – Restart system.
rm -f filename.txt ** deletes filename.txt, will not ask for confirmation before deleting.
rm -rf tmp/ ** recursively deletes the directory tmp, and all files in it, including subdirectories.
rpm -e --test  ** check for potential conflicts/dependencies when deleting a RPM
rpm -qa  ** To get a list of all installed RPMs
rpm -qf  ** Display name of RPM package from which the file was installed.
rpm -qi   ** find more about a particular RPM:
rpm -ql $(rpm -qa | grep httpd) rpm -qa | grep httpd, lists packages with httpd in the name.  
rpm -ql ** lists files in each package.
rpm -q --whatrequires   ** find what package(s) requires that file or lib.

set or env ** Display all environment variables in your current environment. 

**** Securely moving or copying files (Don't put in the <> brackets!)

(You are logged in to
( -r causes the entire directory to be included, -p keeps the permissions and timestamps)

scp -p //  ** file on soyo -- to be moved to
scp -r / ** directory & subdirs on soyo --  moved to

scp -p / ** file on to be moved to soyo
scp -p //  ** file on to be moved to soyo

scp -p

** file on to be moved to  This assumes that
there is a public/private key account for the user on
(or at least the same user name account on all machines.  Note that
you can specify different user ids like: for one
and for the other -- If you know the passwords.

showmount  ** Displays mount info for NFS filesystems.

tail -100 www-error_log | cut -d']' -f 4-99 | sed -e "s/,referer.*//g"|sort|uniq ** unique last 100 errors(see *5*)
top ** shows running processes
tar -cf archive.tar   ** Creating a tar file.
tar -cvzf usr_lib.tar.gz   ** tar and compress a file to whatever directory you are in
tar -tf archive.tar  ** Lists the files and/or directories in a tar file.
tar -xvf archive.tar  ** Extract the files from a tar archive. (.tar)
tar -zxvf archive.tar.gz  ** Extract the files from a compressed .tar.gz archive
tar -zxvf archive.tgz  ** Extract the files from a compressed .tgz archive
tar xvjf filename.version.bz2   ** Extract bzip2 files with tar

uname -a  ** print system information
uname -r    Tells you what version of the kernel is currently running.
uptime  ** Tell how long the system has been running. Also number of users and system's load average.
users ** Show all users logged in.
userdel -r  ** Delete a user's account and other stuff  (see *4*)

w ** Displays currently logged in users and processes they are running.
whereis ** Find directory of executable file and related files
which ** Find executable file location of command given. Command must be in path.
who ** Displays currently logged in users.
who -uH  ** for idle time and terminal info.
whoami ** Displays user id.
whois   **  gives the administrative information about the site.

Basic file compression utilities: (and file extensions)

gzip (.gz): Also see zcat, gunzip, gznew, gzmore
compress: gzip file-name
decompress: gzip -d file-name.gz

bzip2 (.bz2): Also see: bunzip2, bzcat, bzip2recover
compress: bzip2 file-name
decompress: bunzip2 file-name.bz2

compress (.Z): (Adaptive Lempel-Ziv compression) Also see: uncompress, zcat
compress: compress file-name
decompress: uncompress file-name.Z
(Provided by the RPM package ncompress)

pack (.z): Also see: unpack
compress: pack file-name
decompress: unpack file-name.z

zip (.zip): Compress files or groups of files. 
To compress: zip file-name
To decompress: unzip
(R.P.Byrne compression) Compatible with Win PKZIP files.

****** SHELL TRICKS **********
ctrl + d = logout (also useful if you did su and want to get back 
to normal user)
If your screen becomes unreadable because of displaying a binary file
type "reset" blindly and it should be normal again.

 Looping in the command line: for file in * ; do cp $file $file.bak; done

 {variable-name}=$(command) **  Set env variable-name to commands output ex: $(date +%d-%b-%Y)

{variable-name}=$"value"  ** Temporarily set env "variable-name" to "value"

*1*  It is important that all system and vendor accounts that are
not used for logins are locked.  To get a list of unlocked accounts
on your system, you can check for accounts that do NOT have an
encrypted password string starting with "!" or "*" in the 
/etc/shadow file. If you lock an account using passwd -l, it 
will put a '!!' in front of the encrypted password, effectively
disabling the password. If you lock an account using usermod -L,
it will put a '!' in front of the encrypted password. Many system
and shared accounts are usually locked by default by having a '*' or
'!!' in the password field which renders the encrypted password into
an invalid string.

*2*  Also make sure all accounts have an 'x' in the password field in
/etc/passwd.  An 'x' in the password field means that the password 
has been shadowed, i.e. the encrypted password has to be looked up in
the /etc/shadow file. If the password field in /etc/passwd is empty,
then the system will not look up the shadow file and it will not
prompt the user for a password at the login prompt.

*3*  The -prune option in this example is used to skip the
/proc filesystem.

*4*  If you are sure that an account can be deleted, you can remove
the account using the following command.  Without the "-r" option
userdel will not delete the user's home directory and mail spool
(/var/spool/mail/). Note that many system accounts have no
home directory:

*5* To monitor the significance, add '-c' to the uniq command, which
will find you a count of the number of each error.

All the new OSs and windowing systems are oriented towards content consumption instead of content production.

--Steve Daniels 2013
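Notes *1* and *2* in the command list above describe two account audits: accounts whose /etc/shadow hash is not locked with a leading '!' or '*', and accounts whose /etc/passwd password field is not 'x'. The following Python is an added example (not from the comment or the article) that performs both checks on constructed passwd and shadow records rather than on the live files, so it can be run anywhere; the hashes and the account names svc and legacy are made up.

```python
# Added example, not from the page: audit constructed /etc/passwd and
# /etc/shadow records for unshadowed and unlocked accounts (notes *1*, *2*).

# Constructed sample records; the hash strings are placeholders, not real hashes.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
maestro:x:200:100:Maestro:/home/maestro:/bin/bash
legacy::300:300:Old app:/var/lib/legacy:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$6$saltsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
maestro:$6$saltsalt$anotherhash:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def unshadowed_accounts(passwd_text):
    """Accounts whose passwd password field is anything other than 'x'.
    An empty field means login asks for no password at all (note *2*);
    any other value is a hash stored in the world-readable passwd file."""
    found = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        name, pw = line.split(":")[:2]
        if pw != "x":
            found.append((name, "empty" if pw == "" else "hash in passwd"))
    return found


def is_locked(hash_field):
    """A shadow hash beginning with '!' or '*' can never match a password,
    which is how passwd -l, usermod -L and vendor defaults lock accounts."""
    return hash_field.startswith("!") or hash_field.startswith("*")


def unlocked_accounts(shadow_text):
    """Same idea as the egrep/awk pipeline in note *1*: names of accounts
    whose hash field is not locked. An empty hash field is reported too,
    since it permits login without a password."""
    names = []
    for line in shadow_text.splitlines():
        if not line:
            continue
        name, hash_field = line.split(":")[:2]
        if not is_locked(hash_field):
            names.append(name)
    return names


if __name__ == "__main__":
    print("not shadowed:", unshadowed_accounts(PASSWD_SAMPLE))
    print("password login possible:", unlocked_accounts(SHADOW_SAMPLE))
```

On a real system the two inputs would be the contents of /etc/passwd and /etc/shadow (the latter readable only by root); the output lists accounts to review, and the expectation is that every entry in the second list is a person who is supposed to log in with a password.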