Paranoid Penguin - Linux Filesystem Security, Part I

Errors in setting permissions are the often-frustrating cause of many common Linux problems, so learn the fundamentals of permissions and take the first step to understanding Linux security.

In Listing 4's sample chmod command (chmod go-rw), go tells chmod to change the group permissions and other permissions; -rw says to remove read and write permissions for those two categories, group and other. Thus, a symbolic chmod command has three parts: a permission category, some combination of u, g and o, or a for all three; an operator, - to remove, + to add, or = to set exactly the listed permissions and clear the rest; and a list of permissions to add, remove or set, usually r, w or x. Several such clauses can be joined with commas (chmod u=rwx,go= somefile), and chmod changes only the categories you name, leaving the others as they were.

Directory Permissions

We now know how to change basic permissions on regular files, but what about directories? Directory permissions work slightly differently from permissions on regular files. Read and write are similar; on a directory these permissions translate to list the directory's contents and create, delete or rename entries within the directory, respectively. One consequence is worth remembering: whether you can delete a file is decided by write permission on its directory, not by the permissions on the file itself. A read-only file in a directory you can write to can be removed, while a world-writable file in a directory you cannot write to cannot be removed (though anyone can empty it). The sticky bit, which changes this rule for shared directories such as /tmp, is beyond the scope of this article.

Execute is a little less intuitive on directories, however. Here, execute means traverse: use anything within, or change working directory to, this directory. If a user or group has execute permission on a given directory, the user or group can cd to it with the command cd, open that directory's files (assuming those individual files' own permissions allow it) and, if read permission is also present, list its contents. If a user or group does not have execute permission on a given directory, the user or group is unable to cd into it or open anything in it, regardless of the permissions set on the things inside. Read and execute are independent, which produces two odd-looking cases. If you have read but not execute permission on a directory, ls still shows the names of its entries (and ls -l prints a Permission denied error for each one, because it cannot stat them, but the error messages themselves reveal the names); you cannot open any of those files, though. If you have execute but not read permission, you cannot list the directory at all, but you can still open, or cd into, anything inside it whose exact name you already know. Only when you have neither read nor execute permission are the contents hidden from you entirely.

Suppose our example system has a user named biff who belongs to the group drummers. Also suppose that his home directory contains a directory called extreme_casseroles that he wishes to share with his fellow percussionists. Listing 5 shows how biff might set that directory's permissions.

Per Listing 5, biff ends up with the mode rwxr-x--- on extreme_casseroles (in symbolic form, u=rwx,g=rx,o=): only biff has the ability to create, change or delete files inside it. Other members of the group drummers can list its contents and cd to it, and can read the recipes inside to the extent that each file's own permissions allow. Everyone else on the system, however, is blocked from listing, reading, cd-ing or doing anything else with the directory. Two things must be true for this to work as intended: the directory must actually be owned by group drummers (biff can fix that with chgrp drummers extreme_casseroles, since he is a member of the group), and the drummers must be able to traverse biff's home directory above it; if that directory is mode 700, group members never reach extreme_casseroles no matter how it is set.
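The following bash script is an added example, not Listing 4 or Listing 5 from the article. It recreates the biff/extreme_casseroles layout in a throw-away directory, applies the modes described above with symbolic chmod, and then probes what read-without-execute and execute-without-read on a directory actually permit. It assumes GNU coreutils (stat -c) and should be run as an ordinary user, because root bypasses all of these checks; the chgrp to drummers is skipped because chgrp requires membership in the target group.

```shell
#!/bin/bash
# Added example (not from the article).  Recreates the biff/extreme_casseroles
# layout under a temporary directory, applies the modes from the text, and
# probes what each directory mode permits.  Assumes GNU coreutils (stat -c).
# Run as an ordinary user: root bypasses every check shown here.
set -u

# mode_of PATH: the octal permission bits as stat reports them, e.g. 750.
mode_of() { stat -c '%a' "$1"; }

# make_shared_dir DIR: the Listing 5 policy in symbolic chmod form.
#   u=rwx  biff may list, traverse, create, delete and rename entries
#   g=rx   drummers may list and cd, but not create or delete
#   o=     everyone else gets nothing at all
# (On a real system "chgrp drummers DIR" is also needed.)  Prints the mode.
make_shared_dir() {
  local dir="$1"
  mkdir -p "$dir"
  chmod u=rwx,g=rx,o= "$dir"
  mode_of "$dir"
}

# remove_group_other_rw FILE: the article's "chmod go-rw" applied to a file
# that starts out rw-rw-r-- (664).  Only g and o change; the owner's bits are
# untouched.  Prints the resulting mode.
remove_group_other_rw() {
  local f="$1"
  : > "$f"
  chmod 664 "$f"
  chmod go-rw "$f"
  mode_of "$f"
}

# verdict CMD...: run CMD quietly and print "allowed" or "denied".
verdict() { if "$@" >/dev/null 2>&1; then echo allowed; else echo denied; fi; }

# probe DIR: show that read and execute on a directory are independent.
probe() {
  local dir="$1"
  echo 'lasagne' > "$dir/recipe.txt"

  chmod u=r,go= "$dir"          # read but NOT execute
  echo "r--  list names (ls)     : $(verdict ls "$dir")"             # names need only r
  echo "r--  open a file (cat)   : $(verdict cat "$dir/recipe.txt")" # opening needs x
  echo "r--  cd into it          : $(verdict cd "$dir")"             # cd needs x

  chmod u=x,go= "$dir"          # execute but NOT read
  echo "--x  list names (ls)     : $(verdict ls "$dir")"             # listing needs r
  echo "--x  open file by name   : $(verdict cat "$dir/recipe.txt")" # exact name suffices
  echo "--x  cd into it          : $(verdict cd "$dir")"

  chmod u=rx,go= "$dir"         # read+execute but NOT write
  echo "r-x  delete a file (rm)  : $(verdict rm -f "$dir/recipe.txt")" # unlink needs w on the dir

  chmod u=rwx,go= "$dir"        # restore so cleanup can succeed
}

work=$(mktemp -d "${TMPDIR:-/tmp}/biff.XXXXXX")
casseroles="$work/extreme_casseroles"
echo "extreme_casseroles: mode $(make_shared_dir "$casseroles")"
echo "recipe.txt after chmod go-rw: mode $(remove_group_other_rw "$casseroles/recipe.txt")"
probe "$casseroles"
rm -rf "$work"
```

The probe section is where the security lesson sits: a directory with read but no execute still leaks file names, and one with execute but no read still serves any file whose name an attacker can guess, so neither half-measure hides content on its own.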

Conclusion (for Now)

Those are the most basic concepts and practical uses of Linux filesystem security. In Part II, we'll go further in depth and discuss (among other things) setuid, setgid and numeric permission modes. Until then, be safe!

Mick Bauer, CISSP, is Linux Journal's security editor and an IS security consultant in Minneapolis, Minnesota. He's the author of Building Secure Servers With Linux (O'Reilly & Associates, 2002).


Comments


Hi, this page seems to ha

Posted by Anonymous

Hi,

this page seems to have several notes to an editor or something? Search on

***BEGIN SIDEBAR
Garrick

to see what I mean.

Commands

Posted by Anonymous

As a newbie this article helped a lot. However, I'm still looking for a list of commands and what they do. Simple commands like how to change directories and how you navigate through the file system. I'm coming from DOS intuition and although there are some similarities, I still find myself lost at times.

Re: commands

Posted by Mick

I talk more about chmod, chgrp, etc. in Part II, which you can read at http://www.linuxjournal.com/article/7727

Hope that helps!

--Mick Bauer

list of commands

Posted by Keith Daniels

Here is a list I made for myself over the years. I am sure there are some errors here so watch out for them and use the man pages:

man (command name)

To get details. These are just the ones I commonly used.

** To activate changes in .bashrc simply type bash in a terminal

ac ** connect time in hours on a per-user or daily basis, command reads /var/log/wtmp

cat /proc/cpuinfo ** List info about CPU.
cat /proc/dma ** List DMA channels and device used by system.
cat /proc/filesystems  ** Display filesystems currently in use.
cat /proc/ide/hda/any-file  ** Displays disk information held by kernel.
cat /proc/interrupts ** List IRQ's used by system and the device using the interrupt.
cat /proc/ioports ** List I/O ports used by system.
cat /proc/mounts  ** Display mounted filesystems currently in use.
cat /proc/partitions  ** to see full list of disks and partitions that your system can see
cat /proc/pci  ** list all PCI devices (result of probe)
cat /proc/swaps  ** Displays swap partition(s) size, type and quantity used.
cat /proc/version ** Display Linux kernel version in use.
cat www-error_log | cut -d']' -f 4-99 | sed -e "s/,referer.*//g"|sort|uniq ** list unique entries (see *5*)
chkconfig --list |grep on **  list all services that are started at bootup
chkconfig --list nfs ** check that the NFS service is NOT enabled and running
chkconfig --list portmap ** check that the  portmap service used by NFS is NOT enabled and running
cp /etc/httpd/conf/httpd.conf{,.bak} ** copy httpd.conf to httpd.conf.bak
cp -r /* -t  ** copy dir & sub dir contents to new dir.  * must follow / of dir to be copied and New dir must exist.

df -h ** Show the sizes of the mounted devices.
df -k  ** report filesystem disk space usage. (-k reports in Kbytes)
diff /etc/httpd/conf/httpd.conf{.bak,} ** show diff between httpd.conf and httpd.conf.bak
dig   ** gives IP address
dump-utmp ** Converts the raw data from /var/run/utmp or /var/log/wtmp into ASCII-parsable format.
du -sh  ** Calculates file space usage for directory and everything under it (-s option summarizes)
du -sh /* ** Show the sizes of all the root directories.

egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}' ** To get a list of all encryptable pswd accounts (see *1*)

find / -name rdiff* 2> /dev/null  ** find everywhere rdiff* is located and don't show error messages
find / -path /proc -prune -o \( -nouser -o -nogroup \) -ls ** locate files on your system not owned by any user or group
find / -path /proc -prune -o -perm -2 ! -type l -ls ** locate world-writable files and directories
find / -path /proc -prune -o -type f -perm /6000 -ls ** search the system for SUID or SGID files (see *3*)
find / -path /proc -prune -o -user  -ls ** find if there are any files owned by an account (see *3*)

grep -RI 'XXX' *  ** Search for XXX in that directory and all subdirectories and Ignore binary files
grep -R 'XXX' *  2> /dev/null  ** Search for XXX in that directory and all subdirectories without ANY error messages
grep string /var/log/messages | more  ** search for "string" in log with paging
grep -v ':x:' /etc/passwd  **  lists all accounts that do not have a 'x' in the password field ( see *2*)
groups ** Display groups you are part of.  Use groups user-id to display groups for a given user.
gunzip ** uncompress .gz files without tar in front of it.
gzip ** compress single file to .gz

halt ** Shutdown system.
history ** Shell command to display previously entered commands.
host   ** gives domain name or IP address
httpd2 -V ** list all apache modules that are installed.
id ** Display user and all group ids.  Use id user-id to display info for another user id.
ifconfig ** Shows which network interfaces are currently active in the system.
import ** Puts a screenshot of the current selected window or desktop in your home directory (ImageMagick tool).
init q ** To have changes in /etc/inittab become effective immediately
init ** When root, changes the runlevel

kill ** Kills the process (process # found with "ps -ef") if you want to stop it.

last -100  **  lists the last users who logged into the system
lastb  ** Same as last, but shows a log of the file /var/log/btmp, of the bad login attempts
lastlog ** reports data maintained in /var/log/lastlog, a record of the last time a user logged in.
ln -s target linkname ** Make a symbolic link.
locate/slocate **   Find location/list of files which contain a given partial name
ls -1 * >   ** make a list - names only - of all files and all subdirectory files
lsdev  ** List devices and info on system hardware. Also IRQ's.(RPM package procinfo)
ls | less ** pipes the output through "less", = pages which can be flipped through with the spacebar or Pgup, Pgdown
ls -lR >   ** make a complete list of all files, must be as root not su and from / directory
lsmod  ** List all currently loaded kernel modules - Same as cat /proc/modules
lsof -i -n | egrep 'COMMAND|LISTEN|UDP' ** list listening network ports (TCP and UDP sockets)
lspci (or lspci -vvx)  ** list all PCI devices (result of probe)
lynx -dump input.html > output.txt ** convert html to plain text with good tables.

more /var/log/messages  ** view log one page at a time
multitail   or tail -f /var/log/messages  ** How to View New Log Entries as They Happen

netstat ** Displays network connections, routing tables, and interface statistics....
netstat -nlp ** list other information on network ports (TCP and UDP sockets)
netstat -punta ** list more information on network ports (TCP and UDP sockets)
netstat -tulp ** list listening network ports (TCP and UDP sockets)
nmap   **  gives open ports and other stuff on a site -- considered an attack.

pdftohtml -c  infile.pdf outfile.html  ** Convert pdf to html with associate graphics - 1 html per page
ps -Ax, ps -eL or ps -auxw (process status)  ** shows all processes running or sleeping.
ps -ef | grep 'text' ** will search running services & display services matching 'text'.
pstree -pa  ** gives you the processes that are running in a tree format.  Shows what started the processes
pwd ** Will tell you what directory you are in.

reboot ** Restart system.
rm -f filename.txt ** deletes filename.txt, will not ask for confirmation before deleting.
rm -rf tmp/ ** recursively deletes the directory tmp, and all files in it, including subdirectories.
rpm -e --test  ** check for potential conflicts/dependencies when deleting a RPM
rpm -qa  ** To get a list of all installed RPMs
rpm -qf  ** Display name of RPM package from which the file was installed.
rpm -qi   ** find more about a particular RPM:
rpm -ql $(rpm -qa | grep httpd) ** lists the files of every package with httpd in the name (rpm -qa | grep httpd alone lists those packages).
rpm -ql ** lists files in each package.
rpm -q --whatrequires   ** find what package(s) requires that file or lib.

set or env ** Display all environment variables in your current environment. 

**** Securely moving or copying files (Don't put in the <> brackets!)

(You are logged in to www.soyo.com)
( -r causes the entire directory to be included, -p keeps the permissions and timestamps)

scp -p // www.asp.net://  ** file on soyo -- to be moved to www.asp.net.
scp -r / www.asp.net:/ ** directory & subdirs on soyo --  moved to www.asp.net.

scp -p www.asp.net:/ / ** file on www.asp.net to be moved to soyo
scp -p keith@www.asp.net:// //  ** file on www.asp.net to be moved to soyo

=======
scp -p www.abc.com:// www.xyz.com://

** file on abc.com to be moved to www.xyz.com  This assumes that
there is a public/private key account for the user on www.soyo.com
(or at least the same user name account on all machines).  Note that
you can specify different user ids like: keith@www.abc.com: for one
and root@www.xyz.com: for the other -- if you know the passwords.
========

showmount  ** Displays mount info for NFS filesystems.

tail -100 www-error_log | cut -d']' -f 4-99 | sed -e "s/,referer.*//g"|sort|uniq ** unique last 100 errors(see *5*)
top ** shows running processes
tar -cf archive.tar   ** Creating a tar file.
tar -cvzf usr_lib.tar.gz   ** tar and compress a file to whatever directory you are in
tar -tf archive.tar  ** Lists the files and/or directories in a tar file.
tar -xvf archive.tar  ** Extract the files from a tar archive. (.tar)
tar -zxvf archive.tar.gz  ** Extract the files from a compressed .tar.gz archive
tar -zxvf archive.tgz  ** Extract the files from a compressed .tgz archive
tar xvjf filename.version.bz2   ** Extract bzip2 files with tar

uname -a  ** print system information
uname -r ** Tells you what version of the kernel is currently running.
uptime  ** Tell how long the system has been running. Also number of users and system's load average.
users ** Show all users logged in.
userdel -r  ** Delete a user's account and other stuff  (see *4*)

w ** Displays currently logged in users and processes they are running.
whereis ** Find directory of executable file and related files
which ** Find executable file location of command given. Command must be in path.
who ** Displays currently logged in users.
who -uH  ** for idle time and terminal info.
whoami ** Displays user id.
whois   **  gives the administrative information about the site.


===============================
Basic file compression utilities: (and file extensions)

gzip (.gz): Also see zcat, gunzip, gznew, gzmore
compress: gzip file-name
decompress: gzip -d file-name.gz

bzip2 (.bz2): Also see: bunzip2, bzcat, bzip2recover
compress: bzip2 file-name
decompress: bunzip2 file-name.bz2

compress (.Z): (Adaptive Lempel-Ziv compression) Also see: uncompress, zcat
compress: compress file-name
decompress: uncompress file-name.Z
(Provided by the RPM package ncompress)

pack (.z): Also see: unpack
compress: pack file-name
decompress: unpack file-name.z

zip (.zip): Compress files or groups of files. 
To compress: zip file-name
To decompress: unzip file-name.zip
(R.P.Byrne compression) Compatible with Win PKZIP files.
====================================

****** SHELL TRICKS **********
ctrl + d = logout (also useful if you did su and want to get back 
to normal user)
--------------------------------------------------------------------
If your screen becomes unreadable because of displaying a binary file
type "reset" blindly and it should be normal again.

 Looping in the command line: for file in * ; do cp "$file" "$file.bak"; done

 {variable-name}=$(command) **  Set env variable-name to the command's output ex: $(date +%d-%b-%Y)

{variable-name}="value"  ** Temporarily set env "variable-name" to "value"

******************************
====================================
*1*  It is important that all system and vendor accounts that are
not used for logins are locked.  To get a list of unlocked accounts
on your system, you can check for accounts that do NOT have an
encrypted password string starting with "!" or "*" in the 
/etc/shadow file. If you lock an account using passwd -l, it 
will put a '!!' in front of the encrypted password, effectively
disabling the password. If you lock an account using usermod -L,
it will put a '!' in front of the encrypted password. Many system
and shared accounts are usually locked by default by having a '*' or
'!!' in the password field which renders the encrypted password into
an invalid string.

*2*  Also make sure all accounts have an 'x' in the password field in
/etc/passwd.  An 'x' in the password field means that the password 
has been shadowed, i.e. the encrypted password has to be looked up in
the /etc/shadow file. If the password field in /etc/passwd is empty,
then the system will not lookup the shadow file and it will not
prompt the user for a password at the login prompt.

*3*  The -prune option in this example is used to skip the
/proc filesystem.

*4*  If you are sure that an account can be deleted, you can remove
the account using the following command.  Without the "-r" option
userdel will not delete the user's home directory and mail spool
(/var/spool/mail/). Note that many system accounts have no
home directory:

*5* To monitor the significance, add '-c' to the uniq command, which
will find you a count of the number of each error.

"I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone."
-- Bjarne Stroustrup
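The script below is an added example; it is not part of the comment above or of the article. It turns three of the audit one-liners from the list (world-writable paths, SUID/SGID files, and the /etc/shadow check from note *1*) into functions and runs them against a constructed miniature directory tree and a constructed /etc/shadow sample with fake hashes, so it works offline as an ordinary user. It assumes GNU find (-perm /mode); for a real audit, point the functions at / and the real /etc/shadow as root.

```shell
#!/bin/bash
# Added example (not the commenter's own code).  Functions for three audit
# checks from the list, exercised against constructed sample data.  Assumes
# GNU find.
set -u

# world_writable ROOT: everything under ROOT with the "other write" bit set,
# symlinks excluded (a symlink's own mode is always 777 and means nothing).
# Same test as "find / -path /proc -prune -o -perm -2 ! -type l -ls" without
# the -ls formatting; -perm -0002 means "at least this bit".
world_writable() {
  find "$1" -perm -0002 ! -type l -print 2>/dev/null | sort
}

# suid_sgid ROOT: regular files with the SUID or SGID bit.  -perm /6000 matches
# when EITHER bit is set; GNU find no longer accepts the old "+6000" spelling.
suid_sgid() {
  find "$1" -type f -perm /6000 -print 2>/dev/null | sort
}

# unlocked_accounts SHADOW: user names whose hash field (field 2) does not
# start with "!" (locked by passwd -l / usermod -L) or "*" (never had a
# password).  An EMPTY field is reported too: it means login with no password.
unlocked_accounts() {
  awk -F: '$2 !~ /^[!*]/ { print $1 }' "$1"
}

# make_sample_tree ROOT: a constructed miniature filesystem with known findings.
make_sample_tree() {
  local root="$1"
  mkdir -p "$root/bin" "$root/tmp" "$root/home/biff"
  : > "$root/bin/su";      chmod 4755 "$root/bin/su"        # SUID -> finding
  : > "$root/bin/wall";    chmod 2755 "$root/bin/wall"      # SGID -> finding
  : > "$root/bin/ls";      chmod 0755 "$root/bin/ls"        # clean
  : > "$root/tmp/scratch"; chmod 0666 "$root/tmp/scratch"   # world-writable file -> finding
  chmod 1777 "$root/tmp"                                    # world-writable sticky dir -> finding
  : > "$root/home/biff/.profile"; chmod 0644 "$root/home/biff/.profile"  # clean
  ln -s /nonexistent "$root/tmp/dangling"                   # symlink: must be ignored
}

# write_sample_shadow FILE: constructed /etc/shadow lines; the hashes are fake.
write_sample_shadow() {
  cat > "$1" <<'EOF'
root:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
keith:$6$abcdef$anotherfakehash:19000:0:99999:7:::
oldvendor:!!:19000:0:99999:7:::
contractor:!$6$abcdef$lockedbyusermod:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

work=$(mktemp -d "${TMPDIR:-/tmp}/audit.XXXXXX")
make_sample_tree "$work/root"
write_sample_shadow "$work/shadow"
echo "== world-writable paths =="; world_writable "$work/root"
echo "== SUID/SGID files =="; suid_sgid "$work/root"
echo "== accounts that can log in (guest has no password at all) =="; unlocked_accounts "$work/shadow"
rm -rf "$work"
```

The shadow check deliberately differs from the egrep one-liner in the list: it looks only at the second field, so a "!" or "*" elsewhere on the line cannot mask an account, and an empty hash field, which the egrep version would never flag, is reported as the most serious case.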
