Paranoid Penguin - Linux Filesystem Security, Part I

Errors in setting permissions are the often-frustrating cause of many common Linux problems, so learn the fundamentals of permissions and take the first step to understanding Linux security.

For most of the Paranoid Penguin's illustrious four years with Linux Journal, I've tended to write tools-focused columns. I've described how to secure Sendmail, how to add SSL encryption to things by using Stunnel and how to get any number of other powerful security software tools configured and running.

Over the next couple of columns, however, I am going to address one of the most basic and important, yet often-overlooked, aspects of Linux security: filesystem permissions. If they are set wisely, it is harder for users and intruders to abuse their system privileges. If you set them carelessly, however, minor vulnerabilities can lead to major system compromises.

These articles should be especially useful to Linux newcomers who wonder what all the drwxr-xr-x gobbledygook in file listings means. But, even if you're an intermediate user—perhaps the kind who doesn't yet understand the precise ramifications of setuid and setgid—these articles, especially Part II, may have something for you too.

Prelude: Everything Is a File

Did you know that in UNIX and UNIX-like systems, basically everything is represented by files? Documents, pictures and even executable programs are easy to conceptualize as files on your hard disk. Although we think of a directory as a container of files, a directory actually is a file containing, you guessed it, a list of other files.

Similarly, the CD-ROM drive attached to your system seems tangible enough, but to your Linux kernel, it too is a file—the special device file /dev/cdrom. To read data from the CD-ROM drive or to write data to it, the kernel actually reads from and writes to this special file. Actually, on most systems, /dev/cdrom is a symbolic link to /dev/hdb or some other special file. And wouldn't you know it, a symbolic link is in turn nothing more than a file containing the location of another file.

Other special files, such as named pipes, act as input/output (I/O) conduits, allowing one process or program to pass data to another.

My point here is not to describe each and every type of file that exists in Linux or UNIX. It's to illustrate how nearly everything is represented by a file. Once you understand this, it's much easier to understand why filesystem security is such a big deal and how it works.

Users, Groups and Permissions

Actually, two things on a Linux system aren't represented by files: user accounts and group accounts, which we call users and groups for short. Various files contain information about a system's users and groups, but none of those files actually represents them. A user account represents someone or something capable of using files. That is to say, both human beings and system processes can use user accounts. For example, a user account named webmaster typically represents a human being who maintains Web sites. But the standard Linux user account lp is used by the line printer dæmon (lpd); the lpd program runs as the user lp. I explain later what it means for a program to run as one user vs. another.

A group account simply is a list of user accounts. Each user account is defined with a main group membership but may in fact belong to as many groups as needed. For example, the user maestro may have a main group membership in conductors and also belong to pianists.

A user's main group membership is specified in the user account's entry in /etc/passwd. You can add that user to additional groups by editing /etc/group and adding the user name to the end of the entry for each group to which the user should belong. Alternatively, you could use the usermod command; see the usermod(8) man page for more information.

Listing 1 shows maestro's entry in the file /etc/passwd, and Listing 2 shows part of the corresponding /etc/group file.
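As an added illustration (not one of the article's listings), here is a small Python reconstruction of how the maestro example resolves: constructed /etc/passwd and /etc/group entries, and a lookup that gives the same answer as running `groups maestro`. The gid numbers and the lp entries are assumptions chosen to match the text.

```python
# Constructed /etc/passwd and /etc/group entries standing in for the
# article's Listing 1 and Listing 2 (assumed values, not the real listings).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
maestro:x:1000:100:Maestro:/home/maestro:/bin/bash
"""
GROUP = """\
root:x:0:
lp:x:7:
conductors:x:100:
pianists:x:101:maestro
"""

def parse_passwd(text):
    """Map user name -> (uid, primary gid) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Map group name -> (gid, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def groups_for(user, passwd_text=PASSWD, group_text=GROUP):
    """Return the user's groups, primary group first, as `groups user` reports them.

    The primary group comes from the gid field of /etc/passwd; every other
    membership comes from the member list at the end of an /etc/group entry.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    _uid, primary_gid = users[user]
    primary = [g for g, (gid, _m) in groups.items() if gid == primary_gid]
    supplementary = sorted(g for g, (gid, members) in groups.items()
                           if user in members and gid != primary_gid)
    return primary + supplementary

if __name__ == "__main__":
    print("maestro:", " ".join(groups_for("maestro")))  # maestro: conductors pianists
    print("lp:", " ".join(groups_for("lp")))            # lp: lp
```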


Comments


Hi, this page seems to ha

Posted by Anonymous

Hi,

this page seems to have several notes to an editor or something? Search on

***BEGIN SIDEBAR
Garrick

to see what I mean.

Commands

Posted by Anonymous

As a newbie this article helped a lot. However, I'm still looking for a list of commands and what they do. Simple commands like how to change directories and how you navigate through the file system. I'm coming from DOS intuition and although there are some similarities, I still find myself lost at times.

Re: commands

Posted by Mick

I talk more about chmod, chgrp, etc. in Part II, which you can read at http://www.linuxjournal.com/article/7727

Hope that helps!

--Mick Bauer

list of commands

Posted by Keith Daniels

Here is a list I made for myself over the years. I am sure there are some errors here so watch out for them and use the man pages:

man (command name)

To get details. These are just the ones I commonly used.

** To activate changes in .bashrc simply type bash in a terminal

ac ** connect time in hours on a per-user or daily basis, command reads /var/log/wtmp

cat /proc/cpuinfo ** List info about CPU.
cat /proc/dma ** List DMA channels and device used by system.
cat /proc/filesystems  ** Display filesystems currently in use.
cat /proc/ide/hda/any-file  ** Displays disk information held by kernel.
cat /proc/interrupts ** List IRQ's used by system and the device using the interrupt.
cat /proc/ioports ** List I/O ports used by system.
cat /proc/mounts  ** Display mounted filesystems currently in use.
cat /proc/partitions  ** to see full list of disks and partitions that your system can see
cat /proc/pci  ** list all PCI devices (result of probe)
cat /proc/swaps  ** Displays swap partition(s) size, type and quantity used.
cat /proc/version ** Display Linux kernel version in use.
cat www-error_log | cut -d']' -f 4-99 | sed -e "s/,referer.*//g"|sort|uniq ** list unique entries (see *5*)
chkconfig --list |grep on **  list all services that are started at bootup
chkconfig --list nfs ** check that the NFS service is NOT enabled and running
chkconfig --list portmap ** check that the  portmap service used by NFS is NOT enabled and running
cp /etc/httpd/conf/httpd.conf{,.bak} ** copy httpd.conf to httpd.conf.bak
cp -r /* -t  ** copy dir & sub dir contents to new dir.  * must follow / of dir to be copied and New dir must exist.

df -h   Show the sizes of the mounted devices.
df -k  ** report filesystem disk space usage. (-k reports in Kbytes)
diff /etc/httpd/conf/httpd.conf{.bak,} ** show diff between httpd.conf and httpd.conf.bak
dig   ** gives IP address
dump-utmp ** Converts the raw data from /var/run/utmp or /var/log/wtmp into ASCII-parsable format.
du -sh  ** Calculates file space usage for directory and everything under it (-s option summarizes)
du -sh /*   Show the sizes of all the root directories.

egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}' ** To get a list of all encryptable pswd accounts (see *1*)

find / -name rdiff* 2> /dev/null  ** find everywhere rdiff* is located and don't show error messages
find / -path /proc -prune -o -nouser -o -nogroup ** locate files on your system not owned by any user or group
find / -path /proc -prune -o -perm -2 ! -type l -ls ** locate world-writable files and directories
find / -path /proc -prune -o -type f -perm +6000 -ls ** search the system for SUID or SGID files (see *3*)
find / -path /proc -prune -o -user  -ls ** find if there are any files owned by an account (see *3*)

grep -RI 'XXX' *  ** Search for XXX in that directory and all subdirectories and Ignore binary files
grep -R 'XXX' *  2> /dev/null  ** Search for XXX in that directory and all subdirectories without ANY error messages
grep string /var/log/messages | more  ** search for "string" in log with paging
grep -v ':x:' /etc/passwd  **  lists all accounts that do not have a 'x' in the password field ( see *2*)
groups ** Display groups you are part of.  Use groups user-id to display groups for a given user.
gunzip ** uncompress .gz files without tar in front of it.
gzip ** compress single file to .gz

halt ** Shutdown system.
history ** Shell command to display previously entered commands.
host   ** gives domain name or IP address
httpd2 -V ** list all apache modules that are installed.
id ** Display user and all group ids.  Use id user-id to display info for another user id.
ifconfig    Shows which network interfaces are currently active in the system.
import  - Puts a screenshot of the current selected window or desktop in your home directory (ImageMagick tool).
init q ** To have changes in /etc/inittab become effective immediately
init  - When root, changes the runlevel

kill  - Kills the process (process # found with "ps -ef") if you want to stop it.

last -100  **  lists the last users who logged into the system
lastb  ** Same as last, but shows a log of the file /var/log/btmp, of the bad login attempts
lastlog ** reports data maintained in /var/log/lastlog, a record of the last time a user logged in.
ln -s target linkname   Make a symbolic link.
locate/slocate **   Find location/list of files which contain a given partial name
ls -1 * >   ** make a list - names only - of all files and all subdirectory files
lsdev  ** List devices and info on system hardware. Also IRQ's.(RPM package procinfo)
ls | less  - pipes the output through "less", = pages which can be flipped through with the spacebar or Pgup, Pgdown
ls -lR >   ** make a complete list of all files, must be as root not su and from / directory
lsmod  ** List all currently loaded kernel modules - Same as cat /proc/modules
lsof -i -n | egrep 'COMMAND|LISTEN|UDP' ** list listening network ports (TCP and UDP sockets)
lspci (or lspci -vvx)  ** list all PCI devices (result of probe)
lynx -dump -stdin output.txt ** convert html to plain text with good tables.

more /var/log/messages  ** view log one page at a time
multitail   or tail -f /var/log/messages  ** How to View New Log Entries as They Happen

netstat ** Displays network connections, routing tables, and interface statistics....
netstat -nlp ** list other information on network ports (TCP and UDP sockets)
netstat -punta ** list more information on network ports (TCP and UDP sockets)
netstat -tulp ** list listening network ports (TCP and UDP sockets)
nmap   **  gives open ports and other stuff on a site -- considered an attack.

pdftohtml -c  infile.pdf outfile.html  ** Convert pdf to html with associate graphics - 1 html per page
ps -Ax, ps -eL or ps -auxw (process status)  ** shows all processes running or sleeping.
ps -ef | grep 'text' -  will search running services & display services matching 'text'.
pstree -pa  ** gives you the processes that are running in a tree format.  Shows what started the processes
pwd - Will tell you what directory you are in.

reboot – Restart system.
rm -f filename.txt ** deletes filename.txt, will not ask for confirmation before deleting.
rm -rf tmp/ ** recursively deletes the directory tmp, and all files in it, including subdirectories.
rpm -e --test  ** check for potential conflicts/dependencies when deleting a RPM
rpm -qa  ** To get a list of all installed RPMs
rpm -qf  ** Display name of RPM package from which the file was installed.
rpm -qi   ** find more about a particular RPM:
rpm -ql $(rpm -qa | grep httpd) ** rpm -qa | grep httpd lists packages with httpd in the name;
rpm -ql lists files in each package.
rpm -q --whatrequires   ** find what package(s) requires that file or lib.

set or env ** Display all environment variables in your current environment. 

**** Securely moving or copying files (Don't put in the <> brackets!)

(You are logged in to www.soyo.com)
( -r causes the entire directory to be included, -p keeps the permissions and timestamps)

scp -p // www.asp.net://  ** file on soyo -- to be moved to www.asp.net.
scp -r / www.asp.net:/ ** directory & subdirs on soyo --  moved to www.asp.net.

scp -p www.asp.net:/ / ** file on www.asp.net to be moved to soyo
scp -p keith@www.asp.net:// //  ** file on www.asp.net to be moved to soyo

=======
scp -p www.abc.com:// www.xyz.com://

** file on abc.com to be moved to www.xyz.com  This assumes that
there is a public/private key account for the user on www.soyo.com
(or at least the same user name account on all machines.  Note that
you can specify different user ids like: keith@www.abc.com: for one
and root@www.xyz.com: for the other -- If you know the passwords.
========

showmount  ** Displays mount info for NFS filesystems.

tail -100 www-error_log | cut -d']' -f 4-99 | sed -e "s/,referer.*//g"|sort|uniq ** unique last 100 errors(see *5*)
top ** shows running processes
tar -cf archive.tar   ** Creating a tar file.
tar -cvzf usr_lib.tar.gz   ** tar and compress a file to whatever directory you are in
tar -tf archive.tar  ** Lists the files and/or directories in a tar file.
tar -xvf archive.tar  ** Extract the files from a tar archive. (.tar)
tar -zxvf archive.tar.gz  ** Extract the files from a compressed .tar.gz archive
tar -zxvf archive.tgz  ** Extract the files from a compressed .tgz archive
tar xvjf filename.version.bz2   ** Extract bzip2 files with tar

uname -a  ** print system information
uname -r    Tells you what version of the kernel is currently running.
uptime  ** Tell how long the system has been running. Also number of users and system's load average.
users ** Show all users logged in.
userdel -r  ** Delete a user's account and other stuff  (see *4*)

w ** Displays currently logged in users and processes they are running.
whereis ** Find directory of executable file and related files
which ** Find executable file location of command given. Command must be in path.
who ** Displays currently logged in users.
who -uH  ** for idle time and terminal info.
whoami ** Displays user id.
whois   **  gives the administrative information about the site.


===============================
Basic file compression utilities: (and file extensions)

gzip (.gz): Also see zcat, gunzip, gznew, gzmore
compress: gzip file-name
decompress: gzip -d file-name.gz

bzip2 (.bz2): Also see: bunzip2, bzcat, bzip2recover
compress: bzip2 file-name
decompress: bunzip2 file-name.bz2

compress (.Z): (Adaptive Lempel-Ziv compression) Also see: uncompress, zcat
compress: compress file-name
decompress: uncompress file-name.Z
(Provided by the RPM package ncompress)

pack (.z): Also see: unpack
compress: pack file-name
decompress: unpack file-name.z

zip (.zip): Compress files or groups of files. 
To compress: zip file-name
To decompress: unzip file-name.zip
(R.P.Byrne compression) Compatible with Win PKZIP files.
====================================

****** SHELL TRICKS **********
ctrl + d = logout (also useful if you did su and want to get back
to normal user)
--------------------------------------------------------------------
If your screen becomes unreadable because of displaying a binary file
type "reset" blindly and it should be normal again.

 Looping in the command line: for file in * ; do cp $file $file.bak; done

 {variable-name}=$(command) **  Set env variable-name to commands output ex: $(date +%d-%b-%Y)

{variable-name}=$"value"  ** Temporarily set env "variable-name" to "value"

******************************
====================================
*1*  It is important that all system and vendor accounts that are
not used for logins are locked.  To get a list of unlocked accounts
on your system, you can check for accounts that do NOT have an
encrypted password string starting with "!" or "*" in the 
/etc/shadow file. If you lock an account using passwd -l, it 
will put a '!!' in front of the encrypted password, effectively
disabling the password. If you lock an account using usermod -L,
it will put a '!' in front of the encrypted password. Many system
and shared accounts are usually locked by default by having a '*' or
'!!' in the password field which renders the encrypted password into
an invalid string.

*2*  Also make sure all accounts have an 'x' in the password field in
/etc/passwd.  An 'x' in the password field means that the password
has been shadowed, i.e. the encrypted password has to be looked up in
the /etc/shadow file. If the password field in /etc/passwd is empty,
then the system will not look up the shadow file and it will not
prompt the user for a password at the login prompt.

*3*  The -prune option in this example is used to skip the
/proc filesystem.

*4*  If you are sure that an account can be deleted, you can remove
the account using the following command.  Without the "-r" option
userdel will not delete the user's home directory and mail spool
(/var/spool/mail/). Note that many system accounts have no
home directory:

*5* To monitor the significance, add '-c' to the uniq command, which
will give you a count of the number of each error.

All the new OSs and windowing systems are oriented towards content consumption instead of content production.

--Steve Daniels 2013
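An added example, not from the article or from Keith's list, that implements three of the audit checks above in Python: the unshadowed-account check from note *2* (`grep -v ':x:' /etc/passwd`), the unlocked-account check from note *1* (the egrep/awk pipeline over /etc/shadow), and the SUID/SGID and world-writable tests that the `find -perm` one-liners perform, applied to st_mode values. The /etc/passwd and /etc/shadow contents, including the hash strings, are constructed for the example.

```python
import stat

# Constructed /etc/passwd and /etc/shadow lines (not from any real host;
# the hash strings are placeholders, not real crypt output).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
legacy::1001:1001:Old app:/home/legacy:/bin/sh
maestro:x:1000:100:Maestro:/home/maestro:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASH:19000:0:99999:7:::
lp:*:19000:0:99999:7:::
legacy:!!:19000:0:99999:7:::
maestro:$6$saltsalt$ANOTHERFAKEHASH:19000:0:99999:7:::
"""

def unshadowed_accounts(passwd_text):
    """Note *2*: accounts whose /etc/passwd password field is not 'x'.

    An empty field means login asks for no password at all, so every
    name returned here deserves a look.
    """
    bad = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        name, pw = line.split(":")[:2]
        if pw != "x":
            bad.append(name)
    return bad

def unlocked_accounts(shadow_text):
    """Note *1*: accounts with a usable hash, i.e. one that does not start
    with '!' (usermod -L / passwd -l) or '*' (never had a password)."""
    live = []
    for line in shadow_text.splitlines():
        if not line:
            continue
        name, hashed = line.split(":")[:2]
        if not hashed.startswith(("!", "*")):
            live.append(name)
    return live

def risky_mode_flags(mode):
    """Classify an st_mode value the way the find one-liners do:
    'suid'/'sgid' only for regular files (-type f -perm +6000) and
    'world-writable' for anything that is not a symlink (-perm -2 ! -type l)."""
    flags = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        flags.append("suid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        flags.append("sgid")
    if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags
```

Pointing the two account functions at the real files (read as root) and risky_mode_flags at os.lstat(path).st_mode during a directory walk reproduces the checks without the grep and find pipelines.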
