Using UNIX Permissions to Protect Files
Files can be secured through UNIX file permissions and through ACLs. Files with
sticky bits, and files that are executable, require special security measures.
Commands for Viewing and Securing Files
This table describes the commands for monitoring and securing files and directories.
Table 7-1 Commands for Securing Files and Directories

Command | Description | Man Page
ls | Lists the files in a directory and information about the files. | ls(1)
chown | Changes the ownership of a file. | chown(1)
chgrp | Changes the group ownership of a file. | chgrp(1)
chmod | Changes permissions on a file. You can use either symbolic mode, which uses letters and symbols, or absolute mode, which uses octal numbers, to change permissions on a file. | chmod(1)
File and Directory Ownership
Traditional UNIX file permissions can assign ownership to three classes of users:
user – The file or directory owner, which is usually the user who created the file. The owner of a file can decide who has the right to read the file, to write to the file (make changes to it), or, if the file is a command, to execute the file.
group – Members of a group of users.
others – All other users who are not the file owner and are not members of the group.
The owner of the file can usually assign or modify file permissions. Additionally,
users or roles with administrative capabilities, such as superuser or the Primary Administrator
role, can change a file's ownership. To override system policy, see Example 7-2.
A file can be one of the following types. The type is shown by the first character of an ls -l entry:
- Minus sign (-): Text or program, that is, a regular file
- b: Block special file
- c: Character special file
- d: Directory
- l: Symbolic link
- s: Socket
- D: Door
- P: Named pipe (FIFO)
UNIX File Permissions
The following table lists and describes the permissions that you can give to
each class of user for a file or directory.
Table 7-2 File and Directory Permissions

Symbol | Permission | Object | Description
r | Read | File | Designated users can open and read the contents of the file.
r | Read | Directory | Designated users can list the names of the files in the directory.
w | Write | File | Designated users can modify the contents of the file. Whether they can delete the file is decided by write permission on the directory that contains it, not by the file's own mode.
w | Write | Directory | Designated users can add files or add links in the directory. They can also remove files or remove links in the directory.
x | Execute | File | Designated users can execute the file, if it is a program or shell script. They also can run the program with one of the exec(2) system calls.
x | Execute | Directory | Designated users can open files or execute files in the directory. They also can make the directory and the directories beneath it current.
- | Denied | File and Directory | The corresponding permission (read, write, or execute) is denied to the designated users.
These file permissions apply to regular files, and to special files such as
devices, sockets, and named pipes (FIFOs).
For a symbolic link, the permissions that apply are the permissions of the
file that the link points to.
You can protect the files in a directory and its subdirectories by
setting restrictive file permissions on that directory. Note, however, that superuser has access to
all files and directories on the system.
Special File Permissions (setuid, setgid and Sticky Bit)
Three special types of permissions are available for executable files and public directories:
setuid, setgid, and sticky bit. When setuid or setgid is set on an executable file, the process
of any user who runs that file takes on the user ID (or group ID) of the file's owner rather
than the ID of the user who ran it. The sticky bit, set on a directory, restricts who can delete
the files in that directory.
You must be extremely careful when you set special permissions, because special permissions
constitute a security risk. For example, a user can gain superuser capabilities by
executing a program that sets the user ID (UID) to 0, which is
the UID of root. Also, all users can set special permissions for files
that they own, which constitutes another security concern.
You should monitor your system for any unauthorized use of the setuid
permission and the setgid permission to gain superuser capabilities. A suspicious permission grants
ownership of an administrative program to a user rather than to root or
bin. To search for and list all files that use this special permission,
see How to Find Files With Special File Permissions.
setuid Permission
When setuid permission is set on an executable file, a process that runs
this file is granted access on the basis of the owner of the
file. The access is not based on the user who is running the
executable file. This special permission allows a user to access files and directories
that are normally available only to the owner.
For example, the setuid permission on the passwd command makes it possible
for users to change passwords. A passwd command with setuid permission would
resemble the following:
-r-sr-sr-x 3 root sys 28144 Jun 17 12:02 /usr/bin/passwd
This special permission presents a security risk. A determined user who finds a flaw in a
setuid program can use it to retain the privileges of the file's owner after the program
was supposed to have finished executing.
Note - The use of setuid permissions with the reserved UIDs (0–100) from a program
might not set the effective UID correctly. Use a shell script, or avoid
using the reserved UIDs with setuid permissions.
setgid Permission
The setgid permission is similar to the setuid permission. The process's effective group
ID (GID) is changed to the group that owns the file, and a
user is granted access based on the permissions that are granted to that
group. The /usr/bin/mail command has setgid permissions:
-r-x--s--x 1 root mail 67504 Jun 17 12:01 /usr/bin/mail
When the setgid permission is applied to a directory, files that are created in that
directory belong to the group that owns the directory, not to the group of the process
that created them. Any user who has write and execute permissions on the directory can
create a file there, but the new file still belongs to the directory's group rather than
to the user's group.
You should monitor your system for any unauthorized use of the setgid
permission to gain superuser capabilities. A suspicious permission grants group access to such
a program to an unusual group rather than to root or bin.
To search for and list all files that use this permission, see How to Find Files With Special File Permissions.
Sticky Bit
The sticky bit is a permission bit that protects the files within a directory.
If the directory has the sticky bit set, a file can be deleted
only by the file owner, the directory owner, or by a privileged user.
The root user and the Primary Administrator role are examples of privileged users.
The sticky bit prevents a user from deleting other users' files from public
directories such as /tmp:
drwxrwxrwt 7 root sys 400 Sep 3 13:37 tmp
Be sure to set the sticky bit manually when you set up
a public directory on a TMPFS file system. For instructions, see Example 7-5.
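The listings quoted above for passwd, mail and /tmp all carry their special bits in the execute slots of the mode field. The following shell script is an added example, not code from the Solaris guide: it decodes such a 10-character mode field into per-class permissions plus the setuid, setgid, sticky and mandatory-locking flags, and flags the two combinations a permissions review should look at (a special bit set without its execute bit, and a setuid/setgid file that group or others can write). The function names are my own; the sample modes are the ones shown on this page plus one constructed misconfiguration.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): decode the 10-character mode
# field that ls -l prints, such as "-r-sr-sr-x", into per-class permissions
# plus the setuid, setgid, sticky and mandatory-locking flags, and flag the
# combinations a permissions review should look at. Function names are mine.

# decode_triplet RWX CLASS
# Sets triplet_out to the plain "rwx"-style string for one class (owner,
# group or other) and records any special bit found in the execute slot.
# Lowercase s/t means the special bit AND execute are on; uppercase S/T means
# the special bit is on but execute is off; l (group slot only) is the
# Solaris mandatory-locking indicator: setgid on, group execute off.
decode_triplet() {
    r=$(printf '%s' "$1" | cut -c1)
    w=$(printf '%s' "$1" | cut -c2)
    x=$(printf '%s' "$1" | cut -c3)
    class=$2
    [ "$r" = r ] || r=-
    [ "$w" = w ] || w=-
    case "$class$x" in
        ownerx|groupx|otherx) x=x ;;
        owners) setuid=1; x=x ;;
        ownerS) setuid=1; x=- ;;
        groups) setgid=1; x=x ;;
        groupS) setgid=1; x=- ;;
        groupl) setgid=1; locking=1; x=- ;;
        othert) sticky=1; x=x ;;
        otherT) sticky=1; x=- ;;
        *) x=- ;;
    esac
    triplet_out="$r$w$x"
}

# mode_decode MODESTRING
# Prints one line:
#   type=<c> owner=<rwx> group=<rwx> other=<rwx> setuid=<0|1> setgid=<0|1> sticky=<0|1> locking=<0|1>
mode_decode() {
    m=$1
    if [ "${#m}" -ne 10 ]; then
        echo "mode_decode: expected a 10-character ls -l mode field, got '$m'" >&2
        return 1
    fi
    setuid=0; setgid=0; sticky=0; locking=0
    ftype=$(printf '%s' "$m" | cut -c1)
    decode_triplet "$(printf '%s' "$m" | cut -c2-4)" owner; owner=$triplet_out
    decode_triplet "$(printf '%s' "$m" | cut -c5-7)" group; group=$triplet_out
    decode_triplet "$(printf '%s' "$m" | cut -c8-10)" other; other=$triplet_out
    printf 'type=%s owner=%s group=%s other=%s setuid=%s setgid=%s sticky=%s locking=%s\n' \
        "$ftype" "$owner" "$group" "$other" "$setuid" "$setgid" "$sticky" "$locking"
}

# mode_issues MODESTRING
# Prints one line per finding worth a second look; prints nothing otherwise.
# Relies on the globals that mode_decode leaves behind.
mode_issues() {
    mode_decode "$1" >/dev/null || return 1
    case $1 in
        *S*|*T*) echo "special bit set in a slot whose execute bit is off (capital S/T): ineffective or a leftover" ;;
    esac
    if [ "$setuid" = 1 ] || [ "$setgid" = 1 ]; then
        case "$group$other" in
            *w*) echo "setuid/setgid file is writable by group or others: whoever can write it can replace the privileged code" ;;
        esac
    fi
}

# Sample mode fields: the three listings quoted on this page, plus one
# constructed misconfiguration (setuid set, owner execute off).
for sample in -r-sr-sr-x -r-x--s--x drwxrwxrwt -rwSr--r--; do
    printf '%s  ->  ' "$sample"; mode_decode "$sample"
    mode_issues "$sample" | sed 's/^/    issue: /'
done
```

Feed it the first column of `ls -l` output (for example `ls -l /usr/bin | awk '{print $1}'`) to review a whole directory. The uppercase S/T check catches the case where chmod was given a special bit without the matching execute bit, which is invisible if you only grep for "s" in the listing.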
Default umask Value
When you create a file or directory, you create it with a default set of permissions.
The system defaults are open. A text file has 666 permissions, which grants read and write
permission to everyone. A directory and an executable file have 777 permissions, which grants
read, write, and execute permission to everyone. Typically, these defaults are narrowed by a
umask setting in the system-wide /etc/profile file or in a user's .profile, .cshrc, or .login file.
The bits that are set in the umask value are cleared from the default mode. This has the
effect of denying permissions in the same way that the chmod command grants them: where
chmod 022 would set write permission for group and others, umask 022 removes write
permission for group and others from every new file. Note that the mask is applied
bit by bit, not by arithmetic subtraction. A umask of 033 turns the 666 default of a text
file into 644, not 633, because a text file has no execute bits to remove.
The following table shows some typical umask settings and their effect on an
executable file.
Table 7-3 umask Settings for Different Security Levels

Level of Security | umask Setting | Permissions Disallowed | Resulting Mode of a New Executable (from 777)
Permissive | 022 | w for group and others | 755
Moderate | 027 | w for group, rwx for others | 750
Moderate | 026 | w for group, rw for others | 751
Severe | 077 | rwx for group and others | 700
For more information on setting the umask value, see the umask(1) man page.
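The following script is an added example, not part of the Solaris guide, and the function names are my own. It computes the mode that results from a given umask with the same bitwise operation the kernel uses, recomputes the table above, shows why "subtraction" is the wrong mental model (666 under umask 033 stays 644), and then creates a real file and directory under umask 027 in a scratch directory to confirm what ls -l reports. It assumes mktemp -d is available.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): show what a umask actually does
# to the 666/777 defaults. Function names are mine; mktemp -d is assumed to
# exist, as it does on Solaris, Linux and the BSDs.

# umask_apply DEFAULT MASK
# Prints the octal mode that results when MASK is applied to DEFAULT. The
# bits set in the mask are cleared with a bitwise AND NOT; nothing is
# subtracted, so a mask bit that is already clear in the default (execute on
# a 666 text file, say) changes nothing.
umask_apply() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# umask_demo MASK
# Creates a text file and a directory under MASK in a scratch directory and
# prints the two mode fields ls -l reports for them, file first.
umask_demo() {
    d=$(mktemp -d) || return 1
    ( umask "$1"; : > "$d/f"; mkdir "$d/sub" )
    f=$(ls -ld "$d/f" | cut -c1-10)
    s=$(ls -ld "$d/sub" | cut -c1-10)
    rm -rf "$d"
    printf '%s %s\n' "$f" "$s"
}

# The table above, recomputed for a text file and for an executable or directory.
for mask in 022 027 026 077; do
    printf 'umask %s: text file %s, executable or directory %s\n' \
        "$mask" "$(umask_apply 666 "$mask")" "$(umask_apply 777 "$mask")"
done

# Subtraction would predict 633 here; the mask gives 644 (-> 644).
umask_apply 666 033

# What the kernel actually produced on disk under umask 027
# (-> -rw-r----- drwxr-x---).
umask_demo 027
```

Run it under a shell whose umask you want to verify; the final call is the quickest way to confirm that a profile's umask line is really in effect for new files and directories.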
File Permission Modes
The chmod command enables you to change the permissions on a file. You
must be superuser or the owner of a file or directory to
change its permissions.
You can use the chmod command to set permissions in either of two
modes:
Absolute Mode – Use numbers to represent file permissions. When you change permissions by using the absolute mode, you represent permissions for each triplet by an octal mode number. Absolute mode is the method most commonly used to set permissions.
Symbolic Mode – Use combinations of letters and symbols to add permissions or remove permissions.
The following table lists the octal values for setting file permissions in absolute
mode. You use these numbers in sets of three to set permissions for
owner, group, and other, in that order. For example, the value 644
sets read and write permissions for owner, and read-only permissions for group and other.
Table 7-4 Setting File Permissions in Absolute Mode

Octal Value | File Permissions Set | Permissions Description
0 | --- | No permissions
1 | --x | Execute permission only
2 | -w- | Write permission only
3 | -wx | Write and execute permissions
4 | r-- | Read permission only
5 | r-x | Read and execute permissions
6 | rw- | Read and write permissions
7 | rwx | Read, write, and execute permissions
The following table lists the symbols for setting file permissions in symbolic mode.
Symbols can specify whose permissions are to be set or changed, the operation
to be performed, and the permissions that are being assigned or changed.
Table 7-5 Setting File Permissions in Symbolic Mode

Symbol | Function | Description
u | who | User (owner)
g | who | Group
o | who | Others
a | who | All
= | operator | Assign
+ | operator | Add
- | operator | Remove
r | permissions | Read
w | permissions | Write
x | permissions | Execute
l | permissions | Mandatory locking (setgid bit is on, group execute bit is off)
s | permissions | setuid or setgid bit is on
t | permissions | Sticky bit is on, execute bit for others is on

The who, operator, and permissions designations in the Function column identify the
role that each symbol plays in a symbolic mode such as g+s or o-w:
- who
Specifies whose permissions are to be changed.
- operator
Specifies the operation to be performed.
- permissions
Specifies what permissions are to be changed.
You can set special permissions on a file in absolute mode or symbolic
mode. However, you must use symbolic mode (for example, chmod g+s directory) to set or
remove the setgid permission on a directory. In absolute mode, you set special permissions
by adding a fourth octal digit to the left of the three permission digits; the values add
together, so 6755 sets both setuid and setgid. The following table lists the octal values
for setting special permissions on a file.
Table 7-6 Setting Special File Permissions in Absolute Mode

Octal Value | Special File Permissions
1 | Sticky bit
2 | setgid
4 | setuid
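The following script is an added example, not code from the Solaris guide, and the function name is my own. It exercises both chmod modes from this section in a scratch directory (absolute mode for a setuid executable and a sticky /tmp-style directory, symbolic mode for setgid on a directory), reads back the mode fields that ls -l shows, and then runs the find(1) predicates used to locate setuid and setgid files. It assumes mktemp -d is available.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): set the special bits with both
# chmod modes in a scratch directory, read back what ls -l shows, and locate
# the setuid/setgid files with the find(1) predicates an audit would use.
# Function name is mine; mktemp -d is assumed to be available.

# special_perms_demo
# Prints "<tool mode> <shared mode> <pub mode>|<files find reports>".
special_perms_demo() {
    d=$(mktemp -d) || return 1

    printf '#!/bin/sh\necho hello\n' > "$d/tool"
    chmod 4755 "$d/tool"        # absolute mode: 4 (setuid) in front of 755

    mkdir "$d/shared" "$d/pub"
    chmod 770 "$d/shared"
    chmod g+s "$d/shared"       # symbolic mode: the form required for setgid on a directory
    chmod 1777 "$d/pub"         # absolute mode: 1 (sticky bit) in front of 777, as for /tmp

    modes=$(for p in tool shared pub; do ls -ld "$d/$p" | cut -c1-10; done \
            | tr '\n' ' ' | sed 's/ $//')

    # -perm -4000 and -perm -2000 match when that bit is set, whatever the
    # other bits are; -type f keeps the setgid directory out of the list.
    found=$(cd "$d" && find . -type f \( -perm -4000 -o -perm -2000 \) \
            | sort | tr '\n' ' ' | sed 's/ $//')

    rm -rf "$d"
    printf '%s|%s\n' "$modes" "$found"
}

# Expected: -rwsr-xr-x drwxrws--- drwxrwxrwt|./tool
special_perms_demo
```

The same find predicates, run as `find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;` and saved to a file, give a baseline you can diff on later runs to catch a newly added setuid binary or one whose owner has changed from root or bin.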