Security, Performance, and Accounting Administration

Securing Files and Data

3

The SunOS operating system is a multiuser system, which means that all the users logged in to a machine can read and use files belonging to one another, as long as they have permission to do so.
This chapter describes how to secure the files and directories in a file system. If you are familiar with the concepts of file protection, use the following table to find instructions for the task that you want to perform.
  • How to Display File Permissions and Ownership
  • How to Find Files With setuid Permissions Set
  • How to Create a Group for Users
  • How to Change the Owner of a File or Directory
  • How to Change the Group of a File
  • How to Set Permissions in Absolute Mode
  • How to Change Permissions in Symbolic Mode

About File Access

Every file and directory can be assigned three basic file permissions:
  • read (r)
  • write (w)
  • execute (x)
These three permissions, grouped as a triplet, can be assigned to each of three classes of users:
  • The file or directory owner--usually the user who created the file. The owner of a file can decide who has the right to read it, to write to it (make changes to it), or, if it is a command, to execute it.
  • Members of a group
  • All others who are not the file or group owner
Only the owner of the file or the superuser can assign or modify file permissions.

File Permissions

Table 3-1 lists and describes the file permissions.
Table 3-1
Symbol  Permission  Means Designated Users...
r       Read        Can open and read the contents of a file
w       Write       Can write to the file (modify its contents), add to it, or delete it
x       Execute     Can execute the file (if it is a program or shell script), or run it with one of the exec(2) system calls
-       Denied      Cannot read, write, or execute the file
These file permissions apply to special files such as devices, sockets, and named pipes (FIFOs), as they do to regular files.
For a symbolic link, the permissions that apply are those of the file the link points to.

Directory Permissions

Table 3-2 lists and describes the directory permissions.
Table 3-2
Symbol  Permission  Means Designated Users...
r       Read        Can list files in the directory.
w       Write       Can add or remove files or links in the directory.
x       Execute     Can open or execute files in the directory. Can also make the directory and the directories beneath it current.
You can protect the files in a directory (and in its subdirectories) by disallowing access to that directory. Note, however, that root (superuser) has access to all files and directories on the system.

File Types

A file can be one of six types. Table 3-3 lists the possible file types.
Table 3-3
Symbol  Type
-       Text or program
d       Directory
b       Block special file
c       Character special file
p       Named pipe (FIFO)
l       Symbolic link

Viewing Permissions

You can view permissions on the files and subdirectories within the current directory by typing ls -l. The first column of output describes the mode of the file. This information tells you what type of file it is, and who has permission to access it.
For example, a file whose listing begins with the mode -rwxr--r-- is a text file with read, write, and execute permissions for its owner, and read-only permission for group and others.

Changing Permissions With chmod

You must be root or the owner of a file or directory to assign or change its permissions.

The chmod command sets or changes the permissions on a file. You can use this command to set permissions in either of two modes: symbolic or absolute. Symbolic mode uses combinations of letters and symbols to add or remove permissions. Absolute mode uses numbers to represent file permissions.

Symbolic Mode

Symbolic mode uses letters to specify whose privileges are being modified, and in what way. Table 3-4 lists the symbols that specify whose permissions are to be set or changed, the operation to be performed, and the permissions being assigned or changed.
Table 3-4
Symbol  Function    Meaning
u       Who         User (owner)
g       Who         Group
o       Who         Others
a       Who         All
=       Operation   Assign
+       Operation   Add
-       Operation   Remove
r       Permission  Read
w       Permission  Write
x       Permission  Execute
l       Permission  Mandatory locking, setgid bit is on, group execution bit is off
s       Permission  setuid or setgid bit is on
S       Permission  suid bit is on, user execution bit is off
t       Permission  Sticky bit is on, execution bit for others is on
T       Permission  Sticky bit is on, execution bit for others is off
The read, write, and execute permissions are explained in "File Permissions". The setuid, setgid, and sticky bits are explained in "Special Permissions (setuid, setgid and Sticky Bit)".

Absolute Mode

The absolute mode is the method most commonly used to set permissions. This mode uses an octal numeric value for each of owner, group, and others.

Table 3-5 lists the octal values and their meanings.
Table 3-5
Octal Value  Permission Assigned
0            No permissions
1            Execute permission only
2            Write permission only
3            Write and execute permissions
4            Read permission only
5            Read and execute permissions
6            Read and write permissions
7            Read, write, and execute permissions
When you change permissions by using the absolute mode, represent permissions for each triplet by an octal mode number. Thus, the following command sets read, write, and execute permissions for owner; read and execute permissions for group and others:
chmod 755 filename

Special Permissions (setuid, setgid and Sticky Bit)

Three special types of permissions are available for executable files and public directories. When these permissions are set, any user who runs that executable file assumes the permissions of the owner (or group) of the executable file.

setuid Permission

When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who created the process. This allows a user to access files and directories that are normally only available to the owner. For example, the setuid permission on the passwd command makes it possible for a user to change passwords, assuming the permissions of the root ID:
-r-sr-sr-x   1 root     sys        10332 May  3 08:23 /usr/bin/passwd

This presents a security risk, because some determined users can find a way to maintain the permissions granted to them by the setuid process even after the process has finished executing.

setgid Permission

The set-group identification (setgid) permission is similar to setuid, except that the process's effective group ID (GID) is changed to the group owner of the file, and a user is granted access based on permissions granted to that group. The /usr/bin/mail program has setgid permissions:
-r-x--s--x   1 bin      mail       62504 May  3 07:58 /usr/bin/mail

When setgid permission is applied to a directory, files created in this directory belong to the group the directory belongs to, not the group the creating process belongs to. Any user who has write permission in the directory can create a file there--however, the file will not belong to the group of the user, but will belong to the group of the directory.

Sticky Bit

The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root. This prevents a user from deleting other users' files from public directories such as uucppublic:
drwxrwxrwt   2 uucp     uucp     512 May 24 09:48 /var/spool/uucppublic

Be sure to set the sticky bit manually when you set up a public directory on a tmpfs filesystem.

Setting Special Permissions

You must be extremely careful when assigning these permissions, since setting these permissions constitutes a security risk. For example, a user can gain root permission by executing a program that sets the user ID to root.

You should monitor your system to stay aware of any unauthorized use of the setuid and setgid permissions to gain root privileges. You can use the find command or the ncheck command to search the file systems and print out a list of all programs using these permissions. A suspicious listing would be one that grants ownership of such a program to a user rather than to bin or sys. Only the superuser can set these permissions. They are set using the extreme left position, ahead of the permission triplets, as the examples below show.

Examples

This chmod command sets setuid permission:

  # chmod 4555 dbprog  
  # ls -l dbprog  
  -r-sr-xr-x   1 db     staff        12095 May  6 09:29 dbprog  

This chmod command sets setgid permission:

  # chmod 2551 dbprog2  
  # ls -l dbprog2  
  -r-xr-s--x   1 db     dbstaff       24576 May  6 09:30 dbprog2

This chmod command sets sticky bit permission:

  # chmod 1777 pubdir  
  # ls -ld pubdir  
  drwxrwxrwt   1 root   root           512 May  8 09:45 pubdir

Setting a Default umask

When you create a file or directory, it has a default set of permissions. These default permissions are determined by the value of umask in the system file /etc/profile, or in your .cshrc or .login file. By default, the system sets the permissions on a text file to 666, granting read and write permission to user, group, and others, and to 777 on a directory or executable.
The value assigned by umask is subtracted from the default. This has the effect of denying permissions in the same way that chmod grants them. For example, while the command chmod 022 grants write permission to group and others, umask 022 denies write permission for group and others.
Table 3-6 shows some typical umask settings, and the effect on an executable file.
Table 3-6 umask
Level of Security  umask  Disallows
Permissive (744)   022    w for group and others
Moderate (740)     027    w for group, rwx for others
Moderate (741)     026    w for group, rw for others
Severe (700)       077    rwx for group and others
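
As an added example (not part of the original manual), the following sh functions create a file and a directory under a given umask and report the modes the system actually assigns, then compute the same result directly. The function names are hypothetical and mktemp is assumed to be available; every bit set in the umask is cleared from the requested mode, so umask 027 turns a requested 666 into 640.

```shell
#!/bin/sh
# Added example: modes actually assigned to new files and directories.

# Print "<file mode> <directory mode>" as created under umask $1.
# touch requests 666 and mkdir requests 777; the system then clears
# every bit that is set in the umask.
observed_modes() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        touch "$dir/f"
        mkdir "$dir/d"
        f=$(ls -ld "$dir/f" | cut -c1-10)
        d=$(ls -ld "$dir/d" | cut -c1-10)
        rm -rf "$dir"
        echo "$f $d"
    )
}

# The same result computed rather than observed: mode AND NOT umask.
masked_mode() {   # $1 = requested mode, $2 = umask, both octal
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Walk the umask values listed in Table 3-6.
for m in 022 027 026 077; do
    echo "umask $m: $(observed_modes "$m")" \
         "file=$(masked_mode 666 "$m") dir=$(masked_mode 777 "$m")"
done
```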

Encrypting Files

Placing a sensitive file into an inaccessible directory (700 mode) and making the file unreadable by others (600 mode) will keep it secure in most cases. However, someone who guesses your password or the root password can read and write to that file. Also, the sensitive file is preserved on backup tapes every time you back up the system files to tape.
Fortunately, an additional layer of security is available to all SunOS system software users in the United States--the optional file encryption kit. The encryption kit includes the crypt command which scrambles the data to disguise the text.

Instructions for Securing Your Files

This section outlines the tasks that you perform to restrict access to the files and directories on your system.

· How to Display File Permissions and Ownership

* Type ls -lg and press Return. The screen displays a long list of files in the directory. The -l option specifies a long listing, and the -g option lists the group. Each line in the display has the following information:
  • Type of file, and its permissions
  • Number of hard links
  • Owner of the file
  • Group of the file
  • Size of the file, in bytes
  • Date the file was created, or the last date it was changed
  • Name of the file

Example of a Display of File Permissions and Ownership

The following example shows the result of the ls -lg command on the /sbin directory.

  example% ls -lg  
  -r-xr-xr-x 1 bin          bin    122488 Dec 13 13:38         autopush*  
  -rwxr--r-- 1 root         sys      6916 Jan 1 1994           bcheckrc*  
  -rwxr-xr-x 1 bin          bin    523256 Dec 13 13:15         bpgetfile*  
  -r-xr-xr-x 1 bin          bin    483372 Dec 13 10:56         hostconfig*  
  -r-xr-xr-x 1 bin          bin    373700 Dec 13 14:15         ifconfig  
  -r-xr-xr-x 1 root         sys    187884 Dec 13 15:45         init*  
  -r-xr-xr-x 1 bin          staff 144808 Dec 13 15:38          mount*  
  -r-xr-xr-x 1 root         sys      5696 Jan 1 1994           mountall*  
  -rwxr--r-- 3 root         sys      2265 Jan 1 1994           rc0  
  -rwxr--r-- 1 root         sys      1018 Jan 1 197            rc1*  
  -rwxr--r-- 1 root         sys      1374 Jan 1 1994           rc2*  
  -rwxr--r-- 1 root         sys        713 Jan 1 1994          rc3*  
  -rwxr--r-- 3 root         sys      2265 Jan 1 1994           rc5*  
  -rwxr--r-- 3 root         sys      2265 Jan 1 1994           rc6*  
  -r-xr-xr-x 2 bin          root   192016 Sep 5 18:02          sh*  

· How to Find Files With setuid Permissions Set

  1. Type the following command:

find / -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename

This find command lists all setuid programs (those with a permission of 4000) owned by root. The results are saved in a file in /tmp. All mounted paths are checked by this command starting at the root directory (/). Any surprises in the output should be investigated. Search time depends on the number of entries in the directory to be searched. This program can be run for /sys, /bin, and /mail, as well as /.
  2. Type cat /tmp/filename to see the results of the find command.

Example of Finding Files With setuid Permissions Set

In this example, an unauthorized user (rar) has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. This means that rar can execute /usr/rar/bin/sh and become the privileged user.

  # find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/ckprm
  # cat /tmp/ckprm  
  -r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at  
  -r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab  
  ---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct  
  -r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir  
  -r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin  
  -r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched  
  ---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh  
  -r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df  
  -rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp  
  -r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd  
  -r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su  
  #  

If you want to save this output for future reference, move the file out of the /tmp directory.
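
The review of the saved listing described above, as an added example that is not part of the original manual: this sh/awk script reads a listing in ls -ldb format and prints the setuid entries whose group is not bin or sys, or whose path lies outside a set of expected system directories. The function names, the directory allowlist, and the baseline comparison are assumptions of this example; the sample input is the /tmp/ckprm listing shown above.

```shell
#!/bin/sh
# Added example: triage a saved setuid listing (ls -ldb format).

# Sample input: the /tmp/ckprm listing from the example above.
sample_listing() {
cat <<'EOF'
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
EOF
}

# Print the path of each setuid entry that deserves a closer look:
# group other than bin or sys, or a path outside the expected system
# directories (the directory list is an assumption; adjust per site).
flag_suspicious() {
    awk '
    substr($1, 4, 1) !~ /[sS]/ { next }   # owner-execute slot not s/S
    {
        path = $9                          # rejoin names containing spaces
        for (i = 10; i <= NF; i++) path = path " " $i
        group_ok = ($4 == "bin" || $4 == "sys")
        dir_ok = (path ~ /^\/usr\/(bin|lib|sbin)\// || path ~ /^\/sbin\//)
        if (!group_ok || !dir_ok) print path
    }'
}

# Print lines of the current listing ($2) that are absent from a saved
# baseline ($1). Whole lines are compared, so a changed size or date on
# a known program is reported as well as a brand-new file.
new_since_baseline() {
    grep -F -x -v -f "$1" "$2" || true    # grep exits 1 when nothing is new
}

sample_listing | flag_suspicious
```

Run against the sample listing, the script prints only /usr/rar/bin/sh, the entry discussed in the example.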

· How to Create a Group for Users

  1. As root, type groupadd -g gid groupname and press Return. This creates a new group called groupname.

  2. Type vi /etc/group and press Return.

  3. Add the users to the group you have just created.

Example of Creating a Group for Users

In the following example, users charlie, msmith and jjones are added to the projects group as their secondary group membership.

  # groupadd -g 200 projects  
  # vi /etc/group  
  root::0:root  
  other::1:  
  bin::2:root,bin,daemon  
  sys::3:root,bin,sys,adm  
  adm::4:root,adm,daemon  
  uucp::5:root,uucp  
  mail::6:root  
  tty::7:root,tty,adm  
  lp::8:root,lp,adm  
  nuucp::9:root,nuucp  
  staff::10:  
  daemon::12:root,daemon  
  sysadmin::14:  
  nobody::60001:  
  noaccess::60002:  
  users::100:  
  projects::200:charlie,msmith,jjones  

· How to Change the Owner of a File or Directory

* As root, type chown newowner filename and press Return. Only the current owner or root can change the owner of a file or directory.

  example% chown msmith myfile  
  example% ls -l myfile  
  -rwxr-xr-x msmith 12985 Nov 12 16:28 myfile  

· How to Change the Group of a File

* Type chgrp group filename and press Return. Use the -g option to the ls command to list the group.

  example% chgrp languages myfile  
  example% ls -lg myfile  
  -rwxrw-rw- 1 msmith languages 12985 Nov 12 16:28 myfile  

· How to Set Permissions in Absolute Mode

When using chmod in absolute mode, the octal value assigned to the permission bits sets permissions for the owner, group, and others.

* Type chmod nnn filename and press Return. The value of n has the following meanings:
Octal Value  File Permissions
0            ---
1            --x
2            -w-
3            -wx
4            r--
5            r-x
6            rw-
7            rwx

Examples

To set rwxr-xr-x permissions:

  example% chmod 755 myfile  

To set rwsr-xr-x permissions:

  example% chmod 4755 myfile  

To set the sticky bit on a directory:

  example% chmod 1777 pubdir  

· How to Change Permissions in Symbolic Mode

When using chmod in symbolic mode, the symbols add, remove, or assign permissions to the owner, group, or all others.

* Type chmod who operator permissions filename. Table 3-4 lists the symbols that designate whose permissions are being set (who), the action being taken (operator), and the permissions being assigned (permissions).

Examples

To take away read permission from others:

  example% chmod o-r filename  

To add read and execute permissions for user, group, and others:

  example% chmod a+rx filename  

To assign read, write, and execute permissions to group:

  example% chmod g=rwx filename