UNIX Chapter 08 File Security Mr. Mohammad Smirat.

Date posted: 22-Dec-2015

UNIX Chapter 08

File Security

Mr. Mohammad Smirat

Introduction

When you share a machine with other users in a time-sharing system, you must decide how much of your data you want the others to be able to share.

The UNIX operating system offers several schemes and mechanisms you can use to give users the kind of protection they want.

Types of Protections

Login password scheme. Every user on UNIX has a login id and a password associated with it. The effectiveness of this protection scheme depends on how well protected a user’s password is from computer hackers.

Types of Protections (cont…)

Encryption protection. In this scheme a software tool is used to convert a file (scramble it) into a form that is completely different from its original version. The new file is called an encrypted file and the process is called encryption. The same tool is used to perform the reverse process, which is called decryption. You can tell your editor to decrypt a file when it loads it and encrypt it again when you write the file out to disk; you will be asked to enter a key or password for the editor to decrypt the file.

Types of Protections (cont…)

Protection based on access permissions. This type is provided by a mechanism that prevents users from accessing each other’s files when they are not logged in as the file’s owner. As a file owner, you can attach certain access rights to your files that dictate who can and cannot access them for the various types of file operation (read, write, execute).

Types of Users

User (owner): the user who created the file.

Group: the users who belong to the same group as the owner of the file.

Others: any other users on the system.

Super user (root): the administrator of the computer system, who has access privileges to all files. The login name of the super user is root and its user id is 0.

Access Types

The types of access permission are read, write and execute.

Access Types (cont…)

Determining and changing file access privileges

ls -l [file-list]
ls -ld [directory-list]

The above commands display a long listing of the given files/directories on the console, which includes the file access privileges and other information.

$ ls -l
-rwxr-x--- 1 ymk faculty 512 mar 23 07:23 course

course has the following permissions: user read, write and execute; group read and execute; others denied.

Changing file access privileges

chmod [options] octal-mode file-list
chmod [options] symbolic-mode file-list

Options:
-R  recursively descend through directories, changing/setting permissions for all the files and subdirectories under each directory.
-f  force the specified access permissions; no error messages are produced if you are the file’s owner.

Changing file access privileges (cont…)

Examples of CHMOD

$ chmod 700 course
Sets the access privileges of the file course to read, write and execute for the owner, and denies group and others.

$ chmod 740 course
Gives the owner all privileges and the group read and execute.

$ chmod 700 ~
Sets the access privileges of the home directory to read, write and execute for the owner.

$ chmod a+x course
Lets everyone execute the file: adds execute permission for all users.

Examples of CHMOD (cont…)

$ chmod ugo-rw course
Denies everyone read and write access to the file course.

$ chmod go= course
Removes all access privileges for the group and others.

$ chmod g=u course
Makes the group’s privileges match the user’s (owner’s) privileges.

Examples of CHMOD (cont…)

$ chmod 700 [a-t]*
Sets permission 700 on all files whose names start with the letters a through t.

$ chmod -R 711 course
Sets the access permissions of all files and directories under the directory called course to 711.

$ chmod -R 700 ~/personal/letter
Sets the access permissions of all files and directories under ~/personal/letter to 700.
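To see exactly what the symbolic chmod forms above (a+x, ugo-rw, go=, g=u, and later u+s and +t) do to a mode, here is an added example that applies chmod's symbolic grammar to an octal mode in Python. It is not from the slides; it follows chmod's rules for the cases shown, with '=' replacing only the class's rwx bits (GNU chmod has extra rules for directories).

```python
"""Apply chmod-style symbolic modes (a+x, ugo-rw, go=, g=u, u+s, +t) to an
octal mode. Added example, not from the slides; it follows chmod's mode
grammar for the cases shown, and '=' replaces only the class's rwx bits."""
import re
import stat

SHIFT = {"u": 6, "g": 3, "o": 0}                # where each class's rwx triplet sits
RWX = {"r": 4, "w": 2, "x": 1}
SETID = {"u": stat.S_ISUID, "g": stat.S_ISGID}  # 's' means SUID for u, SGID for g
CLAUSE = re.compile(r"([ugoa]*)([+=-])([rwxst]*|[ugo])")


def apply_symbolic(mode: int, spec: str) -> int:
    """Return the mode that `chmod <spec>` would leave on a file currently at `mode`."""
    for clause in spec.split(","):
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"bad symbolic mode: {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if not who or "a" in who else who   # no class given means 'a'
        if perms in SHIFT:                        # g=u style: copy another class's rwx
            rwx = (mode >> SHIFT[perms]) & 7
        else:
            rwx = sum(RWX[p] for p in perms if p in RWX)
        for c in classes:
            bits = rwx << SHIFT[c]
            if "s" in perms:
                bits |= SETID.get(c, 0)           # 'o+s' has no meaning and is ignored
            if "t" in perms:
                bits |= stat.S_ISVTX
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:                                 # '=' sets exactly these rwx bits
                mode = (mode & ~(7 << SHIFT[c])) | bits
    return mode


def walk_through(start: int = 0o750) -> dict:
    """Apply the slides' symbolic examples one at a time to rwxr-x--- (0o750)."""
    return {spec: apply_symbolic(start, spec)
            for spec in ("a+x", "ugo-rw", "go=", "g=u", "u+s", "+t")}


if __name__ == "__main__":
    for spec, result in walk_through().items():
        print(f"chmod {spec:8} -> {result:05o}  {stat.filemode(stat.S_IFREG | result)}")
```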

Default File Access Privileges

When a new file or directory is created, UNIX sets its access privileges based on the argument of the umask command.

$ umask 077
The privileges are set to (777-077) = 700.

The following command displays the current value of the bit mask:

$ umask
077
$

The umask command is normally placed in the system startup file, .profile or .login.
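Added example (not from the slides) showing how the umask is applied: the mask bits are cleared from the base mode with a bitwise AND-NOT, which gives the slides' 777-077 = 700 for a directory, and 600 for a regular file, whose base mode is 666. The second function creates a directory and a file under a chosen umask to confirm what the system actually does.

```python
"""umask arithmetic. Added example, not from the slides: the mask is
applied as a bitwise AND-NOT, which agrees with the slides' 777-077=700
but differs from plain subtraction for some umask values (try 027)."""
import os
import stat
import tempfile

DIR_BASE = 0o777    # mode requested by mkdir and most programs creating directories
FILE_BASE = 0o666   # mode requested by most programs creating regular files


def default_mode(umask: int, base: int = DIR_BASE) -> int:
    """Mode a new object gets: every bit set in the umask is cleared from base."""
    return base & ~umask & 0o777


def observed_default_modes(umask: int) -> tuple:
    """Create a directory and a file under a temporary umask; return (dir_mode, file_mode)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            d = os.path.join(tmp, "dir")
            f = os.path.join(tmp, "file")
            os.mkdir(d)                           # same as: mkdir dir
            with open(f, "w"):                    # same as: > file
                pass
            return (stat.S_IMODE(os.stat(d).st_mode),
                    stat.S_IMODE(os.stat(f).st_mode))
    finally:
        os.umask(old)                             # restore the caller's umask


if __name__ == "__main__":
    for mask in (0o077, 0o022, 0o027):
        print(f"umask {mask:03o}: directory {default_mode(mask):03o}, "
              f"file {default_mode(mask, FILE_BASE):03o}")
    d, f = observed_default_modes(0o077)
    print(f"observed with umask 077: directory {d:03o}, file {f:03o}")
```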

The Set User ID (SUID) bit

When a command executes, it does so under the access privileges of the user who issued the command.

However, a number of UNIX commands need to write to files that are protected from the users who normally run these commands. An example of such a file is /etc/passwd: only the super user is allowed to write to this file (to add a new user or change a group id).

In UNIX, users can change their own passwords, even though they do not have access to write to the /etc/passwd file.

The Set User ID (SUID) bit (cont…)

When a command runs, it executes with the effective user ID of the user running the command. UNIX has a mechanism that allows commands to change their effective user ID and become privileged in some way.

Every UNIX file has an additional protection bit, called the SUID bit. If this bit is set on a file containing the executable program for a command, the command takes on the privileges of the owner of the file when it executes. If the file is owned by root and has its SUID bit set, it runs with super user privileges.

The Set User ID (SUID) bit (cont…)

$ chmod 4xxx file
$ chmod u+s file

xxx is the octal number that specifies the read, write and execute permissions. The octal digit 4 (binary 100) sets the SUID bit. In the ls -l listing, if the owner’s execute bit (x) is set, the SUID bit is shown in its place as a lowercase s; otherwise it is shown as an uppercase S.

The Set User ID (SUID) bit (cont…)

$ ls -l cpfile
-rwxr-x--- …
$ chmod 4750 cpfile
$ ls -l cpfile
-rwsr-x--- …
$ chmod u-s cpfile
$ chmod u-x cpfile
$ ls -l cpfile
-rw-r-x--- …
$ chmod u+s cpfile
$ ls -l cpfile
-rwSr-x--- …

The Set Group ID (SGID) Bit

The SGID bit works in the same manner as the SUID bit, but it causes the access permissions of the process to take the group identity of the group to which the owner of the file belongs.

$ chmod 2xxx file
$ chmod g+s file

The Sticky Bit

The sticky bit can be set on a directory to ensure that an unprivileged user cannot remove or rename the files of other users in that directory.

You must be the owner of the directory, or have the appropriate permission, to set the sticky bit.

This bit was originally designed to be set on some frequently executed programs, such as compilers, editors and commands like ls and cat, so that they would stick around in main memory.

The Sticky Bit (cont…)

$ chmod 1xxx file
$ chmod +t file

$ chmod 1751 cpfile
$ ls -l
-rwxr-x--t …
$ chmod -t cpfile
$ ls -l
-rwxr-x--x …
$ chmod 4750 cpfile
$ chmod +t cpfile
$ ls -l
-rwsr-x--T …
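The ls -l listings on these slides and in the earlier "course" example fold the SUID, SGID and sticky bits into the execute columns as s/S and t/T. The added Python example below (not from the slides) reads such a mode string back into its octal value, spells it out the way the slides describe the course file, and checks itself against the standard library's stat.filemode(), which renders the other direction.

```python
"""Turn an ls -l mode string back into octal, including the s/S and t/T
letters that overlay SUID, SGID and sticky on the execute columns.
Added example, not from the slides; stat.filemode() renders the reverse."""
import stat

# SUID and SGID are shown in the user and group execute columns, sticky in others'.
SPECIAL = {0: stat.S_ISUID, 1: stat.S_ISGID, 2: stat.S_ISVTX}
SPECIAL_LETTERS = {0: "sS", 1: "sS", 2: "tT"}


def mode_string_to_int(text: str) -> int:
    """'-rwsr-x--T' -> 0o5750. Raises ValueError on anything ls would not print."""
    if len(text) != 10:
        raise ValueError(f"expected a 10-character mode string, got {text!r}")
    mode = 0
    for i, ch in enumerate(text[1:]):          # skip the file-type column
        cls, col = divmod(i, 3)                # cls: 0=user 1=group 2=others; col: r w x
        shift = 6 - 3 * cls
        if ch == "-":
            continue
        if col == 0 and ch == "r":
            mode |= 4 << shift
        elif col == 1 and ch == "w":
            mode |= 2 << shift
        elif col == 2 and ch == "x":
            mode |= 1 << shift
        elif col == 2 and ch in SPECIAL_LETTERS[cls]:
            mode |= SPECIAL[cls]
            if ch.islower():                   # lowercase: the execute bit underneath is set too
                mode |= 1 << shift
        else:
            raise ValueError(f"unexpected {ch!r} in column {i + 2} of {text!r}")
    return mode


def int_to_mode_string(mode: int) -> str:
    """The reverse direction for a regular file, via the standard library."""
    return stat.filemode(stat.S_IFREG | mode)


def describe(text: str) -> str:
    """Spell out a mode string the way the slides describe the file 'course'."""
    mode = mode_string_to_int(text)
    parts = []
    for name, shift in (("user", 6), ("group", 3), ("others", 0)):
        rwx = (mode >> shift) & 7
        words = [w for bit, w in ((4, "read"), (2, "write"), (1, "execute")) if rwx & bit]
        parts.append(f"{name} {', '.join(words) if words else 'denied'}")
    flags = [n for n, b in (("SUID", stat.S_ISUID), ("SGID", stat.S_ISGID),
                            ("sticky", stat.S_ISVTX)) if mode & b]
    return "; ".join(parts) + (f" ({', '.join(flags)} set)" if flags else "")
```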
