
7. File Security

Linux security [1]

  • Linux has two default levels of data security:
    • Accessing the workstation requires a login ID and a password.
    • Within the workstation, files can be protected by permissions (read, write, and execute).
  • A special user called the superuser is allowed to do anything on the system.
  • The who command shows the users currently logged in; its options include:
    • -H shows headers for the printed information.
    • -q shows only a quick summary of the logged-in users.
    • Example: who -H -q
  • The su command allows a user to switch to another user.
    • - switches to the previous user.
    • Example: su - Ted
    • To go back to the previous user: exit
  • The id command shows the user ID and group ID of the current user.
    • Example: id
    • Result: uid=501(ahmad) gid=20(staff) groups=20(staff),12(everyone)
  • The whoami and who am i commands print the current user.
  • File permissions are shown as a set of 10 bits:
    • the first bit indicates whether the file is a directory (d) or not (-)
    • the next 3 bits indicate owner permissions: rwx
    • the next 3 bits indicate group permissions: rwx
    • the next 3 bits indicate other permissions: rwx
  • The chmod command is used to change the permissions of a file.
    • Example: chmod 777 file.txt. Result: -rwxrwxrwx
    • Using the symbolic mode notation:
      • Usage: chmod mode filename
      • Modes: u for user, g for group, o for other, a for all.
      • Operations: + to add, - to remove, = to set.
      • Permissions: r for read, w for write, x for execute.
      • Example: chmod u+x file.txt adds the execute permission for the owner.
      • Example: chmod g-r file.txt removes the read permission from the group.
      • Example: chmod a=rx file.txt sets the permissions of all users to read and execute.
    • Using the absolute mode:
      • Usage: chmod octal-values filename
      • Octal values: 1 for execute, 2 for write, 4 for read.
      • The sum of the octal values is the permission.
      • Example: 7 is 4 + 2 + 1 (rwx), 6 is 4 + 2 (rw-), and 5 is 4 + 1 (r-x).
      • You pass three digits, representing the permissions of the owner, group, and other respectively.
      • Example: chmod 777 file.txt. Result: -rwxrwxrwx sets all permissions to all users.
      • Example: chmod 644 file.txt. Result: -rw-r--r-- sets read and write permissions to the owner and read permissions to the group and others.
      • Example: chmod 600 file.txt. Result: -rw------- sets read and write permissions to the owner and no permissions to the group and others.
      • Default modes:
        • 755 for directories.
        • 644 for files.
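The following Python script is an added example, not code from the course material above: it implements the two chmod notations the notes describe (the 4/2/1 octal sums per owner/group/other triplet, and symbolic expressions such as u+x, g-r and a=rx), renders the 10-character ls -l string, and applies an absolute mode to a temporary file to confirm that the kernel reports exactly the mode requested. Function names are my own.

```python
import os
import stat
import tempfile

# One rwx triplet uses the page's octal values: read 4, write 2, execute 1.
READ, WRITE, EXEC = 4, 2, 1
PERM_BITS = {"r": READ, "w": WRITE, "x": EXEC}
# A "who" letter selects triplets: index 0 = owner, 1 = group, 2 = other.
WHO = {"u": (0,), "g": (1,), "o": (2,), "a": (0, 1, 2)}

def parse_octal(mode_str):
    """'644' -> [6, 4, 4]; each digit is the sum of 4, 2 and 1 for one class."""
    if len(mode_str) != 3 or any(c not in "01234567" for c in mode_str):
        raise ValueError("expected three octal digits, e.g. 755")
    return [int(c) for c in mode_str]

def to_symbolic(triplets, is_dir=False):
    """[6, 4, 4] -> '-rw-r--r--', the 10-character string shown by ls -l."""
    out = "d" if is_dir else "-"
    for t in triplets:
        out += ("r" if t & READ else "-") + ("w" if t & WRITE else "-") + ("x" if t & EXEC else "-")
    return out

def apply_symbolic(triplets, expr):
    """Apply one symbolic expression such as 'u+x', 'g-r' or 'a=rx' to a triplet list."""
    who, op, perms = expr[:1], expr[1:2], expr[2:]
    if who not in WHO or op not in ("+", "-", "=") or any(p not in PERM_BITS for p in perms):
        raise ValueError("bad symbolic mode: " + expr)
    bits = sum(PERM_BITS[p] for p in perms)
    result = list(triplets)
    for i in WHO[who]:
        if op == "+":
            result[i] |= bits       # add the named permissions
        elif op == "-":
            result[i] &= ~bits      # remove them
        else:
            result[i] = bits        # set exactly these, dropping the rest
    return result

def chmod_and_read_back(octal_str):
    """Apply an absolute mode to a temporary file and return the mode the kernel reports."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, int(octal_str, 8))
        return "{:03o}".format(stat.S_IMODE(os.stat(path).st_mode))
    finally:
        os.unlink(path)
```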

Managing Users, Groups, and Permissions [2]

Passwd and Shadow Files

  • The /etc/passwd file contains one user per line, following the schema username:password:uid:gid:gecos:homedir:shell.
  • The /etc/shadow file contains the users’ passwords, while the password fields in /etc/passwd are omitted or replaced with x.
  • The pwunconv and pwconv commands convert the password files from one format to the other: pwunconv converts the /etc/passwd file to the /etc/shadow file and pwconv converts the /etc/shadow file to the /etc/passwd file.
  • The uid of root is 0 and its home directory is /root or /.
  • Password aging: an expiry date is set for the password, and the user is forced to change it after a certain time or be locked out.
  • The passwd command manages the current user’s password. It has the following options:
    • -n sets the minimum number of days before the user can change the password.
    • -x sets the maximum number of days before the user must change the password.
    • -w sets the number of days before expiry at which the user is warned that the password will expire.
    • -i sets the number of days after the password has expired before the account is locked.
    • There is also a GUI tool, found under Advanced Settings in the System Settings menu.

Pluggable Authentication Methods (PAM)

  • A framework that allows the system to authenticate users using different methods (that is, the authentication method can be changed).

The Group File

  • The ls -l command shows the permissions, owner, group, size, and date of a file.
  • Every user is assigned to at least one group.
  • The /etc/group file contains one group per line, following the schema groupname:password:gid:members, where members is a comma-separated list of user uids.
  • The newgrp command is used to change the current group.

CRUD on user accounts

  • The adduser command is used to create new users:
    • Usage: sudo adduser username, which starts an interactive session to create the user.
    • The command creates the new user, copying the default settings from the /etc/skel directory.
    • The default group id for the created user is 100.
  • Deleting a user involves:
    • Deleting the user from the /etc/passwd, /etc/shadow, and /etc/group files.
    • Deleting the user’s home directory.
    • Deleting any files owned by the user.
  • The userdel -r username command deletes the user and their home directory; -r forces the deletion of the home directory.
  • The find / -user username -ls command finds and lists all files owned by username. After deleting the user, this command should return nothing.
  • To disable a user from logging in, start their password with * in the /etc/passwd and /etc/shadow files.
  • Commands used to modify accounts:
    • usermod modifies the user’s information.
    • groupmod modifies the group’s information.
    • passwd changes the user’s password.
    • chown changes the owner of a file.
  • Ultimately, all these commands edit the /etc/passwd, /etc/shadow, and /etc/group files, which could also be done manually, along with the home directory and the files owned by the user.
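As an added example (my own code, not from the course material), the script below parses constructed /etc/passwd and /etc/shadow lines and flags what an administrator reviewing the Passwd and Shadow Files section and the account-disabling item above would look for: extra uid 0 accounts, empty or unshadowed password fields, logins disabled with a leading * or !, and passwords older than their maximum age. The /etc/shadow field layout is taken from shadow(5), which the notes do not list; the sample users and hashes are placeholders.

```python
PASSWD_FIELDS = ["username", "password", "uid", "gid", "gecos", "homedir", "shell"]
# shadow(5) layout (added here; the notes give only the passwd schema).
SHADOW_FIELDS = ["username", "password", "lastchange", "min", "max", "warn", "inactive", "expire", "flag"]
# Constructed sample lines, not copied from any real system; hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ted:x:1001:100:Ted:/home/ted:/bin/bash
backup:x:0:0:backup job:/var/backups:/bin/sh
guest::1002:100:Guest:/home/guest:/bin/bash
old:x:1003:100:Former user:/home/old:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:19000:0:99999:7:::
ted:$6$PLACEHOLDERHASH:19000:0:90:7:::
backup:$6$PLACEHOLDERHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
old:*:19000:0:99999:7:::
"""

def parse_file(text, fields):
    """Split colon-separated lines into dicts keyed by field name, indexed by username."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(":")
        parts += [""] * (len(fields) - len(parts))   # tolerate short lines
        row = dict(zip(fields, parts))
        rows[row["username"]] = row
    return rows

def audit(passwd_text, shadow_text, today_days):
    """Return (username, finding) pairs; today_days is days since 1970-01-01, as shadow counts."""
    passwd = parse_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_file(shadow_text, SHADOW_FIELDS)
    findings = []
    for name, p in passwd.items():
        if p["uid"] == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if p["password"] == "":
            findings.append((name, "empty password field in /etc/passwd"))
        elif p["password"] != "x":
            findings.append((name, "password hash kept in /etc/passwd instead of /etc/shadow"))
        s = shadow.get(name)
        if s and s["password"].startswith(("*", "!")):
            findings.append((name, "login disabled"))
        elif s and s["max"] not in ("", "99999") and s["lastchange"]:
            overdue = today_days - int(s["lastchange"]) - int(s["max"])   # days past the -x limit
            if overdue > 0:
                findings.append((name, "password expired %d days ago" % overdue))
    return findings
```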

SELinux [3]

  • Security-Enhanced Linux (SELinux) provides an additional layer of security functions on top of the standard Linux kernel security mechanisms.
  • The standard access policy, based on user, group, and other permissions, is known as Discretionary Access Control (DAC).
  • SELinux implements Mandatory Access Control (MAC):
    • Every process and system resource has a special security label called an SELinux context or label.
    • MAC rules are checked after DAC; if DAC denies access, SELinux won’t even check that file.
    • Contexts have several fields: user, role, type, and security level.
  • Benefits of SELinux:
    • All processes and files are labeled.
    • Fine-grained access control.
    • SELinux policy is administratively defined and enforced system-wide.
    • Improved mitigation for privilege escalation attacks.
    • SELinux can be used to enforce data confidentiality and integrity, as well as to protect processes from untrusted inputs.

Commands

Command                       Description
find / -user username -ls     Finds and lists all files owned by username

References


  1. Omni Linux. Linux Training CBTs, Chapter 6: File Security. Retrieved from: https://www.dropbox.com/sh/nckif4n8gsfbkgp/DN0J8p4hpr

  2. Matthias Kalle Dalheimer & Matt Welsh. (2005). Running Linux, Fifth Edition, Chapter 11: Managing Users, Groups, and Permissions. O’Reilly. https://my.uopeople.edu/pluginfile.php/1655738/mod_book/chapter/395976/CS3307%20running_linux_5th_edition%20%281%29.pdf

  3. Red Hat. (n.d.). SELinux User’s and Administrator’s Guide. Red Hat. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/part_i-selinux