Chapter 8: Security under Linux

Transcription

1 Chapter 8: Security under Linux 8.1 File and Password security Linux security may be divided into two major parts: a) Password security b) File security Password security To connect to a Linux system you need a valid username and a password. When a new user is created, the information corresponding to the new user is stored in a file called passwd located in the /etc directory. This file contains all the information the system needs to know about each user, including the password. The /etc/passwd file is viewable by all Linux users, thus the passwords in the /etc/passwd file must be stored in an encrypted format. A sample of the /etc/passwd file is shown here: [om@t4t om]$ cat /etc/passwd root:xydfcctrt180x:0:0:root:/root:/bin/bash bin:*:1:1:bin:/bin: console:*:1:1:admin:/:/bin/sh daemon:*:2:2:daemon:/sbin adm:*:3:4:adm:/var/adm: lp:*:4:7:lp:/var/spool/lpd: mail:*:8:12:mail:/var/spool/mail: news:*:9:13:news:/var/spool/news ftp:*:14:50:ftp User:/home/ftp: nobody:*:99:99:nobody:/: om:xmottvoyumjls:501:501:oswaldo Moreno,308, :/home/om:/bin/bash teresa:youamklx4fg3:502:502:teresa Alati, :/home/teresa:/bin/bash carlos:o4yomyutjls:503:503:carlos Moreno,loc. 209:/home/carlos:/bin/sh Each line in the /etc/passwd file represents one user (real or virtual). The information is stored in fields, each one separated by a colon. The fields for each user are: a) username b) encrypted password c) User ID number d) Group ID number e) personal information f) home directory g) default shell If you want to change your password, use the passwd command: 82

2 om]$ passwd Changing password for om (current) UNIX password: cutgtej New UNIX password: jjhugtf Retype new UNIX password: jjhugtf As you type the passwords, they are not shown at all on the screen. This is done to prevent others from seeing the password you are typing. Newer versions of Linux use a new method for storing the passwords, called shadow passwords. With shadow passwords, the encrypted password normally located in /etc/passwd is moved into the file /etc/shadow which is not readable by ordinary users. This increases significantly the level of security in Linux File security File security defines who can access a file, and what can they do with the file once they have accessed it. The UNIX system allows you to change the permissions of a file to suit your needs. These permissions determine who can read a file, who can write to it, and who can execute it, if it happens to be a program File attributes The -l option of the ls command (long format) provides information related to the security of files. If you want to know security details about a file, list it in long format as shown below: [om@t4t om]$ ls -l number1 -rwxrwxrwx 1 om staff 70 Mar 18 21:13 number1 Lets carefully evaluate all the information displayed: A dash (-) as the first character indicates that this is a regular file and not a directory. The next group of 9 characters (3 groups of 3 characters) represent the mode or permissions of the file. The first 3 characters indicate the permissions that apply to the owner of the file. The next 3 characters represent the permissions of the group associated with the file, and the last 3 characters represent the permissions to others. The characters are rwx, where r stands for read, w stands for write and x for execute. When a permission is denied (e.g. no read), a - shows up in the place of the appropriate letter. After the permissions, a number shows, indicating how many hard links the file has (typically one). Then, there are two words (om and staff) listed before the size file. These words tell the name of the owner (om) and group (staff) associated with the file. Every file has an owner and group associated with it. The owner of the file is a 83

3 user, usually the one who created the file; the group is a label that represents a group of several users who have been logically grouped together and given a name. For example, to view the permissions applied to the file countries, list it using the long format, as shown below: [om@t4t om]$ ls -l countries -rw-r om teachers 35 Mar 24 13:27 countries From this listing you can conclude that the owner, om, can read and write the file, members of the group teachers can read the file, but cannot modify it, and other users cannot read nor modify the file Changing file permisions To alter the mode (permissions) of a file, you must use the chmod command. There are two methods to setting the file permissions: numeric and symbolic. The numeric method of setting permissions is based on the use of octal numbers. Read permission is given the value 4, write permission the value 2 and execute permission 1. r w x These values are added together for any one user category: 1 = execute only 2 = write only 3 = write and execute (1+2) 4 = read only 5 = read and execute (4+1) 6 = read and write (4+2) 7 = read and write and execute (4+2+1) So file permissions can be expressed as three digits. For example: user group others chmod 640 file1 rw- r chmod 754 file1 rwx r-x r-- chmod 664 file1 rw- rw- r-- chmod 600 file1 rw The symbolic mode is based on the following format: who operation permission where who is a combination of the letters u for the owner's permissions, g for the group's, and o for other's permissions. a can be used to specify all of these. 84

4 u (user) g (group) o (other) a (all) the owner of the file the group to which the file belongs everyone else ugo (the world - this is frequently, but not always, the default) The operation can be a + to add permission to the mode, a - to remove permission from the mode, or an = to assign permission to the mode. + add the specified permission - subtract the specified permission = assign the specified permission, ignoring whatever may have been set before The permission is a combination of the letters r, w, x, meaning read, write, and execute, respectively. The following examples show the use of the symbolic method: To assign (set) the read+write permissions to everybody on the file number1: [om@t4t om]$ chmod a=rw number1 To add the execute permission to everybody on the file number2: [om@t4t om]$ chmod a+x number2 To add the read and write permission to the owner and the group on the file number2: [om@t4t om]$ chmod ug+rw number2 To remove the write permission to others on the file number3: [om@t4t om]$ chmod o-w number3 To remove write/execute and to add read permission to everybody on the files with a name starting with an uppercase letter: or [om@t4t om]$ chmod a-wx,a+r [A-Z]* [om@t4t om]$ chmod a=r [A-Z]* Changing the group a file is associated to The owner of a file can change the group a file is associated to, with the chgrp command: chgrp group file... 85

5 A group may be specified by either its name or its group ID (a decimal number). The names and corresponding IDs of each group may be found in the file /etc/group. Each line represents one group, with the information stored in fields, separated by a colon. The fields for each group are: a) groupname b) encrypted password (barely used any more) c) group ID number d) members of the group (optional) The /etc/group file is similar to this shown below: [om@t4t om]$ cat /etc/group staff:xydfcctrt180x:500: web:x:502:kathy,carlos,lyne,sylvie om:x:503: To change the group membership of the file students.address from its current group membership (gurus) to JAC, use the chgrp command as shown below (the ls -l commands are used to show the group before and after running chgrp): [om@t4t om]$ ls -l students.address -rw-r om gurus 3006 Oct 10 21:13 students.address [om@t4t om]$ chgrp JAC students.address [om@t4t om]$ ls -l students.address -rw-r om JAC 3006 Oct 10 21:13 students.address Getting the user IDs The id command gives you the UIDs and GIDs associated with an account. Its syntax is: id [username] For example, to find out details about the UID, GID, and additional groups of your current session: [om@t4t om]$ id uid=501(oswaldo) gid=501(staff) groups=501(staff),508(teachers) Finding the groups you belong to To determine what groups a particular user belong to, use the command groups. A list of group names is produced as output. 86

6 Examples: To see what groups you belong to: om]$ groups oswaldo staff teachers To see what groups the root user belongs to: om]$ groups root root : root bin daemon sys adm disk wheel Changing the owner of a file The chown command allows you to change the owner of a file to another user. The syntax is: chown owner file... The owner may be either a decimal user ID or a login name found in the file /etc/passwd. As you change the owner of a file to another user, you are no longer the owner and are not able to get it back. This command is not available to regular users in a normal Linux installation, and only the root user (system administrator) can use it. Example: to see who is the owner of the files in the exercises directory: First lets find out who is the owner of all the files in the exercises directory: [root@t4t om]# ls -l exercises/* -rw-r om gurus 3006 Oct 10 21:13 friends.address -rw-r om gurus 3006 Oct 10 21:13 clients.address Now, to change the owner of all the files in the exercises directory to the user steve: [root@t4t om]# chown steve exercises/* To verify who is the new owner of all the files in the exercises directory: [root@t4t om]# ls -l exercises/* -rw-r steve gurus 3006 Oct 10 21:13 friends.address -rw-r steve gurus 3006 Oct 10 21:13 clients.address 87

7 Directory permissions Directories also have permissions that work in ways similar, but not exactly the same, to ordinary files. The directory permissions and their capabilities are listed below: read (r) write (w) allows to use wildcards pointing to the directory; if directory is readable it will allow to list files in the directory (such as ls a*) or to use any other command (such as cat *) allows to add or remove files from the directory. execute (x) allows to cd into the directory or any of its branches (that is, to use the directory as part of a path) Note that to use any file, you must have the proper access permissions for the file and all the directories in the path of that file. If you don't have read permission to a directory, commands such as echo * or cat * will not work. You can still access files in such directory if the execute permission of the directory is set, but you must use its full name instead of wildcards; file name expansion will not work. If you don't have write permission in a directory, you can't create files in that directory, nor can you move or remove them. The opposite is also applicable: If you have write permission in a directory, you can remove a file, no matter what the file's permissions are or who the owner is. Thus, notice that it is extremely dangerous to grant write permission to others on your personal directories. If you don't have execute permission in all directories along the path to a file, you cannot use the file, no matter what the file's permissions are. We can think of the execute permission of a directory as the gate permission; no execute permission is like closing the gate that gives you access to the directory and its subdirectories. Reminder: to change the permissions of a directory, use the chmod command. 88

8 Chapter 8 Review Questions: 1) What are some of the permissions for a UNIX system? read edit write execute 2) What file contains the user information for the UNIX system?: a) /home/users b) /etc/system c) /bin/passwd d) /etc/users e) /home/passwd f) none of the above 3) What information fields are included in the /etc/passwd file? shell user name user id creation date user rights (administrator, normal, power) 4) How can you change the permissions for all the files in a directory in order to grant read to others? chmod read others chmod o+r * chmod??4 * chmod o=r * 5) You are associated to several groups. What command allows you to switch one of your files from one group to another? a) chmod b) chgrp c) chgroup d) swapgrp e) newgrp f) none of the above 89