
Chapter 6 File System Security

Filename Specifications
- Maximum of 14 characters on traditional System V file systems; maximum of 255 characters where long filenames are supported (every modern UNIX file system)
- Portable names use alphabetic and numeric characters, dot, dash and underscore (the POSIX portable filename character set)
- Caveat: the kernel itself forbids only the slash and the NUL byte. Names containing spaces, newlines, leading dashes or shell metacharacters are legal and are a classic source of script bugs, so quote every filename you expand in a shell script.

Security Policies
The UNIX system uses a 3-tier structure to define who has access to each file and directory:
- User (the owner)
- Group
- Others
The ls -l command displays the owner and the group of each file, together with the permissions granted to each tier.
Default for Files

Read/Write for User and read only for Group and Other (mode 644)
Default for directories
Read/Write/Execute for User and Read/Execute for Group and Other (mode 755)
These are the defaults produced by the common umask of 022; a stricter umask (027 or 077) gives tighter defaults (see umask below).

File Types
The first character of each ls -l line gives the file type:
  -   regular file
  d   directory
  l   symbolically linked file
  n   network special file
  c   character device file
  b   block device file (disks)
(Other types you will meet: p for a named pipe (FIFO) and s for a socket.)

File System Permissions

  -rw-r--r--    (regular file: user rw-, group r--, other r--)
  drwxr-xr-x    (directory: user rwx, group r-x, other r-x)

user - owner / creator of the file or directory
group - permissions used by members of the group that owns the file or directory
other - all users other than the file owner and the members of the group that owns the file or directory.

Permissions

User & Group ID

$ ls -n    like ls -l, but displays the numeric UID and GID instead of names
$ id       displays your real and effective User ID (UID/EUID) and Group ID (GID/EGID) and your group memberships, both numeric and by name (id -u and id -g print just the numbers)
$ groups   displays all of the groups you are a member of

Changing Permissions
Syntax: $ chmod mode filename

We use the chmod command to change the access mode of a file. The symbolic mode is made up of three parts:
- Who - the category you are working with: u = user, g = group, o = others, a = all
- Op - the operator: set (=), remove (-), give (+)
- Permission(s) assigned: Read (r), Write (w) or Execute (x)
Several clauses can be combined with commas, e.g. u+x,go-w. Note that = replaces the category's permissions outright, while + and - adjust them.

Changing Permissions - Symbolic

Permissions - Octal Mode
octal - eight possible numbers per group; each bit is either on (1) or off (0). Each class (user, group, other) gets one octal digit: r = 4, w = 2, x = 1, summed.

  octal   r w x   meaning
    7     1 1 1   rwx
    6     1 1 0   rw-
    5     1 0 1   r-x
    4     1 0 0   r--
    3     0 1 1   -wx
    2     0 1 0   -w-
    1     0 0 1   --x
    0     0 0 0   ---

Changing Permissions - Octal
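The two forms of chmod described under the symbolic and octal headings above, as an added example that is not part of the original slides: each call changes the mode of a scratch file and reads the resulting permission string back from ls -l, so the effect of =, + and - and of the octal digits can be checked rather than guessed. The helper names (perm_string, mode_after_chmod, workdir) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original slides): apply chmod in symbolic and
# octal form to a scratch file and read the resulting mode string back with
# ls -l. Helper names and the scratch directory are this example's assumptions.
set -eu

# perm_string FILE: print the 10-character type+permission field of ls -l.
# cut -c1-10 drops the trailing '+' / '.' / '@' some systems add for ACLs.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# mode_after_chmod MODE FILE: chmod FILE with MODE (symbolic or octal) and
# print the resulting permission string.
mode_after_chmod() {
    chmod "$1" "$2"
    perm_string "$2"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

f="$workdir/secret.txt"
: > "$f"                            # create an empty file
chmod 644 "$f"                      # known starting point: -rw-r--r--

# Symbolic: who (u/g/o/a) + operator (+/-/=) + permission (r/w/x).
mode_after_chmod 'g-r,o-r' "$f"     # -> -rw-------   (two clauses, comma separated)
mode_after_chmod 'u+x' "$f"         # -> -rwx------   (owner may now execute)
mode_after_chmod 'a=r' "$f"         # -> -r--r--r--   ('=' replaces, it does not add)

# Octal: one digit per class, r=4 w=2 x=1 summed.
mode_after_chmod 600 "$f"           # -> -rw-------
mode_after_chmod 755 "$f"           # -> -rwxr-xr-x
```

The symbolic form is the safer choice in scripts that only need to strip a bit (for example chmod o-rwx) because it leaves the other classes untouched; an octal mode overwrites all nine bits and silently reverts any hardening applied earlier.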

umask
The umask (UNIX shorthand for "user file-creation mode mask") is a four-digit octal number that UNIX uses to determine the file permission for newly created files The umask specifies the permissions you do not want given by default to newly created files and directories. umask works by doing a bitwise AND with the bitwise complement of the umask. Bits that are set in the umask correspond to permissions that are not automatically assigned to newly created files. By default, most UNIX variants specify an octal mode of 666 (any user can read or write the file) when they create new files. Likewise, new programs are created with a mode of 777 (any user can read, write, or execute the program) Octal umasks are calculated via the bitwise AND of the unary complement of the argument (using bitwise NOT) and the permissions specified by the program: typically 666 in the case of files, and 777 in the case of directories.

Octal umask example


Assuming the umask has the value 174, any new file will be created with the permissions 602 and any new directory will have permissions 603, because:

  666 AND NOT(174) = 602
  777 AND NOT(174) = 603

Computation, for the directory case:

  777 (octal) = 111 111 111 (binary)
  174 (octal) = 001 111 100 (binary)
  NOT(001 111 100) = 110 000 011
  111 111 111 AND 110 000 011 = 110 000 011 = 603 (octal)

and for the file case:

  666 (octal) = 110 110 110 (binary)
  110 110 110 AND 110 000 011 = 110 000 010 = 602 (octal)

(174 is a deliberately odd teaching value: it leaves "other" with write permission while denying write to the group.)
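The same computation carried out by the shell, as an added example that is not part of the original slides: mode_after_umask performs the AND NOT arithmetic for any base mode and umask, and created_mode_string checks the answer against the kernel by creating a real file or directory under that umask and reading its mode back with ls -l. It goes beyond the slide's single case to show the common default (022) and a hardened umask (077) as well. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original slides): compute the mode a new file or
# directory receives under a given umask, then confirm it by creating real
# entries under that umask. Function names are this example's assumptions.
set -eu

# mode_after_umask BASE UMASK: print BASE AND NOT(UMASK) in octal.
# BASE is what the creating program requests: 666 for files, 777 for
# directories and for executables written by a linker.
mode_after_umask() {
    base=$((0$1)); mask=$((0$2))              # leading 0 = octal constant
    printf '%03o\n' $(( base & ~mask & 0777 ))
}

# created_mode_string KIND UMASK: create a file (KIND=f) or a directory
# (KIND=d) under UMASK in a scratch area and print its ls -l mode field.
created_mode_string() {
    dir=$(mktemp -d)
    (
        umask "$2"                            # umask is per process; the subshell keeps it local
        if [ "$1" = d ]; then mkdir "$dir/new"; else : > "$dir/new"; fi
        ls -ld "$dir/new" | cut -c1-10
    )
    rm -rf "$dir"
}

# The slides' example: umask 174.
mode_after_umask 666 174      # 602
mode_after_umask 777 174      # 603
created_mode_string f 174     # -rw-----w-
created_mode_string d 174     # drw-----wx

# The common default and a hardened umask, for comparison.
mode_after_umask 666 022      # 644  (world-readable files)
mode_after_umask 777 022      # 755
mode_after_umask 666 077      # 600  (private files)
mode_after_umask 777 077      # 700
```

The subshell around umask matters: a umask set in a function or script would otherwise leak into the caller, which is exactly how a careless helper script ends up creating world-writable files for every command run after it.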

Other commands
touch - creates one or more files with zero bytes if they do not exist, or updates the date/time stamp if the file already exists
  -a       change only the access time
  -m       change only the modification time
  -t time  use time (in the form [[CC]YY]MMDDhhmm[.ss]) instead of the current time
  -c       if the file does not already exist, do not create it
Example: to create/update more than one file:
  $ touch f1.txt f2.txt f3.txt

The chgrp Command

Changes the group of a file; only the owner of the file (or the superuser) can change its group, and an ordinary owner can only assign a group they are themselves a member of.
Syntax: $ chgrp newgroup filename

su - switch user id
Starts a new shell under another user id and group id (root if no username is given); you must supply that user's password unless you are already root. The form su - username also loads the target user's login environment instead of keeping yours.
Syntax: $ su [username]

The newgrp command

Starts a new shell with your effective group id changed to group_name (you must be a member of that group, or know its group password if one is set); files you create in that shell belong to the new group.
Syntax: $ newgrp [group_name]

chown
Change file ownership
Syntax:

$ chown owner[:group] filename . . .

Example (copying a file into another user's directory and handing it over):

$ id
$ cp f1 /tmp/user2/f1
$ ls -l /tmp/user2/f1
$ chown user2 /tmp/user2/f1
$ ls -l f1 /tmp/user2/f1

Caveat: on most modern systems (Linux, and any UNIX built with _POSIX_CHOWN_RESTRICTED) only the superuser can give a file away, so the chown above must be run by root; an unprivileged owner gets "Operation not permitted". The restriction exists because giving files away would let a user evade disk quotas and hide who really created a file.
