- 论坛徽章:
- 0
|
类UNIX系统基础:文件安全与权限
Controlling File Access
After you have established login restrictions, you need to control access to the data on the system. Some users only need to look at files; others need the ability to change or delete files. You might have data that you do not want anyone else to see. You control data access by assigning permission levels to a file or directory.
Three levels of access permission are assigned to a UNIX file to control access by the owner, the group, and all others. Display permissions with the ls -la command. The following example shows the use of the ls -la command to display permissions on files in the /users directory:
ls -la /users
The system responds with this:
drwxr-xr-x 2 bill staff 512 Sep 23 07:02 .
drwxr-xr-x 3 root other 512 Sep 23 07:02 ..
-rw-r—r— 1 bill staff 124 Sep 23 07:02 .cshrc
-rw-r—r— 1 bill staff 575 Sep 23 07:02 .login
The first column of information displays the type of file and its access permissions for the user, group, and others. The r, w, and x are described in Table 6-6. The third column displays the owner of the file—usually the user who created the file. The owner of a file (and superuser) can decide who has the right to read it, to write to it, or—if it is a command—to execute it. The fourth column displays the group to which this file belongs—normally the owner’s primary group.
---------------------------------------------------------------------------------
Table 6-6 File Access Permissions
Symbol Permission Means That Designated Users...
r Read Can open and read the contents of a file.
w Write Can write to the file (modify its contents), add to it, or Delete it.
x Execute Can execute the file (if it is a program or shell script).
- Denied Cannot read, write to, or execute the file.
---------------------------------------------------------------------------------
When listing the permissions on a directory, all columns of information are the same as for a file, with one exception. The r, w, and x found in the first column are treated slightly differently
---------------------------------------------------------------------------------
than for a file. They are described in Table 6-7.
Table 6-7 Directory Access Permissions Symbol Permission Means That Designated Users...
r Read Can list files in the directory.
w Write Can add or remove files or links in the directory.
x Execute Can open or execute files in the directory. Also can make the directory and the directories beneath it current.
- Denied Do not have read, write, or execute privileges.
---------------------------------------------------------------------------------
Use the commands listed in Table 6-8 to modify file access permissions and ownership, but remember that only the owner of the file or root can assign or modify these values.
---------------------------------------------------------------------------------
Table 6-8 File Access Commands
Command Description
chmod Changes access permissions on a file. You can use either ymbolic mode (letters and symbols) or absolute mode (octal umbers) to change permissions on a file. chown Changes the ownership of a file. chgrp Changes the group ownership of a file.
---------------------------------------------------------------------------------
Default umask
When a user creates a file or directory, the default file permissions ssigned to the file or directory are controlled by the user mask. The user mask should be set by the umask command in a user initialization file such as /etc/profile or .cshrc. You can display the current value of the user mask by typing umask and pressing Enter.
The user mask is set with a three-digit octal value such as 022. The first digit sets permissions for the user, the second sets ermissions for the group, and the third sets permissions for others. To set the umask to 022, type umask 022
By default, the system sets the permissions on a file to 666, ranting read and write permission to the user, group, and others. The system sets the default permissions on a directory or executable file to 777, or rwxrwxrwx. The value assigned by umask is subtracted from the default. To determine the umask value you want to set, subtract the value of the permissions you want from 666 (for a file) or 777 (for a directory). The remainder is the value to use with the umask command. For example, suppose you want to change the default mode for files to 644 (rw-r--r--). The difference between 666 and 644 is 022, which is the value you would use as an argument to the umask command.
Setting the umask value has the effect of granting or denying permissions in the same way chmod grants them. For example, the command chmod 022 grants write permission to group and others, and umask 022 denies write permission to group and others.
Sticky Bit
The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted by only the owner of the file, the owner of the directory,
or root. This prevents a user from deleting other users’ files from public directories.
A t or T in the access permissions column of a file listing indicates that the sticky bit has been set:
drwxrwxrwt 2 uucp uucp 512 Feb 12 7:32 /var/spool/uucppublic
Use the chmod command to set the sticky bit. The symbols for setting the sticky bit by using the chmod command in symbolic mode are listed in Table 6-9.
------------------------------------------------------------------------------------
Table 6-9 Sticky Bit Modes
Symbol Description
t Sticky bit is on; execution bit for others is on.
T Sticky bit is on; execution bit for others is off.
------------------------------------------------------------------------------------
Access Control Lists (ACLs)
ACLs (pronounced “ackls”) can provide greater control over file permissions when the traditional UNIX file protection in the Solaris operating system is not enough. The traditional UNIX file protection provides read, write, and execute permissions for the three user
classes: owner, group, and other. An ACL provides better file security by allowing you to define file permissions for the owner, owner’s group, others, specific users and groups, and default permissions for each of these categories.
For example, assume you have a file you want everyone in a group to be able to read. To give everyone access, you would give group” read permissions on that file. Now, assume you want only one person in the group to be able to write to that file. Standard UNIX doesn’t let you set that up; however, you can set up an ACL to give only one person in the group write permissions on the file. ACL entries are the way to define an ACL on a file, and they
are set through the ACL commands. ACL entries consist of the following fields, separated by colons:
entry_type:uid | gid:perms
ACL entries are defined in Table 6-10.
------------------------------------------------------------------------------------
Table 6-10 ACL Entries
ACL Field Description
entry_type The type of ACL entry on which to set file permissions.
For example, entry_type can be user (the owner of a file) or mask (the ACL mask).
uid The user name or identification number.
gid The group name or identification number.
perms Represents the permissions set on entry_type. Permissions are indicated by the symbolic characters rwx or an octal number as used with the chmod command.
------------------------------------------------------------------------------------
The ACL mask entry indicates the maximum permissions allowed for users, other than the owner, and for groups. The mask is a quick ay to change permissions on all users and groups. For example, the mask:r-- mask entry indicates that users and groups cannot have more than read permissions, even though they might have rite/execute permissions.
Setting ACL Entries
Set ACL entries on a file by using the setfacl command:
$ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl_entry_list filename ...
The -s option replaces the entire ACL with the new ACL entries, if n ACL already exists on the file.
The following example sets the user permissions to read/write, roup permissions to readonly, and other permissions to none on the txt1.doc file. In addition, the user bill is given read/write permissions on the file, and the ACL mask permissions are set to read/write, which means that no user or group can have execute permissions.
$ setfacl -s user::rw-,group::r--,other:---,mask:rw-, user:bill:rw- txt1.doc
Checking the New File Permissions Check the new file permissions with the ls -l command. The plus sign (+) to the right of the mode field indicates that the file has an ACL:
$ ls -l
total 210
-rw-r-----+ 1 mike sysadmin 32100 Sep 11 13:11 txt1.doc
-rw-r--r-- 1 mike sysadmin 1410 Sep 11 13:11 txt2.doc
-rw-r--r-- 1 mike sysadmin 1700 Sep 11 13:11 labnotes
Verifying ACL Entries
To verify which ACL entries were set on the file, use the getfacl command:
$ getfacl txt1.doc
The system responds with this:
# file: txt1.doc
# owner: mike
# group: sysadmin
user::rwuser:
bill:rw- #effective:rwgroup::
r-- #effective:r--
mask:rwother:---
Copying a File’s ACL to Another File
Copy a file’s ACL to another file by redirecting the getfacl output as follows:
getfacl <filename1>;: | setfacl -f - <filename2>;
In the following example, I copy the ACL from file1 to file2:
getacl file1 | setfacl -f - file2
Issuing the getfacl command, I can verify that the change has been made:
getfacl file*
# file: file1
# owner: root
# group: other
user::rwuser:
bcalkins:rw- #effective:rwgroup::
r-- #effective:r--
mask:rwother:---
# file: file2
# owner: root
# group: other
user::rwuser:
bcalkins:rw- #effective:rwgroup::
r-- #effective:r--
mask:rwother:---
Modifying ACL Entries on a File
Modify ACL entries on a file by using the setfacl command:
setfacl -m <acl_entry_list>; <filename1>; [filename2 ...]
The arguments for the setfacl command are described in Table 6-11.
-----------------------------------------------------------------------------------
Table 6-11 setfacl Arguments
Argument Description
-m Modifies the existing ACL entry.
<acl_entry_list>; Specifies the list of one or more ACL entries to modify on the file or directory.
You can also modify default ACL entries on a directory. (See Table 6-12 for the list of ACL entries.)
<filename>; Specifies the file or directory.
------------------------------------------------------------------------------------
The ACL entries that can be specified with the setfacl command are described in Table 6-12.
------------------------------------------------------------------------------------
Table 6-12 ACL Entries for Files
ACL Entry Description
u[ser]::<perms>; File owner permissions.
g[roup]::<perms>; File group permissions.
o[ther]:<perms>; Permissions for users other than the file owner or members of the file group.
m[ask]:<perms>; The ACL mask. The mask entry indicates the maximum permissions allowed for users (other than the owner) and for groups. The mask is a quick way to change permissions on all the users and groups. For example, the mask:r-- mask entry indicates that users and groups cannot have more than read permissions, even though they may have write/execute permissions.
u[ser]:uid:<perms>; Permissions for a specific user. For uid, you can specify either a user name or a numeric UID.
g[roup]:gid:<perms>; Permissions for a specific group. For gid, you can specify either a group name or a numeric GID.
------------------------------------------------------------------------------------
Deleting ACL Entries from a File
To delete an ACL entry from a file, use the setfacl -d <acl_entry_list>; command. The following
example illustrates how to remove an ACL entry for user bcalkins on file1 and file2:
setfacl -d u:bcalkins file1 file2
Use the getfacl command, described earlier, to verify that the ntries have been deleted.
In addition to the ACL entries for files, you can set default ACL entries on a directory that apply to files created within the directory.
Setting the Correct Path
Setting your path variable correctly is important; otherwise, you might accidentally run a program introduced by someone else that harms the data or your system. This kind of program, which creates a security hazard, is called a “Trojan horse.” For example, a substitute su program could be placed in a public directory where you, as system administrator, might run it. Such a script would look just like the regular su command. The script would remove itself after execution, and you’d have trouble knowing that you actually ran a Trojan horse.
The path variable is automatically set at login time through the startup files .login, .profile, and .cshrc. Setting up the user search path so that the current directory (.) comes last prevents you or your users from running this type of Trojan horse. The path variable for superuser should not include the current directory (.) at all.
N O T E . Solaris provides a utility called ASET (Automated Security Enhancement Tool) that examines the startup files to ensure that the path variable is set up correctly and does not contain a dot (.) entry for the current directory. ASET is discussed later in this chapter.
The setuid and setgid Programs
When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the file’s owner (usually root) rather than the user who created the process. This allows a user to access files and irectories that normally are available only to the owner. For example, the setuid permission on the passwd command makes it possible for a user to edit the /etc/passwd file to change passwords. When a user executes the passwd command, that user assumes the permissions of the root ID, which is UID 0. The setuid permission can be identified by using the ls -l command. The -s in the permissions field of the following example indicates the use of setuid:
ls -l /etc/passwd
-r-sr-sr-x 1 root sys 10332 May 3 08:23 /usr/bin/passwd
Many executable programs have to be run as root (that is, as superuser) to work properly.
These executables run with the user ID set to 0 (setuid=0). Anyone running these programs runs them with the root ID, which creates a potential security problem if the programs are not written with security in mind.
On the other hand, the use of setuid on an executable program presents a security risk. A determined user can usually find a way to maintain the permissions granted to him by the setuid process, even after the process has finished executing. For example, a particular command might grant root privileges through the setuid. If a user can break out of this command, he could still have the root privileges granted by the setuid on that file. Any intruder who accesses a system will look for any files that have the setuid. Except for the executables shipped with Solaris that have their setuid to root, you should disallow the use of setuid programs—or at least restrict and keep them to a minimum.
T I P. To find files that have setuid permissions, become superuser. Then use the find command to find files that have setuid permissions set:
# find [directory] -user root -perm -4000 -exec ls -ldb {}\; >;/tmp/filename
The set-group identification (setgid) permission is similar to setuid, except that the process’s effective GID is changed to the group owner of the file, and a user is granted access based on permissions granted to that group. Using the ls -l command, you can see that the file /usr/bin/mail has setgid permissions:
-r-x--s--x 1 bin mail 64376 Jul 16 1997 /usr/bin/mail
The following example illustrates how to set the UID on an executable file named myprog1:
chmod 4744 myprog1
Verify the change by typing
ls -l myprog1
The system responds with this:
-rwsr--r-- 1 root other 25 Mar 6 11:52 myprog
The following example illustrates how to set the GID on an executable file named myprog1:
chmod 2070 myprog1
Verify the change by typing
ls -l myprog1
The system responds with this:
----rws--- 1 root other 25 Mar 6 11:58 myprog
Any user can set the UID or GID permission for any file he owns. |
|
免费注册
楼主: wingger
发表于 2005-08-19 17:05
