Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Secure Software

Published byBudi Setiawan Modified over 5 years ago

Similar presentations

Presentation on theme: "Engineering Secure Software"— Presentation transcript:

1 Engineering Secure Software
Linux Permissions

2 Linux File Permissions
Each file and directory has bits for.. Read, Write, Execute: rwx Files: works as it sounds Directories: r  “can list files in a directory” (but not read a given file) w  “can create, change, delete files in directory” x  “cannot cd (change directory) to that directory” Thus, you may only read a file IFF you: Have read permissions to the file AND Have execute permissions to that file’s directory Files & Directories have 3 levels: Owner, Group, and Everyone Else aka. User, Group, Other: ugo

3 List permissions of a file: ls –l with some info removed from below in [...] drwxr-x--- […] pkm faculty […] . drwx […] pkm faculty […] .. -rwxrwxrwx […] pkm faculty […] allopen drwx […] pkm faculty […] mydir -rw […] pkm faculty […] myfile -rwx […] pkm faculty […] myprog drwxrwx--- […] pkm faculty […] ourdir -rwxrwx--- […] andy faculty […] ourprog Can andy execute myprog? No, because of file permissions. Can both pkm and andy execute ourprog? Yes. Everyone in faculty can read and execute ourprog Can andy read ourprog? Yes. Directory has group x, file has group r Can andy change directory (cd) to mydir? No. The directory’s execute permission is off.

4 chmod Command to change permissions Octal notation
Set (=), Add (+), Remove (-) Set user to rw, not x: chmod u=rw . Set user, groups to only rw: chmod ug=rw . Set ug to only rx, recursively: chmod –R ug=rx . Add “groups can rw”: chmod g+rw . Add “others can rw”: chmod o+rw . Add “everyone can read”: chmod a+r . Remove write from group: chmod g-w . Octal notation e.g. chmod 755 file.txt Good for setting, not adding/removing 1,2,3 are never used rwx --- --x -w- -wx r-- r-x rw- Binary 000 001 010 011 100 101 110 111 Decimal 1 2 3 4 5 6 7

5 umask When a file is created… Programs can change their own umask
User mask (umask) is consulted for permissions Owner = user who created the file The resulting default permission C = (P & ~Q), where Q is the mask, and P is 666 for files and 777 for directories e.g., if mask is 077, a file’s permission, C = 666 & ~(077) = 600 = rw Or, subtract octally, “digit by digit” (tricky when the mask has a 7 in it) from 666 for files or 777 for directories e.g. , if mask is 022, a directory’s permission, C = =755, or rwxr-xr-x nitron.se.rit.edu default: rw (or 077) Common default: rw-r--r– (or 022) Common umask shared group stuff: rw-rw--– (or 007) Programs can change their own umask Blessing for good developers but curse for system administrators

6 Executing as users When executing, ordinarily…
OS ignores the owner of the program file Runs the program as you (assuming you have permissions, of course) e.g. prog.sh owned by root gets run as you This allows for root to have files that cannot be modified, but executed e.g. passwd (change the password) should not be tampered with sudo: execute this program as root user (“superuser do”) e.g. sudo /etc/init.d/apache2 start su: change the current user to someone else

7 setuid, setgid setuid and setgid bits on files
chmod ug+s ./prog.sh “Execute as the owner’s rights, not as the executing user’s rights” (assuming you have permissions to execute it) Files owned by root with setuid are highly risky Arbitrary code execution vulnerability? Executing as root. App developers should almost never use this OS commands have a lot of these (e.g. passwd is owned root with setuid) Repudiation becomes a major threat with setuid and setgid setuid and setgid bits on directories setuid on directories is ignored in Linux setgid means new files inherit the group ID Sticky bit Only a file’s owner, the owner of the file’s directory, or root can delete the file

8 For Example larry$ umask 077 larry$ mkdir dir larry$ ls –l dir/ drwx … larry stooges … dir larry$ touch dir/file.sh larry$ ls –la dir/ -rwx … larry stooges … .  ./dir -rwx … larry stooges … ..  ./dir/.. -rw … larry stooges … file.sh larry$ ./dir/file.sh bash: ./dir/file.sh: Permission denied larry$ chmod –R ug+x . curly$ ./dir/file.sh [Success!] curly$ ls –l ./dir bash: ./dir/: Permission denied

9 Beware of sudo He sees you when you're sleeping, he knows when you're awake, he's copied on /var/spool/mail/root, so be good for goodness' sake. Source:

Download ppt "Engineering Secure Software"

Similar presentations

Linux File & Folder permissions. File Permissions In Ubuntu, files and folders can be set up so that only specific users can view, modify, or run them.

Linux File & Folder permissions. File Permissions In Ubuntu, files and folders can be set up so that only specific users can view, modify, or run them.
Engineering Secure Software. Linux File Permissions  Each file and directory has bits for.. Read, Write, Execute: rwx Files: works as it sounds  Directories:

Engineering Secure Software. Linux File Permissions  Each file and directory has bits for.. Read, Write, Execute: rwx Files: works as it sounds  Directories:
1 CSE 390a Lecture 4 Persistent shell settings; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller

1 CSE 390a Lecture 4 Persistent shell settings; users/groups; permissions slides created by Marty Stepp, modified by Jessica Miller
1 CSE 303 Lecture 4 users/groups; permissions; intro to shell scripting read Linux Pocket Guide pp. 19-20, 25-27, 61-65, 118-119, 176 slides created by.

1 CSE 303 Lecture 4 users/groups; permissions; intro to shell scripting read Linux Pocket Guide pp , 25-27, 61-65, , 176 slides created by.
File Security. Viewing Permissions ls –l Permission Values.

File Security. Viewing Permissions ls –l Permission Values.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
User Accounts and Permissions Chapter IV / Part II.

User Accounts and Permissions Chapter IV / Part II.
UNIX Chapter 08 File Security Mr. Mohammad Smirat.

UNIX Chapter 08 File Security Mr. Mohammad Smirat.
Using Linux Commands Lab 4. Using the Shell in Linux Commands Syntax  Options: could be added to the commands to change their behavior (-a, -la, --help)

Using Linux Commands Lab 4. Using the Shell in Linux Commands Syntax  Options: could be added to the commands to change their behavior (-a, -la, --help)
Getting Started with Linux Linux System Administration Permissions.

Getting Started with Linux Linux System Administration Permissions.
File System Security 1. General Principles Files and folders are managed by the operating system Applications, including shells, access files through.

File System Security 1. General Principles Files and folders are managed by the operating system Applications, including shells, access files through.
CIT 140: Introduction to ITSlide #1 CSC 140: Introduction to IT File Security.

CIT 140: Introduction to ITSlide #1 CSC 140: Introduction to IT File Security.
File Permissions. What are the three categories of users that apply to file permissions? Owner (or user) Group All others (public, world, others)

File Permissions. What are the three categories of users that apply to file permissions? Owner (or user) Group All others (public, world, others)
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
1Week 4 - Jan 31, 2005 Week 4 Agenda UNIX Directory Structure Absolute pathname Relative pathname Permissions chmod (symbolic/absolute)

1Week 4 - Jan 31, 2005 Week 4 Agenda UNIX Directory Structure Absolute pathname Relative pathname Permissions chmod (symbolic/absolute)
Managing Files CSCI N321 – System and Network Administration Copyright © 2000, 2011 by the Trustees of Indiana University except as noted.

Managing Files CSCI N321 – System and Network Administration Copyright © 2000, 2011 by the Trustees of Indiana University except as noted.
Module 4 - File Security. Security Overview File Ownership Access to Files and Dircetories Changing File and Directory Ownership Changing File and Directory.

Module 4 - File Security. Security Overview File Ownership Access to Files and Dircetories Changing File and Directory Ownership Changing File and Directory.
File Permission and Access. Module 6 File Permission and Access ♦ Introduction Linux is a multi-user system where users can assign different access permission.

File Permission and Access. Module 6 File Permission and Access ♦ Introduction Linux is a multi-user system where users can assign different access permission.
Lesson 9-Setting and Using Permissions. Overview Describing file permissions. Using execute permissions with a file. Changing file permissions using mnemonics.

Lesson 9-Setting and Using Permissions. Overview Describing file permissions. Using execute permissions with a file. Changing file permissions using mnemonics.
File Security and Permissions. File Permissions (1) u With respect to a particular file, Unix divides the set of all users on a system into three categories:

File Security and Permissions. File Permissions (1) u With respect to a particular file, Unix divides the set of all users on a system into three categories:

Similar presentations

Ads by Google