Files, Processes and Permissions

Linux Users, Groups, Processes

See this or this or man credentials on a Linux/Unix system.

User: used to assign ownership to files, directories and processes
see /etc/passwd and /etc/shadow
Group: A collection of users, a user can belong to many groups. Files are also owned by a group.
see /etc/group and group command
Process: An instance of a running program. (What follows is a simplification, this is the effective user and group for the process...) Associated with exactly one user and all groups the user is in. If a default group is set, then associated only with that group.
see ps aux command
File: Data stored on disk. Associated with exactly one user and group.
see ls -al command
Directory: Container for files and directories. Associated with exactly one user and group.
see ls -al command

Linux File and Directory Permissions

Files and directories have

Owner process permissions (r/w/x)
Group process permissions (r/w/x)
Other process permissions (r/w/x)

Notation (from ls -al)

-rwxr--r--
0123456789

Symbol in the position 0 ("-")is the type of the file. It is either "d" if the item is a directory, or "l" if it is a link, or "-" if the item is a regular file.
Symbols in positions 1 to 3 ("rwx") permissions for processes which match file user
Symbols in positions 4 to 6 ("r--") permissions for processes which match file group
Symbols in positions 7 to 9 ("r--") permissions for other processes

r	Read access is allowed
w	Write access is allowed
x	Execute access is allowed
-	Replaces "r", "w" or "x" if according access type is denied

Example

`-rwxr-xr-x`	File, processes which match my user can read, write and execute processes which match my group can only read and execute other processes can only read and execute
`dr-x------`	Directory, user read and execute access, group and others have no access

Meaning of Permissions for Files and Directories

Access type	File	Directory
Read	If the file contents can be read	If the directory listing can be obtained
Write	If process can write to the file (change its contents)	If process can change directory contents: create, delete, rename files/directories
Execute	If process can execute the file	If process can cd to/through the directory

umask

umask contols the default permissions on created files and folder. umask is set in /etc/bashrc.

By example:

[hacker@rh72 hacker]$ umask 000 [hacker@rh72 hacker]$ echo "" > zz.txt [hacker@rh72 hacker]$ ls -al zz.txt -rw-rw-rw- 1 hacker hacker 1 Nov 15 15:23 zz.txt [hacker@rh72 hacker]$ rm zz.txt [hacker@rh72 hacker]$ umask 002 [hacker@rh72 hacker]$ echo "" > zz.txt [hacker@rh72 hacker]$ ls -al zz.txt -rw-rw-r-- 1 hacker hacker 1 Nov 15 15:23 zz.txt [hacker@rh72 hacker]$ rm zz.txt [hacker@rh72 hacker]$ umask 006 [hacker@rh72 hacker]$ echo "" > zz.txt [hacker@rh72 hacker]$ ls -al zz.txt -rw-rw---- 1 hacker hacker 1 Nov 15 15:24 zz.txt [hacker@rh72 hacker]$

A catalog of commands (by example)

(as root) #!/bin/bash useradd u1 # create user u1 passwd u1 # set their password useradd u2 passwd u2 groupadd g1 # create a new group (see /etc/group) groupadd g2 # create a new group usermod -G g2 hacker # add hacker to the g2 group groups hacker # which groups is hacker a member of? mkdir u1g1 chown u1:g1 u1g1 # make u1g1 owned by u1 with group g1 chmod 770 u1g1 mkdir u1g2 chown u1:g2 u1g2 chmod 770 u1g2 mkdir u1sg1 chown u1:g1 u1sg1 chmod 777 u1sg1 # change u1sg1 permissions to drwxr-xr-x chmod g+ws u1sg1 # change u1sg1 permissions to drwxrwsr-x mkdir u2g1 chown u2:g1 u2g1 chmod 770 u2g1 mkdir u2g2 chown u2:g2 u2g2 chmod 770 u2g2 chown u2:u2 loopu2.pl chmod 755 loopu2.pl chmod u+s loopu2.pl chmod u+s write2u2g1.bash chown u2:u2 write2u2g1.bash chown u2:u2 write2u2g1.pl chmod +s write2u2g1.pl

Our examples

--------------------------hacker is a member of group g2--------------------- total 48 drwxr-xr-x 7 hacker hacker 4096 Oct 4 22:18 . drwx------ 6 hacker hacker 4096 Oct 4 22:16 .. -rwxr-xr-x 1 hacker hacker 30 Oct 4 21:56 loop.pl -rwsr-xr-x 1 u2 u2 30 Oct 4 21:45 loopu2.pl -rwxr-xr-x 1 hacker hacker 823 Oct 4 22:03 script.bash drwxrwx--- 2 u1 g1 4096 Oct 4 21:35 u1g1 drwxrwx--- 2 u1 g2 4096 Oct 4 22:00 u1g2 drwxrwsrwx 2 u1 g1 4096 Oct 4 22:16 u1sg1 drwxrwx--- 2 u2 g1 4096 Oct 4 22:20 u2g1 drwxrwx--- 2 u2 g2 4096 Oct 4 21:38 u2g2 -rwsr-xr-x 1 u2 u2 106 Oct 4 21:45 write2u2g1.bash -rwsr-sr-x 1 u2 u2 102 Oct 4 21:45 write2u2g1.pl --------------------------loopu2.pl------------------------------------ #!/usr/bin/perl while(1){ } --------------------------write2u2g1.bash------------------------------------ #!/bin/bash ps -aux echo "setuid has been disabled for bash scripts" cd u2g1 echo "Hi there" > hello.txt --------------------------write2u2g1.pl------------------------------------ #!/usr/bin/perl open(F,">>u2g1/hello.txt")||die "can't open file"; print F "Hello there!"; close F;

setuid

Problem: We would like to allow all users of the system to add to a log file. We don't want them to be able to read or modify the file though. How do we do this?
Solution: Write a program that adds to the log file. The program runs as user='logger' What permissions should the log file and directory have? What happens when hacker runs this program? Would like hacker to run as if they were 'logger'.

setuid

Consider -rwxrwxr-x 1 u2 u2 30 Nov 14 22:07 loopu2.pl | +------- pay attention to this... When run by hacker, process created is associated with hacker. The process has same access as hacker. -rwsrwxr-x 1 u2 u2 30 Nov 14 22:07 loopu2.pl | +------- changed via chmod u+s loopu2.pl When a user runs this, the process created has user=u2 (even though the original user may not be u2). This has the obvious effect on that processes access to files etc.

setuid vulnerability

Problems with setuid programs...see setuid - checklist for security of setuid programs or How to write a setuid program.

A few setuid threats

attacker uses setuid program to execute arbitrary commands as setuid user
- Example: buffer overrun
- Example: at (see How to write a setuid program and XP Pro Privilege Escalation Exploit) and example below.
attacker modifies their environment (setuid program runs under original processes environment) to effect the way the setuid process operates.
- Example: umask 000, then run write2u2g1.pl

groups and setgid

If a directory is setgid (ie by chmod g+s u1sg1) then all files and folders created in that directory are owned by the specified group.

Moral of the story

Remove setuid programs unless they are absolutely necessary and well written.
Principle of least privilege: Each process should run with least privilege necessary to get it's job done. Each file and directory should maximally restrict the set of users and groups that can access them.
World writable files are bad (see at example in How to write a setuid program).

Files, Processes and Permissions

Linux Users, Groups, Processes

Linux File and Directory Permissions

Example

Meaning of Permissions for Files and Directories

umask

A catalog of commands (by example)

Our examples

setuid

setuid

setuid vulnerability

groups and setgid

Moral of the story

References