SIGUnix

Basic System Security

Basic Permissions

Unix uses a very basic permission scheme, in which each file carries three kinds of permission (reading, writing, and executing) for each of several contexts described below. These settings are shown when one does an ls -l and gets output such as:

-r-xr-xr-x 1 root wheel 504820 Jul 14 15:22 /usr/local/bin/gpg

Permissions applied to files

Permissions, when applied to files, have these consequences:

read (r)
permission to view the contents of the file (e.g., through less)
write (w)
permission to edit, change, or modify the contents of the file
execute (x)
permission to run the file as a program

Permissions applied to directories

Permissions, when applied to directories, can be confusing. It helps to keep things straight if one thinks of a directory as a list of filenames of the files or directories below it.

read (r)
permission to list (read) the contents of the directory (do an ls)
write (w)
permission to create, remove, or rename files in the directory
execute (x)
permission to cd into the directory

Permission contexts

In general, there are four contexts that can arise when one is trying to access a file in unix. There are different sets of permissions that apply to each context.

First, note that each file is associated with a user and a group; for example, on my system:

isr5019 ~> ls -l /etc/passwd
-rw-r--r-- 1 root wheel 1381 Sep 10 19:07 /etc/passwd

This shows that /etc/passwd is owned by the user root and associated with the group wheel. Note also that the first character in the permissions list (a - here) tells what type of file you are dealing with:

-
regular file
d
directory
l
symbolic link

root

As a rule of thumb, while root, one can do anything, regardless of who owns the file or what group it is associated with. Some unixes have limitations on root, but they are not standardized at all and are generally changing.

user

-rw-r----- 1 ftobin users 50 Jul 3 01:10 test

The first triplet of permission characters refers to the permissions for the user that owns the file. In this case, the user, ftobin, has read and write privileges, but not execute privileges.

group

-rwxr-x--x 1 root wheel 176048 Jun 24 20:50 test

The second triplet of permission characters refers to the permissions for the group associated with the file. Here, the group, wheel, has read and execute permissions.

world/other

-rwxr-x--- 1 root wheel 176048 Jun 24 20:50 test

The third triplet of permission characters refers to the permissions granted to users who are neither the owner nor in the group associated with the file. In this case, no permissions are granted to the world/others.

Changing permissions on a file

Only the user/owner of a file can change permissions; the group associated with it cannot.

setuid/setgid permissions

Programs that need to run with special privileges (such as changing one's passphrase), generally gain these privileges through a special set of permissions, called setuid or setgid.

-r-sr-xr-x 2 root wheel 23984 Jun 24 21:00 /usr/bin/passwd

The s in the permissions, and the fact that it is in the user-permissions triplet, lets you know it is a setuid executable. If it were in the group-permissions triplet, it would be a setgid executable.

If a program is setuid, it runs with the permissions of the owner of the file; if setgid, it runs with the permissions of the group associated with it.
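The four contexts above and the s marker just described, worked through as an added example (this is not code from the original page); the users, groups and mode strings it handles are constructed, and it follows the page's rule of thumb that root gets everything:

```sh
# Added example, not from the original page: decode an ls -l mode string such as
# "-r-sr-xr-x" into octal, name its special bits, and work out which triplet
# governs a requester under the four contexts above. Users/groups are constructed.

# Normalise one triplet so its last character is x or - (s/t imply x, S/T do not).
norm_triplet() {
    nt=$1; ne=${nt#??}
    case $ne in s|t) ne=x ;; S|T) ne=- ;; esac
    printf '%s\n' "${nt%?}$ne"
}
# Octal mode of a 10-character mode string, e.g. "-r-sr-xr-x" -> 4555.
mode_to_octal() {
    rest=${1#?}                                   # drop the file-type character
    u=${rest%??????}; tmp=${rest#???}; g=${tmp%???}; o=${rest#??????}
    sp=0; n=""
    case $u in ??[sS]) sp=$((sp + 4)) ;; esac     # setuid
    case $g in ??[sS]) sp=$((sp + 2)) ;; esac     # setgid
    case $o in ??[tT]) sp=$((sp + 1)) ;; esac     # sticky
    for t in "$u" "$g" "$o"; do
        t=$(norm_triplet "$t"); v=0
        case $t in r??) v=$((v + 4)) ;; esac
        case $t in ?w?) v=$((v + 2)) ;; esac
        case $t in ??x) v=$((v + 1)) ;; esac
        n="$n$v"
    done
    printf '%s%s\n' "$sp" "$n"
}
# Name the special bits, e.g. "setuid" for /usr/bin/passwd's "-r-sr-xr-x".
mode_flags() {
    f=""
    case $1 in ???[sS]??????) f="$f setuid" ;; esac
    case $1 in ??????[sS]???) f="$f setgid" ;; esac
    case $1 in ?????????[tT]) f="$f sticky" ;; esac
    printf '%s\n' "${f# }"
}
# Which triplet applies to USER (member of the space-separated USERGROUPS) for a
# file listed as MODE and owned by OWNER:GROUP? Root gets rwx by the rule of
# thumb above; otherwise owner beats group beats world/other.
effective_perms() {
    mode=$1; owner=$2; group=$3; user=$4; usergroups=$5; rest=${mode#?}
    [ "$user" = root ] && { echo "root: rwx"; return 0; }
    [ "$user" = "$owner" ] && { echo "user: $(norm_triplet "${rest%??????}")"; return 0; }
    for gr in $usergroups; do
        [ "$gr" = "$group" ] && { tmp=${rest#???}; echo "group: $(norm_triplet "${tmp%???}")"; return 0; }
    done
    echo "other: $(norm_triplet "${rest#??????}")"
}
echo "-r-sr-xr-x -> $(mode_to_octal '-r-sr-xr-x') [$(mode_flags '-r-sr-xr-x')]"
effective_perms '-rw-r-----' ftobin users alice 'users staff'
```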

Many system compromises are due to badly-written setuid programs. It is considered good security practice to minimize the number of setuid/setgid programs on one's system because of this, either by removing (deleting) them entirely, or by removing the setuid permission with chmod -s file.

One should occasionally peruse the list of setuid programs on one's machine and make sure there are none that are unnecessary. One can find all of the setuid programs on one's system using:

find / -type f \( -perm -u+s -or -perm -g+s \)

The parentheses are needed: find's -and binds more tightly than -or, so without them the -type f test would apply only to the setuid half, and setgid directories would be listed as well.
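The periodic review just described, turned into an inventory check as an added example (not the page's own code): it lists the setuid/setgid files under a tree and diffs them against a saved baseline so that anything new stands out. The baseline path and the sample tree are constructed for the demonstration.

```sh
# Added example, not from the original page: inventory the setuid/setgid files
# under a tree and diff that inventory against a saved baseline, so a newly
# appeared setuid program stands out at the next review. Paths are constructed.

# Sorted list of setuid/setgid regular files under $1. Numeric -perm forms
# are portable across GNU and BSD find; the parentheses keep -type f applying
# to both alternatives (without them -o would also match setgid directories).
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Compare the current inventory of $1 with the baseline file $2. Prints
# "+ path" for files that are setuid/setgid now but were not recorded and
# "- path" for recorded ones that have gone. Returns 0 if unchanged, 1 if not.
audit_suid() {
    current=$(list_suid "$1")
    added=$(printf '%s\n' "$current" | comm -23 - "$2")
    removed=$(printf '%s\n' "$current" | comm -13 - "$2")
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ]
}

# Demonstration on a constructed tree; nothing outside it is touched.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/shared"
: > "$demo/bin/passwd-like"; chmod 4755 "$demo/bin/passwd-like"   # setuid program
: > "$demo/bin/plain";       chmod 0755 "$demo/bin/plain"          # ordinary executable
chmod 2775 "$demo/shared"                                           # setgid directory, not a program
list_suid "$demo" > "$demo/baseline"                                # record the accepted state
: > "$demo/bin/newsuid"; chmod 4755 "$demo/bin/newsuid"             # something appeared since
audit_suid "$demo" "$demo/baseline" || echo "setuid inventory changed; review the lines above"
```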

setuid/setgid on directories

If setuid/setgid permissions are placed on a directory, they have an entirely different meaning. Directories with the setuid/setgid permission force all files and sub-directories created in them to be owned by the directory's owner/group rather than by the user/group of the user creating the file.

inetd

Purpose

inetd is a meta-daemon that listens on a specified set of ports; when a connection is made to one of them, inetd starts up the program specified for that port.

Uses

inetd is often used to start up programs such as mail daemons (e.g., sendmail and qmail) and ftpd. Other daemons, such as sshd, are generally started on their own because their startup time is somewhat high; it is more efficient to have one daemon running all the time and fork off copies as needed.

Configuration

Control of what inetd handles is done through /etc/inetd.conf, which consists of lines that generally look similar to:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -ASll

This line means that inetd will listen on the ftp port and, when a connection arrives, start ftpd with the parameters -ASll (which, if interested, on FreeBSD indicate anonymous-only connections and lots of logging).
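A review of an inetd.conf in the terms just used, as an added example (not code from the original page): it reports which services are actually enabled, what inetd hands each connection to, and which handlers run as root. The configuration file it reads is constructed for the demonstration.

```sh
# Added example, not from the original page: review an inetd.conf by listing
# only the services that are enabled (uncommented), what inetd runs for each,
# and which of them run as root. The configuration file below is constructed.

conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample inetd.conf: service socktype proto wait/nowait user program args
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -ASll
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
ident   stream  tcp     wait    nobody  /usr/local/sbin/identd  identd -w -t120
EOF

# Enabled services as "service user program", skipping comments and blanks.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1, $5, $6 }' "$1"
}

# Only the services whose handler inetd will start as root.
inetd_root_services() {
    inetd_enabled "$1" | awk '$2 == "root" { print $1 }'
}

# Spell out what each enabled line means, in the terms used above.
describe_inetd() {
    awk '!/^[ \t]*#/ && NF >= 6 {
        args = ""; for (i = 7; i <= NF; i++) args = args (i > 7 ? " " : "") $i
        printf "%s: inetd listens on the %s port (%s/%s) and starts %s as %s with argv \"%s\"\n",
               $1, $1, $3, $2, $6, $5, args
    }' "$1"
}

describe_inetd "$conf"
echo "running as root: $(inetd_root_services "$conf")"
```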

Host-based security through tcp_wrappers

In order to tell what hosts are allowed to connect to certain services offered through inetd (such as ftp, sendmail, etc.)

sudo