Understanding Ownership

Linux uses a three-tiered approach to protecting files and directories:

• Owner: Within the Linux system, each file and directory is assigned to a single owner. The Linux system administrator can assign the owner specific privileges to the file or directory.
• Group: The Linux system also assigns each file and directory to a single group of users. The administrator can then assign that group privileges that are specific to the file or directory and that differ from the owner privileges.
• Others: This category of permissions is assigned to any user account that is not the owner nor in the assigned user group.

You can view the assigned owner and group for a file or directory by adding the -l option to the ls command, as shown in Listing 15.1.

Listing 15.1: Viewing file owner and group settings

$ ls -l
total 12
-rw-rw-r--  1 Rich sales 1521 Jan 19 15:38 customers.txt
-rw-r--r--  1 Christine sales  479 Jan 19 15:37 research.txt
-rw-r--r--  1 Christine sales  696 Jan 19 15:37 salesdata.txt
$

In Listing 15.1, the first column, -rw-rw-r--, defines the access permissions assigned to the owner, group, and others. That will be discussed later in the chapter in the section “Controlling Access Permissions.” The third column in Listing 15.1, the Rich or Christine value, shows the user account assigned as the owner of the file. The fourth column, sales, shows the group assigned to the file.

When a user creates a file or directory, by default the Linux system automatically assigns that user as the owner and uses the primary group the user belongs to as the group for the file or directory. You can change the default owner and group assigned to files and directories using Linux commands. The following sections show how to do that.

chown [options] newowner filenames

$ sudo chown Christine customers.txt
$ ls -l
total 12
-rw-rw-r-- 1 Christine sales 1521 Jan 19 15:38 customers.txt
-rw-r--r-- 1 Christine sales  479 Jan 19 15:37 research.txt
-rw-r--r-- 1 Christine sales  696 Jan 19 15:37 salesdata.txt
$

chgrp [options] newgroup filenames

$ sudo chgrp marketing customers.txt
$ ls -l
total 12
-rw-rw-r-- 1 Christine marketing 1521 Jan 19 15:38 customers.txt
-rw-r--r-- 1 Christine sales      479 Jan 19 15:37 research.txt
-rw-r--r-- 1 Christine sales      696 Jan 19 15:37 salesdata.txt
$

Controlling Access Permissions

After you’ve established the file or directory owner and group, you can assign specific permissions to each. Linux uses three types of permission controls:

• Read: The ability to access the data stored within the file or directory
• Write: The ability to modify the data stored within the file or directory
• Execute: The ability to run the file on the system, or the ability to list the files contained in the directory

You can assign each tier of protection (owner, group, and other) different read, write, and execute permissions. This creates a set of nine different permissions that are assigned to each file and directory on the Linux system. The nine permissions appear in the ls output as the first column of information when you use the -l option, as shown in Listing 15.1. Figure 15.1 shows the order in which the permissions are displayed in the ls output.

In Figure 15.1, the first character denotes the object type. A dash indicates a file, while a d indicates a directory.

The next three characters denote the owner permissions in the order of read, write, and execute. A dash indicates the permission is not set, while the r, w, or x indicate the read, write, or execute permission is set. In the example in Listing 15.1, all three files use rw- for the owner permissions, which means the owner has permissions to read and write to the file but cannot execute, or run, the file. This is common with data files.

The second set of three characters denotes the group permissions for the file or directory. Again, this uses the read, write, and execute order, with a dash indicating the permission is not set. After making the change to the customers.txt file for the marketing group, the sales group can only read the research.txt and salesdata.txt files, but the marketing group can both read and write the customers.txt file.

Finally, the third set of three characters denotes the permissions assigned to user accounts that are not the owner or a member of the group assigned to the file or directory. The same order of read, write, and execute is used. In the Listing 15.1 examples, other user accounts on the system can read the files but not write or execute them.

Either the root user account or the owner of the file or directory can change the assigned permissions by using the chmod command.

The format of the chmod command can be somewhat confusing. It uses two different modes for denoting the read, write, and execute permission settings for the owner, group, and other. Both modes allow you to define the same sets of permissions, so there’s no reason to use one mode over the other.

In symbolic mode, you denote permissions by using a letter code for the owner (u), group (g), others (o), or all (a) and another letter code for the read (r), write (w), or execute (x) permission. The two codes are separated with a plus sign (+) if you want to add the permission, a minus sign (-) to remove the permission, or an equal sign (=) to set the permission as the only permission. Listing 15.2 shows an example of this.

Listing 15.2: Changing the file owner

$ chmod g-w customers.txt
$ ls -al
total 12
-rw-r--r--  1 Christine marketing 1521 Jan 19 15:38 customers.txt
-rw-r--r--  1 Christine sales      479 Jan 19 15:37 research.txt
-rw-r--r--  1 Christine sales      696 Jan 19 15:37 salesdata.txt
$

In Listing 15.2, the g-w code in the chmod command indicates to remove the write permission for the group from the customers.txt file.

You can combine letter codes for both to make multiple changes in a single chmod command, as shown in Listing 15.3.

Listing 15.3: Combining permission changes

$ chmod ug=rwx research.txt
$ ls -l
total 12
-rw-rw-r-- 1 Christine marketing 1521 Jan 19 15:38 customers.txt
-rw-r--r-- 1 Christine sales      479 Jan 19 15:37 research.txt
-rwxrwxr-- 1 Christine sales      696 Jan 19 15:37 salesdata.txt
$

The ug code assigns the change to both the owner and the group, while the rwx code assigns the read, write, and execute permissions. The equal sign indicates to set those permissions.

The second mode available in chmod is called octal mode. With octal mode, the nine permission bits are represented as three octal numbers, one each for the owner, group, and other permissions. Table 15.1 shows how the octal number matches the three symbolic mode permissions.

You must specify the three octal values in the owner, group, and other in the correct order, as shown in Listing 15.4.

Listing 15.4: Using octal mode to assign permissions

$ chmod 664 research.txt
$ ls -l
total 12
-rw-r--r-- 1 Christine marketing 1521 Jan 19 15:38 customers.txt
-rw-rw-r-- 1 Christine sales      479 Jan 19 15:37 research.txt
-rw-r--r-- 1 Christine sales      696 Jan 19 15:37 salesdata.txt
$

The 664 octal mode set the owner and group permissions to read and write (6) but the others permission to read only (4). You can see the results from the ls output. This is a handy way to set all of the permissions for a file or directory in a single command.

Exploring Special Permissions

There are three special permission bits that Linux uses for controlling the advanced behavior of files and directories.

The Set User ID (SUID) bit is used with executable files. It tells the Linux kernel to run the program with the permissions of the file owner and not the user account actually running the file. This feature is most commonly used in server applications that must run as the root user account to have access to all files on the system, even if the user launching the process is a standard user.

The SUID bit is indicated by an s in place of the execute permission letter for the file owner: rwsr-xr-x. The execute permission is assumed for the system to run the file. If the SUID bit is set on a file that doesn’t have execute permission for the owner, it’s indicated by an uppercase S.

To set the SUID bit for a file, in symbolic mode add s to the owner permissions, or in octal mode include a 4 at the start of the octal mode setting:

# chmod u+s myapp
# chmod 4750 myapp

The Set Group ID (GUID) bit works differently in files and directories. For files, it tells Linux to run the program file with the file’s group permissions. It’s indicated by an s in the group execute position: rwxrwsr--.

For directories, the GUID bit helps us create an environment where multiple users can share files. When a directory has the GUID bit set, any files users create in the directory are assigned the group of the directory and not that of the user. That way all users in that group can have the same permissions as all of the files in the shared directory.

To set the GUID bit, in symbolic mode add s to the group permissions, or in octal mode include a 2 at the start of the octal mode setting:

# chmod g+s /sales
# chmod 2660 /sales

Finally, the sticky bit is used to protect a file from being deleted by those who don’t own it, even if they belong to the group that has write permissions to the file. The sticky bit is denoted by a t in the execute bit position for others: rwxrw-r-t.

The sticky bit is often used on directories shared by groups. The group members have read and write access to the data files contained in the directory, but only the file owners can remove files from the shared directory.

To set the sticky bit, in symbolic mode add t to the owner permissions, or in octal mode include a 1 at the start of the octal mode setting:

# chmod o+t /sales
# chmod 1777 /sales

Managing Default Permissions

When a user creates a new file or directory, the Linux system assigns it a default owner, group, and permissions. The default owner, as expected, is the user who created the file. The default group is the owner’s primary group.

The user mask feature defines the default permissions Linux assigns to the file or directory. The user mask is an octal value that represents the bits to be removed from the octal mode 666 permissions for files or the octal mode 777 permissions for directories.

The user mask value is set with the umask command. You can view your current umask setting by simply entering the command by itself on the command line:

$ umask
0022
$

The output of the umask command shows four octal values. The first octal value represents the mask for the SUID (4), GUID (2), and sticky (1) bits assigned to files and directories you create. The next three octal values mask the owner, group, and other permission settings.

The mask is a bitwise mask applied to the permission bits on the file or directory. Any bit that’s set in the mask is removed from the permissions for the file or directory. If a bit isn’t set, the mask doesn’t change the setting. Table 15.2 demonstrates how the umask values work in practice when creating files and directories on your Linux system.

You can test this by creating a new file and directory on your Linux system:

$ mkdir test1
$ touch test2
$ ls -l
total 4
drwxr-xr-x 2 rich rich 4096 Jan 19 17:08 test1
-rw-r--r-- 1 rich rich    0 Jan 19 17:08 test2
$

The umask value of 0022 created the default file permissions of rw-r--r-- , or octal 644, on the test2 file, and rwx-r-xr-x, or octal 755, on the test1 directory, as expected (note that the directory entry starts with a d in the permissions list).

You can change the default umask setting for your user account by using the umask command from the command line:

$ umask 027
$ touch test3
$ ls -l test3
-rw-r----- rich rich 0 Jan 19 17:12 test3
$

The default permissions for the new file have changed to match the umask setting.

Using SELinux

The Security-Enhanced Linux (SELinux) application is a project of the United States National Security Agency (NSA) and has been integrated into the Linux kernel since version 2.6.x. It is now a standard part of Red Hat–based Linux distributions, such as Fedora and CentOS, and an optional install for Debian-based distributions.

SELinux implements MAC security by allowing you to set policy rules for controlling access between various types of objects on the Linux system, including users, files, directories, memory, network ports, and processes. Each time a user or process attempts to access an object on the Linux system, SELinux intercepts the attempt and evaluates it against the defined policy rules.

$ sudo getenforce
Enforcing
$

$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
$

user:role:type:level

$ id -Z rich
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$

$ ls -Z test1.txt
-rw-rw-r--. rich rich unconfined_u:object_r:user_home_t:s0 test1.txt
$

$ ps -axZ | grep postfix
system_u:system_r:postfix_master_t:s0 3910 ? Ss 0:00 master -w
system_u:system_r:postfix_pickup_t:s0 3935 ? S  0:00 pickup -l -t unix -u
system_u:system_r:postfix_qmgr_t:s0 3936 ?   S  0:00 qmgr -l -t unix -u
$

chcon -u newuser -r newrole -t newtype filename

$ getsebool antivirus_can_scan_system
antivirus_can_scan_system --> off
$

$ sudo getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
cdrecord_read_content --> off
cluster_can_network_connect --> off
cluster_manage_all_files --> off
cluster_use_execmem --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
collectd_tcp_network_connect --> off
condor_tcp_network_connect --> off
conman_can_network --> off
conman_use_nfs --> off
...

$ sudo setsebool antivirus_can_scan_system on
$ getsebool antivirus_can_scan_system
antivirus_can_scan_system --> on
$

Using AppArmor

Debian-based Linux distributions commonly use the AppArmor MAC system. AppArmor isn’t as complex or versatile as SELinux; it only controls the files and network ports applications have access to.

AppArmor also defines access based on policies but calls them profiles. Profiles are defined for each application in the /etc/apparmor.d directory structure. Normally, each application package installs its own profiles.

Each profile is a text file that defines the files and network ports the application is allowed to communicate with and the access permissions allowed for each. The name of the profile usually references the path to the application executable file, replacing the slashes with periods. For example, the profile name for the mysqld application program is called usr.sbin.mysqld.

To determine the status of AppArmor on your Linux system, use the aa-status command, as shown in Listing 15.7.

Listing 15.7: The aa-status command output

$ sudo aa-status
apparmor module is loaded.
83 profiles are loaded.
44 profiles are in enforce mode.
   /sbin/dhclient
   /snap/core/4917/usr/lib/snapd/snap-confine
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
...
39 profiles are in complain mode.
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   ...
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   libreoffice-oopslash
   libreoffice-soffice
   ping
   syslog-ng
   syslogd
7 processes have profiles defined.
5 processes are in enforce mode.
   /sbin/dhclient (912)
   /sbin/dhclient (982)
   /usr/sbin/cups-browsed (804)
   /usr/sbin/cupsd (748)
   /usr/sbin/mysqld (1094)
0 processes are in complain mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/avahi-daemon (747)
   /usr/sbin/avahi-daemon (803)
$

The output from the aa-status command in Listing 15.7 shows all of the profiles in enforce, complain, or disabled status. You can view a listing of active network ports on your system that don’t have a profile defined by using the aa-unconfined command:

$ sudo aa-unconfined
465 /lib/systemd/systemd-resolved not confined
747 /usr/sbin/avahi-daemon not confined
748 /usr/sbin/cupsd confined by ’/usr/sbin/cupsd (enforce)’
804 /usr/sbin/cups-browsed confined by ’/usr/sbin/cups-browsed (enforce)’
885 /usr/sbin/xrdp-sesman not confined
912 /sbin/dhclient confined by ’/sbin/dhclient (enforce)’
935 /usr/sbin/xrdp not confined
982 /sbin/dhclient confined by ’/sbin/dhclient (enforce)’
992 /usr/sbin/apache2 not confined
993 /usr/sbin/apache2 not confined
994 /usr/sbin/apache2 not confined
1094 /usr/sbin/mysqld confined by ’/usr/sbin/mysqld (enforce)’
$

To turn off a specific profile, use the aa-complain command, which places the profile in complain mode:

$ sudo aa-complain /usr/sbin/tcpdump
Setting /usr/sbin/tcpdump to complain mode.
$

In complain mode, any violations of the profile will be logged but not blocked. If you want to completely disable an individual profile, use the aa-disable command:

$ sudo aa-disable /usr/sbin/tcpdump
Disabling /usr/sbin/tcpdump.
$

To turn a profile back on, use the aa-enforce command:

$ sudo aa-enforce /usr/sbin/tcpdump
Setting /usr/sbin/tcpdump to enforce mode.
$

While not quite as versatile as SELinux, the AppArmor system provides a basic level of security protection against compromised applications on your Linux system.

Types of User Accounts

While in Linux all user accounts are created the same way using the useradd utility (see Chapter 10), not all user accounts behave the same way. There three basic types of user accounts in Linux:

• Root: The root user account is the main administrator user account on the system. It is identified by being assigned the special user ID value of 0. The root user account has permissions to access all files and directories on the system, regardless of any permission settings assigned.
• Standard: Standard Linux user accounts are used to log into the system and perform standard tasks, such as run desktop applications or shell commands. Standard Linux users normally are assigned a $HOME directory, with permissions to store files and create subdirectories. Standard Linux users cannot access files outside of their $HOME directory unless given permission by the file or directory owner. Most Linux distributions assign standard user accounts user IDs over 1000.
• Service: Service Linux user accounts are used for applications that start in the background, such as network services like the Apache web server or MySQL database server. By setting the password value in the shadow file to an asterisk, these user accounts are restricted so that they cannot log into the system. Also, the login shell defined in the /etc/passwd file is set to the nologin value to prevent access to a command shell. Service accounts normally have a user ID less than 1000.

Escalating Privileges

While the root user account has full access to the entire Linux system, it’s generally considered a bad practice to log in as the root user account to perform system-related activities. There’s no accountability for who logs in with the root user account, and providing the root user account password to multiple people in an organization can be dangerous.

Instead, most Linux administrators use privilege escalation to allow their standard Linux user account to run programs with the root administrator privileges. This is done using three different programs:

• su: The su command is short for substitute user. It allows a standard user account to run commands as another user account, including the root user account. To run the su command, the standard user must provide the password for the substitute user account. While this solves the problem of knowing who is performing the administrator task, it doesn’t solve the problem of multiple people knowing the root user account password.
• sudo: The sudo command is short for substitute user do. It allows a standard user account to run any command as another user account, including the root user account. The sudo command prompts the user for their own password to validate who they are.
• sudoedit: The sudoedit command allows a standard user to open a file in a text editor with privileges of another user account, including the root user account. The sudoedit command also prompts the user for their own password to validate who they are.

While the su command is somewhat self-explanatory, the sudo and sudoedit commands can be a bit confusing. Running a command with administrator privileges by supplying your own user password seems a bit odd.

Each Linux system uses a file that defines which users are allowed to run the sudo command, usually located at /etc/sudoers. The sudoers file contains not only a list of user accounts, but also groups whose users are allowed administrator privileges. There are two common user groups that are used for these privileges. Debian-based distributions use the sudo group, and Red Hat–based distributions use the wheel group (short for big wheel).