Robbie’s Notes on File System Security in Linux (and comparison to Windows NT)

2012年4月6日
mode: rwx for [ user, group, others ]
object: directory or file
special modes: t for directory

When applying rwx to a file, they mean: r – whether the (binary) contents of the file can be read; w – whether the contents of the file can be changed; x – whether the file can be executed (how it can be executed is based on its content; for example, a script file can be executed by launching the script interpreter, if it specifies the interpreter as a comment line; a binary executable file of format a.out or ELF can be loaded by the operating system).

When applying rwx to a directory, they mean: r – whether the directory can be listed; w – whether the list of directory entries (for example creating or deleting a file) and the attributes of the entries can be modified (for example changing the date of a file); x – whether the directory entry attributes can be read. Note that if a directory has rw but not x, you can see what files/ directories are in there (list), but any file or directory in it cannot be read/ written/ executed (as if their permission cannot be determined), and their attributes can neither be read/ written.

A user can belong to multiple groups. For convenience, modern Linux usually creates a user-private group for the user with the same name as the user name, and this group is the default group for the user. The line of the group in the /etc/group file shows the default group. When logged-in to a new group, all newly-created files will be have the new group as the group owner.

No matter whether the current user is logged-in to a group or not, all files modifiable by a group the user belongs can be modified by the user. For example, if user “sarah” logged in to “sarah” group, if she also belongs to the “adm” group, she can still change files that can be changed by “adm” group.

Compared to Windows NT series (especially 5.0 and up), which have access control list, the file permission security model seems to be naive (remember SELinux supports access control list too), but considering the concept that one user can belong to multiple groups, it is still possible to share files between different users by creating a group for them.

The sticky bit “t”, when applied to a directory, makes that files can only be renamed or unlinked by owner or root. (http://en.wikipedia.org/wiki/Sticky_bit) As I tried, if one directory owned by root:root, with o=rwt, then all users can write to it, but user1 cannot delete user2’s file, and this is true even if the group owner of the file is a group containing user1, and g=rw-.

Command id shows the current logged-in user, group and all groups the user belongs. It also lists the default group first among all the possible groups.

Command newgrp allows logging in to another group to which the current user belongs.

Command umask is a shell internal command. It shows the default file creation mask. The mask consists of 4 octadecimal digits, and is used as follows (TODO what’s the meaning of the first digit?): the second to the fourth digits are for user, group, others respectively. The default file permission for a role bitwise-and “bitwise-not the mask” will be the permission for the file. In bash, use “umask -S” to print it in a more descriptive symbolic form. Usually for a normal user the umask value is 0002, and for the root user it is 0022.

Command chown and chgrp can be used to change the ownership of a file. chown can change the user and group owners at the same time, using the format “chown <user>:<group> <file>”. For a normal user, the permission required to change a file is that the file is owned by the login user or the group of the login user, and the target user can only be him/herself, and the target group can only be one to which he/she belongs. For root, usually ownership of any file and any user/ group can be changed.

Note: one difference between user ownership and group ownership is that, if a file is owned by the login user, chown can change its ownership even if the file is read-only to the user; if a file is owned by a group of the login user, but not owned by the user, and if it’s read-only to the group, then chown can’t change the ownership.

Note: commands chmod, chown and chgrp have “-R” option, which changes permissions recursively.

Compared to Windows NT behavior, the copy command in Windows has different behavior than the cp command in linux regarding file security. In Windows NT, when using “copy” command to copy a file into a directory, the target file will have the permission inherited from the directory (this is like creating a new file). In Linux, cp command creates the target file also like creating a regular file, having the ownership of the user and permissions of the user. The difference is that the ownership in Linux determines the permissions, while in NT the parent directory ACL determines the permissions.

Compared to Windows NT behavior, the ownership in Linux has two levels, while in NT the ownership has only one level (owned by either a user or a group). ACL defines permissions, and ownership means potential full access to the file (because with ownership the user can change file permissions). Another difference is that if a file is read-only to a user, and the containing directory is not owned by the user, and the user doesn’t have “full control or change permission” permissions to the directory, then the user cannot modify the contents of the file or delete the file, while in Linux the directory permission should have the sticky bit to prevent the user from deleting the file.

Tags:

留下您的评论