SLIDE 1

SWEN-331: Engineering Secure Software Benjamin S Meyers

Linux File Permissions

Engineering Secure Software

Last Revised: August 26, 2020

SLIDE 2

Review: Principle of Least Privilege

  • Every user, thread, process, module needs permissions to run
  • Give the least amount of privilege necessary to function
  • Dangers of sudo
  • e.g. secretary vs. custodian vs. salesperson vs. developer

SLIDE 3

Linux File Permissions

  • Each file and directory has bits for:
      ○ Read: r
      ○ Write: w
      ○ Execute: x
  • Bits work like you expect for files
  • For directories:
      ○ r → “can list files in a directory” (but not read a given file)
      ○ w → “can create, change, delete files in a directory”
      ○ x → “can cd (change directory) to that directory”

SLIDE 4

Linux File Permissions

  • Thus, you may only read a file IFF you:
      ○ Have read (r) permissions to the file AND
      ○ Have execute (x) permissions to that file’s directory
  • Files and directories have 3 levels of permissions:
      ○ Owner, Group, and Everyone Else
      ○ aka: User (u), Group (g), Other (o)

SLIDE 5

Output of ls

  • List permissions of a file/directory: ls -l

    permissions         user  group          file/dir name
    drwxr-x---   [...]  kal   faculty  [...]  .
    drwx------   [...]  kal   faculty  [...]  ..
    -rwxrwxrwx   [...]  kal   faculty  [...]  allopen.sh
    drwx------   [...]  kal   faculty  [...]  mydir
    -rw-------   [...]  kal   faculty  [...]  myfile.txt
    -rwx------   [...]  kal   faculty  [...]  myprog.py
    drwxrwx---   [...]  kal   faculty  [...]  ourdir
    -rwxrwx---   [...]  andy  faculty  [...]  ourprog.rb

SLIDE 6

Output of ls

  • . (one dot) → current directory
  • .. (two dots) → parent directory

SLIDE 7

Output of ls

  • d → directory
  • - → regular file
  • l → symlink (that’s a lowercase “L”, not the number “1”)

SLIDE 8

Output of ls

  • Octets
      ○ user/owner permissions
      ○ group permissions
      ○ other permissions

SLIDE 9

Output of ls

  • Can andy execute myprog.py?

SLIDE 10

Output of ls

  • Can andy execute myprog.py?

      ○ No, andy is not the owner of myprog.py, and the faculty group (which andy is a member of) does not have permission to execute (x) myprog.py

SLIDE 11

Output of ls

  • Can both kal and andy execute ourprog.rb?

SLIDE 12

Output of ls

  • Can both kal and andy execute ourprog.rb?

      ○ Yes, everyone in the faculty group can execute (x) ourprog.rb

SLIDE 13

Output of ls

  • Can andy read ourprog.rb?

SLIDE 14

Output of ls

  • Can andy read ourprog.rb?

      ○ Yes, because andy has read (r) permissions to ourprog.rb and execute (x) permissions to ourprog.rb’s parent directory

SLIDE 15

Output of ls

  • Can andy change directory (cd) into mydir?

SLIDE 16

Output of ls

  • Can andy change directory (cd) into mydir?

      ○ No, because the faculty group (which andy is a member of) does not have execute (x) permissions for mydir

SLIDE 17

Output of ls

  • Can jane (member of the student group) read ourprog.rb?

SLIDE 18

Output of ls

  • Can jane (member of the student group) read ourprog.rb?

      ○ Yes, if the student group is a member of the faculty group
      ○ Otherwise, no
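
The decision procedure behind the answers on the preceding slides, as an added example that is not part of the original deck: a POSIX shell model of owner/group/other selection plus the directory search check, run over a constructed copy of the listing. It assumes "." is the directory that holds every entry and ignores root and ACLs; `allowed`, `can_access` and `answer` are names made up for this example.

```sh
#!/bin/sh
# Constructed copy of the slides' listing, one "mode owner group name" row per line.
LISTING='drwxr-x--- kal faculty .
-rwxrwxrwx kal faculty allopen.sh
drwx------ kal faculty mydir
-rw------- kal faculty myfile.txt
-rwx------ kal faculty myprog.py
drwxrwx--- kal faculty ourdir
-rwxrwx--- andy faculty ourprog.rb'

# allowed USER "GROUPS" PERM NAME -> status 0 if USER holds PERM (r, w or x) on NAME.
# Exactly one triad applies: owner if USER owns the entry, else group if USER is
# in the entry's group, else other. The triads are never combined.
allowed() (
  user=$1 grps=$2 perm=$3 name=$4
  entry=$(printf '%s\n' "$LISTING" | awk -v n="$name" '$4 == n { print $1, $2, $3 }')
  [ -n "$entry" ] || exit 2            # name is not in the listing
  set -- $entry
  mode=$1 owner=$2 group=$3
  if [ "$user" = "$owner" ]; then
    cols=2-4
  else
    case " $grps " in
      *" $group "*) cols=5-7 ;;
      *)            cols=8-10 ;;
    esac
  fi
  triad=$(printf '%s' "$mode" | cut -c"$cols")
  case "$triad" in *"$perm"*) exit 0 ;; *) exit 1 ;; esac
)

# can_access USER "GROUPS" PERM NAME -> like allowed, but also requires search (x)
# on ".", the directory that holds every entry in the listing.
can_access() (
  allowed "$1" "$2" x . && allowed "$1" "$2" "$3" "$4"
)

answer() { if can_access "$@"; then echo yes; else echo no; fi; }

# The slides' questions, answered by the model.
echo "andy execute myprog.py:  $(answer andy faculty x myprog.py)"
echo "kal execute ourprog.rb:  $(answer kal faculty x ourprog.rb)"
echo "andy read ourprog.rb:    $(answer andy faculty r ourprog.rb)"
echo "andy cd mydir:           $(answer andy faculty x mydir)"
echo "jane read ourprog.rb:    $(answer jane student r ourprog.rb)"
```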

SLIDE 19

Changing Permissions w/ chmod

  • chmod <options> <file/dir name>
      ○ Set (=), add (+), remove (-)
      ○ Set user to rw, not x: chmod u=rw .
      ○ Set user, groups to only w: chmod ug=w .
      ○ Set user, groups to rx, recursively: chmod -R ug=rx .
      ○ Add “groups can rw”: chmod g+rw .
      ○ Add “everyone can read”: chmod a+r .
      ○ Remove “group can write”: chmod g-w .

SLIDE 20

Changing Permissions w/ chmod

  • Octal notation
      ○ e.g. chmod 755 file.txt
      ○ Good for setting, not adding/removing
      ○ 1, 2, 3 are seldom used for files

    rwx   binary   decimal
    ---   000      0
    --x   001      1
    -w-   010      2
    -wx   011      3
    r--   100      4
    r-x   101      5
    rw-   110      6
    rwx   111      7

SLIDE 21

Default Permissions (umask)

  • When a file is created…
      ○ User mask (umask) is consulted for permissions
      ○ Owner = user that created the file
      ○ The resulting default permission C = (P & ~Q), where:
          ■ Q is the mask and P is 666 for files and 777 for directories
          ■ e.g. if mask is 077, a file’s permission C = 666 & ~(077) = 600 or -rw-------
      ○ Or subtract octally, “digit by digit”
          ■ Tricky when the mask has a 7 in it
          ■ e.g. if mask is 022, a directory’s permission C = 777-022=755 or drwxr-xr-x
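
The two umask calculations above side by side, as an added example that is not part of the original deck: `default_mode` applies C = P & ~Q, `subtract_digits` applies the digit-by-digit shortcut, and `observed_mode` creates a real file or directory under the mask in a scratch directory. It goes one step beyond the slide by including mask 033, where the shortcut gives a wrong answer without any digit going negative; the function names are made up for this example, and `mktemp -d` is assumed to be available.

```sh
#!/bin/sh
# default_mode MASK KIND -> octal mode of a new file or directory: C = P & ~Q,
# with P = 666 for files and 777 for directories (KIND is "file" or "dir").
default_mode() (
  case "$2" in dir) p=0777 ;; *) p=0666 ;; esac
  printf '%03o\n' $(( $p & ~0$1 ))
)

# subtract_digits MASK KIND -> the "digit by digit" shortcut. Prints "invalid"
# when a digit would go negative (the "7 in the mask" case on files).
subtract_digits() (
  case "$2" in dir) p=777 ;; *) p=666 ;; esac
  out=
  for i in 1 2 3; do
    d=$(( $(printf '%s' "$p" | cut -c"$i") - $(printf '%s' "$1" | cut -c"$i") ))
    [ "$d" -ge 0 ] || { echo invalid; exit 0; }
    out=$out$d
  done
  echo "$out"
)

# observed_mode MASK KIND -> mode string that ls reports for an object really
# created under that umask (first 10 columns of ls -ld).
observed_mode() (
  tmp=$(mktemp -d) || exit 1
  umask "0$1"
  if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
  ls -ld "$tmp/new" | cut -c1-10
  rm -rf "$tmp"
)

# 077/file and 022/dir are the slide's cases; 033/file is a constructed extra.
for c in "077 file" "022 dir" "033 file"; do
  set -- $c
  echo "umask $1 $2: mask=$(default_mode "$1" "$2")" \
       "subtract=$(subtract_digits "$1" "$2") real=$(observed_mode "$1" "$2")"
done
```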

SLIDE 22

Default Permissions (umask)

  • nitron.se.rit.edu default: rw------- (or 077)
  • Common default: rw-r--r-- (or 022)
  • Common umask for shared group stuff: rw-rw---- (or 007)
  • Programs can change their own umask

      ○ Blessing for good developers, but a curse for system admins

  • Why is this evil? chmod -R 777 /

SLIDE 23

Executing as Users

  • Normally, when executing
      ○ OS ignores the owner of the program file
      ○ Runs the program as you (assuming you have permission)
      ○ e.g. prog.sh owned by root gets run as you
  • This allows for root to have files that cannot be modified, but can be executed
      ○ e.g. passwd (change password) should not be tampered with
  • sudo: execute this program as root user (“superuser do”)
      ○ e.g. sudo /etc/init.d/apache start
  • su: change the current user to someone else

SLIDE 24

File Permissions in Windows

  • Windows file permissions are handled by the Operating System
      ○ Users and groups
      ○ Read, write, execute
      ○ Privilege escalation

Source: https://www.howtogeek.com
Source: https://helpdeskgeek.com/
Source: https://www.raymond.cc/blog/

SLIDE 25

setuid and setgid

  • Set special user and group ID bits on files
      ○ chmod ug+s ./prog.sh
      ○ “Execute as the owner’s rights, not as the executing user’s rights” (assuming you have permission to execute it)
  • Files owned by root with setuid are highly risky
      ○ Arbitrary code execution vulnerability? Executing as root.
      ○ App developers should almost never use this
      ○ OS commands have a lot of these (e.g. passwd is owned by root with setuid)
  • Repudiation (auditability) becomes a major threat with setuid and setgid

SLIDE 26

setuid and setgid

  • Set special user and group ID bits on directories
      ○ setuid on directories is ignored in Linux
      ○ setgid means new files inherit the group ID
  • Sticky bit
      ○ Only a file’s owner, the owner of the file’s directory, or root can delete the file
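
A defender's check for the modes these slides warn about (setuid and setgid files, what chmod 777 leaves behind, and world-writable directories without the sticky bit), as an added example that is not part of the original deck. The finding tags, the function names and the scratch tree are constructed for this example, and `mktemp -d` is assumed to be available.

```sh
#!/bin/sh
# audit_perms ROOT -> one finding per line, "<TAG> <path>", for the risky modes
# the slides name. Tags are labels chosen for this example.
audit_perms() (
  root=$1
  # setuid/setgid programs run with the owner's or group's rights.
  find "$root" -type f -perm -4000 2>/dev/null | sed 's/^/SETUID /'
  find "$root" -type f -perm -2000 2>/dev/null | sed 's/^/SETGID /'
  # What chmod 777 leaves behind: files that any user can rewrite.
  find "$root" -type f -perm -0002 2>/dev/null | sed 's/^/WORLD_WRITABLE_FILE /'
  # World-writable directory without the sticky bit: any user can delete or
  # replace other users' files in it.
  find "$root" -type d -perm -0002 ! -perm -1000 2>/dev/null |
    sed 's/^/OPEN_DIR_NO_STICKY /'
)

# make_sample_tree -> path of a scratch tree with constructed modes to audit.
make_sample_tree() (
  t=$(mktemp -d) || exit 1
  : > "$t/helper";  chmod 4755 "$t/helper"    # setuid program
  : > "$t/notes";   chmod 600  "$t/notes"     # private file, no finding
  : > "$t/open.sh"; chmod 777  "$t/open.sh"   # world-writable file
  mkdir "$t/drop";  chmod 777  "$t/drop"      # world-writable, no sticky bit
  mkdir "$t/tmp";   chmod 1777 "$t/tmp"       # sticky, like /tmp: no finding
  printf '%s\n' "$t"
)

tree=$(make_sample_tree)
audit_perms "$tree"
rm -rf "$tree"
```

On a real system, review the SETUID lines against the distribution's expected set (passwd is one, as the slides note) and treat anything outside it as a finding to explain.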

SLIDE 27

Example

    larry $ umask 007
    larry $ mkdir dir
    larry $ touch dir/file.sh
    larry $ ls -l dir/
    drwx------ [...] larry stooges [...] .  → ./dir
    drwx------ [...] larry stooges [...] .. → ./dir/..
    -rw------- [...] larry stooges [...] file.sh
    larry $ ./dir/file.sh
    bash: ./dir/file.sh: Permission denied
    larry $ chmod -R ug+x .
    curly $ ./dir/file.sh
    [Success!]
    curly $ ls -l ./dir
    bash: ./dir/: Permission denied

SLIDE 28

Example

  • curly can execute because of ug+x
  • curly can’t ls because he doesn’t have read access on ./dir

SLIDE 29

Beware of sudo

  • “He sees you when you’re sleeping, he knows when you’re awake, he’s copied on /var/spool/mail/root, so be good for goodness’ sake!”

Source: https://xkcd.com/838/