
Attributes & Permissions

We will next look at how the filesystem influences the security of a system. Nearly all of the following discussion will concentrate on the metadata that a filesystem contains: the permissions, timestamps, and access control attributes.

The ls Command

You can use the ls command to list all of the files in a directory. For instance, to list all of the files in your current directory along with some metadata:

# ls -alF
total 44
drwxr-xr-x  15 grossman staff  1024 Feb 14 09:34 ./
drwxr-xr-x   3 root     root    512 Feb  2 13:57 ../
-rw-------   1 grossman staff     0 Feb 14 09:34 .ICEauthority
-rw-------   1 grossman staff   101 Feb 14 09:19 .Xauthority
drwxr-xr-x   9 grossman staff   512 Feb 14 09:19 .dt/
-rwxr-xr-x   1 grossman staff  5111 Feb  9 11:28 .dtprofile*
drwx------   4 grossman staff   512 Feb 14 09:19 .gconf/
drwx------   2 grossman staff   512 Feb 14 09:34 .gconfd/
drwx------   4 grossman staff   512 Feb  9 11:28 .gnome/
drwx------   7 grossman staff   512 Feb 14 09:34 .gnome2/
drwx------   2 grossman staff   512 Feb  9 11:28 .gnome2_private/
-rw-r--r--   1 grossman staff    94 Feb  9 11:28 .gtkrc-1.2-gnome2
drwxr-xr-x   2 grossman staff   512 Feb 14 09:34 .icons/
drwx------   3 grossman staff   512 Feb  9 11:28 .metacity/
drwx------   4 grossman staff   512 Feb 14 09:34 .mozilla/
drwxr-xr-x   3 grossman staff   512 Feb  9 11:28 .nautilus/
-rw-------   1 grossman staff     0 Feb  9 11:28 .recently-used
drwxr-xr-x   3 grossman staff   512 Feb  9 11:28 .softwareupdate/
drwxr-xr-x   2 grossman staff   512 Feb  9 11:28 Desktop/
drwxr-xr-x   2 grossman staff   512 Feb  9 11:28 Documents/

Let’s take a look at some of the entries:

The following table describes the output and its meaning:

Field Contents   Meaning
- | d            The file’s type: - for regular files and d for directories
rwxr-xr-x        The file’s permissions
2                The number of “hard” links to the file, i.e. the number of “names” for the file
grossman         The name of the file’s owner
staff            The name of the file’s group
512              The file’s size in bytes
Feb 9 11:28      The file’s modification time
Desktop/         The file’s name

The -F option also gives meaning to the output as described below:

Symbol    Meaning
(blank)   Regular file
*         The file has the execute bit set, typical of executable programs or command files
/         Directory
@         Symbolic link

File Times

The times shown with the ls -l command are the modification times of the file contents, frequently called the file’s mtime. You can obtain the time of last access, the atime, by providing the -u option, e.g. ls -lu. These times are automatically updated by the UNIX operating system.

Knowing when a file was last modified or accessed can be important in many circumstances. For example, if a person has been using your account, you can look at the mtimes of the files to infer which files the person modified. Unfortunately, the mtime and atime cannot strictly be trusted, because they can be changed by the file’s owner or the superuser by calling a function called utimes() within the UNIX kernel. This function exists so that archive programs such as unzip can restore a file’s modification time in addition to its contents. Additionally, the times reflect the system clock at the time of access or modification, so if the clock is incorrect or is changed, the times may not be accurate.

Because a file’s mtime and atime cannot be trusted, system administrators and security professionals need to be in the habit of checking the change time, ctime, using the ls -c option, e.g. ls -lc. As with the mtime and the atime, the ctime is automatically updated by the operating system whenever a change is made to the inode of the file. However, unlike with mtime and atime, unprivileged users cannot change a file’s ctime. The ctime reflects the time of last writing, protection change, or change of owner. An attacker may change the mtime or atime of a file, but the ctime will usually be correct.
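The behaviour described above can be checked directly. The following is an added example, not part of the original page: it backdates a constructed temporary file through os.utime() (Python's wrapper for the utimes family of calls) and shows that the ctime still records when the change was made. The function names are hypothetical, and a POSIX system is assumed, where st_ctime is the inode change time.

```python
import os
import tempfile
import time

DAY = 86400

def stat_times(path):
    """Return (atime, mtime, ctime) as the kernel reports them for path."""
    st = os.stat(path)
    return st.st_atime, st.st_mtime, st.st_ctime

def backdate(path, days):
    """Set atime and mtime `days` into the past, as the file's owner is allowed to do."""
    old = int(time.time()) - days * DAY
    os.utime(path, (old, old))
    return old

def ctime_after_mtime(path, slack=2.0):
    """True when the inode changed more than `slack` seconds after the recorded mtime.

    This is a lead, not proof of tampering: chmod, chown, rename and archive
    extraction also move the ctime past the mtime.
    """
    _, mtime, ctime = stat_times(path)
    return ctime - mtime > slack

def backdating_demo():
    """Constructed sample: create a file, backdate it, report what the times show."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed sample data\n")
        os.close(fd)
        fresh = ctime_after_mtime(path)   # just written: mtime and ctime agree
        old = backdate(path, 30)
        _, mtime, ctime = stat_times(path)
        return {
            "fresh_flagged": fresh,
            "mtime_is_backdated": mtime == old,
            "ctime_minus_mtime_days": (ctime - mtime) / DAY,
            "backdated_flagged": ctime_after_mtime(path),
        }
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(backdating_demo())
```
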

How might an attacker change the ctime?

- r w x r - x r - -

File permissions do not apply to symbolic links. Whether you can read the contents of a file pointed to by a symbolic link depends on that file’s permissions, not the link’s permissions. In fact, symbolic links are almost always created with a file permission of “rwxrwxrwx”. These file permissions are then ignored by the operating system.

Note: You can have execute access without having read access.

If you have read access but not execute access, you can then make a copy of the file and run it for yourself.

It is a good idea for an executable script to have both its read bit and its execute bit set so that it can be run.

On Solaris systems, there may be an additional character following the permissions characters:

-rwx--x--x+ 3 grossman staff 24219 May 17 10:42 program

The + symbol indicates that this file has an extended ACL associated with it. An Access Control List (ACL) provides a more comprehensive set of permissions on the file than can be described with the single owner/single group model.

Because file permissions determine who can read and modify the information stored in your files, they are your primary method for protecting the data that you store on your Solaris system.

Directory Permissions

UNIX stores the contents of directories in nodes that are similar to the nodes used for regular files, but they are specially marked so that they can be modified only by the operating system.

As with other files, directories have a full complement of security attributes: owner, group, and world permissions. Because directories are interpreted in a special way, the permission bits have special meaning as described in the following table:

Contents  Permission  Meaning
r         Read        You can use the opendir() and readdir() functions or the ls command to find out which files are in the directory.
w         Write       You can add, rename, or remove entries in that directory.
x         Execute     You can stat the contents of a directory, e.g. you can determine the owners and the lengths of the files in the directory. You also need execute access to a directory to make that directory your current working directory or to access files inside the directory or in any of the directory’s subdirectories.

If you want to prevent other users from reading the contents of your files, you have two choices:

You can set the permission of each file to 0600 so that only you have read/write access.

You can put the files in a directory and set the permission of that directory to 0700, which prevents other users from accessing the files in the directory or in any of the directory’s subdirectories unless there is a link to each file from somewhere else.

Note: You must have execute access for a directory to make it your current working directory via cd or chdir, or to change to any directory contained beneath that directory.

If you do not have execute access to a directory, you cannot access the files within that directory even if you own them.

If you have execute access to a directory but do not have read access, you cannot list the names of files in the directory, i.e. you cannot read the contents of the directory.

To remove a file from a directory, you need to have write and execute access to that directory, but not to the file itself.

If you have read access to a directory but do not have execute access, you can display a short listing of the files in the directory with ls. However, you will not be able to find out anything about the files other than their names and inode numbers (ls -i), because you cannot stat the files. Remember that the directory itself contains only names and inode information.
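The two ways of protecting files described above (0600 on the file, or 0700 on the directory) and the difference between the directory r and x bits can be audited from the mode bits. This is an added example, not part of the original page; the function names and the constructed tree top/private/notes.txt are assumptions, and it evaluates a single path only, so ACLs, the superuser and hard links from elsewhere are not considered.

```python
import os
import shutil
import stat
import tempfile

def other_can_read(path, top):
    """Mode bits only: can a user who is neither owner nor group member read path?

    Requires x for "other" on every directory from top down to the file's
    parent, then r on the file itself.
    """
    path, top = os.path.realpath(path), os.path.realpath(top)
    rel = os.path.relpath(os.path.dirname(path), top)
    current, dirs = top, [top]
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        dirs.append(current)
    for d in dirs:
        if not os.stat(d).st_mode & stat.S_IXOTH:   # no execute (search) access
            return False
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def other_can_list(directory):
    """Mode bits only: can "other" read the names stored in directory (r bit)?"""
    return bool(os.stat(directory).st_mode & stat.S_IROTH)

def permission_demo():
    """Constructed tree top/private/notes.txt, evaluated under four mode settings."""
    top = tempfile.mkdtemp()
    private = os.path.join(top, "private")
    notes = os.path.join(private, "notes.txt")
    os.mkdir(private)
    with open(notes, "w") as f:
        f.write("constructed sample\n")
    os.chmod(top, 0o755)
    results = {}
    for dmode, fmode in [(0o755, 0o644), (0o755, 0o600),
                         (0o700, 0o644), (0o711, 0o644)]:
        os.chmod(private, dmode)
        os.chmod(notes, fmode)
        key = "%04o/%04o" % (dmode, fmode)          # directory mode / file mode
        results[key] = (other_can_read(notes, top), other_can_list(private))
    os.chmod(private, 0o700)
    shutil.rmtree(top)
    return results

if __name__ == "__main__":
    for modes, (readable, listable) in permission_demo().items():
        print(modes, "file readable by others:", readable, "| names listable:", listable)
```

The 0711 case is the one to watch in an audit: others cannot list the directory, yet a file with mode 0644 inside it is still readable by anyone who knows its name.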