
84-01-17

UNIX File System Security: Part 1

Douglas G. Conorich

Payoff

The most important issue facing the UNIX system security administrator is understanding the key security issues surrounding the UNIX file system. The UNIX file system has built-in security features and utilities that can either enhance file security or create areas of exposure, depending on how they are set. The file permission bits are the final line of defense, allowing the user to control the type of access (e.g., read, write, and execute) users can have to files and directories. This article, the first in a two-part series, examines how file permissions are set and their impact on security; specific controls and monitoring techniques are discussed. The second article in this series will address how to mitigate the risks associated with startup files; it will also discuss the appropriate controls for such special files as device and link files and describe how to use a checklist file to monitor changes to files.

Introduction

All information pertaining to a UNIX data file, with the exception of the file name, is kept in the information node (i-node). The i-node contains the file's permissions, link count, ownership, size, and the a-time, m-time, and c-time of the file. (The a-time is the last time the file was read; the m-time is the last time the file's contents were written or modified; and the c-time is the last time the i-node itself was written or modified, as happens when the permissions or ownership change.) Each i-node is distinguished by a unique number called the i-node number. The i-node numbers range from 2 (the root i-node) to 65535. The i-node acts as a pointer to the actual file data. A directory is a special type of file that contains a listing of i-node numbers and their related file names. Directories have their own set of permission bits and their own i-node number. The directory provides the link between the file name and the i-node number.
File Permissions

Each file and directory has two bytes allocated to it that hold the file type and permissions. These sixteen bits are divided into octals (i.e., sets of three bits whose additive value ranges from 0 to 7), arranged as shown in Exhibit 1. The extra (sixteenth) bit and the high-order (fifth) octal determine the file type (e.g., ordinary file, directory, character device, block device, socket, named pipe, or link). The next octal (the fourth) grants increased permissions to the file (the set-user-id, set-group-id, and sticky bits). The last three octals determine the access permissions: the third, second, and first octals set the permissions for the user (i.e., the owner), the group, and all others (i.e., the world), respectively. A mode written in octal, such as 4755, therefore reads from left to right as the fourth octal (here set-user-id), then the owner, group, and world permissions.

File Permission Bit Structure

There are three permissions for each of the three user classes (user, group, and world) on each file and directory:

· r (read). This permission bit allows the file to be accessed or copied. In the case of a directory, this permission bit allows the names of the files in the directory to be listed.

· w (write). This permission bit allows the file contents to be modified. For a file to be created, deleted, or renamed, the write permission must be set on the parent directory; write permission on the file itself is not required for deletion or renaming.

· x (execute). This permission bit allows the file or directory to be executed. Programs contained in the file can be run. Binary files (e.g., compiled programs) require only the execute bit to be set. Other programs, such as shell scripts, must also have the read permission bit set to run, because the shell under which the program is running must read the program in order to run it. The execute permission allows a directory to be accessed (e.g., to search the directory for a named entry). Without this permission set, the user cannot change into the directory or open the files within it. (It should be noted that for directories, the read permission bit allows the file names to be visible and the execute bit makes the files accessible.)
Special features may be given to a file or directory by setting the bits in the fourth octal:

· suid (set-user-id). With this permission bit set, the user executing the file gains the permissions of the owner of the file, allowing users to execute programs they would not normally have the privilege to run. While running the program, the user's effective ID is that of the owner of the file. For this reason, it is extremely important that the program cannot execute a shell (i.e., a shell escape). If the person shell escapes, they retain the effective ID of the suid program. If the owner of the program is root, a shell escape could lead to a devastating breach of the integrity of the system and data. Examples of suid programs are passwd, mail, and ps. The suid bit has no meaning for files that are not executable or for directories.

· sgid (set-group-id). As with the suid bit, the user executing the file gains the permissions of the group associated with the file. The sgid bit has no meaning for files that are not executable. SunOS gives special meaning to the sgid bit set on directories. Under the System V rules, a file created in a directory is assigned the group ID of the creating user, as defined in the /etc/passwd file. The UNIX Berkeley Software Distribution (BSD) method assigns the group ID of the directory in which the file is created. Without the sgid bit set, the group is assigned in accordance with the UNIX System V mechanism; with the sgid bit set, the BSD mechanism is used.

· sticky bit. With the sticky bit set on an executable, the text image of the binary remains in memory (or swap) after the program exits. The sticky bit was designed to increase the performance of commonly called binaries: with the text image already in memory, the program starts up more quickly in subsequent executions. Problems can be encountered if too many files are sticky; memory or swap space could be filled with overuse.
Since directories are not executable (they are only read into memory when listed or searched), retaining them in memory has no purpose. SunOS and System V versions of UNIX have therefore given the sticky bit a different meaning on directories. If the sticky bit is set on a directory that is group- or world-writable, a user may move or remove only the files he or she owns; the owner of the directory and root are not restricted. This gives more security to directories, such as /tmp, that must be writable by all.

The fifth octal and the extra bit determine the file type. A dash (-) is used to designate an ordinary file. The d designator shows that a file is a directory. The b, c, s, and p designators are used with special files; they represent block devices, character devices, sockets, and named pipes (FIFOs), respectively. An l designates a symbolic link.

Listing Directories

The ls command is used to list the contents of directories. The ls command can be executed with several options to produce various outputs. Typing ls without arguments creates a listing of only the file names, as shown in this example:

$ ls /usr/doug
BART         chicken      lock.c   thirty_days
FILES        craker_pgm   policy   tmp
appendix_d   holes        pwage
check_files  lock         pwage.c

The -i argument lists the files and their i-node numbers, as shown here:

$ ls -i /usr/doug
23564 BART         23577 craker_pgm   23593 pwage
23591 FILES        23574 holes        23589 pwage.c
23587 appendix_d   23586 lock         23595 thirty_days
23575 check_files  23576 lock.c
23579 chicken      23598 policy

To produce a long listing of the directory, add the -l argument. A -a can be used to print all the files, including those that would normally be hidden (dot files, so named because of the leading dot). Some systems include the group name in the long listing; other versions of UNIX require the use of a -g argument.

$ ls -lag /usr/doug
total 256
drwx--x--x   5 doug   201    1024 Mar 28 06:39 .
drwxr-sr-x  20 root   201    1536 Mar 19 17:01 ..
-rw-------   1 doug   doug    148 Mar 28 06:39 .Xauthority
-rw-r--r--   1 doug   doug    217 Jun 30  1992 .cshrc
-rw-r--r--   1 doug   doug    294 Nov 18 21:49 .login
-rw-r--r--   1 doug   201     900 Oct 22 16:22 .mailrc
-rw-r--r--   1 doug   doug    186 May 18  1992 .profile
-rw-r--r--   1 doug   201      12 Sep  3  1992 .rhosts
drwxr-xr-x  11 doug   201     512 Feb 25 16:45 .wastebasket
-r--------   1 doug   kmem     44 Mar 28 06:39 .xnews.tiger:0
-rw-r--r--   1 doug   doug    790 May 22  1992 BART
-rw-r--r--   1 doug   201    5527 Mar 28 02:58 FILES
-rw-r--r--   1 doug   201    3007 Oct 13 12:34 appendix_d
-rw-r--r--   1 doug   201    2363 Aug 25  1992 check_files
-rw-r--r--   1 doug   201    1253 Sep  4  1992 chicken
-rw-r--r--   1 doug   201    4446 Aug 25  1992 craker_pgm
-rwsr-xr-x   1 root   201    1420 Aug 25  1992 holes
-rwxr-xr-x   1 doug   201   24576 Sep 21  1992 lock
-rw-r--r--   1 doug   201     818 Sep 21  1992 lock.c
-rw-r--r--   1 doug   201   54757 Aug 12  1992 policy
-rwxr-xr-x   1 doug   201   24576 Sep 29 15:36 pwage
-rw-r--r--   1 doug   201     941 Oct 22 16:16 pwage.c
-rwxr-xr-x   1 root   201     244 Dec 18 15:59 thirty_days

The file type and permissions are displayed in the first field, followed by the number of links to the file, the file owner, the file's group, the file size, the date and time of the last modification, and the file name. In the listing above, holes is a set-user-id program owned by root (the s in the owner's execute position), which is exactly the kind of file that deserves the scrutiny described in the discussion of the suid bit.
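As an added example (not from the original article), the following Python parses lines in the format of the ls -lag output above and flags the exposures this article describes: set-user-id and set-group-id executables (reporting the owner, so root-owned ones such as holes stand out), set-uid or set-gid bits on files that are not executable, world-writable files, and group- or world-writable directories that lack the sticky bit. The first sample lines are taken from the listing above; the lines marked constructed are made up here to exercise the remaining checks.

```python
"""Audit a long directory listing for the exposures the article describes.

Added example, not code from the original article. It parses lines in the
format of the "ls -lag" output above and reports set-uid/set-gid executables,
world-writable files, and group- or world-writable directories without the
sticky bit.
"""

# Sample input: entries copied from the article's listing, one per line.
SAMPLE_LISTING = """\
total 256
drwx--x--x   5 doug   201    1024 Mar 28 06:39 .
drwxr-sr-x  20 root   201    1536 Mar 19 17:01 ..
-rw-------   1 doug   doug    148 Mar 28 06:39 .Xauthority
-rw-r--r--   1 doug   201      12 Sep  3  1992 .rhosts
-r--------   1 doug   kmem     44 Mar 28 06:39 .xnews.tiger:0
-rwsr-xr-x   1 root   201    1420 Aug 25  1992 holes
-rwxr-xr-x   1 doug   201   24576 Sep 21  1992 lock
-rwxr-xr-x   1 root   201     244 Dec 18 15:59 thirty_days
"""

# Constructed lines (not in the article) that exercise the remaining checks.
EXTRA_LINES = """\
drwxrwxrwx   2 root   201     512 Jan  1 12:00 dropbox
drwxrwxrwt   2 root   201     512 Jan  1 12:00 tmp
-rw-rw-rw-   1 doug   201     100 Jan  1 12:00 notes
-rwSr--r--   1 root   201    2048 Jan  1 12:00 broken_suid
"""


def parse_ls_line(line):
    """Split one "ls -lag" line into a dict of its fields.

    Returns None for the "total" header or anything that does not fit the
    format. The name is everything after the eighth field, so names with
    embedded spaces survive intact.
    """
    fields = line.split(None, 8)
    if len(fields) != 9 or len(fields[0]) != 10:
        return None
    perms, links, owner, group, size, _month, _day, _time, name = fields
    return {"perms": perms, "links": int(links), "owner": owner,
            "group": group, "size": int(size), "name": name}


def audit_entry(entry):
    """Return a list of findings for one entry; an empty list means no concern."""
    p = entry["perms"]
    # Column layout: [0] type, [1-3] user rwx, [4-6] group rwx, [7-9] world rwx.
    ftype, user_x, group_x, other_w, other_x = p[0], p[3], p[6], p[8], p[9]
    findings = []
    if ftype == "-":
        for slot, label in ((user_x, "set-uid"), (group_x, "set-gid")):
            if slot == "s":
                findings.append(f"{label} executable owned by {entry['owner']}")
            elif slot == "S":
                # Special bit present but execute bit absent: a misconfiguration.
                findings.append(f"{label} bit set but not executable")
        if other_w == "w":
            findings.append("world-writable file")
    elif ftype == "d":
        writable = "w" in (p[5], p[8])      # group or world write
        sticky = other_x in "tT"
        if writable and not sticky:
            findings.append("group/world-writable directory without sticky bit")
    return findings


def audit_listing(text):
    """Map entry name -> findings for every flagged entry in a listing."""
    report = {}
    for line in text.splitlines():
        entry = parse_ls_line(line)
        if entry is None:
            continue
        findings = audit_entry(entry)
        if findings:
            report[entry["name"]] = findings
    return report


if __name__ == "__main__":
    for name, problems in audit_listing(SAMPLE_LISTING + EXTRA_LINES).items():
        print(f"{name}: {'; '.join(problems)}")
```

Run against the combined sample, the report names holes (set-uid root), notes (world-writable), dropbox (writable directory without the sticky bit) and broken_suid (set-uid bit without execute), while tmp passes because its sticky bit is set. The same logic applies to the output of ls -lagR over a whole tree or, on systems where ls formats differently, to whatever fields find -ls prints.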