Learn basic file access permissions in UNIX

If you use a UNIX or UNIX-like operating system, you need to understand the most basic file-level security management methods.

UNIX is not a single standalone operating system; it is a family of systems descended from the AT&T UNIX developed by Ken Thompson and Dennis Ritchie, with later contributions from Brian Kernighan.

Since then, an official IEEE standard for UNIX-like operating systems, called POSIX, has been developed. The UNIX name is now applied to operating systems that comply with the Single UNIX Specification; the current version of that standard (SUS 3) is very close to the POSIX:2001 standard.

One part of this standard that you can see on any UNIX-like operating system, whether a BSD system or a Linux distribution, is the UNIX file permission system. It defines three classes of principals, each of which can be granted or denied each of three kinds of permission.

The objects (permission classes)

Owner

Each file and directory (a directory is a special kind of file) has an owner. This is the user account with full rights over the file, including the right to change its permissions. The owner may be the root account, a personal user account, or a dedicated account created automatically to run some function of software we have installed. Typically the owner of a file is the account that created it, although a file can later be reassigned to another owner with the chown command.

Group

In addition to the owner, each file has a group. Like the owner account, the group has its own set of permissions on the file. When a file is created, its group is the default group of the account that created it, although the file can later be reassigned to another group with the chgrp command. For files created by the root account, for example, this means the owning group is the wheel group on BSD UNIX systems.

World (others)

This is the last permission class. It covers every account that is neither the owner of the file nor a member of the file's group.

Types of permissions

Permissions in UNIX are built from three binary values:

100. This binary value (decimal 4) grants read, or r, permission to a class. An account with read permission can view the data in the file. An account with read permission on a directory can list the contents of that directory.

10. This binary value (decimal 2) is write, or w, permission. An account with write permission can write data to the file or change it, including deleting the data in it. Similarly, an account with write permission on a directory can change the contents of that directory, for example by creating new files in it.

1. This binary value (decimal 1) is execute, or x, permission. An account with execute permission can run the file, as when running an application. Without execute permission the file cannot be run at all; it is only raw data on the disk. An account with execute permission on a directory can enter that directory and operate on its contents, including viewing data in it, because any access to a directory's contents from outside requires traversing the directory.

These values are combined to form the permission set for one class. For example, combining 100 and 10 gives 110, which grants read and write but not execute. The decimal value of binary 110 is 6.

Displaying and changing permissions

Showing permissions

To check the permissions of a file, use the ls command with the -l option, which displays information including permissions. Running this command on the /etc/periodic directory of a default FreeBSD system gives the following output:
> ls -l /etc/periodic
drwxr-xr-x 2 root wheel 1024 Sep 7 09:10 daily
drwxr-xr-x 2 root wheel 512 Sep 7 09:10 monthly
drwxr-xr-x 2 root wheel 512 Sep 7 09:10 security
drwxr-xr-x 2 root wheel 512 Sep 7 09:10 weekly
The character d at the start of each line indicates that the file is a directory. The remaining permission characters are divided into three groups of three, which give the rights r, w and x for the owner, group and world, in that order. A hyphen in a position means that right is not granted. So for the directories in /etc/periodic, the owner has 111 / 7 / rwx, that is r, w and x, while group and world both have 101 / 5 / r-x, that is r and x.

The root and wheel columns show the owner and group of these files.
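The permission arithmetic and the ls -l layout described above, as an added Python example that is not code from the original article. It converts between the binary values, the octal mode and the rwx triples, parses lines shaped like the listing above (the sample lines are constructed), and models how the kernel picks exactly one class per caller; the function names are this example's own, and root's override of the permission check is deliberately not modelled.

```python
from dataclasses import dataclass

# One class's permission bits, as the page defines them:
# read = 100b (4), write = 10b (2), execute = 1b (1).
READ, WRITE, EXEC = 0b100, 0b010, 0b001


def class_bits_to_symbolic(bits: int) -> str:
    """Render a 3-bit value (0-7) as the rwx triple that ls -l prints."""
    if not 0 <= bits <= 7:
        raise ValueError(f"class bits out of range: {bits}")
    return ("r" if bits & READ else "-") + ("w" if bits & WRITE else "-") + ("x" if bits & EXEC else "-")


def symbolic_to_class_bits(triple: str) -> int:
    """Parse an rwx triple such as 'r-x' back to its value (here 5)."""
    if len(triple) != 3:
        raise ValueError(f"expected three characters, got {triple!r}")
    bits = 0
    for ch, flag, name in zip(triple, (READ, WRITE, EXEC), "rwx"):
        if ch == name or (name == "x" and ch in "st"):
            bits |= flag  # 's'/'t' in the x slot: execute set plus a special bit not covered here
        elif ch != "-" and not (name == "x" and ch in "ST"):
            raise ValueError(f"unexpected character {ch!r} in {triple!r}")
    return bits


def mode_to_symbolic(mode: int) -> str:
    """Render the nine permission bits of a mode (e.g. 0o755) as 'rwxr-xr-x'."""
    return "".join(class_bits_to_symbolic((mode >> shift) & 0o7) for shift in (6, 3, 0))


def symbolic_to_mode(perms: str) -> int:
    """Parse the nine characters after the type (e.g. 'rwxr-xr-x') to 0o755."""
    if len(perms) != 9:
        raise ValueError(f"expected nine characters, got {perms!r}")
    owner, group, world = perms[0:3], perms[3:6], perms[6:9]
    return (symbolic_to_class_bits(owner) << 6) | (symbolic_to_class_bits(group) << 3) | symbolic_to_class_bits(world)


@dataclass(frozen=True)
class LsEntry:
    is_dir: bool
    mode: int
    owner: str
    group: str
    name: str


def parse_ls_line(line: str) -> LsEntry:
    """Parse one `ls -l` line into type, mode, owner, group and name.

    Assumes the default BSD/GNU column layout shown on the page:
    <type+perms> <links> <owner> <group> <size> <month> <day> <time|year> <name>.
    """
    fields = line.split(None, 8)
    if len(fields) != 9:
        raise ValueError(f"not an ls -l line: {line!r}")
    type_and_perms = fields[0]
    return LsEntry(
        is_dir=type_and_perms[0] == "d",
        mode=symbolic_to_mode(type_and_perms[1:10]),
        owner=fields[2],
        group=fields[3],
        name=fields[8],
    )


def effective_class_bits(mode: int, file_uid: int, file_gid: int, uid: int, gid: int, groups=()) -> int:
    """Return the three bits the kernel consults for this caller.

    Exactly one class applies: owner if the uid matches, otherwise group if the
    caller's primary or supplementary groups include the file's group, otherwise
    world. The classes are not unioned, so an owner whose class has no bits is
    denied even when world has rwx. Root's bypass is not modelled here.
    """
    if uid == file_uid:
        return (mode >> 6) & 0o7
    if gid == file_gid or file_gid in groups:
        return (mode >> 3) & 0o7
    return mode & 0o7


def permitted(mode: int, file_uid: int, file_gid: int, uid: int, gid: int, want: int, groups=()) -> bool:
    """True if the caller holds every bit in `want` (a combination of READ, WRITE, EXEC)."""
    return effective_class_bits(mode, file_uid, file_gid, uid, gid, groups) & want == want


if __name__ == "__main__":
    # Constructed sample lines, shaped like the listings on the page.
    for line in ("drwxr-xr-x 2 root wheel 1024 Sep 7 09:10 daily",
                 "-rw-r--r-- 1 jon doe 0 Nov 12 15:30 tmp.txt"):
        e = parse_ls_line(line)
        print(f"{e.name}: mode {oct(e.mode)} owner={e.owner} group={e.group} dir={e.is_dir}")
```

The class-selection rule in effective_class_bits is the point most often misread: a mode such as 0o077 denies the owner everything while granting others full access, which is why an audit should look at each class separately rather than at the mode as a single number.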

Changing permissions

Suppose we have a file tmp.txt and want to change its permissions. For the example, assume the file starts out with the following permissions:
> ls -l tmp.txt
-rw-r--r-- 1 jon doe 0 Nov 12 15:30 tmp.txt
Note that to make such changes we must be logged in with an account that has the necessary system privileges, because a change of ownership affects not only the file but also which users and groups can reach it. For example, we cannot assign tmp.txt to the root user without being logged in as root.

File-level security management

A key principle of file-level security on UNIX systems is to restrict file permissions as far as possible without breaking the operating system's functionality and without locking ourselves out of files we need.

Most importantly, the permissions of files outside the user account's home directory (such as /usr/home/jon/ for the jon account used above, or /root/ for the root account on a FreeBSD system, or /home/jon/ and /root/ on a typical Linux system) should be left as they are unless we know exactly what we are doing.

Most data files in an account's home directory, such as text files, should have 110 / 6 / rw- for the owner and 000 / 0 / --- for group and world. Every subdirectory in that home directory should have 111 / 7 / rwx for the owner and 000 / 0 / --- for group and world, if we care about privacy from other accounts; this also makes things harder for a security cracker who has taken over or created another account on the system.

Understanding how UNIX file permissions work means understanding a basic security component of UNIX. Without proper use of file permissions, much of the security advantage UNIX offers over other operating systems is lost.
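The home-directory recommendation above (rw------- for data files, rwx------ for directories), as an added Python example that is not code from the original article. It audits a directory tree for entries where group or world hold any permission, then applies the recommended modes with os.chmod; the tree it runs on is constructed in a temporary directory as a stand-in for /home/jon, and the function names are this example's own.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Target modes from the recommendation: data files rw-------, directories rwx------.
FILE_MODE = 0o600
DIR_MODE = 0o700
GROUP_WORLD_MASK = 0o077  # any bit here means group or world has some access


def permission_mode(path: Path) -> int:
    """The permission bits of `path` without the file-type bits; does not follow symlinks."""
    return stat.S_IMODE(path.lstat().st_mode)


def audit_home(home: Path) -> list[tuple[Path, str]]:
    """List entries under (and including) `home` where group or world holds any permission.

    Symlinks are skipped: their own mode bits are ignored by the kernel, and
    following them could pull files outside the home directory into the audit.
    """
    findings: list[tuple[Path, str]] = []
    candidates = [home]
    for root, dirs, files in os.walk(home):  # followlinks=False by default
        candidates += [Path(root) / name for name in dirs + files]
    for p in candidates:
        if p.is_symlink():
            continue
        if permission_mode(p) & GROUP_WORLD_MASK:
            findings.append((p, stat.filemode(p.lstat().st_mode)))
    return findings


def harden_home(home: Path) -> list[tuple[Path, int, int]]:
    """Apply DIR_MODE to directories and FILE_MODE to regular files under `home`.

    Returns (path, mode_before, mode_after) for every entry that was changed.
    Symlinks and special files (sockets, fifos) are left untouched.
    """
    changes: list[tuple[Path, int, int]] = []
    for root, dirs, files in os.walk(home):
        targets = [(Path(root), DIR_MODE)] + [(Path(root) / f, FILE_MODE) for f in files]
        for p, wanted in targets:
            if p.is_symlink():
                continue  # os.chmod would follow the link and change its target
            if not (p.is_dir() or p.is_file()):
                continue
            before = permission_mode(p)
            if before != wanted:
                os.chmod(p, wanted)
                changes.append((p, before, wanted))
    return changes


def demo() -> tuple[int, int]:
    """Build a constructed home tree, audit it, harden it, and audit again.

    Returns (findings before, findings after). Everything lives in a temporary
    directory, so this is safe to run; it never touches a real home directory.
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "jon"  # constructed stand-in for /home/jon
        (home / "notes").mkdir(parents=True)
        (home / "notes" / "todo.txt").write_text("constructed sample\n")
        (home / "report.txt").write_text("constructed sample\n")
        # Deliberately loose modes, as a permissive umask would leave them.
        os.chmod(home, 0o755)
        os.chmod(home / "notes", 0o775)
        os.chmod(home / "notes" / "todo.txt", 0o664)
        os.chmod(home / "report.txt", 0o644)
        before = len(audit_home(home))
        harden_home(home)
        after = len(audit_home(home))
        return before, after


if __name__ == "__main__":
    print("findings before/after hardening:", demo())
```

harden_home applies the page's rule for data files literally, so any script in the tree loses its execute bit; restore it with chmod u+x where a file is meant to be run. Changing the owner of a file to root, as discussed in the section on changing permissions, is a separate operation (os.chown) and fails with PermissionError unless the caller is root.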
Update 25 May 2019