File Permissions

Changing file permissions on macOS (and using flags)

Using file flags on macOS. While performing system hardening on macOS, you may encounter a typical chmod error. Learn how to fix this type of error

Summary of Changing file permissions on macOS (and using flags)

Using file flags on macOS While performing system hardening on macOS, you may encounter a typical chmod error. Something like this: chmod: Unable to change file mode on /usr/bin/gcc: Operation not permitted Even with root permissions, you can’t change the permissions of some files. How is this possible? This is caused by flags. Showing file permissions and flags To see if a file has any flags set, use the ls command with the l (el) and O (capital o).

Read the full article…

Conducting a Linux Server Security Audit

Performing a Linux server security audit can be a time consuming process. In this article the most important parts are explained including automation.

Summary of Conducting a Linux Server Security Audit

Auditing a system can be a time-consuming job, which is no different when conducting a Linux server security audit. Within this article, we give some highlights regarding the audit and tips to automate them by using Lynis. The business goal Before auditing any system, determine the business goal of the system. How critical is this system for doing business? What if the system goes down? Usually each system has a clear role or multiple roles, like being a web server.

Read the full article…

File permissions of the /etc/shadow password file

Got an issue with the file permissions of your /etc/shadow password file? Look no further and get it fixed.

Summary of File permissions of the /etc/shadow password file

The password files are an important cornerstone of the security of your Linux system. Commonly they are /etc/passwd and /etc/shadow, and installed by default. Sometimes we receive questions what the right permissions of these files should be. Therefore this blog post to have a look at the file permissions (and ownership) of both files. Passwd file The password file stores local accounts of the system. It is a readable text file and uses colons (:) to separate the fields.

Read the full article…

How to change file permissions

Learn how to change the file permissions of files and directories on a Linux system. Follow the examples and make your system more secure.

Summary of How to change file permissions

Changing file permissions: chmod The primary command to change file permissions on a Linux system is chmod. It’s a basic system administration utility and pre-installed on the system. To make changes to an existing directory or file, it is first good to look up the existing permissions. This can be done using the ls -l command, that lists them with the long format. ls -l /etc/hosts -rw-r--r-- 1 root root 241 Feb 2 19:10 /etc/hosts There are two syntax styles to tell chmod what the new value should be.

Read the full article…

Introduction in Linux file permissions

Learn the basics of how a Linux system applies file permissions. We look into examples, to demystify what the file permissions mean and how to troubleshoot common issues.

Summary of Introduction in Linux file permissions

Every file that is stored has a set of file permissions stored within the filesystem. This data about the actual data, it called meta-data. Let have a look at how file permissions work on Linux systems and how to read and understand them. Read, Write, and Execute Linux file permissions are divided into three main categories: Read (r): Allows users to view the contents of a file or directory Write (w): Grants users the ability to modify the contents of a file or directory Execute (x): Enables users to execute a file or access the contents of a directory User, Group, and Others These permissions are each assigned to three entities:

Read the full article…

Linux Capabilities: Hardening Linux binaries by removing setuid

Setuid binaries may be a risk for the system. We will investigate how to remove the setuid bit and use Linux capabilities instead, to reduce the risks.

Summary of Linux Capabilities: Hardening Linux binaries by removing setuid

Hardening Linux binaries by removing setuid Normally Unix based systems use two kind of processes: privileged and unprivileged. The first category is usually used for administrative purposes, like starting and stopping other processes, tuning the kernel and opening sockets. Root permissions The command ping is a great example why even small programs needs root permissions. In a first glance you might consider this tool to be simple: send a package to a host and see if it responds.

Read the full article…

Linux file permissions

Learn the basics of file permissions on Linux systems and common filesystems such as ext4, XFS, and ZFS. Guided by examples, everyone is able to learn how they work.

Summary of Linux file permissions

File permissions are stored together with the data on a disk. The Linux kernel uses them to decide which users and processes can access what file. This page can be considered as a good cheat sheet, while the underlying articles explain how to use this information. Main permissions Read (r): Allows users to view the contents of a file or directory Write (w): Grants users the ability to modify the contents of a file or directory Execute (x): Enables users to execute a file or access the contents of a directory Permission Abbreviation Octal value Read r 4 Write w 2 Execute x 1 Possible combinations:

Read the full article…

PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

Linux users who want to compliant with PCI DSS have to restrict log file viewing to only the owner. We have a look at how to discover log files which can be viewed by others.

Summary of PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

A.1.2.d Verify that viewing of log entries is restricted to the owning entity. To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others. Search related log files By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which are world readable, by using find.

Read the full article…

Plus sign in ls output

When file access control lists, or ACLs are being used, the output of ls will change. An additional character shows up (plus sign) to indicate the usage of these access control lists.

Summary of Plus sign in ls output

Ever wondered what the plus (+) sign is when showing a directory listing? It is part of a POSIX standard to support access control lists (ACL) on files. Normal files on a file system will have only 10 characters displayed, with the last 9 used for file permissions. However, when file access control lists are used, an 11th character shows up. This plus sign indicates the usage of a file ACL.

Read the full article…