Page 160 - DCAP106_OPERATING_SYSTEM_TOOLS
P. 160

Unit 9: The File System




          As most MAC-based security projects (like RSBAC, LIDS and grSecurity) are not part of the   Notes
          default Linux kernel yet, we will talk about the standard, discretionary access control mechanism
          used by almost all Linux distributions.

          Read, Write and Execute

          The Linux file system provides support to numerous permission flags for every file or directory.
          A  flag  should  be  seen  as  a  feature  or  privilege  that  is  either  enabled  or  disabled  and  is  set
          independently of the other flags. The most used flags on a file system are the read (r), write (w)
          and execute (x) flags. Their meaning differs a bit based on the target.

          Nevertheless, supporting these flags wouldn’t make a system secure. That is, you want to mix
          these privileges based on who works with the file. For example, the system configuration files
          should only be writeable by the administrator(s); some might not even be readable by the users.
          In order to  enable this, Linux supports three different types  of privilege destinations:
          z z  the owner of the file (1st group of privileges)
          z z  the group owner of the file (2nd group of privileges)

          z z  everybody else (3rd group of privileges)
          In this manner, you can place one set of privileges for the file owner, another set for the group
          (which signifies that everybody who is member of the group is matched against these privileges)
          and a third one set for everybody else.
          In case of a file,
          z z  the read privilege informs the system that the file can be read (viewed)
          z z  the write privilege informs the system that the file can be written to (edited)

          z z  the execute privilege informs the system that the file is a command which can be executed
          For example, see the output of the ls -l command:
          $ ls -l /etc/fstab
          -rw-r--r-- 1 root root 905 Nov 21 09:10 /etc/fstab
          In the above example, the fstab file is writeable by the root user (rw-) and readable by anyone
          else (r--).
          In case of a directory,

          z z  the read privilege informs the system that the directory’s content can be viewed
          z z  the write privilege informs the system that the directory’s content can be changed (files or
               directories can be added or removed)

          z z  the execute privilege informs the system that you are able to jump inside the directory
               (using the cd command)

                 Example: See the output of the ls -ld command:

          $ ls -ld /etc/cron.daily
          drwxr-x--- 2 root root 4096 Nov 26 18:17 /etc/cron.daily/
          In the above example, the cron.daily directory is viewable (r), writeable (w) and “enterable” (x)
          by the root user.






                                           LOVELY PROFESSIONAL UNIVERSITY                                   153
   155   156   157   158   159   160   161   162   163   164   165