System Administration Guide: Security Services
Previous Next

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Using UNIX Permissions to Protect Files

Using Access Control Lists to Protect Files

Preventing Executable Files From Compromising Security

Protecting Files (Task Map)

Protecting Files With UNIX Permissions (Task Map)

Protecting Files With ACLs (Task Map)

Protecting Against Programs With Security Risk (Task Map)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Solaris Cryptographic Services

13.  Solaris Cryptographic Framework (Overview)

14.  Solaris Cryptographic Framework (Tasks)

15.  Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Solaris Secure Shell (Tasks)

20.  Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Solaris Auditing

28.  Solaris Auditing (Overview)

29.  Planning for Solaris Auditing

30.  Managing Solaris Auditing (Tasks)

31.  Solaris Auditing (Reference)

Glossary

Index

Protecting Files With UNIX Permissions (Task Map)

The following task map points to procedures that list file permissions, change file permissions, and protect files with special file permissions.

Task

For Instructions

Display file information

How to Display File Information

Change file ownership

How to Change the Owner of a File

How to Change Group Ownership of a File

Change file permissions

How to Change File Permissions in Symbolic Mode

How to Change File Permissions in Absolute Mode

How to Change Special File Permissions in Absolute Mode

How to Display File Information

Display information about all the files in a directory by using the ls command.

  • Type the following command to display a long listing of all files in the current directory.
    % ls -la
    -l

    Displays the long format that includes user ownership, group ownership, and file permissions.

    -a

    Displays all files, including hidden files that begin with a dot (.).

Example 7-1 Displaying File Information

In the following example, a partial list of the files in the /sbin directory is displayed.

% cd /sbin
% ls -la
total 13456
drwxr-xr-x   2 root     sys          512 Sep  1 14:11 .
drwxr-xr-x  29 root     root        1024 Sep  1 15:40 ..
-r-xr-xr-x   1 root     bin       218188 Aug 18 15:17 autopush
lrwxrwxrwx   1 root     root          21 Sep  1 14:11 bpgetfile -> ...
-r-xr-xr-x   1 root     bin       505556 Aug 20 13:24 dhcpagent
-r-xr-xr-x   1 root     bin       456064 Aug 20 13:25 dhcpinfo
-r-xr-xr-x   1 root     bin       272360 Aug 18 15:19 fdisk
-r-xr-xr-x   1 root     bin       824728 Aug 20 13:29 hostconfig
-r-xr-xr-x   1 root     bin       603528 Aug 20 13:21 ifconfig
-r-xr-xr-x   1 root     sys       556008 Aug 20 13:21 init
-r-xr-xr-x   2 root     root      274020 Aug 18 15:28 jsh
-r-xr-xr-x   1 root     bin       238736 Aug 21 19:46 mount
-r-xr-xr-x   1 root     sys         7696 Aug 18 15:20 mountall
   .
   .
   .

Each line displays information about a file in the following order:

  • Type of file – For example, d. For list of file types, see File and Directory Ownership.

  • Permissions – For example, r-xr-xr-x. For description, see File and Directory Ownership.

  • Number of hard links – For example, 2.

  • Owner of the file – For example, root.

  • Group of the file – For example, bin.

  • Size of the file, in bytes – For example, 7696.

  • Date the file was created or the last date that the file was changed – For example, Aug 18 15:20.

  • Name of the file – For example, mountall.

How to Change the Owner of a File

The file owner, the Primary Administrator role, or superuser can change any file's ownership.

  1. Display the permissions on a file.
    % ls -l example-file
-rw-r--r--   1 janedoe   staff   112640 May 24 10:49 example-file
  2. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  3. Change the owner of the file.
    # chown stacey example-file
  4. Verify that the owner of the file has changed.
    # ls -l example-file
-rw-r--r--   1 stacey   staff   112640 May 26 08:50 example-file
Example 7-2 Enabling Users to Change the Ownership of Files That Others Own

Security Consideration – You should have good reason to override system security policy by changing the setting of the rstchown variable to zero. Any user who accesses the system can change the ownership of any file on the system.

In this example, the value of the rstchown variable is set to zero in the /etc/system file. This setting enables the owner of a file to use the chown command to change the file's ownership to another user. This setting also enables the owner to use the chgrp command to set the group ownership of a file to a group that the owner does not belong to. The change goes into effect when the system is rebooted.

set rstchown = 0

For more information, see the chown(1) and chgrp(1) man pages.

Also, be aware that NFS-mounted file systems have further restrictions on changing ownership and groups. For more information on restricting access to NFS-mounted systems, see Chapter 6, Accessing Network File Systems (Reference), in System Administration Guide: Network Services.

How to Change Group Ownership of a File

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Change the group ownership of a file.
    $ chgrp scifi example-file

    For information on setting up groups, see Chapter 4, Managing User Accounts and Groups (Overview), in System Administration Guide: Basic Administration.

  3. Verify that the group ownership of the file has changed.
    $ ls -l example-file
 -rw-r--r--   1 stacey   scifi   112640 June 20 08:55  example-file

    Also see Example 7-2.

How to Change File Permissions in Symbolic Mode

  1. If you are not the owner of the file or directory, become superuser or assume an equivalent role.

    Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.

  2. Change permissions in symbolic mode.
    % chmod who operator permissions filename
    who

    Specifies whose permissions are to be changed.

    operator

    Specifies the operation to be performed.

    permissions

    Specifies what permissions are to be changed. For the list of valid symbols, see Table 7-5.

    filename

    Specifies the file or directory.

  3. Verify that the permissions of the file have changed.
    % ls -l filename
Example 7-3 Changing Permissions in Symbolic Mode

In the following example, read permission is taken away from others.

% chmod o-r example-file1

In the following example, read and execute permissions are added for user, group, and others.

$ chmod a+rx example-file2

In the following example, read, write, and execute permissions are assigned to group.

$ chmod g=rwx example-file3

How to Change File Permissions in Absolute Mode

  1. If you are not the owner of the file or directory, become superuser or assume an equivalent role.

    Only the current owner or superuser can use the chmod command to change file permissions on a file or directory.

  2. Change permissions in absolute mode.
    % chmod nnn filename
    nnn

    Specifies the octal values that represent the permissions for the file owner, file group, and others, in that order. For the list of valid octal values, see Table 7-4.

    filename

    Specifies the file or directory.

    Note - When you use the chmod command to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the permissions for other users and groups who have ACL entries on the file. Use the getfacl command to make sure that the appropriate permissions are set for all ACL entries. For more information, see the getfacl(1) man page.

  3. Verify that the permissions of the file have changed.
    % ls -l filename
Example 7-4 Changing Permissions in Absolute Mode

In the following example, the permissions of a public directory are changed from 744 (read, write, execute; read-only; and read-only) to 755 (read, write, execute; read and execute; and read and execute).

# ls -ld public_dir
drwxr--r--  1 ignatz   staff    6023 Aug  5 12:06 public_dir
# chmod 755 public_dir
# ls -ld public_dir
drwxr-xr-x  1 ignatz   staff    6023 Aug  5 12:06 public_dir

In the following example, the permissions of an executable shell script are changed from read and write to read, write, and execute.

% ls -l my_script
-rw------- 1 ignatz   staff    6023 Aug  5 12:06 my_script
% chmod 700 my_script
% ls -l my_script
-rwx------ 1 ignatz   staff    6023 Aug  5 12:06 my_script

How to Change Special File Permissions in Absolute Mode

  1. If you are not the owner of the file or directory, become superuser or assume an equivalent role.

    Only the current owner or a user with superuser capabilities can use the chmod command to change the special permissions on a file or directory.

  2. Change special permissions in absolute mode.
    % chmod nnnn filename
    nnnn

    Specifies the octal values that change the permissions on the file or directory. The leftmost octal value sets the special permissions on the file. For the list of valid octal values for special permissions, see Table 7-6.

    filename

    Specifies the file or directory.

    Note - When you use the chmod command to change the file group permissions on a file with ACL entries, both the file group permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the permissions for additional users and groups who have ACL entries on the file. Use the getfacl command to make sure that the appropriate permissions are set for all ACL entries. For more information, see the getfacl(1) man page.

  3. Verify that the permissions of the file have changed.
    % ls -l filename
Example 7-5 Setting Special File Permissions in Absolute Mode

In the following example, the setuid permission is set on the dbprog file.

# chmod 4555 dbprog
# ls -l dbprog
-r-sr-xr-x   1 db     staff        12095 May  6 09:29 dbprog

In the following example, the setgid permission is set on the dbprog2 file.

# chmod 2551 dbprog2
# ls -l dbprog2
-r-xr-s--x   1 db     staff       24576 May  6 09:30 dbprog2

In the following example, the sticky bit permission is set on the public_dir directory.

# chmod 1777 public_dir
# ls -ld public_dir
drwxrwxrwt   2 ignatz   staff          512 May 15 15:27 public_dir
Previous Next