
Securing the File System

1. File Permissions and Ownership

Understanding File Permissions: Read, Write, Execute (r, w, x):

In Linux, every file and directory has permissions that control who can read, write, and execute them. These permissions are divided into three categories:

  • Read (r): Allows viewing the contents of a file or listing files in a directory.
  • Write (w): Allows modifying the contents of a file or adding/removing files in a directory.
  • Execute (x): Allows executing a file as a program or script, or entering a directory and accessing the files inside it.

Permissions are typically assigned to three entities:

  • Owner: The user who owns the file.
  • Group: The group of users who share access to the file.
  • Others: All other users on the system.

Example of file permissions displayed by the ls -l command:

$ ls -l examplefile.txt
-rwxr-xr-- 1 john developers 12345 Jan 1 12:00 examplefile.txt

  • rwx (Owner): The owner can read, write, and execute.
  • r-x (Group): The group can read and execute, but not write.
  • r-- (Others): All others can only read the file.

Changing Ownership of Files (chown):

To change the ownership of a file or directory, use the chown command:

sudo chown john:developers /path/to/file

This command assigns the owner as john and the group as developers.

  • Changing Owner Only:
sudo chown john /path/to/file
  • Changing Group Only:
sudo chown :developers /path/to/file

Modifying File Permissions (chmod):

The chmod command allows you to change file permissions for the owner, group, and others.

Symbolic Mode:

This method uses characters (r, w, x) to modify permissions.

  • Add permissions:
sudo chmod u+x file.txt   # Add execute permission for the owner.
  • Remove permissions:
sudo chmod g-w file.txt   # Remove write permission from the group.
sudo chmod o-r file.txt   # Remove read permission from others.

Numeric Mode:

In this mode, permissions are represented by a three-digit number where each digit is the sum of the values for r, w, and x:

  • r = 4
  • w = 2
  • x = 1

Example:

chmod 755 file.txt means:

  • Owner: rwx (4 + 2 + 1 = 7)
  • Group: r-x (4 + 1 = 5)
  • Others: r-x (4 + 1 = 5)

Command:
sudo chmod 755 file.txt

Setting Default Permissions Using umask:

The umask command sets the default file creation permissions for new files and directories. It defines what permissions are NOT set when a new file is created.

  • Default File Creation Mode: When a file is created, it defaults to 666 (rw-rw-rw-).
  • Default Directory Creation Mode: Directories default to 777 (rwxrwxrwx).

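The umask value is removed from these defaults: every permission bit set in the umask is cleared from the default mode (a bitwise mask rather than arithmetic subtraction). For example, a umask of 022 would result in: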

  • Files: 644 (rw-r--r--)
  • Directories: 755 (rwxr-xr-x)

To check your current umask:

$ umask
022

To change the umask temporarily (for the current shell session):

$ umask 0777  # New files and directories get no permission bits; only root, which bypasses permission checks, can access them.
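
The masking rule described above, checked against files actually created under several umask values. This is an added example, not part of the original page; it assumes GNU coreutils (stat -c, mktemp), and the function names are illustrative.

```sh
#!/bin/sh
# Added example: create a file and a directory under a given umask and
# compare the modes they receive with the predicted (masked) value.
# Assumes GNU coreutils; function names are illustrative.

# modes_under_umask MASK -> prints "<file_mode> <dir_mode>" in octal.
# The body runs in a subshell, so the umask change never reaches the caller.
modes_under_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    : > "$tmp/newfile"      # the shell requests mode 666 for new files
    mkdir "$tmp/newdir"     # mkdir requests mode 777 for new directories
    echo "$(stat -c %a "$tmp/newfile") $(stat -c %a "$tmp/newdir")"
    rm -rf "$tmp"
)

# predicted_mode BASE MASK -> BASE with every bit set in MASK cleared.
predicted_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# 033 is included because arithmetic subtraction would wrongly give 633.
for mask in 022 027 077 033; do
    echo "umask $mask: created $(modes_under_umask "$mask")," \
         "predicted $(predicted_mode 666 "$mask") $(predicted_mode 777 "$mask")"
done
```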

2. Special File Permissions

Setuid, Setgid, and Sticky Bits:

  • Setuid (Set User ID):

When set on an executable file, this permission allows the file to be executed with the permissions of the file's owner rather than the user who runs it. This is useful for commands like passwd.

Example:
sudo chmod u+s /path/to/executable

This allows the program to run with the privileges of the file owner (usually root).

  • Setgid (Set Group ID):

When applied to a file, it allows the program to run with the group permissions of the file’s group rather than the user's current group. For directories, files created within the directory inherit the group of the directory.

Example:
sudo chmod g+s /path/to/directory

  • Sticky Bit:

Used on directories to restrict file deletion. Only the file's owner or root can delete files within a sticky directory, even if others have write access to the directory.

Example:
sudo chmod +t /path/to/directory

Use Case Example:

The /tmp directory often has the sticky bit set to ensure that files created by users cannot be deleted by other users.

$ ls -ld /tmp
drwxrwxrwt 14 root root 4096 Jan 1 12:00 /tmp
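
A way to review where these special bits are set: the script below lists regular files carrying setuid or setgid and world-writable directories that lack the sticky bit. It is an added example, not part of the original page; it assumes GNU find and stat, and the sample tree and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: list special-permission findings under a directory tree.
# Assumes GNU find and stat; the sample tree below is constructed.

# audit_special_bits DIR -> one finding per line
audit_special_bits() {
    # Regular files with setuid (4000) or setgid (2000) set.
    find "$1" -xdev -type f -perm /6000 \
        -exec stat -c 'SUID/SGID %a %U:%G %n' {} +
    # World-writable directories that lack the sticky bit (1000).
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec stat -c 'NO-STICKY %a %U:%G %n' {} +
}

# build_sample_tree -> prints the path of a constructed test tree
build_sample_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/report.txt"; chmod 644 "$d/report.txt"   # ordinary file
    : > "$d/helper";     chmod 4755 "$d/helper"      # setuid file
    mkdir "$d/dropbox" "$d/shared"
    chmod 0777 "$d/dropbox"    # world-writable, no sticky bit
    chmod 1777 "$d/shared"     # world-writable with sticky bit, like /tmp
    echo "$d"
}

sample=$(build_sample_tree)
audit_special_bits "$sample"   # reports helper and dropbox only
rm -rf "$sample"
```

On a real system, run audit_special_bits / as root so that directories unreadable to ordinary users are covered, and compare the output with a saved list from a known-good state.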

3. Securing Sensitive Files

Protecting /etc/passwd, /etc/shadow, and Other Critical System Files:

Certain files on the system are critical for security and system integrity:

  • /etc/passwd: Contains user information.
  • /etc/shadow: Contains encrypted password information.

Both files should be protected with strict permissions to prevent unauthorized access:

Example:
sudo chmod 644 /etc/passwd
sudo chmod 000 /etc/shadow

  • /etc/passwd: Readable by all users but writable only by root.
  • /etc/shadow: Should be readable and writable only by root, with permissions set to 000. Root can still read and write the file at mode 000 because root bypasses permission checks.

Using Access Control Lists (ACLs) to Fine-Tune Permissions:

ACLs provide more fine-grained control over file permissions. They allow you to specify permissions for individual users or groups beyond the standard owner/group/other model.

  • Setting ACL for a File:
sudo setfacl -m u:john:rwx /path/to/file
This gives user john read, write, and execute permissions for the specified file.

  • Viewing ACLs:
getfacl /path/to/file

4. Filesystem Encryption

Introduction to File Encryption Techniques:

Encryption protects sensitive data by converting it into unreadable ciphertext. In Linux, encryption can be used to protect files or entire directories.

GPG Encryption:

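GPG encrypts individual files, either with public key cryptography or, as in the example below, with a passphrase (symmetric encryption).

  • Encrypt a file:
gpg -c file.txt  # Encrypt with a passphrase (symmetric encryption); writes file.txt.gpg
  • Decrypt the file:
gpg -o file.txt -d file.txt.gpg  # Decrypt to file.txt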

EncFS:

EncFS stores files encrypted in one directory and exposes them decrypted at a separate mount point, so applications read and write them transparently.

To create an encrypted directory and mount it:
encfs /path/to/encrypted /path/to/mountpoint

Encrypting Sensitive Files and Directories:

For encrypting entire directories, you can use tools like ecryptfs or fscrypt, which integrate with the filesystem.


5. Best Practices for Securing the File System

  • Ensure Proper File Permissions on System Files:
    Regularly check and secure permissions on sensitive system files, like /etc/passwd, /etc/shadow, /etc/sudoers.

  • Minimize Access to Critical Files:
    Use chmod, chown, and ACLs to restrict access to sensitive files to only those who need it.

  • Periodically Review File Permissions:
    Regularly audit file permissions across the system, ensuring that users and groups have only the permissions necessary for their roles.

  • Use Encryption:
    Encrypt sensitive files and directories, particularly those containing personal information or system credentials.
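
The regular check of sensitive system files recommended here and in Section 3 can be scripted as a baseline comparison. This is an added example, not part of the original page; it assumes GNU stat, the function names are illustrative, and the ceilings of 640 for /etc/shadow (which accepts both mode 000 and the 640 root:shadow layout used by Debian-based systems) and 440 for /etc/sudoers are assumptions to adjust per distribution.

```sh
#!/bin/sh
# Added example: compare owner and mode of sensitive files with a baseline.
# Assumes GNU stat; the ceilings in audit_baseline are assumptions.

# check_file PATH UID MAX_MODE
# Passes when PATH is owned by UID and has no permission bit outside MAX_MODE.
check_file() (
    [ -e "$1" ] || { echo "SKIP $1 (not present)"; exit 0; }
    info=$(stat -c '%a %u' "$1") || exit 2
    mode=${info% *}
    uid=${info#* }
    extra=$(( 0$mode & ~0$3 & 07777 ))   # bits set on disk but not allowed
    if [ "$uid" -ne "$2" ]; then
        echo "FAIL $1 owned by uid $uid, expected $2"
        exit 1
    fi
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL %s mode %s exceeds %s (extra bits %04o)\n' \
            "$1" "$mode" "$3" "$extra"
        exit 1
    fi
    echo "OK   $1 mode $mode uid $uid"
)

# audit_baseline: run check_file over the files named on this page.
audit_baseline() {
    rc=0
    while read -r path uid max; do
        check_file "$path" "$uid" "$max" || rc=1
    done <<EOF
/etc/passwd 0 644
/etc/shadow 0 640
/etc/sudoers 0 440
EOF
    return "$rc"
}

audit_baseline || echo "baseline deviations found"
```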


Key Takeaways:

  • Proper file permissions and ownership are crucial for securing sensitive data and system files.
  • Special file permissions like setuid, setgid, and sticky bits add an additional layer of security.
  • Protect critical files such as /etc/passwd and /etc/shadow with strict access control measures.
  • Encryption tools like GPG and EncFS are vital for protecting data at rest.
  • Regularly review file permissions and practices to ensure continued security and integrity.