LINUX


Tuesday 7 July 2015

Linux File & Folder Permissions



File & folder security is a big part of any operating system and Linux is no exception!
These permissions allow you to choose exactly who can access your files and folders, providing an overall enhanced security system. This is one of the major weaknesses in the older Windows operating systems where, by default, all users can see each other's files (Windows 95, 98, Me).
For the more superior versions of the Windows operating system such as NT, 2000, XP and 2003 things look a lot safer as they fully support file & folder permissions, just as Linux has since the beginning.
Together, we'll now examine a directory listing from our Linux lab server, to help us understand the information provided. While a simple 'ls' will give you the file and directory listing within a given directory, adding the flag '-l' will reveal a number of new fields that we are about to take a look at:
linux-introduction-file-permissions-1
It's possible that most Linux users have seen similar information regarding their files and folders and therefore should feel pretty comfortable with it. If on the other hand you happen to fall in to the group of people who haven't seen such information before, then you either work too much in the GUI interface of Linux, or simply haven't had much experience with the operating system :)
Whatever the case, don't disappear - it's easier than you think!!

So what does all this output mean ? Especially all those 'rwx' lines?!

Let's start from scratch, analysing the information in the previous screenshot.
linux-introduction-file-permissions-2
In the yellow column on the right we have the file & directory names (dirlist.txt, document1, document2 etc.) - nothing new here. Next, in the green column, we will find the time and date of creation.
Note that the date and time column will not always display in the format shown. If the file or directory it refers to was created in a year different from the current one, it will then show only the date, month and year, discarding the time of creation.
For example, if the file 'dirlist.txt' was created on the 27th of July, 2004, then the system would show:
Jun 27 2004 dirlist.txt
instead of
Jun 27 11:28 dirlist.txt
A small but important note when examining files and folders! Lastly, the date will change when modifying the file. As such, if we edited a file created last year, then the next time we typed 'ls -l', the file's date information would change to today's date. This is a way you can check to see if files have been modified or tampered with.
The next column (purple) contains the file size in bytes - again nothing special here.
linux-introduction-file-permissions-3
Next column (orange) shows the permissions. Every file in Linux is 'owned' by a particular user.. normally this is the user (owner) who created the file.. but you can always give ownership to someone else.
The owner might belong to a particular group, in which case this file is also associated with the user's group. In our example, the left column labeled 'User' refers to the actual user that owns the file, while the right column labeled 'group' refers to the group the file belongs to.
Looking at the file named 'dirlist.txt', we can now understand that it belongs to the user named 'root' and group named 'sys'.
Following the permissions is the column with the cyan border in the listing.
The system identifies files by their inode number, which is the unique file system identifier for the file. A directory is actually a listing of inode numbers with their corresponding filenames. Each filename in a directory is a link to a particular inode.
Links let you give a single file more than one name. Therefore, the numbers indicated in the cyan column specifies the number of links to the file.
As it turns out, a directory is actually just a file containing information about link-to-inode associations.
Next up is a very important column, that's the first one on the left containing the '-rwx----w-' characters. These are the actual permissions set for the particular file or directory we are examining.
To make things easier, we've split the permissions section into a further 4 columns as shown above. The first column indicates whether we are talking about a directory (d), file (-) or link (l).
In the newer Linux distributions, the system will usually present the directory name in colour, helping it to stand out from the rest of the files. In the case of a file, a dash (-) or the letter 'f' is used, while links make the use of the letter 'l' (l). For those unfamiliar with links, consider them something similar to the Windows shortcuts.
linux-introduction-file-permissions-4
Column 2 refers to the user rights. This is the owner of the file, directory or link and these three characters determine what the owner can do with it.
The 3 characters on column 2 are the permissions for the owner (user rights) of the file or directory. The next 3 are permissions for the group that the file is owned by and the final 3 characters define the access permissions for the others group, that is, everyone else not part of the group.
So, there are 3 possible attributes that make up file access permissions:
r - Read permission. Whether the file may be read. In the case of a directory, this would mean the ability to list the contents of the directory.
w - Write permission. Whether the file may be written to or modified. For a directory, this defines whether you can make any changes to the contents of the directory. If write permission is not set then you will not be able to delete, rename or create a file.
x - Execute permission. Whether the file may be executed. In the case of a directory, this attribute decides whether you have permission to enter, run a search through that directory or execute some program from that directory.
Let's take a look at another example:
linux-introduction-file-permissions-5
Take the permissions of 'red-bulb', which are drwxr-x---. The owner of this directory is user david and the group owner of the directory is sys. The first 3 permission attributes are rwx. These permissions allow full read, write and execute access to the directory to user david. So we conclude that david has full access here.
The group permissions are r-x. Notice there is no write permission given here so while members of the group sys can look at the directory and list its contents, they cannot create new files or sub-directories. They also cannot delete any files or make changes to the directory content in any way.
Lastly, no one else has any access because the access attributes for others are ---.
If we assume the permissions are drw-r--r-- you see that the owner of the directory (david) can list and make changes to its contents (Read and Write access) but, because there is no execute (x) permission, the user is unable to enter it! You must have read and execute (r-x) in order to enter a directory and list its contents. Members of the group sys have a similar problem, where they seem to be able to read (list) the directory's contents but can't enter it because there is no execute (x) permission given!
Lastly, everyone else can also read (list) the directory but is unable to enter it because of the absence of the execute (x) permission.
Here are some more examples focusing on the permissions:
-r--r--r-- :This means that owner, group and everyone else has only read permissions to the file (remember, if there's no 'd' or 'l', then we are talking about a file).

-rw-rw-rw- : This means that the owner, group and everyone else has read and write permissions.

-rwxrwxrwx : Here, the owner, group and everyone else has full permissions, so they can all read, write and execute the file (-).

Modifying Ownership & Permissions

So how do you change permissions or change the owner of a file?
Changing the owner or group owner of a file is very simple, you just type 'chown user:group filename.ext', where 'user' and 'group' are those to whom you want to give ownership of the file. The 'group' parameter is optional, so if you type 'chown david file.txt', you will give ownership of file.txt to the user named david.
In the case of a directory, nothing much changes as the same command is used. However, because directories usually contain files that also need to be assigned to the new user or group, we use the '-R' flag, which stands for 'recursive' - in other words all subdirectories and their files: 'chown -R user:group dirname'.
To change permissions you use the 'chmod' command. The possible options here are 'u' for the user, 'g' for the group, 'o' for other, and 'a' for all three. If you don't specify one of these letters it will change to all by default. After this you specify the permissions to add or remove using '+' or '-' . Let's take a look at an example to make it easier to understand:
If we wanted to add read, write and execute to the user of a particular file, we would type the following 'chmod u+rwx file.txt'. If on the other hand you typed 'chmod g-rw file.txt' you will take away read and write permissions of that file for the group .
While it's not terribly difficult to modify the permissions of a file or directory, remembering all the flags can be hard. Thankfully there's another way, which is less complicated and much faster. By replacing the permissions with numbers, we are able to calculate the required permissions and simply enter the correct sum of various numbers instead of the actual rights.
The way this works is simple. We are aware of three different permissions, Read (r), Write (w) and Execute (x). Each of these permissions is assigned a number as follows:
r (read) - 4
w (write) - 2
x (execute) - 1
Now, to correctly assign a permission, all you need to do is add up the level you want, so if you want someone to have read and write, you get 4+2=6, if you want someone to have just execute, it's just 1.. zero means no permissions. You work out the number for each of the three sections (owner, group and everyone else).

If you want to give read write and execute to the owner and nothing to everyone else, you'd get the number 700. Starting from the left, the first digit (7) presents the permissions for the owner of the file, the second digit (0) is the permissions for the group, and the last (0) is the permissions for everyone else. You get the 7 by adding read, write and execute permissions according to the numbers assigned to each right as shown in the previous paragraphs: 4+2+1 = 7.
r, w, x Permissions
Calculated Number
---
0
--x
1
-w-
2
-wx
3 (2+1)
r--
4
r-x
5 (4+1)
rw-
6 (4+2)
rwx
7 (4+2+1)

If you want to give full access to the owner, only read and execute to the group, and only execute to everyone else, you'd work it out like this :
owner: rwx = 4 + 2 + 1 = 7
group: r-x = 4 + 0 + 1 = 5
everyone: --x = 0 + 0 + 1 = 1
So your number will be 751, 7 for owner, 5 for group, and 1 for everyone. The command will be 'chmod 751 file.txt'. It's simple isn't it ?
If you want to give full control to everyone using all possible combinations, you'd give them all 'rwx' which equals to the number '7', so the final three digit number would be '777':
linux-introduction-file-permissions-6
If on the other hand you decide not to give anyone any permission, you would use '000' (now nobody can access the file, not even you!). However, you can always change the permissions to give yourself read access, by entering 'chmod 400 file.txt'.
For more details on the 'chmod' command, please take a look at the man pages.
As we will see soon, the correct combination of user and group permissions will allow us to perform our work while keeping our data safe from the rest of the world.
For example in order for a user or group to enter a directory, they must have at least read (r) and execute (x) permissions on the directory, otherwise access to it is denied:
linux-introduction-file-permissions-7
As seen here, user 'mailman' is trying to access the 'red-bulb' directory which belongs to user 'david' and group 'sys'. Mailman is not a member of the 'sys' group and therefore can't access it. At the same time the folder's permissions allow neither the group nor everyone to access it.
Now, what we did is alter the permission so 'everyone' has at least read and execute permissions so they are able to enter the folder - let's check it out:
linux-introduction-file-permissions-8
Here we see the 'mailman' user successfully entering the 'red-bulb' directory because everyone has read (r) and execute (x) access to it!
The world of Linux permissions is pretty user friendly as long as you see from the right perspective :) Practice and reviewing the theory will certainly help you remember the most important information so you can perform your work without much trouble.
If you happen to forget something, you can always re-visit us - any time of the day!
Continuing on to our last page, we will provide you with a few links to some of the world's greatest Linux resources, covering Windows to Linux migration, various troubleshooting techniques, forums and much more that will surely be of help.


Installing & Configuring VSFTPD FTP Server for Redhat Enterprise Linux, CentOS & Fedora



Vsftpd is a popular FTP server for Unix/Linux systems. For thoes unaware of the vsftpd ftp server, note that this is not just another ftp server, but a mature product that has been around for over 12 years in the Unix world. While Vsftpd it is found as an installation option on many Linux distributions, it is not often Linux system administrators are seeking for installation and configuration instructions for it, which is the reason we decide to cover it on Firewall.cx.
This article focuses on the installation and setup of the Vsftpd service on Linux Redhat Enterprise, Fedora and CentOS, however it is applicable to almost all other Linux distributions.  We'll also take a look at a number of great tips which include setting quotas, restricting access to anonymous users, disabling uploads, setting a dedicated partition for the FTP service, configuring the system's IPTable firewall and much more.

VSFTPD Features

Following is a list of vsftpd's features which confirms this small FTP package is capable of delivering a lot more than most FTP servers out there:
  • Virtual IP configurations
  • Virtual users
  • Standalone or inetd operation
  • Powerful per-user configurability
  • Bandwidth throttling
  • Per-source-IP configurability
  • Per-source-IP limits
  • IPv6
  • Encryption support through SSL integration
  • and much more....!

Installing the VSFTPD Linux Server

To initiate the installation of the vsftpd package, simply open your CLI prompt and use the yum command (you need root privileges) as shown below:
# yum install vsftpd
Yum will automatically locate, download and install the latest vsftpd version.

Configure VSFTPD Server

To open the configuration file, type:
# vi /etc/vsftpd/vsftpd.conf
Turn off standard ftpd xferlog log format and turn on verbose vsftpd log format by making the following changes in the vsftpd.conf file:
xferlog_std_format=NO
log_ftp_protocol=YES
Note: the default vsftpd log file is /var/log/vsftpd.log.
Above two directives will enable logging of all FTP transactions.
To lock down users to their home directories:
chroot_local_user=YES
You can create warning banners for all FTP users, by defining the path:
banner_file=/etc/vsftpd/issue
Now you can create the /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:
“NOTICE TO USERS - Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address”.

 

Turn On VFSTPD Service

Turn on vsftpd on boot:
# systemctl enable vsftpd@.service
Start the service:
# systemctl start vsftpd@vsftpd.service
You can verify the service is running and listening on the correct port using the following command:
# netstat -tulpn | grep :21
Here's the expected output:
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      LISTEN 9734/vsftpd

Configure IPtables To Protect The FTP Server

In case IPTables are configured on the system, it will be necessary to edit the iptables file and open the ports used by FTP to ensure the service's operation.
To open file /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Next, open file /etc/sysconfig/iptables-config, and enter:
# vi /etc/sysconfig/iptables-config
Ensure that the space-separated list of modules contains the FTP connection-tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the file and finally restart the firewall using the following commands:
# systemctl restart iptables.service
# systemctl restart ip6tables.service

Tip: View FTP Log File

Type the following command:
# tail -f /var/log/vsftpd.log

 

Tip: Restricting Access to Anonymous User Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
local_enable=NO

 

Tip: To Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
write_enable=NO

Tip: To Enable Disk Quota

Disk quota must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file. Add or correct the following configuration options to represents a directory which vsftpd will try to change into after an anonymous login:
anon_root=/ftp/ftp/pub
The ftp users are the same users as those on the hosting machine.
You could have a separate group for ftp users, to help keep their privileges down (for example 'anonftpusers'). Knowing that, your script should do:
useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob
echo bobspassword | passwd --stdin bob
echo bob >> /etc/vsftpd/user_list

Be extremely careful with your scripts, as they will have to be run as root.
However, for this to work you will have to have the following options enabled in /etc/vsftpd/vsftpd.conf
userlist_enable=YES
userlist_deny=NO

 

Security Tip: Place the FTP Directory on its Own Partition

Separation of the operating system files from FTP users files may result into a better and secure system. Restricting the growth of certain file systems is possible using various techniques. For example, use /ftp partition to store all ftp home directories and mount ftp with nosuid, nodev and noexec options. A sample /etc/fstab entry:
/dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2

 

Example File for vsftpd.conf

Following is an example for vsftpd.conf. It allows the users listed in the user_list file to log in, no anonymous users, and quite tight restrictions on what users can do:
# Allow anonymous FTP?
anonymous_enable=NO
#
# Allow local users to log in?
local_enable=YES
#
# Allow any form of FTP write command.
write_enable=YES
#
# To make files uploaded by your users writable by only
# themselves, but readable by everyone and if, through some
# misconfiguration, an anonymous user manages to upload a file, # the file will have no read, write or execute permission. Just to be # safe. 
local_umask=0000
file_open_mode=0644
anon_umask=0777
#
# Allow the anonymous FTP user to upload files?
anon_upload_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=NO
#
# Activate logging of uploads/downloads?
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)?
connect_from_port_20=YES
#
# Log file in standard ftpd xferlog format?
xferlog_std_format=NO
#
# User for vsftpd to run as?
nopriv_user=vsftpd
#
# Login banner string:
ftpd_banner= NOTICE TO USERS - Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address.
#
# chroot local users (only allow users to see their directory)?
chroot_local_user=YES
#
# PAM service name?
pam_service_name=vsftpd
#
# Enable user_list (see next option)?
userlist_enable=YES
#
# Should the user_list file specify users to deny(=YES) or to allow(=NO)
userlist_deny=NO
#
# Standalone (not run through xinetd) listen mode?
listen=YES
#
#
tcp_wrappers=NO
#
# Log all ftp actions (not just transfers)?
log_ftp_protocol=YES
# Initially YES for trouble shooting, later change to NO
#
# Show file ownership as ftp:ftp instead of real users?
hide_ids=YES
#
# Allow ftp users to change permissions of files?
chmod_enable=NO
#
# Use local time?
use_localtime=YES
#
# List of raw FTP commands, which are allowed (some commands may be a security hazard):
cmds_allowed=ABOR,QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,NLST,PORT,SYST,PRET,MDTM,DEL,MKD,RMD
With this config, uploaded files are not readable or executable by anyone, so the server is acting as a 'dropbox'. Change the file_open_modeoption to change that.
Lastly, it is also advised to have a look at 'man vsftpd.conf' for a full list and description of all options.