05 Linux Access Control

Linux IDs and /etc/passwd
Linux Authentication and

Each user has a user id (uid) and belongs to (possibly several) groups
Access Control each of which has a gid.
uid and default gid are stored in /etc/passwd. E.g, in my Fedora VM:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
Tue/Wed/Thu, September 16/17/18, 2014
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
Reading: Pollock Article; Hacking Linux Exposed sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
CS342 Computer Security mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
Department of Computer Science ...
Wellesley College lynux:x:500:500:Franklyn Turbak:/home/lynux:/bin/bash
gdome:x:501:501:Georgia Dome:/home/gdome:/bin/bash
cs342:x:502:502:CS342 Account:/home/cs342:/bin/bash
Linux Authentication and Access Control 4-2
/etc/group /etc/shadow
/etc/group defines groups and Sysadmins can define new groups,
lists which users belong to them. /etc/shadow contains hashed passwords:
e.g. on puma
root:$1$SdMYD5fz$cr120C7tA0wDhXPrQHc3H1:15583:0:99999:7:::
root:x:0:root
bin:x:1:root,bin,daemon • faculty (all cs faculty) bin:*:13665:0:99999:7:::
daemon:*:13665:0:99999:7:::
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
• cs111sta (members of the adm:*:13665:0:99999:7:::
adm:x:4:root,adm,daemon CS111 teaching staff) …
lynux:$1$mUwRqvWp$2yfe5MJV0HbtdcDad8E7i/:15583:0:99999:7:::
tty:x:5: • cs251stu (cs251 students) gdome:$1$d6tpFiwO$rBD5jd1ASAYatV2UuAlXW.:14274:0:99999:7:::
disk:x:6:root
cs342:$1$kmTSYJoG$0AnYYfykI2e/nWPRXdjwO.:14194:0:99999:7:::
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
Your Ubuntu VM uses longer salts and hashes:
...
lynux:x:500:
wendy:$6$FoFIUVCi$/FUkEldzfdJXMefmv/s76m4wRpeZPnHjsVdJ9pO.QgKWuZmV
gdome:x:501:
cjt5J53lZ8Sifj9Q3Pm6n6ukR9p8A1\43mnE2Q0:15594:0:99999:7:::
cs342:x:502:
cs342sta:x:503:cs342,lynux
cs342stu:x:504:cs342,gdome,lynux
Linux Authentication and Access Control 5-3 Linux Authentication and Access Control 5-4
LDAP Checking/Changing Who You Are
Our networked dept. machines now use LDAP, a database system for o whoami: name associated with current uid
users/groups that does not use /etc/passwd and /etc/group directly. o groups: groups of which current uid is a member
(But you will be using /etc/passwd and /etc/group on the machines you
o su username : "become" username
administer in E125.)
o su - username: "become" username, using initialization files
On puma, use getent command to get info from the LDAP database: o su: "become" root (su = superuser)
[fturbak@puma ~] getent passwd fturbak o sudo command: Execute command as root
fturbak:x:708:708:Franklyn Turbak:/home/fturbak:/bin/bash (if you re in /etc/sudoers and you give your password.)
[fturbak@puma ~] getent passwd acarnigl
acarnigl:x:4568:4569:Allison Carniglia class of 2013:/students/acarnigl:/usr/local/bin/scponly
# /usr/local/bin/scponly only allows SCP, not login access. For 110/111 students
[fturbak@puma ~] getent group cs242stu

cs242stu:x:4678:networks,fturbak,amckenna,choover,clee2,cvaldes,kneugent,ksulliv3,lbell,
gwunnava,skim17 http://xkcd.com/688/
Checking/Changing Who You Are: Examples

[fturbak@puma ~] whoami
sudo in Ubuntu
fturbak
[fturbak@puma ~] echo $UID The culture in Ubuntu is to use sudo rather than su to root.
708
[fturbak@puma ~] groups
fturbak faculty cvs lumberjacks cs301stu cs301pri cs301sta itr2004 • Reminds you that you’re doing rooty things: less likely to
cs230pri cs230sta cs230stu cs251pri cs251stu … accidentally do something bad (e.g. rm –rf * on /)
[fturbak@puma ~] su – gdome
Password: ********** • Don’t have to remember root password, only your own.
[gdome@puma ~] whoami
gdome • Can still become root if you want to (red part not echoed)
[gdome@puma ~] echo $UID
707 wendy@cs342-ubuntu-1:~$ sudo su –
[gdome@puma ~] groups
gdome cs301stu cs230stu cs251stu cs235stu cs242stu
[sudo] password for wendy: Tr0ub4dor&3
[gdome@puma ~] su –
root@cs342-ubuntu-1:~#
Password: **********
[root@puma ~] whoami
root
[root@puma ~] echo $UID
0
[root@puma ~] groups
root bin daemon sys adm disk wheel Linux Authentication and Access Control 5-7 Linux Authentication and Access Control 5-8
passwd: Change Password useradd: Create User Account
Sudoer wendy changes guest password (red parts not echoed) Sudoer wendy adds user acct1
!wendy@cs342-ubuntu-1:~$sudo passwd guest !wendy@cs342-ubuntu-1:~$sudo useradd -m -s /bin/bash acct1
[sudo] password for wendy: Tr0ub4dor&3 [sudo] password for wendy: Tr0ub4dor&3
Enter new UNIX password: foobar
Retype new UNIX password: foobar • By default, puts user in empty group with same name as user
passwd: password updated successfully /etc/passwd now has: !acct1:x:1101:1101::/home/acct1:/bin/bash
/etc/group now has: acct1:x:1101:
• As root, wouldn’t need extra sudo password • Still need to set password (via passwd); ! in /etc/shadow locks user out:
acct1:!:15601:0:99999:7:::
• Can change anyone’s password as root
• -m creates account /home/acct1
• Anyone change her own password w/o being root. • -s specifies shell program for user.
• Many more options; see man useradd
• Add user to group sudo to make her a sudoer
• There are graphical user interfaces for creating accounts, setting passwords,
etc. but you will not have access to these in many contexts (like Capture the
Flag contests) So best to learn shell commands instead!
File Permissions in Linux What Do Permissions Mean?

[lynux@localhost cs342]$ ls -al handouts
total 68 o On file:
drwxrwx--- 4 lynux lynux 4096 2008-09-12 07:36 .
drwxrwxr-x 6 lynux lynux 4096 2008-09-02 03:08 .. r: can read from file
drwxrwx--- 2 lynux lynux 4096 2008-09-02 03:15 course-info
-rw-rw---- 1 lynux lynux 638 2008-09-09 08:59 linux-commands.txt w: can write to file
-rw-rw---- 1 lynux lynux 12335 2008-09-12 07:33 os-security.txt
-rw-rw---- 1 lynux lynux 3073 2008-09-11 21:27 os-security.txt~ x: can execute file as a program
drwxrwx--- 2 lynux lynux 4096 2008-09-09 05:38 security
o On directory:
How do you read a permission string (e.g. drwxrwxr-x, -rw-rw----)?
r: can list the filenames in the directory.
Leftmost chars: Other 9 chars: w: can add new file and delete existing file
read (r), write (w), execute (x) (even if don't have any permissions on file!)
- normal file permissions for 3 entities: x: can cd to directory and “search” files in directory
d directory • 3 chars for owner (u=user); (i.e., get inode information necessary for file contents.)
l link
• 3 for group (g);
s socket
• 3 for everyone else (o=other)
Special permissions Permissions as Bits & Octal Numbers
There are 12 (not 9) permission bits in Linux. 11 10 9 8 7 6 5 4 3 2 1 0
11 10 9 8 7 6 5 4 3 2 1 0 set set stic- user user user group group group other other other
uid gid key r w x r w x r w x
set set stic- user user user group group group other other other
uid gid key r w x r w x r w x
setuid bit permissions octal
setuid bit
changes user "x" to "s" -rwxrwxrwx 777
• on executable program: change effective user id (more later)
and no "x" to "S" -rwxr-x--- 750
setgid bit
setgid bit -rw-r—-r-- 644
• on executable program: change effective group (more later)
changes group "x" to "s" -rwsr-sr-- 6754
• on directory: files/subdirectories inherit group and its permissions and no "x" to "S"
from directory -rwsr-Sr-- 6744
sticky bit -rwsr-xr-- 4754
sticky bit
changes other "x" to "t" -rwxr-sr-- 2754
• on directory: only owner can delete files in the dir (used in /tmp) and no "x" to "T
-rwxr-xr-t 1755
-rwxr-xr-T 1754
Changing File Permissions in Linux Changing File Permissions in Linux (Continued)

chmod perms file … : changes file permissions [lynux@localhost handouts]$ chmod u+s os-security.txt; ls -al os-security.txt
-rwsr-xr-- 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt
chmod -R perms file … : changes file permissions recursively
[lynux@localhost handouts]$ chmod g+s os-security.txt; ls -al os-security.txt
[lynux@localhost handouts]$ ls -al os-security.txt -rwsr-sr-- 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt
-rw-rw---- 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt
[lynux@localhost handouts]$ chmod 754 os-security.txt; ls -al os-security.txt
[lynux@localhost handouts]$ chmod o+rx os-security.txt; ls -al os-security.txt -rwxr-xr-- 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt
-rw-rw-r-x 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt
[lynux@localhost handouts]$ chmod 4754 os-security.txt; ls -al os-security.txt
[lynux@localhost handouts]$ chmod g-w os-security.txt; ls -al os-security.txt -rwsr-xr-- 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt
-rw-r--r-x 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt
[lynux@localhost handouts]$ ls -al .
[lynux@localhost handouts]$ chmod u+x os-security.txt; ls -al os-security.txt total 72
-rwxr--r-x 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt drwxrwxr-x 4 lynux lynux 4096 2008-09-12 08:27 .
...
[lynux@localhost handouts]$ chmod a-wx os-security.txt; ls -al os-security.txt
-r--r--r-- 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt [lynux@localhost handouts]$ chmod +t . ; ls -al .
total 72
[lynux@localhost handouts]$ chmod 754 os-security.txt; ls -al os-security.txt drwxrwxr-t 4 lynux lynux 4096 2008-09-12 08:27 .
-rwxr-xr-- 1 lynux lynux 13290 2008-09-12 07:48 os-security.txt
Changing File Owner & Group: chown & chgrp chown & chgrp Examples
chown username/uid file : change owner of file [lynux@localhost ~]$ touch owntest; ls -al owntest
-rw-rw-r-- 1 lynux lynux 0 2010-09-20 03:24 owntest
chgrp groupname/gid file : change group of file
[lynux@localhost ~]$ chown gdome owntest
chown username/uid.groupname/gid file : change owner & group of file chown: changing ownership of òwntest': Operation not permitted
Notes: [lynux@localhost ~]$ chgrp cs342stu owntest

[lynux@localhost ~]$ ls -al owntest
o chown can only be executed by root.
-rw-rw-r-- 1 lynux cs342stu 0 2010-09-20 03:24 owntest
o chgrp can only be executed by root or owner
(and only if owner is a member of the group). [root@localhost lynux]# chown gdome.gdome owntest; ls -al owntest
-rw-rw-r-- 1 gdome gdome 0 2010-09-20 03:24 owntest
o In all cases, the -R flag performs recursively.
[root@localhost lynux]# chown 502.500 owntest; ls -al owntest
-rw-rw-r-- 1 cs342 lynux 0 2010-09-20 03:24 owntest
The SetUID (SUID) Bit Playing with SetUID: A Squirrel program

Some programs need to use protected/private files -- /*** squirrel.c ***/
#include <stdio.h> /* Include standard library headers */
e.g., passwd stores encrypted passwords in /etc/shadow, #include <stdlib.h>
which has permissions that are something like
int main (int argc, char** args) {
-rw------- 1 root root 1554 2008-09-15 05:57 /etc/shadow
/* Append the argument to the file named "nest" */
(This is a white lie, but believe it for now) FILE *fp;
fp=fopen("nest", "a"); /* a = append mode */
if (fp > 0) {
How can a regular user change her own password? Because of setuid! if (argc >= 1) fprintf(fp, "%s\n", args[1]);
[lynux@localhost setuid]$ which passwd fclose(fp);
/usr/bin/passwd } else {
printf("Unable to open file\n");
[lynux@localhost setuid]$ ls -al /usr/bin/passwd }
}
-rwsr-xr-x 1 root root 4730 2008-09-13 08:08 /usr/bin/passwd
The setUID bit says that while /usr/bin/passwd is running, it will lynux s "squirrel" program appends into lynux s nest file:
have the owner's (in this case root's) UID as its effective UID. [lynux@localhost setuid]$ touch nest; ls -al nest
So it can write to /etc/shadow! -rw-rw-r-- 1 lynux lynux 0 2008-09-16 06:39 nest
SUID is like S&S kernel bit in user code. nest is initally empty, readable by anyone, writable only by lynux
Let's Compile and Run squirrel.c SUID to the Rescue
[lynux@localhost setuid]$ gcc -o squirrel squirrel.c ; ls -al squirrel But if lynux makes the file suid ...
-rwxrwxr-x 1 lynux lynux 5208 2008-09-16 06:45 squirrel
[lynux@localhost setuid]$ chmod u+s squirrel
Now lynux can add items to the nest ... [lynux@localhost setuid]$ ls -al squirrel
-rwsrwxr-x 1 lynux lynux 5208 2008-09-16 06:45 squirrel
[lynux@localhost setuid]$ cat nest
[lynux@localhost setuid]$ squirrel aaa ... then gdome can write to it via squirrel:
[lynux@localhost setuid]$ cat nest
aaa [gdome@localhost setuid]$ ./squirrel ccc
[lynux@localhost setuid]$ squirrel bbb [gdome@localhost setuid]$ cat nest
[lynux@localhost setuid]$ cat nest aaa
aaa bbb
bbb ccc
... but poor gdome can't:
[gdome@localhost setuid]$ ./squirrel ccc

Unable to open file
Can We Make Squirrel a Script? Problems with squirrel2 script

Does lynux need to write squirrel in C? Lynux makes squirrel2.sh suid and takes it for a spin:
Why not just use the following bash script named "squirrel2.sh"?
[lynux@localhost setuid]$ chmod u+s squirrel2.sh; ls -al squirrel2.sh
#!/bin/bash -p -rwsrwxr-x 1 lynux lynux 161 2008-09-16 06:59 squirrel2.sh
# squirrel expressed as a bash script
# The -p option says to pay attention to [lynux@localhost setuid]$ squirrel2.sh ddd; cat nest
# setuid and setgid bits aaa
if (($#>=1)) bbb
then ccc
echo $1 >> nest ddd
fi
Sadly, gdome can't use it:
[gdome@localhost setuid]$ ./squirrel2.sh eee

./squirrel2.sh: line 8: nest: Permission denied
Why? For safety reasons, this version of Linux does not allow
shell scripts to be suid!
Circumventing the Restriction with execv Compile & Run squirrel3.c
[lynux@localhost setuid]$ gcc -o squirrel3 squirrel3.c
Do we have to write all suid programs in C rather than as bash scripts?
[lynux@localhost setuid]$ chmod u+s squirrel3; ls -al squirrel3
Sort of ... but there's a trick to transform a bash script to a C program. -rwsrwxr-x 1 lynux lynux 4820 2008-09-16 07:08 squirrel3
Here's a C program named squirrel3.c that runs the script squirrel2.sh : [lynux@localhost setuid]$ echo –n > nest; ls –al nest
-rw-rw-r-- 1 lynux lynux 0 2008-09-16 07:14 nest
/* squirrel3.c */ [lynux@localhost setuid]$ squirrel3 eee; cat nest

int main (int argc, char* argv) { eee
execv("squirrel2.sh", argv);
Even gdome can use squirrel3!
}
[gdome@localhost setuid]$ ./squirrel3 fff; cat nest
eee
fff
Moral: using C's execv, we can execute a bash script using suid!
The Rootshell: A Dangerous SUID Program Why rootshell shouldn t be SUID

/*** rootshell.c ***/ Suppose lynux compiles it and makes it SUID:
#include <stdio.h>
[lynux@localhost setuid]$ gcc -o rootshell rootshell.c
int main (int argc, char** args) {
[lynux@localhost setuid]$ chmod u+s rootshell; ls -al rootshell
/* rootshell <arg1> ... <argn>
acts like /bin/bash -p <arg1> ... <argn> */
-rwsrwxr-x 1 lynux lynux 4968 2008-09-16 07:19 rootshell
char* newargs[argc + 2];
int i; Now what if gdome uses it?
newargs[0] = "/bin/bash";
newargs[1] = "-p"; /* Essential for setuid root to work */ [gdome@localhost setuid]$ ./rootshell
for (i=1; i<argc; i++) { bash-3.2$ whoami
newargs[i+1] = args[i]; lynux
} bash-3.2$ ... go off and do anything as lynux ...
newargs[argc + 1] = NULL; /* Array must be null-terminated */
execv("/bin/bash", newargs); Oops! This program allows anyone to *become* lynux in a shell!
}
If the owner is root, this is called a "root shell".
It's obviously very dangerous (and beloved by hackers) because it
allows Elevation of Privilege.
Removing SUID from rootshell The SetGID (SGID) Bit
This is so dangerous that we better take away SUID: o On executable files, setGID bit can be used like setUID, except it
changes the effective group ID of the user executing the file.
[lynux@localhost setuid]$ chmod u-s rootshell
o On a directory, SGID causes new files/subdirectories to inherit
permissions of the directory.
[lynux@localhost setuid]$ ls -al rootshell
-rwxrwxr-x 1 lynux lynux 4968 2008-09-16 07:19 rootshell
[lynux@localhost download]$ mkdir shared
[lynux@localhost download]$ chgrp cs342stu shared
Now gdome can just create a new shell *owned by her* [lynux@localhost download]$ ls -al shared
total 16
[gdome@localhost setuid]$ ./rootshell drwxrwxr-x 2 lynux cs342stu 4096 2008-09-16 08:36 .
[gdome@localhost setuid]$ whoami # new shell, not the original drwxrwxr-x 4 lynux lynux 4096 2008-09-16 08:36 .
gdome
[gdome@localhost setuid]$ exit # exit the new shell [gdome@localhost ~]$ cd ~lynux/cs342/download/shared
exit [gdome@localhost shared]$ ls -al
total 16
[gdome@localhost setuid]$ # now back in original shell
drwxrwxr-x 2 lynux cs342stu 4096 2008-09-16 08:36 .
drwxrwxr-x 4 lynux lynux 4096 2008-09-16 08:36 ..
The SetGID (SGID) Bit (Continued) SGID in Practice: CS111 Drop Folders
/home/cs111/drop:
[gdome@localhost shared]$ touch one; ls –al one
drwxrwx--- 2 cs111 cs111 4096 Sep 8 11:17 .
-rw-rw-r-- 1 gdome gdome 0 2008-09-16 08:43 one
lrwxrwxrwx 1 root root 29 Sep 8 11:17 astud1 -> /students/astud1/cs111/drop
...
[gdome@localhost shared]$ chmod g+s .
chmod: changing permissions of `.': Operation not permitted /home/cs111/drop/astud1:
drwxr-s--- 13 astud1 cs111 4096 Sep 2 20:39 .
[lynux@localhost download]$ chmod g+s shared; ls -al shared drwxr-s--- 3 astud1 cs111 4096 Sep 6 01:15 ps01
drwxrwsr-x 2 lynux cs342stu 4096 2008-09-16 08:43 shared drwxr-s--- 3 astud1 cs111 4096 Sep 15 23:35 ps02
...
[gdome@localhost shared]$ touch two; mkdir sub; ls -al
total 32 /home/cs111/drop/astud1/ps01:
drwxrwsr-x 3 lynux cs342stu 4096 2008-09-16 08:44 . drwxr-s--- 3 astud1 cs111 4096 Sep 6 01:15 .
drwxrwxr-x 4 lynux lynux 4096 2008-09-16 08:36 .. drwxr-sr-x 2 astud1 cs111 4096 Sep 6 01:16 Amanda_ps01
/home/cs111/drop/astud1/ps01/Amanda_ps01:
drwxrwsr-x 2 gdome cs342stu 4096 2008-09-16 08:44 sub
drwxr-sr-x 2 astud1 cs111 4096 Sep 6 01:16 .
-rw-rw-r-- 1 gdome cs342stu 0 2008-09-16 08:44 two -rw-r--r-- 1 astud1 cs111 9044 Sep 6 01:15 Buggle.class
...
-rw-r--r-- 1 astud1 cs111 2678 Sep 6 01:15 Writing.java
The Sticky Bit: Problem The Sticky Bit: Solution
Any user with write access to directory can delete a file from
directory, regardless of owner: The "sticky bit" on a directory allows users to delete only those files
owned by them. Used to protect files in shared directory /tmp
[lynux@localhost shared]$ touch important; chmod 700 important
[lynux@localhost shared]$ ls -al
[lynux@localhost shared]$ chmod +t .
total 36
[lynux@localhost shared]$ touch important2
drwxrwsr-x 3 lynux cs342stu 4096 2008-09-16 09:06 .
[lynux@localhost shared]$ chmod 700 important2; ls -al
total 36
-rwx------ 1 lynux cs342stu 0 2008-09-16 09:06 important
drwxrwsr-t 3 lynux cs342stu 4096 2008-09-16 09:09 .
-rwx------ 1 lynux cs342stu 0 2008-09-16 09:09 important2
-rw-rw-r-- 1 gdome cs342stu 0 2008-09-16 08:44 two
[gdome@localhost shared]$ rm important drwxrwsr-x 2 gdome cs342stu 4096 2008-09-16 08:44 sub
rm: remove write-protected regular empty file ìmportant'? y -rw-rw-r-- 1 gdome cs342stu 0 2008-09-16 08:44 two
[gdome@localhost shared]$ ls -al [gdome@localhost shared]$ rm important2

total 32 rm: remove write-protected regular empty file ìmportant2'? y
drwxrwsr-x 3 lynux cs342stu 4096 2008-09-16 09:06 . rm: cannot remove ìmportant2': Operation not permitted
-rw-rw-r-- 1 gdome cs342stu 0 2008-09-16 08:44 two
Password-protecting Web Pages: .htaccess Setting an HTTP password

Can require an HTTP password on a directory via .htaccess file in it. Can set HTTP password for gdome by executing the following as root:
# begin file .htaccess
AuthUserFile /var/www/htpasswd
# The first time (-c creates password file; -m uses MD5 hashing)
AuthGroupFile /dev/null htpasswd -c -m /var/www/htpasswd gdome
AuthName ByPassword
AuthType Basic # Subsequent times
htpasswd -m /var/www/htpasswd gdome
<Limit GET>
require user gdome # prompt gdome for http password Warning: http passwords are sent in the clear!
</Limit> (We'll see this later in semester using Wireshark.)
# end file .htaccess
Some other options are helpful

allow from .wellesley.edu # allow those from wellesley domain
allow from 149.130. # allow those from wellesley machines
require valid-user # allow any user with http password,
# not just gdome
Real-Life Access-Control Design Problem File Attributes
Goal: CS111 pset solutions viewable on web by staff but not students. In addition to permissions, Linux ext2 files also have attributes
settable via chattr (by root only) and gettable via lsattr.
Important details: These include:
• don’t want solutions to be world-readable on puma
o a : (append only) Can only append to file with this attribute.
• viewable web pages must be readable by user apache.
o c : (compressed) A file with this attribute is compressed when
How to achieve this goal? written to disk and uncompressed when read from disk.
o i : (immutable) A file with this cannot be modified, deleted or
renamed, and no link can be created to this file.
See man pages and Hacking Linux Exposed for more details.
File Attribute Example: i flag File Attribute Example: a flag

[lynux@localhost shared]$ touch itest; ls –al itest [lynux@localhost shared]$ touch atest; ls –al atest
-rw-rw-r-- 1 lynux cs342stu 6 2010-09-20 03:01 itest -rw-rw-r-- 1 lynux cs342stu 6 2010-09-20 02:58 atest
[lynux@localhost shared]$ echo foo > itest; cat itest [lynux@localhost shared]$ echo foo > atest; cat atest
foo foo
[root@localhost shared]# chattr +i itest [root@localhost shared]# chattr +a atest

[root@localhost shared]# lsattr itest [root@localhost shared]# lsattr atest
----i--------- itest -----a-------- atest
[lynux@localhost shared]$ echo bar" > itest [lynux@localhost shared]$ echo bar" > atest
bash: itest: Permission denied bash: atest: Operation not permitted
[lynux@localhost shared]$ echo bar" >> atest; cat atest
foo
bar

05 Linux Access Control

Uploaded by

Copyright:

Available Formats

05 Linux Access Control

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

05 Linux Access Control

Uploaded by

Copyright:

Available Formats

Linux IDs and /etc/passwd

Linux Authentication and

[fturbak@puma ~] getent group cs242stu

Checking/Changing Who You Are: Examples

File Permissions in Linux What Do Permissions Mean?

Changing File Permissions in Linux Changing File Permissions in Linux (Continued)

Notes: [lynux@localhost ~]$ chgrp cs342stu owntest

The SetUID (SUID) Bit Playing with SetUID: A Squirrel program

... but poor gdome can't:

[gdome@localhost setuid]$ ./squirrel ccc

Can We Make Squirrel a Script? Problems with squirrel2 script

[gdome@localhost setuid]$ ./squirrel2.sh eee

/* squirrel3.c */ [lynux@localhost setuid]$ squirrel3 eee; cat nest

The Rootshell: A Dangerous SUID Program Why rootshell shouldn t be SUID

[gdome@localhost shared]$ ls -al [gdome@localhost shared]$ rm important2

Password-protecting Web Pages: .htaccess Setting an HTTP password

Some other options are helpful

File Attribute Example: i flag File Attribute Example: a flag

[root@localhost shared]# chattr +i itest [root@localhost shared]# chattr +a atest

You might also like