How Unix security works

Access Modes

Every file and every directory has 3 types of access, being read access, write access and execute access, for 3 classes of users: user, group and other. The first class is the owner of the file. The second class holds the access rights for a group of users. The third set of access rights applies to any other user (one who is neither the owner nor a member of the group that has access rights to the file or directory).

With the -l option (long list) of ls, you can find out the access rights for any given file or directory:

tille:~>ls -l verlanglijst 
-rw-rw-r--    1 tille    tille         200 Apr 13 10:23 verlanglijst

The file verlanglijst is owned by user tille, who has a group of his own (each user having a private group is common on some newer Unix systems). It is readable and writable for the user tille and for any other users that may be in group tille, and every other user can read the file.
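To make the three classes concrete, here is an added example (not from the original tutorial) that models how the system picks one class for a requesting user and checks the requested operation against that class only. The mode string, owner, group and user names are the ones from the listing above plus constructed cases; the superuser, who bypasses these checks, is not modelled.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a small model of how the
# kernel picks ONE of the three permission classes for a requester and then
# checks the requested operation against that class only.
#
# unix_access MODE OWNER GROUP USER "GROUPS" OP
#   MODE   the 9-character string from ls -l, e.g. rw-rw-r--
#   OWNER  owning user, GROUP owning group (the two names ls -l prints)
#   USER   the requesting user, GROUPS the requester's groups (space separated)
#   OP     r, w or x
# Prints CLASS:allowed or CLASS:denied and returns 0 (allowed) or 1 (denied).
# The superuser (root) is not modelled here; root bypasses these checks.
unix_access() {
  mode=$1 owner=$2 group=$3 user=$4 groups=$5 op=$6
  # Class selection: owner first, then group membership, else other.
  # The classes are never merged: an owner is judged by the user bits alone.
  if [ "$user" = "$owner" ]; then
    class=user; bits=$(printf '%s' "$mode" | cut -c1-3)
  else
    class=other; bits=$(printf '%s' "$mode" | cut -c7-9)
    for g in $groups; do
      if [ "$g" = "$group" ]; then
        class=group; bits=$(printf '%s' "$mode" | cut -c4-6)
        break
      fi
    done
  fi
  granted=1
  case $op in
    r) case $bits in r??) granted=0 ;; esac ;;
    w) case $bits in ?w?) granted=0 ;; esac ;;
    x) case $bits in ??[xst]) granted=0 ;; esac ;;   # s/t imply x is set
    *) echo "unix_access: op must be r, w or x" >&2; return 2 ;;
  esac
  if [ "$granted" -eq 0 ]; then printf '%s:allowed\n' "$class"
  else printf '%s:denied\n' "$class"; fi
  return "$granted"
}

# Constructed cases around the tutorial's file verlanglijst
# (mode rw-rw-r--, owner tille, group tille); user "www" is constructed.
unix_access rw-rw-r-- tille tille tille "tille" w        # user:allowed
unix_access rw-rw-r-- tille tille www "www tille" w      # group:allowed
unix_access rw-rw-r-- tille tille www "www" w            # other:denied
unix_access rw-rw-r-- tille tille www "www" r            # other:allowed
# The owner is judged by the user bits even when group/other are wider:
unix_access ---rwxrwx tille tille tille "tille" r        # user:denied
```

The last case is the one worth remembering when reviewing permissions: a file whose owner bits are empty is inaccessible to its owner even if the group and other bits allow everything, because only one class is ever consulted.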

Access control

The types of access have a value:

read (r) = 4
write (w) = 2
execute (x) = 1

The chmod command (change mode) uses these values: the rights given to each class are added up, which yields 3 numbers between 0 and 7. In the example above, the file verlanglijst has the value 664.

Some practical examples
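As an added example (not from the original tutorial), the following script converts the permission string that ls -l prints into the octal number chmod accepts, including the leading digit for the setuid, setgid and sticky bits described in the manual extract, and then verifies the round trip on a scratch file. It uses only POSIX tools (ls, cut, mktemp, chmod); the file name verlanglijst is taken from the listing above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): convert the permission string
# that ls -l prints into the octal number chmod accepts, then verify the round
# trip on a scratch file. Uses only POSIX tools (ls, cut, mktemp, chmod).

# perm_to_octal "rw-rw-r--" -> 664 ; perm_to_octal "rwsr-xr-x" -> 4755
# The three low digits are the user/group/other triplets (r=4, w=2, x=1);
# a non-zero leading digit encodes setuid (4), setgid (2) or sticky (1),
# which ls shows as 's' or 't' in place of 'x'.
perm_to_octal() {
  perms=$1
  digits=""
  special=0
  i=0
  while [ "$i" -lt 9 ]; do
    triplet=$(printf '%s' "$perms" | cut -c"$((i + 1))-$((i + 3))")
    d=0
    case $triplet in r??) d=$((d + 4)) ;; esac
    case $triplet in ?w?) d=$((d + 2)) ;; esac
    case $triplet in ??[xst]) d=$((d + 1)) ;; esac   # lowercase = execute set
    case $i in
      0) case $triplet in ??[sS]) special=$((special + 4)) ;; esac ;;
      3) case $triplet in ??[sS]) special=$((special + 2)) ;; esac ;;
      6) case $triplet in ??[tT]) special=$((special + 1)) ;; esac ;;
    esac
    digits="$digits$d"
    i=$((i + 3))
  done
  if [ "$special" -ne 0 ]; then
    printf '%s%s' "$special" "$digits"
  else
    printf '%s' "$digits"
  fi
}

# file_mode PATH -> the 9-character permission string from ls -ld
# (characters 2-10; a trailing '+' or '.' for ACLs/SELinux falls outside it).
file_mode() {
  ls -ld "$1" | cut -c2-10
}

# Create a scratch file, apply two modes with chmod and report what ls shows
# for each, as octal. Prints "664 640".
demo_chmod() {
  dir=$(mktemp -d) || return 1
  f="$dir/verlanglijst"
  : > "$f"
  chmod 664 "$f"
  before=$(file_mode "$f")
  chmod 640 "$f"        # take read access away from "other"
  after=$(file_mode "$f")
  rm -rf "$dir"
  printf '%s %s\n' "$(perm_to_octal "$before")" "$(perm_to_octal "$after")"
}

demo_chmod
```

Reading the mode back through ls rather than trusting the number you passed to chmod is the habit worth keeping: it is how you catch a setuid bit you did not intend, which ls shows as an s in the execute position.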

Note

This is a simple explanation of chmod. In the manual, you will see that there are actually 4 octal digits specifying the security of a file, as shown in this extract from the chmod manual:


       A numeric mode is from one to  four  octal  digits  (0-7),
       derived  by  adding  up  the bits with values 4, 2, and 1.
       Any omitted digits are assumed to be leading  zeros.   The
       first  digit  selects the set user ID (4) and set group ID
       (2) and save text image (1) attributes.  The second  digit
       selects  permissions  for the user who owns the file: read
       (4), write (2), and execute (1); the third selects permissions
       for other users in the file's group, with the same
       values; and the fourth for other users not in  the  file's
       group, with the same values.

Some Unix systems provide extra permission facilities that go beyond the standard Unix file permissions. Examples are filesystem-specific attributes (e.g. on Linux ext2 filesystems, files can carry extra restrictions such as append-only, compressed, immutable or undeletable) and Access Control Lists (e.g. on Solaris). Type man chattr or consult your vendor's system-specific documentation.

Changing file ownership

Changing the user or group ownership of a file is done with the GNU chown command (change owner). Although both kinds of ownership are changed with the same command, they are independent of each other. E.g. you need not be a member of the group that owns the file in order to be able to change it: your own group is then considered as "other", and if the permissions allow it, you can change the file.

User and group ownership can be changed in one command:

chown newuser:newgroup file

See man chown for more.

Switching between users

When you know the password of another user's account, you can present yourself to the system with that user's permissions using the su command (switch user). E.g. the intranet website of your company is managed by a special user called "www". In order to change the site, use

su - www

You will be prompted to enter the password for user "www". After the authentication process, you are working on the system using the permissions of user "www". Check with the id -a command:

[tille@rincewind tille]$ su - www
Password:
[www@rincewind www]$ id -a
uid=501(www) gid=501(www) groups=501(www)

The root user

So every file is owned by somebody, and so is every process. If you want to handle a file or a process, you have to be its owner. Clearly some way is needed to get around this restriction: who will clean up the mess? Who will modify the system files and services? On a Unix system, this power belongs to the "superuser" or "root".

The root account should always be protected with a password, and the root user is not obliged in any way to share it with the other users. This prevents people from reading each other's mail and from harassing other people, and generally prevents a great deal of accidents.

The root user (system administrator) should only use root status when necessary, and only with full concentration. Root status gives full control over the system, so you should be careful when "being" root. Should you need to become root, always log in as a normal user and then use the su - (switch user) command, which gives you root status when no user name is given. When connecting to a system over the network, use ssh (see above: connecting to a system) if you want to connect directly using the root account.

In this document, we'll assume that you don't know the password for the root account. Almost any command discussed in this document can be executed without superuser status.