To ensure system security, you must establish good file and directory standards. On Sept. 12, Jim McIntyre provided an introduction to the Linux file system, and he discussed how to limit or allow user permission to files and directories.If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.
To ensure system security, you must establish good file and directory standards. On Sept 12th, Jim McIntyre provided an introduction to the Linux file system, and he discussed how to limit or allow user permission to files and directories. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
Welcome to Tonight’s discussion on Linux logfile management
MODERATOR: Welcome everyone to tonight’s guild meeting! Tonight we have the honor of having Mr. Jim McIntyre here to speak about our favorite subject, Linux! This month we are also very glad to be giving away a new motherboard and CPU from our good friends at PogoLinux!
JIM MCINTYRE: Hi everyone. I'll be speaking about the Linux file system tonight. I’ll discuss files, directories, mount points, permissions, and anything else you folks can think of.
MODERATOR: Please don't hesitate to ask questions! We have a great group of people here tonight who are more than willing to help you through all your Linux needs!
The Linux File System
JIM MCINTYRE: A short primer on the Linux file system before we start. The Linux file system is not the same type of file system that PC users are familiar with. C:\ doesn't exist anymore. Now, we deal with the root of the file system, \, and directories that are selected as mount points. Each of these mount points becomes a logical drive. The advantage here is that these mount points may exist independently of one another, making protection of the file system much easier than in Windows.
T_LINDSEY: Nice to have the system data be the most important thing in an OS again.
Security in Linux
DANIEL.FORTIN: What's so special with the Linux security?
JIM MCINTYRE: The biggest advantage to the Linux security model is its flexibility. Security can be applied in almost unlimited ways to files, directories, programs, the kernel, users, etc.
DANIEL.FORTIN: How does Linux security work?
T_LINDSEY: If your users shouldn't be messing with it, they can't!
JIM MCINTYRE: The most important aspect of Linux security is the set of permissions applied to any given file or directory. There are three basic user permissions: read (r), write (w), and execute (x). The combination of these access rights and how they are applied determine the security of your file system. Every Linux file and directory has three sets of permissions applicable to it. These are user (or owner) permission, group permissions, and other permissions.
DANIEL.FORTIN: Tell us more about these combinations.
JIM MCINTYRE: The user, or owner, is the user who actually controls the file. When you create a file in Linux or install a program, you become the owner of this file or program.
T_LINDSEY: One important thing to remember about Linux is that every file, executable or image file, is a text file. It’s the permissions that determine if you can execute it or not.
DANIEL.FORTIN: If we have the user permissions, can we decide who can use the file?
JIM MCINTYRE: If you are the owner of the file, you can set the permissions for that file.
T_LINDSEY: Or root, which is the administrator, can.
JIM MCINTYRE: The next set of permissions belongs to the group the user belongs to. Typically, when a user, let's say Jim, is created, that user is automatically placed in a group with the same name as the user. So Jim would automatically be placed in the group Jim.
DANIEL.FORTIN: Can root bypass any user permission?
JIM MCINTYRE: Root may bypass anything on the system. There are no restrictions on what root can do.
T_LINDSEY: That's why hackers and crackers try to get root when they get access to a system.
JIM MCINTYRE: The third permission applied to a file or directory applies to "other.” This means everybody else, other than the user or the user's group.
MODERATOR: Anyone here ever heard of a 'root kit'?
JIM MCINTYRE: A root kit is used by hackers to cover their tracks. The root kit replaces system binaries and log files, making forensics much more difficult to perform.
JIM MCINTYRE: Back to the three permissions. I'm going to use the octal method for changing permissions. It's just my personal preference. The three permissions—read, write, and execute—are assigned the values 4, 2, and 1, respectively. If all rights are given to the owner of a file and no rights are given to anyone else, I would use the command chmod 700 jims-file.
EECKEL: What's the octal method, Jim?
T_LINDSEY: Each field, (read, write, exec) has a binary value equated with the different groups. It’s easier to memorize at first than understand.
JIM MCINTYRE: In the octal system, the rightmost digit represents 2 to the zero power, or 1, the middle is 2 to the first power, or 2, and the leftmost digit is 2 to the second power, or 4. Whenever I need to change permissions, I know that 7 gives all rights, 6 gives read and write permission, and 4 gives read permission only.
MIKKILUSA: Does this work in Solaris as well?
JIM MCINTYRE: It works with any nix. This is one of the best aspects of Linux/UNIX. It means that on a multiuser system, Jim can log in, and he will be unable to see any of the files in Jack's home directory.
MODERATOR: Unless Jack wants Jim to see them.
JIM MCINTYRE: Precisely. It's your home directory, your decision as to who sees what.
T_LINDSEY: “You” meaning a sys admin with root.
MODERATOR: You can even add users to groups and give the group whatever permissions you choose, which makes administrating a system easier and faster.
JIM MCINTYRE: Exactly. Add an accounting group to give multiple users read/write permission to spreadsheets, make an administration group, whatever the system requirements are.
T_LINDSEY: Chalk another up to the PFM value. Can I mention another way to change file permissions? It's not confusing, I promise.
MODERATOR: Go right ahead, T_Lindsey.
T_LINDSEY: You can change the file permissions via Midnight commander as well. It puts a slightly GUI interface on it.
FRANK: How does one assign permission to the group and in turn add users to that group?
MODERATOR: Do you want to walk the good audience through creating a group and adding users to that group, Jim?
FRANK: I would appreciate it, Jim.
JIM MCINTYRE: The home directory is created when the user is created by root. Your home directory is where the preferences for your operating environment are stored and read when you log in. It's also where you keep most of the data files you create. The preferences stored in your home directory are what make it possible for two users to use the same desktop with a completely different setup, unlike Windows.
EECKEL: Ahhhh, c'mon. Windows profiles allow two users to access the same desktop with a completely different setup. That's been around since the old NT days.
T_LINDSEY: Not so with Windows, It's been proven that the Recycle Bin is shared between users. So any doc you throw away and not empty is subject to viewing by another user.
DANIEL.FORTIN: Just add a script to flush the Recycle Bin when the user logs off.
T_LINDSEY: Now I have to add a third-party script to "help" Windows become secure?
EECKEL: The Recycle Bin can be set to automatically delete files. That's not a problem for a qualified Network Administrator. Plus, that wasn't the point. The point was separate desktop environments on the same machine. Windows does that. Just keeping the facts straight.
If Windows is installed and administered properly, unique desktop environments result. With the use of properly configured profiles, that is.
T_LINDSEY: Also, you can't have multiple users hit a Win box at the same time, now can you?
EECKEL: Sure you can. It's called a server.
MODERATOR: You also can't have more than one user logged in at the same time on a desktop.
MIKKILUSA: What are the default write permissions that the user has?
T_LINDSEY: Does a user, by default, have write access to /usr/local?
MODERATOR: No sir, only root has access to /usr/local by default. I just ran ls -l /usr and saw that all ownership (at least on RedHat 6.2) was for root.
JIM MCINTYRE: This is why you need to be root to install a lot of popular X-Windows applications; Adobe Acrobat comes to mind. The install of many games wants to go in /usr/local/games so you have to be root to install them into that directory. You can often choose other directories to install them (say your user's home directory), which would allow you to install them as user.
T_LINDSEY: Can you as root make those choices when you set up a new user?
JIM MCINTYRE: Don't give users write permissions where they are not required. Execute and read permission will let them get their work done without compromising security.
T_LINDSEY: Thanks. I have lots of Linux experience, but not much on a multiuser system.
JIM MCINTYRE: The next area for security is passwords. The first rule for passwords is: Never allow a user account to exist without a password.
T_LINDSEY: Does rule #2 involve shadow passwords?
JIM MCINTYRE: Always use shadow passwords. Normally, user passwords are encrypted and stored in the /etc/passwd file. If you run the command cat /etc/passwd, you will find your user name in the first field, followed by either your encrypted password or an 'x' in the second field.
Cleaning off a Partition
EECKEL: I've tried to wipe clean a hard disk with Linux partitions on it so I can start from scratch. But, I've only built skills with fdisk (go figure) and it can't delete all the partitions to require a clean start. What can I use, other than a large magnet, to wipe Linux files clean off a partition?
T_LINDSEY: Lilo giving you fits or is it the extended/logical partitions?
EECKEL: The logical partition. I can handle Lilo edits. I can't get rid of the extended/logical partitions.
T_LINDSEY: You can boot off a Linux install disk, erase the partitions, then cold boot your machine.
EECKEL: Are file permissions inherited in Linux?
MODERATOR: If I (user) create a directory within my home directory that new directory inherits all the permissions of the user, which should have the same permissions as the user’s home directory. Does that answer your question?
EECKEL: Let's say you have directory B, which is created as a subdirectory of A. Does it have the rights of A?
MODERATOR: Yes, it does, unless you created that directory as root (in a user’s directory).
EECKEL: Cool. Thanks. Only a Paper RHCE would create a file directory as root.
MODERATOR: I've done that a number of times because I wasn't paying attention.
T_LINDSEY: Yeah, I've done that moving in menu files into a user’s directory.
MODERATOR: I usually erase that directory before anyone can see it.
MODERATOR: I have a question for you, Jim. Would you like to explain to the audience what SUDO is?
JIM MCINTYRE: Sure. Typically, users will use the SU command to switch users. The problem with SU is that it is not very secure. When you issue SU, you are given the full rights of the user you switched to.
FRANK: When you SU to root, you gain all permissions.
JIM MCINTYRE: SUDO is more secure in that it allows the admin to establish lists of users with varying responsibilities on the system. One group might be able to manage the print queues but not be able to configure any networking functions.
DANIEL.FORTIN: How can we block the use of SUDO?
JIM MCINTYRE: It isn't installed by default. SUDO must be installed and configured independently.
SUDO provides much more flexibility in assigning privileges to users. It reduces the damage they are able to do to your system. Another advantage to SUDO is that it runs in conjunction with PAM and syslogd.
T_LINDSEY: So you can configure SUDO to recognize different admin groups, say network, print, user addition?
DANIEL.FORTIN: How can we assign privileges with SUDO?
JIM MCINTYRE: Privileges are assigned by editing the /etc/sudoers file. If a user is not included in the sudoers, they won't be assigned the privileges of a particular group.
Journaling File Systems
T_LINDSEY: Have you used any of the journal FS? If so, what do you think of them?
MODERATOR: I've not used it yet. Has anyone else? I might know someone who can answer that question though.
DANIEL.FORTIN: FS? What’s that?
MODERATOR: It stands for journaling file system (fs for file system I think is what he's asking).
T_LINDSEY: I've been thinking about toying with the reiser FS, but I haven't yet.
JIM MCINTYRE: I haven't used a journaling file system with Linux yet. I didn't know one was out there.
MODERATOR: I'll ask around my circle and see if I can find an opinion or two. E-mail me to remind me to send you what I find out.
T_LINDSEY: An AIX guru at work keeps on about them.
MODERATOR: I know they are fast and better at recovery but not good for, say, desktop use.
JIM MCINTYRE: Linux needs a journaling file system.
MODERATOR: I know that with JFS a power outage won't take you down, and you'll be back up in no time. It's like instant boot.
T_LINDSEY: Well, IBM just opened up their JFS.
MODERATOR: I'll see what I can find out about it. Maybe I can get a drill down on it.
MODERATOR: Looks like tonight’s winner of yet another chance to win a great prize (FIC SD-11 Athlon motherboard & Intel 466 MHz CPU + fan, courtesy of PogoLinux) is Daniel.fortin!
JIM MCINTYRE: Good questions, Daniel.
MODERATOR: Daniel, if you would please send your contact info (including full name and e-mail) to firstname.lastname@example.org, we'll make sure you are registered for the prize.
Please don't hesitate to send your questions to me, email@example.com, and I'll see to it that they are answered.
JIM MCINTYRE: I'll be speaking again on Oct 10. Looking forward to it.
MODERATOR: Well everyone I hope you enjoyed tonight’s meeting. Thank you so kindly Jim! Take care everyone. Don’t forget to spread the Linux word as fast and as hard as you can!
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.