In SUSE there are three security levels, easy, secure and paranoid, which determine which permissions.* file is applied: permissions.easy, permissions.secure or permissions.paranoid, all under /etc. You can set the security level via YaST -> Security and Users -> Security Settings, or edit the corresponding permissions.* file directly.
The permissions of the more than 200,000 files included in a SUSE distribution are carefully chosen. A system administrator who installs additional software or other files should take great care when doing so, especially when setting the permission bits.
To minimize damage from incorrect permissions, SLES includes four so-called permissions files, /etc/permissions, /etc/permissions.easy, /etc/permissions.secure and /etc/permissions.paranoid, all in the directory /etc. The purpose of these files is to define special permissions, such as world-writable directories or, for files, the set-user-ID bit (a program with the set-user-ID bit set does not run with the permissions of the user who launched it but with the permissions of the file owner, in most cases root).
An administrator can use the file /etc/permissions.local to add entries for specific files, directories and devices according to the local security policy; entries in this file override those specified in the other permissions files.
The local security setting (easy, secure, or paranoid) can be configured either via YaST or in /etc/sysconfig/security.
For example, /etc/sysconfig/security may contain:

PERMISSION_SECURITY="easy local"

The /etc/permissions.local shipped with the distribution, which that setting makes chkstat read after permissions.easy, looks like this (the suexec2 and Xorg entries are commented out, so they have no effect until an administrator enables them):

# /etc/permissions.local
#
# Description: Roman Drahtmueller, 2001
#
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
#
# In particular, this file will not be touched during an upgrade of the
# SuSE Linux installation. It is designed to be a placeholder for local
# additions by the administrator of the system to reflect filemodes
# of locally installed packages (usually under /opt/local or /usr/local).
#
# Format:
# <file> <owner>:<group> <mode>
#
# Please see the file /etc/permissions for general usage hints of the
# /etc/permissions* files.
# Keep in mind that this file (/etc/permissions.local) is being used by
# default by SuSEconfig, the shell script that is used by yast and yast2
# after package installation and configuration changes to make the changes
# effective for the respective packages (eg generating the "real"
# configuration files).
# Always check if there are no conflicts between your "local" changes here
# and the settings in the other permissions files by calling
# "SuSEconfig" as root!
# Please remember that logfiles might be modified by the logfile
# rotation facilities (e.g. logrotate) so local settings might
# be overridden.
#
# example:
#/usr/local/bin/mtr root.root 4755
/var/spool/clientmqueue smmsp:smmsp 770

#/usr/sbin/suexec2 root:root 4755
# setuid bit on Xorg is only needed if no display manager, ie startx
#/usr/bin/Xorg root:root 4711
The program /usr/bin/chkstat is a tool to check and set file permissions. Multiple permissions files can be given on the commandline. If the permission files contain multiple entries for a single file, the last entry found will be used.
chkstat [--set|-set] [--noheader] [[--examine file ]...] [[--files filelist ]...] [[--root directory ]...] permission-file ...
chkstat -set /etc/permissions.local
will parse the file /etc/permissions.local and set the access mode and the owner and group of each file listed. The format of the input file is
FILEPATH OWNER:GROUP MODE
and wildcards are not supported for the file path. Lines starting with '#' and empty lines are treated as comments.

SUSE Linux includes a utility called chkstat (not the most imaginative name) that checks, and optionally corrects, the ownerships and permissions of key files in the filesystem. As such, it can be used as a low-grade system hardening tool, or perhaps for intrusion detection if an intruder has left permissions deliberately lax. chkstat reads one or more permissions files to find out which files to check and what their ownership and permissions are supposed to be. The system ships with several permissions files, described in the table below.

File in /etc: Description

permissions: A really basic set of permissions. File modes that differ from the settings in this file should be considered broken, not merely insecure.

permissions.easy: A fairly lax set of permissions for use on standalone single-user systems.

permissions.secure: A more secure set of permissions for use on multiuser or networked systems. To quote from the comments in the file itself: "The primary target of this configuration is to make the basic things such as changing passwords, the basic networking programs as well as some of the all-day work programs properly function for the unprivileged user."

permissions.paranoid: A very secure set of permissions. This file is similar to permissions.secure but has all the set-user-ID and set-group-ID bits cleared. These settings will prove inconvenient for ordinary users and are probably best reserved for servers or firewalls which do not support ordinary user log-ins.

permissions.local: This file provides a place for administrators to add entries for locally installed programs, for example those in /opt or /usr/local.
Entries in these files have the syntax:
filename owner:group mode
For example, here are a few lines from /etc/permissions.secure:
/usr/bin/passwd root:shadow 4755
/usr/bin/crontab root:trusted 4750
/etc/fstab root:root 644
/var/spool/fax/archive fax:uucp 700
The file permissions (mode) are written in octal. The 4000 bit is the set-user-ID bit (2000 is the set-group-ID bit and 1000 the sticky bit); the bottom three digits correspond to the usual rwxrwxrwx permissions on the file.
Comparing permissions.secure with permissions.paranoid, you can see that (for example) in the paranoid settings the passwd command does not run set-uid to root:
/usr/bin/passwd root:shadow 0755
This means that nonroot users would not be able to change their passwords.
To run chkstat against the permissions.secure file (for example), just supply the file name as an argument. On my test system, the command:
# chkstat /etc/permissions.secure
produces no output: the system passes with flying colors (whatever that means). Running chkstat against permissions.paranoid, however, produces a long list of warnings, mostly about config files that are readable by nonroot users, or about programs that have the set-user-id bit on.
Running chkstat with the --set option tells it to fix the problem automatically. Let's try making one of the permissions deliberately too lax, and re-run the program. The line numbers in this listing are for reference; they are not part of the input or output.
1  # chmod 666 /etc/fstab
2  # chkstat /etc/permissions.secure
3  Checking permissions and ownerships - using the permissions files
4      /etc/permissions.secure
5  /etc/fstab should be root:root 0644. (wrong permissions 0666)
6  # chkstat --set /etc/permissions.secure
7  Checking permissions and ownerships - using the permissions files
8      /etc/permissions.secure
9  setting /etc/fstab to root:root 0644. (wrong permissions 0666)
10 # ls -l /etc/fstab
11 -rw-r--r-- 1 root root 670 Oct 11 09:35 /etc/fstab
At line 1, I deliberately changed the permissions on /etc/fstab. At lines 2-5, I ran chkstat and it duly reported the problem. At lines 6-9, I ran chkstat again with the --set flag, and at lines 10 and 11 verified that chkstat had indeed corrected the permissions problem.
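The permissions-file format described above (FILEPATH OWNER:GROUP MODE, comments, last entry wins) and the check/--set experiment just shown can be reproduced without a SUSE box. The following is an added example written for this page, not SUSE's chkstat and not the author's code: it parses permissions files the way chkstat does, compares the entries with a directory tree and optionally fixes them, and repeats the fstab experiment in a scratch directory. The SECURE and LOCAL strings are constructed from the entries quoted on this page; the uid_of/gid_of lookup tables stand in for the passwd and group databases so the demo needs no root; and the message wording mimics the chkstat output quoted above but is not guaranteed to match the real tool byte for byte.

```python
"""Added example, not SUSE's chkstat: re-implements its checks so the
permissions-file format and --set behaviour can be tried offline.  Owner and
group names come from caller-supplied tables, so no root or SUSE box is needed."""
import os
import stat
import tempfile


def parse_permissions(text, entries=None):
    """Parse FILEPATH OWNER:GROUP MODE lines; feed the dict back in for the
    next file, since a path listed again keeps only its last entry (this is
    how permissions.local overrides the easy/secure/paranoid file)."""
    entries = {} if entries is None else entries
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and blank lines
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'PATH OWNER:GROUP MODE', got {raw!r}")
        path, ownership, mode_text = parts
        sep = ":" if ":" in ownership else "."    # older files wrote OWNER.GROUP
        owner, _, group = ownership.partition(sep)
        mode = int(mode_text, 8)
        if not owner or not group or mode & ~0o7777:
            raise ValueError(f"line {lineno}: bad entry {raw!r}")
        entries[path] = (owner, group, mode)
    return entries


def risk_flags(mode):
    """Name the bits worth a second look: 4000 setuid, 2000 setgid, o+w."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:   # sticky /tmp is fine
        flags.append("world-writable")
    return flags


def check_tree(root, entries, uid_of, gid_of, fix=False):
    """Compare each entry with the file below root and report chkstat style.
    Missing files are skipped silently, as chkstat does; fix=True corrects."""
    messages = []
    for path, (owner, group, want_mode) in entries.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.lexists(full) or os.path.islink(full):
            continue                              # not installed, or a symlink
        st = os.lstat(full)
        have_mode = stat.S_IMODE(st.st_mode)
        want_ids, have_ids = (uid_of[owner], gid_of[group]), (st.st_uid, st.st_gid)
        problems = []
        if have_mode != want_mode:
            problems.append(f"wrong permissions {have_mode:04o}")
        if have_ids != want_ids:
            problems.append("wrong owner/group %d:%d" % have_ids)
        if not problems:
            continue
        target = f"{owner}:{group} {want_mode:04o}. ({', '.join(problems)})"
        messages.append(f"setting {path} to {target}" if fix else f"{path} should be {target}")
        if fix and have_mode != want_mode:
            os.chmod(full, want_mode)
        if fix and have_ids != want_ids:
            os.chown(full, *want_ids)             # needs root for real changes
    return messages


# Constructed data: the permissions.secure lines quoted on this page, plus a
# permissions.local entry that relaxes crontab and uses the old OWNER.GROUP form.
SECURE = """\
/usr/bin/passwd         root:shadow   4755
/usr/bin/crontab        root:trusted  4750
/etc/fstab              root:root     644
/var/spool/fax/archive  fax:uucp      700
"""
LOCAL = "# local override, later file wins\n/usr/bin/crontab root.trusted 4755\n"


def demo():
    """Repeat the page's 'chmod 666 /etc/fstab' experiment in a scratch tree."""
    entries = parse_permissions(LOCAL, parse_permissions(SECURE))
    with tempfile.TemporaryDirectory() as root:
        fstab = os.path.join(root, "etc", "fstab")
        os.makedirs(os.path.dirname(fstab))
        with open(fstab, "w") as fh:
            fh.write("/dev/sda1 / ext4 defaults 0 1\n")
        os.chmod(fstab, 0o666)                    # the deliberately lax mode
        st = os.lstat(fstab)                      # map names to ids we already own
        uid_of = dict.fromkeys(("root", "fax"), st.st_uid)
        gid_of = dict.fromkeys(("root", "shadow", "trusted", "uucp"), st.st_gid)
        before = check_tree(root, entries, uid_of, gid_of)
        fixed = check_tree(root, entries, uid_of, gid_of, fix=True)
        after = check_tree(root, entries, uid_of, gid_of)
        final_mode = stat.S_IMODE(os.lstat(fstab).st_mode)
    return {"crontab_mode": entries["/usr/bin/crontab"][2],
            "passwd_flags": risk_flags(entries["/usr/bin/passwd"][2]),
            "before": before, "fixed": fixed, "after": after, "final_mode": final_mode}
```

Calling demo() returns the three check runs: the first reports /etc/fstab at 0666, the --set equivalent reports what it corrected, and the third returns nothing, mirroring the listing above. The crontab entry ends up 4755 because the LOCAL text was parsed last, which is the override behaviour to keep in mind when adding lines to /etc/permissions.local.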
It's time to tie all this up with the File Permissions setting in the YaST security module you've seen in this lab. The setting made within YaST sets a line in the file /etc/sysconfig/security; for example, if I set the file permissions to "Easy," I will see a line in /etc/sysconfig/security like this:

PERMISSION_SECURITY="easy local"

This line says to run chkstat with the files permissions.easy and permissions.local as parameters.
The chkstat program is run by SuSEconfig, the script that YaST runs whenever it commits a configuration change. This means that the file permissions are checked pretty well every time you change something in YaST.
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: October 03, 2017