
What are file permissions in Linux and how can I make sure mine are secure? – CloudSavvy IT




In Linux, file permissions determine the access levels for file owners and everyone else. It is important to ensure that all web-facing files have their permissions set correctly, so that a compromised process cannot write to places that it should not.

What are file permissions?

File permissions track access for three different groups. Each group is represented by three bits:

  • r: With the “Read” permission, a process can read the contents of that file into memory.
  • w: The “Write” permission gives a process access to overwrite the physical location on the disk where the file is stored.
  • x: The “Execute” permission applies to programs and allows the file to be run.

The terminal displays permissions as follows:

Shown permissions.

The leading “d” indicates whether the file is a directory. The first group of three is for the file owner. In this case, the file owner has full read, write and execute access. The next group of three is for the “group owner”, which indicates the permissions of the group to which the file belongs, in this case read-only. The last group is everyone else, who also have read-only access.

In general, files with open permissions for “all” are not very secure. You want to make sure that the last group is set to read-only or no access for most files.

Under the hood, these are stored in binary, with each permission represented by one bit. For example, rw- is 110 in binary, which is 6 in decimal. So the permission string:

rwxrw-r--

… can be stored as “764.” File permissions will often be referred to in this way; “777” indicates full access, “700” is private, “644” is read-only. Technically, this is known as octal, not decimal, because there are eight possible values for each digit.
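The conversion described above can be written as a short shell function. This is an added example, not code from the original article; the function name perm_to_octal is hypothetical, and it rejects any character other than r, w, x and -.

```shell
#!/bin/sh
# Added example, not from the original article.
# Convert a permission string as printed by ls -l to its octal form.
perm_to_octal() {
    perm=$1
    # Drop the leading type character ("d", "-", ...) if it is present.
    if [ "${#perm}" -eq 10 ]; then perm=${perm#?}; fi
    if [ "${#perm}" -ne 9 ]; then
        echo "expected 9 permission characters: $1" >&2
        return 1
    fi
    octal=""
    while [ -n "$perm" ]; do
        rest=${perm#???}           # everything after the first three characters
        triplet=${perm%"$rest"}    # the first three characters: one group
        digit=0
        # Each position is one bit: r = 4, w = 2, x = 1, "-" = 0.
        case $triplet in r??) digit=$((digit + 4)) ;; -??) ;; *) return 1 ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; ??-) ;; *) return 1 ;; esac
        octal=$octal$digit
        perm=$rest
    done
    echo "$octal"
}

perm_to_octal rwxrw-r--    # the string from the article
perm_to_octal drwxr--r--   # a directory entry, with its type character
```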

For directories, permissions use the same characters, but they mean slightly different things:

  • r: List permission. Allows the directory to be opened and allows the use of ls. Requires the x attribute to be set.
  • w: Write permission. Allows you to create new files, delete files and rename files. Does not prevent changing the contents of existing write-enabled files in the directory.
  • x: Enter permission. Allows the use of cd. This is respected throughout the system, so a folder without it also cannot be opened in a GUI file explorer.

On some systems, especially macOS, there may be an “@” after the file permission string. This means that the file has extended attributes, which you can view with ls -l@. For example, the com.apple.quarantine attribute is assigned to executable files that have not been opened yet, so that Gatekeeper can block you from double-clicking them, forcing you to right-click > Open, and then unnecessarily asking whether you are really sure you want to open them.

What are file owners and groups?

The file owner is just a particular user, but users in Unix systems do not work the way they do in Windows. Unix can have different users for individual processes such as mysql and nginx. This can make permissions very granular; for example, an instance of MySQL running under the mysql user can access its own database, but the nginx user cannot.

User groups work in a similar way but support having multiple users with the same permissions. Users can be added to and removed from a group, and groups are optional when setting file permissions.

How to check file permissions in directories

You can view file and directory permissions by running ls -l in your terminal. File permissions are displayed on the far right:


To view the file permissions for a specific file or directory, pipe the ls output to grep:

ls -la | grep filename

Note that the current folder and the parent folder show their permissions as . and .. when using the -a flag. But even this shows only two levels of permissions. To view the permissions of every parent folder, use the namei command:

namei -l `pwd`

This command may not be installed on all Linux distributions. On macOS, you need to install it from brew.

To search folders for individual files that may have incorrect permissions, you can use the find command with the -perm flag:

find ~ -type f -perm 777

This searches recursively, so it may take some time if you run it on the root directory.

How to change file permissions and ownership

Changing file permissions is easy with the chmod command:

chmod 700 filename

You can also add permissions without entering a full permissions string. This is a shortcut, but it can save some time. For example, if you are unable to run a script file, you can add execute permission for the owner with:

chmod u+x filename

This adds the execute permission (x) for the current owner (u, for “user”).

Changing owners works the same way with the chown command:

chown owner:group filename

The “:group” part is optional. Both chmod and chown can be run recursively on directories, to change file permissions for everything within those directories. To do this, use the capital -R flag:

chmod -R 700 directory

You can also use chmod as the -exec option of find, which allows you to change file permissions throughout the system. For example, this command will find files that have open write permissions and set them to read-only:

find / -type f -perm 777 -print -exec chmod 744 {} \;
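Both the find -perm 777 search and the find -exec chmod command above match only files whose mode is exactly 777, so a file set to 666 or 602 is still writable by everyone and is never listed. The added example below (not from the original article) compares that exact match with a test on the others-write bit alone and then clears only that bit; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. All paths are constructed.

# Regular files whose mode is exactly 777 (what the article's command matches).
find_exact_777() {
    find "$1" -type f -perm 777 -print | LC_ALL=C sort
}

# Files and directories with at least the "others" write bit set,
# regardless of the remaining bits (666, 757, 602, ...).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | LC_ALL=C sort
}

# Clear only the others-write bit on regular files; every other bit is kept.
fix_world_writable_files() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
}

# Print a file's mode in octal (GNU stat first, then the BSD/macOS form).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Build a small constructed tree with a mix of modes.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/uploads"
    : > "$root/index.php";     chmod 644 "$root/index.php"
    : > "$root/config.php";    chmod 666 "$root/config.php"
    : > "$root/deploy.sh";     chmod 777 "$root/deploy.sh"
    : > "$root/uploads/a.log"; chmod 602 "$root/uploads/a.log"
    chmod 757 "$root/uploads"
    chmod 755 "$root"
    echo "$root"
}

tree=$(make_sample_tree)
echo "exact 777:";      find_exact_777 "$tree"
echo "world-writable:"; find_world_writable "$tree"
fix_world_writable_files "$tree"
echo "after the fix:";  find_world_writable "$tree"
rm -rf "$tree"
```

Directories are reported but left unchanged, because a world-writable directory may be intentional and should be reviewed by hand.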
