Оффлайн
- Регистрация
- 1 Мар 2015
- Сообщения
- 1,481
- Баллы
- 155
Welcome to Day 15 of 30days linux challenge. We will be treating the 4th topic in our Linux Security Basics series! By now, you've learned why Linux is secure by design, how to secure SSH, and how to protect against brute force attacks with fail2ban. Today, we’re diving into a critical aspect of Linux security: hardening file permissions. Properly managing file permissions ensures that only authorized users can access sensitive data, reducing the risk of unauthorized access or accidental leaks. Let’s explore practical steps to lock down your data.
Index
Why File Permissions Matter
In Linux, every file and directory has permissions that dictate who can read, write, or execute it. Misconfigured permissions can expose sensitive files (like configuration files or user data) to attackers or unprivileged users. For example, a world readable file containing passwords or a world writable directory could allow malicious changes. Hardening file permissions is about applying the principle of least privilege: users and processes should only have the access they need.
Understanding Linux File Permissions
Before we start, let’s recap how permissions work:
-rwxr-xr-- 1 alice users 4096 May 19 2025 script.sh
Here, rwxr-xr-- means:
Practical Steps to Harden File Permissions
Let’s walk through actionable steps to secure your files and directories. These commands assume you’re logged in as a user with sudo privileges.
1. Audit Existing Permissions
Start by checking permissions on critical files and directories.
ls -l /etc /home /var/log
Use the chmod command to adjust permissions.
sudo chmod 600 /etc/shadow
This sets rw------- (owner only).
chmod 600 ~/.ssh/id_rsa
sudo chmod o-rwx /etc/myapp.conf
3. Harden Home Directories
Home directories should be accessible only by their owners.
ls -ld /home/*
If a directory shows drwxr-xr-x, others can list its contents.
sudo chmod 700 /home/username
umask
To set it permanently, add umask 022 to ~/.bashrc or /etc/profile.
4. Secure Directories with Sticky Bits
In shared directories (e.g., /tmp), users might delete others’ files. The sticky bit prevents this.
sudo chmod +t /tmp
Check with ls -ld /tmp. The permissions should show drwxrwxrwt.
5. Use chown to Correct Ownership
Ensure files are owned by the right user or group.
ls -l /var/www
Web server files should typically be owned by the web server user (e.g., www-data).
sudo chown -R www-data:www-data /var/www
6. Find and Fix Risky Permissions
Search for files with overly permissive settings.
sudo find / -type f -perm -o+w
Review the output and remove unnecessary write permissions:
sudo chmod o-w /path/to/file
sudo find /etc -type f -perm -o+r
Restrict access as needed.
7. Automate with a Script
To simplify, create a script to check and fix common issues.
#!/bin/bash
# Secure critical files
sudo chmod 600 /etc/shadow /etc/gshadow
sudo chmod 644 /etc/passwd
sudo chmod 700 /home/* -R
sudo chmod +t /tmp
echo "Permissions hardened!"
Save this as harden_permissions.sh, make it executable (chmod +x harden_permissions.sh), and run it with sudo ./harden_permissions.sh.
Best Practices
I would love to hear your thoughts, experiences, or tips about Linux!
Feel free to share in the comments and join the conversation.
Connect with me on !
#30DaysLinuxChallenge #CloudWhistler #RedHat #Cloudsecurity #DevOps #Linux #OpenSource #CloudComputing #RedHatEnterpriseLinux #SystemLogs #EnterpriseIT #Observability #Logging #SysAdmin #Automation #CloudEngineer #TechForBusiness #ITSupport #SRE #CloudOps
Index
- Why File Permissions Matter
- Understanding Linux File Permissions
- Practical Steps to Harden File Permissions
- Harden Home Directories
- Secure Directories with Sticky Bits
- Secure Directories with Sticky Bits
- Use chown to Correct Ownership
- Find and Fix Risky Permissions
- Automate with a Script
- Best Practices
Why File Permissions Matter
In Linux, every file and directory has permissions that dictate who can read, write, or execute it. Misconfigured permissions can expose sensitive files (like configuration files or user data) to attackers or unprivileged users. For example, a world readable file containing passwords or a world writable directory could allow malicious changes. Hardening file permissions is about applying the principle of least privilege: users and processes should only have the access they need.
Understanding Linux File Permissions
Before we start, let’s recap how permissions work:
Permission Types:
- Read (r): View file contents or list directory contents.
- Write (w): Modify a file or create/delete files in a directory.
- Execute (x): Run a file (e.g., a script or binary) or access a directory.
Permission Groups:
- Owner (u): The user who owns the file.
- Group (g): Users in the file’s group.
- Others (o): Everyone else.
Viewing Permissions:
Use ls -l to see permissions. Example output:
-rwxr-xr-- 1 alice users 4096 May 19 2025 script.sh
Here, rwxr-xr-- means:
- Owner (alice): Read, write, execute (rwx).
- Group (users): Read, execute (r-x).
Others: Read only (r--).
- Numeric Notation: Permissions can be represented as numbers:
Read = 4, Write = 2, Execute = 1.
Example: 755 = rwx (7 = 4+2+1) for owner, r-x (5 = 4+1) for group and others.
Practical Steps to Harden File Permissions
Let’s walk through actionable steps to secure your files and directories. These commands assume you’re logged in as a user with sudo privileges.
1. Audit Existing Permissions
Start by checking permissions on critical files and directories.
- Command:
ls -l /etc /home /var/log
What to Look For:
- Sensitive files (e.g., /etc/shadow, /etc/passwd) should not be world-readable or writable.
- User home directories (/home/username) should not be accessible to others.
- Log files in /var/log should be restricted to root or specific services.
Example:
If /etc/shadow shows -rw-r--r-- (world-readable), it’s a security risk. Fix it later in Step 2.
Use the chmod command to adjust permissions.
- Secure Configuration Files: The /etc/shadow file (containing hashed passwords) should only be readable/writable by root.
sudo chmod 600 /etc/shadow
This sets rw------- (owner only).
- Protect User Configuration Files: Files like ~/.ssh/id_rsa (SSH private keys) should be private.
chmod 600 ~/.ssh/id_rsa
- Remove World-Readable Permissions: For files that don’t need public access, remove permissions for "others."
sudo chmod o-rwx /etc/myapp.conf
3. Harden Home Directories
Home directories should be accessible only by their owners.
- Check Permissions:
ls -ld /home/*
If a directory shows drwxr-xr-x, others can list its contents.
- Restrict Access: Set permissions to 700 (owner only access).
sudo chmod 700 /home/username
- Set Default Permissions for New Files: Use umask to control default permissions. A umask of 022 ensures new files are not world-writable. Check your current umask:
umask
To set it permanently, add umask 022 to ~/.bashrc or /etc/profile.
4. Secure Directories with Sticky Bits
In shared directories (e.g., /tmp), users might delete others’ files. The sticky bit prevents this.
- Set the Sticky Bit:
sudo chmod +t /tmp
Check with ls -ld /tmp. The permissions should show drwxrwxrwt.
5. Use chown to Correct Ownership
Ensure files are owned by the right user or group.
- Check Ownership:
ls -l /var/www
Web server files should typically be owned by the web server user (e.g., www-data).
- Change Ownership:
sudo chown -R www-data:www-data /var/www
6. Find and Fix Risky Permissions
Search for files with overly permissive settings.
- Find World Writable Files:
sudo find / -type f -perm -o+w
Review the output and remove unnecessary write permissions:
sudo chmod o-w /path/to/file
- Find World Readable Sensitive Files:
sudo find /etc -type f -perm -o+r
Restrict access as needed.
7. Automate with a Script
To simplify, create a script to check and fix common issues.
#!/bin/bash
# Secure critical files
sudo chmod 600 /etc/shadow /etc/gshadow
sudo chmod 644 /etc/passwd
sudo chmod 700 /home/* -R
sudo chmod +t /tmp
echo "Permissions hardened!"
Save this as harden_permissions.sh, make it executable (chmod +x harden_permissions.sh), and run it with sudo ./harden_permissions.sh.
Best Practices
- Regularly Audit Permissions: Use find or tools like lynix to monitor changes.
- Backup Before Changes: Always back up critical files before modifying permissions.
- Test Changes: Ensure services (e.g., web servers) still function after permission changes.
- Document Exceptions: If a file needs unusual permissions, document why.
I would love to hear your thoughts, experiences, or tips about Linux!
Feel free to share in the comments and join the conversation.
Connect with me on !
#30DaysLinuxChallenge #CloudWhistler #RedHat #Cloudsecurity #DevOps #Linux #OpenSource #CloudComputing #RedHatEnterpriseLinux #SystemLogs #EnterpriseIT #Observability #Logging #SysAdmin #Automation #CloudEngineer #TechForBusiness #ITSupport #SRE #CloudOps