Karakas Online

16. Security

The following subsections are designed to give the user a very basic level of understanding of security within the GNU/Linux operating system. More comprehensive guides can be found at the Linux Documentation Project and numerous other GNU/Linux based sites.

Changing root's password

Type linux single at a Lilo/Grub prompt. Then type passwd once the system has started and you are at a console.

Grub:

If you are using grub, go to the relevant line (the one with the kernel and various options), then press 'e' for edit and add "single" on to the end of the line that boots the kernel. Then hit [Enter], then hit b (to boot).

Lilo:

If you are using lilo, press Escape, type linux single and then hit Enter to boot.

Warning:

This is also a basic security hazard: if others use your computer and security is a concern, you may like to add a password to your Lilo or Grub prompt to stop this from being done.

umask

The umask is a value set by the root user of the system. It controls the default permissions of any file created. It works in an unusual way: to set the umask you describe file permissions by saying which ones will be disabled. You can do this by taking 777 minus the file permissions you want. Note that umask works with numbers only.

Example:

If you want the default to be equivalent to chmod 750 (user has r/w/x, group has r/x and other has no permissions), the command you would use would be:

umask 027
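The following is an added example, not part of the guide: a small shell script that derives the umask from the default permissions you want and then shows the mode that new files and directories actually receive under it (files start from 666, so they never come out executable; directories start from 777). The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the guide): how a umask value follows from the
# default permissions you want, and what mode new files and directories
# actually get under it. The function names below are this example's own.

# Compute the umask that yields a given default permission, e.g. 750 -> 027.
# The guide describes this as "777 minus the permissions you want"; the shell
# does it as a bitwise clear (777 AND NOT wanted), which gives the same digits.
umask_for() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Octal mode of a regular file created under umask $1. New files start from
# 666 (never executable) before the mask is applied, so umask 027 gives 640.
file_mode_under_umask() {
    scratch=$(mktemp -d) || return 1
    ( umask "$1" && touch "$scratch/f" ) && stat -c '%a' "$scratch/f"
    rm -rf "$scratch"
}

# Octal mode of a directory created under umask $1. Directories start from
# 777, so umask 027 gives 750, the chmod 750 equivalent the guide describes.
dir_mode_under_umask() {
    scratch=$(mktemp -d) || return 1
    ( umask "$1" && mkdir "$scratch/d" ) && stat -c '%a' "$scratch/d"
    rm -rf "$scratch"
}

# Stand-alone demonstration.
echo "umask for default 750: $(umask_for 750)"            # 027
echo "file under umask 027:  $(file_mode_under_umask 027)" # 640
echo "dir under umask 027:   $(dir_mode_under_umask 027)"  # 750
```

The umask is applied inside a subshell so the caller's own umask is left untouched; stat -c is the GNU coreutils form, so this assumes a Linux system.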

16.1. Some basic Security Tools

md5sum

Compute an md5 checksum (128-bit) for the file "file_name" to verify its integrity.

Command syntax:

md5sum file_name

mkpasswd

mkpasswd -l 10

This command will make a random password ten characters long. This password generator creates passwords that are designed to be hard to guess.
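As an added example for the md5sum entry above (not part of the guide): the usual way to use a checksum for integrity checking is to record it once and later run md5sum -c against the record, which re-hashes the file and reports whether it still matches. The function names and the data file are this example's own.

```sh
#!/bin/sh
# Added example (not from the guide): recording an md5 checksum for a file
# and later checking the file against it with "md5sum -c", which is how the
# "verify its integrity" step is normally done. Function names are this
# example's own; the data file is constructed for the demonstration.

# Print only the 32-hex-digit checksum of FILE (md5sum prints "hash  name").
md5_of() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Save "hash  path" for FILE into SUMFILE: the known-good reference.
record_checksum() {
    md5sum "$1" > "$2"
}

# Re-hash every file named in SUMFILE and compare. Returns 0 when all match,
# non-zero when any file differs or is missing. Output is discarded so the
# exit status alone carries the verdict (drop the redirect to see OK/FAILED).
verify_checksum() {
    md5sum -c "$1" >/dev/null 2>&1
}

# Stand-alone demonstration: verification passes, then fails after the file
# is altered by appending a single byte.
demo_tamper_detection() {
    scratch=$(mktemp -d) || return 1
    printf 'original contents\n' > "$scratch/data.txt"
    record_checksum "$scratch/data.txt" "$scratch/data.md5"
    verify_checksum "$scratch/data.md5" && echo "data.txt: OK"
    printf 'x' >> "$scratch/data.txt"
    verify_checksum "$scratch/data.md5" || echo "data.txt: CHANGED since the checksum was recorded"
    rm -rf "$scratch"
}

demo_tamper_detection
```

Keep the checksum record somewhere the file's writers cannot reach (read-only media, another host), otherwise a change can be hidden by updating the record too. MD5 is fine for spotting accidental corruption, but it is no longer collision resistant; sha256sum accepts the same -c interface when the check has to hold against deliberate tampering.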

16.2. File Permissions

Use ls -l to see the permissions of files (list-long). They will appear like this (I have added spaces between the permission groups to make it easier to read):

  -     rwx    rw-    r--    1   newuser newuser
  (2)   (3)    (4)    (5)   (1)
  type  owner  group  others links

Where: r = read, w = write, x = execute
(1)
This number is the number of hard links (pointers) to this file. You can use ln to create another hard-link to the file.
(2)
This is the type of file. '-' means a regular file, 'd' would mean a directory. 'l' would mean a link. There are also other types such as 'c' for character device and 'b' for block device (found in the /dev/ directory).
(3)
These are the permissions for the owner of the file (the user who created the file).
(4)
These are the permissions for the group; any users who belong to the same group as the user who created the file will have these permissions.
(5)
These are the permissions for everyone else. Any user who is outside the group will have these permissions on the file.

The two names at the end are the username and group respectively.

chmod

Change file access permissions for a file(s).

There are two methods to change permissions using chmod; letters or numbers.

Letters Method:

Use a + or - (plus or minus sign) to add or remove permissions for a file. Use an equals sign, =, to specify new permissions and remove the old ones for the particular type of user(s).

You can use chmod letter where the letters are:

a (all (everyone)) u (user) g (group) and o (other).

Examples:

chmod u+rw somefile

This would give the user read and write permission.

chmod o-rwx somefile

This will remove read/write/execute permissions from other users (this doesn't include users within your group).

chmod a+r somefile

This will give everyone read permission for the file.

chmod a=rx somefile

This would give everyone execute and read permission to the file, if anyone had write permission it would be removed.

Numbers Method:

You can also use numbers (instead of letters) to change file permissions, where:

r (read) = 4, w (write) = 2, x (execute) = 1

Numbers can be added together so you can specify read/write/execute permissions; read+write = 6, read+execute = 5, read+write+execute = 7

Examples:

chmod 777 somefile

This would give everyone read/write/execute permission on "somefile". The first number is user, second is group and third is everyone else (other).

chmod 521 somefile

This would give the user read and execute permission, and the group write permission (but not read permission!) and everyone else execute permission. (Note: it's just an example, settings like that don't really make sense...).
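As an added example covering the file permission listing, the letters method and the numbers method above (not code from the guide): a shell script that converts between the rwx notation shown by ls -l and the octal digits chmod takes, then applies a mode to a scratch file and reads back what the listing would display, so both chmod styles can be checked against the string you expect. Function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the guide): converting between the rwx notation that
# "ls -l" shows and the octal numbers chmod takes, then applying a mode with
# chmod and reading back what the listing would display. Function names are
# this example's own.

# Value of one rwx triplet such as "r-x": r = 4, w = 2, x = 1, added together.
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac   # s/t: execute plus a special bit
    echo "$v"
}

# "rwxr-x---" -> "750": owner, group and other triplets become the three digits.
perm_to_octal() {
    u=$(triplet_value "$(printf '%s' "$1" | cut -c1-3)")
    g=$(triplet_value "$(printf '%s' "$1" | cut -c4-6)")
    o=$(triplet_value "$(printf '%s' "$1" | cut -c7-9)")
    echo "$u$g$o"
}

# One octal digit -> its triplet: 5 -> "r-x".
digit_to_triplet() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# "521" -> "r-x-w---x" (the guide's deliberately odd example).
octal_to_perm() {
    printf '%s%s%s\n' \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c1)")" \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c2)")" \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c3)")"
}

# Apply MODE (numeric or letter form) to a scratch file and print the nine
# permission characters the listing would show for it.
mode_after_chmod() {
    scratch=$(mktemp -d) || return 1
    touch "$scratch/f"
    chmod "$1" "$scratch/f"
    stat -c '%A' "$scratch/f" | cut -c2-10
    rm -rf "$scratch"
}

# Stand-alone demonstration.
echo "rwxrw-r-- is $(perm_to_octal rwxrw-r--)"     # 764
echo "521 is $(octal_to_perm 521)"                  # r-x-w---x
echo "chmod a=rx gives $(mode_after_chmod a=rx)"   # r-xr-xr-x
```

The triplet conversion treats s and t in the execute slot as "execute set" because ls shows a lowercase letter there only when the execute bit is also on; an uppercase S or T (special bit without execute) is left out of the digit on purpose. stat -c is the GNU coreutils form, so this assumes Linux.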

chown

Changes the ownership rights of a file (hence the name 'chown' - change owner). Can only be used by root.

Use the -R option to change things recursively, in other words all matching files, including those in subdirectories.

Command syntax:

chown owner:group the_file_name

sticky bit

Only the person who created the file may delete it, even if other people have write permission. You can turn it on by typing:

chmod 1700 somefile (where 1 = sticky bit)

or (where t represents the sticky bit)

chmod +t somefile

To turn it off you would need to type:

chmod 0700 somefile (where the zero would mean no sticky bit)

or (where t represents the sticky bit)

chmod -t somefile

Note that the permissions aren't relevant in the numbers example, only the first number (1 = on, 0 = off).

Tip:

You may also have sticky directories, the /tmp directory is usually an example of a sticky directory.

The files inside can only be deleted by the super-user (root) or the creator of the file.

Sticky directories will show a 't' at the end of their file permissions (when listed using ls -l). This may be useful when you have a directory that everyone has access to but no-one should be deleting each other's files.

suid

Allow SUID/SGID (switch user ID/switch group ID) access. You would normally use chmod to turn this on or off for a particular file; suid is generally considered a security hazard, so be careful when using this.

Example:

chmod a+s file_name

This will give everyone permission to execute the file with the permissions of the user who set the +s switch.

Be warned:

This is obviously a security hazard. You should avoid using the suid flag unless necessary.
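As an added example for the sticky bit and suid entries above (not code from the guide): a shell script that reads the special bits out of the mode string ls -l shows, sets up a scratch sticky directory the way /tmp is configured (mode 1777), and lists set-UID files below a directory, which is the check an administrator runs to keep track of where the suid flag is in use. Function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the guide): how the sticky bit and the set-UID bit
# show up in a mode string, a scratch sticky directory set up the way /tmp is
# (mode 1777), and a small audit that lists set-UID files below a directory.
# Function names are this example's own.

# The 10-character mode string "ls -l" shows, e.g. drwxrwxrwt for /tmp.
mode_string() {
    stat -c '%A' "$1"
}

# Sticky bit on: the last character is t (execute also set) or T (not set).
has_sticky_bit() {
    case $(mode_string "$1") in *[tT]) return 0 ;; esac
    return 1
}

# Set-UID bit on: the owner's execute slot (4th character) is s or S.
has_suid_bit() {
    case $(mode_string "$1") in ???[sS]*) return 0 ;; esac
    return 1
}

# Create a world-writable directory with the sticky bit, as /tmp is, and print
# its mode string (drwxrwxrwt): anyone may create files there, only a file's
# owner (or root) may delete it.
make_sticky_dir() {
    mkdir "$1" && chmod 1777 "$1" && mode_string "$1"
}

# Audit: regular files under DIR with the set-UID bit. "-perm -4000" matches
# when the 4000 bit is set whatever the other bits are, so 4755, 4711 and so
# on are all reported. Run over / from time to time and compare with the
# previous run to notice set-UID programs that were not there before.
find_suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Stand-alone demonstration on a scratch tree.
demo_special_bits() {
    scratch=$(mktemp -d) || return 1
    make_sticky_dir "$scratch/shared"           # drwxrwxrwt
    touch "$scratch/shared/tool"
    chmod 4755 "$scratch/shared/tool"           # same as chmod u+s on a 755 file
    mode_string "$scratch/shared/tool"          # -rwsr-xr-x
    find_suid_files "$scratch"                  # .../shared/tool
    rm -rf "$scratch"
}

demo_special_bits
```

The scratch file is never executed; only its mode bits are set so the listing and the find expression can be seen working. find -perm -4000 and stat -c are the GNU forms, so this assumes Linux.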

chattr

Change file system attributes (works on ext2fs and possibly others). Use the -R option to change files recursively. chattr has a large number of attributes which can be set on a file; read the manual page for further information.

Example:

chattr +i /sbin/lilo.conf [1]

This sets the 'immutable' flag on a file. Use a '+' to add attributes and a '-' to take them away. The +i will prevent any changes (accidental or otherwise) to the "lilo.conf" file. If you wish to modify the lilo.conf file you will need to unset the immutable flag with chattr -i. Note that some flags can only be set or cleared by root: i, a and probably many others.

Note there are many different attributes that chattr can change, here are a few more which may be useful:

  • A (no Access time) --- if a file or directory has this attribute set, whenever it is accessed, either for reading or for writing, its last access time will not be updated. This can be useful, for example, on files or directories which are very often accessed for reading, especially since this parameter is the only one which changes on an inode when it's opened read-only.

  • a (append only) --- if a file has this attribute set and is open for writing, the only operation possible will be to append data to its previous contents. For a directory, this means that you can only add files to it, but not rename or delete any existing file. Only root can set or clear this attribute.

  • s (secure deletion) --- when a file or directory with this attribute set is deleted, the blocks it was occupying on disk are written back with zeroes (similar to using shred).

lsattr

(list attributes). This will list whether a file has any special attributes (as set by chattr). Use the -R option to list recursively, and try the -d option to list directories like other files rather than listing their contents.

Command syntax:

lsattr

This will list files in the current directory; you may also specify a directory or a file:

lsattr /directory/or/file
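As an added example for the chattr and lsattr entries above (not code from the guide): a shell function that reads lsattr output and picks out the files carrying a given attribute letter, so you can audit which files on a system are immutable (i) or append-only (a). The function name is this example's own, and the sample lsattr lines are constructed for the demonstration, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the guide): picking out files that carry a given
# chattr attribute from lsattr's output, so an administrator can audit which
# files are immutable (i) or append-only (a). The function name is this
# example's own; the sample lines below are constructed, not captured.

# lsattr prints one line per file: a fixed-width field of attribute letters
# (a '-' in each position where that attribute is off), a space, then the
# path. Read such lines on stdin and print the paths whose field contains the
# letter given as $1. Splitting on the first space only keeps paths that
# themselves contain spaces intact.
files_with_attr() {
    want=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}          # text before the first space
        path=${line#* }            # text after the first space
        case $flags in *"$want"*) printf '%s\n' "$path" ;; esac
    done
}

# Live use (needs a filesystem that supports these attributes, such as ext2/3/4,
# and the e2fsprogs tools installed):
#   lsattr -R /etc 2>/dev/null | files_with_attr i     # immutable files
#   lsattr -R /var/log 2>/dev/null | files_with_attr a # append-only files

# Constructed sample of lsattr output (not from a real system); the 'e' flag
# shown on every line is the extents attribute ext4 sets by default.
SAMPLE_LSATTR='----i---------e---- /sbin/lilo.conf
-----a--------e---- /var/log/secure
--------------e---- /etc/hostname'

# Stand-alone demonstration.
echo "immutable:";   printf '%s\n' "$SAMPLE_LSATTR" | files_with_attr i   # /sbin/lilo.conf
echo "append-only:"; printf '%s\n' "$SAMPLE_LSATTR" | files_with_attr a   # /var/log/secure
```

Because chattr flags sit outside the ordinary permission bits, an immutable or append-only file stays that way even for root until the flag is cleared; listing them with a check like this is the quickest way to find out why a file refuses to be edited or removed.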

Notes

[1]

This example and tiny parts of the explanation have been taken from the Linux Online Classroom, see [4] in the Bibliography for further information.