Special Modes - Part II

Contents

  • Introduction
    1. Introduction (preview, 1m 2s)
  • File Attributes
  • ACLs
    9. ACLs (9m 25s)
    10. ACLs Demo (6m 13s)
  • Rootkits
    11. Rootkits (8m 33s)

The course is part of this learning path

Linux Security and Hardening
Overview
Difficulty
Intermediate
Duration
1h 13m
Description

This course covers the security features that you can use in order to secure your files and directories on Linux. We look at permissions, data sharing, special modes, file attributes, ACLs, and rootkits. You will also have the chance to follow along with guided demonstrations which will give you a practical understanding of the concepts covered.

Learning Objectives

  • Learn how Linux file and directory permissions work and how to apply the proper permissions to files and directories
  • Learn how to share data securely with groups and multiple users on a Linux system
  • Understand how special modes add extra security to file systems
  • Learn how to make files unchangeable even by the root user and how to secure the log files on a Linux system by making them append-only
  • Learn how to secure files and directories using ACLs
  • Learn about rootkits and how to discover and remove them

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.

Prerequisites

To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.

Transcript

Using the find command to look for files that have the setuid and setgid bits set is one way to monitor for changes. However, you can also use a file integrity checker such as Tripwire, AIDE, OSSEC, Samhain, or even your distribution's package manager to find files that have improper permissions or that have been modified from their original state.

Let's talk about the final special permission. It's called the sticky bit, and it's used on a directory to only allow the file's owner, the directory's owner, or the root user to rename or delete the file. Without the sticky bit set on a directory, the user could delete another user's file if the permissions on the directory allowed for it. For example, this would be applicable to a directory that had 777 permissions on it. To tell if a directory has the sticky bit set, you can look at its ls output. You will see a T in the execute field of the other section of the permissions. You'll usually only find the sticky bit set on the /tmp directory or the /var/tmp directory, but you may also encounter it on directories that are being used to share data amongst several or all users on a system.

To set the sticky bit on a directory, use chmod o+t, or use 1 in the special permissions field followed by the remaining permissions. Typically, using the sticky bit only makes sense with 777 permissions, so you would typically run chmod 1777 followed by a path to a directory. To remove the sticky bit, run chmod o-t followed by the path to the directory. Again, just like removing the other special permissions, you can subtract the numeric value in the special permissions field or use a zero to clear all special permissions.

If you see a special permission represented with a capital letter in ls output, that means the permission that would normally show up in that position is not set. If you see a lowercase s or a lowercase t, then the underlying normal permission is set. Here's an example of a file that has 644 permissions. The user section of the permission shows rw, which is read and write permissions. If we add the setuid bit by running chmod u+s on the file, you'll see a capital S in the ls output. This permission really doesn't make any sense, because the program is not executable. But, in any case, if you see this in ls output, you know exactly what the file permission is. Now, if we add the execute bit for the owner by running chmod u+x on the file, then the ls output shows a lowercase s in the output.

Here are a couple more examples showing special permissions with capital letters. The first example shows that the setgid bit is set, but the execute bit is not set for the group. The second example shows that the sticky bit is set, but the execute bit is not set for others. Again, these permissions don't make any sense, but if you run across them or accidentally set them, you'll know exactly what you're looking at.
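The script below is an added example, not part of the course transcript or the instructor's material. It recreates the scenarios the lesson walks through in a scratch directory (a 1777 shared directory, a setuid bit on a non-executable 644 file, setgid without group execute, sticky without other execute), decodes the capital-versus-lowercase letters in the ls mode string, and runs the find-based setuid/setgid sweep the lesson recommends for monitoring. It assumes a Linux system with GNU coreutils and findutils and a writable temporary directory; the file and directory names (shared, odd, prog, prog2, gid) are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the course): exercise the special permission
# bits in a scratch directory and decode what ls prints for them.
# Assumes Linux with GNU ls/chmod/find; names below are made up.

# Print the 10-character mode field from ls -ld. substr() drops the "."
# or "+" that SELinux labels or ACLs append, so strings compare cleanly.
mode_string() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Explain the special-bit letters in a mode string: lowercase s/t means the
# underlying execute bit is also set, capital S/T means it is not.
decode_special() {
    m=$1
    u=$(printf '%s\n' "$m" | cut -c4)    # owner execute slot
    g=$(printf '%s\n' "$m" | cut -c7)    # group execute slot
    o=$(printf '%s\n' "$m" | cut -c10)   # other execute slot
    r=""
    case $u in
        s) r="$r setuid(s: owner exec set)" ;;
        S) r="$r setuid(S: owner exec not set)" ;;
    esac
    case $g in
        s) r="$r setgid(s: group exec set)" ;;
        S) r="$r setgid(S: group exec not set)" ;;
    esac
    case $o in
        t) r="$r sticky(t: other exec set)" ;;
        T) r="$r sticky(T: other exec not set)" ;;
    esac
    printf '%s\n' "${r# }"
}

# Build the lesson's scenarios under BASE (a scratch directory).
setup_demo() {
    base=$1
    mkdir -p "$base/shared" "$base/odd"
    chmod 1777 "$base/shared"   # world-writable share: sticky + rwxrwxrwx -> drwxrwxrwt
    chmod 1776 "$base/odd"      # sticky without other exec -> drwxrwxrwT (nonsensical)

    : > "$base/prog"
    chmod 644 "$base/prog"
    chmod u+s "$base/prog"      # setuid on a non-executable -> -rwSr--r--

    : > "$base/prog2"
    chmod 4755 "$base/prog2"    # setuid on an executable -> -rwsr-xr-x

    : > "$base/gid"
    chmod 2644 "$base/gid"      # setgid without group exec -> -rw-r-Sr--
}

# The monitoring sweep from the lesson: regular files with setuid or setgid
# set. -perm -4000 / -perm -2000 test for those single bits (POSIX find).
find_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Clear every special bit on a path (same effect as a leading 0 in octal mode).
clear_special() {
    chmod u-s,g-s,o-t "$1"
}

# Stand-alone run:  sh special_bits.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    setup_demo "$tmp"
    for p in shared odd prog prog2 gid; do
        mode=$(mode_string "$tmp/$p")
        printf '%-6s %s  %s\n' "$p" "$mode" "$(decode_special "$mode")"
    done
    echo "setuid/setgid files:"
    find_special "$tmp"
    rm -rf "$tmp"
fi
```

The sticky bit's actual effect (user A cannot rm user B's file in the 1777 directory) needs two unprivileged accounts and is not exercised here; the script only shows how the bit appears and how to set and clear it. Note that chmod 2644 silently drops the setgid bit if you are not root and the file's group is not one of yours, so a capital S you expected but do not see is worth a second look at the file's group.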

About the Author
Jason Cannon
Founder, Linux Training Academy

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.