{"id":23630,"date":"2021-09-17T12:29:43","date_gmt":"2021-09-17T12:29:43","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=23630"},"modified":"2023-11-06T09:28:12","modified_gmt":"2023-11-06T09:28:12","slug":"complete-referance-of-linux-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/complete-referance-of-linux-security\/","title":{"rendered":"Complete Reference of Linux Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Course Outline<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Introduction To Linux Security<\/li>\n\n\n\n<li>Secure Linux Installation<\/li>\n\n\n\n<li>Securing The Linux Boot Process<\/li>\n\n\n\n<li>User Accounts and Groups<\/li>\n\n\n\n<li>File System Security and Permissions<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction To Linux Security<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Bit About Linux<\/li>\n\n\n\n<li>Current Security Problems<\/li>\n\n\n\n<li>Requirements of a Secure OS<\/li>\n\n\n\n<li>Which is More Secure: Windows vs Linux?<\/li>\n\n\n\n<li>Linux Security Features Overview<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">A Bit About Linux<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open source OS with proven track record<\/li>\n\n\n\n<li>Alternative to closed source OS<\/li>\n\n\n\n<li>Comparable and competitive features<\/li>\n\n\n\n<li>Highly secure, dependable OS<\/li>\n\n\n\n<li>Wide variety of uses (personal, servers)<\/li>\n\n\n\n<li>Comes in many &#8220;distributions&#8221;<\/li>\n\n\n\n<li>Red Hat, Debian, SuSe, Slax, Mandriva<\/li>\n\n\n\n<li>Other function-specific distros are built on basic ones to perform specific functions<\/li>\n\n\n\n<li>Allows security to be defined on a role-based function for implementation<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Current Security Problems<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malware<\/li>\n\n\n\n<li>Identity Theft<\/li>\n\n\n\n<li>Data 
Theft<\/li>\n\n\n\n<li>Unsafe Internet Use<\/li>\n\n\n\n<li>Network\/Computer Intrusion<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Which is More Secure: Windows vs Linux?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows is most popular OS, but is highly attacked and exploited due to popularity<\/li>\n\n\n\n<li>Microsoft is improving security in products<\/li>\n\n\n\n<li>Windows security fixes can be slow coming, incompatible with apps, and closed source<\/li>\n\n\n\n<li>Linux can address all of these problems!<\/li>\n\n\n\n<li>Linux does not suffer from same proportion of attacks due to lower popularity<\/li>\n\n\n\n<li>Still suffers from the same issues!<\/li>\n\n\n\n<li>Biggest problem is lack of user knowledge and complacency<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Requirements of a Secure OS<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protection against intrusion from malicious entities (hackers)<\/li>\n\n\n\n<li>Protection against malware<\/li>\n\n\n\n<li>Secure data transmission capability<\/li>\n\n\n\n<li>Secure data storage capability<\/li>\n\n\n\n<li>Individually defined users<\/li>\n\n\n\n<li>Positive identification and authentication of users and other entities (computers)<\/li>\n\n\n\n<li>Ability to separate users into roles or groups with varying access needs, rights, and privileges.<\/li>\n\n\n\n<li>Ability to define access permissions to resources and allow\/deny access<\/li>\n\n\n\n<li>Ability to audit actions of individuals or processes on computer<\/li>\n\n\n\n<li>Flexible security mechanisms to adjust to environment<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Overview of Linux Security Features<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Meets requirements of secure operating systems<\/li>\n\n\n\n<li>Can be made to be VERY secure, yet flexible for wide range of needs<\/li>\n\n\n\n<li>Wide array of security mechanisms, tools, software, and features.<\/li>\n\n\n\n<li>Allows for securing 
resources with access controls, such as users, groups, and permissions<\/li>\n\n\n\n<li>Allows for secure network and internet access by users<\/li>\n\n\n\n<li>Built-in tools for securing resources available to network\/Internet users<\/li>\n\n\n\n<li>Apache, Bastille, Tripwire, PAMs etc.<\/li>\n\n\n\n<li>Can be made as secure as desired<\/li>\n\n\n\n<li>Learning curve can be a bit steep<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Linux Installation<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Selecting the Right Distribution<\/li>\n\n\n\n<li>Defining Partitions for Security<\/li>\n\n\n\n<li>Installing Software and Services<\/li>\n\n\n\n<li>Installing Secure File Systems<\/li>\n\n\n\n<li>Installation Security Configurations<\/li>\n\n\n\n<li>Post Install Actions<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Selecting the Right Distribution<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Base selection on security features offered<\/li>\n\n\n\n<li>Plan for role of box &#8211; workstation, file server, infrastructure server, multi-role server &#8211; and install for that role<\/li>\n\n\n\n<li>Some distros better suited for different roles &#8211; It&#8217;s ok to go with multiple distros!<\/li>\n\n\n\n<li>Linux can be freely downloaded<\/li>\n\n\n\n<li>Unless you trust the download source, possibility exists of trojaned binaries<\/li>\n\n\n\n<li>Best download source is usually company that produces distro (RH, Mandriva, SuSe)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Defining Partitions for Security<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use multiple partitions rather than putting entire filesystem on single partition<\/li>\n\n\n\n<li>Enables separate partitions to have different access permissions\/restrictions<\/li>\n\n\n\n<li>Prevents attacker from filling up entire disk with garbage, or accessing entire disk<\/li>\n\n\n\n<li>Mark some partitions as read only, such as &#8220;\/&#8221; (root)<\/li>\n\n\n\n<li>Set some partitions 
(\/tmp, \/user, \/home) as no SUID or SGID<\/li>\n\n\n\n<li>Restrict access to system partitions<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Software and Services<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install only necessary software and services &#8211; never go with &#8220;Everything&#8221;!<\/li>\n\n\n\n<li>Attack surface is reduced with only minimum installed services<\/li>\n\n\n\n<li>Base installed services\/software on machine role &#8211; dhcp, dns, samba, etc.<\/li>\n\n\n\n<li>Install only packages from trusted binaries<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Secure File Systems<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure file system uses a journaling file system, such as ext3\/reiserfs<\/li>\n\n\n\n<li>Mount &#8220;\/&#8221; as read only and make symbolic links to other trees that are read-write<\/li>\n\n\n\n<li>Edit \/etc\/fstab file to secure mounted file systems<\/li>\n\n\n\n<li>Avoid auto mounting file systems if not needed<\/li>\n\n\n\n<li>Do not allow all users to mount filesystems<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Installation Security Configurations<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create users other than &#8216;root&#8217;<\/li>\n\n\n\n<li>Configure Linux Firewall options. 
Learn about <a href=\"https:\/\/www.namehero.com\/blog\/how-to-install-csf-firewall-on-your-linux-server\/\" target=\"_blank\" rel=\"noopener\">installing a CSF firewall<\/a> on Linux servers if you require an additional level of security above and beyond what is provided natively, including defense against common DDoS attacks.<\/li>\n\n\n\n<li>Choose local login or NIS login depending upon network configuration<\/li>\n\n\n\n<li>Configure computer to start in text-only (runlevel 3) mode instead of GUI<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Post Install Actions<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Patch computer with latest vendor security<\/li>\n\n\n\n<li>Virus scan box before connecting to production network<\/li>\n\n\n\n<li>Baseline system by running Tripwire<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Installation Demonstration<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Installation of Ubuntu 20.04.3<\/li>\n\n\n\n<li>Virtual machine environment using Oracle Virtualbox<\/li>\n\n\n\n<li>Non-relevant parts omitted due to time<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Securing the Linux Boot Process<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Securing LILO<\/li>\n\n\n\n<li>Securing GRUB<\/li>\n\n\n\n<li>Runlevel Security and inittab<\/li>\n\n\n\n<li>Partition Mounting and fstab<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Securing LILO<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single-user mode can be started by typing &#8216;linux single&#8217; at the LILO boot: prompt<\/li>\n\n\n\n<li>Single-user mode (runlevel 1) is basic mode of Linux OS that can load with root-level privileges but no root password required &#8211; bypasses login requirement<\/li>\n\n\n\n<li>Single-user mode can be protected by requiring password<\/li>\n\n\n\n<li>Uses &#8216;password&#8217; keyword in \/etc\/lilo.conf<\/li>\n\n\n\n<li>Can protect all boot images (if placed in &#8216;global&#8217; section of file) or only certain ones if 
placed in &#8216;image&#8217; section for selected image.<\/li>\n\n\n\n<li>Passing arguments at boot prompt can cause unsecured boot of system<\/li>\n\n\n\n<li>Example: LILO boot: init=\/bin\/bash causes execution of bash root shell with no login prompts or security checking<\/li>\n\n\n\n<li>&#8216;restricted&#8217; keyword used in \/etc\/lilo.conf can prevent passing of arguments at boot time unless password is used.<\/li>\n\n\n\n<li>Requires &#8216;password&#8217; keyword to be used.<\/li>\n\n\n\n<li>Other options used in file include &#8216;prompt&#8217; and &#8216;timeout&#8217; keywords to prevent access in event of accidental reboot<\/li>\n\n\n\n<li>File permissions for \/etc\/lilo.conf should be restricted to 600<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Securing GRUB<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Newer boot loader used in Linux<\/li>\n\n\n\n<li>Unsecured GRUB can allow unauthenticated users to run commands at boot time<\/li>\n\n\n\n<li>GRUB allows bootloader password to be set and encrypted using MD5 hash<\/li>\n\n\n\n<li>Uses \/boot\/grub\/grub.conf file to configure<\/li>\n\n\n\n<li>Create MD5 hashed password using MD5crypt, then paste hash into file<\/li>\n\n\n\n<li>Users can no longer view password<\/li>\n\n\n\n<li>&#8216;lock&#8217; command enables you to secure any boot entry for options or multi-boot systems<\/li>\n\n\n\n<li>&#8216;lock&#8217; command also takes its own password entry, so different options have different passwords<\/li>\n\n\n\n<li>Restrict access to \/boot\/grub\/grub.conf file by setting file permissions to 600<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Runlevel Security and init<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>init process starts and controls system once kernel is started<\/li>\n\n\n\n<li>Uses &#8216;runlevels&#8217; to determine which services start and which users can log in<\/li>\n\n\n\n<li>Runlevel is controlled through \/etc\/inittab<\/li>\n\n\n\n<li>Runlevel 0: system 
halted<\/li>\n\n\n\n<li>Runlevel 1: Single User mode<\/li>\n\n\n\n<li>Runlevel 3: Multi-user, network services started<\/li>\n\n\n\n<li>Runlevel 5: Multi-user with X Windows<\/li>\n\n\n\n<li>Runlevel 5 is usually default configuration for most Linux systems<\/li>\n\n\n\n<li>Recommend change in \/etc\/inittab file to Runlevel 3 then &#8216;startx&#8217; after boot<\/li>\n\n\n\n<li>Prevents X-Windows apps from auto-running (security risk) if not needed<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Partition Mounting and fstab<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secure mounting of filesystems through use of \/etc\/fstab text configuration file<\/li>\n\n\n\n<li>Some partitions and filesystems should be mounted with special secure configurations<\/li>\n\n\n\n<li>Separate system and user files as much as possible on separate filesystems<\/li>\n\n\n\n<li>Assign certain filesystems their own partition: \/home, \/tmp, &#8216;\/&#8217; (root) and assign appropriate options<\/li>\n\n\n\n<li>Easier to secure\/backup many small partitions than one large one<\/li>\n\n\n\n<li>Use &#8216;suid&#8217; mount option sparingly &#8211; it enables SUID\/SGID executables to run as their owner or group &#8211; source of many exploits &#8211; use &#8216;nosuid&#8217;<\/li>\n\n\n\n<li>Disable running of executables in some filesystems, such as \/home or publicly available filesystems.<\/li>\n\n\n\n<li>Enable read only (ro) on selected filesystems containing executables or sensitive data &#8211; especially Internet facing systems<\/li>\n\n\n\n<li>Do not enable &#8216;any&#8217; user to mount a partition automatically.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Security With User Accounts and Groups<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users and Groups<\/li>\n\n\n\n<li>Passwords<\/li>\n\n\n\n<li>Use of Privileged Accounts<\/li>\n\n\n\n<li>Securing User Shells and Profiles<\/li>\n\n\n\n<li>All users have accounts, even system users<\/li>\n\n\n\n<li>Accounts control access 
to resources through permissions<\/li>\n\n\n\n<li>Groups are groupings of user accounts that have similar access requirements<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Users and Groups<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User accounts and groups are assigned user IDs (UIDs) and group IDs (GIDs)<\/li>\n\n\n\n<li>IDs are unique to user or group<\/li>\n\n\n\n<li>IDs assigned by system in blocks, or can be assigned by root user when accounts are created<\/li>\n\n\n\n<li>Root group: GID 0<\/li>\n\n\n\n<li>Select a UID\/GID manually, or allow user creation tool\/GUI to select<\/li>\n\n\n\n<li>Keep same UIDs\/GIDs across NFS environment to ensure user can access resources across network shares.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Passwords<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Passwords previously stored encrypted on Unix\/Linux systems in \/etc\/passwd text file, but world readable<\/li>\n\n\n\n<li>Now passwords in \/etc\/passwd removed &#8211; replaced with &#8216;x&#8217; in field to indicate use of shadow passwords file<\/li>\n\n\n\n<li>Passwords now stored in \/etc\/shadow text file in encrypted form (using MD5 by default)<\/li>\n\n\n\n<li>File now readable only by root<\/li>\n\n\n\n<li>Passwords can be converted from \/etc\/passwd to shadow using &#8216;pwconv&#8217;<\/li>\n\n\n\n<li>Protect \/etc\/shadow file by assigning permissions of 400 to file &#8211; root is owner by default<\/li>\n\n\n\n<li>Ensure no &#8216;+&#8217; character in file to prevent potential unwanted NIS access<\/li>\n\n\n\n<li>Secure password must be assigned to user account upon creation &#8211; don&#8217;t use blank passwords or username as password<\/li>\n\n\n\n<li>User can change password using &#8216;passwd&#8217; command<\/li>\n\n\n\n<li>&#8216;chage&#8217; command used to specify password changing (age) attributes<\/li>\n\n\n\n<li>Use to specify whether<\/li>\n\n\n\n<li>Password must be changed on first login<\/li>\n\n\n\n<li>Time between password 
expirations<\/li>\n\n\n\n<li>Account lockout time after password expiration<\/li>\n\n\n\n<li>Advance warning (time) before password expiration<\/li>\n\n\n\n<li>Number of days user must wait before changing password<\/li>\n\n\n\n<li>Password creation guidelines include:<\/li>\n\n\n\n<li>Must be minimum of 8 characters, 14 for privileged accounts<\/li>\n\n\n\n<li>Must not contain username<\/li>\n\n\n\n<li>Must not contain dictionary or easily guessable word (such as P@$$w0rd)<\/li>\n\n\n\n<li>Must contain at least one each of the following types of characters: lowercase letter, uppercase letter, number, and special character<\/li>\n\n\n\n<li>Should not contain more of same character 3 times in succession<\/li>\n\n\n\n<li>Don&#8217;t allow reuse of same password<\/li>\n\n\n\n<li>Password complexity requirements can be enforced using Pluggable Authentication Modules (PAMs)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Use of Privileged Accounts<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Practice &#8216;principle of least privilege&#8217;<\/li>\n\n\n\n<li>Users should only have enough privileges to do job &#8211; no more than that<\/li>\n\n\n\n<li>Limit remote login of &#8216;root&#8217; and other privileged accounts<\/li>\n\n\n\n<li>Limit direct login of privileged accounts<\/li>\n\n\n\n<li>Authorized users and tasks for sudo are located in \/etc\/sudoers file<\/li>\n\n\n\n<li>Use of &#8216;sudo&#8217; is logged for accountability in syslog file<\/li>\n\n\n\n<li>Users should su or sudo to root or other privileged account, perform task, and then switch back to non-privileged account<\/li>\n\n\n\n<li>Restrict \/etc\/securetty to prevent unauthorized use of root account<\/li>\n\n\n\n<li>Remove unwanted virtual consoles from \/etc\/securetty file<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Securing Shells and Profiles<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict default user profile settings<\/li>\n\n\n\n<li>Change \/etc\/skel as first step &#8211; 
contains default settings for new users; will not affect previously created users.<\/li>\n\n\n\n<li>Global configuration settings can be stored in \/etc\/profile, \/etc\/.login,<\/li>\n\n\n\n<li>Restrict permissions on these files to 644 and ensure owner is root<\/li>\n\n\n\n<li>Local (user) initialization files usually located in user&#8217;s home directory<\/li>\n\n\n\n<li>Can include .login, .profile, .cshrc, .bash_profile, and others<\/li>\n\n\n\n<li>Sets shell settings, path, options, command aliases, etc.<\/li>\n\n\n\n<li>Files should be owned by user or root, and permissions set at no more than 740<\/li>\n\n\n\n<li>Path variable should not include a &#8216;.&#8217; or &#8216;::&#8217; to prevent executing commands in root directory<\/li>\n\n\n\n<li>Restrict normal user use of unneeded shells<\/li>\n\n\n\n<li>Users should not be allowed to use different shells &#8211; bash is sufficient<\/li>\n\n\n\n<li>Modify \/etc\/shells file to contain only authorized shells (example &#8211; \/bin\/bash)<\/li>\n\n\n\n<li>Modify \/etc\/passwd for user&#8217;s default shell.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">File System Permissions<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Types of Files<\/li>\n\n\n\n<li>Permissions Structure<\/li>\n\n\n\n<li>Special Permission Bits<\/li>\n\n\n\n<li>Managing Permissions<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Types of Files<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Everything in Linux represented by a file<\/li>\n\n\n\n<li>File can be:<\/li>\n\n\n\n<li>Directories (d)<\/li>\n\n\n\n<li>Files (-)<\/li>\n\n\n\n<li>Devices (block &#8216;b&#8217; or character &#8216;c&#8217;)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Permissions Structure<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All files can be assigned permissions<\/li>\n\n\n\n<li>Permissions dictate what user can do to file<\/li>\n\n\n\n<li>3 basic permissions: read (r), write (w), and execute (x)<\/li>\n\n\n\n<li>Read enables reading files and 
traversing\/listing directories<\/li>\n\n\n\n<li>Write enables changing and deleting files and adding files (to a directory)<\/li>\n\n\n\n<li>Execute enables execution of executable files and scripts<\/li>\n\n\n\n<li>Users can have any combination of these 3 permissions<\/li>\n\n\n\n<li>Permissions are indicated for 3 classes of users: owner, group, and others (world)<\/li>\n\n\n\n<li>Each class can be assigned any different combination of 3 basic permissions<\/li>\n\n\n\n<li>User could have read and write only (rw), execute only (x), or all 3 permissions (rwx)<\/li>\n\n\n\n<li>Permissions usually listed for all classes<\/li>\n\n\n\n<li>Example: -rwxr-xr-- indicates owner has all 3, group has read and execute, and all others have only read<\/li>\n\n\n\n<li>&#8216;-&#8217; indicates user class does not have that permission<\/li>\n\n\n\n<li>Permissions also given in octal notation<\/li>\n\n\n\n<li>Numbers represent permissions<\/li>\n\n\n\n<li>Read: 4<\/li>\n\n\n\n<li>Write: 2<\/li>\n\n\n\n<li>Execute: 1<\/li>\n\n\n\n<li>In octal notation, numbers are added for each individual permission to give overall value for user class<\/li>\n\n\n\n<li>Example: 7 indicates all 3 permissions: 4+2+1=7. 
6 indicates rw only: 4+2=6<\/li>\n\n\n\n<li>0 indicates no permissions for that class<\/li>\n\n\n\n<li>Permissions for all user classes for file given in 3-digit number<\/li>\n\n\n\n<li>Example: file has permission of 740 indicates owner has full (rwx or 4+2+1), group has read (r or 4), and others have no permissions (indicated by 0)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Special Permission Bits<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Special permissions also exist:<\/li>\n\n\n\n<li>Set UID (SUID bit)<\/li>\n\n\n\n<li>Set GID (SGID bit)<\/li>\n\n\n\n<li>Sticky Bit<\/li>\n\n\n\n<li>SUID indicates that any user who executes a file does so with permissions of the file owner&#8217;s UID &#8211; effectively has those permissions<\/li>\n\n\n\n<li>SGID indicates that the user executes a file with whatever permissions the group has<\/li>\n\n\n\n<li>SUID and SGID set on directories enables files created in directories to have the directory owner set as the file owner instead of the user creating the files<\/li>\n\n\n\n<li>Use suid and sgid bits with caution &#8211; big security risk!<\/li>\n\n\n\n<li>Sticky bit is set to protect files from being renamed or deleted in a directory.<\/li>\n\n\n\n<li>If bit is set, even user with write permissions cannot delete or rename file<\/li>\n\n\n\n<li>File can only be renamed\/deleted by file owner, directory owner, or root.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Managing Permissions<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Permissions and user classes for files managed using 3 primary utilities:<\/li>\n\n\n\n<li>chmod sets\/changes permissions<\/li>\n\n\n\n<li>chown sets\/changes file owner<\/li>\n\n\n\n<li>chgrp sets\/changes group<\/li>\n\n\n\n<li>chmod sets permissions for files and directories<\/li>\n\n\n\n<li>Can use octal or regular notation<\/li>\n\n\n\n<li>Can set special permission bits<\/li>\n\n\n\n<li>chmod demonstration<\/li>\n\n\n\n<li>chown sets owner and group of file<\/li>\n\n\n\n<li>Can 
only be run by root user<\/li>\n\n\n\n<li>chown demonstration<\/li>\n\n\n\n<li>chgrp sets group for file<\/li>\n\n\n\n<li>Can be run by normal (unprivileged) user<\/li>\n\n\n\n<li>User can only change group to one which they are a member of<\/li>\n\n\n\n<li>chgrp demonstration<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Course Outline Introduction To Linux Security A Bit About Linux Current Security Problems which is more secure: Windows vs Linux? Requirements of a Secure OS Overview of Linux Security Features&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[4957],"tags":[460,7055],"class_list":["post-23630","post","type-post","status-publish","format-standard","hentry","category-linux","tag-linux","tag-linux-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23630","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=23630"}],"version-history":[{"count":3,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23630\/revisions"}],"predecessor-version":[{"id":41264,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23630\/revisions\/41264"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=23630"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=23630"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devo
psschool.com\/blog\/wp-json\/wp\/v2\/tags?post=23630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}