What:
'chmod' is a utility to set the mode (chmod = CHange MODe)
of
a file or directory. The 'mode' dictates who on the system
may
access a file. The mode is also known as 'permissions'.
literal
syntax: "Set the mode of that file to..."
"What
are the permissions on that directory?"
Why:
Many people don't fully understand the importance of file permissions
on
a Unix system. Furthermore, using Alpha notation may cause
incorrect
permissions because you are not fully qualifying the
permissions
of the file, only adding or removing permissions.
Over
time, or via the use of scripts and utilities, these
permissions
can be set to undesirable modes that may not be suitable
for
a secure environment.
Info:
CHMOD(1V) is used to change the permissions (mode) of a file or
files.
Only the owner of a file (or the super-user) may change
its
mode.
Lets
start out by looking at a common directory entry in unix. We are
going
to use "ls -alF" to obtain the list. (More on 'ls' in a
later file).
-rw-r--r--
1 jericho 2520 Jan 9 09:46 .plan
lrwxrwxrwx
1 root 9 Oct 1 19:42 .rhosts -> /dev/null
drwx------
4 jericho 4096 Jan 9 10:29 bin/
-rw-------
1 jericho 1349 Jan 6 14:49 header.file.2
Above
are 4 different kinds of entries we may find. The first part of each
entry
is the file permissions associated with that file. It determines who
can
read, write, or execute a file. There are 10 flags for each file, as
listed
below:
---------------------------------------------------
|
ft | ur | uw | ux | gr | gw | gx | or | ow | ox |
---------------------------------------------------
ft
- file type. This tells you what kind of 'file' you are listing. Take
into
account the word 'file' is vague, and does not necessarily mean "text
file"
necessarily. Unix treats everything as a file (directories, links,
etc),
and denotes these special permissions to differentiate one from
another.
Common file types:
-
regular file
d
directory
l symbolic
link
c character
device
b block
device
s socket
device
Character
devices, Block devices, and Sockets are frequently found in
the
/dev directory, and will be talked about later. The kinds
of
files we will look at for now are regular files, directories, and
take
a
brief look at symbolic links.
For
the other nine entries, you have different combinations of the
following:
u
= user r = read
g
= group w = write
o
= other x = execute
Permissions
control access for a file or directory by breaking
it
down into three access categories: user, group, and
other.
User:
Controlls access for the owner of the file.
Group:
Controlls access for all members of the group that
owns
the file.
Other:
Controlls access to anyone else on the system,
regardless
of them owning the file or being in a
group
that owns a file.
In
the syntax above, read means the ability to read the contents of that
file,
write means modifying, removing, or appending to a file, and execute
means
'running' the file (or if it is a directory, the ability to enter
it).
When
using chmod to set or change file permissions, there
are
two notations that are recognized:
Alpha:
Use of the + and - operators to change one of
the
three types of access for each category.
r,
w, and x which represent read, write and
execute
respectively. Alpha notation is also known
as
'Symbolic Mode'. For example:
chmod
u+rw,g+r,o+r filename
Octal:
Use of a three or four digit octal number to
change
the absolute permissions of a file. Using
octal
notation sets all access permissions each
time
it is used. Octal notation is also known
as
'Absolute Mode'. For example:
chmod
644 filename
Changing
the permissions: (we will get to the 'why' after this)
Many
people that are new to unix will use Alpha representation to change
the
permission
of a file. Lets say we have a file called 'readme' with
permissions
of -rw-r--r-- .. that means I (user) can read/write, while
people
in the group or other can only read it. Using alpha notation, I
may
do the following:
chmod
go-r readme
What
we are saying here is to remove the 'read' ability for 'group' and
'other'.
That changes the file from -rw-r--r-- to -rw------- . If we
were
to do:
chmod
go+rx readme
We
are now adding read and execute privilege for group and other. So now
it
would
go from -rw------- to -rw-r-xr-x . This would make it so even
though
we
own the file, we can't execute it ourselves. This little oversight
would
cause
us to have to chmod again. While this doesn't sound particularly bad,
consider
it from a security standpoint. If an admin uses alpha notation, it
would
be easy for him to overlook permissions that could lead to problems.
Because
of the chance for accidentally setting incorrect permissions, it
is
a good idea to learn and use Octal Notation whenever possible. Why is
it
called
"absolute mode"? Because every time you set the mode of the
file,
you
are fully qualifying the permissions. Instead of adding or removing
permissions,
you are giving the file its new permissions, as if from scratch.
Instead
of the r/w/x and u/g/o method described above, we use numbers
and
placement to determine the new mode. Below are the basic modes
and
their Octal representation. While this looks like a lot to remember,
I
will show how it is actually easier and more efficient than Alpha.
400
Read by owner.
200
Write by owner.
100
Execute (search in directory) by owner.
040
Read by group.
020
Write by group.
010
Execute (search) by group.
004
Read by others.
002
Write by others.
001
Execute (search) by others.
4000
Set user ID on execution. (SUID)
2000
Set group ID on execution (SGID)
1000
Sticky bit, (see chmod(2V) for more information).
We
will go into SUID, SGID, and sticky bit in the future. As a user, you
will
have little need to set those yourself. As an admin, they will
become
very important to functionality and security of your system.
Whenever
you set the mode with Octal notation, you will always use either
three
or four numbers to do so. The only time you use four is if you are
dealing
with a special mode like SUID or SGID. In all other cases, you
are
using three. The first number deals with r/w/x privs for the user,
the
second
number deals with r/w/x privs for group, and the third for other.
Look
at the above list and see how they form together with the examples
below:
444
= -r--r--r-- (readable to everyone)
110
= ---x--x--- (executable to user/group)
421
= -r---w---x (read/user, write/group, execute/other)
Now,
we need to look at setting multiple flags for a single category. What
if
we want the user to read AND write? If you notice the numbers used,
you
may have noticed they skipped the use of 3. Why? Because any
combination
of
adding 1, 2, and 4 will create new numbers with no duplication. 1+2 =
3,
1+4
= 5, 2+4 = 6, and 1+2+4 = 7. By adding the base 1/2/4 numbers, we
obtain
the numeric representation for assigning multiple attributes
to
a file. For example, if we want read and write, we add 4 and 2,
and
apply that.
644
= -rw-r--r-- (read/write user, read group/other)
If
we want to give read/write/exec to user, we add up 4, 2, and 1 and
apply
that.
755
= -rwxr-xr-x (r/w/x user, r/x for group and other)
Other:
There are other options with chmod that are nice to know. Take into
account
that not all versions of chmod will conform to the options
I
will describe. You can "man chmod" on your system to see
what
those
options are.
-f
Force. chmod will not complain if it fails to change
the
mode of a file.
-R
Recursively descend through directory arguments, set-
ting
the mode for each file as described above. When
symbolic
links are encountered, their mode is not
changed
and they are not traversed.
(remember,
unix is case sensitive. 'R' is not 'r')
If
you use wildcards, most implementations of chmod will not set
permissions
of
files that contain a . at the beginning of the file name if you use
wildcards.
For instance, 'chmod 755 *' would set the permissions on all
the
files in the current directory to -rwxr-xr-x EXCEPT files containing
a
. at the beginning of their name. In order to wildcard chmod these
files,
you
would have to 'chmod 755 .*'
So
when is it good to know alpha notation? You may not know the current
permissions
when writing a script that calls chmod to perform a mode change.
This
would make it awkward to reset the permissions via Octal notation.
Making
chmod
add or remove permissions would then be more efficient. For example:
chmod
u-x readme Remove execute permissions for user.
chmod
go-rwx readme Remove all right for group/other.
What
does this have to do with system penetration? First and foremost,
every
unix user and security professional should know how to use the
system
they are attacking or securing. You can not effectively
test
or secure a unix box if you don't know how to use it as a standard
user
would. Second, when you compile programs or run scripts on a system,
you
have to be able to permission them in order to run them.
Carole
Fennelly writes in reminding us that there are a few times where
alpha
notation may be the better option. There is an option to chmod (-R)
that
will traverse a directory structure to change the modes of all files
and
subdirectories in the tree. For example, if you are in the directory
/usr/local/httpd,
you could enter:
chmod
-R 755 *
Which
will go through and make every file and subdirectory under
/usr/local/httpd
"rwxr-xr-x" . This may not be what you want. If you only
want
to
make sure that there is no file or directory that is world writable
and you
want
to preserve the other permissions, it is better to use the command:
chmod
-R o-w *
For
large directory trees, it is unlikely that every file and
subdirectory
should
have the same permission and the octal (absolute) value could cause
problems.
Thanking You
Hope U Like it...