Security basics, Part 2
More advice on file attribute bits and modes
Summary
Could you use a quick refresher course on binary numbers? Need an expert to clarify hexadecimal and octal notation? This month in Unix 101, Mo Budlong continues his three-part series on Unix security with a closer look at file attribute bits and modes. (1,900 words)
While everyone knows that computers are binary, not many people understand the numbering systems that represent the binary numbers stored in computers, or the notational conventions used for displaying this information.
This may be a teensy bit painful, but I need to cover it to further explain setting file modes. If you understand binary numbering, feel free to skip ahead.
Binary numbers
An odometer in an automobile measures mileage by wheels that rotate through the digits 0 to 9. Each time a wheel completes a revolution from 0 through 9 and back to 0, it trips the wheel to its left up one position. When that wheel reaches 9 and is tripped over to 0, it increments the next wheel to its left.
Now imagine that each wheel in your odometer only had the digits 0 and 1. The first wheel would increment from 0 to 1 and back to 0 again. As it rotated back to 0, it would trip the wheel to the left over to 1. Wheel 1 would again spin through 1 and back to 0, and this time it would trip wheel 2 over to 0. This would trip wheel 3 over to 1. The following illustrates the sequence of positions for our wheels. The wheel positions are numbered down the left-hand side so that position 0 is 0000, position 1 is 0001, position 2 is 0010, and so on.
wheel -> 4 3 2 1
position
0 0 0 0 0
1 0 0 0 1
2 0 0 1 0
3 0 0 1 1
4 0 1 0 0
5 0 1 0 1
6 0 1 1 0
7 0 1 1 1
8 1 0 0 0
9 1 0 0 1
10 1 0 1 0
11 1 0 1 1
12 1 1 0 0
13 1 1 0 1
14 1 1 1 0
15 1 1 1 1
Figure 1. Binary notation
|
Here are some basics to keep in mind:
- A byte of computer data is made up of 8 bits, which could be represented by eight wheels.
- All information in a computer is stored as accumulations of bits and bytes.
- A byte of data might represent a single character or eight separate flags. Two bytes could be strung together to hold 16 separate flags.
Hexadecimal notation
You could represent the value in a byte by writing out all of the 0s and 1s on each wheel (e.g., 01001101), but that would be cumbersome. Hexadecimal notation is a convenient way of representing the values in a byte with two characters. The characters used are the numbers 0 through 9 and the letters A through F. Figure 2 illustrates how a single hexadecimal digit can represent 4 bits.
wheel -> 4 3 2 1
position Hex
0 0 0 0 0 0
1 0 0 0 1 1
2 0 0 1 0 2
3 0 0 1 1 3
4 0 1 0 0 4
5 0 1 0 1 5
6 0 1 1 0 6
7 0 1 1 1 7
8 1 0 0 0 8
9 1 0 0 1 9
10 1 0 1 0 A
11 1 0 1 1 B
12 1 1 0 0 C
13 1 1 0 1 D
14 1 1 1 0 E
15 1 1 1 1 F
Figure 2. Binary numbers and their hexadecimal equivalents
|
The 8 bits of a byte are frequently represented by grouping the bits into two collections of 4 bits each, then representing each of these with a hexadecimal digit. In our case, the number 00101101 becomes 0010 1101, and that, in turn, becomes 2D.
Octal notation
Hexadecimal notation represents bits in groups of four. Octal notation slices a byte and represents it in groups of three, as shown in Figure 3.
wheel -> 3 2 1
position Oct
0 0 0 0 0
1 0 0 1 1
2 0 1 0 2
3 0 1 1 3
4 1 0 0 4
5 1 0 1 5
6 1 1 0 6
7 1 1 1 7
Figure 3. Octal notation
|
Using this technique, 00111101 becomes 00 111 101 which, in turn, becomes 075 in octal notation. A byte only has 8 bits, so the highest 2 bits are presented as if they had a leading 0, and 10111101 becomes 010 111 101, or 275 in octal. In fact, longer strings of bits can be represented by longer hexadecimal or octal notation. The 16 bits of 2 bytes, 00101011 10010110, become 0010 1011 1001 0110, which can be represented as 2B96 in hexadecimal. If you divide the number into groups of 3 bits and add two extra 0s to the beginning, you get 000 010 101 110 010 110, or 025626 in octal.
The mode bits
From last month's article, you know that the ls -l mode bits are displayed (from left to right) as read, write, and execute for owner; read, write, and execute for group; and read, write, and execute for other.
-rwxrwxr-x 1 mob wp 2018 Aug 30 23:45 afile
These nine flags are actually saved as 9 mode bits (a byte plus part of another), and the mode bits can be represented by the octal notation for that bit pattern.
The above flags represent a bit pattern of 111111101 or 111 111 101, and can be expressed as 775. If you wanted to set those exact permissions for the file, you would use the following command:
$ chmod 775 afile
$ ls -l
-rwxrwxr-x 1 mob wp 2018 Aug 30 23:45 afile
Figure 4 shows several examples of directly setting mode bits using octal notation. The last example makes the file read only.
$ chmod 775 afile
$ ls -l
-rwxrwxr-x 1 mob wp 2018 Aug 30 23:45 afile
$ chmod 770 afile
$ ls -l
-rwxrwx--- 1 mob wp 2018 Aug 30 23:45 afile
$ chmod 750 afile
$ ls -l
-rwxr-x--- 1 mob wp 2018 Aug 30 23:45 afile
$ chmod 740 afile
$ ls -l
-rwxr----- 1 mob wp 2018 Aug 30 23:45 afile
$ chmod 444 afile
$ ls -l
-r--r--r-- 1 mob wp 2018 Aug 30 23:45 afile
Figure 4. Setting mode bits using octal notation
|
In fact, there are 3 more bits available for controlling the mode of files and directories, but these display in different ways. Two of the bits apply to files, and one to directories.
The first bit controls the set user ID property of an executable program or shell script. When a program or script has this bit set and is executed, the script assumes the privileges of the owner of the script. The purpose of this mode would be to provide something like a backup script. The script owner would be root and root would have the privileges needed to back up all files, but the script could be executed by any backup operator who wouldn't need to be given root privileges in order to run the backup.
The second bit controls the same feature for the group. The program or script acquires the privileges of the group that owns the file.
The third bit controls the behavior of directories and is popularly called the stick bit. When this bit is set on a directory, the only people who can delete or rename files from that directory are root and the owner of the directory, regardless of any other permission a user's been granted. This is frequently used on temporary and work directories where many users need to be able to write to the directory, but where no one should be allowed to rename or delete anyone else's files.
These 3 bits are added at the front of the 9-bit bit pattern for access permission, creating a 12-bit pattern. In Figure 5, the first command prevents anyone but root or mob (the directory owner) from deleting or renaming any files in adir . Note the t in the final position of the permission string. The second command allows anyone to run the backup script, but when the script runs it has the privileges of root . Note the s :
$ chmod 1777 adir
$ ls -l
drwxrwxrwt 1 mob wp 2018 Aug 30 23:45 adir
$ chmod 4111 backup
$ ls -l
---s--x--x 1 root wp 2018 Aug 30 23:45 backup
Figure 5. Using a full 12-bit pattern for permissions
|
There is a security feature built in to the set user ID bit and set group ID bits that causes the bit to be reset if the file is written or renamed by anyone other than the superuser. This prevents someone from editing a script that has extra privileges, because root or someone with more privilege owns the script and the set user ID bit is set.
The character representation of these extra 3 bits worth of permission/behavior is handled by cramming their values into the existing permission string with different letters.
The normal state of the owner execute flag is either x or - (dash). If the owner has execute permission and the set user ID bit is on, the x becomes an s . If the owner does not have execute permission but the set user ID bit is on, the - becomes an S , as in Figure 6.
$ chmod 100 backup
$ ls -l
---x------ 1 root wp 2018 Aug 30 23:45 backup
$ chmod 4100 backup
$ ls -l
---s------ 1 root wp 2018 Aug 30 23:45 backup
$ chmod 4000 backup
$ ls -l
---S------ 1 root wp 2018 Aug 30 23:45 backup
Figure 6. The difference between s and S for a file owner
|
The normal state of the group execute flag is either x or - . If the group has execute permission and the set group ID bit is on, the x becomes an s . If the group does not have execute permission but the set group ID bit is on, the - becomes an S , as in Figure 7.
$ chmod 010 backup
$ ls -l
------x--- 1 root wp 2018 Aug 30 23:45 backup
$ chmod 2010 backup
$ ls -l
------s--- 1 root wp 2018 Aug 30 23:45 backup
$ chmod 2000 backup
$ ls -l
------S--- 1 root wp 2018 Aug 30 23:45 backup
Figure 7. The difference between s and S for a file owner's group
|
The normal state of the execute flag for others for a directory is either x , indicating that others can search the directory, or - , indicating that they cannot. If others have search permission and the sticky bit is on, the x becomes a t . If others don't have search permission but the sticky bit is on, the - becomes a T .
$ chmod 001 adir
$ ls -l
d--------x 1 root wp 2018 Aug 30 23:45 adir
$ chmod 1001 adir
$ ls -l
d--------t 1 root wp 2018 Aug 30 23:45 adir
$ chmod 1000 adir
$ ls -l
d--------T 1 root wp 2018 Aug 30 23:45 adir
Figure 8. The difference between t and T
|
Now you have two ways to set up the modes for a file and directory, and three extra security permissions to control the access level of executable programs and protect files within a directory from being deleted or renamed.
Contact
us for a free consultation. |