Linux Security Fundamentals

Advanced File Permissions

The first advanced permission is the Save Text permission. This bit becomes very important when it is set on a directory. Users with write permission to a directory can delete files in that directory even if they have no access to the files themselves. The Save Text bit prevents this by requiring that users have write permission to the file they are trying to delete. Save Text is denoted by a [T] in the other permission string and is often referred to as the “sticky bit”.

SUID and SGID bits are important as well. SUID runs a process in the permission context of the user that owns the process, instead of the user who launches it. SGID forces all files created in a directory to be owned by the group that owns the directory, not by the primary group of the user that created the file. SUID is denoted by an [s] in the user permission string; SGID is denoted by an [S] in the group permission string. In both cases the marker replaces the execute bit in the listing.

To set these bits using symbolic notation, simply add the corresponding symbol (s, S or T) to the chmod mode.
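The symbolic modes above, worked through on a scratch directory as an added example (not the article's own code): it sets the sticky, SGID and SUID bits with chmod, reads the resulting permission strings back, shows the equivalent octal values (4 for SUID, 2 for SGID, 1 for sticky), and ends with the find command an auditor uses to list SUID files. It assumes GNU coreutils (stat -c), so a Linux system.

```shell
#!/bin/sh
# Added example (not from the original article): apply the sticky, SGID and
# SUID bits with chmod's symbolic modes and read the result back with GNU stat.
# Everything happens in a scratch directory, so no system file is touched.
set -eu

# Apply each chmod mode in turn to PATH, then print "SYMBOLIC OCTAL"
# (e.g. "drwxrwsr-t 3775"). GNU stat prints the special bits as a leading
# digit: 4 = SUID, 2 = SGID, 1 = sticky.
apply_and_show() {
    path=$1; shift
    for mode in "$@"; do chmod "$mode" "$path"; done
    printf '%s %s\n' "$(stat -c '%A' "$path")" "$(stat -c '%a' "$path")"
}

# Shared drop directory: group-writable, SGID so new files inherit the
# directory's group, sticky (t) so a user may delete only their own files.
# Symbolic g+s,o+t on top of 775 is the same as octal 3775.
shared_dir_mode() {
    mkdir -p "$1"
    apply_and_show "$1" 775 g+s,o+t
}

# SUID program: the lowercase 's' replaces the owner's 'x'. Same as octal 4755.
suid_exec_mode() {
    : > "$1"
    apply_and_show "$1" 755 u+s
}

# SUID on a file that is not executable: ls flags the missing 'x' with a
# capital 'S'. Such a bit does nothing and is worth questioning in an audit.
suid_noexec_mode() {
    : > "$1"
    apply_and_show "$1" 644 u+s
}

# Defender's check: list every regular file under DIR with the SUID bit set.
# -perm -4000 matches files that have at least that bit.
list_suid() {
    find "$1" -type f -perm -4000 | sort
}

scratch=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX")
printf 'shared dir : %s\n' "$(shared_dir_mode "$scratch/shared")"
printf 'suid tool  : %s\n' "$(suid_exec_mode "$scratch/tool")"
printf 'suid noexec: %s\n' "$(suid_noexec_mode "$scratch/noexec")"
printf 'SUID files under %s:\n%s\n' "$scratch" "$(list_suid "$scratch")"
rm -rf "$scratch"
```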

A final advanced permission bit is the immutable bit. This bit is equivalent to Read-Only and can only be adjusted by root, regardless of the file's owner. It is stored in the extended attribute set of a file and is not displayed as part of the regular file listing. To list all extended attributes, use the [lsattr] command. To set the immutable bit, enter [chattr +i filename]; to remove it, subtract the bit instead ([chattr -i filename]). As long as the immutable bit is set, no changes can be made to the file, not even by root.

That’s it for now. If you have any questions, please post them to the Linux Forum, or email me directly. In this article I have only scratched the surface in terms of authentication and security. Future articles will extend this topic to include advanced authentication using PAM, and general configuration changes that result in a more secure system. Next week we will get a little off topic and focus on Samba. I know that many of you have both Windows and Linux systems, so I will teach you how to make those two play nicely together for file and print sharing. I will discuss how to configure Linux to allow browsing of share points, as well as how to use Linux to access share points on a Windows server. Down the road we will use that same configuration to make Linux authenticate using Windows, and vice versa.