Unit 6 – Solaris File Security

Randy Marchany

VA Tech Computing Center

va-scan Copyright 2002, Marchany


Regular Expressions - grep

The grep command searches its target for a specific string. It is a very powerful tool.

Regular expressions are used in combination with grep and other commands to do pattern matching.

* – allows selection of 0 or more characters
– Example: *.doc selects anything that ends with .doc

Regular Expressions

? – allows selection of any single character.
– ?J will select any occurrence of the letter J.

. – following any character will match that character.
– X. will match the X followed by any character.

^ – matches the characters that follow it if they are at the beginning of a line.
– ^J selects any line that begins with a J

$ – matches the characters that follow it if they are at the end of the line.
– J$ selects any line that ends with a J

Grep Options

-b – prints the block number where the pattern was found
-c – prints the count of lines matching the pattern
-i – matches upper or lower case
-l – prints only the filename of those matching the pattern.
-n – prints the line number where the pattern was found.

Grep Options

-v – suppresses lines that match the pattern. In other words, search for everything BUT the pattern

-w – search for the pattern as if it were a word
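
An added example (not from the original slides) that applies the anchors and grep options above to a constructed /etc/passwd-style sample. The account names and helper function names are made up for illustration.

```sh
#!/bin/sh
# Constructed sample in /etc/passwd format (not taken from a real system).
sample_passwd() {
cat <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
Jsmith:x:101:10:J Smith:/export/home/jsmith:/bin/ksh
toor:x:0:1:spare admin:/:/bin/sh
nobody:x:60001:60001:Nobody:/:
EOF
}

# -c with the ^ anchor: count accounts whose third field (UID) is exactly 0.
# Inside a grep pattern, [^:]* means "zero or more non-colon characters".
count_uid0() { sample_passwd | grep -c '^[^:]*:[^:]*:0:'; }

# -n with the $ anchor: line numbers of entries whose shell field is empty.
empty_shell_lines() { sample_passwd | grep -n ':$' | cut -d: -f1 | xargs; }

# -v: among UID-0 accounts, show everything BUT the expected root entry.
extra_uid0() {
    sample_passwd | grep '^[^:]*:[^:]*:0:' | grep -v '^root:' | cut -d: -f1
}

# -i with ^: count lines that begin with J or j.
starts_with_j() { sample_passwd | grep -ci '^j'; }

# -w: match "sh" only as a whole word, so /bin/ksh is not counted.
word_sh() { sample_passwd | grep -cw 'sh'; }
```

On a live system the same patterns are pointed at /etc/passwd instead of the sample function.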

ls Command Options

The ls command lists the contents of a directory.

There are several options that are very useful when examining possible security issues.

-l – list the long format, access permission, owner, group, date modified, etc.
-a – list all hidden files
-t – sort by time stamp, latest first
-i – list by inode

chmod Command

The chmod command modifies the permissions of a file or directory.

I use the numeric method of denoting the permission.

7 = rwx; if a directory, the x bit set allows searching in the directory

777 = rwx rwx rwx (owner, group, other)

1000 – sticky bit
2000 – SGID bit
4000 – SUID bit

Sticky Bit

Purpose is to prevent files in a directory from being removed, renamed or deleted.

One of the following conditions must be met before a user can delete the file:
– The user must own the file
– The user must own the directory
– The file must be writable by the user
– The user is root
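
An added example, not part of the original slides: it builds a constructed scratch tree and uses find with the octal bits from the chmod slide to list world-writable directories that lack the sticky bit and files carrying the SUID or SGID bit. All directory, file and function names are assumptions made for the example.

```sh
#!/bin/sh
# make_tree: build a constructed scratch tree to audit and print its path.
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/shared_ok" "$t/shared_bad" "$t/private"
    chmod 1777 "$t/shared_ok"     # world-writable with sticky bit (like /tmp)
    chmod 0777 "$t/shared_bad"    # world-writable, sticky bit missing
    chmod 0755 "$t/private"
    : > "$t/tool";  chmod 4755 "$t/tool"     # SUID bit set
    : > "$t/gtool"; chmod 2755 "$t/gtool"    # SGID bit set
    : > "$t/plain"; chmod 0644 "$t/plain"
    echo "$t"
}

# missing_sticky DIR: world-writable directories WITHOUT the sticky bit (1000).
# Any user can remove or rename other users' files in these directories.
missing_sticky() {
    ( cd "$1" && find . -type d -perm -0002 ! -perm -1000 | sort )
}

# setid_files DIR: regular files with the SUID (4000) or SGID (2000) bit.
setid_files() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) | sort )
}

# mode_string PATH: the permission column of ls -l, where the sticky bit
# shows as a trailing "t" and SUID as "s" in the owner execute position.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Usage: t=$(make_tree); missing_sticky "$t"; setid_files "$t"; rm -rf "$t"
```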

umask Command

The umask command sets the default permissions for new files.

Umask values are usually set in /etc/profile.

Umask values are a little strange. They are the 1’s complement of the permission you want. Subtract the umask value from the default permissions to see what your target value is.

umask

                          File   Directory
Default Value             666    777
Umask                     022    022
Target Permission value   644    755
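
An added example (not from the original slides): target_mode computes the result the way the system applies a umask, by clearing the umask bits from the default, and created_modes confirms it by creating a real file and directory in a scratch directory. The function names are made up here; for the 022 in the table this gives the same 644 and 755 as the subtraction.

```sh
#!/bin/sh
# target_mode DEFAULT UMASK -> resulting octal mode.
# Every bit set in the umask is cleared from the default
# (default AND NOT umask), e.g. 666 with 022 gives 644.
target_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 ))"
}

# created_modes UMASK -> "file_mode dir_mode" as shown by ls -l.
# Runs in a subshell (note the parentheses) so the caller's umask
# is left unchanged; the scratch directory is removed afterwards.
created_modes() (
    d=$(mktemp -d) || exit 1
    umask "$1"
    : > "$d/f"          # new files start from 666
    mkdir "$d/sub"      # new directories start from 777
    f=$(ls -ld "$d/f" | cut -c1-10)
    s=$(ls -ld "$d/sub" | cut -c1-10)
    rm -rf "$d"
    echo "$f $s"
)

# Usage: target_mode 666 027    (a stricter umask: no access for other)
#        created_modes 027
```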

Access Control Lists

Solaris allows more granular access control on files and directories.

This is an Access Control List (ACL).

Example: you can specify a certain group ownership for a file but you can allow multiple groups to have lesser permissions on the same file. This is not possible under the standard group permissions. ACLs make it possible.

ACL

To display the File System ACLs:
– getfacl -ad file
• -a – display the filename, owner, group owner and the ACL of the file
• -d – display the filename, owner, group owner and default ACL if it exists.
– You can assign multiple users different permissions on the file.

ACL

Getfacl output
– ACLs are displayed in the order in which they are evaluated when an access check is done.
– User entry – user::perm means the permissions are granted to the owner only. user:randy:perm would mean user ‘randy’ has the following permissions.
– Group entry – similar to user but it applies to groups.

ACL

Getfacl output
– Mask entry indicates the max permissions allowed to any user except the owner of the file and to any group owner including the file group owner. This mask restricts the permissions you can give out.
– Example: mask is set to RW, you try to specify RWX for a user, the mask will allow you to set it to RW only.
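
An added example (not from the original slides) that works through the mask rule above: it reads a getfacl-style listing and prints the effective permissions of each entry after the mask is applied. The listing is constructed, and the file, user, group and function names are assumptions.

```sh
#!/bin/sh
# Constructed getfacl-style listing (file, users and groups are made up).
sample_getfacl() {
cat <<'EOF'
# file: report.txt
# owner: randy
# group: staff
user::rwx
user:alice:rwx
group::r-x
group:audit:rw-
mask:rw-
other:r--
EOF
}

# and_perms A B -> keep a permission letter only where both strings have it.
and_perms() {
    out=""
    for i in 1 2 3; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" != "-" ] && [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
    done
    echo "$out"
}

# effective_acl: read ACL entries on stdin and print each one with its
# effective permissions. The mask filters named users and all group
# entries; the owner (user::), other and the mask line stay as written.
effective_acl() {
    acl=$(sed -e 's/[[:space:]]*#.*$//' -e '/^$/d')   # drop comments, blanks
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask:\{1,2\}//p')
    [ -n "$mask" ] || mask=rwx                        # no mask entry: no filter
    printf '%s\n' "$acl" | while IFS= read -r line; do
        tag=${line%:*}; perm=${line##*:}
        case $tag in
            user:|other|other:|mask|mask:) eff=$perm ;;
            *) eff=$(and_perms "$perm" "$mask") ;;
        esac
        echo "$tag:$perm effective:$eff"
    done
}
```

Running `sample_getfacl | effective_acl` shows alice's requested rwx reduced to rw- by the mask, while the owner entry keeps rwx.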

setfacl

Setfacl sets the permissions for ACL.

Syntax:
– setfacl acl_entries file

Setfacl will do one of the following:
– Replace the entire ACL including the default ACL for a directory
– Add, modify or delete one or more ACL entries including default entries