Linux File Permissions: Enforcing least privilege access for enhanced security, reducing vulnerabilities and improving system integrity.

This project enhances Linux system security by optimising file permissions, ensuring least privilege access. Key updates include permission adjustments for sensitive files and directories, aligning with organisational policies.

Analysing File and Directory Permissions

The following screenshot demonstrates how to use Linux commands to verify current permissions for a specific directory.

Screenshot: Bash shell output from Kali Linux, verifying file and directory permissions with the ls -la command.

The first line of the screenshot shows the command entered, and the remaining lines show its output. The command lists all items in the projects directory. We used the ls command with the -la option to display a detailed list of the directory's contents. This option shows:

  • All files, including hidden files (. prefix)
  • Detailed file information, including permissions, ownership, and timestamps

Describing the Permissions String

The 10-character string represents file permissions, indicating who has access and what permissions are granted.

File Permission Structure

The string follows the ugo=rwx format, where:

  • u represents user permissions
  • g represents group permissions
  • o represents other permissions
  • r represents read permission
  • w represents write permission
  • x represents execute permission

Breaking Down the String

  • File Type (1st character)
    • d: Directory
    • - (hyphen): Regular file
  • User Permissions (2nd-4th characters)
    • r: Read permission
    • w: Write permission
    • x: Execute permission
    • - (hyphen): Absence of permission
  • Group Permissions (5th-7th characters)
    • r: Read permission
    • w: Write permission
    • x: Execute permission
    • - (hyphen): Absence of permission
  • Other Permissions (8th-10th characters)
    • r: Read permission
    • w: Write permission
    • x: Execute permission
    • - (hyphen): Absence of permission

Note: "Others" includes all system users except the user and group.

Example

Consider the file project_t.txt with permissions -rw-rw-r--.
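
Decoding that string field by field, as an added example that is not part of the original gist. The function names are hypothetical, and only the characters listed above (d, -, r, w, x) are recognised:

```shell
#!/bin/sh
# Added example (not from the gist): decode an `ls -la` permission string.
# Function names are hypothetical; only d, -, r, w and x are recognised.

# describe_triplet "rw-" prints "read, write"; "---" prints "none".
describe_triplet() {
    granted=""
    case $1 in r??) granted="read" ;; esac
    case $1 in ?w?) granted="${granted:+$granted, }write" ;; esac
    case $1 in ??x) granted="${granted:+$granted, }execute" ;; esac
    printf '%s' "${granted:-none}"
}

# describe_mode "-rw-rw-r--" prints one labelled line per field.
describe_mode() {
    # Reject anything that is not exactly type + three rwx triplets.
    case $1 in
        [d-][r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "unsupported permission string: $1" >&2; return 1 ;;
    esac
    case $1 in
        d*) echo "type: directory" ;;
        *)  echo "type: regular file" ;;
    esac
    echo "user: $(describe_triplet "$(printf '%s' "$1" | cut -c2-4)")"
    echo "group: $(describe_triplet "$(printf '%s' "$1" | cut -c5-7)")"
    echo "other: $(describe_triplet "$(printf '%s' "$1" | cut -c8-10)")"
}

describe_mode "-rw-rw-r--"   # the project_t.txt string from the example above
```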

Changing File Permissions

Following the organisation's decision to restrict write access for other users to all files, we reviewed the previously obtained file permissions. We identified that project_k.txt required removal of write access for other.

To achieve this, we used the chmod command. The following screenshot demonstrates the command execution:

Screenshot: Executing chmod o-w project_k.txt to remove write access for other users.

The first two lines in the screenshot display the commands entered:

chmod o-w project_k.txt
ls -la

The subsequent lines present the output of the ls -la command, showcasing the updated permissions.

Leveraging the chmod command, we specified other as the target. The first argument o-w indicated the removal of write permissions, and the second argument project_k.txt specified the file.

Before and After permissions:

Before: -rw-rw-r--
After: -rw-r--r--

To confirm the changes made, we utilised ls -la to review the updated permissions. The output verifies that write permissions were successfully removed for other users.

Changing Permissions on a Hidden File

Our organisation's research team archived .project_x.txt and required that write access be restricted, with only the user and group allowed read access. We utilised Linux commands to modify the permissions:

Screenshot: Restricting write access to .project_x.txt using chmod.

The screenshot displays:

  1. Commands entered:

     chmod u-w,g-w,g+r .project_x.txt
     ls -la

  2. Output of ls -la command

Recognising .project_x.txt as a hidden file (due to its period prefix), we:

  • Revoked write permissions from user and group using u-w and g-w
  • Granted read permissions to the group with g+r

Enhancing Directory Access Control

To align with organisational policies, we restricted access to the drafts directory and its contents to researcher2 only. We ensured no other users possessed execute permissions:

Screenshot: Revoking group execute permissions on drafts directory using chmod.

The screenshot displays:

  1. Commands entered:

     chmod g-x drafts
     ls -la

  2. Output of ls -la command

Having identified the group's execute permissions, we utilised chmod to eliminate them. Since researcher2 already had execute permissions, no further adjustments were necessary.
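
The two rules applied above (no write access for other on any file, and no execute permission on drafts for anyone but its owner) can also be checked mechanically instead of by reading ls -la output. The following is an added example, not part of the original gist; the function names, the sandbox directory and the starting modes are constructed for illustration and are not taken from the screenshots:

```shell
#!/bin/sh
# Added example (not from the gist): audit a directory against the two rules
# described on this page. Names and starting modes below are constructed.

# Regular files, hidden ones included, that "other" can write to.
other_writable_files() {
    find "$1" -maxdepth 1 -type f -perm -0002 | sed 's|.*/||' | sort
}

# Subdirectories that group or other can enter (execute bit set).
dirs_open_to_non_owner() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -0010 -o -perm -0001 \) |
        sed 's|.*/||' | sort
}

# Build a throwaway directory with the page's file names and constructed modes.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/drafts"
    touch "$sb/project_k.txt" "$sb/project_t.txt" "$sb/.project_x.txt"
    chmod 710 "$sb/drafts"           # group may enter the directory
    chmod 666 "$sb/project_k.txt"    # other may write
    chmod 664 "$sb/project_t.txt"    # already compliant
    chmod 620 "$sb/.project_x.txt"   # user and group may write
    printf '%s\n' "$sb"
}

sandbox=$(make_sandbox)
echo "before: files=[$(other_writable_files "$sandbox")]" \
     "dirs=[$(dirs_open_to_non_owner "$sandbox")]"

# The same chmod commands used on this page.
chmod o-w "$sandbox/project_k.txt"
chmod u-w,g-w,g+r "$sandbox/.project_x.txt"
chmod g-x "$sandbox/drafts"

echo "after:  files=[$(other_writable_files "$sandbox")]" \
     "dirs=[$(dirs_open_to_non_owner "$sandbox")]"
rm -rf "$sandbox"
```

An empty result from both functions means the directory meets both rules; any name printed is an entry that still needs a chmod.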

Project Summary

In summary, our efforts ensured comprehensive alignment of file and directory permissions with organisational security requirements. Key takeaways:

  • Initial ls -la assessment provided crucial insights
  • Systematic permission adjustments using chmod
  • Robust security posture for the projects directory

This project showcased our expertise in Linux commands and proactive cybersecurity measures through effective permission management.
