File Access
Although this password protection stops most attempts to gain unauthorized
access to the system, many security issues involve users that already have
accounts. Unchecked, curious users could access payroll information and find
out what their boss gets paid. Corporate spies could steal company secrets.
Disgruntled workers could wreak havoc by destroying data or slowing down the
system.
Once a user is logged in, Linux (among other UNIX dialects) provides a means
of limiting the access of "authorized" users. This is in the form of file
permissions, which we already talked about. File permissions are one aspect of
UNIX security that most people are familiar with. In many cases, this is the
only kind of security other than user accounts.
As we talked about earlier, each file has an owner, whether or not some user
explicitly went out there and "claimed" ownership. It's a basic characteristic
of each file and is imposed upon it by the operating system.
The owner of the file is stored, along with other information, in the inode
table in the form of a number. This number corresponds to the User ID (UID)
number from /etc/passwd.
Normally, files are initially owned by the user who creates them. However,
there are many circumstances that would change the ownership. One of the
obvious ways is that the ownership is intentionally changed. Only the owner of
the file and root can change its ownership. If you are the owner of a file, you
can, in essence, "transfer ownership" of the file to someone else. Once you do,
you are no longer the owner (obviously) and have no more control over that
file.
Another characteristic of a file is its group. Like the owner, the file's group
is an intrinsic part of that file's characteristics. The file's group is also
stored in the inode as a number. The translation from this number to the group
name is made from the /etc/group file. As we talked about in the section on
users, the concept of a group only has real meaning in terms of security, that
is, who can access which files.
What this means is that only "authorized" users can access files in any of the
three manners: read, write and execute. It makes sense that normal users cannot
run the fdisk utility, otherwise they would have the ability to re-partition
the hard disk, potentially destroying data. It also makes sense that normal
users do not have write permission on the /etc/passwd file, otherwise they
could change it so that they would have access to the root account.
Since we talked about it in the section on shell basics and on users, there is
no need to go into more details here.
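
The inode lookup and the write-permission check described above, as an added
example that is not part of the original text: it reads the numeric UID and GID
with stat, translates them to names, and flags write access for anyone but the
owner. The function names and the two sample files are constructed for
illustration.

```python
import grp
import os
import pwd
import stat
import tempfile


def describe(path):
    """Return ownership and permission facts stored in the file's inode."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name  # UID -> name (passwd database)
    except KeyError:
        owner = None  # numeric UID with no account behind it
    try:
        group = grp.getgrgid(st.st_gid).gr_name  # GID -> name (group database)
    except KeyError:
        group = None
    return {"uid": st.st_uid, "gid": st.st_gid, "owner": owner, "group": group,
            "mode": stat.filemode(st.st_mode), "bits": stat.S_IMODE(st.st_mode)}


def findings(path):
    """List the permission problems worth flagging on a sensitive file."""
    info = describe(path)
    issues = []
    if info["bits"] & stat.S_IWGRP:
        issues.append("group-writable")
    if info["bits"] & stat.S_IWOTH:
        issues.append("world-writable")
    if info["owner"] is None:
        issues.append("owner UID has no passwd entry")
    return issues


if __name__ == "__main__":
    # Constructed sample files: one with sane permissions, one left wide open.
    with tempfile.TemporaryDirectory() as tmp:
        targets = []
        for name, mode in (("tight.txt", 0o644), ("loose.txt", 0o666)):
            path = os.path.join(tmp, name)
            open(path, "w").close()
            os.chmod(path, mode)  # explicit chmod, so the umask does not matter
            targets.append(path)
        if os.path.exists("/etc/passwd"):
            targets.append("/etc/passwd")  # the file the text singles out
        for path in targets:
            info = describe(path)
            print(info["mode"], info["owner"], info["group"], path,
                  findings(path) or "ok")
```

On a normally configured system the /etc/passwd line should report no group or
world write bit.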