CHAPTER 15. Securing Your Linux Server
If you don't incorporate security considerations into every step of your planning and every layer of your actual deployment, then you can be fairly confident that someday something is going to happen. In this chapter you are going to learn about permissions: the metadata attached to every Linux filesystem object that controls who gets to do what. I will also talk about hardening your server by regularly applying software updates and patches, and by ensuring that there aren't any network ports sitting open and unprotected, and then about protecting your data at rest and in transit by encrypting your disks, websites, and email servers. But first it will be useful to see those permissions and attributes in action. While I walk you through that, you'll also learn how Linux permissions actually work.
Every object in a Linux filesystem, whether it's a file or a directory, has metadata associated with it. This metadata is represented by the characters displayed when you run “ls” with the “-l” argument, where “l” stands for the long version.

Try it out: “cd” to the secret directory and then type “su bob”. The command “su” stands for switch user, and it means you are now logged on as Bob. Use “touch” to have Bob create a new file called “data.txt”. If Bob weren't a member of the “secret-group” group, and if the secret directory weren't owned by “secret-group”, this would be impossible. You can prove that by having Bob try to create a file called “stuff” in the “/var/log” directory, which is owned by “root”. It will not work. That's why it can be so useful to associate groups with particular assets, like directories. It's not just about Bob: you could add any number of users to this group and they'd all have the ability to create and edit files in any directories belonging to the group.

Let's find out how it works. Run “ls -l” within your “/var/secret” directory to display the file attributes of the contents. Then run “ls -ld”; the “d” argument lists the attributes not of the contents, but of the secret directory itself. Look at what those two commands give you, starting with the file “data.txt”. The 10 characters at the beginning of that line are really made up of 4 groups. The first dash would, if “data.txt” were a directory, be a “d”. If you jump down a couple of lines, you should see that the first character of the secret directory's attributes is, in fact, a “d”.
The next three characters, “r”, “w”, and “dash”, represent the ways that the object's owner can use the file. 
In this case, the “r” tells that the owner can read the file contents, the “w” means to write or edit, which includes delete, and the “dash” is in place of an “x”, which would mean that Bob can, if appropriate, execute the file. 
In this case, the “dash” means that the owner does not have execute rights. The next three characters represent the permissions of members of the owning group; Bob's group, in this case. All group members have both read and write authority, but not execute.
The final cluster of three characters represents the rights of all other “non-root” users. They can read, but not write or execute. 
The next field tells you that the file owner is Bob, and its group is Bob. Even though the directory is owned by root, the file is Bob's because he's the one who created it. Now let's look at the directory's attributes. I already mentioned the “d” for directory, but you should also see how both the owner and group have full rights: read, write, and execute.
Others will be able to read and execute, but not write. Why is the directory owned by root? Because it was created using “sudo”, which is effectively acting as “root”. 
The “chown” operation you should have run a while back changed only the group, but not the owner. To change both, you would have included a value like your own username before the colon, and then “secret-group” after the colon to set the group.
You can change an object's attributes using “chmod”. It wouldn't hurt to try a few more of these to make sure the process is perfectly clear.
Add execute powers over “data.txt” for others. You can use “o” for others, the plus sign to say that you are adding power, and “x” to indicate executable. There are two points that should be emphasized here. The first is that since you are currently logged in as Bob, who is the owner of “data.txt”, you didn't need to use “sudo” for this operation. 
The second point is that this operation would be pointless unless Bob happens to turn the file into a script, as you'll never need to execute a simple data file.
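To see the whole sequence without needing a root-owned “/var/secret” or a second user account, here is an added example (my script, not code from the book) that builds the same layout in a scratch directory: it assumes a POSIX shell with “ls”, “chmod”, “chgrp” and “mktemp”, and it uses your own primary group as a stand-in for “secret-group”. The “mode_of” helper reads back the 10-character attribute string the way “ls -ld” shows it, so you can watch each “chmod” change one field at a time.

```shell
#!/bin/sh
# Added example, not from the book. Rebuilds the "secret" directory walkthrough
# in a scratch directory owned by the current user (no root, no "su bob").

# 10-character mode string (e.g. drwxrwxr-x) of a file or directory.
# "ls -ld" reports the object itself, not a directory's contents; cut -c1-10
# drops the trailing "." or "+" that SELinux/ACL-aware ls versions append.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Pull one of the four fields out of a mode string: type|user|group|other.
perm_field() {
    case "$2" in
        type)  printf '%s' "$1" | cut -c1 ;;
        user)  printf '%s' "$1" | cut -c2-4 ;;
        group) printf '%s' "$1" | cut -c5-7 ;;
        other) printf '%s' "$1" | cut -c8-10 ;;
    esac
}

# Create the scratch "secret" directory with the rights the book describes
# (owner and group rwx, others r-x) and print its path.
make_secret_dir() {
    dir=$(mktemp -d)/secret
    mkdir "$dir"
    chmod u=rwx,g=rwx,o=rx "$dir"
    chgrp "$(id -gn)" "$dir"   # stand-in for: sudo chown :secret-group /var/secret
    printf '%s' "$dir"
}

# Return 0 if the caller can create a file in $1, 1 otherwise. This mirrors
# Bob's failed "touch /var/log/stuff". Root bypasses mode bits entirely, so
# the denial is only visible when you run this as an ordinary user.
can_create_in() {
    if touch "$1/stuff" 2>/dev/null; then
        rm -f "$1/stuff"
        return 0
    fi
    return 1
}

# Run the book's sequence: Bob creates data.txt, then adds execute for others.
# Prints the final mode of data.txt, which should be -rw-rw-r-x.
demo_file_mode() {
    dir=$(make_secret_dir)
    touch "$dir/data.txt"                 # what Bob does with "touch data.txt"
    chmod u=rw,g=rw,o=r "$dir/data.txt"   # start from rw-rw-r--, as in the text
    chmod o+x "$dir/data.txt"             # o = others, + = add, x = execute
    mode_of "$dir/data.txt"
    rm -rf "$(dirname "$dir")"
}

# Narrative run, so the script shows something when executed directly.
secret=$(make_secret_dir)
echo "directory: $(mode_of "$secret")  type=$(perm_field "$(mode_of "$secret")" type)"
rm -rf "$(dirname "$secret")"
echo "data.txt after chmod o+x: $(demo_file_mode)"

readonly_dir=$(mktemp -d)
chmod u=rx,g=rx,o=rx "$readonly_dir"     # like /var/log from Bob's point of view
if can_create_in "$readonly_dir"; then
    echo "could create stuff in $readonly_dir (are you running as root?)"
else
    echo "cannot create stuff in $readonly_dir: no write permission"
fi
rm -rf "$readonly_dir"
```

Run it as a normal user: the directory line should read “drwxrwxr-x”, the file line “-rw-rw-r-x”, and the last line should report the denied write, exactly as Bob saw with “/var/log”.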
I can't move on without telling you about a different way of representing object attributes: numeric notation. You will remember that there are three kinds of permissions: read, write, and execute. If you use the number 4 to represent read, 2 for write, and 1 for execute, then adding together the values of those three permissions gives you a single digit per class, and 7 (4 plus 2 plus 1) indicates the highest permission level possible. 
Someone with read and execute powers, but not write, would be worth 5, while someone with only execute powers would be 1. So how would you describe the current values of “data.txt”, where the user and group both have read and write while others have read and execute? 
That would be 665. The secret directory, on the other hand, would be 775; work that out for yourself. You can use this notation with “chmod”: applying 777 to “data.txt”, for instance, would add execute powers to the user and group and write to others. 
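The arithmetic above is easy to get wrong in your head, so here is an added example (mine, not the book's) that does the conversion both ways in plain POSIX shell: from the nine “rwx” characters that “ls -l” prints to the octal digits “chmod” accepts, and back. It also works out, class by class, what a new numeric mode would add or remove relative to the current one, which is what the 665 to 777 case in the text describes. It touches no files; all inputs are strings you pass in.

```shell
#!/bin/sh
# Added example, not from the book: symbolic <-> octal permission arithmetic
# using the weights read=4, write=2, execute=1. Pure POSIX sh, no files used.

# Value (0-7) of one three-character triplet such as "rw-" or "r-x".
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??x) v=$((v + 1)) ;; esac
    printf '%s' "$v"
}

# "rw-rw-r-x" -> "665". A full 10-character ls -l string such as
# "drwxrwxr-x" is accepted too; the leading type character is dropped.
symbolic_to_octal() {
    s=$1
    [ "${#s}" -eq 10 ] && s=${s#?}
    u=$(printf '%s' "$s" | cut -c1-3)
    g=$(printf '%s' "$s" | cut -c4-6)
    o=$(printf '%s' "$s" | cut -c7-9)
    printf '%s%s%s' "$(triplet_value "$u")" "$(triplet_value "$g")" "$(triplet_value "$o")"
}

# One octal digit (0-7) -> only the letters it grants, e.g. 5 -> "rx".
digit_letters() {
    d=$1; s=""
    [ $((d & 4)) -ne 0 ] && s="${s}r"
    [ $((d & 2)) -ne 0 ] && s="${s}w"
    [ $((d & 1)) -ne 0 ] && s="${s}x"
    printf '%s' "$s"
}

# One octal digit (0-7) -> its rwx triplet with dashes, e.g. 5 -> "r-x".
digit_to_triplet() {
    d=$1; r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# "644" -> "rw-r--r--".
octal_to_symbolic() {
    printf '%s%s%s' \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c1)")" \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c2)")" \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c3)")"
}

# What "chmod NEW" changes relative to mode OLD, per class.
# diff_rights 665 777 -> "u:+x g:+x o:+w"; unchanged classes print as "u:=".
diff_rights() {
    old=$1; new=$2; i=1; out=""
    for class in u g o; do
        od=$(printf '%s' "$old" | cut -c"$i")
        nd=$(printf '%s' "$new" | cut -c"$i")
        plus=$(digit_letters $(( nd & ~od & 7 )))     # bits set in new, not old
        minus=$(digit_letters $(( od & ~nd & 7 )))    # bits set in old, not new
        tok="$class:"
        [ -n "$plus" ] && tok="$tok+$plus"
        [ -n "$minus" ] && tok="$tok-$minus"
        [ -z "$plus$minus" ] && tok="${tok}="
        out="$out$tok "
        i=$((i + 1))
    done
    printf '%s' "${out% }"
}

# The two objects from the text, and the chmod 777 thought experiment.
echo "data.txt  -rw-rw-r-x -> $(symbolic_to_octal -rw-rw-r-x)"
echo "secret    drwxrwxr-x -> $(symbolic_to_octal drwxrwxr-x)"
echo "chmod 777 on 665 changes: $(diff_rights 665 777)"
echo "644 spelled out: $(octal_to_symbolic 644)"
```

Note that these functions only cover the nine permission bits; the setuid, setgid and sticky bits that a fourth leading octal digit controls are not represented, and the “s” or “t” characters “ls -l” uses for them would be counted here as if they were “x”.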
This is one of those things that will become like second nature to you after you've done it a bunch of times in the real world, but right now, it's probably kind of hard to absorb. The solution is to practice as much as possible!