Softpanorama
chkstat utility and permissions files in SUSE (/etc/permissions.local, .easy and .secure)


In SUSE there are three security levels, easy, secure and paranoid, and the chosen level determines which permissions.* file is applied to the filesystem: /etc/permissions.easy, /etc/permissions.secure or /etc/permissions.paranoid. You set the level via YaST -> Security and Users -> Security Settings.

You can also edit the corresponding permissions.* file directly, but unlike /etc/permissions.local the shipped files may be replaced by an upgrade, so site-specific entries belong in permissions.local.

The permissions of the more than 200,000 files included in a SUSE distribution are carefully chosen. A system administrator who installs additional software or other files should take great care when doing so, especially when setting the permission bits.

To minimize the damage from incorrect permissions, SLES ships several permissions files, all in the directory /etc: permissions, permissions.easy, permissions.secure and permissions.paranoid, plus permissions.local for the administrator's own entries. The purpose of these files is to define special permissions, such as world-writable directories or, for files, the set-user-ID bit (a program with the set-user-ID bit set does not run with the privileges of the user who launched it but with those of the file owner, in most cases root, which is exactly why such programs need to be tracked).

An administrator uses /etc/permissions.local to add entries for specific files, directories and devices of local interest. Because chkstat takes the last entry it finds for a path, and the local file is listed last, entries there override the ones in the level file selected by the security setting.

The security level (easy, secure or paranoid) can be configured either via YaST or directly in /etc/sysconfig/security, where the easy level plus local additions looks like this:

PERMISSION_SECURITY="easy local"

Entries for programs that only need a set-uid bit in some setups are kept as comments, to be enabled by the administrator when that setup applies; two such examples:

#/usr/sbin/suexec2 root:root 4755

# setuid bit on Xorg is only needed if no display manager, ie startx
#/usr/bin/Xorg root:root 4711

A stock /etc/permissions.local, with one local entry added at the end, looks like this:

#
# /etc/permissions.local
#
# Description: Roman Drahtmueller , 2001
#
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
#
# In particular, this file will not be touched during an upgrade of the
# SuSE Linux installation. It is designed to be a placeholder for local
# additions by the administrator of the system to reflect filemodes
# of locally installed packages (usually under /opt/local or /usr/local).
#
# Format:
#  <file> <owner>.<group> <mode>
#
# Please see the file /etc/permissions for general usage hints of the
# /etc/permissions* files.
# Keep in mind that this file (/etc/permissions.local) is being used by
# default by SuSEconfig, the shell script that is used by yast and yast2
# after package installation and configuration changes to make the changes
# effective for the respective packages (eg generating the "real"
# configuration files).
# Always check if there are no conflicts between your "local" changes here
# and the settings in the other permissions files by calling
# "SuSEconfig" as root!
# Please remember that logfiles might be modified by the logfile
# rotation facilities (e.g. logrotate) so local settings might
# be overridden.
#
# example:
#/usr/local/bin/mtr         root.root       4755
/var/spool/clientmqueue      smmsp:smmsp     770

chkstat - Tool to check and set file permissions

The program /usr/bin/chkstat checks and, on request, sets file permissions. Multiple permissions files can be given on the command line; if they contain several entries for the same file, the last entry found is used.

chkstat [--set|-set] [--noheader] [[--examine file ]...] [[--files filelist ]...] [[--root directory ]...] permission-file ...

Options

The command

chkstat -set /etc/permissions.local

parses the file /etc/permissions.local and sets the access mode and the owner and group of each file listed (the synopsis above shows that both -set and --set are accepted). The format of the input file is

FILEPATH OWNER:GROUP MODE

Wildcards are not supported in the file path. Lines starting with '#' and empty lines are treated as comments.

SUSE Linux includes a utility called chkstat (not the most imaginative name) that checks, and optionally corrects, the ownership and permissions of key files in the filesystem. As such it can be used as a low-grade system hardening tool, or for intrusion detection if an intruder has left permissions deliberately lax. Keep in mind that it only looks at files listed in the permissions files it is given, so it is not a substitute for a full integrity checker. chkstat reads one or more permissions files to find out which files to check and what their ownership and permissions are supposed to be. The system ships with several permissions files, described in the table below.

File in /etc            Description

permissions             A really basic set of permissions. File modes that differ from
                        the settings in this file should be considered broken, not
                        merely insecure.

permissions.easy        A fairly lax set of permissions for use on standalone
                        single-user systems.

permissions.secure      A more secure set of permissions for use on multiuser or
                        networked systems. To quote from the comments in the file
                        itself: "The primary target of this configuration is to make
                        the basic things such as changing passwords, the basic
                        networking programs as well as some of the all-day work
                        programs properly function for the unprivileged user."

permissions.paranoid    A very secure set of permissions. This file is similar to
                        permissions.secure but has all the set-user-id and
                        set-group-id bits cleared. These settings will prove
                        inconvenient for ordinary users and are probably best
                        reserved for servers or firewalls which do not support
                        ordinary user log-ins.

permissions.local       This file provides a place for administrators to add entries
                        for locally installed programs; for example those in /opt or
                        /usr/local.

Entries in these files have the syntax:

filename  owner:group  mode

For example, here are a few lines from /etc/permissions.secure:

/usr/bin/passwd                       root:shadow       4755
/usr/bin/crontab                      root:trusted      4750
/etc/fstab                            root:root          644
/var/spool/fax/archive                fax:uucp           700

The file permissions (mode) are written in octal. The 4000 bit is the set-user-id bit, 2000 is the set-group-id bit and 1000 is the sticky bit; the bottom three digits are the usual rwxrwxrwx permissions (4 read, 2 write, 1 execute, for owner, group and others in turn). A leading zero, as in 0644, is just the octal spelling of the same value.

Comparing permissions.secure with permissions.paranoid, you can see that (for example) in the paranoid settings the passwd command does not run set-uid to root:

/usr/bin/passwd                       root:shadow       0755

This means that nonroot users would not be able to change their passwords.

To run chkstat against the permissions.secure file (for example), just supply the file name as an argument. On my test system, the command:

# chkstat /etc/permissions.secure

produces no output: the system passes with flying colors (whatever that means). Running chkstat against permissions.paranoid, however, produces a long list of warnings, mostly about config files that are readable by nonroot users, or about programs that have the set-user-id bit on.

Running chkstat with the --set option tells it to fix the problem automatically. Let's try making one of the permissions deliberately too lax, and re-run the program. The line numbers in this listing are for reference; they are not part of the input or output.

1 # chmod 666 /etc/fstab
2 # chkstat /etc/permissions.secure
3 Checking permissions and ownerships - using the permissions files
4         /etc/permissions.secure
5 /etc/fstab should be root:root 0644. (wrong permissions 0666)
6 # chkstat --set /etc/permissions.secure
7 Checking permissions and ownerships - using the permissions files
8         /etc/permissions.secure
9 setting /etc/fstab to root:root 0644. (wrong permissions 0666)
10 # ls -l /etc/fstab
11 -rw-r--r--  1 root root 670 Oct 11 09:35 /etc/fstab

At line 1, I deliberately changed the permissions on /etc/fstab. At lines 2-5, I ran chkstat and it duly reported the problem. At lines 6-9, I ran chkstat again with the --set flag and at lines 10 and 11 verified that chkstat had indeed corrected the permissions problem.

It's time to tie all this up with the File Permissions setting in the YaST security module you've seen in this lab. The setting made within YaST sets a line in the file /etc/sysconfig/security; for example if I set the file permissions to "Easy," I will see a line in /etc/sysconfig/security like this:

PERMISSION_SECURITY="easy local"

This line says to run chkstat with the files permissions.easy and permissions.local as parameters.

The chkstat program is run by SuSEconfig, the script that YaST runs whenever it commits a configuration change. This means that the file permissions are checked pretty well every time you change something in YaST.
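The check-and-set behaviour described on this page, from the entry format and the last-entry-wins rule through the /etc/fstab experiment and the PERMISSION_SECURITY line, as a small added Python example. This is example code written for this page, not SUSE's chkstat source. It accepts both the `owner:group` and the older `owner.group` spelling that appears in the permissions.local example, and re-runs the fstab experiment on a scratch file owned by the current user so it needs no root. Two details are assumptions rather than documented chkstat behaviour: entries for files that do not exist are skipped, and the wording of the owner/group mismatch message is mine.

```python
import grp
import os
import pwd
import stat
import tempfile

# Added example: a minimal re-implementation of chkstat's check/set logic.
# Entry format as quoted on the page: "PATH OWNER:GROUP MODE", '#' lines and
# empty lines are comments, no wildcards, and the last entry for a path wins.


def parse_permissions(text, entries=None):
    """Parse one permissions file into {path: (owner, group, mode)}.
    Pass the dict from a previous call to chain files the way
    `chkstat file1 file2` does: a later entry replaces an earlier one."""
    entries = {} if entries is None else entries
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'PATH OWNER:GROUP MODE': {raw!r}")
        path, ownergroup, mode = fields
        sep = ':' if ':' in ownergroup else '.'        # "root.root" is the old spelling
        owner, group = ownergroup.split(sep, 1)
        entries[path] = (owner, group, int(mode, 8))   # '4755' -> 0o4755
    return entries


def mode_string(mode):
    """Render mode bits as ls -l does: 4755 reads 'rwsr-xr-x', so the set-uid
    (4000), set-gid (2000) and sticky (1000) bits are visible at a glance."""
    return stat.filemode(stat.S_IFREG | stat.S_IMODE(mode))[1:]


def _name(lookup, numeric_id):
    try:
        return lookup(numeric_id)[0]     # pw_name / gr_name
    except KeyError:
        return str(numeric_id)           # unknown id: keep the number


def _id(lookup, name):
    try:
        return lookup(name)[2]           # pw_uid / gr_gid
    except KeyError:
        return int(name)                 # allow numeric ids in entries


def format_problem(path, wanted, actual, setting=False):
    """Message in the style of chkstat's report, e.g.
    '/etc/fstab should be root:root 0644. (wrong permissions 0666)'."""
    owner, group, mode = wanted
    verb = f"setting {path} to" if setting else f"{path} should be"
    if actual[2] != mode:
        why = f"wrong permissions {actual[2]:04o}"
    else:
        why = f"wrong owner/group {actual[0]}:{actual[1]}"   # wording assumed, not chkstat's
    return f"{verb} {owner}:{group} {mode:04o}. ({why})"


def check(entries, set_mode=False, root=''):
    """Compare every entry with the filesystem (optionally below `root`, like
    chkstat --root). Returns [(path, wanted, actual)] for each mismatch; with
    set_mode=True it also repairs them, like `chkstat --set`."""
    problems = []
    for path, wanted in entries.items():
        full = root + path
        try:
            st = os.lstat(full)
        except FileNotFoundError:
            continue            # not installed: skipped (assumed to match chkstat)
        if stat.S_ISLNK(st.st_mode):
            continue            # a symlink's own mode is meaningless; not handled here
        actual = (_name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid),
                  stat.S_IMODE(st.st_mode))
        if actual == wanted:
            continue
        problems.append((path, wanted, actual))
        print(format_problem(path, wanted, actual, setting=set_mode))
        if set_mode:
            if actual[:2] != wanted[:2]:   # chown needs root, so only when really needed,
                os.chown(full, _id(pwd.getpwnam, wanted[0]), _id(grp.getgrnam, wanted[1]))
            os.chmod(full, wanted[2])      # and chmod last: chown may clear set-uid bits
    return problems


def files_for_setting(line):
    """PERMISSION_SECURITY line from /etc/sysconfig/security -> the permissions
    files handed to chkstat, in order: 'easy local' -> [permissions.easy, permissions.local]."""
    value = line.split('=', 1)[1].strip().strip('"')
    return [f"/etc/permissions.{level}" for level in value.split()]


def demonstrate():
    """Re-run the /etc/fstab experiment from the text on a scratch file so it
    works without root: a constructed entry names the file's current owner and
    group with mode 644, the file is made 666, then checked, repaired, checked."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, 'fstab')
        with open(target, 'w') as fh:
            fh.write('# constructed stand-in for /etc/fstab\n')
        os.chmod(target, 0o666)                      # the deliberately lax mode
        st = os.stat(target)
        me, mygroup = _name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid)
        entries = parse_permissions(f"# constructed permissions file\n{target}  {me}:{mygroup}  644\n")
        return check(entries), check(entries, set_mode=True), check(entries)


if __name__ == '__main__':
    before, fixed, after = demonstrate()
    print('mismatches before:', len(before), ' fixed:', len(fixed), ' after:', len(after))
```

Run it directly to see the before/after report. Chain files with parse_permissions(text2, parse_permissions(text1)) to get the same override order as `chkstat file1 file2`, and pass root='/mnt/sysimage' to check() to audit a mounted image the way --root does.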


Recommended Links


File system permissions - Wikipedia, the free encyclopedia




Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Last modified: August 13, 2017