Authors: Adam Gray cism
|
|  Yüklə 279 Kb.
|
File PermissionsThanks to OS X’s UNIX core, file permissions on OS X are very similar to other flavors of UNIX. There are the standard POSIX compliant owner permissions, owning group permissions, and other or world permissions, with permissions being read, write, and/or execute. How the meaning of these read, write, and execute permissions differ between files and directories is also the same as other flavors of UNIX. Again, like other UNIX flavors, OS X understands the umask concept as well. A detailed explanation of these capabilities is beyond the scope of this document. This section isn’t so much about file permissions, as it is about how to set up your system so that files are created with secure permissions, and how to find files with potentially weak permissions. We'll talk more about securing existing file permissions further down. Change the default umask The umask is short for user file-creation mask. Like file permissions in octal format, the umask is an octal number. File and directory permissions are technically a 4 digit octal number, but the left most digit is optional unless you’re specifically trying to set that set of bits. For some reason in at least some versions of OS X, the umask displays as a 4 digit number with a leading 0, but technically, you can’t change that digit; only the last 3 digits. Each digit of the umask is subtracted from 7 to give you the permissions for a newly created file. For example, if the umask is 0022, then a newly created file would have permissions 755, or user=read,write,execute, group=read,execute,other=read,execute. In OS X the default umask is 022. This means that everyone will have read permissions to all newly created files. It’s a good idea to change this umask to 027, which removes all access to “everyone”. What isn’t standard UNIX in this case is OS X using base 10, instead of base 8. Octal 027 == decimal 23. So, in a terminal window, or from a script type the following:
NOTE: there is a file called /Library/Preferences/.GlobalPreferences.plist, but that is not what we want to type in the command. We want the GlobalPreferences domain. Shell expansion, might add the “.plist” part: be careful. You’ll need to logout and back in, as this setting takes affect at login time. Find weak file permissions So, now we’ve taken care of files that will be created in the future, but what about files already created? We need to find all the files that have weak permissions. To find files that have world write permissions:
This will produce a list of files that are world writable. Another problem is looking for programs that are Set User ID (suid) and world executable. suid and Set Group ID (sgid) deal with that 4th octet I was speaking about above in the umask section. When this is set, the execution of the program is run with the program owner’s or program group owner’s authority, not the authority of the user who executed the script. A classic example is the su command. This command will let you switch to another user in a terminal window. This program is owned by root, and needs to be run with root authority, so that it can switch you to the other user (possibly root itself). Everyone has execute permissions (both group and other) because everyone has the ability to switch to another user if they know that user’s password. It’s possible, however, that there are programs that don’t really need to be suid or sgid. To find these ID’s:
The [ -a -user root ] is optional. Sometimes you might only be concerned if a program is SUID/SGID if the privileges granted would be for root. Consult your man page for the find command to extend the complexity of the search. Be very careful changing file permissions that are suid or sgid, because if you remove that permission you could break the system. Generally, we’re looking for them to remove the world execute privileges, not the suid/sgid privileges. The best way to stay out of trouble is to perform this find on a brand new system, and assume that (for the most part anyway) those permissions are correct. Then you just run this again periodically and compare the results to the original run. Just add a:
… to the end of the find command and the output will go to that file, instead of standard out. File ACLsAs a lot of other flavors of UNIX are implementing file ACLs, as of 10.4 OS X has extended file ACLs as well. Theses ACLs provide for more granularity beyond traditional UNIX file and directory permissions. Again, a detailed explanation of these capabilities is beyond the scope of this document. First, you have to enable file ACLs. By default, they are disabled in OS X 10.4. To enable them:
To enable a user based ACL for a file called secrets.txt:
To enable a group based ACL for the same file:
With ACLs you can also specifically deny access. So, we've allowed the administrators to have write access, but what if we don't want user bob to have write access. Let's deny bob access:
To view ACLs from the command line:
Encrypting Home FoldersOn OS X it is possible to have all the files and folders within your home directory encrypted on the fly using AES-128 bit encryption. This is done using the FileVault (see the System Preferences section). It is a good idea to enable this on all portable computers. One thing to remember here though is that if you have a large iTunes library, it is a good idea to move it out of your home directory as this can cause problems. First, from the/an administrator’s account:
Select a strong password here, and do not use the same password that you use to login in to the system with. Then, within each account that you want to have an encrypted home directory:
This will then log you out of your system and then encrypt your home folder. This can take a while, so be patient here. Once done, your system will reboot, and your home folder icon should now look like a safe. Recently whole disk encryption has been released as an addon to Mac OS X. Both Checkpoint and PGP offer competitive products that encrypt the entire contents of both the Mac boot volume as well as external drives. |