Welcome to Day 15 of 30days linux challenge. We will be treating the 4th topic in our Linux Security Basics series! By now, you've learned why Linux is secure by design, how to secure SSH, and how to protect against brute force attacks with fail2ban. Today, we’re diving into a critical aspect of Linux security: hardening file permissions. Properly managing file permissions ensures that only authorized users can access sensitive data, reducing the risk of unauthorized access or accidental leaks. Let’s explore practical steps to lock down your data.
Index
- Why File Permissions Matter
- Understanding Linux File Permissions
- Practical Steps to Harden File Permissions
- Harden Home Directories
- Secure Directories with Sticky Bits
- Secure Directories with Sticky Bits
- Use
chownto Correct Ownership - Find and Fix Risky Permissions
- Automate with a Script
- Best Practices
Why File Permissions Matter
In Linux, every file and directory has permissions that dictate who can read, write, or execute it. Misconfigured permissions can expose sensitive files (like configuration files or user data) to attackers or unprivileged users. For example, a world readable file containing passwords or a world writable directory could allow malicious changes. Hardening file permissions is about applying the principle of least privilege: users and processes should only have the access they need.
Understanding Linux File Permissions
Before we start, let’s recap how permissions work:
-
Permission Types:
- Read (r): View file contents or list directory contents.
- Write (w): Modify a file or create/delete files in a directory.
- Execute (x): Run a file (e.g., a script or binary) or access a directory.
-
Permission Groups:
- Owner (u): The user who owns the file.
- Group (g): Users in the file’s group.
- Others (o): Everyone else.
Viewing Permissions:
Usels -lto see permissions. Example output:
-rwxr-xr-- 1 alice users 4096 May 19 2025 script.sh
Here, rwxr-xr-- means:
- Owner (
alice): Read, write, execute (rwx). - Group (
users): Read, execute (r-x). -
Others: Read only (
r--).- Numeric Notation: Permissions can be represented as numbers:
Read = 4, Write = 2, Execute = 1.
Example:
755=rwx(7 = 4+2+1) for owner,r-x(5 = 4+1) for group and others.
Practical Steps to Harden File Permissions
Let’s walk through actionable steps to secure your files and directories. These commands assume you’re logged in as a user with sudo privileges.
1. Audit Existing Permissions
Start by checking permissions on critical files and directories.
- Command:
ls -l /etc /home /var/log
-
What to Look For:
- Sensitive files (e.g.,
/etc/shadow,/etc/passwd) should not be world-readable or writable. - User home directories (
/home/username) should not be accessible to others. - Log files in
/var/logshould be restricted torootor specific services.
- Sensitive files (e.g.,
Example:
If/etc/shadowshows-rw-r--r--(world-readable), it’s a security risk. Fix it later in Step 2.
2. Set Secure Permissions for Sensitive Files
Use the chmod command to adjust permissions.
-
Secure Configuration Files:
The
/etc/shadowfile (containing hashed passwords) should only be readable/writable byroot.
sudo chmod 600 /etc/shadow
This sets rw------- (owner only).
-
Protect User Configuration Files:
Files like
~/.ssh/id_rsa(SSH private keys) should be private.
chmod 600 ~/.ssh/id_rsa
- Remove World-Readable Permissions: For files that don’t need public access, remove permissions for "others."
sudo chmod o-rwx /etc/myapp.conf
3. Harden Home Directories
Home directories should be accessible only by their owners.
- Check Permissions:
ls -ld /home/*
If a directory shows drwxr-xr-x, others can list its contents.
-
Restrict Access:
Set permissions to
700(owner only access).
sudo chmod 700 /home/username
-
Set Default Permissions for New Files:
Use
umaskto control default permissions. Aumaskof022ensures new files are not world-writable. Check your currentumask:
umask
To set it permanently, add umask 022 to ~/.bashrc or /etc/profile.
4. Secure Directories with Sticky Bits
In shared directories (e.g., /tmp), users might delete others’ files. The sticky bit prevents this.
- Set the Sticky Bit:
sudo chmod +t /tmp
Check with ls -ld /tmp. The permissions should show drwxrwxrwt.
5. Use chown to Correct Ownership
Ensure files are owned by the right user or group.
- Check Ownership:
ls -l /var/www
Web server files should typically be owned by the web server user (e.g., www-data).
- Change Ownership:
sudo chown -R www-data:www-data /var/www
6. Find and Fix Risky Permissions
Search for files with overly permissive settings.
- Find World Writable Files:
sudo find / -type f -perm -o+w
Review the output and remove unnecessary write permissions:
sudo chmod o-w /path/to/file
- Find World Readable Sensitive Files:
sudo find /etc -type f -perm -o+r
Restrict access as needed.
7. Automate with a Script
To simplify, create a script to check and fix common issues.
#!/bin/bash
# Secure critical files
sudo chmod 600 /etc/shadow /etc/gshadow
sudo chmod 644 /etc/passwd
sudo chmod 700 /home/* -R
sudo chmod +t /tmp
echo "Permissions hardened!"
Save this as harden_permissions.sh, make it executable (chmod +x harden_permissions.sh), and run it with sudo ./harden_permissions.sh.
Best Practices
-
Regularly Audit Permissions: Use
findor tools likelynixto monitor changes. - Backup Before Changes: Always back up critical files before modifying permissions.
- Test Changes: Ensure services (e.g., web servers) still function after permission changes.
- Document Exceptions: If a file needs unusual permissions, document why.
I would love to hear your thoughts, experiences, or tips about Linux!
Feel free to share in the comments and join the conversation.
Connect with me on LinkedIn !
#30DaysLinuxChallenge #CloudWhistler #RedHat #Cloudsecurity #DevOps #Linux #OpenSource #CloudComputing #RedHatEnterpriseLinux #SystemLogs #EnterpriseIT #Observability #Logging #SysAdmin #Automation #CloudEngineer #TechForBusiness #ITSupport #SRE #CloudOps