Join Mike Chapple for an in-depth discussion in this video File permissions, part of CISM Cert Prep: 3 Information Security Program Development and Management.
- [Instructor] File system access controls allow administrators to limit data access to only those users with authorized access. All modern file systems provide administrators with a way to restrict access to files and directories based upon the identities of users and groups. These access control systems allow the simple enforcement of an organization's security policies. The NTFS file system, used on Windows servers and workstations, provides a graphical interface that allows file owners to easily add and remove users and groups from file access, and modify the access that users and groups have to existing files.
NTFS has five basic sets of permissions that may be assigned to your users and groups. Full control is just that. A user with full control of a file or folder may perform any action on that file or folder. They can read, execute, delete, modify, take ownership, or change file permissions. They're in full control. Read permission allows a user to read the contents of a file or list the contents of a folder. Read and execute gives the same permissions as read, but also allows users to traverse directories and execute application files.
Write permission allows the user to create files and folders and write data to those files and folders. Modify is a combination of read and execute and write, with the additional ability to delete files. Let's take a look at how we might implement file system access controls on Windows system. Here I am inside the documents folder on a Windows server. This simple folder has three items in it, a document containing sensitive employee information, a product catalog that contains no sensitive information, and a folder full of files belonging to the accounting department.
Let's go ahead and set some file permissions on this NTFS folder. First, we want to make sure that everyone in the organization has access to read the product catalog, and that only Carol Adams, the catalog supervisor, may edit it, so I'm going to right click on Product Catalog, and then choose properties. I'll open the security tab in the properties window, and I can see here the permissions that are already set. I need to do two things. I need to give Carol Adams the ability to edit this file, and I need to give everyone the ability to read it.
Let's go ahead and give Carol the editing permission, first. I'm going to click edit here to edit the permissions, and now I'm going to click add, because I want to add a new entry to this access control list. In this box where it says enter the object names to select, I need to enter the user ID of the person I'm giving access to, that would be Carol Adams, and I happen to know her user ID is cadams. I'll click the check names button just to make sure I got that correct, and Carol Adams's user ID is now underlined, so that means it checked properly.
I'm going to go ahead and click okay, and then I can look at the permissions that Carol will have. The default, here, is that she has read and read and execute permissions, but I also want her to have the ability to write and modify this file, so I'll click those options, and then click apply. Now, Carol's entry is added to the access control list. The next thing I want to do is give everyone the ability to read this file, so I'll again click the add button, and then in object names, I'm just going to type Everyone, and click the check names button.
You can see that got underlined, so we're good to go, there, and the only permission I want everyone to have is read, so I'm going to make sure that's the only check box that's selected in the allow column. Then, I'll click okay to save this access control list. I'll close the properties tab, and we've gone ahead and set the product catalog properties correctly. Now, let's restrict access to the employee file, so that only members of the human resources group have access to read and modify this file. I'll go ahead and do the same thing, here.
Properties on employee information, security, and we have this set, now, so only the system and administrators can read it, that's okay. Let's go ahead and add that permission for the human resources group. We'll click the add button, and we'll type Human Resources, here. I happen to know that's the name of a local group on the server. The check button says that's okay. Now, we need to set the permissions properly, and I want users in this group to be able to read and modify, so let's go ahead and alter these permissions.
Notice that when I click modify, write was automatically selected. That's because the write permissions are a subset of the modify permissions. I'll just click okay, here, and close that out after we've done that properly. Then, the last thing I want to do is give the same read and modify permissions on this Accounting Files folder to members of the accounting group. So, for a folder, I just follow that same process. I click properties, security, I'm going to edit this access control list, I want to add a new entry, and this time, it's going to be for the accounting group, so I type that in and click check names, and okay, and then modify is the permission I want them to be able to have.
So, I click modify, verify these permissions are okay, click okay, and I've gone ahead and set the access control settings on this NTFS file system for the business needs of this organization. Linux file systems use a somewhat more complicated set of permissions. Each file or folder belongs to both an individual user and a group. There are two commands use to change the ownership of files and folders. The chown command, short for change owner, changes the user owner of a file or folder.
The chgrp, for change group command, changes the group owner, and we use the chmod command, C-H-M-O-D, short for change mode, to alter the permissions granted to users or groups on files. Linux uses three different permissions for each file, the read permission, abbreviated with an r, write permission, abbreviated with a w, and execute permission, abbreviated with an x, and then uses letter abbreviations for each type of owner, the user owner, abbreviated with a u, the group owner, abbreviated with a g, and all other users, abbreviated with an o.
One quick exam tip for you. Be careful not to confuse the user owner permission, which uses the letter u, and the others permission, which uses the letter o. It's easy to get confused and forget that o means others and not owner. When we want to change Linux file permissions using the chmod command, we use all of these abbreviations. We first use the chmod command, and then add the letter of the ownership type we wish to change permissions for, then the plus sign if we're adding permissions, or the minus sign if we're removing them, followed by the permission letters that we wish to change, and finally, the name of the file or directory that we want to modify.
For example, if we wanted to add read permission for all users to a file named PublicFile, we'd use this command, chmod o, for any user, plus to add permissions, r for read, and then the file name. Let's try this on a real Linux system. Let me first list the contents of this directory, using the ls minus l command, and you can see that there are two files in this directory, PublicFile and PrivateFile. Both of them have a user owner of mchapple, my account name, and a group owner of users.
First, let's use the chown command to change the ownership of one of these files. Let's say I want to give the PublicFile ownership to my friend Carol Adams. I go head and enter sudo, because I need to run this command using root privileges, the chown command, Carol's user ID, cadams, it's the same on the Linux system as it was on the Windows system, and then the name of the file, PublicFile. I'm asked to enter the password to be able to use sudo, and then it executes.
If I go ahead and type ls minus l again, you can see that the PublicFile's owner has now changed to Carol Adams. Next, let's change the group owner of my PrivateFile to a group called Friends. I'm again going to use sudo, here. I'm going to use the change group command. The group name is friends, and the file name is PrivateFile. If I do ls minus l, you can see that the group name for the PrivateFile has now changed to friends.
One quick note, here, you notice when I entered the sudo command a second time, it did not ask me for the password like it did the first time. That's because it's cached and knows that I currently have the ability to use administrative privileges. Finally, let's work with permissions a little bit. If you look at the output of the ls minus l command, you can see that permission here are already set. They're shown as three groups of three letters. This is the first group, the second group, and the third group. They appear in the order r, w, x.
The first group, here, is the permissions for the user owner, the second group is the permissions for the group owner, and the third group are the permissions for everyone else. Where there's a dash instead of a letter indicates that that permission is not currently set. On these files, you can see that the user and group owners have read and write permissions on a file, while other users have no permissions. Let's go ahead and give all users permissions to read the PublicFile. I'm going to use the chmod command, C-H-M-O-D.
I'm going to say others, and I want to add the read permission to PublicFile, and I received an error message, here, because I forgot to use the sudo command. It says chmod changing permissions of PublicFile, operation not permitted. That's because I had changed the ownership of this file from my own user ID to Carol Adams, and I'm not logged in as Carol. If I go ahead and repeat this command, using sudo in front of it this time, it executes successfully, and I can verify using ls minus l, that other users now have read permissions to PublicFile, and those are basic file permissions settings on Windows and Linux systems.
- Building a security team
- Conducting a gap analysis
- Improving personnel security
- File permissions and data encryption
- Cloud computing and virtualization
- Host-based network security controls
- Securing mobile devices
- Choosing encryption algorithms
- Physical and network security
- Biometrics and multifactor authentication
- Development methodologies