Before you start:

Help - if you have a technical issue with this lab, please contact the IST Helpdesk

Important - Please look at the "Report" section below to see what is required of you before starting, so you will know what you need to document as you work through this lab.

Hands-on Lab: Understanding Linux

Understanding Linux File System Access Control

The Security Mindset

The essence of secure information is the principle of least privilege. When you build a system, it is important to only let those who need information have access. This will save you and your organization time, money, and stress while causing hackers and malicious insiders considerable difficulty. The way to do this is to assign users into groups and assign permissions to individual files to only the groups that need them to do their jobs. In the case of more sensitive information, only the individuals that have the need should have the access.

While for most organizations a security failure is not a matter of life and death, it is usually a best practice to behave like it is. While loose lips might not sink ships, they could cause a drop in stock price, embarrassment, and possible bankruptcy. Does the sales team need to know human resource records? Of course not. Does the CEO need access to the human resources records? She might think so, but it is more secure for her to have an HR director get them for her. The length of time information can be kept secret is based mainly on how many people know it. With sensitive HR data, it is best that as few people as possible have access to it. It is best that the CEO deal with the minor inconvenience to help keep personal data secure. When personally identifiable information gets exposed, not only is it embarrassing to read about in the papers, but notification and exposure to civil litigation make the balance sheet and the career prospects of the security administrator look pretty bad.

The key is to assign folder permissions to groups and individuals based on their roles in the organization. Both Active Directory and Linux allow for setting group and individual permissions.

Objectives

In this lab, you will:

Assign permissions to files and directories

Understand the principle of least privilege and Role-Based Access Control

Scenario

You are a security administrator. Your job is to make sure only the people who need to know have access to sensitive information.

The Linux File System

The Linux file system is organized differently than the Windows file system. Where the Windows file system was designed for ease of use, the Linux file system was designed for security and adaptability. Where Windows keeps everything arranged under a few basic directories, Linux compartmentalizes itself into several basic folders.

/BIN - Executables

/SBIN - Executables available to the Root user

/BOOT - The Kernel and boot files

/DEV - Device drivers and special device files

/ETC - System Configuration files

/HOME - Users Home Directories

/INITRD - Information for Booting; Cron jobs

/OPT - Third party software

/MNT - the location the system mounts your external file systems. i.e. CDROM, USB

/ROOT - The Home Directory of the Root user

/TMP - Temporary space used by the system

/VAR - Storage of variable and temporary files

Task 1: Navigating the Linux File System

Navigating the Linux file system requires two commands: ls and cd.

"ls" stands for list. It shows you the contents of the directory you are currently in. "cd" stands for change directory and allows you to move from directory to directory.

Log in to VHOL and select your SRA221 Unified - Ubuntu virtual machine. Log in to the administrator account (the password is password). Open a terminal window by clicking on the Dash Home icon in the upper left corner of the screen. It is at the top of the icon bar. Then type terminal (without quotes) into the search area. Then click on the terminal icon to open the command line interface. (Note: if this does not work, just follow the pathway Applications -- Accessories -- Terminal to open the terminal.)

To learn about the usage of any Linux command, type in the command man followed by the command in question. For example, "man ls" gives you a listing of all of the options of the command. Type in man ls and peruse the options. Type q when done.

Type in ls -al (This lists everything in a folder and displays it in the long format).

We will now examine the parts of one line of the long listing. Each field of the line is described below, from left to right.

-rw-rw-r-- # user group file-size date file-name

The first character (-) is a description of the type of item. - indicates a regular file, and d indicates a directory.

The next three characters (rw-) assign the permissions for the owner of the file.

The next three characters (rw-) assign the permissions for the group.

The next three characters (r--) assign the permissions for everyone else.

The # symbol is a number that shows the number of hard links a file or directory has.

User shows the user that owns the file or directory.

Group shows the group to which the owner belongs.

File-size gives the size in bytes or the size of the directory, not the total size of the directory's contents.

Date gives the date and time the file was last modified.

File-name is the name of the file or directory.

The letters used in the permissions area to show what permissions are granted are:

r - permission to read the file.
w - permission to write or delete the file.
x - allows the user to execute the file if it is executable.
X - not a permission in itself but can be used instead of x. It applies execute permissions to directories regardless of their current permissions settings and applies execute permissions to a file that already has at least one execute permission bit already set. [Wikipedia]
s - sets the setuid and the setgid settings.
t - the sticky bit. It tells the machine to keep a record of the text of the program after the process exits so it can be run again, faster.

Type in the command cd /usr/bin

This will move you to the bin folder in the usr directory.

Sometimes the directory listing is too large to be viewed at once, and you need to make it more manageable. Type in the command ls -al p*

This command produces the long listing for the current directory, but only for the files and directories whose names start with p.

Type in cd /

This will move you to the root directory.

Task 2: the CHMOD command

Let's create a small bash script to experiment on. Type the command sudo gedit myscript and enter the password "password" where it asks.

The gedit window will open, and on the top line type echo Hello World!

Go to File > Save to save the file.

Go back to the terminal window. Type the command ./myscript

It should not function because it isn't set as executable. Type ls -l myscript (The command above is a lower-case L, not a number 1.) What permissions are set for this file?

Chmod is a pretty simple command. It allows you to set permissions to files and directories very precisely and at a granular level. For a complete description of chmod and all of its uses, type man chmod

Chmod assigns permissions using a three-digit number. The first number assigns the permission for the owner, the second assigns permission for the group, and the third for everyone else. CHMOD assigns numeric values to the Read, Write, and Execute permissions as follows:

Read: 4

Write: 2

Execute: 1

Here are the numbers for files and directories and their values:

decimal      permission                 rwx   representation
0 (0+0+0)    none                       000   ---
1 (0+0+1)    execute only               001   --x
2 (0+2+0)    write only                 010   -w-
3 (0+2+1)    write and execute          011   -wx
4 (4+0+0)    read only                  100   r--
5 (4+0+1)    read and execute           101   r-x
6 (4+2+0)    read and write             110   rw-
7 (4+2+1)    read, write and execute    111   rwx

Type the command:

sudo chmod 755 myscript

By using this command you are giving full control (7) to the owner, and read and execute permissions to the group (the first 5) and everyone else (the second 5).

Now type the command:

./myscript

The script should run and say "Hello World!"
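The link between the permission string from Task 1 and the chmod digits from Task 2 can be checked mechanically. The following is an added example, not part of the lab handout; the function names are hypothetical, and it goes slightly beyond the table above by also handling the s and t letters as a leading fourth digit.

```shell
#!/bin/sh
# Added example (not part of the lab handout): translate the permission
# string printed by "ls -l" into the numeric form that chmod accepts.

# triad_value "r-x" -> 5. r=4, w=2; x, s and t each count as execute (1).
# Upper-case S/T mean the special bit is set without execute, so they add 0.
triad_value() (
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
)

# mode_to_octal "-rwxr-xr-x" -> 755. A leading fourth digit is printed only
# when setuid (4), setgid (2) or the sticky bit (1) is present.
mode_to_octal() (
    m=$1
    [ "${#m}" -ge 10 ] || { echo "bad mode string: $m" >&2; exit 1; }
    u=$(printf '%s' "$m" | cut -c2-4)
    g=$(printf '%s' "$m" | cut -c5-7)
    o=$(printf '%s' "$m" | cut -c8-10)
    special=0
    case "$u" in ??[sS]) special=$((special + 4)) ;; esac
    case "$g" in ??[sS]) special=$((special + 2)) ;; esac
    case "$o" in ??[tT]) special=$((special + 1)) ;; esac
    digits="$(triad_value "$u")$(triad_value "$g")$(triad_value "$o")"
    if [ "$special" -gt 0 ]; then
        echo "${special}${digits}"
    else
        echo "$digits"
    fi
)

# others_have_access MODE: succeeds when "everyone else" holds any of r, w, x,
# which is what a least-privilege review of a sensitive file looks for.
others_have_access() (
    o=$(printf '%s' "$1" | cut -c8-10)
    [ "$(triad_value "$o")" -gt 0 ]
)

# Constructed sample mode strings in the lab's "ls -l" layout.
for mode in -rw-rw-r-- -rwxr-xr-x drwxrwx--- -rwsr-xr-x drwxrwxrwt; do
    printf '%s  %s\n' "$mode" "$(mode_to_octal "$mode")"
done
```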

Task 3: Setting Permissions

Now that we have the basics of setting permissions, let's give it a try.

First, create new users. Type:

$ sudo useradd -m Gina

$ sudo useradd -m Bill

Set Gina's password with the passwd command:

$ sudo passwd Gina

You will be prompted to enter a password. Type a password of your choice at each prompt. Repeat the process for Bill. Remember to write down the passwords you choose so you don't forget them.

Typing the following command will grant you root access and eliminate the need to type sudo before each command. Type:

$ sudo su

You will notice that the $ that precedes your argument is now a #. This indicates that you are working as root.

Next, add a group. Type: # groupadd sales

Now create a directory for the sales group. Type: # mkdir sales

Move your script into the sales folder: # mv myscript ./sales

Set the group of the sales folder to sales. Type: # chown :sales sales/

Add Gina to the sales group: # usermod Gina -g sales

Set Gina as owner and sales as the group of the sales folder and the myscript file using the chown command:

# chown Gina:sales ./sales/myscript

# chown Gina:sales ./sales

(omitting the ./ is also valid in this instance because you are already working in the folder above sales)

Set the permissions for the folder with chmod: # chmod 770 ./sales

Check your work by entering: # ls -al ./sales

Log out as administrator and log in as Gina (like what you do in Windows by switching users). You can also use the command line in Terminal. Log out of the root account by typing:

# exit

Then type:

$ su -- Gina

You will get prompted to type the password that you set for Gina's account. After entering that, you will be logged in as Gina. You can check the permissions that you set by typing:

$ cd sales (This will move you into the sales directory.)

$ ./myscript

What do you see? Can you open the sales folder? Can you run the script?

With these techniques and commands, you can set the permissions on files and directories very granularly. That way, if an employee goes rogue or their account is compromised, the amount of damage they can do is limited to only the material to which they have access.
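After Task 3 the sales folder is 770, but myscript inside it still carries the 755 mode from Task 2, so only the folder's mode keeps everyone else away from the script. The following added example, not part of the lab handout, reviews a shared folder for that situation; the function name and finding labels are hypothetical, it assumes GNU stat, and it goes beyond the lab by also checking the entries inside the folder.

```shell
#!/bin/sh
# Added example (not part of the lab handout): review a shared directory such
# as the lab's "sales" folder against least privilege. Assumes GNU stat.

# audit_shared_dir DIR GROUP
# Prints one finding per line; prints nothing when the directory is tight.
#   GROUP       directory is not owned by the expected group
#   DIR-OTHER   "everyone else" has some permission on the directory itself
#   FILE-OTHER  an entry inside grants r, w or x to everyone else; only the
#               directory's own mode keeps it out of reach
audit_shared_dir() (
    dir=$1
    want_group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }

    mode=$(stat -c '%a' "$dir")     # e.g. 770
    group=$(stat -c '%G' "$dir")    # e.g. sales
    [ "$group" = "$want_group" ] || echo "GROUP $dir is $group, expected $want_group"

    # The last octal digit is the "everyone else" triad.
    other=$((mode % 10))
    [ "$other" -eq 0 ] || echo "DIR-OTHER $dir mode $mode"

    # Symbolic links always show rwxrwxrwx, so they are skipped.
    find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
    while IFS= read -r path; do
        [ "$path" = "$dir" ] && continue
        echo "FILE-OTHER $path mode $(stat -c '%a' "$path")"
    done
)

# Constructed demo: a 770 directory holding a 755 script, as in Task 3.
demo=$(mktemp -d) && chmod 770 "$demo"
echo 'echo Hello World!' > "$demo/myscript" && chmod 755 "$demo/myscript"
audit_shared_dir "$demo" "$(stat -c '%G' "$demo")"
rm -rf "$demo"
```

On the lab machine the equivalent call would be audit_shared_dir ./sales sales, run from the folder above sales.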

Understanding Linux Report

Clearly state your results of this project. You are expected to hand in a report in the following format:

A Cover Page including:

Lab title "Understanding Linux"

Course, section number, and instructor name

Your name and PSU email address

Use double-spaced typing for convenient grading

Number pages. Size 12 font. Single column format.

Save the Microsoft Word document (.doc or .docx) with your name in the title. Upload the document to the appropriate submission area specified by your instructor.

The report should have the following sections. Each section should cover all the topics described below (You do not need to itemize each topic). Take screenshots if necessary:

Section I: Introduction

You should describe the goal and motivation of this project. In addition to what has been stated in the project instruction, please explain your own expectations of this project.

Section II: Task 1 - Navigating the Linux File system

You should cover the following parts:

Briefly describe the Linux operating system.

Describe the commands you tried (e.g. cd, man, ls), their main functionality, and their most important options. Provide screenshots of two commands.

Section III: Task 2 - the CHMOD command

You should cover the following parts:

Briefly describe CHMOD.

Provide screenshots of your Hello World! script.

Section IV: Task 3 - Setting Permissions

You should cover the following parts:

Provide screenshots (and comment on them) of Step 1 and Step 4.

Answer the questions at Step 11. Provide a screenshot showing what happens when you log in as Bill.

Section V: Conclusion

This part should describe your activities in this project.

Note

If you worked in a group, you will each write your own report, but be sure to include the names of all the group members and all their email addresses. Submit your report to the corresponding Canvas assignment in your course by the due date and time specified there. Late submissions will be issued a grade deduction especially if permission is not obtained from your instructor. Your instructor reserves the right to grant or reject extra time for report completion.

PLEASE SHUT DOWN YOUR VIRTUAL MACHINE WHEN YOU ARE FINISHED.

The ENEMY Is listening He wants to know what you know KEEP IT TO YOURSELF
