Rate This Document
Findability
Accuracy
Completeness
Readability

Ensure That Permissions on Important Files and Directories Are Minimized

According to the least privilege principle, appropriate minimum access permissions must be correctly set for critical system files, especially those containing sensitive information. Ensure that only users with the required privileges can access these files, and the same requirements apply to the directories. Improper file or directory permissions may lead to sensitive information leakage. For example, configuring access permissions to 644 or looser allows access to all users and may expose files to tampering. Similarly, if a program intended exclusively for root execution is set to 755, any user will be permitted to execute it, thereby introducing privilege escalation risks.

Common files/directories requiring permission control

Common files or directories requiring access control are as follows:

  • Executable files (binary files and scripts) and their directories: Improper permission configurations may cause privilege-escalation attacks.
  • Configuration files, key files, log files, data files storing sensitive information, temporary files generated during system runtime, and static files: These files may contain sensitive data and privacy data. Improper permission configurations increase information leakage risks.

The basic principles of permission control are as follows.

File Type

Permission

User home directory

750 (rwxr-x---)

Program files (including script files and library files)

550 (r-xr-x---)

Program file directory

550 (r-xr-x---)

Configuration file

640 (rw-r-----)

Directory for storing configuration files

750 (rwxr-x---)

Log files (recorded or archived)

440 (r--r-----)

Log files (being recorded)

640 (rw-r-----)

Directory for storing log files

750 (rwxr-x---)

Debug files

640 (rw-r-----)

Directory for storing debug files

750 (rwxr-x---)

Directory for storing temporary files

750 (rwxr-x---)

Directory for storing maintenance and upgrade files

770 (rwxrwx---)

Service data files

640 (rw-r-----)

Directory for storing service data files

750 (rwxr-x---)

Key component, private key, certificate, and ciphertext file directory

700 (rwx------)

Key components, private keys, certificates, and ciphertext data

600 (rw-------)

Encryption/Decryption interfaces/scripts

500 (r-x------)

According to the principle of least privilege for processes, the system generally uses non-root users to execute tasks. To ensure that these users can properly access necessary directories and files in the Linux system, permissions may be appropriately relaxed for system directories, configuration files, executable files, and certificate files critical to system operations. The suggestions are as follows.

File Type

Permission

Directory

755 (rwxr-xr-x)

Program files (including script files and library files)

755 (rwxr-xr-x)

Configuration file

644 (rw-r--r--)

Certificate files (without a private key)

444 (r--r--r--)

Recommended permissions for common files that require access control are as follows:

File name

Permission

/etc/passwd

0644 (-rw-r--r--)

/etc/group

0644 (-rw-r--r--)

/etc/shadow

0000 (----------)

/etc/gshadow

0000 (----------)

/etc/passwd-

0644 (-rw-r--r--)

/etc/shadow-

0000 (----------)

/etc/group-

0644 (-rw-r--r--)

/etc/gshadow-

0000 (----------)

/etc/ssh/sshd_config

0600 (-rw-------)

  1. Run the ll or ls -l command to check file permissions (using the test file as an example):
    ls -l test 

    The following is an example.

    -rwxr-sr-t. 1 root root 33 Nov  5 14:44 test
  2. If the permissions do not meet the requirements, run the chmod command to modify them:
    chmod 750 test 
    ll test 

    The following information is displayed.

    -rwxr-x---. 1 root root 33 Nov  5 14:44 test