Ensure That Permissions on Important Files and Directories Are Minimized
According to the least privilege principle, appropriate minimum access permissions must be correctly set for critical system files, especially those containing sensitive information. Ensure that only users with the required privileges can access these files, and the same requirements apply to the directories. Improper file or directory permissions may lead to sensitive information leakage. For example, configuring access permissions to 644 or looser allows access to all users and may expose files to tampering. Similarly, if a program intended exclusively for root execution is set to 755, any user will be permitted to execute it, thereby introducing privilege escalation risks.
Common files/directories requiring permission control
Common files or directories requiring access control are as follows:
- Executable files (binary files and scripts) and their directories: Improper permission configurations may cause privilege-escalation attacks.
- Configuration files, key files, log files, data files storing sensitive information, temporary files generated during system runtime, and static files: These files may contain sensitive data and privacy data. Improper permission configurations increase information leakage risks.
The basic principles of permission control are as follows.
File Type |
Permission |
|---|---|
User home directory |
750 (rwxr-x---) |
Program files (including script files and library files) |
550 (r-xr-x---) |
Program file directory |
550 (r-xr-x---) |
Configuration file |
640 (rw-r-----) |
Directory for storing configuration files |
750 (rwxr-x---) |
Log files (recorded or archived) |
440 (r--r-----) |
Log files (being recorded) |
640 (rw-r-----) |
Directory for storing log files |
750 (rwxr-x---) |
Debug files |
640 (rw-r-----) |
Directory for storing debug files |
750 (rwxr-x---) |
Directory for storing temporary files |
750 (rwxr-x---) |
Directory for storing maintenance and upgrade files |
770 (rwxrwx---) |
Service data files |
640 (rw-r-----) |
Directory for storing service data files |
750 (rwxr-x---) |
Key component, private key, certificate, and ciphertext file directory |
700 (rwx------) |
Key components, private keys, certificates, and ciphertext data |
600 (rw-------) |
Encryption/Decryption interfaces/scripts |
500 (r-x------) |
According to the principle of least privilege for processes, the system generally uses non-root users to execute tasks. To ensure that these users can properly access necessary directories and files in the Linux system, permissions may be appropriately relaxed for system directories, configuration files, executable files, and certificate files critical to system operations. The suggestions are as follows.
File Type |
Permission |
|---|---|
Directory |
755 (rwxr-xr-x) |
Program files (including script files and library files) |
755 (rwxr-xr-x) |
Configuration file |
644 (rw-r--r--) |
Certificate files (without a private key) |
444 (r--r--r--) |
Recommended permissions for common files that require access control are as follows:
File name |
Permission |
|---|---|
/etc/passwd |
0644 (-rw-r--r--) |
/etc/group |
0644 (-rw-r--r--) |
/etc/shadow |
0000 (----------) |
/etc/gshadow |
0000 (----------) |
/etc/passwd- |
0644 (-rw-r--r--) |
/etc/shadow- |
0000 (----------) |
/etc/group- |
0644 (-rw-r--r--) |
/etc/gshadow- |
0000 (----------) |
/etc/ssh/sshd_config |
0600 (-rw-------) |
- Run the ll or ls -l command to check file permissions (using the test file as an example):
ls -l test
The following is an example.
-rwxr-sr-t. 1 root root 33 Nov 5 14:44 test
- If the permissions do not meet the requirements, run the chmod command to modify them:
chmod 750 test ll test
The following information is displayed.
-rwxr-x---. 1 root root 33 Nov 5 14:44 test