If you’re planning to take the SY0-501 exam, you should have a good understanding of file system security as a method of protecting data. This includes understanding Linux systems that support GNU Privacy Guard (GnuPG or GPG), which is a command-line tool used to encrypt and decrypt files with a password.
For example, can you answer this practice test question?
Q. Lisa has created an application on her development computer. She wants to test it on a Linux-based computer she commonly uses for testing. However, she wants to ensure it is isolated when she tests it. Which of the following is the BEST solution to meet her needs?
A. Use chroot.
B. Sideload the application.
C. Use FDE.
D. Use chmod.
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Permission Issues and Access Violations
A common security issue with permissions is giving users more permissions than they need. The principle of least privilege is a core security principle. In short, it means that users are given only the rights and permissions they need to do their job, and no more. When users have more permissions than they need, they can accidentally, or maliciously, cause problems.
An access violation occurs if users access materials that they shouldn’t. As an example, imagine that Bart is a help-desk technician. During a review of logs, security administrators discover that Bart has accessed payroll data though he has no business looking at this data. This is an access violation and should be investigated. A primary objective of security investigators is to discover how Bart accessed the materials.
Linux Permissions
CompTIA has been adding more questions about Linux, so you should understand some basics about Linux permissions. There are three primary entities to which you can assign permissions within Linux. They are:
- Owner. This is a user who owns the file or directory and the owner is typically granted all permissions for the file or directory.
- Group. The file can also be owned by a named group. Members of this group are granted specific permissions for the file or directory. These permissions are typically less than the permissions applied to the owner.
- Others. You can think of this as everyone else. Permissions applied here do not override the Owner or Group permissions.
In addition to understanding who you can assign permissions to, it’s also important to understand the basic Linux permissions. These may be represented as letters (r, w, and x) or as numbers. They are:
- Read (r). This allows you to view the file and is represented with the number 4.
- Write (w). This allows you to modify the file and is represented with the number 2.
- Execute (x). This allows you to run the file (assuming it is an application) and is represented with the number 1.
If a permission is not assigned, you’ll see it represented as a dash. It’s also possible to assign multiple permissions, such as Read and Execute; Read and Write; and Read, Write, and Execute. The following bullets show the numbers used to represent combined permissions:
- 5 indicates Read (4) + Execute (1)
- 6 indicates Read (4) + Write (2)
- 7 indicates Read (4) + Write (2) + Execute (1)
The following table shows how these Linux permission types are often displayed in a file access control list (FACL). Each line represents the FACL for a different file.

| File | Owner | Group | Others |
|---|---|---|---|
| Success.exe | rwx | rw- | --- |
| Study.docx | rwx | rw- | r-- |
| UCanPass.exe | rwx | r-x | r-x |

Looking at the table, you can see that the following permissions are assigned to the different entities:
- Success.exe. Owner has read, write, and execute permissions (rwx), Group has read and write permissions (rw-), and other users have no permissions (---).
- Study.docx. Owner has read, write, and execute permissions (rwx), Group has read and write permissions (rw-), and other users have read permission (r--).
- UCanPass.exe. Owner has read, write, and execute permissions (rwx), Group has read and execute permissions (r-x), and other users have read and execute permissions (r-x).
This table shows these same permissions represented as numbers.

| File | Owner | Group | Others | Numeric mode |
|---|---|---|---|---|
| Success.exe | 7 | 6 | 0 | 760 |
| Study.docx | 7 | 6 | 4 | 764 |
| UCanPass.exe | 7 | 5 | 5 | 755 |
Administrators typically use the chmod command (short for change mode) to change permissions on files. As an example, imagine that a file named Success.exe currently has its permissions set to 760 (rwx rw- ---), but you want to change the permissions to 755 (rwx r-x r-x). You could use the following command (note that Linux file names are case-sensitive, so the name must match exactly):
chmod 755 Success.exe
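To make the letter-to-number mapping concrete, here is an added Python example (not part of the original post) that converts a nine-character FACL string such as rwxrw---- to its numeric mode and back, applies the page's chmod 760 to 755 change to a temporary file named Success.exe, and runs a simple least-privilege check against a hypothetical policy of 750 (others get nothing). The policy value and the audit helper are assumptions for illustration.

```python
import os
import stat
import tempfile

# Numeric weight of each permission letter, as the page lists them: r=4, w=2, x=1.
_WEIGHTS = {"r": 4, "w": 2, "x": 1}

def symbolic_to_octal(sym: str) -> int:
    """Convert a 9-character FACL string such as 'rwxrw----' to an int like 0o760."""
    if len(sym) != 9:
        raise ValueError("expected nine characters: owner, group, others")
    mode = 0
    for i, ch in enumerate(sym):
        if ch == "rwx"[i % 3]:
            mode |= _WEIGHTS[ch] << (3 * (2 - i // 3))  # owner<<6, group<<3, others<<0
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return mode

def octal_to_symbolic(mode: int) -> str:
    """Render the low nine mode bits as 'rwxr-xr-x' style text, the way ls -l does."""
    out = []
    for shift in (6, 3, 0):
        triad = (mode >> shift) & 0o7
        out.append("".join(ch if triad & w else "-" for ch, w in _WEIGHTS.items()))
    return "".join(out)

def excess_bits(mode: int, allowed: int) -> int:
    """Least-privilege check: bits set in 'mode' beyond 'allowed' (0 means compliant)."""
    return stat.S_IMODE(mode) & ~allowed

def set_and_verify(path: str, mode: int) -> str:
    """Apply chmod and read the permissions back from the file system."""
    os.chmod(path, mode)
    return octal_to_symbolic(stat.S_IMODE(os.stat(path).st_mode))

def run_demo() -> tuple:
    """Replay the page's example: Success.exe goes from 760 to 755, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        f = os.path.join(tmp, "Success.exe")  # file name taken from the page's table
        open(f, "w").close()
        before = set_and_verify(f, symbolic_to_octal("rwxrw----"))  # 760
        after = set_and_verify(f, 0o755)                             # chmod 755
        # Hypothetical policy: others should have no access at all (allowed mode 750).
        excess = excess_bits(os.stat(f).st_mode, 0o750)
    return before, after, excess

if __name__ == "__main__":
    print(run_demo())  # ('rwxrw----', 'rwxr-xr-x', 5): others gained read and execute
```

The non-zero excess value (5 = read + execute for others) is exactly the kind of over-permission that the principle of least privilege says to remove.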
Windows Permissions
Windows file and folder permissions are a little easier to understand because they are assigned by just pointing and clicking. For example, to modify the permissions for a file or folder, an administrator would right-click the file within File Explorer, select the Security tab, and modify the permissions. The following list shows the basic Windows permissions:
- Read. Users granted read permission can view the contents of a file or folder.
- Read & Execute. Users granted the Read & Execute permission have Read permission and they can also run or execute programs.
- Write. Users can create new files and folders, and they can also make changes to existing files and folders. This would typically be assigned with Read permission.
- Modify. When granted the Modify permission to a file or a folder, a user can read, execute, write, and delete files and folders. The primary addition is the ability to delete files and folders.
Q. Lisa has created an application on her development computer. She wants to test it on a Linux-based computer she commonly uses for testing. However, she wants to ensure it is isolated when she tests it. Which of the following is the BEST solution to meet her needs?
A. Use chroot.
B. Sideload the application.
C. Use FDE.
D. Use chmod.
The answer is A. The best answer of the available choices is to use the chroot command to isolate the application within a sandbox.
Sideloading is the process of copying an application to a mobile device, not a Linux-based computer.
Full disk encryption (FDE) is associated with mobile devices and would not isolate an application.
The chmod command is used to change permissions on a Linux system.
See Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on protecting data.