Network Security lecture 5: File System Security

Now you know how to implement account security and have established an effective authentication mechanism. Next, we will implement access control in security. Access control must be implemented locally and remotely. Files can be accessed locally or remotely over the network. This course will test the two methods one by one.
Windows NT File System Security
When creating file permissions, you must first implement the Windows NT File System (NTFS). Of course, you can also use the FAT format, but does not support file-level permissions. FAT is used only when it is relatively less secure. Even NTFS cannot be thought of as completely protecting files, as you will see later in the experiment.
Once the NTFS file system format has been implemented, you can use the Windows NT Resource Manager to directly manage file security. You can use NT Resource Manager to Set directory or file permissions. You can assign the following permissions for file-level permissions: Read (R), write (W), execute (X), delete (D), change (P ), obtain ownership (O ). For details, see the following table:
　　
　　
NTFS permission
Directory-based
File-based
Read (R)
Displays the directory name, attributes, owner, and permissions.
Display file data, attributes, owner and permissions
Write (W)
Add files and directories, change an attribute, and display the owner and permissions.
Display the owner and permissions; change the attributes of the file; add data to the file
Run (X)
Display Properties. You can enter the directory to display the owner and permissions.
Displays file attributes, owner, and permissions. If an executable file is running
Delete (D)
Directory to be deleted
Files that can be deleted
Change permission (P)
Change directory permissions
Change File Permissions
Ownership acquisition (O)
Obtain directory ownership
Obtain File Ownership
To simplify permission management, NT has several criteria related to permissions. When assigning permissions, you usually use the permissions in combination instead of using separate permissions. These permissions are shown in the following table:
　　
　　
　　
Standard Permissions
Directory-based
File-based
Inaccessible
None
None
List
RX
Not applicable
Read
RX
RX
Add
WX
Not applicable
Add and read
RWS
RX
Change
RWXD
RWXD
Full Control
ALL
ALL
Based on these permissions, you can achieve access control as needed. However, it is difficult to determine what is the minimum permission you need. Let's review the first lesson about a new NTFS partition. By default, the everyone group has full control permissions. This standard is unacceptable. If you do not delete the everyone group or grant inaccessible permissions to the everyone group anywhere, your NT installation may be damaged. The Everyone group must be able to access the main system directories (such as login Directories) so that users can connect to and log on to the server. Because the user has not been authenticated during the login process, you must use the everyone group to provide access so that they can be authenticated. Granting access to the everyone group is more dangerous because deny access takes precedence over allow access, and all users belong to the everyone group. In this way, access to the file system is completely blocked.
The permission allocation of directories is the same as that of files. The directory permission affects the files created in the directory. In other words, any newly created file inherits the permission of this directory.
Disk Partition
　　
Because the operating system directory permissions are very strict, it is wise to place Windows NT in your own separate partition. Installing only Windows NT on this partition without installing applications makes management tasks much easier. A disk partition may look like this.
Operating System
Program file
Data
Although this type of partition requires additional planning, it is still very attractive, especially to simplify the management of directory permissions. Directories can be separated as needed. If you are running a device such as a WEB server, you may consider using HTML, images, and other static files in one partition, while your script file is placed in another partition. You can set the script to only execute those static files that can be read. The result of this policy is the ease of permission to manage files and directories.
Copy and move files
Finally, you need to understand what happened when the file was copied and moved. When an object is copied to a new directory, the object inherits the permissions of the target directory. The process is complex when the file is moved. If a file is moved from one directory to another in the same partition, the permissions of the file are retained. When files are moved in the same partition, Windows NT updates the directory allocation table for the location of the new directory. When a file is moved in two different intervals, Windows NT first copies the file to a new location. After the file is successfully copied, Windows NTG deletes the original file. After a new file is created, it inherits the permissions of the target directory.
Remote File Access Control
Remote access to a file or directory is provided by sharing permissions. Sharing is the network access point for remote users to access files. When configuring these shares, you need to set the corresponding permissions. Apps with shared permissions are similar to those with permissions on NTFS. The main difference is that shared permissions do not have fine-grained permission settings. You can only assign inaccessible, read, change, and full control permissions. See the following table.
　　
　　
　　
Permission
Allow
Full Control
Change the permission of the file; obtain the ownership of the file on the NTFS Volume;
Can complete all tasks that have the permission to change.
　　
Change
Create a directory and add a file; change the data in the file; change the properties of the file;
Delete directories and files; complete all tasks with read permission
　　
Read
Display directory and file name; display file data and properties; run Application Files
You can go to another directory in the directory
　　
Inaccessible
Only connections can be established with the shared directory. access is denied and the contents in the directory are invisible.
Share permissions and share points must be carefully allocated. Because the permission is only assigned to the sharing point, all files or directories under any sharing point are accessed with the same permissions as the sharing point itself.
Use both local and remote Permissions
Windows NT permissions are designed to use both NTFS and shared permissions. Because Windows NT is designed as a server, users seldom access files directly. Of course, shared security is far from enough for higher security, so both sharing and remote use are required. When you use shared and NTFS permissions in combination, the strictest permissions of the two are preferred.
UNIX File System Security
In the UNIX field, all information is stored in a file and has a related name. A file is stored in a directory, but UNIX still regards it as a file. This lesson focuses on how UNIX file systems handle permissions. These permissions control what users can access and how to access them. File systems are the most basic method to enforce UNIX system security.
| File format in UNIX
　　
UNIX reads and writes files in a tree structure. Many years ago, the UXNI File System Supported long file names and directory names. All files have I-nodes or connection points. They contain all the statistics and logistics information of a file. Some data includes:
· File type
· Size (in bytes)
· Reference count. If there are other files with different names that are actually the same (called linked files)
· Drop address list indicator
· Timestamp. For example, the last time the file was accessed, the last time the file content was modified, and so on ..
· Security-related fields: UID and GID of the file owner
· File access permissions or bits, also known as Mode bits.
The Ls command is the most common UNIX Command Used to view the permissions of files and directories.
The first command ls-ld. it means to list when. normally. is the current directory. In this example, the user automatically logs in to his/her main directory, while in the command. is the meaning of the current directory
The command output result is described in the table below.
　　
　　
　　
Output symbol
　　
Description
　　
D
　　
Indicates the Directory
　　
R
　　
The owner can read and access
　　
W
　　
Owner has write permission
　　
X
　　
Owner has permission to search and execute Directories
　　

R
　　
The user in the group that the owner belongs to has the permission to read and access the database (in this example, the account is a staff group)
　　
-
　　
The owner's group does not have the write permission.
　　
X
　　
The owner's group has the permission to search and execute directories.
　　
R
　　
Other users have read permission (anyone)
　　
-
　　
Other users do not have write permission
　　
X
　　
Other users have permission to search and execute directories.
　　
4
　　
Reference count
　　
Test
　　
Owner's login name
　　
Staff
　　
Group Name of the owner user
　　
512
　　
Directory size (in bytes)
　　
Time Stamp
　　
Date of last size change
　　
08:41
　　
Time of Change
　　
.
　　
All the file names of the information

[NextPage]
The second command ls-la. bashrc_profile outputs information about the user configuration file. Its components are shown in the table below.
　　
　　
　　
Range value
　　
Description
　　
-
　　
Common File
　　
R
　　
Owner has read access permission
　　
W
　　
Owner has write permission
　　
-
　　
The owner has no execution permission.
　　
R
　　
The group of the owner has the read permission.
　　
-
　　
The owner's group does not have the write permission.
　　
-
　　
No group has the execution permission.
　　
R
　　
Other users have read permission (anyone)
　　

-
　　
Other users have write permission
　　
-
　　
Other users have no execution permission
　　
230
　　
File Size
　　
Time Stamp
　　
The date when the file was created.
The third command ls-la 123 lists the permissions of a common file. This file is called 123 here. The ls command is usually used to list the special permissions of the owner and other users on the file.
The fourth command ls-l/etc/rc. d/init. d/linuxconf lists the permissions of linux's important configuration file linuxconf. Table 3-6
　　
　　
　　
File