Administrator's Guide

By default, the initial set of read and write permissions for files and directories is determined by the creator's umask value. To change the default file permissions, use the umask command. See umask(1).

Each bit that is set in the file mode creation mask causes the corresponding permission bit in the file mode to be cleared (disabled). Conversely, bits that are clear in the mask allow the corresponding file mode bits to be enabled in newly created files. For example, a umask of octal 022 corresponds to the symbolic mask u=rwx, g=rx, o=rx, which disables group and other write permissions.
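The following script is an added example, not part of the guide, that shows the bit-clearing rule in two ways: mode_after_umask applies a mask to the mode a program requests (666 for a plain file created with creat(2), 777 for a directory created with mkdir(1)), and created_modes actually creates a file and a directory under a given umask in a scratch directory and reports the resulting ls(1) mode strings. The function names and the scratch directory under TMPDIR are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide): how umask clears permission bits.

# mode_after_umask BASE MASK prints the octal mode left after the mask is
# applied to the requested mode BASE. Each bit set in MASK clears the same
# bit in BASE; bits clear in MASK leave BASE untouched.
mode_after_umask() {
    base=$1
    mask=$2
    printf '%o\n' $(( 0$base & ~0$mask ))
}

# created_modes MASK creates a plain file and a directory under umask MASK in
# a scratch directory and prints their ls(1) mode strings, file first.
created_modes() {
    mask=$1
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/umaskdemo.XXXXXX") || return 1
    # A subshell keeps the umask change from leaking into the caller.
    ( umask "$mask" && : > "$scratch/file" && mkdir "$scratch/dir" ) || return 1
    # The first ten characters of ls -ld are the type and permission bits;
    # cut also drops any trailing ACL or security-context marker.
    ls -ld "$scratch/file" | cut -c1-10
    ls -ld "$scratch/dir" | cut -c1-10
    rm -rf "$scratch"
}

# Show the arithmetic for three common masks, then the real thing for 022.
for m in 022 027 077; do
    printf 'umask %s: file %s, directory %s\n' "$m" \
        "$(mode_after_umask 666 "$m")" "$(mode_after_umask 777 "$m")"
done
created_modes 022
```

With umask 022 the file comes out -rw-r--r-- (644) and the directory drwxr-xr-x (755); with 077 nothing outside the owner's bits survives (600 and 700), which is the setting to prefer for private directories.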
5.1.2 Setting File Ownership
The chown command changes file ownership. To change the owner, you must own the
file or have the appropriate privileges.
The chgrp command changes file group ownership. To change the group, you must
own the file or have the appropriate privileges.
For more information, see chown(1) and chgrp(1).
5.1.3 Protecting Directories
Normally, if a directory is writable either through standard permissions or through ACLs, anyone can remove the files in the directory, regardless of the permissions on the files themselves. To protect against unwanted file deletions in a directory:

Remove write permissions for directories that should not have them.

This is particularly effective for users' private directories. The following command allows others to read and search the mydir directory, but only the owner can delete files from it:

# chmod 755 mydir

See chmod(1) and chmod(2).
Set the sticky bit on the directory.

The sticky bit is a special bit in the mode of every file. Setting the sticky bit prevents users from removing other users' files from that directory. Setting the sticky bit for a directory allows only the owner of the file, the owner of the directory, or a user with the appropriate privileges to delete or to rename the files.

This is effective for temporary or project directories (such as /tmp and /var/tmp) that must be accessible to many authorized users. The following command allows anyone to create, read, and write files in /mfgproj, but only the file owner, the directory owner, or a user with the appropriate privileges can delete files:

# chmod a+rwxt /mfgproj
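As an added example (not from the guide), the script below turns the two recipes above into a defender's audit: unprotected_dirs lists every directory under a root that is world-writable but lacks the sticky bit, exactly the directories in which one user can delete another's files, and protect_shared_dir applies the guide's chmod a+rwxt fix. The demo function builds a scratch tree with a 755 private directory, a 777 shared directory and a 1777 shared directory so the audit can be exercised without touching real system paths; the function names and the scratch tree are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide): find shared directories that allow
# any user to remove other users' files, and apply the sticky-bit fix.

# unprotected_dirs ROOT prints each directory under ROOT that others can
# write to (-perm -002) but that lacks the sticky bit (octal 01000).
unprotected_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 -print
}

# protect_shared_dir DIR applies the guide's recipe: everyone may create,
# read and write, but only the file or directory owner may delete.
protect_shared_dir() {
    chmod a+rwxt "$1"
}

# mode_of PATH prints the ls(1) type and permission string, e.g. drwxrwxrwt.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# demo creates a scratch tree (constructed for this example), runs the audit,
# fixes what it finds, and prints one summary line:
#   before=<dirs flagged> after=<count still flagged> mode=<mode of fixed dir>
demo() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/stickydemo.XXXXXX") || return 1
    mkdir "$root/private" "$root/shared_bad" "$root/shared_ok"
    chmod 755 "$root/private"       # only the owner can delete files here
    chmod 777 "$root/shared_bad"    # world-writable, no sticky bit: flagged
    chmod 1777 "$root/shared_ok"    # world-writable with sticky bit: fine

    before=$(unprotected_dirs "$root" | sed "s|^$root/||" | sort | tr '\n' ',')
    # Read paths line by line so names with spaces are handled correctly.
    unprotected_dirs "$root" | while read -r d; do protect_shared_dir "$d"; done
    after=$(unprotected_dirs "$root" | wc -l | tr -d ' ')

    printf 'before=%s after=%s mode=%s\n' \
        "${before%,}" "$after" "$(mode_of "$root/shared_bad")"
    rm -rf "$root"
}

demo
```

Run unprotected_dirs against a real root (for example / or /var) to review shared directories before changing anything: a world-writable directory without the sticky bit is not always wrong, but each one deserves either the sticky bit or the removal of write permission for others, as the guide recommends.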
Setting the sticky bit is important for directories that are used for temporary files. In
the event that a temporary directory is not set to sticky, an attacker may alter the
expected behavior of user programs by waiting for a temporary file to be created
5.1 Controlling File Access 89