Manualshelf

User's Manual

ManualsBrandsSolaris ManualsSoftwareCX-310-301
51525354555657585960
Solaris 9 Security CX-310-301 58
¾ An attacker can gain valuable information about the system which can be used later to aid further
attacks
¾ Files can be accidentally deleted or corrupted by legitimate users
¾ Sensitive management information could potentially be read by employees
¾ Customer confidence in the organization can suffer greatly if data is exposed in the public domain
¾ An organization might be vulnerable to prosecution if data protection legislation is deemed to have
been breached through mis-management of customer information held on a system with lax
permissions
Permissions can be made more secure by applying a more restrictive umask on a system wide basis. The
standard umask of 022 only restricts “group” and “other” categories from writing. If a umask of 027 is
implemented, then the “other” category will have no access at all, by default.
Access Control Lists (ACL)
Access Control Lists provide a much finer level of control over file permissions. The standard Unix
permissions are sometimes not enough to do what you want, so ACLs allow permissions to be set on a per-
user basis or allow other groups access to files without having to give access to everybody.
ACL entries are applied to files using:
¾ setfacl – to establish, modify or delete an ACL – as well as an option recalculate the ACL mask
¾ getfacl – to list the details of an ACL
Identifying an ACL
The simplest method of identifying that an ACL has been placed on a file is run a long listing, using ls.
The following two listings show the file testfile before and after an ACL has been applied to the file:
# ls –l testfile
-rwxr----- 1 johnp johnp 252 Apr 12 15:41 testfile
# ls –l testfile
-rwxr-----+ 1 johnp johnp 252 Apr 12 15:43 testfile
Notice the addition of a “+” character. It is this that indicates an ACL is present.