Administrator's Guide

5 File System Security
This chapter explains file system security. Before you read this chapter, you should have
a basic understanding of files and file systems.
Because data is stored in files, it is important to understand how to protect them. This
chapter discusses the following topics:
Controlling file access (Section 5.1)
Setting access control lists (Section 5.2)
Using HFS ACLs (Section 5.3)
Using JFS ACLs (Section 5.4)
Comparison of JFS and HFS ACLs (Section 5.5)
ACLs and NFS (Section 5.6)
Security considerations for /dev device special files (Section 5.7)
Protecting disk partitions and logical volumes (Section 5.8)
Security guidelines for mounting and unmounting file systems (Section 5.9)
Controlling file security on a network (Section 5.10)
5.1 Controlling File Access
Working groups, file permissions, file ownership, and compartment rules determine who
can access a given file. The simplest of the file access rules are standard UNIX file
permissions.
You can divide users into groups so that files owned by the group can be shared within
the group and can be protected from outsiders.
The traditional UNIX file permissions are displayed using the ls command with the -l
flag. The permissions indicate what kind of access (that is, the ability to read, write, and
execute) is granted to the owner and groups on your system. Traditional UNIX file
protections allow some control over who can access your files and directories, but they
do not allow you to define access for individual users and groups beyond the owning
user and the owning group. The following is a brief review of UNIX file permissions.
Each file and each directory has nine permissions associated with it. Files and directories
have the following three types of permissions:
r (read)
w (write)
x (execute)
These three permissions occur for each of the following three classes of users:
u (user/owner)
g (group)
o (all others; also known as world)
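
The following POSIX shell functions are an added example, not part of the original guide. They split the mode string printed by ls -l into the three classes above and flag files that others (world) can write. The function names mode_of, class_perms, has_perm, and report are assumptions made for this example.

```shell
#!/bin/sh
# Added example: decode the nine permission characters shown by `ls -l`.
# All function names here are hypothetical, chosen for this illustration.

# mode_of FILE: print the 10-character mode string, e.g. "-rw-r-----".
# Anything a system prints after the nine permissions is cut off.
mode_of() {
    listing=$(ls -ld -- "$1") || return 1
    printf '%s\n' "$listing" | cut -c1-10
}

# class_perms MODE CLASS: print the three characters for class u, g or o.
class_perms() {
    case $2 in
        u) printf '%s\n' "$1" | cut -c2-4 ;;
        g) printf '%s\n' "$1" | cut -c5-7 ;;
        o) printf '%s\n' "$1" | cut -c8-10 ;;
        *) echo "class must be u, g or o" >&2; return 2 ;;
    esac
}

# has_perm MODE CLASS PERM: succeed if CLASS holds PERM (r, w or x).
has_perm() {
    triplet=$(class_perms "$1" "$2") || return 2
    case $3 in
        r) [ "$(printf '%s' "$triplet" | cut -c1)" = r ] ;;
        w) [ "$(printf '%s' "$triplet" | cut -c2)" = w ] ;;
        # A lowercase s or t in the execute position also implies execute.
        x) case $(printf '%s' "$triplet" | cut -c3) in
               x|s|t) true ;;
               *) false ;;
           esac ;;
        *) return 2 ;;
    esac
}

# report FILE: show each class's permissions and flag world-writable files.
report() {
    m=$(mode_of "$1") || return 1
    line="$1 u=$(class_perms "$m" u) g=$(class_perms "$m" g) o=$(class_perms "$m" o)"
    if has_perm "$m" o w; then line="$line WORLD-WRITABLE"; fi
    printf '%s\n' "$line"
}

# Report on any files named on the command line.
for f in "$@"; do report "$f"; done
```
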