Permissions for limited user accounts can be fine-tuned beyond the default levels of access afforded by Windows and Linux, which may be too permissive in some situations. However, tweaking file and directory permissions is not trivial and can cause problems if done carelessly.
The three basic file and directory permissions are read, write, and execute. They are usually granted, at varying levels of authority, to groups such as users or administrators, but both Windows and Linux also let you set permissions on individual directories and files for particular users. This enables the machine's owner to set up a user account for himself with fairly liberal permissions, and to set up another account for a child, say, or a housemate, with more restrictive ones. People sharing your computer can thus be kept from opening (reading) files and directories with sensitive data, from altering (writing to) program configuration files, and from launching (executing) programs you choose not to make available to them.
However, altering permissions recursively, that is, applying access restrictions that affect all of the contents in a directory, can result in unpleasant surprises. A directory, or a subdirectory within it, may contain program executables or configuration files needed by applications. If these files are unintentionally restricted with recursive changes, a user might be unable to launch programs that he is otherwise authorized to use.
Applying permissions is a good deal more complicated in multiuser versions of Windows than it is in Linux, but Windows allows more granular control, which is good for experienced administrators, though it presents a challenge to home users. The procedure may seem confusing, but basically, you will first choose the directory or file to be restricted, then choose the users to be permitted or denied access. To restrict individual users from running particular programs or browsing certain directories in Windows, do the following:
Figure 2-10. Selecting properties for the system directory
5. When the Properties dialog pops up, choose the Security tab.
6. This will bring up the advanced security settings dialog. Again,
7. You will then get another dialog showing the user you chose
8. Click the OK button; you will return to the advanced security
You can use this basic procedure to fine-tune file and directory permissions for each user. You could, for example, deny a small child permission to use a chat client like ICQ or an e-mail client on his own. But remember, if you apply limits to the Users group, all users will be kept from the directory or program file chosen. To specify users for particular file and directory restrictions, you must bring up the advanced security settings dialog and apply the restrictions individually as just described.
This technique can be used to keep children from applications and directories that parents don't want them to access without supervision, even when they've been given their own computers. A parent simply needs to set up an administrator account for himself with which to maintain the machine and assign a user account to each child. Children can be granted different levels of access depending on their ages, regardless of whether they use their parents' computer, share one among themselves, or have their own machines. This way, young children can be kept from e-mail, browsers, and chat clients, while older children can be allowed to use them in their own accounts. This can help ensure that the very young will not be exposed to online content unless an older sibling or a parent is around to supervise them. Even when each child has his own computer, a parent can still administer it and decide which programs can be accessed. Thus, multiuser systems like Windows XP and Linux offer significant advantages for parental control regardless of whether children use their parents' computers, each other's, or their own.

Because a good deal of malware installs itself into C:\WINDOWS\System, C:\WINDOWS\System32, and the per-user Startup directories, it is worth restricting write access to them for all users, following the preceding instructions. Malware that runs under a limited user account then cannot copy itself into those directories; code that runs with administrator rights is not bound by the restriction, so this is no substitute for doing everyday work from a limited account. It will not stop every infection, but these are popular destinations, so removing write access is worth the effort. Navigate to the System and System32 directories and take Write and Modify away from the Users group on the Security tab of the Properties dialog. Do this by clearing the Allow checkboxes for Write and Modify rather than ticking Deny: a Deny entry overrides any Allow, and since every interactively logged-on account, administrators included, is a member of the Users group, an explicit Deny for Users would lock your own administrator account out as well. With the Allow entries removed, you can still write to these directories from your administrator account, which is necessary when you install new software or hardware.
Unfortunately, there is a separate Startup directory for each user, and write access must be removed from each one individually. They are located at C:\Documents and Settings\username\Start Menu\Programs\Startup; the shared C:\Documents and Settings\All Users\Start Menu\Programs\Startup runs for every account and deserves the same treatment. You will still be able to add startup programs to any user account and install software from your administrator account.
Linux goes about things differently. An unprivileged account under Linux is better controlled than one under Windows: users have a harder time getting into mischief or damaging the system because there is little they can do outside their home directories to begin with. Malware that runs under such an account is confined in the same way, so it is far less likely to affect the system as a whole.
On Windows, it's often easier to work with users, whereas on Linux it's often easier to work with groups. When you wish to keep some users on a Linux system away from directories or program files, a simple approach is to raise the level of privilege needed to reach them, then grant that privilege only to the users you choose by adding them to a group that has it. (You can do this on Windows, too, but with so many options it can become confusing.) For example, you might hand the ICQ client's program file (licq) to a group called trusted, with read and execute permission for the owner and that group and no permission at all for anyone else, and then add yourself, your spouse, and your older children to trusted. Young children would remain in the group users only and could not run the ICQ binary from their accounts. The other users would belong to two groups, users and trusted, and so be permitted access by virtue of their membership in trusted.
The easiest way to change file and directory permissions is with a GUI file browser like Krusader or Nautilus, because if you have a lot of files to deal with, making these changes at the command line will be tedious. You can certainly make these changes from a root shell if you understand the commands chmod, chown, and chgrp (well worth learning, by the way), but if you want to use a GUI method, you'll have to log in as root, or run the file browser as root, to change files you do not own. Simply navigate to the files you wish to restrict, right-click, and pull up their properties. You will find a simple dialog for setting permissions. The options are read, write, and execute. If you want only the owner to have access, clear the checkboxes on the lines labeled Group and Others. If you wish to allow a group access, check off the permissions you intend to grant on the line labeled Group and then specify the group in the field below. If you wish to allow every user some access, check off the permissions you intend to grant on the line labeled Others.
In Figure 2-14, the user tcg is the only one permitted to view, enter, or write to his /home/tcg/Documents directory (read, write, and execute for the owner only, mode 700). Root has free access to the entire system by default, but fellow members of the group to which tcg belongs (users), and all others, are denied access.
Because permissions are simpler on Linux than on Windows, it's easier to work with groups than with individual users. If you wish to grant file or directory access to some but not all users, give the file or directory to a more privileged group, such as trusted, remove the rights of others, and then add only the users you choose to that group. And that's all there is to it. Linux makes this procedure quite painless.
You can tweak permissions on directories too, but the earlier cautions about recursive changes apply. If you overprotect a directory, you may block user access to program files or configuration files that you meant to make available; in particular, stripping the execute bit from a directory prevents anyone without it from entering the directory at all, whatever the permissions on the files inside. The same group trick covers the programs through which the system's services are reached: small children can be kept off the Internet, for example, by restricting the browser, mail, and chat binaries to a group and leaving them out of it. Bear in mind that this restricts the programs, not the network itself; a program the child can run from elsewhere, such as a copy in the home directory, can still open connections.
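The group-based approach above, together with the earlier caution about recursive changes, as an added shell example (not from the original chapter). It builds a throwaway stand-in for a program tree under a temporary directory, gives the launcher to a group with mode 750 the way the text describes, then contrasts a careless recursive chmod with one that uses the X flag. It assumes Linux with GNU coreutils (stat -c); the group named trusted in the text is replaced by the caller's own primary group, because handing a file to any other group requires root, and the licq tree is constructed here, not the real program.

```shell
#!/bin/sh
# Added example, not code from the original chapter. Applies the group-based
# restriction the text describes to one program file, then contrasts a careless
# recursive permission change with one that keeps directories and the binary
# usable. Assumes Linux with GNU coreutils (stat -c). The "trusted" group of the
# text is replaced by the caller's own primary gid (numeric, so it works even when
# the gid has no name); "licq" is a constructed stand-in tree, not the program.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK" 2>/dev/null || :' EXIT
GROUP_ID=$(id -g)   # stands in for the "trusted" group
APP="$WORK/licq"    # constructed stand-in for a program tree

# (Re)create the tree: a launcher plus a config file in a subdirectory.
setup_tree() {
    if [ -d "$APP" ]; then
        chmod u+rwx "$APP" "$APP/etc"  # regain search rights on a locked tree
        rm -rf "$APP"
    fi
    mkdir -p "$APP/etc"
    printf '#!/bin/sh\necho licq running\n' > "$APP/licq"
    printf 'server=example\n' > "$APP/etc/licq.conf"
    chmod 755 "$APP" "$APP/etc" "$APP/licq"
    chmod 644 "$APP/etc/licq.conf"
}

mode_of()  { stat -c '%a' "$1"; }  # octal mode, e.g. 750
group_of() { stat -c '%g' "$1"; }  # owning gid

# Does the group have the execute (search) bit on this path? 7th char of %A.
group_has_x() {
    case $(stat -c '%A' "$1") in
        ??????[xs]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# A group member can launch the program only if every directory on the path
# is searchable and the launcher itself is executable for the group.
group_can_launch() { group_has_x "$APP" && group_has_x "$APP/licq"; }

# The text's procedure for one program file: hand it to the group, keep rwx for
# the owner, r-x for the group, nothing for others (mode 750).
restrict_to_group() { chgrp "$2" "$1"; chmod 750 "$1"; }

# Careless: the classic "chmod -R 640 dir". Directories lose the search bit and
# the launcher loses its execute bit, so nobody but root can use the program.
# Done depth-first with find so the walk never meets a directory it has already
# locked, which lets the example run unprivileged as well.
careless_recursive() {
    setup_tree
    find "$APP" -depth -exec chmod 640 {} \;
}

# Careful: X grants execute only to directories and to files that already have
# an execute bit, so licq.conf becomes 640 while the directories and the
# launcher stay executable (750) for owner and group.
careful_recursive() {
    setup_tree
    chgrp -R "$GROUP_ID" "$APP"
    chmod -R u=rwX,g=rX,o= "$APP"
}

# After a careless pass the execute bits are gone, and X can no longer tell the
# former binary from a config file: directories recover, the launcher does not.
x_after_careless() {
    careless_recursive
    chmod u+rwx "$APP" "$APP/etc"    # so an unprivileged owner can descend again
    chmod -R u=rwX,g=rX,o= "$APP"
}

# The only fix is to name the binary explicitly.
repair_after_careless() {
    x_after_careless
    chmod ug+x "$APP/licq"
}

# Walk through the cases when run directly.
setup_tree
restrict_to_group "$APP/licq" "$GROUP_ID"
echo "single file: gid $(group_of "$APP/licq"), mode $(mode_of "$APP/licq")"
for case_fn in careless_recursive careful_recursive x_after_careless repair_after_careless; do
    $case_fn
    if group_can_launch; then verdict=launches; else verdict=blocked; fi
    echo "$case_fn: launcher $(mode_of "$APP/licq"), config $(mode_of "$APP/etc/licq.conf"), group $verdict"
done
```

Run it as an ordinary user; group_can_launch reads the permission bits rather than switching accounts, so no second user is needed. The key line is chmod -R u=rwX,g=rX,o=: a lowercase x would mark every config file executable, while X adds execute only where a directory or an already-executable file needs it. Once a pass has stripped every execute bit, X can no longer recover the binary, which is what the last two functions show.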
So, if you've carried out the instructions in this chapter, you'll have hardened your machine significantly according to the first two of our trio of principles: prevention, resistance, and tolerance.
And neither your firewall nor your antivirus software had a thing to do with it.