
Read, Write, Execute - Security

Many of us who use security products on our computers religiously are bewildered to find that we still get infected with malware. How does this happen? No matter what we do, our computers are constantly in touch with the vectors that carry malicious software. Thomas Greene explains what this means, and what we can do about it.

TABLE OF CONTENTS:
  1. Vectors
  2. Common Vectors
  3. Other Vulnerabilities
  4. "Unsafe at Any Speed"
  5. Defense
  6. Linux Services
  7. Becoming a User
  8. Read, Write, Execute
By: Apress Publishing
February 02, 2005


Permissions for limited user accounts can be fine-tuned beyond the default levels of access afforded by Windows and Linux, which may be too permissive in some situations. However, tweaking file and directory permissions is not trivial and can cause problems if done carelessly.

The three basic file and directory permissions are read, write, and execute. Such permissions are usually granted, in varying levels of authority, to groups such as users or administrators. However, it is possible in both Windows and Linux to choose individual directory and file permissions for particular users. This enables the machine's owner to set up a user account for himself with fairly liberal permissions, and to set up another user account for a child, say, or a housemate, with more restrictive ones. This way, people sharing your computer can be kept from opening (i.e., reading) files and directories with sensitive data, from altering (i.e., writing to) program configuration files, and from activating (i.e., executing) programs you choose not to make available to them.

However, altering permissions recursively, that is, applying access restrictions that affect all of the contents in a directory, can result in unpleasant surprises. A directory, or a subdirectory within it, may contain program executables or configuration files needed by applications. If these files are unintentionally restricted with recursive changes, a user might be unable to launch programs that he is otherwise authorized to use.

Applying permissions is a good deal more complicated in multiuser versions of Windows than it is in Linux, but Windows allows more granular control, which is good for experienced administrators, though it presents a challenge to home users. The procedure may seem confusing, but basically, you will first choose the directory or file to be restricted, then choose the users to be permitted or denied access. To restrict individual users from running particular programs or browsing certain directories in Windows, do the following:

  1. Log in to your administrator account and left-click on the My Computer desktop icon.

  2. Under Hard Disk Drives, click on Local Disk (C:). You will see a list of top-level directories such as Program Files, WINDOWS, etc. (Alternatively, you can launch the Windows Explorer file browser; the procedure is the same.)

  3. Let's assume that you have a user called tcg with an account on your machine and you want to disable access to the system directory for him alone. Navigate to the WINDOWS\system directory.

  4. Highlight the directory, right-click, and select Properties from the right-click menu (Figure 2-10).

Figure 2-10. Selecting properties for the system directory

  5. When the Properties dialog pops up, choose the Security tab. There will be two fields: at the top, a list of user groups, and below, a list of possible permissions. However, if you apply restrictions to a group such as Users, then every user will be denied access. To specify an individual user, click on the Advanced button (Figure 2-11).

Figure 2-11. Choosing the Advanced user permissions dialog

  6. This will bring up the advanced security settings dialog. Again, you will see Users listed as a group. Click the Add button and enter the desired username, tcg, manually in the lower field under Enter the object name to select (Figure 2-12). Click OK.

Figure 2-12. Choosing a user instead of a group

  7. You will then get another dialog showing the user you chose associated with the system directory. You can now choose the user's permissions for that directory. Unfortunately, there is a plethora of options. To make it simple, choose Deny in the top line labeled Full Control to remove the user's permission to view or launch files in the system directory. This will change all of the options at once (Figure 2-13).

Figure 2-13. Denying a user access to the system folder

  8. Click the OK button; you will return to the advanced security settings dialog. Click Apply.

  9. You will see a new line with the word Deny followed by the username. Click OK and close the system directory Properties box. The user you chose will not be able to view or activate any files in the system directory.

You can use this basic procedure to fine-tune file and directory permissions for each user. You could, for example, deny a small child permission to use a chat client like ICQ or an e-mail client on his own. But remember, if you apply limits to the Users group, all users will be kept from the directory or program file chosen. To specify users for particular file and directory restrictions, you must bring up the advanced security settings dialog and apply the restrictions individually as just described.

This technique can be used to keep children from applications and directories that parents don't want them to access without supervision, even when they've been given their own computers. A parent simply needs to set up an administrator account for himself with which to maintain the machine and assign user accounts to each child. Children can be granted different levels of access depending on their ages, regardless of whether they use their parents' computer, share one among themselves, or have their own machines. This way, young children can be kept from e-mail, browsers, and chat clients, while older children can be allowed to use them in their own accounts. This can help ensure that the very young will not be exposed to online content unless an older sibling or a parent is around to supervise them. Even when each child has his own computer, a parent can still administer it and decide which programs can be accessed. Thus, multiuser systems like Windows XP and Linux offer significant advantages for parental control regardless of whether children use their parents' computers, each others', or their own.

Because a good deal of malware installs itself to the C:\WINDOWS\System, C:\WINDOWS\System32 and ~\Startup directories, it's not a bad idea to restrict write access for all users following the preceding instructions. This way, if a user encounters a bit of malware, it will not be able to install itself to these directories. This will not prevent all malware from installing itself, but these are popular destinations, so disabling write access is worth the effort. Simply navigate to the ~\System and ~\System32 directories and disable write access for the entire group Users. You should deny the actions Write and Modify in the Properties -> Security setup field. You will still be able to write to these directories from your administrator account, which may be necessary when you're installing new software or hardware.

NOTE  The tilde (~) can indicate two things: a shortened directory path or a directory whose name would vary on different computers. Thus, C:\Windows\Temp might be shortened to ~\Temp, and /home/username/Documents might appear as /home/~/Documents.

Unfortunately, there is a separate Startup directory for each user, and write access must be disabled for each one individually. The Startup directories are located in C:\Documents and Settings\~\Start Menu\Programs\Startup, that is, C:\Documents and Settings\username\Start Menu\Programs\Startup.

  1. Navigate to the Startup directory for each account, including your administrator account and the accounts All Users and Default User, and deny write access to these directories for the group Users.

  2. It may be necessary to add the group Users with the Advanced button in the Properties -> Security dialog.

  3. You should deny the actions Write and Modify in the setup field. This is not at all difficult, but it is tedious, though worthwhile.

You will still be able to add startup programs to any user account and install software from your administrator account.

Linux goes about things differently. An unprivileged account under Linux is better controlled than one under Windows: users have a harder time getting into mischief or mucking up the system because there's not much damage they can do outside their home directories to begin with. Thus, malware is far less likely to affect the system overall.

NOTE  Setting up the /home directory alone on a separate primary partition will further enhance the system protection inherent in the Linux user sandbox.

On Windows, it's often easier to work with users, whereas on Linux it's often easier to work with groups. When you wish to restrict users on a Linux system from directories or program files, a simple approach is to raise the level of privilege needed, then increase the privileges of users to whom you wish to grant access by adding them to a group with greater privileges. (You can do this on Windows, too, but with so many options it can become confusing.) For example, on Linux you might confine the ICQ (licq) program file to access by the group trusted, and then add yourself, your spouse, and your older children to that group. Young children would remain in the group users only, and not be able to access the ICQ binary from their accounts. The other users would belong to two groups, users and trusted, and so be permitted access by virtue of their membership in the trusted group.

The easiest way to change file and directory permissions is by using a GUI file browser like Krusader or Nautilus, because if you have a lot of files to deal with, making these changes at the command line will be tedious. You can certainly make these changes from a user account with a root shell if you understand the commands chmod, chuser, and chgroup (well worth learning, by the way), but if you want to use a GUI method, you'll have to log in as root. Simply navigate to the files you wish to restrict, right-click, and pull up their properties. You will find a simple dialog for setting permissions. The options are read, write, and execute. If you want only one user to have access, then clear the checkboxes on the lines labeled Group and Others. If you wish to allow a group to access it, simply check off the permissions you intend to grant on the line labeled Groups and then specify the group in the field below. If you wish to allow every user to have some access, check off the permissions you intend to grant to members of additional groups on the line labeled Others.

In Figure 2-14, the user tcg is the only one permitted to view, enter, or write to his /home/tcg/Documents directory. Root has free access to the entire system by default, but fellow members of the group to which tcg belongs (users), and all others, are denied access.


Figure 2-14.  Setting directory permissions with Krusader

Because permissions are simpler on Linux than on Windows, it's easier to work with groups than with individual users. If you wish to grant file or directory access to some but not all users, you can assign a directory's or a file's access rights to a more privileged group, such as trusted, then add only the users you choose to that group. And that's all there is to it. Linux makes this procedure quite painless.

You can do permission tweaking with directories, but the earlier cautions about recursive changes apply. If you overprotect a directory, you may block user access to program files or configuration files that you wish to make available. It's also very easy to edit group permissions in terms of the system services available. Small children can have Internet access disabled, for example, by raising the permission level needed to access the service and then denying them membership in the group authorized to do so.
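The group-based restriction and the recursive-change caution described above can be tried from a shell. This is an added example, not code from the book: the function names are hypothetical, the files are constructed in a temporary directory, the current user's own group stands in for trusted so that it runs without root, and it uses the standard chgrp and chmod commands.

```shell
#!/bin/sh
# Real use, as root (the path to licq is an assumption):
#   groupadd trusted; usermod -aG trusted <user>
#   restrict_to_group /usr/bin/licq trusted

# Hand a file or directory to GROUP and shut out everyone else:
# owner rwx, group r-x, others nothing (mode 750).
restrict_to_group() {
    chgrp "$2" "$1" && chmod 750 "$1"
}

# Dry run before a recursive lock-down: list regular files under DIR
# that "others" can execute now and would lose after chmod -R o-rwx.
preview_recursive() {
    find "$1" -type f -perm -001 -print | sort
}

# Recursive lock-down that removes access for "others" only. Owner and
# group bits are untouched, so group members keep working programs.
lock_out_others() {
    chmod -R o-rwx "$1"
}

# Octal mode of a path (GNU stat, as found on Linux).
mode_of() {
    stat -c '%a' "$1"
}

# Constructed sample tree: a stand-in chat client and its config file.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/apps"
printf '#!/bin/sh\necho chat client\n' > "$demo_dir/apps/licq"
printf 'setting=1\n' > "$demo_dir/apps/licq.conf"
chmod 755 "$demo_dir/apps" "$demo_dir/apps/licq"
chmod 644 "$demo_dir/apps/licq.conf"

echo "Others would lose execute on:"
preview_recursive "$demo_dir/apps"

# Numeric GID of the current user stands in for the group "trusted".
restrict_to_group "$demo_dir/apps/licq" "$(id -g)"
echo "licq mode:      $(mode_of "$demo_dir/apps/licq")"

lock_out_others "$demo_dir/apps"
echo "licq.conf mode: $(mode_of "$demo_dir/apps/licq.conf")"
```

Running the preview first shows which programs a recursive change would take away from users outside the group, which is the surprise the text warns about.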

So, if you've carried out the instructions in this chapter, you'll have hardened your machine significantly according to the first two of our trio of principles: prevention, resistance, and tolerance.

And neither your firewall nor your antivirus software had a thing to do with it.


This chapter is from Computer Security for the Home and Small Office by Thomas C. Greene (Apress, 2004, ISBN: 1590593162).



 
 