Filesystem permissions: Linux and UNIX

Traditionally, Linux and UNIX have used what are now called POSIX file permissions for filesystem access control. Each filesystem object has an "owner" and a "group", and read, write, and execute permission can be set individually for the owner, for the group, and for "world" (also called "other"): every process whose uid is not the owner's and whose group set does not include the file's group.

Linux and many UNIX variants now also support Access Control Lists (ACLs) in one form or another for filesystem access control. ACLs are more flexible and in some respects easier to manage, and security-conscious organizations may want to investigate them. However, their use is outside the scope of this document.

Permissions can be set interactively using commands such as chmod in a shell session, but Micro Focus recommends using a script, so the sequence of commands used can be saved and repeated.

Here is one possible approach to using POSIX file permissions to restrict filesystem access as recommended in the Hardening filesystem permissions topic:

  1. Identify what system files (programs, shared objects, data files) are required for normal Enterprise Server operation. Typically these will have appropriate permissions for all users, but in some cases users may need to be members of a certain group to gain access to some feature of the OS or an installed package. If any such groups are identified, make a note of them.
  2. Create user accounts for Enterprise Server components as discussed in this chapter.
  3. Create a user group for use by Enterprise Server. Make this the default group for the user accounts created in the previous step; that will ensure that new files created by Enterprise Server processes belong to this group.
  4. Change files and directories specific to Enterprise Server so that they are owned by one of the Enterprise Server user accounts (usually the one which regions run under) and belong to the group created in the previous step. If these files have been organized as recommended in the Hardening filesystem permissions topic, this can be done with a few chown commands using the recursive (-R) option.
  5. If there are any other user accounts which need access to Enterprise Server files, add them to the group created in step 3.
  6. Configure the umask for Enterprise Server processes. The umask controls the permissions that new files and directories are created with, if the process creating them does not override it. For example, a umask of 0770 will permit read, write, and execute permission for owner and group, but clear all permissions for other processes. The umask for Enterprise Server processes will be inherited from the shell used to start those processes, so for example it can be set in the $COBDIR/bin/mfds shell script for the MFDS process, and it will be inherited by any regions started using MFDS.
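The following script is an added example, not part of the Micro Focus documentation: it carries out steps 4 to 6 on a constructed directory tree and lets you check what a candidate umask actually produces before putting it in a startup script. A umask removes permission bits rather than granting them, so the mask that leaves owner and group with rwx and others with nothing is 007. Account and group names, and the tree layout, are placeholders.

```shell
#!/bin/sh
# Added example, not from the Micro Focus documentation. Shows how a umask
# shapes the mode of new files and directories (step 6) and applies the
# owner/group/mode scheme of steps 4 and 5 to a directory tree. Needs POSIX sh
# plus chown, chgrp, chmod and find; all account names are placeholders.

# A umask REMOVES bits from the requested mode. New directories are normally
# requested as 0777 and new regular files as 0666, so a mask of 007 yields
# 0770 and 0660, while 0770 used as a mask would strip owner and group bits.
effective_mode() {            # effective_mode <umask> <requested-mode>
    printf '%04o\n' "$(( $2 & ~$1 ))"
}

# True if <path> has exactly octal mode <mode> (find -perm is portable).
mode_is() {                   # mode_is <path> <mode>
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Create a directory and a file under <dir> with the given umask. The subshell
# keeps the caller's umask unchanged; a startup script such as mfds would set
# it in its own shell instead, so that the regions it launches inherit it.
create_with_umask() {         # create_with_umask <umask> <dir>
    ( umask "$1" && mkdir "$2/newdir" && : > "$2/newfile" )
}

# Steps 4 and 5 for an existing tree: hand it to the service account and
# group, then deny everyone outside that group. Changing the owner needs root;
# changing the group works for the owner when they belong to the target group.
harden_tree() {               # harden_tree <root> <user> <group>
    root=$1 user=$2 group=$3
    if [ "$(id -u)" -eq 0 ]; then chown -R "$user" "$root" || return 1; fi
    chgrp -R "$group" "$root" || return 1
    find "$root" -type d -exec chmod 0770 {} +               # dirs: rwx owner+group
    find "$root" -type f -exec chmod 0660 {} +               # data: rw owner+group
    find "$root" -type f -name '*.sh' -exec chmod 0770 {} +  # scripts keep execute
}

# Self-contained run on a constructed tree under a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/es/bin" "$tmp/es/data"
    : > "$tmp/es/bin/start.sh"; : > "$tmp/es/data/catalog.dat"
    harden_tree "$tmp/es" "$(id -un)" "$(id -gn)" || return 1
    create_with_umask 007 "$tmp/es/data" || return 1
    if mode_is "$tmp/es/bin/start.sh" 0770 && mode_is "$tmp/es/data/catalog.dat" 0660 \
       && mode_is "$tmp/es/data/newdir" 0770 && mode_is "$tmp/es/data/newfile" 0660
    then rc=0; else rc=1; fi
    rm -rf "$tmp"; return "$rc"
}
```

Run `demo` from a shell to exercise the whole sequence; it only writes under a temporary directory that it removes afterwards.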