Linux file system tips & tricks

Recently I upgraded one of my Drupal installations and also took the opportunity to tighten security. While doing that, I came across a number of issues and found solutions for them. What I then realized is that those solutions didn't pertain to Drupal itself, but to the underlying file system, and were therefore applicable to a far wider range of situations.

In order to preserve that knowledge I'm blogging about it, with an added benefit that it could help someone else too :-)

Introduction

With the linux file system you can determine what someone is allowed to do with a certain file or folder. If you don't want to deal with a "Permission denied" message, you can choose to give everyone all rights to all files and folders. That's probably not what you want though and in some cases it will even prevent you from using a particular program, like ssh.

If you have files/folders accessible from the internet, like a website, you should minimize the access rights in order to improve security. You want to minimize the chance that someone breaks into your system and, if they do, you want to minimize the damage they can do. Even when your files are not accessible from the internet, it is best practice to give access to the people who need it, while denying everyone else.

All the examples/commands you'll find in this blog post will be for the CLI (Command Line Interface), also known as the terminal.
There are a number of reasons for that:

  1. Uniformity: There are a number of GUI tools to operate on files/folders, but they probably won't look or operate the same, while they do with the CLI
  2. Availability: A GUI may not always be available. This can be because there is no X-Server/GUI installed, which is quite common for servers. Another reason could be that there's something broken on your system, be that your file manager or your whole X-Server. The CLI however, will still be available and if not, you have issues way beyond the scope of this blog post :-P

The first step in the Update Drupal Core procedure is to make a backup first and so should you before playing with the security settings on your file system!
I made my backup with the following command:

rsync -avz <sourcefolder> <backupfolder>

Let's start with a basic explanation of how security works on a linux/unix file system.

Linux file system security basics

When you do "ls -l" in a directory you'll get a listing of the files and folders in that directory and the listing contains a number of columns. The first column shows the access rights, the 3rd column the user ownership of the file/folder, the 4th column the group ownership of the file/folder and the last column shows the name of the file/folder.
Below you'll find the listing of my drupal folder from which I've removed some files in order to make the listing a bit shorter.

#ls -l
total 76
-rw-r--r--  1 www-data www-data  6605 May  3 00:10 authorize.php
-rw-r--r--  1 www-data www-data   720 May  3 00:10 cron.php
drwxr-xr-x  4 www-data www-data  4096 May  3 00:10 includes
-rw-r--r--  1 www-data www-data   529 May  3 00:10 index.php
-rw-r--r--  1 www-data www-data   688 May  3 00:10 install.php
drwxr-xr-x  4 www-data www-data  4096 May  3 00:10 misc
drwxr-xr-x 42 www-data www-data  4096 May  3 00:10 modules
drwxr-xr-x  5 www-data www-data  4096 May  3 00:10 profiles
drwxr-xr-x  2 www-data www-data  4096 May  3 00:10 scripts
drwxr-xr-x  4 www-data www-data  4096 May  3 00:10 sites
drwxr-xr-x  7 www-data www-data  4096 May  3 00:10 themes
-rw-r--r--  1 www-data www-data 19416 May  3 00:10 update.php
-rw-r--r--  1 www-data www-data  2051 May  3 00:10 web.config
-rw-r--r--  1 www-data www-data   417 May  3 00:10 xmlrpc.php

In the above listing, the first character of the first column is either a 'd' or a '-', and that character denotes what type of 'file' it is.
In Linux everything is considered a file, unless it is a process. If the first character is a '-', then it is an ordinary file; when that character is a 'd' it means that it is a file of type directory. There are other types of files, but I won't discuss them here.

The first character of the first column is followed by 3 sets of 3 characters containing 'r/w/x' which stand for read/write/execute or a '-' if the user/group does not have that permission. The 3rd and 4th column show that the www-data user is the user-owner of the files and folders and that the www-data group is the group-owner of them.
On a Debian system, www-data is the user/group representing the (apache) webserver, so this is not uncommon for a website. When you do "ls -l" in your home directory you'll probably see your username as both user and group owner. Note that there is then both a user and a group with the same name, just like in the example above there's a www-data user and a www-data group.

I said that there were 3 sets of 3 characters. The first set is for user, the second set is for group and then we have a third set and that is for everyone else, also known as other.
Let's inspect the first file in that list and I'll explain who can do what with that file:

-rw-r--r--  1 www-data www-data  6605 May  3 00:10 authorize.php
  • rw-   This means that the www-data user can read and write (modify) the file, but not execute it
  • r--    This means that the www-data group can read the file, but not write or execute it
  • r--    This means that everyone else (=other) can read the file, but not write or execute it

The terms read and write are probably obvious, but what does the execute permission mean when it comes to files? In this case you should think about programs, like LibreOffice Writer/Calc/Impress or a media player like SMPlayer or shell scripts which often end in .sh. Here's how the permissions for SMPlayer are set on my system:

$ ls -l /usr/bin/smplayer 
-rwxr-xr-x 1 root root 2532912 Apr 14 07:25 /usr/bin/smplayer

Since the execute bit for 'other' is set (the last 'x'), I can execute/run SMPlayer (as a normal user).
Now that I've shown and explained the security settings with respect to files, let's see what it means when it comes to directories:

drwxr-xr-x  4 www-data www-data  4096 May  3 00:10 includes

Here you see that "includes" is a file of type directory and I'll explain what the other 9 characters entail:

  • rwx    This means that the www-data user can read (=list) the contents (=files and subdirectories) of the directory. Furthermore it can write to that directory, meaning it can add files and sub-directories to that directory. The last character ('x') means that the www-data user can enter the directory.
  • r-x     This means that the www-data group can read/list the contents of the directory and enter it, but it cannot write to that directory, i.e. create/add files and directories.
  • r-x     This means that everyone else (others) can read/list the contents of the directory and enter it, but they cannot write to that directory, i.e. create/add files and directories.
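
As an added example (not code from the original post; the function names are my own), the following POSIX shell script turns a mode string from the first column of "ls -l" into the wording used above, with the directory meanings of the bits, and adds a companion check that lists the world-writable entries in a tree, the kind of thing you want to catch in a web root:

```shell
#!/bin/sh
# Added example, not from the original post: decode the first column of
# "ls -l" into the wording used above, and list world-writable entries.

# describe_bits KIND BITS: say what one rwx triplet allows for a file or
# a directory (an 's' or 't' in the last position also implies execute).
describe_bits() {
    kind=$1; bits=$2; out=""
    case $bits in r??)
        if [ "$kind" = directory ]; then out="$out list"; else out="$out read"; fi ;;
    esac
    case $bits in ?w?)
        if [ "$kind" = directory ]; then out="$out add/remove"; else out="$out modify"; fi ;;
    esac
    case $bits in ??[xst])
        if [ "$kind" = directory ]; then out="$out enter"; else out="$out execute"; fi ;;
    esac
    [ -n "$out" ] && printf '%s\n' "${out# }" || echo nothing
}

# decode_mode MODESTRING: e.g. "decode_mode drwxr-xr-x" prints one line each
# for user, group and other.
decode_mode() {
    mode=$1
    [ "${#mode}" -ge 10 ] || { echo "not a mode string: $mode" >&2; return 1; }
    case $mode in
        d*) kind=directory ;;
        -*) kind=file ;;
        l*) kind=symlink ;;
        *)  kind=special ;;
    esac
    rest=${mode#?}                    # drop the type character
    for who in user group other; do
        bits=${rest%"${rest#???}"}    # first three characters of $rest
        rest=${rest#???}
        printf '%s: %s\n' "$who" "$(describe_bits "$kind" "$bits")"
    done
}

# world_writable DIR: every entry under DIR that "other" may write to
# (-perm -002 is the portable spelling of o+w; symlinks are always 777, so skip them).
world_writable() {
    find "$1" -perm -002 ! -type l
}

# The two entries discussed above:
decode_mode '-rw-r--r--'
decode_mode 'drwxr-xr-x'
```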

The read and write terms are probably obvious again, but what does 'enter the directory' mean and why is that important?

Tips and Tricks


Delete all but 1 file/directory

# plain "ls" lists just the entry names; "ls *" would also list the contents of each subdirectory, and -x makes grep match the whole name
rm -rf $(ls | grep -vx SAVETHISDIRECTORY)

source: How do I delete all but one directory in Linux?

Change permissions of all directories (recursive)

find . -type d -print0 | xargs -0 chmod o+x

source: chmod recursion