In this section we will look at what permission bits should be set on various files and directories in your Linux directory hierarchy, in order for your system to remain reasonably secure.
In the main, all the standard Linux commands (i.e. the executable commands in the /bin and /usr/bin directories) should be owned by root and need have no more permission bits set on them than rwx--x--x if they are executable binary files and rwxr-xr-x if they are executable shell scripts. Specifically, this set of permission bits will stop users other than root from being able to write to the files, so that ordinary users cannot change any of the standard commands. In general, it is good practice to set as few permission bits on a file as are necessary for it to perform its function.
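As an added example (not part of the original text), here is a small POSIX shell audit that checks the rule just stated: every file under the given directories should be owned by the expected user (root for /bin and /usr/bin) and carry no group- or other-write bit. The function names and the "strict" wrapper are my own choices; the command is `find` as found on any Linux system.

```shell
#!/bin/sh
# Added audit helper, not part of the original text. It reports files under the
# given directories that break the rule above: they are not owned by the
# expected user (normally root), or they have the group- or other-write bit set,
# which would let someone other than the owner replace a standard command.
# Usage: audit_executables root /bin /usr/bin

audit_executables() {
    owner=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -perm -020: group-writable, -perm -002: world-writable (POSIX find)
        find "$dir" -type f \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print 2>/dev/null
    done
}

# Same check, but with exit status 1 when anything is found, so it can be run
# from cron or a nightly integrity job and fail loudly.
audit_executables_strict() {
    out=$(audit_executables "$@")
    if [ -n "$out" ]; then
        printf 'Writable or wrongly owned executables:\n%s\n' "$out"
        return 1
    fi
    return 0
}
```

Run it as `audit_executables_strict root /bin /usr/bin /sbin /usr/sbin`; an empty result is the healthy state. Note that ownership is only half of the rule: a root-owned file with mode rwxrwxr-x still fails, because any member of the file's group could overwrite it.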
Normally, when a program is executed, it runs with the permissions of the user who executed it. Sometimes this would not give the process enough privileges to perform its task correctly. In these cases it is possible to set either the SUID or SGID bit on the program so that users running the program take on the permissions of the program's owner or group, respectively, rather than their own permissions.
This is the only way to get some programs (such as the passwd program) to work properly. It does, however, open up all sorts of possibilities for abuse if the facility should get into the wrong user's hands. For example, if you are logged on as root and leave your terminal unattended briefly, it takes only a few moments, while you are away, for a hacker to type:
# cp /bin/bash /home/hacker/.innocuous.file
# chmod 4755 /home/hacker/.innocuous.file
# clear
and you would probably be none the wiser upon your return. Yet now the hacker has a SUID root shell hidden away that can be used anytime without much fear of detection as long as the hacker doesn't do anything stupidly visible.
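The defence against exactly this is to know which set-id files belong on the system and to notice when a new one appears. The following shell functions are an added example (not from the original text): they list every regular file below the given directories with the SUID or SGID bit set, save that list as a baseline, and later report anything that was not in the baseline. The function names are my own; `find`, `sort` and `comm` are standard utilities.

```shell
#!/bin/sh
# Added detection example, not part of the original text. A hidden set-id copy
# of a shell, like the one described above, cannot hide from a filesystem scan:
# it must carry the SUID bit to be useful, and that bit is what we look for.

# Print the SUID/SGID regular files below the given directories, sorted,
# one path per line. -xdev keeps the scan on one filesystem per argument.
find_setid_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Save the current set of set-id files as the trusted baseline.
# Usage: save_setid_baseline /var/lib/setid.baseline / /usr /home
save_setid_baseline() {
    baseline=$1
    shift
    find_setid_files "$@" > "$baseline"
}

# Report set-id files that are not in the baseline. Returns 1 if any are found,
# so the function can drive an alert from cron.
check_setid_baseline() {
    baseline=$1
    shift
    # comm -13: lines only in the second input (current scan), i.e. new files
    new=$(find_setid_files "$@" | comm -13 "$baseline" -)
    if [ -n "$new" ]; then
        printf 'NEW set-id file(s) not in baseline:\n%s\n' "$new"
        return 1
    fi
    return 0
}
```

Take the baseline on a freshly installed, trusted system and store it somewhere that is not writable by ordinary users; review it by hand first, since every entry in it is a program you are choosing to trust with its owner's privileges.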
It might also be that, on your system, you want to have a group of users who can change the contents of some system data files. In this case it is possible to set up a special user group and have the GID of the relevant files set to be this group. If you then set the permissions on the files to rw-rw-r-- it will allow members of the special group to read and write to the files without the need for root privileges and will also only allow read access to other system users. Restricting the need for root access in this way is an important security consideration.
Don't forget that as an added security feature there is a bit mask value (set by the umask command) which will be masked out of the permission bits set on any file when it is created.
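The two points above, a data file shared through a group with mode rw-rw-r-- and the effect of umask on newly created files, are shown in practice by the following added example (not part of the original text). Creating a real special group needs root (`groupadd`), so the group is passed in as a parameter; the mode is read back with GNU `stat -c`, which is assumed to be available. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original text. Shows a group-shared data file
# with mode rw-rw-r-- and what umask does to the mode of a newly created file.

# Make PATH a shared data file owned by GROUP with mode rw-rw-r-- (664):
# group members can edit it without root, everyone else can only read it.
# Prints "<mode> <group>", e.g. "664 operators".
setup_shared_datafile() {
    path=$1
    group=$2
    : > "$path" || return 1
    chgrp "$group" "$path" || return 1
    chmod 664 "$path" || return 1
    stat -c '%a %G' "$path"
}

# Create PATH under the given umask and print the octal mode it received.
# A new file asks for 666; the bits set in the umask are cleared from that.
create_with_umask() {
    mask=$1
    path=$2
    ( umask "$mask" && : > "$path" ) || return 1
    stat -c '%a' "$path"
}

# Compute the mode a new file gets for a given umask without touching the disk,
# handy when checking a policy: expected_file_mode 027 prints 640.
expected_file_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}
```

A umask of 022 (the common default) gives new files 644; a umask of 077 gives 600, which is the sensible choice for accounts that handle private data, since it cannot be "forgotten" the way an explicit chmod can.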
As well as setting the correct permission bits on data and executable files, it is also very important (and often overlooked) to get the right permission bits on your directories, too. It is particularly important to make sure that the system directories (with /tmp and /usr/tmp as obvious exceptions) do not have public write permission associated with them. Remember that write permission on a directory means that you can add new file links to the directory contents and also delete existing links.
Read permission on a directory means that you can read the names of the files contained in the directory - not that you can read the contents of the files themselves. The execute permission bit on a directory is used to allow the directory to be used in a pathname, to access the files below it. Taken together, the read and execute permissions on a directory can be set up so that users are unable to list the contents of a directory to find out what it contains, while at the same time being allowed access to files known to be there. To allow this kind of access, the directory permissions need to be set up as:
rwx--x--x
These permissions allow the directory owner full access to the directory and its contents, while all other users can only access things in the directory whose names are explicitly known.
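To see these directory bits in action, here is an added example (not part of the original text): a helper that reports, from the point of view of the calling user, whether a directory can be listed and whether a file of known name below it can be read, plus a function that builds a demonstration directory with mode rwx--x--x. Function names are my own. One caveat a practitioner should know: root bypasses these permission checks entirely, so run the probe as an ordinary user.

```shell
#!/bin/sh
# Added example, not from the original text. Demonstrates what the read and
# execute bits on a directory allow: listing its names versus passing through
# it to a file whose name you already know.

# Print "list=<yes|no> read=<yes|no>" for DIR and the file NAME inside it.
probe_dir_access() {
    dir=$1
    name=$2
    if ls "$dir" >/dev/null 2>&1; then list=yes; else list=no; fi
    if cat "$dir/$name" >/dev/null 2>&1; then canread=yes; else canread=no; fi
    printf 'list=%s read=%s\n' "$list" "$canread"
}

# Build a demonstration directory under BASE: owner rwx, everyone else --x,
# containing one world-readable file. Prints the directory path.
# (The file content is constructed for the demonstration.)
make_demo_dir() {
    base=$1
    mkdir -p "$base/private" || return 1
    echo 'known content' > "$base/private/known.txt"
    chmod 0644 "$base/private/known.txt"
    chmod 0711 "$base/private"          # rwx--x--x
    printf '%s\n' "$base/private"
}
```

For a non-owner the result of `probe_dir_access <dir> known.txt` is `list=no read=yes`, while any name they guess wrong gives `list=no read=no`. Bear in mind that this hides names, not contents: a file that must stay private still needs its own permission bits set, because an attacker who learns the name (from a process listing, a log, or a backup) walks straight through the --x bit.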