Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
Read               Users with this type of permission can view the contents of a file. 
Write              Users with this type of permission can change the contents of a file. 
Execute            Users with this type of permission can execute a program or search a directory. 
This group of three permissions is assigned to three classes of users: 
Owner              Usually the person who created the file. 
(Owning) Group     All users in the same group as the Owner, who have been grouped together by the System Administrator, perhaps by task assignment. 
Other (or world)   Any other user on the system. 
If files are other (or world) writable, they can be accessed and changed by any friendly or 
malicious user who gains access to the system.  In other words, the files could be populated with 
erroneous, malicious, and harmful information, or even deleted from the system.  For that reason, 
world writable directories will only be allowed if they are public directories, such as /tmp, 
/var/tmp, /var/spool/uucppublic, etc.  World writable files will only be allowed within those 
public directories.  Files can exist without a discernible owner or group owner by having the uid 
number and the gid number of a previous user (a user who has been deleted from the system).  If 
a new user is added to the system and assigned the same uid/gid numbers as the previous user, 
the new user inherits all of the access permissions that previously belonged to the former user.  
That could mean unauthorized access to sensitive information.  For that reason, unowned files 
and/or files without a group owner will not be allowed. 
Permissions are assigned by octal values.  The read permission has a value of 4.  The write 
permission has a value of 2.  The execute permission has a value of 1. 
The first octal value shows the owner's permissions.  The second octal value shows the group 
permissions.  The third octal value shows the other permissions. 
For example, a file with a file access permission of 764 would grant the following permissions: 
Owner     Read, write, and execute (4 + 2 + 1) 
Group     Read and write (4 + 2) 
Other     Read (4) 
There is one change in interpretation for permissions of a directory.  In a directory, execute 
means search.  For example, if the above example were a directory, not a file, a directory access 
permission of 764 would grant the following permissions: 
Owner     Read (the contents), write (into), and search (4 + 2 + 1) 
Group     Read and write (4 + 2) 
Other     Read (4) 
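The following POSIX shell script is an added example and is not part of the STIG. It decodes a three-digit octal mode into the owner/group/other read, write and execute bits exactly as the text describes, and it audits a directory tree for the two conditions the STIG prohibits: world writable regular files outside the public directories named above (/tmp, /var/tmp, /var/spool/uucppublic) and files whose uid or gid no longer matches any account. The find options -perm, -nouser and -nogroup are standard on both macOS and Linux; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the STIG: decode octal modes and audit a tree
# for world-writable and unowned files.

# class_perms DIGIT: print r/w/x (or -) for one octal digit, e.g. 6 -> rw-
class_perms() {
    d=$1
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r    # read    = 4
    [ $((d & 2)) -ne 0 ] && w=w    # write   = 2
    [ $((d & 1)) -ne 0 ] && x=x    # execute = 1 (search, on a directory)
    printf '%s%s%s' "$r" "$w" "$x"
}

# decode_mode MODE: turn a three-digit octal mode (owner, group, other)
# into its nine-character symbolic form, e.g. 764 -> rwxrw-r--
decode_mode() {
    m=$1
    printf '%s%s%s\n' \
        "$(class_perms "$(printf '%s' "$m" | cut -c1)")" \
        "$(class_perms "$(printf '%s' "$m" | cut -c2)")" \
        "$(class_perms "$(printf '%s' "$m" | cut -c3)")"
}

# find_world_writable ROOT: list regular files under ROOT whose "other"
# write bit (octal 002) is set, pruning the public directories the STIG
# exempts so that only violations are reported.
find_world_writable() {
    find "$1" \( -path /tmp -o -path /var/tmp -o -path /var/spool/uucppublic \) -prune \
        -o -type f -perm -002 -print 2>/dev/null
}

# find_unowned ROOT: list files whose uid or gid matches no current account,
# i.e. files left behind by a deleted user.
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Stand-alone usage: sh audit.sh /  (decodes the STIG's example mode, then
# audits the given tree). With no argument the functions are only defined.
if [ $# -gt 0 ]; then
    printf 'mode 764 is %s\n' "$(decode_mode 764)"
    echo "World writable files outside public directories:"
    find_world_writable "$1"
    echo "Files without a valid owner or group:"
    find_unowned "$1"
fi
```

Run the audit as root so that find can descend into every directory. Note that -nouser reports a file only while its uid is absent from the account database; once a new account is assigned the old uid, the file silently becomes that account's property, which is why the text requires such files to be dealt with before uids are reused.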
Only the owner of a file or directory, or the root user, can assign or modify the file permissions.  
The ability to write also implies the ability to delete a file.  The rights of a process to access a file 
are checked when the file is first accessed.  The many rules that exist for system file ownership 
and access permissions must be observed in order to protect system security.  Obviously, all 
19
UNCLASSIFIED 