2004.01_Access Control Lists-Setting Up and Applying Selective File Access.pdf

KNOW HOW: Access Control Lists

Setting Up and Applying Access Control Lists

File Allocation Access

The traditional Linux filesystem provides only basic protection for your data. Permissions are handled on a file by file basis rather than on an individual user's needs. If you need to provide selective access to various users, Access Control Lists are your best option.

BY VOLKER SCHMITT

Mainframes have provided this kind of control facility for years, where a group of users with various permissions accesses a single file object. The RACF implementation for the z/OS operating system is just one example. This OS runs on IBM mainframes – which you may be familiar with from the "Someone stole our servers" adverts.

Patches for the current Linux kernel 2.4 that bring this functionality to Linux have been available for some time now. But before we provide multiple users with access to our data, let's first take a look at the traditional approach to assigning permissions.

Traditional Permissions

In addition to password protecting access to the local machine, the operating system also controls access to individual objects (files, directories, and devices). To allow this, each object, and each process, has two attributes: an owner and a group.

Also, each object can define distinct permissions for the owner, the group, and all other users of the system. When you output a directory list (ls -l), the permissions are shown in the column on the left (see Box 1).

Whenever you access a file, Linux checks what kind of access the program you are using is permitted. It is important to have the right permissions. Bear in mind that the process will take your user and group IDs into consideration, but also evaluate the effective user ID and effective group ID.

The "effective user" is typically derived from your user ID when you launched the program, and this also applies to the group ID. If the program then launches another program, this program will inherit the user and group IDs from the calling process. The effective user is identical to the real user in this case.

Box 1: Permissions for Objects on a Linux System

Indicator   Description   Meaning
r           read          Read or copy file content
w           write         Write or modify file content
x           execute       Execute the programs the files contain

Table 1: Minimum Permissions for File Operations

Operation                    Directory   (Target) File
Read (cat, more, less, pg)   --x         r--
Write (cat, >, ed)           --x         -w-
Rename (mv)                  -wx
Launch prog                  --x         --x

January 2004, www.linux-magazine.com
The effective user ID changes if the S (sticky) bit has been set for a program. In this case, the process will not inherit the user and group IDs of the parent process. Instead, it will run with the privileges of the user who is specified as the owner of the binary in the filesystem tree. To allow you to discover who actually launched the process, there is a real user ID (in addition to the effective user ID). The following few lines show an example.

root@maus:# cp /bin/sleep /bin/rootsleep
root@maus:# chmod u+s /bin/rootsleep
root@maus:# su volker -c "rootsleep 25" &
root@maus:# /bin/ps -aeo pid,euser,ruser,command | grep rootsleep
12887 root volker rootsleep 25

[Figure 1: The OS uses this approach to check if access to a file is permitted]

The passwd Utility

The passwd utility is a good example of the use of the S bit. A Linux system stores encrypted user passwords in a file called /etc/passwd. For security reasons, this file is protected to allow only superuser write access:

v@maus:~> ls -l /etc/passwd
-rw-r--r-- 1 root root 2070 Feb 10 2002 /etc/passwd

But users need the ability to change their own passwords. The passwd tool sets the S bit for the owner to achieve this, and some distributions also do this for the group. In this case, the x is replaced by an s in the directory list created by ls -l:

v@maus:~> ls -l /usr/bin/passwd
-rwsr-xr-x 1 root shadow 27604 Sep 20 2001 /usr/bin/passwd

Any user can call the passwd tool, and the S bit is additionally set for the owner. This means that the process will inherit the permissions that belong to the effective user, root. With the effective user set to root, and since root has write access to the /etc/passwd file, users can easily edit the file and thus change their passwords when required. The passwd program ensures that the users can change only their own entries.

Minimum Permissions

Individual file operations require certain minimum permissions of the read, write, or execute access file settings. Tables 1 and 2 provide us with a few examples that explain the minimum permissions involved.

Table 2 shows that w and x are interpreted differently for directories than for files. Write permission on a directory means being allowed to modify or add to the list of files it contains.

If the x is set, the directory can become the current directory or part of the pathname. Figure 1 shows how access control flows when a process accesses a file.

Table 2: Minimum Permissions for Directory Operations

Operation                     Directory ./..   Directory ./.
List directory content (ls)   r-x              r-x
Delete directory (rm -r)      rwx              rwx
Create file (cp, mv, ln)      --x              -wx

Simple or Convenient

This excursion into the world of traditional permissions shows how an access control mechanism for various files can be built up, by using just a set of nine bits, and two extra bits, per file. The upside of this design is its absolute simplicity.

Unfortunately, if an administrator wants to permit or deny every possible combination of permissions for a file to n users, he will need 2^n different groups. This is obviously confusing in practical applications, and has led to the development of an enhanced group concept for more modern systems: Access Control Lists – or ACLs for short. ACLs allow for more granular control of the traditional permission paradigm.

When ACLs are applied, the operating system appends an additional list of specific users and groups to the general file permissions. This allows you to assign read or write access for a file to two or three individual users. The system assigns these users individually defined privileges.

The best way to understand how ACLs operate is to take a closer look at the getfacl and setfacl commands, which are used to read and write these special permissions.

Box 2: getfacl Output

v@maus:~> getfacl filename

creates the following output:

# file: filename
# owner: userid-of-owner
# group: groupid
user:: permissions
user: other-userid : permissions
group:: permissions
group: other-groupid : permissions
mask: permissions
world: permissions
default:user:: permissions
default:user: other-userid : permissions
default:group:: permissions
default:group: other-groupid : permissions
default:mask: permissions
default:world: permissions
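How the operating system evaluates such a list for a process, in the order Figure 1 sketches for the traditional bits and which the article extends to ACL entries further on, can be followed in a few lines of code. The following Python script is an added example, not code from the article or from the acl package. It parses entries in the text format of Box 2 (with the two-colon style that getfacl prints for the owner and group entries), then applies the POSIX.1e check order: owner entry first, then named user entries, then the owning group and any named group entries, finally the other entry, where the named user and all group entries are limited by the mask entry (the effective permissions the article discusses below under Effective Security). The sample ACL reproduces the one in Box 4; the names alice and bob are constructed, volker, robin and users are the article's.

```python
"""Evaluate a POSIX ACL in the order the kernel uses.

Added example, not code from the article or the acl tools. ACL text is the
getfacl format of Box 2; '# ...' comments (including '#effective:' notes)
and 'default:' lines are ignored, because only the access ACL decides an
access check.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}
ALIASES = {"u": "user", "g": "group", "m": "mask", "o": "other"}


def perms_to_bits(perms):
    """'rw-' -> 6; characters other than r, w, x (such as '-') are ignored."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def bits_to_perms(bits):
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Parse getfacl-style lines into owner/named-user/group/mask/other fields."""
    acl = {"user": 0, "users": {}, "group": 0, "groups": {}, "mask": None, "other": 0}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and annotations
        if not line or line.startswith(("default:", "d:")):
            continue
        parts = line.split(":")                        # 'user:robin:rwx' or 'mask:rw-'
        tag = ALIASES.get(parts[0], parts[0])
        qualifier = parts[1] if len(parts) == 3 else ""
        bits = perms_to_bits(parts[-1])
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = bits         # named user entry
            else:
                acl["user"] = bits                     # owner entry (user::)
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = bits        # named group entry
            else:
                acl["group"] = bits                    # owning group entry (group::)
        elif tag in ("mask", "other"):
            acl[tag] = bits
        else:
            raise ValueError(f"unknown ACL entry: {raw!r}")
    return acl


def check_access(acl, want, user, groups, owner, owning_group):
    """True if `user` (member of `groups`) may perform `want` ('r', 'w', 'x' or
    a combination such as 'rx') on an object owned by owner/owning_group."""
    need = perms_to_bits(want)
    mask = 7 if acl["mask"] is None else acl["mask"]  # no mask entry: nothing is limited
    if user == owner:                                  # owner entry decides, not masked
        return (need & acl["user"]) == need
    if user in acl["users"]:                           # named user entry, limited by mask
        return (need & acl["users"][user] & mask) == need
    candidates = []                                    # every matching group entry
    if owning_group in groups:
        candidates.append(acl["group"])
    candidates += [bits for g, bits in acl["groups"].items() if g in groups]
    if candidates:                                     # one sufficient entry is enough
        return any((need & bits & mask) == need for bits in candidates)
    return (need & acl["other"]) == need               # other entry, not masked


def effective_entries(acl):
    """Reproduce getfacl's '#effective:' comment for entries the mask cuts down."""
    mask = acl["mask"]
    if mask is None:
        return []
    out = []
    for name, bits in acl["users"].items():
        if bits & mask != bits:
            out.append(f"user:{name}:{bits_to_perms(bits)} #effective:{bits_to_perms(bits & mask)}")
    if acl["group"] & mask != acl["group"]:
        out.append(f"group::{bits_to_perms(acl['group'])} #effective:{bits_to_perms(acl['group'] & mask)}")
    for name, bits in acl["groups"].items():
        if bits & mask != bits:
            out.append(f"group:{name}:{bits_to_perms(bits)} #effective:{bits_to_perms(bits & mask)}")
    return out


# Constructed sample: the ACL of Box 4 (robin is granted rwx, but the mask is rw-).
BOX4_ACL = """\
# file: file
# owner: volker
# group: users
user::rwx
user:robin:rwx
group::r-x
mask:rw-
other:r-x
"""

if __name__ == "__main__":
    acl = parse_acl(BOX4_ACL)
    for line in effective_entries(acl):
        print(line)
    print("robin may write:", check_access(acl, "w", "robin", {"users"}, "volker", "users"))
    print("robin may execute:", check_access(acl, "x", "robin", {"users"}, "volker", "users"))
    print("alice (group users) may write:", check_access(acl, "w", "alice", {"users"}, "volker", "users"))
```

A traditional mode such as rw-r----- is just an ACL with owner, group and other entries and no mask, so parse_acl and check_access cover the Figure 1 case as well. Note that the first matching entry decides: an owner whose user:: entry is --- is refused even if a named user entry for the same name grants everything, and a group member whose group entries are all too weak is refused without falling through to the other entry.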
Next, Please

The getfacl command shows you the ACL for a file. The command outputs several text blocks for any filename passed to it, using empty lines to separate the blocks (see Box 2). The first line of each block contains the filename, the second line shows the (traditional) file owner, and the third line gives the (traditional) assigned group, followed by a detailed list of the ACL for the file.

The program first lists the permissions for the owner, and then for any other users with ACL assignments. The name of the traditional owner is not repeated in the first user entry; the line shows two colons instead. In the following user lines, the user added to the ACL is named in the gap between these two colons.

At the end of each line, the tool shows the special privileges assigned to each user in the usual rwx notation. The lines containing user entries are followed by group lines that use the same notation.

The next two lines are the mask line with a description of the permissions, and the traditional world permissions.

The last few lines in this output contain the default lines for any other users and groups, and the mask entry for the ACL, which defines the default permissions. These entries are only available for directories at present, as they have not been implemented for other file types.

The operating system needs defaults to assign new ACLs to entries created by users in the current directory. The system then parses the defaults for the parent directory to discover the user and group permissions. Thus, a new file will inherit the default entries, as the example in Box 3 shows.

There are two options that facilitate working with the getfacl command: -d, which displays default entries only, and -a, which displays only the ACL and ignores the default entries.

Box 3: Inherited owner privileges for files

volker@maus:~> getfacl directory
# file: directory
# owner: volker
# group: users
user::rwx
group::r-x
other:r-x
default:user::rwx
default:user:robin:rw-
default:group::r-x
default:mask:rwx
default:other:r-x

volker@maus:~> touch directory/file
volker@maus:~> getfacl directory/file
# file: file
# owner: volker
# group: users
user::rwx
user:robin:rw-
group::r-x
mask:rwx
other:r-x

Effective Security

Instead of specifying permissions for additional users and groups in the ACL, you can use a mask to restrict the permissions for any entry apart from the current owner's entry.

If you use the mask to remove write permissions, leaving only Read and Execute, this will apply to additional users, no matter what their ACL entries permit. To allow access, the entry must be available to the specified user or group, and at the same time allowed by the mask. Linux checks pairs of ACL entries to ensure that the correct permissions are applied.

This feature allows admins to define "looser" permissions for a user's ACL entry than they actually want to apply. Thankfully, getfacl points this kind of problem out, by adding the #effective: comment to the line in question (see Box 4).

However, you should be aware that the effective permissions in an ACL have nothing to do with the effective user or group for a process. An ACL entry simply describes the access options. But how do you go about modifying or extending an ACL?

Box 4: A getfacl effective message

# file: file
# owner: volker
# group: users
user::rwx
user:robin:rwx #effective:rw-
group::r-x
mask:rw-
other:r-x

New Users

You will need the counterpart to getfacl, setfacl, for one thing. This command has a number of options that can be applied to various operations to modify ACLs (see Table 3).

Table 3: setfacl Options

Option   Description   Meaning
--set    set           define an ACL entry
-m       modify        modify an entry; like --set, but overwrites an existing entry for the user or group
-x       remove        remove an ACL entry
-d       Delete        delete the entire ACL

The easiest way to do this is to use the --set option to define an entry:

v@maus:~> setfacl --set acl-entry file

Box 5 contains a list of values for acl-entry.

Box 5: List of possible ACL entries for setfacl

u[ser]:: permissions
u[ser]: other-userid : permissions
g[roup]:: permissions
g[roup]: other-groupid : permissions
m[ask]: permissions
o[ther]: permissions
d[efault]:u[ser]:: permissions
d[efault]:u[ser]: other-userid : permissions
d[efault]:g[roup]:: permissions
d[efault]:g[roup]: other-groupid : permissions

The items in brackets can be omitted.

The -m option basically has the same effect as --set, provided there is no entry defined for this user or group at present. Otherwise it will simply overwrite existing permissions using the new values.

The -x option deletes an ACL entry but without changing the owner, group and other entries. There is no need to quote the permissions to delete them.

If you set a too restrictive mask entry in the ACL, other users will have no access, although the intention was to provide access explicitly. However, the general idea is to avoid mask entries that restrict individual permissions.
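The inheritance Box 3 demonstrates follows a fixed rule, which the following Python script reproduces. It is an added example, not code from the article or from the acl tools, and it assumes the POSIX.1e rule as Linux implements it: the default entries become the new object's access ACL; the user:: entry, the mask entry (or the group:: entry when no mask exists) and the other entry are additionally ANDed with the owner, group and other bits of the mode the creating call requests (0666 for touch, 0777 for mkdir; the umask is not applied to objects that inherit a default ACL); named user and group entries are copied unchanged; and a new directory also receives the default entries as its own default ACL. The default ACL below is constructed from Box 3.

```python
"""Default ACL inheritance for new files and directories (the rule behind Box 3).

Added example, not code from the article. An ACL is a list of
(tag, qualifier, perms) triples, i.e. the fields of the lines getfacl
prints; a directory's default ACL is given without the 'default:' prefix.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def to_bits(perms):
    """'rw-' -> 6."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def to_perms(bits):
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def inherit_acl(default_acl, mode, is_directory=False):
    """ACL of a new object created in a directory whose default ACL is
    `default_acl`. `mode` is the mode the creating call requests
    (0o666 for touch/creat, 0o777 for mkdir), not the umask-filtered one:
    with a default ACL present the umask is ignored."""
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    access = []
    for tag, qualifier, perms in default_acl:
        bits = to_bits(perms)
        if tag == "user" and qualifier == "":
            bits &= owner_bits                      # owner entry (user::)
        elif tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
            bits &= group_bits                      # mask, or owning group if there is no mask
        elif tag == "other":
            bits &= other_bits
        access.append((tag, qualifier, to_perms(bits)))   # named entries pass through unchanged
    if is_directory:                                # a subdirectory keeps the defaults as its own
        access += [("default:" + tag, qualifier, perms) for tag, qualifier, perms in default_acl]
    return access


def render(acl):
    """Lines in getfacl's layout (getfacl prints mask and other with an empty qualifier field)."""
    return [f"{tag}:{qualifier}:{perms}" for tag, qualifier, perms in acl]


# Constructed from Box 3: the default entries of 'directory'.
BOX3_DEFAULT = [
    ("user", "", "rwx"),
    ("user", "robin", "rw-"),
    ("group", "", "r-x"),
    ("mask", "", "rwx"),
    ("other", "", "r-x"),
]

if __name__ == "__main__":
    print("touch directory/file gives:")
    print("\n".join(render(inherit_acl(BOX3_DEFAULT, 0o666))))
    print("mkdir directory/sub gives:")
    print("\n".join(render(inherit_acl(BOX3_DEFAULT, 0o777, is_directory=True))))
```

Compared with Box 3, robin keeps rw- because named entries are never clamped by the requested mode, whereas for a touch (which requests 0666) the owner, mask and other entries lose their x bit; a program that creates the file with a mode of 0777 keeps them. The owning group's r-x survives untouched because the mask, not the group entry, is what the mode clamps when a mask exists, so the group's effective rights are r-x AND rw-, i.e. r--.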
In a case like this, you can specify the --mask option to recalculate the entry for the user; the other entry is not evaluated for this operation.

As it is easy to lose track when setting multiple ACL entries for a number of files, you can pass a file with your set parameters to the setfacl command. To do so, specify the --set-file option and point to the file that contains your setfacl parameters.

The set parameter file must have the same format as the output from getfacl. The order of the individual ACL line entries is not significant; setfacl will have no trouble using parameters that are in a different order than the getfacl output (and this does help facilitate manual editing).

Typing "-", instead of pointing to a file, tells setfacl to accept ACL entries from standard input. This can be very useful if you need to transfer the ACL entries in one file to another (xyz and abc in our example). The following command takes care of that task:

v@maus:~> getfacl xyz | setfacl --set-file=- abc

Backup Issues

As previously mentioned, ACLs can be appended to directories and files. The same approach is available for devices and named pipes, even though not many people actually utilize this option.

Let's take a look at a more important topic instead: backups. If you think about it, it quickly becomes apparent that a standard tool – and this unfortunately includes tar – will not be able to back up your ACLs.

A new POSIX standard that provides for operating system specific extensions, the PAX format, was introduced in 2001 to solve this problem. Check out the star tape archiver [1] tool, which supports the PAX format.

But there is a workaround that does not require PAX, and instead involves creating an ACL backup file. The root user can issue the following command to save the ACL entries:

root@maus:/# getfacl -R --skip-base / > /backup.acl

This tells getfacl to discover the ACLs, starting at the root level, and write the information to a file called /backup.acl. The -R option performs this operation recursively across the whole filesystem tree. --skip-base ignores files that only have the base ACL (that is, the nine traditional Unix permission bits), which tar will back up anyway.

You can then restore your ACLs by typing the following command:

v@maus:~> setfacl --restore=backup.acl

Way to Go?

ACL newbies can stand easy, as they do not need to back up their previous ACLs. To use ACLs, you need the following four packages: e2fsprogs (this is pre-installed by most distributions), libattr, libacl, and acl, and the kernel patch from [2] or the DVD.

Patch the kernel first. To do so, unpack the kernel sources in the /usr/src/linux directory. Save the patch in /usr/src/, and then cd to linux. Then issue the following command to patch the kernel sources:

root@maus:linux# zcat ../linux-a.b.cacl-x.y.z.diff.gz | patch -p1

and go on to configure the kernel by enabling the ACL options in the .config file in your current directory:

CONFIG_FS_POSIX_ACL=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_POSIX_ACL=y

Now create and install the new kernel following the usual procedure. You can then install the RPM packages, and the other libraries and tools. Refer to [3] for a complete how-to.

You are only one step away from leveraging the permissions power of ACLs on your filesystem. This final step involves modifying the /etc/fstab file. Add the acl keyword to the mount options for your filesystem. XFS and JFS do not need this option.

Figure 2 shows how a process accesses an object with ACLs.

[Figure 2: ACL-based access control]

GLOSSARY

named pipe: The "pipeline with a name" is a special kind of temporary file that uses the FIFO method for read and write operations.

INFO

[1] Star tape archiver: http://acl.bestbits.at/download.html#Star
[2] Kernel patch: http://acl.bestbits.at/download.html
[3] ACL step-by-step guide: http://acl.bestbits.at/steps.html

Volker Schmitt is a mathematician and works for a large insurance company. He is familiar with multitasking programming from experience with mainframe PL/1 timers. In his leisure time Volker has a lot of fun with NQC and his LEGO Spybot.