Certification Objective 10.02–Use Access Control Lists to Set File Permissions

Remember that ACLs provide greater security by enabling you to define file permissions for each user class. With UNIX file permissions, you're limited to making a file either read-only or read-write; however, by using ACLs, you can make files read-only for a certain group, and also read-write for a specific user in that group. In this section, we'll determine whether a file has an ACL, how to add an ACL to a file, and finally how to tweak ACLs.

Working with ACLs

The first step is to determine whether a file already has an ACL. This is easy to do with the ls command. Simply issue the command ls -l filename, where filename is the name of a specific file or directory. Take a look at the following example:

ls -l memo.txt
-rwxr-----+   1 john    memos       167 Dec 01 9:30 memo.txt

You know the file has an ACL because the plus sign (+) is listed after the mode field in this output. Unless you have added ACL entries that extend UNIX file permissions, the plus sign does not display to the right of the mode field.

Adding ACLs to a File and Modifying ACLs

To set an ACL on a file, we use the setfacl command:

setfacl -s user::perms,group::perms,other:perms,mask:perms,acl-entry-list filename ...

where

  • -s sets an ACL on the file. If a file already has an ACL, it is replaced. This option requires at least the user::, group::, and other:: entries.

  • user::perms specifies the file owner permissions.

  • group::perms specifies the group ownership permissions.

  • other:perms specifies the permissions for users other than the file owner or members of the group.

  • mask:perms specifies the permissions for the ACL mask. The mask indicates the maximum permissions that are allowed for users (other than the owner) and for groups.

  • acl-entry-list specifies the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory.

  • filename ... specifies one or more files or directories on which to set the ACL. Multiple filenames are separated by spaces.

Let's consider the following example:

setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:joe:rw- memo.txt

Here, the owner permissions are set to read and write (user::rw-); group permissions are set to read only (group::r--); other permissions are set to none (other:---); the ACL mask permissions are set to read and write (mask:rw-, which means that no user or group can have execute permissions); and user joe is granted read and write permissions (user:joe:rw-) on file memo.txt. Note that if an ACL already exists on a file, the -s option replaces the entire ACL with the new one. To verify the file has your ACL, issue the getfacl filename command.
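The effect of the mask described above, worked through as an added example (not from the book): the function names are hypothetical, and the script only parses an entry list in the setfacl -s form, so it runs without a Solaris system. It assumes that a list with no mask entry caps nothing, and the second call uses a constructed, tighter mask to show joe's rw- entry being reduced to r--.

```shell
#!/bin/sh
# Added example: effective permissions of each entry in a setfacl -s style
# entry list once the ACL mask is applied.

# and_perms PERMS MASK -> PERMS limited to the bits that MASK also allows.
and_perms() {
    _out=""
    for _i in 1 2 3; do
        _a=$(printf '%s' "$1" | cut -c"$_i")
        _b=$(printf '%s' "$2" | cut -c"$_i")
        if [ "$_a" != "-" ] && [ "$_a" = "$_b" ]; then
            _out="$_out$_a"
        else
            _out="$_out-"
        fi
    done
    printf '%s\n' "$_out"
}

# acl_effective ENTRY_LIST -> one "entry<TAB>effective" line per entry.
# Returns 1 if an entry's permissions are not written in rwx form.
acl_effective() {
    _entries=$(printf '%s\n' "$1" | tr ',' '\n')
    # Assumption of this example: with no mask entry, nothing is capped.
    _mask=$(printf '%s\n' "$_entries" | sed -n 's/^mask:\(...\)$/\1/p')
    [ -n "$_mask" ] || _mask=rwx
    printf '%s\n' "$_entries" | while IFS= read -r _e; do
        _p=${_e##*:}
        case $_p in
            [r-][w-][x-]) ;;
            *) echo "bad permissions in entry: $_e" >&2; exit 1 ;;
        esac
        case $_e in
            # The file owner, "other" and the mask itself are not capped.
            user::*|other:*|mask:*) _eff=$_p ;;
            # Named users, the owning group and named groups are capped.
            *) _eff=$(and_perms "$_p" "$_mask") ;;
        esac
        printf '%s\t%s\n' "$_e" "$_eff"
    done
}

# The entry list from the text: joe keeps rw- because the mask allows rw-.
acl_effective "user::rw-,group::r--,other:---,mask:rw-,user:joe:rw-"
# Constructed variant: mask r-- leaves joe (and the owning group) with r--.
acl_effective "user::rwx,group::rwx,other:---,mask:r--,user:joe:rw-"
```

On a real system, getfacl filename shows the same result for the file itself.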

If you should need to copy an ACL of one file to another file, you can do so by issuing this command:

getfacl filename1 | setfacl -f - filename2

where filename1 is the file whose ACL you wish to apply to filename2.

If you should need to modify or delete ACL entries, use the command

setfacl (-d or -m) acl-entry-list filename ...

where

  • -d deletes the specified ACL entries.

  • -m modifies the existing ACL entry.

  • acl-entry-list specifies the list of one or more ACL entries to modify on the file or directory. You can also modify default ACL entries on a directory.

  • filename ... specifies one or more files or directories, separated by a space.

Two-Minute Drill

Here are some of the key points from the certification objectives in Chapter 10.

Use UNIX Permissions to Protect Files

  • Access control lists (ACLs) provide better file security by enabling you to define file permissions for each user class.

  • The ls command is used to list files and some information about the files contained within a directory.

  • The chown command is used to change file ownership.

  • The chgrp command is used to change group ownership of a file.

  • The chmod command is used to change permissions on a file. The command changes or assigns the mode of a file (permissions and other attributes), which may be absolute or symbolic.

  • When setuid permission is set on an executable file, a process that runs this file is granted access on the basis of the owner of the file. This permission presents a security risk, as attackers can find a way to maintain the permissions that are granted to them by the setuid process even after the process has finished executing.

  • You should always monitor the system for unauthorized use of setuid and setgid permissions to gain superuser privileges.

Use Access Control Lists to Set File Permissions

  • Unless you have added ACL entries that extend UNIX file permissions, the plus sign (+) does not display to the right of the mode field.

  • To set an ACL on a file, use the setfacl command. Note that if an ACL already exists on a file, the -s option replaces the entire ACL with the new one. To verify the file has your ACL, issue the getfacl filename command.

Self Test

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, because there might be more than one correct answer. Choose all correct answers for each question, and in some cases explain your answer. Some questions are short-answer questions to ensure you have a good understanding of the material.

Use UNIX Permissions to Protect Files

1. 

With regard to general UNIX file permissions, which permissions can be applied?

2. 

Explain the difference between UNIX file permissions and ACLs.

3. 

You can set general UNIX file permissions to which user classes?

4. 

What are the attributes of the Read permission?

5. 

What are the attributes of the Write permission?

6. 

What are the attributes of the Execute permission?

7. 

What are the attributes of the permission indicated with the - symbol?

8. 

Which of the following commands is used to change user ownership of a file?

  A. ls

  B. chown

  C. chgrp

  D. chmod

  E. All of the above

9. 

Which of the following commands is used to change permissions on a file?

  A. ls

  B. chown

  C. chgrp

  D. chmod

  E. All of the above

10. 

Which of the following commands is used to list files and some information about the files contained within a directory?

  A. ls

  B. chown

  C. chgrp

  D. chmod

  E. All of the above

11. 

Which of the following commands is used to change group ownership of a file?

  A. ls

  B. chown

  C. chgrp

  D. chmod

  E. All of the above

12. 

Explain why the setuid permission set on an executable file poses a security risk.

13. 

Explain how to locate files with setuid permissions using the find command.

14. 

What steps should you take to disable executable stacks and enable stack message logging?

Answers

1. 

✓ UNIX file permissions provide read, write, and execute permissions.

2. 

✓ Using standard UNIX file permissions, you can provide read, write, and execute permissions for three user classes (file owner, group, and other users), whereas ACLs take security a step further by enabling you to define file permissions for each user class. For example, let's say you want the sales user group to read a particular file; however, you want only the sales manager—part of the sales group—also to have permission to make changes to that file. With UNIX file permissions, you're limited to making the file either read-only or read-write for the sales group. On the other hand, by using ACLs, you can make the file read-only for the sales group, with the exception of read-write for the sales manager.

3. 

✓ UNIX file permissions provide permissions for three user classes (file owner, group, and other users).

4. 

✓ The Read permission is indicated with the symbol r. This permission allows users to open and read a file and list files in a directory.

5. 

✓ The Write permission is indicated with the symbol w. This permission allows users to open, read, delete, and modify the contents of a file, and list and add files and links in a directory or remove them.

6. 

✓ The Execute permission is indicated with the symbol x. This permission allows users to execute a file (program or shell script) in a directory.

7. 

✓ The Deny permission is the one indicated with the symbol -. This permission denies read, write, and execute access.

8. 

✓ B. The chown command is used to change user ownership of a file.

✗ A is wrong because ls is used to list files and some information about the files contained within a directory. C is wrong because chgrp is used to change group ownership of a file. D is wrong because chmod is used to change permissions on a file.

9. 

✓ D. The chmod command is used to change permissions on a file.

✗ A is wrong because ls is used to list files and some information about the files contained within a directory. B is wrong because chown is used to change user ownership of a file. C is wrong because chgrp is used to change group ownership of a file.

10. 

✓ A. The ls command is used to list files and some information about the files contained within a directory.

✗ B is wrong because chown is used to change user ownership of a file. C is wrong because chgrp is used to change group ownership of a file. D is wrong because chmod is used to change permissions on a file.

11. 

✓ C. The chgrp command is used to change group ownership of a file.

✗ A is wrong because ls is used to list files and some information about the files contained within a directory. B is wrong because chown is used to change user ownership of a file. D is wrong because chmod is used to change permissions on a file.

12. 

✓ When setuid permission is set on an executable file, a process that runs this file is granted access on the basis of the owner of the file. This permission presents a security risk, as attackers can find a way to maintain the permissions that are granted to them by the setuid process, even after the process has finished executing.

13. 

✓ Use the find command to locate files with setuid permissions and then view the results with the more command. First, log in with an account that has root privileges, or use the switch user (su) command to become superuser. As superuser, you'll have full privileges, which may be required to search all files. Next, search for files with setuid permissions with the find command:

find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/findresults

View the results in /tmp/findresults using the more command, like so:

more /tmp/findresults

where findresults is the name of the file to which you wrote your find results in the /tmp directory.
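To turn that one-off search into the ongoing monitoring the chapter recommends, the results can be compared against a list of setuid files you have already reviewed. The following is an added example, not from the book: the function names and the baseline file (one path per line) are assumptions, and -type f is added to the find so that only regular files are reported.

```shell
#!/bin/sh
# Added example: report setuid files that are not in a reviewed baseline.

# list_setuid DIR [OWNER] -> sorted paths of regular files under DIR that
# have the setuid bit set and belong to OWNER (default root, as in the
# find command above). OWNER may be a user name or a numeric uid.
list_setuid() {
    find "$1" -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null |
        LC_ALL=C sort
}

# not_in_baseline BASELINE -> reads paths on stdin and prints the ones that
# do not appear in BASELINE.
not_in_baseline() {
    _tmp=$(mktemp) || return 2
    LC_ALL=C sort -u "$1" > "$_tmp"
    # comm -23 keeps lines found only in the first input (the current scan).
    LC_ALL=C sort -u | LC_ALL=C comm -23 - "$_tmp"
    rm -f "$_tmp"
}

# unexpected_setuid DIR BASELINE [OWNER] -> setuid files under DIR that
# nobody has reviewed yet. Paths containing newlines are not handled.
unexpected_setuid() {
    list_setuid "$1" "${3:-root}" | not_in_baseline "$2"
}

# When called as a script: unexpected-setuid.sh DIR BASELINE [OWNER]
if [ "$#" -ge 2 ]; then
    unexpected_setuid "$@"
fi
```

Any path it prints is a setuid program that appeared since the baseline was written and should be reviewed before being added to it.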

14. 

✓ To disable executable stacks and enable stack message logging, you need to make changes in the /etc/system file, and then reboot the operating system to initiate the changes.

  1. Log in with an account that has root privileges, or use the su command to become superuser.

  2. Change directory to the /etc folder and edit the system file (/etc/system) by adding set noexec_user_stack=1.

  3. While editing the /etc/system file, add set noexec_user_stack_log=1.

  4. Save the changes and exit the editor.

  5. Issue the command init 6 to restart the server.

Use Access Control Lists to Set File Permissions

15. 

What command(s) would you use to set an ACL on a file?

16. 

What command(s) would you use to verify an ACL was set?

17. 

What command(s) would you use to modify or delete ACL entries?

Answers

15. 

✓ To set an ACL on a file, use the setfacl command.

16. 

✓ To verify the file has your ACL, issue the getfacl filename command. Use the setfacl command with the following syntax:

setfacl -s user::perms,group::perms,other:perms,mask:perms,acl-entry-list filename ...

where:

  • -s sets an ACL on the file. If a file already has an ACL, it is replaced. This option requires at least the user::, group::, and other:: entries.

  • user::perms specifies the file owner permissions.

  • group::perms specifies the group ownership permissions.

  • other:perms specifies the permissions for users other than the file owner or members of the group.

  • mask:perms specifies the permissions for the ACL mask. The mask indicates the maximum permissions that are allowed for users (other than the owner) and for groups.

  • acl-entry-list specifies the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory.

  • filename ... specifies one or more files or directories on which to set the ACL. Multiple filenames are separated by spaces.

17. 

✓ If you should need to modify or delete ACL entries, use the setfacl (-d or -m) acl-entry-list filename... command; where:

  • -d deletes the specified ACL entries.

  • -m modifies the existing ACL entry.

  • acl-entry-list specifies the list of one or more ACL entries to modify on the file or directory. You can also modify default ACL entries on a directory.

  • filename ... specifies one or more files or directories, separated by a space.

Lab Question

 

You are called to ABCD Inc.'s site to prevent executable files from compromising the system by disabling programs from using executable stacks. The customer has already confirmed that its software does not require running code from the stack. Additionally, ABCD would like to have the system log any time a program attempts to execute stack code. What steps would you perform onsite?

Answers

 

Most programs will run smoothly without running code from the stack; however, the customer has confirmed that its software does not require executable stacks. Therefore, if you can, you should disable executable stacks. To do so, follow these steps:

  1. Assume the role of superuser.

  2. Change directory to the /etc folder and edit the system file (/etc/system) by adding set noexec_user_stack=1. To do so, type cd /etc, press ENTER, and then type vi system and press ENTER again.

  3. In the visual editor, press the I key (to switch to edit mode and insert text), type set noexec_user_stack=1, and then press ENTER.

  4. Press the ESC key (to enter into command mode) and type :wq. Then press ENTER to save and exit.

  5. At the terminal prompt, reboot the system by typing the command init 6 and then pressing ENTER.

To enable executable stack message logging, follow these steps:

  1. Assume the role of superuser.

  2. Edit the /etc/system file and add set noexec_user_stack_log=1.

  3. Reboot the system.
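The two edits above can also be scripted so that repeated runs leave exactly one active line per setting. This is an added example, not from the book: the function names are hypothetical, and it relies on /etc/system treating lines that begin with * as comments. Names are compared exactly, so noexec_user_stack is never confused with noexec_user_stack_log.

```shell
#!/bin/sh
# Added example: set and check the stack settings in an /etc/system file.

# system_setting FILE NAME -> value on the last active "set NAME=..." line,
# or "unset". Comment lines (starting with *) never match.
system_setting() {
    awk -v n="$2" '
        /^[ \t]*set[ \t]/ {
            rest = $0; sub(/^[ \t]*set[ \t]+/, "", rest)
            eq = index(rest, "=")
            if (eq == 0) next
            name = substr(rest, 1, eq - 1); gsub(/[ \t]/, "", name)
            val = substr(rest, eq + 1); gsub(/[ \t]/, "", val)
            if (name == n) { found = 1; last = val }
        }
        END { print (found ? last : "unset") }
    ' "$1"
}

# ensure_system_setting FILE NAME VALUE -> rewrites the first active line
# for NAME to "set NAME=VALUE", drops later duplicates, and appends the
# line if NAME was not set at all. Everything else is left untouched.
ensure_system_setting() {
    _tmp=$(mktemp) || return 2
    awk -v n="$2" -v v="$3" '
        /^[ \t]*set[ \t]/ {
            rest = $0; sub(/^[ \t]*set[ \t]+/, "", rest)
            eq = index(rest, "=")
            name = substr(rest, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (eq > 0 && name == n) {
                if (!done) { print "set " n "=" v; done = 1 }
                next
            }
        }
        { print }
        END { if (!done) print "set " n "=" v }
    ' "$1" > "$_tmp" || { rm -f "$_tmp"; return 2; }
    cat "$_tmp" > "$1"      # overwrite in place, keeping owner and mode
    rm -f "$_tmp"
}

# harden_stack FILE -> both settings from the steps above.
harden_stack() {
    ensure_system_setting "$1" noexec_user_stack 1 &&
        ensure_system_setting "$1" noexec_user_stack_log 1
}

# When called as a script with one argument (for example /etc/system, as
# superuser); the reboot from the last step is still needed.
if [ "$#" -eq 1 ]; then
    harden_stack "$1"
fi
```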

