333.1 - Discretionary Access Control
Key Knowledge Areas:
- Understand and manage file ownership and permissions, including SetUID and SetGID bits
- Understand and manage access control lists
- Understand and manage extended attributes and attribute classes
Partial list of the used files, terms and utilities:
- getfacl
- setfacl
- getfattr
- setfattr
Utilities
getfacl
For each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL). If a directory has a default ACL, getfacl also displays the default ACL.
setfacl
This utility sets Access Control Lists (ACLs) of files and directories.
getfattr
For each file, getfattr displays the file name, and the set of extended attribute names (and optionally values) which are associated with that file.
setfattr
The setfattr command associates a new value with an extended attribute name for each specified file.
Example
user@host:/tmp/tmp.FNGaLM5kHj$ setfattr -n user.foo -v bar foo/bar
user@host:/tmp/tmp.FNGaLM5kHj$ getfattr -d -m "(security|user)" foo/bar
# file: foo/bar
security.selinux="unconfined_u:object_r:user_tmp_t:s0"
user.foo="bar"
Notes
SetUID and SetGID bit
In Unix-like systems, the access rights flags setuid and setgid (short for set user identity and set group identity) allow users to run an executable with the file system permissions of the executable’s owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges to perform a specific task.
Caveats:
- /tmp is generally mounted with the nosuid option, blocking setuid/setgid functionality at runtime
- shell scripts can have a setuid/setgid bit set but it won’t take effect at runtime; create a compiled binary launcher to host the desired setuid/setgid functionality
Access Control List
Every object has an associated access ACL; a directory may additionally have a default ACL, which sets the initial access ACL of objects created within it.
ACL entries vs permission bits
The permissions defined by ACLs are a superset of the permissions specified by the file permission bits.
Example default ACL
user@host:/tmp/tmp.FNGaLM5kHj$ mkdir foo
user@host:/tmp/tmp.FNGaLM5kHj$ getfacl foo
# file: foo
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
user@host:/tmp/tmp.FNGaLM5kHj$ setfacl -d -m group::--x foo
user@host:/tmp/tmp.FNGaLM5kHj$ getfacl foo
# file: foo
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::--x
default:other::r-x
user@host:/tmp/tmp.FNGaLM5kHj$ touch foo/bar
user@host:/tmp/tmp.FNGaLM5kHj$ getfacl foo/bar
# file: foo/bar
# owner: user
# group: user
user::rw-
group::---
other::r--
Example access ACL
user@host:/tmp/tmp.FNGaLM5kHj$ setfacl -m user::-w- foo/bar
user@host:/tmp/tmp.FNGaLM5kHj$ getfacl foo/bar
# file: foo/bar
# owner: user
# group: user
user::-w-
group::---
other::r--
user@host:/tmp/tmp.FNGaLM5kHj$ printf 'baz\n' > foo/bar
user@host:/tmp/tmp.FNGaLM5kHj$ cat foo/bar
cat: foo/bar: Permission denied
user@host:/tmp/tmp.FNGaLM5kHj$ setfacl -m user::rw- foo/bar
user@host:/tmp/tmp.FNGaLM5kHj$ cat foo/bar
baz
Example ACL vs permission bits
user@host:/tmp/tmp.FNGaLM5kHj$ chmod u-r foo/bar
user@host:/tmp/tmp.FNGaLM5kHj$ ls -l foo/bar
--w----r--. 1 user user 4 May 14 20:36 foo/bar
user@host:/tmp/tmp.FNGaLM5kHj$ getfacl foo/bar
# file: foo/bar
# owner: user
# group: user
user::-w-
group::---
other::r--
Example access ACL superset
user@host:/tmp/tmp.FNGaLM5kHj$ cat > foo/bar << EOF
> #!/usr/bin/bash
> printf 'hello world\n'
> EOF
user@host:/tmp/tmp.FNGaLM5kHj$ chmod o+rx $PWD
user@host:/tmp/tmp.FNGaLM5kHj$ ls -dl $PWD
drwx---r-x. 3 user user 60 May 14 20:32 /tmp/tmp.FNGaLM5kHj
user@host:/tmp/tmp.FNGaLM5kHj$ getfacl $PWD
getfacl: Removing leading '/' from absolute path names
# file: tmp/tmp.FNGaLM5kHj
# owner: user
# group: user
user::rwx
group::---
other::r-x
user@host:/tmp/tmp.FNGaLM5kHj$ setfacl -m user:dhcpd:r-x foo/bar
user@host:/tmp/tmp.FNGaLM5kHj$ getfacl foo/bar
# file: foo/bar
# owner: user
# group: user
user::-w-
user:dhcpd:r-x
group::---
mask::r-x
other::r--
user@host:/tmp/tmp.FNGaLM5kHj$ sudo -u dhcpd -s foo/bar
hello world
Indeed, the owner is not able to execute this file, even though the owner can read it (the user:: entry is rw-, while the named entry for dhcpd is r-x):
user@host:/tmp/tmp.FNGaLM5kHj$ setfacl -m user::rw- foo/bar
user@host:/tmp/tmp.FNGaLM5kHj$ getfacl foo/bar
# file: foo/bar
# owner: user
# group: user
user::rw-
user:dhcpd:r-x
group::---
mask::r-x
other::r--
user@host:/tmp/tmp.FNGaLM5kHj$ foo/bar
bash: foo/bar: Permission denied
user@host:/tmp/tmp.FNGaLM5kHj$ cat foo/bar
#!/usr/bin/bash
printf 'hello world\n'
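As an added example (not part of the original notes), a bash script that reproduces the mask rule the examples above rely on: given text in getfacl's output format, it reports the effective rights of one principal, ANDing named-user, named-group and owning-group entries with the mask:: entry while leaving user:: and other:: untouched. The sample ACL is constructed from the foo/bar listing above, with two entries (user:dhcpd:rwx, group::rw-) widened so the mask visibly cuts them down.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): compute the effective rights a
# principal gets from a POSIX ACL in getfacl's output format. Named users, named
# groups and the owning group are limited by the mask entry; owner and other are not.

# and_perms "rwx" "r-x" -> "r-x": bitwise AND of two rwx triplets
and_perms() {
    local a=$1 b=$2 out="" i
    for i in 0 1 2; do
        if [ "${a:i:1}" != "-" ] && [ "${a:i:1}" = "${b:i:1}" ]; then
            out+=${a:i:1}
        else
            out+=-
        fi
    done
    printf '%s\n' "$out"
}

# effective_perms <getfacl text> <tag> [qualifier]; qualifier is the named
# user/group, empty for the owner (user::) and owning group (group::) entries.
effective_perms() {
    local acl=$1 tag=$2 qual=${3-} mask="" perms="" line t q p
    while IFS= read -r line; do
        case $line in
            '#'*|''|default:*) continue ;;  # headers, blanks, default ACL (seeds new objects only)
        esac
        IFS=: read -r t q p <<< "$line"
        p=${p%%[[:space:]]*}                # drop a trailing "#effective:..." comment
        [ "$t" = mask ] && mask=$p
        [ "$t" = "$tag" ] && [ "$q" = "$qual" ] && perms=$p
    done <<< "$acl"
    [ -n "$perms" ] || return 1             # no entry for this principal
    if [ -n "$mask" ] && { [ -n "$qual" ] || [ "$tag" = group ]; }; then
        and_perms "$perms" "$mask"
    else
        printf '%s\n' "$perms"
    fi
}

# Constructed sample: foo/bar's ACL from the notes, with two entries the mask r-x cuts down.
SAMPLE_ACL='# file: foo/bar
user::rw-
user:dhcpd:rwx
group::rw-
mask::r-x
other::r--
default:user::rwx'

for spec in "user" "user dhcpd" "group" "other"; do
    printf '%-12s %s\n' "$spec" "$(effective_perms "$SAMPLE_ACL" $spec)"  # $spec splits on purpose
done
```

getfacl -e prints the same effective rights beside each masked entry; the lookup above recomputes that value for a single principal.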
Extended Attributes and Attribute Classes
Extended attributes are name:value pairs associated permanently with files and directories, similar to the environment strings associated with a process. An attribute may be defined or undefined. If it is defined, its value may be empty or non-empty.
Namespaces (classes)
Attribute names are zero-terminated strings. The attribute name is always specified in the fully qualified namespace.attribute form, e.g. user.mime_type, trusted.md5sum, system.posix_acl_access, or security.selinux.
The namespace mechanism is used to define different classes of extended attributes. These different classes exist for several reasons, e.g. the permissions and capabilities required for manipulating extended attributes of one namespace may differ from those required for another.
Filesystem restrictions
In the current ext2, ext3 and ext4 filesystem implementations, each extended attribute must fit on a single filesystem block (1024, 2048 or 4096 bytes, depending on the block size specified when the filesystem was created).
In the XFS and reiserfs filesystem implementations, there is no practical limit on the number or size of extended attributes associated with a file, and the algorithms used to store extended attribute information on disk are scalable.
In the JFS filesystem implementation, names can be up to 255 bytes and values up to 65,535 bytes.