
From the ACLU: Know Your Rights

Know your rights. Protect your rights. Another lesson from the ACLU.

Last week you learned the basics of using Access Control Lists (ACLs) and the commands associated with them: getfacl, setfacl and chacl. This week you’ll learn that protecting the rights of your users is as important as protecting your users from themselves. You’ll also learn the effects of changes to a user’s rights.

Managing users and permissions is a full-time job. That’s why your job as System Administrator (SA) exists. Your job is to keep the system running smoothly for the system’s users. That includes patching, file maintenance, performance measurement, capacity planning and user maintenance.

It might sound dehumanizing to speak of user “maintenance,” but that’s exactly what you’re doing. You have to create, remove, edit and maintain user accounts. Maintaining means enforcing corporate policy while balancing it against user requests, and that is never an easy balance to strike.

Background Basics

Yes, it’s true that your job is to “protect and serve.” Often a dirty job, but you’ve chosen to do it. Fortunately for you, Linux systems impose tight restrictions on users by default. Users have full rights to their home directories and the /tmp directory but nothing else. This default permissions policy protects them from destroying important files, it protects other system users from accidents, it does a good job of preventing most malicious attacks and, perhaps most refreshing of all, it protects you, the SA.

For example, you create a user account for a new hire into the Human Resources and Accounting Department named John Oker, and following corporate account policy, you create his user account in the usual way.

Note: The HR group (444) and the Accounting group (999) already exist on your system.

$ sudo useradd -m -g 444 -c "John Oker" joker

$ grep joker /etc/passwd

joker:x:1001:444:John Oker:/home/joker:/bin/sh

John’s life is good, since you’ve created his account and added him to HR (444) as his primary group. John should have everything he needs. But, he doesn’t. He is also part of the Accounting group.

$ sudo usermod -a -G 999 joker

$ grep joker /etc/group
Accounting:x:999:bjones,fsmith,ldavis,dbrown,joker

Now he’s all fixed up, or is he? You forgot to read the second page of the request which clearly states that John Oker also needs special (full) access to the Management HR Files and Management Accounting Files. Everyone else in John’s group has read-only access to those files. These files exist under the HR and the Accounting directories.

$ getfacl Accounting/*
# file: Employees.txt
# owner: root
# group: root
user::rw-
group::r--
mask::rwx
other::r--

# file: Managers.txt
# owner: root
# group: root
user::rw-
group::r--
mask::rwx
other::r--

You might think, from these ACLs, that everyone has read-only access to these files. They do, as far as the file ACLs go. However, the ACL on the Accounting directory itself explains why this is not the glaring error it appears to be.

$ getfacl Accounting
# file: Accounting
# owner: root
# group: root
user::rwx
group::r-x
group:Accounting:r-x
mask::r-x
other::---

As you can see, no one outside of the Accounting group can cd into the Accounting directory.

$ cd Accounting
-bash: cd: Accounting/: Permission denied

Granting John Oker write access on the file itself, while leaving the directory’s restrictive permissions in place, ensures that he can’t accidentally remove the file.

$ sudo setfacl -m user:joker:rwx Managers.txt

$ getfacl Managers.txt

# file: Managers.txt
# owner: root
# group: root
user::rw-
user:joker:rwx
group::r--
mask::rwx
other::r--

John can edit the Managers.txt file but he can’t remove it due to the Accounting directory permissions (r-x) for the Accounting group.

Note: A malicious user can empty the file and save it as a workaround to his inability to remove the file from the filesystem. This is why good backups of critical files take priority over even the best-laid security or ACL scheme. And, in the case of financial or HR files, several snapshots per day, scheduled via cron, should be in place.

Now that you’ve established the background for this lesson, let’s give John and his account a workout.

ACL Limitations

ACLs aren’t perfect. No permissions structure is. Next, you’ll see a demonstration of the greatest limitation of the Unix file permissions scheme.

As stated earlier, every user has a home directory where he may create files and directories at will. There are other directories that a user might have access to as well. For this example, let’s say that user robert has used the system for a while and has 100MB or so in his home directory. He also has access to the Techs document repository, which is a shared directory for all members of the Techs group to create documentation. Robert has created his share of files in this shared directory. He is the owner but the Techs group also has full rights (rwx) to all files.

A new manager has taken over Robert’s area and has decided to promote Robert to a new Tech Lead position within the group. As a Tech Lead, his User ID (UID) must fall in the range of 6000-6999. Currently, his UID is 505. The change to his UID is a simple one to perform, but the consequences of such a change carry substantial weight. Let’s take a look at why this is true.

$ sudo usermod -u 6543 robert

$ grep robert /etc/passwd

robert:x:6543:6340:Bob Alodob:/home/robert:/bin/bash

Robert, curious about the consequences of this change, checks the files in his home directory. They’re all OK. What about his files under the Techs directory? They’re not OK.

$ ls -al netconnect.txt

-rwxrwx---+  1 508 techs    5 May  9 10:04 netconnect.txt

You’ll see similar results when examining ACLs.

$ getfacl netconnect.txt

# file: netconnect.txt
# owner: 508
# group: techs
user::rwx
user:508:rwx
group::rw-
mask::rwx
other::---

It’s a fairly simple task to change a few files to reflect Robert’s new UID, but what if Robert has files on 50 different systems? Home directory files aren’t a problem; usermod updates their ownership automatically. The stray files that Robert owns on 50 systems are a real problem. Why? Files without a proper owner set off alerts in security scans, and the threat of those files being removed is real.

Changing a user’s Group ID doesn’t have the same effect unless that user is the only member of a particular group. Changing a UID has far reaching effects and should only occur when absolutely necessary.

The Cleanup Process

Are you ready to find out what happens when you have to perform some negative user maintenance? That is to say, removing users from the system. This unpleasant task is two-fold: You must remove the user account (which is often associated with negative circumstances) and you have to clean up all files owned by the former user.

Files that have lost their owners will show up in those security scans mentioned earlier and risk removal regardless of their importance. This is what you see in the Techs directory after user john's dismissal from the company.

$ ls -al
total 32
drwxrwxrwx   2 root   root  4096 May  9 16:01 .
drwxr-xr-x  12 root   root  4096 May  8 20:57 ..
-rw-rwxr--+  1    506 techs    0 May  9 16:01 john1.txt
-rw-rwxr--+  1    506 techs    0 May  9 16:01 john2.txt
-rw-rwx---+  1 robert techs    0 May  8 21:08 howto4.txt
-rwxrwx---+  1 robert techs    5 May  9 10:04 netconnect.txt

$ getfacl john*

# file: john1.txt
# owner: 506
# group: techs
user::rw-
user:506:rwx
group::rw-
mask::rwx
other::r--

# file: john2.txt
# owner: 506
# group: techs
user::rw-
user:506:rwx
group::rw-
mask::rwx
other::r--

You can handle a situation like this in a couple of different ways. You can remove the dismissed user’s account and face the orphaned files issue or you can simply disable the account by placing a # in front of the account entry in the /etc/passwd file. Disabling the account will have the effect of blocking the user’s access and keeping the files as “owned” until other group members can take ownership of the departed user’s files.
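Both situations above, Robert’s UID change under ACL Limitations and john’s departure here, leave the same trace: getfacl prints a bare number where a name used to be. As an added example (not code from the article or its author), here is a small POSIX shell script that turns `getfacl -R` output into an orphan report and a reviewable remediation plan. The getfacl text it reads is constructed to match the listings above (robert’s old UID 505, john’s UID 506), and the function names acl_numeric_entries and acl_reassign_plan are my own. Nothing in it touches the filesystem; the plan is printed so you can read it before you run it.

```shell
#!/bin/sh
# Added example, not from the article: turn `getfacl -R` output into an
# orphan report and a remediation plan. The plan is printed, not executed.

# Constructed sample of `getfacl -R Techs` after robert's UID change (505 ->
# 6543) and john's removal (UID 506). Names that no longer resolve are shown
# by getfacl as bare numbers, which is exactly the symptom in the article.
SAMPLE_GETFACL='# file: Techs/netconnect.txt
# owner: 505
# group: techs
user::rwx
user:505:rwx
group::rw-
mask::rwx
other::---

# file: Techs/john1.txt
# owner: 506
# group: techs
user::rw-
user:506:rwx
group::rw-
mask::rwx
other::r--

# file: Techs/howto4.txt
# owner: robert
# group: techs
user::rw-
group::rw-
mask::rwx
other::---
'

# Report every file whose owner, or whose named-user ACL entry, is a bare UID.
# Reads getfacl output on stdin; prints "<path> owner|acl <uid>" per finding.
acl_numeric_entries() {
    awk '
        /^# file: /     { file = substr($0, 9); next }
        /^# owner: /    { owner = substr($0, 10)
                          if (owner ~ /^[0-9]+$/) print file, "owner", owner
                          next }
        /^user:[0-9]+:/ { split($0, f, ":"); print file, "acl", f[2]; next }
    '
}

# Print the chown/setfacl commands that move OLD_UID (arg 1) to NEW (arg 2,
# a name or a UID). The named ACL entry is removed and re-added rather than
# renamed because ACL entries are keyed by UID; setfacl accepts the bare
# number in u:505 (getfacl --restore depends on that). Paths are single-quoted.
acl_reassign_plan() {
    awk -v old="$1" -v new="$2" -v sq="'" '
        function q(s) { gsub(sq, sq "\\" sq sq, s); return sq s sq }
        /^# file: /  { file = substr($0, 9); next }
        /^# owner: / { if (substr($0, 10) == old)
                           printf "chown -h %s -- %s\n", new, q(file)
                       next }
        /^user:[0-9]+:/ {
            split($0, f, ":")
            if (f[2] != old) next
            perms = f[3]
            # when the mask is tighter than the entry, getfacl appends
            # "#effective:r-x" to the line; keep only the stored perms
            sub(/[ \t]+#effective.*$/, "", perms)
            printf "setfacl -x u:%s -- %s\n", old, q(file)
            printf "setfacl -m u:%s:%s -- %s\n", new, perms, q(file)
            next
        }
    '
}

printf '%s' "$SAMPLE_GETFACL" | acl_numeric_entries
printf '%s' "$SAMPLE_GETFACL" | acl_reassign_plan 505 6543    # robert: old UID -> new UID
printf '%s' "$SAMPLE_GETFACL" | acl_reassign_plan 506 robert  # john's files -> a teammate
```

Against a real tree you would run `getfacl -R Techs | acl_reassign_plan 505 6543`, read the plan, and only then pipe it into sh. The system-wide counterpart of the report is `find / -xdev -nouser`, which is what the security scans the article mentions are looking for. Two details worth knowing before you run the plan: chown is given -h so that symlinks inside the tree are re-owned rather than followed, and setfacl -m recomputes the mask entry unless you pass -n, so a file whose mask was deliberately tightened needs -n added by hand.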

Standard file permissions and ACLs provide you, the System Administrator, with a great deal of power over users’ rights. And you need to remember that with great power comes great responsibility. Practice ACLs before implementing them for your users. Or, in some cases, subjecting your users to them.

Next week, you’ll add a new tool to your System Administration Toolbox by looking at a new way to extensively query your Ethernet devices.
