Old 12-29-2010, 09:59 PM   #1
hydraMax
ACLs, default permissions, directories and files


Okay, so I have this user, webdev (names have been changed to protect the guilty). webdev owns a folder at /projects/webdev, with permissions to do whatever the heck he wants in there. Then I've got another user, backup. Through the magic of POSIX ACLs, backup is supposed to have READ-ONLY access to everything in /projects/webdev, as well as everything in every sub-folder that will ever be created in /projects/webdev. backup shouldn't be able to delete any files, execute any files, or modify any files.

So, I'm thinking I should be using "default permissions" to ensure that, if webdev creates a new directory in /project/webdev, backup should have access to that directory. But if I make default permissions on /projects/webdev to be 'r-x' for backup, does that mean that backup will get execute permissions for regular files (i.e., non-directories) as well? But if I just make default permissions 'r', then backup won't have access to the directories, correct? So how do I make this work the way I want?
 
Old 12-30-2010, 04:45 AM   #2
Reuti
Make the executable file only executable for the user, but not group or other. Then you should see in getfacl:
Code:
user:backup:r-x			#effective:r--
despite the file being executable.
 
Old 01-07-2011, 01:03 AM   #3
hydraMax
Okay, but if that is true, it seems like I still don't get what I want, because control seems to slip from my hands (the system administrator) to the hands of user webdev. Let's say, for example, that I add entry default:user:backup:r-x to webdev's project folder. Then webdev comes along later, cd's to that directory, and executes the command

Code:
mkdir -m 0700 mysecretdirectory
Now what webdev has done is created a directory that the backup account doesn't have /any/ access to, which is not good.
 
Old 01-07-2011, 04:53 AM   #4
Reuti
On the one hand you are right: webdev can change the ACLs any time he likes and lock out the backup user. But the above command:
Code:
mkdir -m 0700 mysecretdirectory
would still inherit the default settings which are present at time of creation and give access to the backup user. What settings do you get when you check with getfacl for mysecretdirectory?
 
Old 01-08-2011, 02:03 AM   #5
hydraMax
I couldn't use webdev to experiment for certain reasons, but I did a similar test with the root and backup accounts. Result:

Code:
$ getfacl parentdirectory/
# file: parentdirectory/
# owner: root
# group: root
user::rwx
user:backup:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:backup:r-x
default:group::r-x
default:mask::r-x
default:other::r-x
$ mkdir -m 0700 parentdirectory/mysecretdirectory
$ getfacl parentdirectory/mysecretdirectory/
# file: parentdirectory/mysecretdirectory/
# owner: root
# group: root
user::rwx
user:backup:r-x			#effective:---
group::r-x			#effective:---
mask::---
other::---
default:user::rwx
default:user:backup:r-x
default:group::r-x
default:mask::r-x
default:other::r-x
Changed user to backup and could not even cd into the new directory.
 
Old 01-10-2011, 12:08 PM   #6
Reuti
When ACLs are in use, the output of r-x for the group permissions doesn't necessarily reflect the permissions of the group listed in ls. Although I can't find it stated anywhere in particular, it looks like it is the mask to be used for the ACL.

Code:
soft@pc:/home/reuti> id
uid=1001(soft) gid=100(users) groups=16(dialout),33(video),100(users)
soft@pc:/home/reuti> ls -lhd tester
drwxr-x---+ 6 reuti users 4.0K 2011-01-10 18:22 tester
soft@pc:/home/reuti> ls tester
ls: cannot open directory tester: Permission denied
User soft has no access, although he is in the group users, as in the ACL the group permissions are set to group::---. Then the follow-up problem is of course that chmod doesn't know anything about ACLs, and will do anything it likes to the mask. I wonder why there is no ACL-aware chmod then.

To your original problem: when webdev sets any permissions by hand, I see no solution (besides having a cron job setting the correct permissions before the backup). If he never ever sets permissions by hand, the inherited default ACL should work though.
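
The mask arithmetic behind the getfacl output in post #5 and the chmod remark in post #6, as an added example that is not part of any post in this thread: a small Python model of the object-creation and chmod rules documented in acl(5), fed with the default ACL shown in post #5. All function names are illustrative.

```python
PERM = {"r": 4, "w": 2, "x": 1}
# Default ACL of parentdirectory/ copied from post #5, with the "default:" prefix dropped.
DEFAULT_ACL = """user::rwx
user:backup:r-x
group::r-x
mask::r-x
other::r-x"""

def bits(s):
    return sum(PERM[c] for c in s if c in PERM)                 # "r-x" -> 5

def text(n):
    return "".join(c if n & PERM[c] else "-" for c in "rwx")    # 5 -> "r-x"

def parse(acl_text):
    acl = {}
    for line in acl_text.splitlines():
        entry = line.split("#")[0].strip()    # drop header comments and "#effective:" notes
        if entry:
            tag, perm = entry.rsplit(":", 1)  # "user:backup:r-x" -> ("user:backup", "r-x")
            acl[tag] = bits(perm)
    return acl

def group_class_key(acl):
    # The group bits of a mode map to mask:: when it exists, otherwise to group::.
    return "mask:" if "mask:" in acl else "group:"

def inherit(default_acl, mode):
    """New object's access ACL: the default ACL with owner/group-class/other ANDed with mode (umask unused)."""
    acl = dict(default_acl)
    acl["user:"] &= (mode >> 6) & 7
    acl[group_class_key(acl)] &= (mode >> 3) & 7
    acl["other:"] &= mode & 7
    return acl

def chmod(acl, mode):
    """chmod overwrites those same three entries, so its group bits become the mask."""
    acl = dict(acl)
    acl.update({"user:": (mode >> 6) & 7, group_class_key(acl): (mode >> 3) & 7, "other:": mode & 7})
    return acl

def effective(acl, tag):
    return text(acl[tag] & acl.get("mask:", 7))   # named/group entries are limited by the mask

if __name__ == "__main__":
    d = parse(DEFAULT_ACL)
    for name, acl in [("mkdir -m 0700", inherit(d, 0o700)), ("mkdir (0777)", inherit(d, 0o777)),
                      ("new file (0666)", inherit(d, 0o666)), ("then chmod 0750", chmod(inherit(d, 0o700), 0o750))]:
        print(f"{name:16} mask::{text(acl['mask:'])}  user:backup effective {effective(acl, 'user:backup')}")
```

The 0666 case shows why a default r-x entry does not hand backup execute rights on ordinary new files, and the chmod case shows that whoever runs chmod on an object also rewrites its mask.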
 
Old 01-10-2011, 11:48 PM   #7
hydraMax
It seems that what I really want is permission inheritance. It seems clear now that this is not provided by Linux ACLs, since default permissions cannot be considered "inherited" if they can be revoked at any branch in the tree.



Is there /any/ add-on permissions system in Linux that provides inherited permissions?
 
Old 01-11-2011, 03:12 AM   #8
Reuti
Are you bound to ext3 or the like? Maybe ZFS or XFS can provide a better implementation of ACLs.
 
Old 01-11-2011, 11:36 PM   #9
hydraMax
Unfortunately, the server is using ext3 and I cannot change that now. But isn't the ACL functionality the same regardless of which file system you are using (as long as the file system supports the storage of the ACL entries)? I was under the impression that the kernel enforced permissions and the file system just stored the ACL entries for each file.
 
Old 01-12-2011, 03:33 AM   #10
Reuti
ACL is an extension to the original ext file system, and it depends on the mount whether ACL is available on ext2/3/4 or not. Due to this combination the kernel has to make a compromise when making changes to the original user/group permissions and ACLs, I could imagine (as we just saw in the results). With XFS and ZFS the ACL is just there by design. Hence the output of user/group permissions could be an extract of the one and only ACL and it may be more self-contained.

Maybe someone with XFS or ZFS experience could make a statement about the inheritance of ACL rights on these file systems and how a chmod would change the ACL in an unintended way, or whether this is also covered.

(Not to mention that ACL usage by NFS is another thing...)
 
Old 01-12-2011, 05:56 AM   #11
jschiwal
I tested out a couple things, because your conclusions didn't seem quite right. I created a directory ~/hd2/testdir and gave user bob rwx access:
Code:
setfacl -m u:bob:rwx testdir
setfacl -m d:u:bob:rwx testdir
I've forgotten to do both sometimes. A default acl doesn't grant access to a directory.
Code:
getfacl testdir/
# file: testdir/
# owner: jschiwal
# group: jschiwal
user::rwx
user:bob:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:bob:rwx
default:group::r-x
default:mask::rwx
default:other::---

If I start at the directory above testdir, and
Code:
su bob
cd testdir
bash: cd: testdir: Permission denied

However if I first cd into ~/hd2/testdir/, and then su to bob, bob has the expected access to the subdirectories and files I created inside (after creating the default acl).
A user with acl access to a directory will also need rx access to the parent directories to enter it.
 
Old 01-12-2011, 06:19 AM   #12
Reuti
@jschiwal: I think your post ended up in the wrong thread. Anyway: you both are right. To cd to such a protected directory all top level directories need to have rx access too. But once you are inside the subdirectory by any means of su, you have a handle of the directory's inode and can access it:
Code:
reuti@pc:~/tester/runner> su soft
Password: 
soft@pc:/home/reuti/tester/runner> ls
speed
soft@pc:/home/reuti/tester/runner> cd
soft@pc:~> cd -
bash: cd: /home/reuti/tester/runner: Permission denied
Or when you change the permissions while you are inside such a directory:
Code:
soft@pc:/home/reuti/tester/runner> ls ..
ls: cannot open directory ..: Permission denied
soft@pc:/home/reuti/tester/runner> ls
speed
soft@pc:/home/reuti/tester/runner> cd
soft@pc:~> cd -
-bash: cd: /home/reuti/tester/runner: Permission denied
 
  

