====== RSBAC ACL Example ======
== Problem description ==
On a standard Linux system, nothing prevents the root user from switching to any other user.
== Solution with ACL Groups ==
This is only an example for the ACL module; the AUTH and/or RC modules are more comfortable for this purpose.
Everything below has to be done as the security user (uid 400).
===== 2. Create your first 'ACL' group =====
The group is named Suing in this example.\\
P sets the group type to Private; the other option is G for type Global.\\
The number 1 is the group id. No groups existed on the test system before, so the number 1 is used.
$ acl_group add_group P Suing 1
===== 3. Control the setup =====
$ acl_group list_groups
Group 1: owner 400 (security), type P, name 'Suing'
===== 4. Add the newly created 'ACL' group to the file /bin/su =====
The subj_type is GROUP.\\
The subj_id is the group id of the group created in the previous step.\\
The rights value is A, which grants all rights.\\
The target type is FILE.\\
The filename is the absolute pathname /bin/su.
$ acl_grant GROUP 1 A FILE /bin/su
===== 5. Add the user(s) to the newly created 'ACL' group to allow changing user (su) =====
The number 1 after add_member is the group id.\\
The number 1000 is, in my case, the first default user id.\\
$ acl_group add_member 1 1000
===== 6. Check the 'ACL' group for members =====
$ acl_group get_group_members 1
1000 jens
===== 7. List the 'ACL' rights from filename /bin/su =====
List the rights and save them so they can be restored later.
$ acl_rights FILE /bin/su
/bin/su : 11100000011000011111101110100000011011110011111111110110100
===== 8. Change the default 'ACL' mask to allow nothing =====
The rights (-s) are set to 0.\\
The target type is FILE.\\
The filename is the absolute path /bin/su.
$ acl_mask -s 0 FILE /bin/su
===== 9. List the 'ACL' rights from filename /bin/su again =====
$ acl_rights FILE /bin/su
/bin/su : 10000000000000000000000000000000000000000000000000000000000
From now on, only members of the 'ACL' group Suing are able to change to another user while the 'ACL' module is in use.
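The steps above (create the group, grant it all rights on the file, add the members, save the current rights, then clear the default mask) wrapped in one shell function, as an added example that is not part of the original page. It assumes the RSBAC tools acl_group, acl_grant, acl_rights and acl_mask are in PATH and that it runs as the security user; with DRY_RUN=1 it only prints the commands, so the plan can be reviewed on a machine without an RSBAC kernel. Because file, group name, group id and members are parameters, the dmesg case in section 12 is the same call with different arguments.

```shell
#!/bin/sh
# Added example (not from the original page): the RSBAC ACL steps from
# sections 2 to 9 as one reusable function.
# Assumptions: acl_group, acl_grant, acl_rights and acl_mask are in PATH and
# this runs as the security user (uid 400). DRY_RUN=1 prints each command
# instead of executing it.

# run CMD ARGS...: execute, or only print, one RSBAC command
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# restrict_exec_to_group NAME GROUP_ID FILE UID...
# Afterwards only the listed users (members of the new private ACL group)
# keep rights on FILE; everyone else, root included, is denied by ACL.
restrict_exec_to_group() {
    name=$1; gid=$2; file=$3; shift 3

    # Order matters: grant the group and add the members BEFORE clearing the
    # default mask, otherwise nobody can execute FILE until it is restored.
    run acl_group add_group P "$name" "$gid" || return 1
    run acl_grant GROUP "$gid" A FILE "$file" || return 1
    for uid in "$@"; do
        run acl_group add_member "$gid" "$uid" || return 1
    done

    # Save the current rights (section 7) so they can be restored later.
    # The backup path is a choice of this example, not an RSBAC convention.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        run acl_rights FILE "$file"
    else
        backup="${BACKUP_DIR:-/root}/acl_rights$(echo "$file" | tr / _).bak"
        acl_rights FILE "$file" > "$backup" || return 1
    fi

    # Clear the default mask (section 8): from here on only the group's
    # explicit grant applies.
    run acl_mask -s 0 FILE "$file"
}

# Dry run of the /bin/su case from this page (group Suing, id 1, user 1000).
if [ "${DEMO:-0}" = "1" ]; then
    DRY_RUN=1 restrict_exec_to_group Suing 1 /bin/su 1000
fi
```

Run it with DEMO=1 to print the five commands in the order the page uses; without DRY_RUN the same function executes them, so check the printed plan first, since clearing the mask on /bin/su before the grant is in place locks root out of su.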
===== 10. Test changing user as root =====
su - security
-bash: /bin/su: Operation not permitted
This is the output from the security log.
0000000658|rsbac_adf_request(): request EXECUTE, pid 26958, ppid 14663, prog_name bash, prog_file /bin/bash, uid 0, remote ip 192.168.1.5, target_type FILE, tid Device 253:01 Inode 88530 Path /bin/su, attr none, value none, result NOT_GRANTED by ACL
The root user does not have EXECUTE rights, because we removed the default rights with acl_mask earlier and set them to zero.
===== 11. Remove a user from the ACL =====
For example, to remove a user from an ACL file entry:
acl_grant -m USER "ID" FILE "/path/to/file"
===== 12. Example: prevent a user from using dmesg =====
Create an ACL group to assign to the file /bin/dmesg.
acl_group add_group P Dmesg 2
Add the ACL group to the file.
acl_grant GROUP 2 A FILE /bin/dmesg
Remove all default entries from the target file.
acl_mask -s 0 FILE /bin/dmesg
Try the setup.
dmesg
-bash: /bin/dmesg: Operation not permitted
Look at the rsbac logfile.
Fri Jul 1 06:09:32 2011 :<6>0000000416|rsbac_adf_request(): request GET_STATUS_DATA, pid 15922, ppid 15921, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
Fri Jul 1 06:09:34 2011 :<6>0000000417|rsbac_adf_request(): request EXECUTE, pid 10231, ppid 15922, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
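The log lines in sections 10 and 12 are the evidence that the ACL setup works, so a defender will want to summarise them. The script below is an added example, not from the original page: it reads RSBAC security-log lines from stdin and reports, per uid, request and file, how often the ACL module refused the request. The sample log is constructed for this example in the shape shown on the page (pids and timestamps are sample values; the final line is an unrelated message that the filter must ignore).

```shell
#!/bin/sh
# Added example (not from the original page): summarise ACL denials from the
# RSBAC security log so a defender can see which uid was refused which request
# on which file, and how often. Input is read from stdin, one log line each.

# Constructed sample log: the shape is the one shown on this page; the pids,
# timestamps and the last (unrelated) line are sample values.
SAMPLE_LOG='Fri Jul 1 06:09:32 2011 :<6>0000000416|rsbac_adf_request(): request GET_STATUS_DATA, pid 15922, ppid 15921, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
Fri Jul 1 06:09:34 2011 :<6>0000000417|rsbac_adf_request(): request EXECUTE, pid 10231, ppid 15922, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
Fri Jul 1 06:10:01 2011 :<6>0000000418|rsbac_adf_request(): request EXECUTE, pid 26958, ppid 14663, prog_name bash, prog_file /bin/bash, uid 0, remote ip 192.168.1.5, target_type FILE, tid Device 253:01 Inode 88530 Path /bin/su, attr none, value none, result NOT_GRANTED by ACL
Fri Jul 1 06:10:07 2011 :<6>0000000419|rsbac_adf_request(): request EXECUTE, pid 26970, ppid 14663, prog_name bash, prog_file /bin/bash, uid 0, remote ip 192.168.1.5, target_type FILE, tid Device 253:01 Inode 88530 Path /bin/su, attr none, value none, result NOT_GRANTED by ACL
Fri Jul 1 06:10:09 2011 :<6>0000000420|unrelated kernel message, ignored by the filter'

# acl_denials: one line per distinct (uid, request, path) denied by ACL:
#   uid <uid> request <REQUEST> path <path> count <n>
acl_denials() {
    grep 'result NOT_GRANTED by ACL' \
    | sed 's/.* request \([A-Z_]*\), .* uid \([0-9]*\), .* Path \([^,]*\), .*/\2 \1 \3/' \
    | LC_ALL=C sort | uniq -c \
    | awk '{ print "uid " $2 " request " $3 " path " $4 " count " $1 }'
}

# root_denied_paths: files root (uid 0) was refused; on this page that is the
# expected sign that the su restriction works.
root_denied_paths() {
    acl_denials | awk '$2 == "0" { print $6 }' | LC_ALL=C sort -u
}

# Demo over the constructed sample (DEMO=1); in practice feed the real log:
#   grep rsbac_adf_request /var/log/<your rsbac log> | acl_denials
if [ "${DEMO:-0}" = "1" ]; then
    printf '%s\n' "$SAMPLE_LOG" | acl_denials
fi
```

Denials for uid 0 on /bin/su are the intended result of this page's setup; a sudden rise in denials for other uids or other files is what to look into, because it means someone is hitting a mask that was cleared without a matching group grant.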
===== Conclusion =====
The 'ACL' module offers a good possibility and is easy to use.
This example can easily be modified for other cases.