File Flags (FF)

This model defines some access flags for files, fifos, symlinks and dirs. Currently, the following flags are supported:

Flag Value Checked for Notes
no_protection 0 ALL
execute_only 2 FILE, FIFO, SYMLINK
search_only 4 DIR
read_only 1 FILE, FIFO, SYMLINK, DIR
write_only 8 FILE, FIFO, SYMLINK
secure_delete 16 FILE File is blanked on delete and truncate (ext2, ext3, msdos/vfat, minix only)
no_execute 32 FILE
no_delete_or_rename 64 FILE, FIFO, SYMLINK, DIR new in 1.1.1, not inherited
append_only 256 FILE, FIFO, SYMLINK new in 1.1.2, write accesses are limited to APPEND_OPEN and WRITE, read accesses are allowed
no_mount 512 DIR Disallows mounting to this dir
no_search 1024 FILE, DIR, SYMLINK, FIFO Hides filesystem object completly and denies futher access to it
add_inherited 128 FILE, FIFO, SYMLINK, DIR Add inherited values from parent dir, not inherited itself

These flags are checked on every access to the given target types. Only users in system_role 'security officer' can change the flags.

Please note that the attributes are independent from each other and restrictive: All attributes that are set are applied, e.g. execute_only and no_execute together (or read_only and write_only) lead to no access.

Flags that are only checked for some target types are ignored for the other ones. This can be used to set e.g. search_only and execute_only on a dir - you can SEARCH (not READ!) in the dir and EXECUTE files in it, but nothing else.

To set more flags on a target you just add (or) their numerical values, for example: add_inherited+read_only = 129. This numerical value is the one used by the administrative tools.

The add_inherited flag is special: If set, the parent dir's flags are added (or'd) to the target's own flags. Attention: the flags no_delete_or_rename and add_inherited cannot be inherited, they must always be set explicitely!

By default all targets have only add_inherited (128) set. The root of the filesystem by default has no FF restriction, which means that if all targets have only add_inherited set, FF does not protect any target.

The following table explains the effects of the flags of the FF module with respect to the action requested on a file or other target. Not all flags are meaningful for all targets. For each request are listed the flags which PREVENT the request to be satisfied, i.e. the flags which forbid the action (from the list are missing the actions related to managing RSBAC and similar).

REQUEST PREVENTING FLAGS
APPEND_OPEN FF_read_only FF_execute_only
CHANGE_GROUP FF_read_only FF_execute_only FF_append_only
MODIFY_ACCESS_DATA FF_read_only FF_execute_only FF_append_only
MODIFY_PERMISSIONS_DATA FF_read_only FF_execute_only FF_append_only
CHANGE_OWNER FF_read_only FF_execute_only FF_append_only
CHDIR FF_search_only
CREATE FF_read_only FF_search_only
DELETE FF_read_only FF_execute_only FF_no_delete_or_rename FF_append_only
RENAME FF_read_only FF_execute_only FF_no_delete_or_rename FF_append_only
EXECUTE FF_write_only FF_no_execute FF_append_only
LINK_HARD FF_read_only FF_execute_only
MOUNT FF_read_only FF_execute_only FF_write_only FF_append_only FF_no_mount
UMOUNT FF_read_only FF_execute_only FF_write_only FF_append_only FF_no_mount
READ FF_execute_only FF_write_only FF_search_only
READ_OPEN FF_execute_only FF_write_only FF_search_only
READ_WRITE_OPEN FF_read_only FF_execute_only FF_write_only FF_append_only
TRUNCATE FF_read_only FF_execute_only FF_append_only
WRITE_OPEN FF_read_only FF_execute_only FF_append_only
WRITE FF_read_only FF_search_only FF_execute_only

Thus for example FF_read_only permits: CHDIR, EXECUTE, READ, READ_OPEN; FF_execute_only permits: CHDIR, EXECUTE, CREATE; FF_write_only permits: WRITE, WRITE_OPEN, LINK_HARD, DELETE, RENAME, CREATE, CHANGE_OWNER, APPEND_OPEN, CHANGE_GROUP.

Above list does not apply to FF_no_search flag - by setting it all access is denied and file is completly hidden (both from direct access and directory listing)

Obviously since FF_read_only and FF_write_only have an empty intersection, if one sets both of them on the same target, no action is allowed on it! Instead if one sets both FF_read_only and FF_execute_only on the same target, only CHDIR and EXECUTE are permitted.

Example1:

Set write_only on a logging dir.
All log files created in that dir inherit the write_only flag,
thus the log can never be read unless the flag is removed.

Example1b:

Set append_only on a logging dir.
All log files created in that dir inherit the append_only flag,
thus the log can be read, but writing can only append to the file, unless the flag is removed.
Add flag write_only, if the files should not be read either.

Example2:

Set no_execute on /home.
All executables below that dir inherit this flag,
thus no user can execute files from her home directory, unless the flag is removed.

Example3:

Set no_delete_or_rename on /home.
User home dirs below can be added, removed and individually protected,
but the parent dir /home cannot be moved or replaced to fake other home dirs for most users.

File Flags should be used, if you need global access settings which are valid for all users.



Table of Contents: RSBAC Handbook
Back: Security Models