Table of Contents

Back to igraltist's experiences/ACL

RSBAC ACL Example

Problem description

On standard linux system nothing prevented the root user switch to any other user.

Solution with ACL Groups

This is only example for ACL. The AUTH and or the RC module is much comfortable. All have to do as security user (uid 400).

2. Create your first 'ACL' group

Named as example Suing.
The P is using as type Private. The other options is G as type Global.
The number 1 on then and set the group-id. So it was empty on test befor and therefor i using the number 1.

$acl_group add_group P Suing 1

3. Controll the setup

$acl_group list_groups
Group 1: owner 400 (security), type P, name 'Suing'

4. Add this new created 'ACL' group to the file /bin/su

The subj_type is GROUP.
The subj_id is the group-id number from previous created group.
The rights is A which grant all.
The target-type is FILE.
The filename is the absolute pathname /bin/su.

$acl_grant GROUP 1 A FILE /bin/su

5. Add the user(s) to the new create 'ACL' group for allow changing user(su)

The number 1 after add_member indicates the group-id number.
The number 1000 is in my case the first default user-id.

$acl_group add_member 1 1000

6. Check the 'ACL' group for members

$acl_group get_group_members 1 
1000		jens

7. List the 'ACL' rights from filename /bin/su

List the rights and save it to restore later.

$acl_rights FILE /bin/su 
/bin/su            : 11100000011000011111101110100000011011110011111111110110100

8. Change the default 'ACL' mask to allow nothing

The rights [-s] is set to 0.
The target-type is FILE.
The filename is the absolute path /bin/su.

$acl_mask -s 0 FILE  /bin/su

9. List again the 'ACL' rights from filename /bin/su

$acl_rights FILE /bin/su 
/bin/su            : 10000000000000000000000000000000000000000000000000000000000

From now on, only member from 'ACL' group Suing are able to change to other user, when 'ACL' is using.

10. Test change user as root user

su - security
-bash: /bin/su: Operation not permitted

This is the output from security-log.

Wed Nov 3 12:54:01 2010 :<6
0000000658|rsbac_adf_request(): request EXECUTE, pid 26958, ppid 14663, prog_name bash, prog_file /bin/bash, uid 0, remote ip 192.168.1.5, target_type FILE, tid Device 253:01 Inode 88530 Path /bin/su, attr none, value none, result NOT_GRANTED by ACL

The root user don't have EXECUTE rights, because befor we remove with acl_mask the default rights and set them to zero.

11. Remove an user from ACL

For example to remove an user from a acl file entry:

acl_grant -m USER "ID" FILE "/path/to/file"

12. Example to prevent an user to use dmesg

Create a acl group to assing to file /bin/dmesg.

acl_group add_group P Dmesg 2

Add the acl group to the file.

acl_grant GROUP  2 A FILE /bin/dmesg

Remove all default entries from the target file.

acl_mask -s 0 FILE  /bin/dmesg

Try the setup.

dmesg
-bash: /bin/dmesg: Operation not permitted

Visit the rsbac logfile.

Fri Jul  1 06:09:32 2011 :<6>0000000416|rsbac_adf_request(): request GET_STATUS_DATA, pid 15922, ppid 15921, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
Fri Jul  1 06:09:34 2011 :<6>0000000417|rsbac_adf_request(): request EXECUTE, pid 10231, ppid 15922, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL

Conclusion

The 'ACL' modul offers a good possibility and is easy to use.

This example can easy modify to use on other cases.