On a standard Linux system, nothing prevents the root user from switching to any other user.
This is only an example for the ACL module; the AUTH and/or RC modules are much more comfortable for this purpose. Everything below has to be done as the security user (uid 400).
The group is named Suing as an example.
P selects the type Private; the other option is G for the type Global.
The trailing 1 sets the group-id. No groups existed on my test system before, so I use the number 1.
$acl_group add_group P Suing 1
$acl_group list_groups
Group 1: owner 400 (security), type P, name 'Suing'
The subj_type is GROUP.
The subj_id is the group-id of the group created above.
The rights value is A, which grants all rights.
The target-type is FILE.
The filename is the absolute pathname /bin/su.
$acl_grant GROUP 1 A FILE /bin/su
The 1 after add_member is the group-id.
1000 is, in my case, the first regular user-id.
$acl_group add_member 1 1000
$acl_group get_group_members 1
1000 jens
List the current rights and save them so they can be restored later.
$acl_rights FILE /bin/su
/bin/su : 11100000011000011111101110100000011011110011111111110110100
The rights mask given with -s is set to 0.
The target-type is FILE.
The filename is the absolute path /bin/su.
$acl_mask -s 0 FILE /bin/su
$acl_rights FILE /bin/su
/bin/su : 10000000000000000000000000000000000000000000000000000000000
From now on, while the ACL module is in use, only members of the ACL group Suing are able to switch to another user.
su - security
-bash: /bin/su: Operation not permitted
This is the output from the security log.
0000000658|rsbac_adf_request(): request EXECUTE, pid 26958, ppid 14663, prog_name bash, prog_file /bin/bash, uid 0, remote ip 192.168.1.5, target_type FILE, tid Device 253:01 Inode 88530 Path /bin/su, attr none, value none, result NOT_GRANTED by ACL
The root user no longer has EXECUTE rights, because we removed the default rights with acl_mask above and set the mask to zero.
For example, to remove a user from an ACL file entry:
acl_grant -m USER "ID" FILE "/path/to/file"
Create an ACL group to assign to the file /bin/dmesg.
acl_group add_group P Dmesg 2
Grant the ACL group all rights (A) on the file.
acl_grant GROUP 2 A FILE /bin/dmesg
Remove all default entries from the target file.
acl_mask -s 0 FILE /bin/dmesg
Test the setup.
dmesg
-bash: /bin/dmesg: Operation not permitted
Check the RSBAC logfile.
Fri Jul 1 06:09:32 2011 :<6>0000000416|rsbac_adf_request(): request GET_STATUS_DATA, pid 15922, ppid 15921, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
Fri Jul 1 06:09:34 2011 :<6>0000000417|rsbac_adf_request(): request EXECUTE, pid 10231, ppid 15922, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
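The rsbac_adf_request() lines above (the su denial for root and the two dmesg denials for uid 1000) are what an administrator will be watching after locking a binary down with acl_mask. The following is an added Python example, not part of this page or of the RSBAC project, that parses such decision lines into fields and summarizes NOT_GRANTED results per uid and target path. The field layout is taken from the lines shown on this page; the fourth sample line and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Field layout of an rsbac_adf_request() decision line as shown in the log
# excerpts above. Any syslog prefix (timestamp, "<6>", sequence number) is
# skipped because re.search is used instead of re.match.
ADF_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\S+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog_name>\S+), prog_file (?P<prog_file>\S+), "
    r"uid (?P<uid>\d+), remote ip (?P<remote_ip>\S+), target_type (?P<target_type>\S+), "
    r"tid (?P<tid>.+?), attr (?P<attr>\S+), value (?P<value>\S+), "
    r"result (?P<result>\S+) by (?P<module>\S+)"
)
# The tid field of a FILE target carries "Device M:N Inode I Path /abs/path".
PATH_RE = re.compile(r"Path (\S+)")


@dataclass
class AdfEvent:
    request: str
    pid: int
    uid: int
    prog_file: str
    target_type: str
    path: Optional[str]
    result: str
    module: str


def parse_adf_line(line: str) -> Optional[AdfEvent]:
    """Parse one log line; return None for lines that are not ADF decisions."""
    m = ADF_RE.search(line)
    if not m:
        return None
    pm = PATH_RE.search(m.group("tid"))
    return AdfEvent(
        request=m.group("request"),
        pid=int(m.group("pid")),
        uid=int(m.group("uid")),
        prog_file=m.group("prog_file"),
        target_type=m.group("target_type"),
        path=pm.group(1) if pm else None,
        result=m.group("result"),
        module=m.group("module"),
    )


def denials(lines: List[str], module: str = "ACL") -> List[Tuple[int, str, Optional[str]]]:
    """(uid, request, path) for every NOT_GRANTED decision made by `module`."""
    out = []
    for line in lines:
        ev = parse_adf_line(line)
        if ev is not None and ev.result == "NOT_GRANTED" and ev.module == module:
            out.append((ev.uid, ev.request, ev.path))
    return out


def denials_by_target(lines: List[str], module: str = "ACL") -> Dict[str, Set[int]]:
    """Which uids were refused on which target path: a quick view of who is
    running into a binary that was locked down with acl_mask."""
    table: Dict[str, Set[int]] = {}
    for uid, _request, path in denials(lines, module):
        if path is not None:
            table.setdefault(path, set()).add(uid)
    return table


# Sample input: the three denial lines shown on this page, plus one unrelated
# message (constructed) to show that non-decision lines are ignored.
SAMPLE_LOG = [
    "0000000658|rsbac_adf_request(): request EXECUTE, pid 26958, ppid 14663, prog_name bash, "
    "prog_file /bin/bash, uid 0, remote ip 192.168.1.5, target_type FILE, "
    "tid Device 253:01 Inode 88530 Path /bin/su, attr none, value none, result NOT_GRANTED by ACL",
    "Fri Jul 1 06:09:32 2011 :<6>0000000416|rsbac_adf_request(): request GET_STATUS_DATA, pid 15922, "
    "ppid 15921, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, "
    "target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, "
    "result NOT_GRANTED by ACL",
    "Fri Jul 1 06:09:34 2011 :<6>0000000417|rsbac_adf_request(): request EXECUTE, pid 10231, "
    "ppid 15922, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, "
    "target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, "
    "result NOT_GRANTED by ACL",
    "Fri Jul 1 06:10:00 2011 :<6>rsbac: constructed non-decision message",
]

if __name__ == "__main__":
    for uid, request, path in denials(SAMPLE_LOG):
        print(f"uid {uid} denied {request} on {path}")
    print(denials_by_target(SAMPLE_LOG))
```

Feeding the real log file through denials_by_target() after a mask change shows at a glance whether only the intended users (here root for /bin/su, and everyone outside the Dmesg group for /bin/dmesg) are being refused, which is the quickest way to spot a group membership that was forgotten.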
The ACL module offers a good way to do this and is easy to use.
This example can easily be modified for other cases.