wiki:experiences:igraltist:acl
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Last revision Both sides next revision
wiki:experiences:igraltist:acl [2012/07/21 21:50]
127.0.0.1 (old revision restored)
wiki:experiences:igraltist:acl [2012/07/21 21:54]
127.0.0.1 (old revision restored)
Line 1: Line 1:
 [[wiki:​experiences/​igraltist#​rsbac_acl|Back to igraltist'​s experiences/​ACL]]\\ [[wiki:​experiences/​igraltist#​rsbac_acl|Back to igraltist'​s experiences/​ACL]]\\
 +
  
  
Line 15: Line 16:
 The AUTH and or the RC module is much comfortable. The AUTH and or the RC module is much comfortable.
 All have to do as  security user (uid 400). All have to do as  security user (uid 400).
 +
 +===== 2. Create your first '​ACL'​ group =====
 +
 +Named as example Suing.\\
 +The P is using as type Private. The other options is G as type Global.\\
 +The number 1 on then and set the group-id. So it was empty on test befor and therefor i using the number 1.
 +
 +<code bash>
 +$acl_group add_group P Suing 1
 +</​code>​
 +
 +===== 3. Controll the setup =====
 +
 +<code bash>
 +$acl_group list_groups
 +Group 1: owner 400 (security), type P, name '​Suing'​
 +</​code>​
 +
 +===== 4. Add this new created '​ACL'​ group to the file /bin/su =====
 +
 +The subj_type is GROUP.\\
 +The subj_id is the group-id number from previous created group.\\
 +The rights is A which grant all.\\ ​
 +The target-type is FILE.\\
 +The filename is the absolute pathname /bin/su.
 +
 +<code bash>
 +$acl_grant GROUP 1 A FILE /bin/su
 +</​code>​
 +
 +===== 5. Add the user(s) to the new create '​ACL'​ group for allow changing user(su) =====
 +
 +The number 1 after add_member indicates the group-id number.\\
 +The number 1000 is in my case the first default user-id.\\
 +
 +<code bash>
 +$acl_group add_member 1 1000
 +</​code>​
 +
 +===== 6. Check the '​ACL'​ group for members =====
 +
 +<code bash>
 +$acl_group get_group_members 1 
 +1000 jens
 +</​code>​
 +
 +===== 7. List the '​ACL'​ rights from filename /bin/su =====
 +
 +List the rights and save it to restore later.
 +<​code>​
 +$acl_rights FILE /​bin/​su ​
 +/​bin/​su ​           : 11100000011000011111101110100000011011110011111111110110100
 +</​code>​
 +
 +
 +
 +===== 8. Change the default '​ACL'​ mask to allow nothing =====
 +
 +The rights [-s] is set to 0.\\
 +The target-type is FILE.\\
 +The filename is the absolute path /bin/su.
 +
 +<code bash>
 +$acl_mask -s 0 FILE  /bin/su
 +</​code>​
 +
 +===== 9. List again the '​ACL'​ rights from filename /bin/su =====
 +
 +<​code>​
 +$acl_rights FILE /​bin/​su ​
 +/​bin/​su ​           : 10000000000000000000000000000000000000000000000000000000000
 +</​code>​
 +
 +From now on, only member from '​ACL'​ group Suing are able to change to other user, when '​ACL'​ is using.
 +
 +===== 10. Test change user as root user =====
 +
 +<code bash>su - security
 +-bash: /bin/su: Operation not permitted
 +</​code>​
 +
 +This is the output from security-log.
 +
 +<code bash
 +Wed Nov  3 12:54:01 2010 :<​6>​0000000658|rsbac_adf_request():​ request EXECUTE, pid 26958, ppid 14663, prog_name bash, prog_file /bin/bash, uid 0, remote ip 192.168.1.5,​ target_type FILE, tid Device 253:01 Inode 88530 Path /bin/su, attr none, value none, result NOT_GRANTED by ACL
 +</​code>​
 +
 +The root user don't have EXECUTE rights, because befor we remove with acl_mask the default rights and set them to zero.
 +
 +===== 11. Remove an user from ACL =====
 +For example to remove an user from a acl file entry:
 +<code bash>
 +acl_grant -m USER "​ID"​ FILE "/​path/​to/​file"​
 +</​code>​
 +
 +
 +
 +
 +
 +===== 12. Example to prevent an user to use dmesg =====
 +Create a acl group to assing to file /​bin/​dmesg. ​
 +<code bash>
 +acl_group add_group P Dmesg 2
 +</​code>​
 +
 +Add the acl group to the file.
 +<code bash>
 +acl_grant GROUP  2 A FILE /bin/dmesg
 +</​code>​
 +
 +Remove all default entries from the target file.
 +<code bash>
 +acl_mask -s 0 FILE  /bin/dmesg
 +</​code>​
 +
 +Try the setup.
 +<code bash>
 +dmesg
 +-bash: /bin/dmesg: Operation not permitted
 +</​code>​
 +
 +Visit the rsbac logfile.
 +<code bash>
 +Fri Jul  1 06:09:32 2011 :<​6>​0000000416|rsbac_adf_request():​ request GET_STATUS_DATA,​ pid 15922, ppid 15921, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5,​ target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
 +Fri Jul  1 06:09:34 2011 :<​6>​0000000417|rsbac_adf_request():​ request EXECUTE, pid 10231, ppid 15922, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5,​ target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
 +</​code>​
 +
 +===== Conclusion =====
 +
 +The '​ACL'​ modul offers a good possibility and is easy to use.
 +
 +This example can easy modify to use on other cases.
 +
  
//
wiki/experiences/igraltist/acl.txt · Last modified: 2012/07/21 21:55 by 127.0.0.1

wiki/experiences/igraltist/acl.txt · Last modified: 2012/07/21 21:55 by 127.0.0.1
This website is kindly hosted by m-privacy