INSE 6130 Operating Systems Security

Lab 3 - security Fall 2014

Updated by Paria Shirani - Saed Alrabaee

Overview

In this lab session, students will learn the basics of UNIX administration, and user/group access rights regarding files and groups. Students will be able to perform the following operations: (i) adding groups and creating user accounts, (ii) creating files and changing their access rights, and (iii) defining access control lists (ACLs).

Introduction

Unix file system permissions are organized into three classes:

• User: The user who owns the file
• Group: Users belonging to the file's defined ownership group
• Other: Everyone else

In turn, for each of these classes of user, there are three types of file access:

• The ability to look at the contents of the file ("Read")
• The ability to change the contents of the file ("Write")
• The ability to run the contents of the file as a program on the system ("Execute")

On Linux and other Unix-like operating systems, there is a set of rules for each file which defines who can access that file, and how they can access it. These rules are called file permissions or file modes. The command name chmod stands for "change mode", and it is used to define the way a file can be accessed.

chmod

chmod is used to change the permissions of a file or files.

chmod options permissions filename

If no options are specified, chmod modifies the permissions of the file specified by filename to the permissions specified by permissions. permissions defines the permissions for the owner of the file (the "user"), members of the group who owns the file (the "group"), and anyone else ("others"). There are two ways to represent these permissions: with symbols (alphanumeric characters), or with octal numbers (the digits 0 through 7).

Let's say you are the owner of a file named myfile, and you want to set its permissions so that:

• the user can read, write, and execute it;
• members of your group can read and execute it; and
• others may only read it.

The following command, which uses symbolic permissions notation, does this:

chmod u=rwx,g=rx,o=r myfile

The letters u, g, and o stand for "user", "group", and "other". The equals sign ("=") means "set the permissions exactly like this," and the letters "r", "w", and "x" stand for "read", "write", and "execute", respectively. The commas separate the different classes of permissions, and there are no spaces in between them. Here is the equivalent command using octal permissions notation:

chmod 754 myfile

Here the digits 7, 5, and 4 each individually represent the permissions for the user, group, and others, in that order. Each digit is a combination of the numbers 4, 2, and 1:

• 4 stands for "read"
• 2 stands for "write"
• 1 stands for "execute"

So 7 is the combination of permissions 4+2+1 (read, write, and execute), 5 is 4+0+1 (read, no write, and execute), and 4 is 4+0+0 (read, no write, and no execute).
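The two notations can be cross-checked mechanically. The shell functions below are an added example, not part of the original lab: sym_to_octal (a hypothetical helper) handles only the "=" clauses used above and counts a class that is not named as 0, and octal_to_rwx (also hypothetical) prints the nine characters that ls -l shows for a mode.

```shell
#!/bin/sh
# Added example (not from the lab handout): convert between the two chmod
# notations. Only the "=" operator is supported; "+" and "-" are rejected.

# sym_to_octal "u=rwx,g=rx,o=r"  ->  754
# Assumption: a class that is not named counts as 0 (chmod would keep it).
sym_to_octal() {
    u=0; g=0; o=0
    for clause in $(printf '%s' "$1" | tr ',' ' '); do
        case $clause in
            [ugo]=*) ;;
            *) echo "unsupported clause: $clause" >&2; return 1 ;;
        esac
        perms=${clause#*=}
        case $perms in
            *[!rwx]*) echo "bad permission letters: $perms" >&2; return 1 ;;
        esac
        val=0
        case $perms in *r*) val=$((val + 4)) ;; esac
        case $perms in *w*) val=$((val + 2)) ;; esac
        case $perms in *x*) val=$((val + 1)) ;; esac
        case $clause in
            u=*) u=$val ;;
            g=*) g=$val ;;
            o=*) o=$val ;;
        esac
    done
    echo "$u$g$o"
}

# octal_to_rwx 754  ->  rwxr-xr--   (the nine characters ls -l prints)
octal_to_rwx() {
    out=
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        case $d in [0-7]) ;; *) echo "not octal: $1" >&2; return 1 ;; esac
        if [ $((d & 4)) -ne 0 ]; then out=${out}r; else out=${out}-; fi
        if [ $((d & 2)) -ne 0 ]; then out=${out}w; else out=${out}-; fi
        if [ $((d & 1)) -ne 0 ]; then out=${out}x; else out=${out}-; fi
    done
    echo "$out"
}

sym_to_octal "u=rwx,g=rx,o=r"                      # prints 754
octal_to_rwx "$(sym_to_octal 'u=rwx,g=rx,o=r')"    # prints rwxr-xr--
```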

NOTE: before you start:

Note 1: If you are in the Virtual Machine, press Ctrl+Alt to return to Windows.

Note 2: To start a shell with root privileges, issue the command and enter your when prompted.

Note 3: To switch from a user firstuser to user seconduser, type 'su seconduser'. Unless firstuser is the root, you will need to enter the password of seconduser.

Note 4: Type the command ‘whoami’ to know your username. Use ‘pwd’ to know your actual location.

Note 5: To know more about a command and understand its syntax, type ‘man commandname’ or ‘info commandname’. Quit the manual by pressing ‘q’.

A. Adding groups and creating/assigning user's accounts

Assume you are the (root) of a fictional university that has one student (alice) and two professors (bob and malory).

. Create the professor group using the groupadd command.

groupadd professor

. Create bob's account and assign it to the professor group using the useradd command.

useradd -g professor bob

. Set a password for bob.

passwd bob

. Using the same command as above, create malory's account and assign it to the professor group.

useradd -g professor malory

. Set a password for malory.

passwd malory

. Create student group and assign alice to this group.

. Type the following command to view the current group settings.

cat /etc/group

B. Creating files and changing their access rights

. Go to the shared directory

cd shared

. Log in as bob: su bob

. Create one empty file using the touch command: touch bobfile.txt

. List the files using the ‘ls -l’ command. Observe the permissions.

ls -l bobfile.txt

QUESTIONS:

Why can alice not write into bobfile.txt?

Why can malory not write into bobfile.txt although bob and malory are in the same group?

. Using the chmod command, edit the permissions on bobfile.txt so that malory can read and write it and alice can only read it.

. Try to make malory the new owner of bobfile.txt using the chown command: chown malory:professor bobfile.txt

QUESTIONS:

Why is the operation not allowed although bob owns bobfile.txt?

Who can change the ownership of the file?

. Switch to user malory (Refer to Note 2) and create a new file maloryfile.txt.

touch maloryfile.txt

. Use the chmod command to only give the write permission to the professor group and the others (DO NOT GIVE THE READ PERMISSION).

. Switch to user bob (refer to Note 2 or just type exit). Write something inside maloryfile.txt.

nano maloryfile.txt

NOTE: You should be user bob at this step.

. Inside the shared folder, there is another folder that is owned by the root. Go into that folder:

cd /shared/rootowned

. The folder contains one file (rootfile). Check the permissions of the files.

ls -l

QUESTION: Which permissions does bob have on the rootfile.txt?

. Try to rename the file:

mv rootfile.txt renamedfile.txt

QUESTION: Why can bob not rename rootfile.txt although he has been granted full permissions on it?

C. Access Control Lists (ACLs)

Discretionary Access Control (DAC) allows a user or administrator to define an Access Control List (ACL) on a specific resource (e.g. file, registry key, database table, OS object, etc.). This list contains entries (ACEs) that define each user that has access to the resource and what his/her privileges are for that resource. This section presents a very brief introduction to access control lists in Linux. ACLs are not widely used in Linux since the 9 permission bits are much simpler. The basic commands are getfacl (get file ACL), which displays the ACL of a file, and setfacl (set file ACL), which modifies the file access control list. To learn the many options these commands can take, please refer to the manual.
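How the entries printed by getfacl combine into one access decision, as an added example that is not part of the original lab and goes beyond the two commands named above: a named user or group entry is consulted before the "other" bits and is filtered by the mask entry, following the access check algorithm documented in acl(5). The function name acl_allows, the sample ACL, the file name and the users carol, dave, erin and frank are constructed for illustration.

```shell
# Added example (not from the lab handout): decide whether one permission
# (r, w or x) is granted by a POSIX ACL given as getfacl-style text on stdin.
# usage: acl_allows USER "GROUP1 GROUP2" r|w|x   (exit status 0 = allowed)
acl_allows() {
    awk -v who="$1" -v grps="$2" -v want="$3" '
        function has(p) { return index(p, want) > 0 }
        /^# owner: / { owner = $3 }
        /^# group: / { ogroup = $3 }
        /^#/ || NF == 0 { next }
        {
            sub(/[ \t]*#.*/, "")     # strip "#effective:..." annotations
            split($0, f, ":")
            if (f[1] == "user" && f[2] == "")       uobj = f[3]
            else if (f[1] == "user")                named[f[2]] = f[3]
            else if (f[1] == "group" && f[2] == "") gobj = f[3]
            else if (f[1] == "group")               ngroup[f[2]] = f[3]
            else if (f[1] == "mask")                { mask = f[3]; seen = 1 }
            else if (f[1] == "other")               other = f[3]
        }
        END {
            if (!seen) mask = "rwx"  # no mask entry: nothing is filtered
            if (who == owner) exit !has(uobj)              # 1. owner, unmasked
            if (who in named) exit !(has(named[who]) && has(mask))  # 2. named user
            n = split(grps, g, " ")                        # 3. group entries
            for (i = 1; i <= n; i++) {
                if (g[i] == ogroup) { member = 1; if (has(gobj)) ok = 1 }
                if (g[i] in ngroup) { member = 1; if (has(ngroup[g[i]])) ok = 1 }
            }
            if (member) exit !(ok && has(mask))
            exit !has(other)                               # 4. everyone else
        }'
}

# Constructed getfacl output; the file, users and groups are made up.
SAMPLE_ACL='# file: report.txt
# owner: carol
# group: staff
user::rwx
user:dave:r-x   #effective:r--
group::rw-      #effective:r--
group:audit:r--
mask::r--
other::rwx'
show() {  # show USER GROUPS PERM
    if printf '%s\n' "$SAMPLE_ACL" | acl_allows "$1" "$2" "$3"
    then echo "$1 $3: allowed"; else echo "$1 $3: denied"; fi
}
show carol "" w; show dave "" x; show erin staff w; show frank "" w
```

On a lab machine the same function can read real output, for example by piping getfacl alicefile.txt into acl_allows bob professor r.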

. Go to the shared directory

cd shared

. Log in as user alice (Refer to Note 2)

. Create a new file (not empty) and set the permissions (remove all the permissions of others)

echo "I belong to alice." > alicefile.txt
chmod 760 alicefile.txt

. Display the permissions bits and the ACL of the file.

ls -l alicefile.txt
getfacl alicefile.txt

. Use the ACL to give user bob the right to read, write and execute alicefile.

setfacl -m user:bob:rwx alicefile.txt

. Display the permissions bits and the ACL of the file.

ls -l alicefile.txt
getfacl alicefile.txt

QUESTION: What is the difference? What do you see?

. Switch to user bob (refer to Note 2). Try to read alicefile.txt. Does it work?

cat alicefile.txt

Let's do the opposite:

. Log in as user alice (Refer to Note 2 or just type exit)

. Edit the permissions of alicefile.txt (grant full rights to others).

chmod 777 alicefile.txt

. Remove bob's right to read and write in the ACL.

setfacl -m user:bob:x alicefile.txt

. Display the permissions bits and the ACL of the file.

ls -l alicefile.txt
getfacl alicefile.txt

. Switch to user bob (refer to Note 2). Try to read alicefile.txt.

cat alicefile.txt

QUESTION: Does it work? Can bob read alicefile.txt?

C.1 Sharing a file with a particular user (Optional)

. Switch to user bob (refer to Note 2), delete the previous bobfile.txt and create a new file.

rm -f bobfile.txt && touch bobfile.txt

. Use the chmod command to remove the permissions of the groups and others. Only bob (and the root) can access the file.

chmod 700 bobfile.txt

. Use the ACL to give permissions to malory.

setfacl -m user:malory:rwx bobfile.txt

. Display the permissions bits and the ACL of the file.

ls -l bobfile.txt
getfacl bobfile.txt

The group professor is denied in the ACL, but not in the 9 permission bits. The user malory is allowed in the ACL.

QUESTIONS:

Can malory access bobfile.txt?

Do you think another member of the professor group can access bobfile.txt? If you can, create a new user (let's call him tom) using the commands in section A and see what happens.

Appendix

Some of the commands used in the lab are presented here along with a short description. This is in no way an exhaustive documentation. Please refer to their manual if you wish to know more.

Command          Description

ls               List directory contents.
                 ls [OPTION]... [FILE]...
                 ls -l / use a long listing format
                 ls -a / do not hide entries starting with .

cd               Change the working directory.
                 cd [OPTION] [directory]
                 cd pathtofolder / go to folder
                 cd .. / go to the parent directory

echo             Print a string.
                 echo "message"

cat              Concatenate: display the content of a file.
                 cat file

nano (or pico)   Simple text editor.
                 nano filename
                 Ctrl+X to exit

touch            Create an empty file.
                 touch filename

umask            Change the default permissions that are assigned when you create a new file.
                 You can also use the .bashrc file in the home directory to do the same.

chmod            Change the permissions of a file or a folder.
                 chmod xyz filename (x are the owner permissions, y the group permissions and z the others permissions)
                 1 = execute, 2 = write, 4 = read
                 Permissions are established by the sum of the preceding values; y = 5 means group can read and execute.

chown            Change the owner of a file.
                 chown newowner:group file

useradd          Add a new user.
                 useradd [OPTIONS] username

groupadd         Add a new group.
                 groupadd groupname

su               Switch user.
                 su username (it will ask you for the password of username unless you are root)

getfacl          View the ACL of a file.
                 getfacl [OPTIONS] filename

setfacl          Edit the ACL of a file.
                 setfacl [OPTIONS] filename

clear            Clear the terminal. You can also press Ctrl+L.
