Access Control in Unix
Introduction- the basics:
- Original Unix principles:
- Objects (files/processes) have owners.
- You own new objects you create
- A special user account called root can act as owner of any object.
- Only root can perform sensitive admin operations
- Every file has an owner and a group
- Kernel tracks access through user identification numbers (UIDs) and group identification numbers (GIDs)
- Access maintained through three files
- /etc/passwd: 7 fields including user name, optional password, userid, group id, ...
- /etc/shadow: 9 fields, includes user name, encrypted password (see man shadow)
- /etc/group: group_name:passwd:GID:user_list
- jjm:x:1000 (the x says no password)
- sudo:x:27:jjm (this says jjm is a member of group sudo)
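The field layouts above are enough to answer two audit questions: which accounts have UID 0, and who belongs to a group such as sudo. The following is an added example, not part of the original notes; the sample data is constructed, and the helper names (join_lines, uid0_accounts, group_members) are hypothetical.

```sh
# Added example. Constructed sample data in the /etc/passwd and /etc/group
# formats described above; these are not real accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jjm:x:1000:1000:JJM:/home/jjm:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'
SAMPLE_GROUP='root:x:0:
sudo:x:27:jjm,alice
jjm:x:1000:'

# Join input lines into one comma-separated line.
join_lines() { awk '{ out = out (out ? "," : "") $0 } END { print out }'; }

# uid0_accounts PASSWD_TEXT (hypothetical helper): names whose UID field
# (3rd of 7) is 0. The kernel treats every such account as root.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: 'NF == 7 && $3 == 0 { print $1 }' | join_lines
}

# group_members GROUP PASSWD_TEXT GROUP_TEXT (hypothetical helper): users
# listed in the group's user_list plus users whose primary GID (4th passwd
# field) is that group, since primary membership is not in user_list.
group_members() (
    gid=$(printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g { print $3 }')
    {
        printf '%s\n' "$3" | awk -F: -v g="$1" \
            '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        printf '%s\n' "$2" | awk -F: -v id="$gid" '$4 == id { print $1 }'
    } | sort -u | join_lines
)

echo "UID 0 accounts: $(uid0_accounts "$SAMPLE_PASSWD")"
echo "sudo members:   $(group_members sudo "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
echo "jjm group:      $(group_members jjm "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
```

In the sample, the second UID 0 account (backup) is the kind of entry this check is meant to surface.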
Controlling access to files:
Let's do another example: Issue a 'ls -lt' and assume we see:
drwxrwxr-x. 2 jjm jjm 4096 Apr 20 21:01 tmp
-rw-rw-r--. 1 jjm jjm 86112 Apr 20 17:16 resultsEXP1.tar.gz
Let's talk about these two lines. The first group of information is the 'permission bits'. The second field (with the number 2 or 1) indicates the number of links or directories in the current directory. We usually use octal numbers to represent the permission bits.
- Review octal:
- digits: 0, 1, ... , 7
- number 8 is represented as 10
- So... to capture rwx in a single digit, the values are 0-7. To encode read/write but NO execute permission: 6
- Three octal digits capture the permissions across the three access control groups (user, group, world) :
- The first character specifies the file type:
- d (directory)
- -(regular file)
- c or b (character or block device file)
- s (domain socket)
- p (named pipe)
- l (symbolic link): create with 'ln -s'.
- The next 9 bits identify the permissions (rwx) for the user, the group, the world
Basically, there are three things that can be done to an ordinary file or directory:
- r: read. Examine the contents
- w: write. Change the contents
- x: execute. Run a program, or search the directory
- When deciding who can have access to a file, UNIX recognises three categories of users:
- Owner. The owner of the file or directory
- Group. Other users belonging to the user's group
- Public. All other users on the system
- Test question: if you add content to a web site meant for read only access: usually only give user and group write access.
- chmod 644 webfile.html
- Note: it is safer to set numerically as it does not require you to know the current settings
- If you know the current permission bits and want to make a change relative to what you see, the letter notation might be easier (e.g., chmod a-x webfile.html removes execute bit for all three access groups)
- example: a file on my web site:
- -rw-r--r-- 1 jmarty cuuser 410377 Apr 24 13:24 EXAM2Spring2017-TakeHome.pdf
- Setuid/setgid/sticky bit: permission bits with octal values 4000 and 2000 and 1000 (i.e., the most significant digit of the permissions bits) : uid, gid, sticky bit respectively
- Users have their UID and GID set in the login configuration.
- The setuid bit is set if we see an 's' in the listing: 'ls -lt /usr/bin/passwd'
- -rwsr-xr-x. 1 root root 27012 Aug 21 2010 /usr/bin/passwd
- To remove >chmod -s /file
- To add >chmod u+s /file
- Use the stat command to see the value
- jjm@jjm-VirtualBox:/usr/bin$ stat passwd
File: 'passwd'
Size: 54256 Blocks: 112 IO Block: 4096 regular file
Device: 801h/2049d Inode: 262573 Links: 1
Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-03-29 05:25:09.000000000 -0400
Modify: 2016-03-29 05:25:09.000000000 -0400
Change: 2017-01-17 02:48:26.806131116 -0500
Birth: -
- the setuid allows one user to execute the program of another user by temporarily giving the caller the same access level as the owner of the executable.
- Simple explanation of SUID
- gid: if set on an executable file, the caller is elevated to the group access level of the file prior to executing. If gid is set on a directory, all new files created in the directory take on the group ownership of the directory rather than the default group of the user. This was intended to make it easier for a group of users to share a common directory.
- Sticky bit:
- Appears to no longer be of interest AND unclear if it is consistently supported across all types of Unix systems. The original idea was that if set on a directory, the filesystem won't allow you to delete or rm files in the directory. Again, this was targeted to help a group of users share a common directory (e.g., like /tmp).
- Like the uid/gid appear as an 's' on the execute bit, the sticky bit appears as a 't' on the world
- $ ls -lt / | grep tmp
total 100
drwxrwxrwt 9 root root 4096 Apr 26 12:25 tmp
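To tie the listing notation to the octal values (including the 4000/2000/1000 digit), here is an added example, not part of the original notes, that converts an 'ls -l' permission string into its four-digit octal mode. The function name mode_to_octal is hypothetical; the sample strings are the ones shown in the listings above.

```sh
# Added example: convert an 'ls -l' permission string to its four-digit octal
# mode. mode_to_octal is a hypothetical helper name, not a standard command.
mode_to_octal() (
    perms=$(printf '%s' "$1" | cut -c2-10)    # skip the file-type character
    special=0; digits=""; i=0
    for weight in 4 2 1; do                   # setuid=4, setgid=2, sticky=1
        triad=$(printf '%s' "$perms" | cut -c$((i * 3 + 1))-$((i * 3 + 3)))
        d=0
        case $triad in r??) d=$((d + 4)) ;; esac
        case $triad in ?w?) d=$((d + 2)) ;; esac
        case $triad in
            ??x)    d=$((d + 1)) ;;
            ??[st]) d=$((d + 1)); special=$((special + weight)) ;;  # special bit and x
            ??[ST]) special=$((special + weight)) ;;                # special bit, no x
        esac
        digits="$digits$d"
        i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
)

# Permission strings taken from the listings on this page.
for p in 'drwxrwxr-x.' '-rw-rw-r--.' '-rwsr-xr-x.' 'drwxrwxrwt'; do
    printf '%-12s %s\n' "$p" "$(mode_to_octal "$p")"
done
```

A capital 'S' or 'T' in a listing means the special bit is set while the underlying execute bit is not, which the last case branch handles.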
Changing Files Modes or File Permissions
Note: information related to Ubuntu is here.
Summary: The access privileges are sometimes called the mode of the file or directory. Use chmod to change the mode. Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'. The notation is based on:
- u: user(owner) of the file
- g: group
- o: others
- a: all
- =: assign a permission
- +: add a permission
- -: remove a permission
The chmod command is used to change the mode. For example: $chmod g-rw filename. Alternatively, chmod will accept an octal encoding of the bits. For example, create a script file ex.sh and place a line of text in the file. On an Ubuntu 16.04 system, the permissions are set to
-rw-rw-r-- 1 jjm jjm 474 Jan 28 16:29 ex.sh
To make this file read/write/executable by the owner, and executable by users from the group or the world, we could do either: >chmod 755 ex.sh or >chmod u+rwx,g-w,go+x ex.sh
-rwxr-xr-x 1 jjm jjm 474 Jan 28 16:29 ex.sh
As another example, safe permission settings for your web site directories would be execute permission for everyone so they can step into directories: 'chmod a+x ./' AND then add read permission for others on all files that can be viewed by web browsers: 'chmod o+r ./'.
The following commands set all files to 644 and directories to 755:
- find . -type d -exec chmod 755 {} \;
- find . -type f -exec chmod 644 {} \;
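Before resetting a tree with the two find commands, it helps to see what currently deviates from the 644/755 policy and whether any setuid/setgid files are present. The following is an added example, not part of the original notes; it builds a constructed sample tree in a temporary directory, and all function names are hypothetical.

```sh
# Added example. make_sample_tree builds a constructed web root with three
# deliberate deviations; every function name here is hypothetical.
make_sample_tree() (
    root=$(mktemp -d)
    mkdir -p "$root/css" "$root/uploads"
    : > "$root/index.html"; : > "$root/css/site.css"; : > "$root/uploads/tool"
    chmod 755 "$root" "$root/css"
    chmod 644 "$root/index.html"
    chmod 666 "$root/css/site.css"     # world-writable file
    chmod 777 "$root/uploads"          # world-writable directory, no sticky bit
    chmod 4755 "$root/uploads/tool"    # setuid executable
    printf '%s\n' "$root"
)

# Entries that deviate from 644 (files) / 755 (directories). '-perm 644'
# is an exact match, so a 4644 file is reported as well.
policy_violations() {
    find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) | sort
}

# Regular files carrying the setuid (4000) or setgid (2000) bit.
special_bit_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# The two find commands from the text, applied to a given root.
normalize_tree() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

tree=$(make_sample_tree)
echo "deviations before:";  policy_violations "$tree"
echo "setuid/setgid files:"; special_bit_files "$tree"
normalize_tree "$tree"
echo "deviations after: $(policy_violations "$tree" | wc -l)"
rm -rf "$tree"
```

Reviewing the "before" output first matters because the numeric chmod 644 also clears the setuid bit, so the evidence of an unexpected setuid file is gone once the tree is normalized.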
Controlling who can execute programs
- Traditional Unix access control complemented by identity substitution (e.g., su) and even better, sudo
- Substitute User
- su -l otheruser; If you have multiple accounts or know the pwd for another user (and are allowed!!), this simply logs you in as the other user.
- su -l ; this is how you can switch (or substitute) user to root. By default this is not configured on Ubuntu - and for good reasons.
- read this !!! This explains why sudo is much safer than enabling a root login.
- One method to su to root is to issue 'sudo su -l' and enter your pwd.
- Another method is :
- >sudo passwd ; and it prompts for root's password; enter your pwd and then enter a new pwd for root.
- Then 'su -l' and enter root's pwd to become root.
- Warning: as root, you can destroy your system!! See this page on Rootsudo.
- Sudo - temporarily elevates to root for the duration of the command
- More modern approaches: ACL or role-based access control (RBAC)
- Access Control List (ACL):
- Linux supports the Access Control List (ACL) that is specified by a POSIX standard (draft).
- By default, extended ACL is not used, and instead the traditional file access based on user/group/world with rwx is used.
- To check, issue '>getfacl /etc' - if it just shows the owner/group/world then extended ACL is not enabled.
- Refer to Ubuntu's ACL page for further details.
- Role-based Access Control
- concept is similar to the Unix group, however it extends beyond just the filesystem
- Might define a hierarchy of admin capabilities
- Other approaches
- Security-enhanced Linux (SELinux): over the edge policy control ... provides fine-grained control of who can do what.
Relevant Unix commands.
- chmod, chown, chgrp : change permissions, owner, group
- setuid, getuid: sets UID or GID
- chroot - change the root directory of a program or process
- mknod - creating device files
- /dev
- /dev/random
- random="$(dd if=/dev/urandom bs=3 count=1)"
- usermod - modify user account information
- adduser (preferred over useradd), rmuser
Remote Desktop - Ubuntu natively supports VNC. Refer to this link for detailed instructions:
http://ubuntuhandbook.org/index.php/2016/07/remote-access-ubuntu-16-04/
In the Ubuntu user interface search, enter Desktop and select Desktop Sharing.
From another Ubuntu, start Remote Desktop Client, specify target IP and use VNC protocol
From Windows 10, install TightVNC. There is a problem however .... on the target Ubuntu,
- sudo apt-get install dconf-editor
- run this program....shows a GUI
- select org -> gnome -> desktop -> remote-access and uncheck 'require-encryption' (the VNC session then crosses the network unencrypted)
Last update: 8/8/2018