% ----------------------------
\subsubsection{Users and Groups}
\begin{frame}[fragile]
  \frametitle{Users}
  \begin{itemize}
    \item Multiple Users per System
    \item Login spawns a shell with user privileges
    \item Process(es) inherit user privileges
  \end{itemize}
  \begin{beamerboxesrounded}[shadow=true]{Tools:}
    \begin{scriptsize}
\begin{verbatim}
# Add new user (interactive)
adduser <user>
# Remove existing user
deluser <user>
# Change password
passwd [<user>]
# Switch user ID
su [<user>]
# Run command as superuser (root)
sudo <command>
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Groups}
  \begin{itemize}
    \item A group contains 0..n users (static)
    \item Default group for each user
    \item 0..n supplementary groups for each user
    \item User can change group dynamically (password required)
  \end{itemize}
  \begin{beamerboxesrounded}[shadow=true]{Tools:}
    \begin{scriptsize}
\begin{verbatim}
# Add new group
addgroup <group>
# Remove existing group
delgroup <group>
# Add user to group
usermod [-g <group>] [-G <groups>] <user>
# Show current user and group ID
id
# Switch group ID
newgrp <group>
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Local Authentication Databases}
  \begin{itemize}
    \item User Database: \texttt{/etc/passwd}
    \item Group Database: \texttt{/etc/group}
    \item User Password Database: \texttt{/etc/shadow}
    \item Group Password Database: \texttt{/etc/gshadow}
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Pluggable Authentication Modules (PAM)}
\begin{frame}[fragile]
  \frametitle{Pluggable Authentication Modules (PAM)}
  \begin{itemize}
    \item Pluggable shared libraries
    \item System-wide Authentication
    \item Plugins available for:
      \begin{itemize}
        \item UserID and Password (local)
        \item LDAP
        \item Kerberos (e.g. NIS, Windows Domain Controller)
        \item Hardware-based Authentication (e.g.
SmartCard)
      \end{itemize}
    \item Extensible with custom PAM modules
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{File Access Control}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{File Access Control}
  \begin{figure}[h]
    \centering
    \includegraphics[width=8cm]{images/file_access_control.png}
  \end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Basic File Permissions}
  \begin{itemize}
    \item defined for each File or Directory
    \item checked by the Virtual Filesystem Layer
    \item Access Mode: \\ read, write, execute (entry)
    \item Access Role: \\ user, group, other
    \item Special: \\ set UID, set GID, sticky
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Basic File Permissions: Example}
  \begin{beamerboxesrounded}[shadow=true]{Example}
    \begin{scriptsize}
\begin{verbatim}
$ ls -l /dev/ttyS?
crw-rw---- 1 root dialout 4, 64 Nov 5 08:14 /dev/ttyS0
crw-rw---- 1 root dialout 4, 65 Nov 5 08:14 /dev/ttyS1
crw-rw---- 1 root dialout 4, 66 Nov 5 08:14 /dev/ttyS2
crw-rw---- 1 root dialout 4, 67 Nov 5 08:14 /dev/ttyS3
# Change ownership
chown service /dev/ttyS1
chgrp test /dev/ttyS1
# Change permissions
chmod u=rw g=r o= /dev/ttyS1
$ ls -l /dev/ttyS?
crw-rw---- 1 root dialout 4, 64 Nov 5 08:14 /dev/ttyS0
crw-r----- 1 service test 4, 65 Nov 5 08:14 /dev/ttyS1
crw-rw---- 1 root dialout 4, 66 Nov 5 08:14 /dev/ttyS2
crw-rw---- 1 root dialout 4, 67 Nov 5 08:14 /dev/ttyS3
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Access Control Lists}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Access Control List (ACL)}
  \begin{itemize}
    \item More Users and Groups
    \item Round up Groups
    \item Tools: \\ \texttt{setfacl}, \texttt{getfacl}
    \item Requires: \\ \texttt{mount \dots\ -o acl}
    \item Pitfalls: \\ Not all tools support ACLs (e.g.
busybox-tar)
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{ACL: Example}
  \begin{itemize}
    \item Sue, Bob and Henry are working together on ProjectX.
      Sue and Henry are members of group \emph{dept\_a}, and Bob is a member of group \emph{dept\_b}.
    \item Q: Do we really need another group \emph{project\_x} with members Sue, Bob and Henry?
    \item A: Not mandatory.
  \end{itemize}
  \begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
    \begin{scriptsize}
\begin{verbatim}
mkdir /data/shared/project_x
chown pm_admin:pm_admin /data/shared/project_x
setfacl -m user:sue:rwx /data/shared/project_x
setfacl -m user:bob:rwx /data/shared/project_x
setfacl -m user:henry:rwx /data/shared/project_x
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{ACL: Example (2)}
  \begin{beamerboxesrounded}[shadow=true]{Result:}
    \begin{scriptsize}
\begin{verbatim}
getfacl /data/shared/project_x
# file: data/shared/project_x/
# owner: pm_admin
# group: pm_admin
user::rwx
user:sue:rwx
user:bob:rwx
user:henry:rwx
group::r-x
mask::rwx
other::r-x
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Extended File Attributes}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Extended File Attributes}
  \begin{itemize}
    \item More File Attributes
      \begin{itemize}
        \item a - append only
        \item i - immutable
        \item s - Overwrite with zeros on delete
      \end{itemize}
    \item Tools: \\ \texttt{lsattr}, \texttt{chattr}
    \item Requires: \\ root or \texttt{mount \dots\ -o user\_xattr}
    \item Pitfalls: \\ Not all tools support xattr (e.g. busybox-tar)
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{xattr: Example}
  \begin{itemize}
    \item Q: You want to check what user Franz is typing on the command line?
    \item A: Look at \texttt{/home/franz/.bash\_history}
    \item But Franz is clever and deletes \texttt{/home/franz/.bash\_history}
    \item Q: How can you prevent that?
  \end{itemize}
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
\begin{verbatim}
sudo chattr +a /home/franz/.bash_history
lsattr /home/franz/.bash_history
-----a-------e-- /home/franz/.bash_history
rm /home/franz/.bash_history
rm: cannot remove `/home/franz/.bash_history': Operation not permitted
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Multi-user Programming}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{UserIDs and GroupIDs of a Process}
  \begin{itemize}
    \item Real
      \begin{itemize}
        \item privileged: \\ set to any value
        \item unprivileged: \\ set to real, effective, or saved
      \end{itemize}
    \item Effective
      \begin{itemize}
        \item privileged: \\ set to any value
        \item unprivileged: \\ set to real, effective, or saved
        \item initial value (s-Bit): \\ set to file UID/GID
      \end{itemize}
    \item Saved
      \begin{itemize}
        \item privileged: \\ set to any value
        \item unprivileged: \\ set to real, effective, or saved
        \item initial value: \\ set to effective UID/GID
      \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{UID/GID: change}
  \begin{figure}[h]
    \centering
    \includegraphics[width=8cm]{images/proc_uidgid.png}
  \end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{UID/GID: Programming I}
  \begin{beamerboxesrounded}[shadow=true]{temporary change of Effective:}
    \begin{scriptsize}
\begin{verbatim}
printf("\nChange effective UID/GID back...\n");
if(setegid(real_gid)) /* error handling */;
if(seteuid(real_uid)) /* error handling */;
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
  \begin{beamerboxesrounded}[shadow=true]{and back again:}
    \begin{scriptsize}
\begin{verbatim}
printf("...and forth\n");
if(seteuid(saved_uid)) /* error handling */;
if(setegid(saved_gid)) /* error handling */;
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
  \begin{beamerboxesrounded}[shadow=true]{Drop finally:}
    \begin{scriptsize}
\begin{verbatim}
printf("\nChange finally to stored UID/GID");
printf(" (there is no way back)\n");
if(setregid(saved_gid, saved_gid)) /* error handling */;
if(setreuid(saved_uid, saved_uid)) /* error handling */;
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{UID/GID: Programming II}
  \begin{beamerboxesrounded}[shadow=true]{Result:}
    \begin{scriptsize}
\begin{verbatim}
$ ls -l
-rwsr-sr-x 1 dengler dengler 8480 Aug 19 17:22 ugid_to_stored
$ ./ugid_to_stored
Backup all UID/GID
UIDs/GIDs after start
eUID 1000 (rUID 1002, sUID 1000)
eGID 1000 (rGID 1002, sGID 1000)
Change effective UID/GID back...
eUID 1002 (rUID 1002, sUID 1000)
eGID 1002 (rGID 1002, sGID 1000)
...and forth
eUID 1000 (rUID 1002, sUID 1000)
eGID 1000 (rGID 1002, sGID 1000)
Change finally to stored UID/GID (there is no way back)
eUID 1000 (rUID 1000, sUID 1000)
eGID 1000 (rGID 1000, sGID 1000)
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Summary}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Summary}
  \begin{itemize}
    \item Resource
      \begin{itemize}
        \item File, Directory, or Device-Node
        \item assigned to User and Group
      \end{itemize}
    \item Access Rules
      \begin{itemize}
        \item Permission Bits (base)
        \item Access Control Lists (opt.)
        \item Extended File Attributes (opt.)
      \end{itemize}
    \item Process/Thread
      \begin{itemize}
        \item Resource Access: Effective UserID/GroupID
        \item UIDs/GIDs for each Process/Thread
        \item UID/GID are changeable
        \item PAM: assign UID/GID, based on Authentication
      \end{itemize}
    \item Conclusion
      \begin{itemize}
        \item Multi-User Support in Linux can be used to control Access to Data and Devices for Userspace Processes.
\end{itemize} \end{itemize} \end{frame}