path: root/security/advanced/frm_multiuser_dac.tex

% ----------------------------
\subsubsection{Users and Groups}

\begin{frame}[fragile]
\frametitle{Users}
\begin{itemize}
\item Multiple Users per System
\item Login spawn shell with user privileges
\item Process(es) inherit user privileges
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Tools:}
\begin{scriptsize}
\begin{verbatim}
# Add new user (interactive)
adduser <new_user>
# Remove existing user
deluser <user_name>

# Change password
passwd  [<user_name>]

# Switch user ID
su <user_name>
# Run command as superuser (root)
sudo <command>
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Groups}
\begin{itemize}
\item Group contain 0..n users (static)
\item Default group for each user
\item 0..n supplementary groups for each user
\item User can change group dynamically (password required)
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Tools:}
\begin{scriptsize}
\begin{verbatim}
# Add new group
addgroup <new_group>
# Remove existing group
delgroup <group_name>

# Add user to group
usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>]

# Show current user and group ID
id
# Switch group ID
newgrp <group_name>
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Local Authentication Databases}
\begin{itemize}
\item User Database: /etc/passwd
\item Group Database: /etc/group
\item User Password Database: /etc/shadow
\item Group Password Database: /etc/gshadow
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Pluggable Authentication Modules (PAM)}
\begin{frame}[fragile]
\frametitle{Pluggable Authentication Modules (PAM)}
\begin{itemize}
\item Pluggable shared libraries
\item System-wide Authentication
\item Plugins available for:
\begin{itemize}
\item UserID and Password (local)
\item LDAP
\item Kerberos (e.g. NIS, Windows Domain Controller)
\item Hardware-based Authentication (e.g. SmartCard)
\end{itemize}
\item Extendable with own PAM modules
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{File Access Control}

% ----------------------------
\begin{frame}[fragile]
\frametitle{File Access Control}
\begin{figure}[h]
\centering
\includegraphics[width=8cm]{images/file_access_control.png}
\end{figure}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Basic File Permissions}
\begin{itemize}
\item for each File or Directory
\item checked by Virtual Filesystem Layer
\item Access Mode: \\
      read, write, execute (entry)
\item Access Role: \\
      user, group, other
\item Special: \\
      set UID, set GID, sticky
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Basic File Permissions: Example}
\begin{beamerboxesrounded}[shadow=true]{Example}
\begin{scriptsize}
\begin{verbatim}
$ ls -l /dev/ttyS?
crw-rw---- 1 root dialout 4, 64 Nov  5 08:14 /dev/ttyS0
crw-rw---- 1 root dialout 4, 65 Nov  5 08:14 /dev/ttyS1
crw-rw---- 1 root dialout 4, 66 Nov  5 08:14 /dev/ttyS2
crw-rw---- 1 root dialout 4, 67 Nov  5 08:14 /dev/ttyS3

# Change ownership
chown service /dev/ttyS1
chgrp test /dev/ttyS1

# Change permissions
chmod u=rw g=r o= /dev/ttyS1

$ ls -l /dev/ttyS?
crw-rw---- 1 root    dialout 4, 64 Nov  5 08:14 /dev/ttyS0
crw-r----- 1 service test    4, 65 Nov  5 08:14 /dev/ttyS1
crw-rw---- 1 root    dialout 4, 66 Nov  5 08:14 /dev/ttyS2
crw-rw---- 1 root    dialout 4, 67 Nov  5 08:14 /dev/ttyS3
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\subsubsection{Access Control Lists}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Access Control List (ACL)}
\begin{itemize}
\item More Users and Groups
\item Round up Groups
\item Tools: \\
      setfacl, getfacl
\item Requires: \\
      mount \dots -o acl
\item Pitfalls: \\
      Not all tools support ACLs (e.g. busybox-tar)
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{ACL: Example}
\begin{itemize}
\item Sue, Bob and Henry working together on ProjectX. Sue and Henry are
members of group \emph{dept\_a}, and Bob is member of group \emph{dept\_b}.
\item Q: Do we really need another group \emph{project\_x} with members Sue, Bob
and Henry?
\item A: Not mandatory.
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
\begin{scriptsize}
\begin{verbatim}
mkdir /data/shared/project_x
chown pm_admin:pm_admin /data/shared/project_x
setfacl -m user:sue:rwx /data/shared/project_x
setfacl -m user:bob:rwx /data/shared/project_x
setfacl -m user:henry:rwx /data/shared/project_x
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{ACL: Example (2)}
\begin{beamerboxesrounded}[shadow=true]{Result:}
\begin{scriptsize}
\begin{verbatim}
getfacl /data/shared/project_x
# file: data/shared/project_x/
# owner: pm_admin
# group: pm_admin
user::rwx
user:sue:rwx
user:bob:rwx
user:henry:rwx
group::r-x
mask::rwx
other::r-x
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\subsubsection{Extended File Attributes}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Extended File Attributes}
\begin{itemize}
\item More File Attributes
 \begin{itemize}
 \item a - append only
 \item i - immutable
 \item s - Override with zeros on delete
 \end{itemize}
\item Tools: \\
      lsattr, chattr 
\item Requires: \\
      root or mount \dots -o user\_xattr
\item Pitfalls: \\
      Not all tools support xattr (e.g. busybox-tar)
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{xattr: Example}
\begin{itemize}
\item Q: You want to check what user Franz is typing on commandline?
\item A: Look at /home/franz/.bash\_history
\item But Franz is clever and deletes /home/franz/.bash\_history 
\item Q: How can you prevent that?
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Solution:}
\begin{scriptsize}
\begin{verbatim}
sudo chattr +a /home/franz/.bash_history
lsattr /home/franz/.bash_history
-----a-------e-- /home/franz/.bash_history
rm /home/franz/.bash_history
rm: cannot remove `/home/franz/.bash_history': Operation not permitted
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\subsubsection{Multi-user Programming}

% ----------------------------
\begin{frame}[fragile]
\frametitle{UserIDs and GroupIDs of a Process}
\begin{itemize}
\item Real
 \begin{itemize}
 \item privileged: \\
       set to any value
 \item unprivileged: \\
       set to real, effective, saved
 \end{itemize}
\item Effective
 \begin{itemize}
 \item privileged: \\
       set to any value
 \item unprivileged: \\
       set to real, effective, saved
 \item initial value (s-Bit): \\
       set to file UID/GID
 \end{itemize}
\item Saved
 \begin{itemize}
 \item privileged: \\
       set to any value
 \item unprivileged: \\
       set to real, effective, saved
 \item initial value: \\
       set to effective UID/GID
 \end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{UID/GID: change}
\begin{figure}[h]
\centering
\includegraphics[width=8cm]{images/proc_uidgid.png}
\end{figure}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{UID/GID: Programming I}
\begin{beamerboxesrounded}[shadow=true]{temporary change of Effective:}
\begin{scriptsize}
\begin{verbatim}
printf("\nChange effective UID/GID back...\n");
if(setegid(real_gid))
        /* error handling */;
if(seteuid(real_uid))
        /* error handling */;
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{and back again:}
\begin{scriptsize}
\begin{verbatim}
printf("...and forth\n");
if(seteuid(saved_uid))
        /* error handling */;
if(setegid(saved_gid))
        /* error handling */;
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Drop finally:}
\begin{scriptsize}
\begin{verbatim}
printf("\nChange finally to stored UID/GID“);
printf(" (there is no way back)\n");
if(setregid(saved_gid, saved_gid))
        /* error handling */;
if(setreuid(saved_uid, saved_uid))
        /* error handling */;
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{UID/GID: Programming II}
\begin{beamerboxesrounded}[shadow=true]{Result:}
\begin{scriptsize}
\begin{verbatim}
$ ls -l
-rwsr-sr-x 1 dengler dengler 8480 Aug 19 17:22 ugid_to_stored

$ ./ugid_to_stored
Backup all UID/GID
UIDs/GIDs after start
eUID  1000 (rUID  1002, sUID  1000)
eGID  1000 (rGID  1002, sGID  1000)

Change effective UID/GID back...
eUID  1002 (rUID  1002, sUID  1000)
eGID  1002 (rGID  1002, sGID  1000)
...and forth
eUID  1000 (rUID  1002, sUID  1000)
eGID  1000 (rGID  1002, sGID  1000)

Change finally to stored UID/GID (there is no way back)
eUID  1000 (rUID  1000, sUID  1000)
eGID  1000 (rGID  1000, sGID  1000)
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\subsubsection{Summary}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Summary}
\begin{itemize}
\item Resource
 \begin{itemize}
 \item File, Directory, or Device-Node
 \item assigned to User and Group
 \end{itemize}
\item Access Rules
 \begin{itemize}
 \item Permission Bits (base)
 \item Access Control Lists (opt.)
 \item Extended File Attributes (opt.)
 \end{itemize}
\item Process/Thread
 \begin{itemize}
 \item Resource Access: Effective UserID/GroupID
 \item UIDs/GIDs for each Process/Thread
 \item UID/GID are changeable
 \item PAM: assign UID/GID, based on Authentication
 \end{itemize}
\item Conclusion
 \begin{itemize}
 \item Multi-User Support in Linux can be used to control Access to Data and
       Device for Userspace Processes.
 \end{itemize}
\end{itemize}
\end{frame}