4.9. Expanding Access Permission

Regulating access is a complicated process. It is the main task of a system administrator, and the system's security depends greatly on it. Any mistake can cause you problems, ranging from being chewed out by the boss to losing your job. In a world in which information has become the most valuable product, you have to protect it with all available means.

Take your time and check the entire system to ensure that rights are assigned properly. No user, file system object, or program should have any rights it does not need; at the same time, each should have all the permissions necessary for its work.

The method of assigning rights based on the three classes "boss" (the owner), "boss's friends" (the owning group), and "rest of the crowd" (everyone else) is obsolete and does not provide the necessary security. Suppose you have two groups: accountants and economists. Suppose also that files created by an accountant get the -rwxrwx--- access permissions with the group set to accounting. Such files will be accessible to all workers of the accounting department, because members of the owner's group have the same rights to the files as the owner.

But what should you do if an economist needs to view files belonging to the accounting group, and not the files of every accounting user but those of one user only, and not all of that user's files but a select set? This is a rather difficult problem to solve with the mode bits alone. Setting the accounting files to -rwxrwxrwx will give every user on the system rights to view the accounting information, which is not desirable from the security standpoint.

You could try to solve the problem with copies of the files carrying other access permissions, but the copies go stale as soon as the originals change, and you will soon become lost in the tangle of files, copies, and links, all with different access permissions. Links by themselves do not help here: a hard link shares the target's inode and therefore its permission bits, and a symbolic link is resolved to the target, whose own permissions are then checked.

The problem can be solved relatively easily using Access Control Lists (ACLs), the way it is done in Windows. The difficult part with this solution is that, at the time of writing, there is no standard ACL implementation for Linux. In essence, this operating system is a kernel to which any developer can attach anything he or she desires, so each developer solves a particular problem his or her own way, or simply leaves it alone.

I cannot recommend a universal solution, because there are several different solutions by different developers. This means that, whatever solution is used, its stability can only be guaranteed for the kernel versions it was written for; there is no guarantee that the ACL system will function error-free after the kernel is updated. This is why I can only recommend that you take a look at the Linux Extended Attributes and ACLs project (http://acl.bestbits.at/). If you decide to employ it, you will be doing this at your own risk. The kernel side of that project, POSIX ACL support for ext2 and ext3, was merged into the mainline 2.6 kernel, and its user-space getfacl and setfacl tools are what distributions ship today, so on a current kernel no patching is required.

Linux Extended Attributes and ACLs is a product that requires the kernel to be patched and recompiled after installation. Its operating principle is based on storing extended attributes for each file; the ACL itself is kept in such an attribute. Not all file systems support extended attributes, so make sure yours does, and is mounted with ACL support enabled, before using ACLs. I consider ReiserFS and Ext3 the best file systems to use with this software.

After the patch and supplementary programs are installed, you can start working with ACLs through the getfacl and setfacl commands. An ACL allows you to grant individual users their own access rights to a file. The creator of the file remains its owner and has full rights, while the standard group and other permission bits can be left cleared.

For example, the access permissions for a file can be set to -rwx------. Despite such stringent controls, it is possible to specify other users who will have access to the file in addition to the owner.

Thus, in addition to the main access permissions, the system stores for each such file a list of users who have access to it beyond what the main access permissions grant. Keep in mind that once a file carries such a list, its group permission bits act as a mask: changing them with chmod also changes the upper limit on what the listed users can do, and can silently revoke access you granted.
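The following is an added example, not code from the book or from the ACL project: it models the POSIX ACL access check in the order the Linux kernel walks the entries (owner, named users, owning group and named groups, everyone else) together with the mask rule, and runs it over the accountant/economist scenario described above. All UIDs, GIDs and names in it are constructed for the illustration; the setfacl invocation in the docstring is only the command that would produce the modelled ACL.

```python
"""Model of the POSIX.1e ACL access check in the order Linux applies it.

Added example, not from the book or the acl project. All UIDs, GIDs and
names below are invented for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

R, W, X = 4, 2, 1


def perm(s: str) -> int:
    """'r-x' -> 5, i.e. an rwx triplet as permission bits."""
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


def perm_str(bits: int) -> str:
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


@dataclass
class Acl:
    owner_uid: int
    owner_gid: int
    user_obj: int                     # user::  (the mode's owner triplet)
    group_obj: int                    # group:: (the owning group)
    other: int                        # other::
    users: Dict[int, int] = field(default_factory=dict)   # user:UID:rwx entries
    groups: Dict[int, int] = field(default_factory=dict)  # group:GID:rwx entries
    mask: Optional[int] = None        # mask:: caps every entry except user:: and other::


def acl_permission(acl: Acl, uid: int, gids: List[int], want: int) -> bool:
    """True if a process running as uid with groups gids may perform `want` (R|W|X bits)."""
    def masked(bits: int) -> int:
        return bits if acl.mask is None else bits & acl.mask

    if uid == acl.owner_uid:                       # owner: user:: entry, the mask never applies
        return acl.user_obj & want == want
    if uid in acl.users:                           # named user: its entry, capped by the mask
        return masked(acl.users[uid]) & want == want
    # Group entries: the first matching entry that grants `want` on its own is used,
    # then capped by the mask. A group match never falls through to other::.
    in_some_group = False
    candidates = [(acl.owner_gid, acl.group_obj)] + list(acl.groups.items())
    for gid, bits in candidates:
        if gid in gids:
            in_some_group = True
            if bits & want == want:
                return masked(bits) & want == want
    if in_some_group:
        return False
    return acl.other & want == want                # everyone else: other::


def chmod_group_bits(acl: Acl, bits: int) -> None:
    """What chmod's group triplet changes: on an ACL with a mask it rewrites mask::, not group::."""
    if acl.mask is None:
        acl.group_obj = bits
    else:
        acl.mask = bits


def getfacl_text(acl: Acl) -> str:
    """Approximation of getfacl's listing, with #effective: where the mask cuts an entry down."""
    def line(tag: str, bits: int) -> str:
        eff = bits if acl.mask is None else bits & acl.mask
        note = "" if eff == bits else f"  #effective:{perm_str(eff)}"
        return f"{tag}:{perm_str(bits)}{note}"
    lines = [f"user::{perm_str(acl.user_obj)}"]
    lines += [line(f"user:{u}", b) for u, b in acl.users.items()]
    lines.append(line("group:", acl.group_obj))
    lines += [line(f"group:{g}", b) for g, b in acl.groups.items()]
    if acl.mask is not None:
        lines.append(f"mask::{perm_str(acl.mask)}")
    lines.append(f"other::{perm_str(acl.other)}")
    return "\n".join(lines)


# Constructed scenario from the text: an accountant's file, mode -rwx------,
# plus one ACL entry letting a single economist read it.
ACCOUNTANT, COLLEAGUE, ECONOMIST, OTHER_ECONOMIST = 1001, 1002, 2001, 2002
ACCOUNTING, ECONOMICS = 100, 200


def book_scenario() -> Acl:
    """The ACL that `chmod 700 report; setfacl -m u:2001:r-- report` would leave behind
    (setfacl recalculates mask:: as the union of the group and named entries, here r--)."""
    return Acl(owner_uid=ACCOUNTANT, owner_gid=ACCOUNTING,
               user_obj=perm("rwx"), group_obj=perm("---"), other=perm("---"),
               users={ECONOMIST: perm("r--")}, mask=perm("r--"))


def can(acl: Acl, uid: int, gids: List[int], want: str) -> bool:
    return acl_permission(acl, uid, gids, perm(want))


if __name__ == "__main__":
    acl = book_scenario()
    print(getfacl_text(acl))
    print("economist may read:", can(acl, ECONOMIST, [ECONOMICS], "r--"))
    print("accounting colleague may read:", can(acl, COLLEAGUE, [ACCOUNTING], "r--"))
    # Caveat: chmod g-rwx on a file with an ACL rewrites the mask and silently
    # revokes the economist's entry; getfacl then shows it as #effective:---.
    chmod_group_bits(acl, perm("---"))
    print("economist may read after chmod g-rwx:", can(acl, ECONOMIST, [ECONOMICS], "r--"))
```

The last step is the one to remember in practice: on a file that carries an ACL, the group triplet you see in ls -l is the mask, so a routine chmod g-rwx or chmod 700 cuts every named user and group entry down to nothing without touching the list itself.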

If this approach were implemented on the kernel level and were supported by all distributions, I would consider Linux the most secure and stable operating system there is.



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141
