User Authorizations


Users should be given only the authorizations needed to perform the tasks that their duties require. Minimizing users' authorizations minimizes the damage, accidental or malicious, that they can cause.

Carefully design the user and group relationships on your system to allow for the most restrictive permissions possible. There should be no access allowed except at the user and group levels. Users can be allowed to have access to multiple groups through supplemental groups that are configured in /etc/logingroup. You want to restrict your system as much as possible but still allow the system to operate correctly. Generally speaking, the read and write permissions should be removed from all executable programs. However, some implementations require read permissions on shell scripts.

Identity-based Authorizations

Most authorizations are based on individual identity: each individual identity is given specific privileges. This approach provides the greatest level of flexibility, because every user can be given unique authorizations based on his or her specific needs. It also requires the greatest amount of administration.

Group-based Authorizations

Users are often put into groups and authorizations are applied to these groups to simplify the administration of authorizations.

The newgrp command allows a user to change his group association if he is allowed to by the /etc/group file. The group file is composed of four colon-separated fields. The first is the group name, followed by the group ID, followed by an encrypted password field, followed by a comma-delimited list of login names that can change their group affiliations to this group.

The following example illustrates a group called "admin" with the group ID of 100. The users root, nathaniel, and jocelyn have the ability to change their group affiliation to this group with the newgrp command with the correct password.

 admin:100:dpBIMfa.UshYc:root,nathaniel,jocelyn 

This file must be readable by all users, but it should be writable only by root. If you are not using the new group feature, you should not have any users in the group file. Some automated administrative tools will add these users automatically. In any case, you should disable the newgrp command by setting the password field to LOCKED.

Some UNIX implementations support supplemental groups with the use of the file /etc/logingroup. This feature allows a user to be associated with more than one group at a time. Properly administered, it eliminates the need for the newgrp command. Each of the user's login groups is used to evaluate whether the user has access to a resource. This file has the same format as the system group file. Some documentation suggests linking these two files.
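The checks described in this section can be automated. The following Python code is an added example, not code from the book: it parses lines in the four-field group-file format, flags entries whose password field is not LOCKED or that list members, and checks that the file is readable by all users but writable only by root. The function names and every sample line other than the "admin" entry are constructed for illustration; because the supplemental-group file uses the same format, the same parser applies to it.

```python
import stat

# Constructed sample in the four-field format described above; the first
# line is the page's own example, the others are made up for illustration.
SAMPLE = """\
admin:100:dpBIMfa.UshYc:root,nathaniel,jocelyn
users:20:LOCKED:
staff:30:LOCKED:jocelyn
broken:40:LOCKED
"""

def parse_group_line(line):
    """Split one group-file line into its four colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError("expected 4 fields, got %d" % len(fields))
    name, gid, password, members = fields
    return {"name": name, "gid": int(gid), "password": password,
            "members": [m for m in members.split(",") if m]}

def audit_group_text(text):
    """Return (group, finding) pairs for entries that leave newgrp usable."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_group_line(line)
        except ValueError as exc:
            findings.append(("line %d" % lineno, "malformed: %s" % exc))
            continue
        # The page's convention: LOCKED in the password field disables newgrp.
        if entry["password"] != "LOCKED":
            findings.append((entry["name"], "password field is not LOCKED"))
        if entry["members"]:
            findings.append((entry["name"], "members listed: " + ",".join(entry["members"])))
    return findings

def audit_file_mode(st_mode, st_uid):
    """Check the rule above: readable by all users, writable only by root."""
    findings = []
    if st_uid != 0:
        findings.append("owner is uid %d, not root" % st_uid)
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group or other has write permission")
    if not st_mode & stat.S_IROTH:
        findings.append("not readable by all users")
    return findings
```

To audit a live system, pass the contents of the group file to audit_group_text() and the st_mode and st_uid values from os.stat() on that file to audit_file_mode().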

Role-based Authorizations

A user may perform many roles in an information system. A user's needs are based on the role that she is performing at that time. The role may be based on the relationship to the file or process (e.g., owner).

Controlled by Rules

Rules can be used to add greater granularity and flexibility to the levels of authorizations. The rules can incorporate additional information and relationships. They can add restrictions based on dynamic information, such as the time of day or the phase of the moon. Rules generally are represented by a list of relationships which all have to be met for the privilege to be granted.

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
