M01: Introduction to Operating Systems
TU1: Installing, configuring and exploiting a computer system
ASIX1
Practical Exercise 7: setuid bit. ACL
10-1-17

Practical Exercise 7:  The setuid bit. ACL(Access Control Lists)

GENERAL CONDITIONS
1-Deadline: 22-1-17
2- Send your report as a PDF file attached to an e-mail with the following specifications:
     a) E-mail address: cf(at)collados.org or jordi.binefa(at)fje.edu, depending on who your teacher is
     b) File name:
        b.1) ASIX1 (Catalan): asix1_surname_name_m01tu01pr7.pdf
        b.2) DAW1 (English): daw1_surname_name_m01tu01pr7.pdf
     c) Subject:
        c.1) ASIX1 (Catalan): asix1_surname_name_m01tu01pr7
        c.2) DAW1 (English): daw1_surname_name_m01tu01pr7
3- Make this report individually.
4- Left, right, top and bottom margins: 2cm.
5- Character format: a) Font: Times New Roman (or Liberation Serif), b) Size: 10, c) Questions typeface: Bold, d) Answers typeface: Regular

The setuid bit. ACL (Access Control Lists): DOCUMENTATION

1- Introduction

Linux supports two methods of controlling who can access a file or folder and how they can access it: a) traditional Linux access permissions, b) ACL (Access Control Lists), which provide finer-grained control of access permissions. This practical exercise discusses the second method. Additionally, we will study the setuid (set user ID) permission, which gives a user the privilege of running a command or program with the rights of the program's owner, and the setuid bit, which is linked to the setuid permission.

2- The setuid bit

a) Description
When you execute a file (a script or compiled program) that has the setuid (set user ID) permission, the process executing the file takes on the privileges of the file's owner. In other words, if you are the user "student" and a program called prog.sh, owned by the user "teacher", has the setuid permission set, then you will be able to run prog.sh with the permissions of the user "teacher". In that case, if prog.sh can modify the contents of a text file owned by "teacher", you will be able to remove, add or modify text in that file as well, even if you do not normally have permission to do so. Another example: if prog.sh removes all files in any folder owned by "teacher", you will be able to remove all files in any of the directories owned by "teacher" as well, even if you do not normally have permission to do so.

The mechanism by which a command or program can be executed with the effective privilege of the program file's owner is quite simple. You only need to set a bit, called the setuid bit, in the file's permission mask. A program with the setuid bit set (for instance: passwd) will display the following line when you run the command ls -l:

-rwsr-xr-x 1 root root 37140 2010-01-26 18:09 /usr/bin/passwd

As you can see, an "s" is shown in the owner's execute permission of the program passwd.

b) Adding and removing the setuid permission

c) Example

d) Some notes

NOTE 1) If the setuid bit of a program (for instance: passwd) is set and its execute permission is cleared, then the following line will be displayed when you run the command ls -l:

-rwSr-xr-x 1 root root 37140 2010-01-26 18:09 /usr/bin/passwd

As you can see, a capital "S" is shown in the owner's execute permission of the program passwd. Even though the setuid bit is set, you will not be able to change your password because root does not have execute permission.

NOTE 2) The setuid permission set on a directory is ignored on Linux systems.

NOTE 3) Running programs as setuid can be dangerous, but some programs or commands such as passwd or ping, which are owned by the user root, sometimes need to be run by other users. Apart from those few cases, if you are running a multiuser Unix environment and security is an important issue to you, make sure that you avoid using the setuid bit.

NOTE 4) On most operating systems, only compiled programs can be setuid. Scripts, i.e. programs executed by an interpreter such as the Bourne shell (bash), can have their setuid bit set, but it has no effect; this is done to avoid security holes (most interpreters have not been written with security in mind).
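The following shell script is an added example, not part of the original handout, that shows the mechanics of this section on a scratch file instead of a privileged binary: it sets the setuid bit in numeric mode (4755) and in symbolic mode (u+s), reads the bit back from the owner's execute column of ls -l ("s", or the capital "S" of NOTE 1 when the execute bit is cleared), and clears it again. The file name and its contents are constructed for the demonstration; everything happens in a temporary directory that is removed on exit, so it can be run as an ordinary user.

```shell
#!/bin/sh
# Added example (not from the original handout): set, inspect and clear the
# setuid bit on a throwaway file with chmod, in numeric and symbolic mode.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
prog="$workdir/demo_prog"              # constructed placeholder file name

# Constructed sample program; its contents do not matter for the permission bits.
printf '#!/bin/sh\necho hello\n' > "$prog"
chmod 755 "$prog"                      # start from -rwxr-xr-x

# owner_exec_char FILE: prints the owner's execute column (4th character) of `ls -l`:
#   "x" executable, no setuid      "s" setuid and executable
#   "S" setuid but NOT executable  "-" neither
owner_exec_char() {
    ls -l "$1" | cut -c4
}

# has_setuid FILE: succeeds (exit 0) when the setuid bit is set, i.e. the column shows s or S
has_setuid() {
    case "$(owner_exec_char "$1")" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Numeric mode: the leading 4 in 4755 is the setuid bit (rwsr-xr-x); 0755 drops it again.
set_setuid_numeric()   { chmod 4755 "$1"; }
clear_setuid_numeric() { chmod 0755 "$1"; }

# Symbolic mode: u+s sets the bit and u-s clears it; the rwx bits are left untouched.
set_setuid_symbolic()   { chmod u+s "$1"; }
clear_setuid_symbolic() { chmod u-s "$1"; }

# Demonstration run: print the ls -l line after each step.
set_setuid_numeric "$prog";    ls -l "$prog"   # -rwsr-xr-x
clear_setuid_numeric "$prog";  ls -l "$prog"   # -rwxr-xr-x
set_setuid_symbolic "$prog";   ls -l "$prog"   # -rwsr-xr-x
chmod u-x "$prog";             ls -l "$prog"   # -rwSr-xr-x  (NOTE 1: bit set, owner execute cleared)
clear_setuid_symbolic "$prog"; ls -l "$prog"   # -rw-r-xr-x
```

The same functions can be pointed at any file you own to confirm, before and after a chmod, whether the "s" you see in ls -l is really a setuid bit on an executable or only the inert "S" of a non-executable file.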

3- ACL (Access Control Lists)

3.1- Introduction

ACL (Access Control Lists) provide finer-grained control over which users can access specific directories and files than traditional Linux permissions do. Using ACLs you can specify the ways in which each of several users and groups can access a directory or file. Imagine a system with the following users: student00, student01, student02, student03, student04, student05 and student06. In that system, users student01 and student02 are members of a group called sysop, and the rest of the users are not members of sysop. The user student00 creates a new file called script00.sh. For this new file (script00.sh), the owner (student00) has read, write and execute permissions, the group sysop has read and execute permissions, and the rest of the users (i.e., others) only have the read permission. Now, we want to give student05 the following permissions: read and write (but not execute permission). With traditional Linux permissions we cannot give this particular set of permissions to student05, because neither as a member of others nor as a member of sysop would that user have the desired permissions. Therefore, it is clear that sometimes we will need a more sophisticated system for controlling the permissions of files and directories, i.e., we will need to work with ACLs (Access Control Lists).

3.2- Displaying access permissions: getfacl and ls -l commands


a) When a file or folder has an ACL, the ls -l command displays a plus sign (+) following the permissions:

student00@computer00:~>ls  -ls  tasks.txt
-rwxr-xr--+ 1 student00 sysop 27 2012-01-12 02:12 tasks.txt

The ls -l command can tell us whether a folder or file has an ACL, but it cannot give us information about the ACL associated with that folder or file.

b) The getfacl command displays the file name, owner, group and the existing ACL for a file:

student00@computer00:~>getfacl  tasks.txt
# file: tasks.txt
# owner: student00
# group: sysop
user::rwx
user:student05:rw-            # The user student05, member of other, has a rule in the ACL for file tasks.txt.
group::r-x
group:vboxusers:rw-         # Members of group vboxusers have another rule in the ACL for file tasks.txt.
mask::rwx
other::r--

3.3- setfacl  -m

a) Description: The setfacl command sets the ACLs of files and directories. The -m (or --modify) option adds or modifies one or more rules in a file or folder's ACL.

b) Synopsis: setfacl -m ugo:user_or_group_name:permissions file_or_folder_name

c) Permissions in numeric mode: a one-digit number in octal format (0 to 7):
0 => ---  // 1 => --x // 2 => -w- // 3 => -wx // 4 => r-- // 5 => r-x // 6 => rw- // 7 => rwx

d) Permissions in symbolic mode: symbolic permissions use the characters rwx- (read, write, execute, no permission) to represent file permissions.

e) Examples:
    setfacl -m u:student04:7 script00.sh => Adds (or modifies) a rule to the ACL for the script00.sh file that gives student04 read, write and execute permissions to that file.
    setfacl -m u:student04:rw- script00.sh => Adds (or modifies) a rule to the ACL for the script00.sh file that gives student04 read and write permissions (but not execute) to that file.
    setfacl -m g:sysop:r-x script00.sh => Adds (or modifies) a rule to the ACL for the script00.sh file that gives sysop read and execute permissions to that file.
    setfacl -m o::6 script00.sh => Adds (or modifies) a rule to the ACL for the script00.sh file that gives others read and write permissions to that file.
    setfacl -m u:student04:rx script00.sh => Adds (or modifies) a rule to the ACL for the script00.sh file that gives student04 read and execute permissions to that file.
    setfacl -m u:student04:rx folder00 => Adds (or modifies) a rule to the ACL for the folder00 folder that gives student04 read and execute permissions to that folder.
    setfacl -m u:student06:5 script00.sh folder00 => Adds (or modifies) a rule to the ACL for the folder00 folder and the file script00.sh that gives student06 read and execute permissions to that folder and that file.

f) Recursive option -R for folders. Example: setfacl -R -m u:student04:rx folder00 => Adds (or modifies) a rule to the ACL for the folder00 folder and for every file and folder in folder00.

3.4- setfacl  -x

a) Description: The -x option removes rules from a file or folder's ACL.

b) Synopsis: setfacl -x ugo:user_or_group_name file_or_folder_name

c) Examples:
    setfacl -x u:student04 script00.sh => Removes the rule that gives student04 permission to access the file script00.sh.
    setfacl -x g:sysop script00.sh => Removes the rule that gives sysop permission to access the file script00.sh.
    setfacl -x u:student04 folder00 => Removes the rule that gives student04 permission to access the folder folder00.
    setfacl -x u:student06:5 script00.sh folder00 => Removes the rule that gives student06 permission to access the folder folder00 and the file script00.sh.

d) Recursive option -R for folders. Example: setfacl -R -x u:student04 folder00 => Removes the rule that gives student04 permission to access the folder folder00, and does the same for every file and folder in folder00.

3.5- setfacl  -b

a) Description: The -b option removes all ACL rules, and the ACL itself, from the folder or file you specify.

b) Synopsis: setfacl -b file_or_folder_name

c) Examples:
    setfacl -b script00.sh => Removes all rules, and the ACL itself, from the file script00.sh. Now the ls -l command will not display a plus sign (+) following the permissions.
    setfacl -b folder00 => Removes all rules, and the ACL itself, from the folder folder00.

d) Recursive option -R for folders. Example: setfacl -R -b folder00 => Removes all rules, and the ACL itself, from the folder folder00 and from every file and folder in folder00.
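The following shell script is added here as an example and is not taken from the handout. It runs the scenario of section 3.1 with the commands of sections 3.2 to 3.5 on a scratch file: traditional permissions 754 (owner rwx, group r-x, others r--), then a named-user ACL entry granting rw- (the case traditional permissions cannot express), a named-group entry, removal of one entry with setfacl -x, removal of the whole ACL with setfacl -b, and the "+" marker in ls -l at each stage. It assumes the acl package (getfacl and setfacl) is installed and that the filesystem under the temporary directory supports ACLs; the numeric ids 1005 and 1006 are constructed stand-ins for a user like student05 and a group like vboxusers, which need not exist on the machine running it. If ACLs are unavailable, the script says so and does nothing else.

```shell
#!/bin/sh
# Added example (not from the original handout): grant, list and remove ACL
# entries on a throwaway file. Assumes getfacl/setfacl (acl package) and an
# ACL-capable filesystem; numeric ids stand in for accounts that may not exist.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
f="$workdir/script00.sh"               # constructed placeholder file name
printf '#!/bin/sh\necho task\n' > "$f"
chmod 754 "$f"                         # owner rwx, group r-x, others r-- (section 3.1 setup)

DEMO_UID=1005                          # constructed: plays the role of student05
DEMO_GID=1006                          # constructed: plays the role of vboxusers

# acl_supported: succeeds if setfacl/getfacl exist and an ACL can be set on this filesystem
acl_supported() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 1
    probe="$workdir/.probe"
    : > "$probe"
    setfacl -m "u:$DEMO_UID:r" "$probe" 2>/dev/null && setfacl -b "$probe" 2>/dev/null
}

# acl_perm FILE KIND ID: prints the rwx string of the ACL entry KIND:ID (KIND is
# "user" or "group"), or nothing if there is no such entry. getfacl -n prints
# numeric ids, so the lookup works even when no account exists for the id; the
# substr() drops a trailing "#effective:" annotation if the mask limits the entry.
acl_perm() {
    getfacl -n --omit-header "$1" 2>/dev/null \
        | awk -F: -v k="$2" -v id="$3" '$1 == k && $2 == id { print substr($3, 1, 3) }'
}

# has_acl FILE: succeeds when ls -l shows the "+" marker (11th character) after the mode bits
has_acl() {
    [ "$(ls -l "$1" | cut -c11)" = "+" ]
}

# Thin wrappers around the commands of sections 3.3 to 3.5.
grant_user()  { setfacl -m "u:$2:$3" "$1"; }   # setfacl -m u:ID:PERMS FILE
grant_group() { setfacl -m "g:$2:$3" "$1"; }   # setfacl -m g:ID:PERMS FILE
revoke_user() { setfacl -x "u:$2" "$1"; }      # setfacl -x u:ID FILE
strip_acl()   { setfacl -b "$1"; }             # setfacl -b FILE

if acl_supported; then
    grant_user  "$f" "$DEMO_UID" rw-    # section 3.1: read and write, but no execute
    grant_group "$f" "$DEMO_GID" r-x
    ls -l "$f"                          # -rwxr-xr--+  the "+" says an ACL exists
    getfacl "$f"                        # user:1005:rw-  group:1006:r-x  mask::rwx  ...
    revoke_user "$f" "$DEMO_UID"        # drop only the named-user entry
    getfacl --omit-header "$f"          # group:1006:r-x remains, so the "+" stays
    strip_acl "$f"                      # drop the whole ACL
    ls -l "$f"                          # -rwxr-xr--   no "+" any more
else
    echo "ACLs not available here: install the acl package or use an ACL-capable filesystem"
fi
```

acl_perm is the check to keep: ls -l only tells you that some ACL exists, while reading getfacl back by entry lets a script verify that exactly the intended user or group received exactly the intended bits and nothing more.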


PRACTICAL EXERCISE


PART ONE: THE SETUID BIT
NOTE 1: The user "by default" is the user that was created when your system was installed, and it is the user with which you work regularly.
1.- Download cfje002 and dfje002. The cfje002 script will create a new user called fje002 (password = fje002) in your system. You have to change its permissions in order to make it an executable file. The dfje002 script will delete the user called fje002. You have to change its permissions in order to make it an executable file. Both of them must be run as the root user. Check that a new user called fje002 has been created in your system.
2.- Using the su command, become the user fje002. Create a new folder called esb.
3.- As user fje002, try to remove esb. Are you able to remove esb? Why?
4.- Create the folder called esb again. Using the exit command, become your user "by default" again. Try to remove /home/fje002/esb. Are you able to remove that folder? Why?
5.- Working with the bash shell, as user fje002 and using the program wget, download http://www.collados.org/asix1/m01/tu1/esbEsb01.c into the home folder of fje002. Compile it using the command gcc esbEsb01.c -o esbEsb01. This program will remove the folder /home/fje002/esb, provided that you have the proper permissions. As user fje002, check that you can remove /home/fje002/esb using esbEsb01. Create the folder esb again.
6.- Become your user "by default" again. Try to run esbEsb01. Can you run the program? Why? Can you remove the esb folder? Why? What is the difference between running esbEsb01 as fje002 and as your user "by default"?
7.- As user fje002, set the setuid bit of esbEsb01 using the numeric mode. Check that the setuid bit has been set. Become your user "by default" again, and run esbEsb01. Can you remove the esb folder? Why?
8.- As user fje002, clear the setuid bit of esbEsb01 using the numeric mode. Check that the setuid bit has been cleared.
9.- As user fje002, set the setuid bit of esbEsb01 using the symbolic mode. Check that the setuid bit has been set.
10.- As user fje002, clear the setuid bit of esbEsb01 using the symbolic mode. Check that the setuid bit has been cleared.
11.- Become your user "by default". Try to change your password using the command passwd. Can you change your password?
12.- Become the root user. Check where the command passwd is located. Check the permissions of passwd. Is the setuid bit cleared or set? Why?
13.- As the root user, clear the setuid bit of the passwd command. Become your user "by default", and try to change your password. Now, can you change your password? Why?
14.- As the root user, set the setuid bit of /bin/mkdir. Become your user "by default", and try to create a new directory called test in the /etc directory. Answer the following questions:
    a) Can normal users create files in the /etc directory?
    b) Have you been able to create test in the directory /etc? Why?
    c) Check the owner and group of the new folder. Explain the results shown by the system.
15.- As the root user, set the setuid bit of the passwd command and clear the setuid bit of /bin/mkdir.

PART 2: ACL (ACCESS CONTROL LISTS)
NOTE 1: You will need the fje and fje002 users in your system to answer some of the following questions. If fje does not exist in your system, download cusr and dusr. The cusr script will create a new user called fje (password = fje0000) in your system. The dusr script will delete the user called fje.
16.- Create a folder called folder007 in your home folder. Display folder007's ACL. At the moment, are there any differences between using ls -ls and getfacl?
17.- Become fje002. Try to add a new folder called fje002Folder inside folder007. Can you create this folder? Why?
18.- Become your user "by default" again. Add a new rule (using the symbolic mode) to the ACL for the folder folder007 that gives fje002 read, write and execute permissions to that folder. Display folder007's ACL. Display the permissions of folder007 using ls -ls. Is there any difference with regard to the information shown by this command in question 16?
19.- Become fje002. Try to add a new folder called fje002Folder inside folder007. Can you create this folder? Why? Can you remove this folder? Why?
20.- Become fje. Try to add a new folder called fjeFolder inside folder007. Can you create this folder? Why? Can you remove fjeFolder? Why?
21.- Become your user "by default". Using the numeric mode, add a new rule to the ACL for the folder folder007 that gives user fje002 read, write and execute permissions to that folder. Add a new rule (using the symbolic mode) to the ACL for the folder folder007 that gives fje read, write and execute permissions to that folder. Display folder007's ACL.
22.- Become fje002. Try to add a folder called fje002Folder1 inside folder007. Can you create this folder? Why? Can you remove this folder? Why?
23.- Become fje. Try to add a folder called fjeFolder1 inside folder007. Can you create this folder? Why? Can you remove this folder? Why?
24.- Become your user "by default". Remove the rule in the ACL for the folder folder007 that gives fje002 permissions to access that folder. Display folder007's ACL.
25.- Remove the rule in the ACL for the folder folder007 that gives fje permissions to access that folder. Display folder007's ACL.
26.- Remove the ACL for the folder folder007.
27.- Create a folder called folder008 in your home folder. Create two folders in folder008 called folder008_00 and folder008_01. Create a file called test008_00.txt in the folder folder008_00. Create a file called test008_01.txt in the folder folder008_01. Add recursively a new rule (using the symbolic mode) to the ACL for folder008 that gives fje002 read permission. Display the ACL of folder008, folder008_00, folder008_01, test008_00.txt and test008_01.txt.
28.- Remove recursively the rule that gives fje002 permission to access the folder folder008_00. Display the ACL of folder008_00 and test008_00.txt.
29.- Remove all ACL rules and the ACL itself from the file test008_01.txt. Display the ACL of test008_01.txt. Check whether the ACL itself has been removed using ls -l.
30.- Remove recursively all ACL rules, and the ACL itself, from every file and folder of folder008. Check whether the ACLs themselves have been removed using ls -l.