Index > Auth > 2021-03-01: Module 3: MAC and SELinux
An empty DACL is a dacl with no contents. A null dacl doesn’t exist.
The quizzes are confirmed to be open internet
/homework/
/homework/week6.docx
Entries are called Access Control Entries (ACEs).
The typical ACEs include:
When running ls -l
, the first character in the permissions list is the file type. -
is regular, d
is a directory, l
is a link.
There are only 3 levels of access by default, but there can be…
An ACL with more than three ACEs is called an Extended ACL.
There’s something about masks but Prof. isn’t clear about it, do outside research.
Processes also get a user ID (UID) and group ID (GID).
By default, the UID of a process is the same as the user who started the process. Same with the GID.
If the process binary has the SetUID
bit set, then the process runs with the UID of its file. Same with the GID.
Processes can only send signals to other processes with the same UID. Joe can’t kill bob’s processes.
The root user, with uid=0, can do anything. ACLs do not apply.
Binaries with the SetUID bit in their ACL are started with the UID of the file owner, rather than the caller.
The passwd
command has the SetUID bit set. This way, users cannot read the shadow file, but the password change process can write to it.
SetGID is the same, but for groups.
Rarely used. On program files, it loads the file into ram so it doesn’t get loaded from the hdd multiple times.
On a directory, it prevents users from deleting each other’s files.
Files: 666 Directories: 777
the umask variable removes permissions. The default umask is 022.
default file: 110 110 110 (666)
umask: 000 010 010 (022)
effective: 110 100 100 (644)
aka remove write for group and global.
We can pass access to a single file to a process, without passing any other perms.
Something something file handles? Thanks for the in-depth explanation, prof.
TODO: read what file handles are outside of class.
Any system that wants to authenticate users can use PAM. Root can edit PAM files to create backdoors.
PAM acts as a centralized authentication services - this keeps user authentication data in sync everywhere.
Sudo lets users run commands as root, without knowing the root password. Additionally, commands can be allow/block-listed.
On wednesday, there will be a lab demo to get us started. “This is the lab folks groan about and struggle with”. - Prof.
A set of hooks in the kernel that perform checks:
The wikipedia page for LSM actually provides a really good overview. The Kernel calls LSM hooks before accessing resources, to do extra checks. All SELinux is, is some functions for those hooks to call.
LSM is not for auditing - the kernel can return failures well before approaching an LSM hook, since the hooks are right in front of the resources. There would need to be a lot more hooks in order to make LSM an auditing tool.
These hooks detect and validate some stuff:
There are a lot of types of hooks:
“This lab is a tough one, start working on it before Wednesday” - Prof.