Index > Auth > 2021-03-01: Module 3: MAC and SELinux

2021-03-01: Module 3: MAC and SELinux

Administrative

An empty DACL is a dacl with no contents. A null dacl doesn’t exist.

The quizzes are confirmed to be open internet

Files

• Directory Files
  • /homework/
• Regular Files
  • /homework/week6.docx
• Special Files
  • Pipes
  • Devices
  • hard/soft Symlinks
  • Network Sockets
  • “doors” (for ipc on solaris)

ACLs

Entries are called Access Control Entries (ACEs).

The typical ACEs include:

• Attributes
  • SetUID
  • SetGID
  • Sticky Bits
• Base Permissions
  • chmod 777 / owner / group / everyone
• Extended Permissions

When running ls -l, the first character in the permissions list is the file type. - is regular, d is a directory, l is a link.

There are only 3 levels of access by default, but there can be…

Extended Permissions

An ACL with more than three ACEs is called an Extended ACL.

There’s something about masks but Prof. isn’t clear about it, do outside research.

Process Permissions

Processes also get a user ID (UID) and group ID (GID).

By default, the UID of a process is the same as the user who started the process. Same with the GID.

If the process binary has the SetUID bit set, then the process runs with the UID of its file. Same with the GID.

Processes can only send signals to other processes with the same UID. Joe can’t kill bob’s processes.

root

The root user, with uid=0, can do anything. ACLs do not apply.

SetUID

Binaries with the SetUID bit in their ACL are started with the UID of the file owner, rather than the caller.

The passwd command has the SetUID bit set. This way, users cannot read the shadow file, but the password change process can write to it.

SetGID is the same, but for groups.

The Sticky Bit

Rarely used. On program files, it loads the file into ram so it doesn’t get loaded from the hdd multiple times.

On a directory, it prevents users from deleting each other’s files.

Default Permissions

Files: 666 Directories: 777

Umask

the umask variable removes permissions. The default umask is 022.

default file: 110 110 110 (666)
umask:        000 010 010 (022)
effective:    110 100 100 (644)

aka remove write for group and global.

Linux-Specific single-file access passing

We can pass access to a single file to a process, without passing any other perms.

Something something file handles? Thanks for the in-depth explanation, prof.

TODO: read what file handles are outside of class.

Pluggable Authentication Modules (PAM)

Any system that wants to authenticate users can use PAM. Root can edit PAM files to create backdoors.

PAM acts as a centralized authentication services - this keeps user authentication data in sync everywhere.

sudo

Sudo lets users run commands as root, without knowing the root password. Additionally, commands can be allow/block-listed.

On wednesday, there will be a lab demo to get us started. “This is the lab folks groan about and struggle with”. - Prof.

SELinux

Linux Security Modules (LSM)

A set of hooks in the kernel that perform checks:

1. DAC checks
   • If this fails, we don’t go further.
2. LSM Hook checks
3. Resource Access

The wikipedia page for LSM actually provides a really good overview. The Kernel calls LSM hooks before accessing resources, to do extra checks. All SELinux is, is some functions for those hooks to call.

LSM is not for auditing - the kernel can return failures well before approaching an LSM hook, since the hooks are right in front of the resources. There would need to be a lot more hooks in order to make LSM an auditing tool.

Task Hooks

These hooks detect and validate some stuff:

• creating a process
• killing a process
• allocating / freeing a “security field”

There are a lot of types of hooks:

• Program Loading hooks
• Filesystem hooks
• IPC hooks
• others

SELinux Modes

• Disabled
• Permissive
• Enforcing
• Management

“This lab is a tough one, start working on it before Wednesday” - Prof.

---

Index > Auth > 2021-03-01: Module 3: MAC and SELinux