File security permissions

A computer server is a source of many services, resources, and facilities. Some of these are open for public use while others may be protected. The system that permits an authority to specify and control the access of individuals to areas and resources on a server is called the Access Control System (ACS). In Linux almost every resource available in the system is represented as a file-system object, so file-system permissions are a crucial part of Linux security. The following sections describe the types of access control available today.

Discretionary Access Control—DAC

This is the basic type of access protection, based on the identity of the subjects and/or the groups to which they may or may not belong. It is discretionary because a subject with certain permissions is capable of passing those permissions on to any other subject. Linux implements DAC using the concept of an owner. Every object in the file system must have an owner and a group specified. The owner controls the permissions to access the object. Any other user or group falls into the category of other. File systems contain files and directories. There are three basic file permissions:

  • Read (r): Read access on a file means you can read the content of that file.
  • Write (w): Write access on a file means you can write into that file.
  • Execute (x): Execute access on a file means you can run the file.

Directory permissions

There are three basic directory permissions:

  • Read (r): Read access on a directory means you can read the names of the files and other directories inside.
  • Write (w): Write access on a directory means you can create new files or delete/rename existing files regardless of the permissions individual files may have. However, neither of these will work unless you have the execute permission. Without it, write permission is meaningless.
  • Execute (x): Execute access on a directory means you can enter into that directory and traverse through the directory tree.

To better demonstrate how permissions apply to a directory, here are several examples:

drwx------ 2 test test 4096 May 25 21:04 group—User test can do everything in group directory.

dr-------- 2 test test 4096 May 30 01:02 group—User test can list the content of the directory.

dr-x------ 2 test test 6 May 30 01:05 group—User can do everything except create, delete, or rename files.

d-wx------ 2 test test 6 May 30 01:05 group—User can do everything except list the files in the directory. Files can be accessed if the name is already known.

d--x------ 2 test test 6 May 30 01:05 group—User can do everything except create, rename, and delete files.
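To make the directory rules above concrete, here is an added example (not code from the book) that parses an `ls -l` style mode string and derives, for owner, group and other, which directory operations it allows, applying the rule that write on a directory is meaningless without execute. The function names (parse_mode, to_octal, directory_operations, describe_directory) are my own.

```python
# Bit values of the r, w and x characters inside one rwx triplet.
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

def parse_mode(mode_str):
    """Split 'drwxr-x---' into its type character and one octal digit (0-7)
    each for owner, group and other. Special bits (s, S, t, T) are rejected."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string such as 'drwxr-x---'")
    classes = {}
    for name, start in (("owner", 1), ("group", 4), ("other", 7)):
        digit = 0
        for ch, (want, value) in zip(mode_str[start:start + 3], PERM_BITS):
            if ch == want:
                digit |= value
            elif ch != "-":
                raise ValueError(f"unexpected permission character {ch!r} in {mode_str!r}")
        classes[name] = digit
    return mode_str[0], classes

def to_octal(mode_str):
    """Numeric form used by chmod, e.g. 'drwxr-x---' -> '750'."""
    _, classes = parse_mode(mode_str)
    return "".join(str(classes[c]) for c in ("owner", "group", "other"))

def directory_operations(digit):
    """Directory operations one permission digit allows: r lists names, x enters
    and traverses, and w adds create/delete/rename only when x is also set."""
    ops = set()
    if digit & 4:
        ops.add("list")
    if digit & 1:
        ops.add("traverse")
        if digit & 2:          # w without x is meaningless on a directory
            ops.add("create/delete/rename")
    return ops

def describe_directory(mode_str):
    """Per-class operations for a directory mode string."""
    kind, classes = parse_mode(mode_str)
    if kind != "d":
        raise ValueError(f"{mode_str!r} is not a directory mode string")
    return {name: directory_operations(digit) for name, digit in classes.items()}

if __name__ == "__main__":
    # The five listings from the text plus a write-only mode to show the caveat.
    for mode in ("drwx------", "dr--------", "dr-x------",
                 "d-wx------", "d--x------", "d-w-------"):
        print(mode, to_octal(mode), sorted(describe_directory(mode)["owner"]))
```

The write-only mode `d-w-------` yields no usable operation at all, which is the "write permission is meaningless without execute" point from the directory permission list.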

Access Control Lists

Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users of the system. However, these permission sets have limitations; for example, different permissions cannot be configured for different users. Access Control Lists (ACLs) were implemented to address this. In file-system terms, an Access Control List is a list of permissions attached to an object, which enables fine-grained settings at both the user and the operation level. On Linux (starting from kernel 2.6) ACL support is a standard part of all supported file systems (EXT3, ReiserFS, JFS, XFS, etc.). By default it is not enabled on most distributions.

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is a security mechanism that restricts the level of control that users (subjects) have over the objects that they create. Unlike in a DAC implementation, where users have full control over their own files, directories, etc., MAC adds additional labels, or categories, to all file-system objects. Users and processes must have the appropriate access to these categories before they can interact with these objects. On Red Hat-based distributions this system is enforced through SELinux, which is one of the MAC implementations on Linux. SELinux is a rather complex subject and as such goes beyond the scope of this book. Our recommendation is to keep it enabled on your server(s).
