Wednesday, December 16, 2009

Learn to use extended file attributes in Linux to boost security

ACLs and extended attributes for files are simple and easy to use in Linux, and can go a long way in securing files. Vincent Danen goes over some of the basic file protection enhancements provided by the Linux kernel.
—————————————————————————————

With all the talk of enhanced file system security and security frameworks, some of the basic file protection enhancements provided by the Linux kernel have been forgotten.

While there is certainly a distinct place for security applications like SELinux, GrSecurity and others, there are simple means for securing files as well. ACLs and extended attributes for files are simple and easy to use, and can go a long way in securing files.

The first tool to use with extended attributes is chattr, which changes file attributes for files, along with lsattr, which lists those attributes.

There are a number of extended attributes you can add or remove from files, including “a”, which makes a file append-only, and “i” which makes a file immutable (cannot be modified, deleted, or renamed, nor can any link be created to the file).

There are other attributes that deal with compression, undeletion, secure deletion, and journaling as well.

By default, only the root user can change these extended attributes. If you want to allow users to set and remove these extended attributes, you must mount the filesystem with the user_xattr mount option:
UUID=661ab9f1-c381-4962-bcfc-0b5e2aab1ce9 /home                   ext4    defaults,user_xattr,acl        1 2

The other tools that can set and list attributes are the setfattr and getfattr programs. These are useful with programs like Beagle that store certain metadata with files, but they can be useful outside of these applications as well.

These don’t have much to do with security, but they are useful nonetheless:
$ setfattr -n user.comment -v "this is a comment" testfile
$ getfattr testfile
# file: testfile
user.comment
$ getfattr -n user.comment testfile
# file: testfile
user.comment="this is a comment"

Finally, to set ACLs (Access Control Lists) on files, use the setfacl and getfacl tools. In order to use these commands, and ACLs in general, the filesystem must be mounted with the acl mount option.

Traditionally, files have three distinct access controls: read, write, and execute, and they are for three distinct groups: user, group, and other (or world).

If you wanted two or three people to have write access to a file, you would have to create a group that all of them were members of, give the file appropriate group ownership, and make it writable by the group.

With ACLs, you can bypass the need for creating groups in this fashion.

For instance, if you create a file that is owned by joe:joe with 0644 permissions (read/write to joe, read-only to everyone else), only Joe can edit it.

If you want Angela to have access to write to this file, but no one else, ACLs can help:
$ setfacl -m u:angela:rw testfile
$ getfacl testfile
# file: testfile
# owner: joe
# group: joe
user::rw-
user:angela:rw-
group::r--
mask::rw-
other::r--
$ ls -al testfile
-rw-rw-r--+ 1 joe    joe    6 2009-11-11 14:28 testfile

The above modifies the ACLs on the file testfile and adds an ACL for the user angela and gives her read/write (rw) permissions.

Using getfacl, it is obvious that angela has rw permissions, as does joe. When using ls, you can also see that the file has an ACL associated with it due to the + in the permissions and attributes string.

Now this file can be edited by joe and angela, and no one else, despite it being owned by the user and group joe.
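As an added example (not part of the original article), the shell function below audits getfacl output like the listing above and prints every entry that ends up with write access. It goes one step beyond the article by applying the mask entry, which caps named users and group entries but not the owner or other; the function name acl_writers and the sample variable are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example (not from the article): list ACL entries with effective write access.
# Reads one file's ACL in getfacl's text format on stdin.
# On a live system: getfacl testfile | acl_writers

acl_writers() {
    awk -F: '
        /^#/ || NF < 3   { next }            # header comments, blank lines
        $1 == "default"  { next }            # default ACLs apply to new children only
        { sub(/[ \t]*#.*/, "", $3) }         # strip a trailing "#effective:..." note
        $1 == "mask"     { mask = $3; next }
        { tag[++n] = $1; who[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                w = (substr(perm[i], 2, 1) == "w")
                # The mask caps named users and every group entry,
                # but not the owner (user::) or other::.
                capped = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                if (capped && mask != "" && substr(mask, 2, 1) != "w") w = 0
                if (w) print tag[i] ":" (who[i] == "" ? ":" : who[i])
            }
        }'
}

# Constructed sample: the getfacl listing shown in the article.
SAMPLE_ACL='# file: testfile
# owner: joe
# group: joe
user::rw-
user:angela:rw-
group::r--
mask::rw-
other::r--'

# Prints "user::" (the owner, joe) and "user:angela".
printf '%s\n' "$SAMPLE_ACL" | acl_writers
```

If the mask were tightened to r--, angela's entry would still read rw- in the listing but would no longer appear in this output, which is why the audit checks the mask rather than the entry alone.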

This is, of course, a brief introduction to ACLs and extended attributes. The manpages for getfacl, setfacl, chattr, lsattr, getfattr, and setfattr all explain the various options, ACLs, and attributes.

All of these options should work on any filesystem in recent kernels, provided it is mounted with the appropriate acl and user_xattr options.
