20160804 ACL(Access Control List)
An ACL is one of the extended attributes of a file or directory. With setfacl you can attach additional named users and named groups to a file beyond its single owner and owning group (an ACL does not create extra owners; it adds entries that are evaluated alongside the owner/group/other bits), and with getfacl you can display those extended attributes. On Solaris UFS the extended attributes live in a shadow inode; on Linux (ext2/3/4, XFS) they are stored as extended attributes of the inode itself, so the same picture applies.
[Figure] Shadow inode
inode : the file's basic attributes (what ls -l shows) / shadow inode : the file's extended attributes (ACL)
Originally, if you wanted users such as user01 and user02 to be able to modify file1, you added them to the file's group, but you could not give each user a different set of permissions. By setting an ACL on file1 you can give it additional named users (user01, user02, ...) next to the owner root, each with their own permissions, and likewise attach additional groups beyond the owning group.
# ls -l file1
-rw-r--r-- 1 root root 0 Mar 23 19:23 file1
file1 user class : root (owner) + user01 + .... (named users)
file1 group class : root (owning group) + class1 + .... (named groups)
setfacl plays basically the same role as chmod: it changes the permission mode. chmod allows exactly one user permission and one group permission per file, whereas setfacl lets you add further user and group permissions to the file.
getfacl (get file access control list) /* shows a file's extended attributes (ACL) */
setfacl (set file access control list) /* sets a file's extended attributes (ACL) */
# man getfacl
NAME getfacl - get file access control lists
SYNOPSIS getfacl [-dRLPvh] file ...
getfacl [-dRLPvh] -
DESCRIPTION For each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL). If a directory has a default ACL, getfacl also displays the default ACL. Non-directories cannot have default ACLs.
If getfacl is used on a file system that does not support ACLs, getfacl displays the access permissions defined by the traditional file mode permission bits.
The output format of getfacl is as follows:
 1: # file: somedir/
 2: # owner: lisa
 3: # group: staff
 4: user::rwx
 5: user:joe:rwx #effective:r-x
 6: group::rwx #effective:r-x
 7: group:cool:r-x
 8: mask:r-x
 9: other:r-x
10: default:user::rwx
11: default:user:joe:rwx #effective:r-x
12: default:group::r-x
13: default:mask:r-x
14: default:other:---
Lines 4, 6 and 9 correspond to the user, group and other fields of the file mode permission bits. These three are called the base ACL entries. Lines 5 and 7 are named user and named group entries. Line 8 is the effective rights mask. This entry limits the effective rights granted to all groups and to named users. (The file owner and others permissions are not affected by the effective rights mask; all other entries are.) Lines 10--14 display the default ACL associated with this directory. Directories may have a default ACL. Regular files never have a default ACL.
The default behavior for getfacl is to display both the ACL and the default ACL, and to include an effective rights comment for lines where the rights of the entry differ from the effective rights.
If output is to a terminal, the effective rights comment is aligned to column 40. Otherwise, a single tab character separates the ACL entry and the effective rights comment.
The ACL listings of multiple files are separated by blank lines. The output of getfacl can also be used as input to setfacl.
PERMISSIONS Processes with search access to a file (i.e., processes with read access to the containing directory of a file) are also granted read access to the file's ACLs. This is analogous to the permissions required for accessing the file mode.
[Command format]
# getfacl file1
# getfacl file1 file2
[Command options]
Option | Description |
-d | Display only the default ACL (directories only; regular files never have one) |
-R | Recursive: for a directory, also list the ACLs of everything below it |
# man setfacl
NAME setfacl - set file access control lists
SYNOPSIS setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...
setfacl --restore=file
DESCRIPTION This utility sets Access Control Lists (ACLs) of files and directories. On the command line, a sequence of commands is followed by a sequence of files (which in turn can be followed by another sequence of commands, ...).
The options -m, and -x expect an ACL on the command line. Multiple ACL entries are separated by comma characters (','). The options -M, and -X read an ACL from a file or from standard input. The ACL entry format is described in Section ACL ENTRIES.
The --set and --set-file options set the ACL of a file or a directory. The previous ACL is replaced. ACL entries for this operation must include permissions.
The -m (--modify) and -M (--modify-file) options modify the ACL of a file or directory. ACL entries for this operation must include permissions.
The -x (--remove) and -X (--remove-file) options remove ACL entries. Only ACL entries without the perms field are accepted as parameters, unless POSIXLY_CORRECT is defined.
When reading from files using the -M, and -X options, setfacl accepts the output getfacl produces. There is at most one ACL entry per line. After a Pound sign ('#'), everything up to the end of the line is treated as a comment.
If setfacl is used on a file system which does not support ACLs, setfacl operates on the file mode permission bits. If the ACL does not fit completely in the permission bits, setfacl modifies the file mode permission bits to reflect the ACL as closely as possible, writes an error message to standard error, and returns with an exit status greater than 0.
EXAMPLES Granting an additional user read access: setfacl -m u:lisa:r file
Revoking write access from all groups and all named users (using the effective rights mask): setfacl -m m::rx file
Removing a named group entry from a file's ACL: setfacl -x g:staff file
Copying the ACL of one file to another: getfacl file1 | setfacl --set-file=- file2
Copying the access ACL into the Default ACL: getfacl --access dir | setfacl -d -M- dir
[Command format]
# setfacl -m [acl] file1 /* -m: modify */
# setfacl -x [acl] file1 /* -x: delete */
[Command options]
Option | Description |
-m | modify: add an entry or change an entry's permissions |
-x | Remove an entry |
-R | Recursive: for a directory, also change the ACLs of the subdirectories and files below it |
-b | Remove all extended entries (named users, named groups and the mask); only the base user/group/other entries remain |
[EX] Changing and removing the user and group entries among a file's attributes
■ System used
- linux200
chmod CMD = setfacl -m (applied to the base entries user::, group:: and other::, setfacl -m does exactly what chmod does)
(linux200)
# cd /test
# rm -rf /test/*
# touch file1
# ls -l file1
-rw-r--r-- 1 root root 0 Jun 14 14:19 file1
# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::r--
# chmod 664 file1
# ls -l file1
-rw-rw-r-- 1 root root 0 Jan 27 03:51 file1
# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::rw-
other::r--
# setfacl -m user::rwx file1
# ls -l file1
-rwxrw-r-- 1 root root 0 Jan 27 03:51 file1
# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
group::rw-
other::r--
[EX] Adding a new user and a new group to a file
# setfacl -m user::rwx file1
# setfacl -m u::7 file1 (the same command abbreviated: user = u, group = g, other = o; the perms field also accepts a single octal digit, rwx = 7, r-- = 4)
# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
group::rw-
other::r--
# setfacl -m u:user01:7 file1
# ls -l file1
-rwxrwxr--+ 1 root root 0 Jan 27 03:51 file1
(The '+' marks a file with an extended ACL. The group field of ls -l now shows the mask, rwx, not the group:: entry.)
# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:user01:rwx
group::rw-
mask::rwx
other::r--
(setfacl added the mask:: entry by itself as the union of group::, the named users and the named groups.)
# groupadd class1
# grep class /etc/group
# setfacl -m g:class1:7 file1
# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
user:user01:rwx
group::rw-
group:class1:rwx
mask::rwx
other::r--
# setfacl -x u:user01 file1 (-x takes the entry without a perms field; setfacl -x u:user01:rwx file1 is accepted only when POSIXLY_CORRECT is set)
# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
group::rw-
group:class1:rwx
mask::rwx
other::r--
# setfacl -x g:class1 file1
# getfacl file1
# file: file1
# owner: root
# group: root
user::rwx
group::rw-
mask::rw-
other::r--
(The mask was recalculated as rw- from the remaining group:: entry; it stays in the ACL until removed with setfacl -b.)
[EX] Allowing an ordinary user (e.g. user01) to write to a file owned by root
# cd /test
# rm -rf /test/*
# echo 1111 > file1
# ls -l file1
-rw-r--r-- 1 root root 5 Oct 15 21:02 file1
# setfacl -m u:user01:7 file1
# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:user01:rwx
group::r--
mask::rwx
other::r--
# su user01
$ echo 2222 >> file1
$ cat file1
1111
2222
$ exit
#
[EX] Creating files that keep identical extended attributes
# cd /test
# rm -rf /test/*
# touch file1 file2 file3 file4
# setfacl -m u:user01:7 file1
# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:user01:rwx
group::r--
mask::rwx
other::r--
# getfacl file1 > file.acl
# setfacl --set-file=file.acl file2
# getfacl file1 | setfacl --set-file=- file2 (same result without the temporary file; the "# file:" header lines are treated as comments)
# getfacl file1 file2
# file: file1
# owner: root
# group: root
user::rw-
user:user01:rwx
group::r--
mask::rwx
other::r--

# file: file2
# owner: root
# group: root
user::rw-
user:user01:rwx
group::r--
mask::rwx
other::r--
[EX] About the mask and the effective value
---------------------------
# file: file1
# owner: root
# group: root
user::rw-
user:user01:rwx
group::r--
group:class1:rwx
mask::rwx
other::r--
---------------------------
# cd /test
# rm -rf /test/*
# echo 1111 > file1
# getfacl file1
# setfacl -m u:user01:7 file1
# setfacl -m g:class1:7 file1
# getfacl file1
(mask::rwx, computed automatically; user01 and class1 get their full rwx)
# setfacl -m m::6 file1
# getfacl file1
(mask::rw-; user:user01:rwx and group:class1:rwx are now listed with #effective:rw-. user:: and other:: are never touched by the mask.)
# setfacl -m m::1 file1
# getfacl file1
(mask::--x; the named entries drop to #effective:--x and group::r-- to #effective:---. Any later setfacl -m on a user or group entry recalculates the mask again unless -n is given.)
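The masking rule quoted from the getfacl man page above and the m::6 / m::1 steps just shown can be traced without a root shell. The following is an added example (my own code, not from the course notes or the acl package): it parses getfacl output, applies the POSIX.1e rule that the mask caps named users, named groups and group:: but never user:: or other::, and reproduces the #effective: comments and the ls -l mode string. ACL_TEXT is a constructed listing matching the file1/user01/class1 example; the function names are my own.

```python
"""What the ACL mask does to named-user and group entries.

Added example (not code from the original notes): it parses the text that
getfacl prints, applies the POSIX.1e masking rule, and re-creates the
'#effective:' comments, so the m::6 / m::1 steps above can be traced without
a root shell. ACL_TEXT is constructed to match the page's file1 with the
user01 and class1 entries.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

ACL_TEXT = """\
# file: file1
# owner: root
# group: root
user::rw-
user:user01:rwx
group::r--
group:class1:rwx
mask::rwx
other::r--
"""


def perms_to_int(perms):
    """'rw-' -> 6; a single octal digit such as '7' is accepted, as setfacl does."""
    if perms.isdigit():
        return int(perms)
    return sum(PERM_BITS[c] for c in perms if c != "-")


def int_to_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text):
    """Return [(scope, tag, qualifier, bits)] for every entry line.

    scope is 'access' or 'default'; tag is user/group/mask/other; qualifier is
    '' for the base entries user::, group::, mask::, other::. Everything after
    '#' is dropped (the header and #effective comments), which is also how
    setfacl -M treats getfacl output.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        tag, qualifier, perms = parts
        entries.append((scope, tag, qualifier, perms_to_int(perms)))
    return entries


def set_mask(entries, mask, scope="access"):
    """`setfacl -m m::<mask>` (scope='default' for `d:m::<mask>`): only the mask entry changes."""
    bits = perms_to_int(mask)
    return [(s, t, q, bits if (s == scope and t == "mask") else p)
            for s, t, q, p in entries]


def effective(entries):
    """Map 'scope:tag:qualifier' -> bits actually granted.

    The mask caps group::, named groups and named users; the owner (user::)
    and other:: are never masked.
    """
    masks = {s: p for s, t, q, p in entries if t == "mask"}
    result = {}
    for s, t, q, p in entries:
        capped = t == "group" or (t == "user" and q != "")
        if capped and s in masks:
            p &= masks[s]
        result[f"{s}:{t}:{q}"] = p
    return result


def render(entries):
    """Re-create getfacl's entry lines, including the #effective comments."""
    eff = effective(entries)
    out = []
    for s, t, q, p in entries:
        line = ("default:" if s == "default" else "") + f"{t}:{q}:{int_to_perms(p)}"
        granted = eff[f"{s}:{t}:{q}"]
        if granted != p:
            line += "\t#effective:" + int_to_perms(granted)
        out.append(line)
    return "\n".join(out)


def ls_mode(entries):
    """The nine mode characters ls -l prints: with a mask present, the group field IS the mask.

    The trailing '+' appears whenever the ACL has more than the three base entries.
    """
    base = {f"{t}:{q}": p for s, t, q, p in entries if s == "access"}
    group = base.get("mask:", base["group:"])
    mode = int_to_perms(base["user:"]) + int_to_perms(group) + int_to_perms(base["other:"])
    return mode + ("+" if len(entries) > 3 else "")


if __name__ == "__main__":
    acl = parse_getfacl(ACL_TEXT)
    print("ls -l shows", ls_mode(acl))
    for m in ("6", "1"):
        print(f"--- after setfacl -m m::{m} file1")
        print(render(set_mask(acl, m)))
```

Run it and compare with the real getfacl output on a box where the ACL exists: the point to take away is that `ls -l` lies about the group permission once a mask is present, so audits of ACL-bearing files (the `+` in ls output) must use getfacl.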
[EX] A directory's extended attributes (default ACL)
# mkdir dir1
# setfacl -m d:u::7,d:g::5,d:o::5 dir1 (same as: setfacl -m d:u::rwx,d:g::r-x,d:o::r-x dir1; d: = default:, these entries are copied to objects created inside dir1 later and do not change dir1's own access ACL)
# ls -ld dir1
drwxr-xr-x+ 2 root root 4096 Jan 27 04:14 dir1
# getfacl dir1
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x
# setfacl -m d:u:user01:7,d:m::5 dir1 (same as: setfacl -m default:user:user01:rwx,d:m::r-x dir1)
# getfacl dir1
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user01:rwx #effective:r-x
default:group::r-x
default:mask::r-x
default:other::r-x
# mkdir dir1/subdir1
# getfacl dir1/subdir1
# file: dir1/subdir1
# owner: root
# group: root
user::rwx
user:user01:rwx #effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:user01:rwx #effective:r-x
default:group::r-x
default:mask::r-x
default:other::r-x
(subdir1 received dir1's default ACL twice: as its own access ACL, where the mask clips user01 to r-x, and as its own default ACL, because a new directory inherits the default ACL as a default ACL as well.)
# setfacl -m d:u::7,d:g::7,d:o::7,d:m::7 dir1
# setfacl -m d:u::rwx,d:group::rwx,d:other:rwx,d:mask:rwx dir1 (the same command in long form)
# getfacl dir1
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user01:rwx
default:group::rwx
default:mask::rwx
default:other::rwx
# getfacl dir1/subdir1
# file: dir1/subdir1
# owner: root
# group: root
user::rwx
user:user01:rwx #effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:user01:rwx #effective:r-x
default:group::r-x
default:mask::r-x
default:other::r-x
(Changing the default ACL of dir1 has no effect on the existing subdir1: the default ACL is copied only at creation time. To change existing children, run setfacl -R on them.)
# mkdir dir1/subdir2
# getfacl dir1/subdir2
# file: dir1/subdir2
# owner: root
# group: root
user::rwx
user:user01:rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:user01:rwx
default:group::rwx
default:mask::rwx
default:other::rwx
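Why subdir1 and subdir2 came out differently, and what a regular file created under the same directory would get, follows from one create-time rule. The block below is an added example (my own code, not from the course notes) that models it: the child's access ACL is a copy of the parent's default ACL, then user::, mask:: (or group:: when no mask exists) and other:: are ANDed with the mode the creating call asked for (0777 for mkdir, 0666 for touch/open), umask is ignored, named entries are copied as they are, and a new directory also receives the default ACL as its own default ACL. DEFAULT_ACL_V1/V2 are constructed to match the two states of dir1 above.

```python
"""How a directory's default ACL becomes a new child's access ACL.

Added example; not code from the original notes. It models the rule Linux
applies at create time (POSIX.1e): copy the parent's default ACL, then AND
user::, mask:: (group:: if there is no mask) and other:: with the owner /
group / other bits of the mode the creating call requested: 0777 for
mkdir(1), 0666 for touch or open(O_CREAT). umask is ignored when a default
ACL exists. Named user/group entries are copied unchanged, which is why they
can show up with a reduced '#effective:'. A new directory also receives the
parent's default ACL as its own default ACL. The ACLs below are constructed
to match the page's dir1 example.
"""

MKDIR_MODE = 0o777    # mode mkdir(1) asks for
CREATE_MODE = 0o666   # mode touch / open(O_CREAT) ask for on a regular file

# ACL as {entry: permission bits}; 'user' / 'group' / 'other' are the base
# entries, 'user:NAME' / 'group:NAME' are named entries.
DEFAULT_ACL_V1 = {"user": 7, "user:user01": 7, "group": 5, "mask": 5, "other": 5}
DEFAULT_ACL_V2 = {"user": 7, "user:user01": 7, "group": 7, "mask": 7, "other": 7}


def inherit(default_acl, mode):
    """Access ACL of a child created with `mode` inside a directory carrying default_acl."""
    child = dict(default_acl)
    child["user"] &= (mode >> 6) & 7
    if "mask" in child:
        child["mask"] &= (mode >> 3) & 7      # group:: itself is copied untouched
    else:
        child["group"] &= (mode >> 3) & 7     # no mask: group:: takes the clipping
    child["other"] &= mode & 7
    return child


def new_dir(parent_default):
    """mkdir inside the directory: access ACL from 0777, default ACL copied verbatim."""
    return {"access": inherit(parent_default, MKDIR_MODE),
            "default": dict(parent_default)}


def new_file(parent_default):
    """touch/open(O_CREAT) inside the directory: regular files never carry a default ACL."""
    return {"access": inherit(parent_default, CREATE_MODE)}


def effective(acl):
    """Permissions actually granted once the mask is applied."""
    mask = acl.get("mask")
    out = {}
    for entry, bits in acl.items():
        capped = entry.startswith("user:") or entry == "group" or entry.startswith("group:")
        out[entry] = bits & mask if (mask is not None and capped) else bits
    return out


def demo():
    subdir1 = new_dir(DEFAULT_ACL_V1)   # created while the default mask was r-x
    subdir2 = new_dir(DEFAULT_ACL_V2)   # created after the default ACL was widened
    file1 = new_file(DEFAULT_ACL_V2)    # a regular file under the same default ACL
    return subdir1, subdir2, file1


if __name__ == "__main__":
    for name, obj in zip(("subdir1", "subdir2", "file1"), demo()):
        print(name, obj["access"], "effective:", effective(obj["access"]))
```

The practical consequence: a default ACL with a wide mask on a shared directory silently hands every future file to the named users, and a narrow default mask silently clips them, so check `getfacl -d` on the directory, not just the files already present.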
[Additional exercise]
■ Goal
/test/dir1/file1
-> user01 (r)
-> user02 (rw)
-> user03 (rwx)
① Create the file
# vi /test/dir1/file1
--------------------------
#!/bin/bash
echo "test messages"
--------------------------
# chmod 700 /test/dir1/file1
# ls -l /test/dir1/file1
-rwx------ 1 root root 33 Jun 7 11:56 /test/dir1/file1
# /test/dir1/file1
-> runs normally.
② Add the users
# egrep '(user01|user02|user03)' /etc/passwd
# useradd user01
# useradd user02
# useradd user03
# echo user01 | passwd --stdin user01
# echo user02 | passwd --stdin user02
# echo user03 | passwd --stdin user03
(passwd --stdin is a Red Hat extension; password = user name is for this lab only.)
# su - user01
$ cat /test/dir1/file1
-> Permission denied (mode 700, no ACL yet)
$ exit
# setfacl -m u:user01:4 /test/dir1/file1
# setfacl -m u:user02:6 /test/dir1/file1
# setfacl -m u:user03:7 /test/dir1/file1
# getfacl /test/dir1/file1
# file: test/dir1/file1
# owner: root
# group: root
user::rwx
user:user01:r--
user:user02:rw-
user:user03:rwx
group::---
mask::rwx
other::---
(getfacl strips the leading '/' from absolute paths and says so on stderr.)
# su - user01
(OK) $ cat /test/dir1/file1
(X)  $ /test/dir1/file1 (user01 has no x)
$ su - user02
(OK) $ cat /test/dir1/file1
(OK) $ echo "echo test messages2" >> /test/dir1/file1
$ cat /test/dir1/file1
(X)  $ /test/dir1/file1 (user02 has no x)
$ su - user03
(OK) $ cat /test/dir1/file1
(OK) $ /test/dir1/file1 (r and x are both needed: execve checks x, then bash has to read the script)
$ exit
$ exit
$ exit
[EX] Allowing a designated ordinary user to read /etc/shadow
# id
# ls -l /etc/shadow
# setfacl -m u:user01:4 /etc/shadow
# su - user01
$ cat /etc/shadow
(Restore) Be sure to restore the ACL of /etc/shadow afterwards: anyone who can read it can carry every password hash off for offline cracking.
# setfacl -x u:user01 /etc/shadow
[EX] Preventing only a designated user from reading a file
$ exit
# cd /test
# echo 1111 > file.txt
# chmod 777 file.txt
# setfacl -m u:user01:0 file.txt
# su - user01
$ cat /test/file.txt
-> cat: /test/file.txt: Permission denied (the named entry for user01 is matched before other:: is consulted, so the rwx granted to others does not help)
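Both the user01/user02/user03 exercise and the "deny one user on a 777 file" example above are decided by the same evaluation order: owner entry, then the named-user entry, then the group class (owning group plus every matching named group, any one of which may grant), then other::. The block below is an added example (my own code, not from the course notes) implementing that POSIX.1e access check; the two ACLs are constructed to match the page's examples, and root's CAP_DAC_OVERRIDE bypass is deliberately left out.

```python
"""The order in which the kernel evaluates a POSIX ACL for an access request.

Added example; not code from the original notes. check_access() follows the
POSIX.1e algorithm: owner entry first, then the matching named-user entry,
then the group class (owning group plus every matching named group, any one
of which may grant the request), then other::. The mask caps the named-user
and group entries only. The two ACLs below are constructed to match the
page's user01/user02/user03 exercise and the 'u:user01:0 on a 777 file'
example. root's CAP_DAC_OVERRIDE bypass is deliberately not modelled.
"""

R, W, X = 4, 2, 1

# /test/dir1/file1 after chmod 700 and the three setfacl -m u:userNN:N commands
EXERCISE_ACL = {"owner": "root", "owning_group": "root",
                "user": 7, "user:user01": 4, "user:user02": 6, "user:user03": 7,
                "group": 0, "mask": 7, "other": 0}

# /test/file.txt after chmod 777 and setfacl -m u:user01:0
DENY_ONE_ACL = {"owner": "root", "owning_group": "root",
                "user": 7, "user:user01": 0, "group": 7, "mask": 7, "other": 7}


def check_access(acl, user, groups, want):
    """True if `user` (a member of the set `groups`) is granted all `want` bits."""
    mask = acl.get("mask")

    def capped(bits):
        return bits & mask if mask is not None else bits

    def grants(bits):
        return bits & want == want

    if user == acl["owner"]:
        return grants(acl["user"])            # owner entry: the mask is not applied
    named = acl.get(f"user:{user}")
    if named is not None:
        return grants(capped(named))          # decides even when it grants nothing
    in_group_class = False
    if acl["owning_group"] in groups:
        in_group_class = True
        if grants(capped(acl["group"])):
            return True
    for g in groups:
        bits = acl.get(f"group:{g}")
        if bits is not None:
            in_group_class = True
            if grants(capped(bits)):
                return True
    if in_group_class:
        return False                          # matched a group entry, none sufficed: no fallthrough
    return grants(acl["other"])


def can_run_script(acl, user, groups):
    """Executing a #! script needs x for execve and r for the interpreter to read it."""
    return check_access(acl, user, groups, R | X)


if __name__ == "__main__":
    for u in ("user01", "user02", "user03", "user04"):
        print(u, "read:", check_access(EXERCISE_ACL, u, {u}, R),
              "write:", check_access(EXERCISE_ACL, u, {u}, W),
              "run:", can_run_script(EXERCISE_ACL, u, {u}))
    print("user01 on the 777 file:", check_access(DENY_ONE_ACL, "user01", {"user01"}, R))
```

The two results worth remembering: a named-user entry of `---` is a real deny because the walk stops there, and a member of the owning group with an insufficient group:: entry does not fall through to other:: either.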
Points to consider when building access control on Linux
Mechanism | allow/deny | target | privilege escalation |
SELinux (RBAC, Role-Based Access Control) | allow | file (user/role/process/security level) | X |
sudo CMD, /etc/sudoers | allow | file (CMD) | O |
File ACL (getfacl/setfacl) | allow | file (user/group) | △ |
lsattr/chattr CMD | deny | file (mode) | X |
ex) the i and a attributes
CMD1 that a user may run
CMD2 that only the administrator may run
What if the user needs to run CMD2? sudo, role (SELinux, MLS)
File1 that a user may manage
File2 that only the administrator may manage
What if the user needs to manage File2? ACL, sudo, user (SELinux)
To control a process (a running program)? process (SELinux)
# ls -l /etc/shadow
-r-------- 1 root root 1.4K May 24 12:38 /etc/shadow
# su - user01
$ cat /etc/shadow
-> error (Permission denied)
(Solution 1) # setfacl -m u:user01:4 /etc/shadow
(Solution 2) # visudo and add the line: user01 ALL=(root) NOPASSWD: /bin/cat /etc/shadow
(Solution 2 is then used as `sudo cat /etc/shadow`. Edit /etc/sudoers with visudo rather than appending with echo: a syntax error in the file disables sudo for everyone, and the NOPASSWD: tag goes in front of the command it applies to.)
■ lsattr CMD / chattr CMD
# man lsattr
NAME
lsattr - list file attributes on a Linux second extended file system
SYNOPSIS lsattr [ -RVadv ] [ files... ]
DESCRIPTION lsattr lists the file attributes on a second extended file system. See chattr(1) for a description of the attributes and what they mean.
# cd /test && rm -rf /test/* && touch file1
# lsattr file1
------------- file1
# man chattr
NAME chattr - change file attributes on a Linux second extended file system
SYNOPSIS chattr [ -RV ] [ -v version ] [ mode ] files...
DESCRIPTION chattr changes the file attributes on a Linux second extended file system.
The format of a symbolic mode is +-=[ASacDdIijsTtu].
The operator '+' causes the selected attributes to be added to the existing attributes of the files; '-' causes them to be removed; and '=' causes them to be the only attributes that the files have.
ATTRIBUTES A file with the 'a' attribute set can only be open in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
(Because the flags are enforced against root too, they also block root's own scripts and package updates until chattr -i / -a is run; an attacker with CAP_LINUX_IMMUTABLE can simply clear them, so they are a safety net against mistakes, not a security boundary.)
Important files on the system
/etc/inittab
/etc/passwd
/etc/shadow
/etc/hosts
........
File that matters for booting: /etc/inittab
Goal: configure /etc/inittab so that content can only be appended to it
Checks to run under each attribute:
- appending content
- changing content
- deleting content
- renaming the file
- deleting the file
# mkdir -p /backup
# cp /etc/inittab /backup
# cp /etc/inittab /test
# cd /test
# ls -l inittab
-rw-r--r-- 1 root root 1.7K Jun 7 12:28 inittab
# lsattr inittab
------------- inittab
# chattr +a inittab
# lsattr inittab
-----a------- inittab
appending content
# echo "k:5:once:/etc/rc.local" >> inittab (appending works)
changing content
# vi inittab (changing is not possible)
deleting content
# vi inittab (deleting is not possible)
renaming the file
# mv inittab inittab.old (renaming is not possible)
mv: cannot move `inittab' to `inittab.old': Operation not permitted
deleting the file
# rm -f inittab
rm: cannot remove `inittab': Operation not permitted
# chattr -a inittab
# lsattr inittab
------------- inittab
# chattr +i inittab
# lsattr inittab
----i-------- inittab
appending content
# echo "k:5:once:/etc/rc.local" >> inittab (appending is not possible)
changing content
# vi inittab (changing is not possible)
deleting content
# vi inittab (deleting is not possible)
renaming the file
# mv inittab inittab.old (renaming is not possible)
mv: cannot move `inittab' to `inittab.old': Operation not permitted
deleting the file
# rm -f inittab
rm: cannot remove `inittab': Operation not permitted
# chattr -i inittab
# vi passwd.sh (wrapper for the case where /etc/passwd and /etc/shadow are kept immutable; assumes the real passwd binary has been renamed to passwd.old)
----------------------------------------
#!/bin/bash
# Lift the immutable flag, run the real passwd, and re-lock both files.
# The trap re-locks even if passwd fails or is interrupted with Ctrl-C,
# so /etc/shadow is never left writable. "$@" passes the arguments through unchanged.
trap 'chattr +i /etc/passwd /etc/shadow' EXIT
chattr -i /etc/passwd /etc/shadow
passwd.old "$@"
----------------------------------------