
333.1 Discretionary Access Control


Topic 333: Access Control
333.1 Discretionary Access Control

A summary of "333.1 Discretionary Access Control" from "333 Access Control", one of Topics 331 to 335 that make up the LPIC-303 exam objectives.

  • Weight: 3

  • Description:
    Candidates are expected to understand discretionary access control (DAC) and know how to implement it using access control lists (ACLs). In addition, they need to understand how to use extended attributes.

  • Key knowledge areas:

    • Understand and manage file ownership and permissions, including the SetUID and SetGID bits.

    • Understand and manage access control lists (ACLs).

    • Understand and manage extended attributes and attribute classes.

  • Key files, terms and utilities:

    • getfacl

    • setfacl

    • getfattr

    • setfattr


Understand and manage file ownership and permissions, including the SetUID and SetGID bits

SetUID

A mechanism that lets a user who is not the owner of a program temporarily run it with the owner's identity.
Set with `chmod` using "u+s" or "4xxx".
Shown as "s" when the execute bit (x) is set, and as "S" when it is not.

[rocky@lpic303-rocky34 ~]$
[rocky@lpic303-rocky34 ~]$ ls -la `which passwd`
-rwsr-xr-x. 1 root root 32656  515  2022 /usr/bin/passwd
[rocky@lpic303-rocky34 ~]$
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setuid_test
-rw-r--r-- 1 root root 0  220 01:08 setuid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# chmod u+s setuid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setuid_test
-rwSr--r-- 1 root root 0  220 01:08 setuid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# chmod u-s setuid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setuid_test
-rw-r--r-- 1 root root 0  220 01:08 setuid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setuid_test
-rw-r--r-- 1 root root 0  220 01:08 setuid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# chmod 4644 setuid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setuid_test
-rwSr--r-- 1 root root 0  220 01:08 setuid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# chmod 0644 setuid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setuid_test
-rw-r--r-- 1 root root 0  220 01:08 setuid_test
[root@lpic303-rocky34 ~]#

SetGID

A mechanism that lets a user who is not a member of a program's group temporarily run it with that group's identity (the group counterpart of SetUID).
Set with `chmod` using "g+s" or "2xxx".
Shown as "s" when the execute bit (x) is set, and as "S" when it is not.

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setgid_test
-rw-r--r-- 1 root root 0  220 01:09 setgid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# chmod g+s setgid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setgid_test
-rw-r-Sr-- 1 root root 0  220 01:09 setgid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# chmod g-s setgid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setgid_test
-rw-r--r-- 1 root root 0  220 01:09 setgid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setgid_test
-rw-r--r-- 1 root root 0  220 01:09 setgid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# chmod 2644 setgid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setgid_test
-rw-r-Sr-- 1 root root 0  220 01:09 setgid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# chmod 0644 setgid_test
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l setgid_test
-rw-r--r-- 1 root root 0  220 01:09 setgid_test
[root@lpic303-rocky34 ~]#
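As an added example that is not part of the original article: a POSIX shell script that converts a four-digit octal mode into the nine permission characters `ls -l` prints (including the s/S and t/T cases seen above), applies a `chmod` value to a scratch file and reads the result back, and audits a directory tree for files whose setuid or setgid bit is set without the matching execute bit. The function names and the scratch directory are my own choices; the mode values are the ones used in the sessions above.

```sh
#!/bin/sh
# Added example (not from the article): interpret and audit SetUID/SetGID bits.

# mode_to_symbolic OCTAL -> the 9 permission characters ls -l shows, e.g.
# 4755 -> rwsr-xr-x, 4644 -> rwSr--r-- (S: bit set but no execute permission)
mode_to_symbolic() {
    m=$1
    while [ ${#m} -lt 4 ]; do m="0$m"; done   # 644 -> 0644
    special=${m%???}                          # 4=setuid 2=setgid 1=sticky
    rest=${m#?}
    u=${rest%??}; rest=${rest#?}
    g=${rest%?};  o=${rest#?}
    out=""; i=0
    for d in "$u" "$g" "$o"; do
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        # the special bit is displayed in the x column of its own triplet
        case $i in
            0) bit=4; lo=s; hi=S ;;   # setuid -> user triplet
            1) bit=2; lo=s; hi=S ;;   # setgid -> group triplet
            *) bit=1; lo=t; hi=T ;;   # sticky -> other triplet
        esac
        if [ $((special & bit)) -ne 0 ]; then
            if [ "$x" = x ]; then x=$lo; else x=$hi; fi
        fi
        out="$out$r$w$x"; i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# observed_mode OCTAL: chmod a scratch file and read back what ls -l prints
observed_mode() {
    dir=$(mktemp -d) || return 1
    : > "$dir/f"
    chmod "$1" "$dir/f"
    ls -l "$dir/f" | cut -c2-10          # skip the file-type column
    rm -rf "$dir"
}

# audit_dangling_bits DIR: files whose setuid/setgid bit is set without the
# matching execute bit (the "S" case). The bit has no effect there and usually
# means a chmod mistake like the 4644 / 2644 commands above; worth reviewing.
audit_dangling_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        p=$(ls -ld "$f" | cut -c2-10)
        case $p in
            ??S*|?????S*) printf 'dangling special bit: %s %s\n' "$p" "$f" ;;
        esac
    done
}

# Demo with the values used in the article
for m in 4755 4644 2644 1777; do
    printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m")"
done
scratch=$(mktemp -d)
: > "$scratch/setuid_test"; chmod 4644 "$scratch/setuid_test"
audit_dangling_bits "$scratch"   # lists setuid_test if the filesystem kept the bit
rm -rf "$scratch"
```

The audit function is the defender's view of the "S" display: a setuid or setgid bit on a non-executable file does nothing, so every hit is either leftover from a wrong `chmod` or a sign that someone is editing modes by hand and deserves a look.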

Permissions

Management commands
・chmod
・chown



Understand and manage access control lists (ACLs)

ACLs cannot be used unless they are enabled on the filesystem.

ubuntu@lpic303:~$
ubuntu@lpic303:~$ df -h
Filesystem                         Size  Used Avail Use% Mounted on
tmpfs                              392M  1.1M  391M   1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv   48G  9.8G   36G  22% /
tmpfs                              2.0G     0  2.0G   0% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
tmpfs                              4.0M     0  4.0M   0% /sys/fs/cgroup
/dev/sda2                          2.0G  244M  1.6G  14% /boot
tmpfs                              392M  4.0K  392M   1% /run/user/1000
tmpfs                              1.0M     0  1.0M   0% /var/snap/lxd/common/ns
ubuntu@lpic303:~$

ubuntu@lpic303:~$
ubuntu@lpic303:~$ cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/ubuntu-vg/ubuntu-lv during curtin installation
/dev/disk/by-id/dm-uuid-LVM-NqMjNH61qs8yznsofvNy1gLGS83fDcRIuk3chuaY5eXjgnmITubuYLbFlLu6dv5u / ext4 defaults 0 1
# /boot was on /dev/sda2 during curtin installation
/dev/disk/by-uuid/2536ce07-0701-47ed-a9b4-005425d165f5 /boot ext4 defaults 0 1
/swap.img       none    swap    sw      0       0
ubuntu@lpic303:~$

ubuntu@lpic303:~$
ubuntu@lpic303:~$ sudo tune2fs -l /dev/disk/by-id/dm-uuid-LVM-NqMjNH61qs8yznsofvNy1gLGS83fDcRIuk3chuaY5eXjgnmITubuYLbFlLu6dv5u
tune2fs 1.47.0 (5-Feb-2023)
Filesystem volume name:   <none>
Last mounted on:          /
Filesystem UUID:          f03b1c6d-d41b-4f7f-96a9-0182ec415b48
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum
Filesystem flags:         signed_directory_hash
Default mount options:    user_xattr acl  <---★
Filesystem state:         clean
Errors behavior:          Continue
Filesystem OS type:       Linux
Inode count:              3145728
Block count:              12581888
Reserved block count:     563510
Overhead clusters:        243508
Free blocks:              9910407
Free inodes:              3021238
First block:              0
Block size:               4096
Fragment size:            4096
Group descriptor size:    64
Reserved GDT blocks:      1021
Blocks per group:         32768
Fragments per group:      32768
Inodes per group:         8192
Inode blocks per group:   512
Flex block group size:    16
Filesystem created:       Sun Dec 31 01:10:07 2023
Last mount time:          Fri Jan 19 23:52:34 2024
Last write time:          Fri Jan 19 23:52:32 2024
Mount count:              19
Maximum mount count:      -1
Last checked:             Sun Dec 31 01:10:07 2023
Check interval:           0 (<none>)
Lifetime writes:          11 GB
Reserved blocks uid:      0 (user root)
Reserved blocks gid:      0 (group root)
First inode:              11
Inode size:               256
Required extra isize:     32
Desired extra isize:      32
Journal inode:            8
First orphan inode:       1314847
Default directory hash:   half_md4
Directory Hash Seed:      e2bc86fa-2202-44c2-b682-c1802fc85278
Journal backup:           inode blocks
Checksum type:            crc32c
Checksum:                 0x1d6afad7
ubuntu@lpic303:~$

ubuntu@lpic303:~$
ubuntu@lpic303:~$ sudo tune2fs -l /dev/disk/by-id/dm-uuid-LVM-NqMjNH61qs8yznsofvNy1gLGS83fDcRIuk3chuaY5eXjgnmITubuYLbFlLu6dv5u | grep option
Default mount options:    user_xattr acl
ubuntu@lpic303:~$

The getfacl command

[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# getfacl --help
getfacl 2.3.1 -- get file access control lists
Usage: getfacl [-aceEsRLPtpndvh] file ...
  -a, --access            display the file access control list only
  -d, --default           display the default access control list only
  -c, --omit-header       do not display the comment header
  -e, --all-effective     print all effective rights
  -E, --no-effective      print no effective rights
  -s, --skip-base         skip files that only have the base entries
  -R, --recursive         recurse into subdirectories
  -L, --logical           logical walk, follow symbolic links
  -P, --physical          physical walk, do not follow symbolic links
  -t, --tabular           use tabular output format
  -n, --numeric           print numeric user/group identifiers
      --one-file-system   skip files on different filesystems
  -p, --absolute-names    don't strip leading '/' in pathnames
  -v, --version           print version and exit
  -h, --help              this help text
[root@rocky9-samba31 ~]#

Example

[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# ls -l /var/samba_share/share1/
   :
-rw-r--r-- 1 user00 user00 17  611 23:04 windows10-user00.txt
-rw-r--r-- 1 user01 user01 17  611 23:04 windows10-user01.txt
-rw-r--r-- 1 user02 user02 17  611 23:05 windows10-user02.txt
   :
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# cat /var/samba_share/share1/windows10-user00.txt
edited by user00
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# cat /var/samba_share/share1/windows10-user01.txt
edited by user01
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# cat /var/samba_share/share1/windows10-user02.txt
edited by user02
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# getfacl /var/samba_share/share1/windows10-user00.txt
getfacl: Removing leading '/' from absolute path names
# file: var/samba_share/share1/windows10-user00.txt
# owner: user00
# group: user00
user::rw-
group::r--
other::r--

[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# getfacl /var/samba_share/share1/windows10-user01.txt
getfacl: Removing leading '/' from absolute path names
# file: var/samba_share/share1/windows10-user01.txt
# owner: user01
# group: user01
user::rw-
group::r--
other::r--

[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# getfacl /var/samba_share/share1/windows10-user02.txt
getfacl: Removing leading '/' from absolute path names
# file: var/samba_share/share1/windows10-user02.txt
# owner: user02
# group: user02
user::rw-
group::r--
other::r--

[root@rocky9-samba31 ~]#

The setfacl command

[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# setfacl --help
setfacl 2.3.1 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
  -m, --modify=acl        modify the current ACL(s) of file(s)
  -M, --modify-file=file  read ACL entries to modify from file
  -x, --remove=acl        remove entries from the ACL(s) of file(s)
  -X, --remove-file=file  read ACL entries to remove from file
  -b, --remove-all        remove all extended ACL entries
  -k, --remove-default    remove the default ACL
      --set=acl           set the ACL of file(s), replacing the current ACL
      --set-file=file     read ACL entries to set from file
      --mask              do recalculate the effective rights mask
  -n, --no-mask           don't recalculate the effective rights mask
  -d, --default           operations apply to the default ACL
  -R, --recursive         recurse into subdirectories
  -L, --logical           logical walk, follow symbolic links
  -P, --physical          physical walk, do not follow symbolic links
      --restore=file      restore ACLs (inverse of `getfacl -R')
      --test              test mode (ACLs are not modified)
  -v, --version           print version and exit
  -h, --help              this help text
[root@rocky9-samba31 ~]#

Example

[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# ls -l /var/samba_share/share1/
   :
-rw-r--r-- 1 user00 user00 17  611 23:04 windows10-user00.txt
-rw-r--r-- 1 user01 user01 17  611 23:04 windows10-user01.txt
-rw-r--r-- 1 user02 user02 17  611 23:05 windows10-user02.txt
   :
[root@rocky9-samba31 ~]#


★ Switch to user00 and edit the files ★
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# su - user00
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ cat /var/samba_share/share1/windows10-user00.txt
edited by user00
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ echo "edited by user00 AAA" >> /var/samba_share/share1/windows10-user00.txt
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ cat /var/samba_share/share1/windows10-user00.txt
edited by user00
edited by user00 AAA
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ echo "edited by user00 AAA" >> /var/samba_share/share1/windows10-user01.txt
-bash: /var/samba_share/share1/windows10-user01.txt: 許可がありません
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ echo "edited by user00 AAA" >> /var/samba_share/share1/windows10-user02.txt
-bash: /var/samba_share/share1/windows10-user02.txt: 許可がありません
[user00@rocky9-samba31 ~]$


★ Grant user00 write permission on user01's file ★
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ exit
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# setfacl -m user:user00:rw- /var/samba_share/share1/windows10-user01.txt
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# ls -l /var/samba_share/share1
   :
-rw-r--r--  1 user00 user00 38  611 23:07 windows10-user00.txt
-rw-rw-r--+ 1 user01 user01 17  611 23:04 windows10-user01.txt <--- an ACL is now set and a "+" is appended
-rw-r--r--  1 user02 user02 17  611 23:05 windows10-user02.txt
   :
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# getfacl /var/samba_share/share1/windows10-user01.txt
getfacl: Removing leading '/' from absolute path names
# file: var/samba_share/share1/windows10-user01.txt
# owner: user01
# group: user01
user::rw-
user:user00:rw-  <--- added ACL entry
group::r--
mask::rw-        <--- added ACL entry
other::r--

[root@rocky9-samba31 ~]#


★ Switch to user00 and confirm that user00 can write to user01's file ★
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# su - user00
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ echo "edited by user00 BBB" >> /var/samba_share/share1/windows10-user00.txt
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ cat /var/samba_share/share1/windows10-user00.txt
edited by user00
edited by user00 AAA
edited by user00 BBB  <--- line added by user00
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ echo "edited by user00 BBB" >> /var/samba_share/share1/windows10-user01.txt
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ cat /var/samba_share/share1/windows10-user01.txt
edited by user01
edited by user00 BBB  <--- line added by user00
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ echo "edited by user00 BBB" >> /var/samba_share/share1/windows10-user02.txt
-bash: /var/samba_share/share1/windows10-user02.txt: 許可がありません
[user00@rocky9-samba31 ~]$


★ Remove the write permission granted to user00 on user01's file ★
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ exit
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# getfacl /var/samba_share/share1/windows10-user01.txt
getfacl: Removing leading '/' from absolute path names
# file: var/samba_share/share1/windows10-user01.txt
# owner: user01
# group: user01
user::rw-
user:user00:rw-  <--- ACL entry to remove
group::r--
mask::rw-        <--- ACL entry to remove
other::r--

[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# setfacl -x mask:,u:user00 /var/samba_share/share1/windows10-user01.txt
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# getfacl /var/samba_share/share1/windows10-user01.txt
getfacl: Removing leading '/' from absolute path names
# file: var/samba_share/share1/windows10-user01.txt
# owner: user01
# group: user01
user::rw-
group::r--
other::r--

[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# ls -l /var/samba_share/share1
   :
-rw-r--r-- 1 user00 user00 80  611 23:19 windows10-user00.txt
-rw-r--r-- 1 user01 user01 38  611 23:13 windows10-user01.txt  <--- the ACL was removed and the "+" is gone
-rw-r--r-- 1 user02 user02 17  611 23:05 windows10-user02.txt
   :
[root@rocky9-samba31 ~]#


★ Switch to user00 and confirm that user00 can no longer write to user01's file ★
[root@rocky9-samba31 ~]#
[root@rocky9-samba31 ~]# su - user00
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ echo "edited by user00 CCC" >> /var/samba_share/share1/windows10-user00.txt
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ cat /var/samba_share/share1/windows10-user00.txt
edited by user00
edited by user00 AAA
edited by user00 BBB
edited by user00 CCC  <--- line added by user00
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ echo "edited by user00 CCC" >> /var/samba_share/share1/windows10-user01.txt
-bash: /var/samba_share/share1/windows10-user01.txt: 許可がありません
[user00@rocky9-samba31 ~]$
[user00@rocky9-samba31 ~]$ echo "edited by user00 CCC" >> /var/samba_share/share1/windows10-user02.txt
-bash: /var/samba_share/share1/windows10-user02.txt: 許可がありません
[user00@rocky9-samba31 ~]$
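The `mask::rw-` entry that appeared above is the part of an ACL that most often surprises people: it caps the rights of every named user, the owning group and every named group, while the owner entry and `other` are exempt. As an added example that is not part of the original article, the script below parses getfacl-style text constructed for this purpose (modelled on the `windows10-user01.txt` output above, with a named group added and the mask narrowed to `r--`) and reports the effective rights of each entry the way `getfacl` does with its `#effective:` comments. The function names and the sample ACL are my own.

```sh
#!/bin/sh
# Added example (not from the article): how the ACL mask caps named users and groups.

# getfacl-style text constructed for this example (modelled on the article's
# windows10-user01.txt, with a named group added and the mask narrowed to r--).
SAMPLE_ACL='# file: var/samba_share/share1/windows10-user01.txt
# owner: user01
# group: user01
user::rw-
user:user00:rw-
group::r--
group:staff:rwx
mask::r--
other::r--'

perm_to_num() {            # rw- -> 6
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}
num_to_perm() {            # 6 -> rw-
    s=""
    if [ $(($1 & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    echo "$s"
}

# effective_rights ACL_TEXT: echo each entry, appending "#effective:..." where
# the mask reduces it, as getfacl does. The mask applies to named users, the
# owning group and named groups; the owner entry and "other" are never masked.
effective_rights() {
    acl=$1
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    if [ -n "$mask" ]; then maskn=$(perm_to_num "$mask"); else maskn=7; fi
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in '#'*|'') continue ;; esac
        tag=${line%%:*}; rest=${line#*:}
        qual=${rest%%:*}; perms=${rest#*:}
        masked=no
        case "$tag:$qual" in
            user:)   ;;               # file owner
            user:*)  masked=yes ;;    # named user
            group:*) masked=yes ;;    # owning group or named group
        esac
        eff=$perms
        if [ "$masked" = yes ]; then
            eff=$(num_to_perm $(( $(perm_to_num "$perms") & maskn )))
        fi
        if [ "$eff" != "$perms" ]; then
            printf '%s\t#effective:%s\n' "$line" "$eff"
        else
            printf '%s\n' "$line"
        fi
    done
}

# effective_of ACL_TEXT TAG QUALIFIER: the effective rwx string of one entry,
# e.g. effective_of "$SAMPLE_ACL" user user00  -> r--
effective_of() {
    effective_rights "$1" | while IFS= read -r line; do
        case $line in
            "$2:$3:"*)
                case $line in
                    *'#effective:'*) printf '%s\n' "${line##*effective:}" ;;
                    *)               printf '%s\n' "${line##*:}" ;;
                esac
                break ;;
        esac
    done
}

effective_rights "$SAMPLE_ACL"
```

In the session above, `setfacl -m user:user00:rw-` produced `mask::rw-` by itself because setfacl recalculates the mask as the union of the group-class entries unless `-n` is given, so no reduction was visible. A mask lower than an entry arises when it is set explicitly (`setfacl -m mask::r--`) or when `chmod` is run on a file that already carries an ACL, since the group bits of the mode then map onto the mask rather than the owning-group entry. That is why the article removes `mask:` together with `u:user00` in one `setfacl -x` call: the named entry alone would leave a mask behind and the `+` would stay.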



Understand and manage extended attributes and attribute classes

Installation

On Rocky Linux 9, install the attr package.

[root@rocky9-333 ~]#
[root@rocky9-333 ~]# dnf install attr
[root@rocky9-333 ~]#
[root@rocky9-333 ~]# rpm -qa | grep attr
libattr-2.5.1-3.el9.x86_64
attr-2.5.1-3.el9.x86_64
[root@rocky9-333 ~]#

getfattr

[root@rocky9-333 ~]#
[root@rocky9-333 ~]# getfattr --help
getfattr 2.5.1 -- get extended attributes
Usage: getfattr [-hRLP] [-n name|-d] [-e en] [-m pattern] path...
  -n, --name=name         get the named extended attribute value
  -d, --dump              get all extended attribute values
  -e, --encoding=...      encode values (as 'text', 'hex' or 'base64')
      --match=pattern     only get attributes with names matching pattern
      --only-values       print the bare values only
  -h, --no-dereference    do not dereference symbolic links
      --one-file-system   skip files on different filesystems
      --absolute-names    don't strip leading '/' in pathnames
  -R, --recursive         recurse into subdirectories
  -L, --logical           logical walk, follow symbolic links
  -P  --physical          physical walk, do not follow symbolic links
      --version           print version and exit
      --help              this help text
[root@rocky9-333 ~]#

setfattr

[root@rocky9-333 ~]#
[root@rocky9-333 ~]# setfattr --help
setfattr 2.5.1 -- set extended attributes
Usage: setfattr {-n name} [-v value] [-h] file...
       setfattr {-x name} [-h] file...
  -n, --name=name         set the value of the named extended attribute
  -x, --remove=name       remove the named extended attribute
  -v, --value=value       use value as the attribute value
  -h, --no-dereference    do not dereference symbolic links
      --restore=file      restore extended attributes
      --raw               attribute value is not encoded
      --version           print version and exit
      --help              this help text
[root@rocky9-333 ~]#
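The help texts above list the options but not the attribute classes the objective asks about. As an added example that is not part of the original article, the script below classifies the attributes in a `getfattr -d -m - -e text` style dump by namespace (`user`, `trusted`, `security`, `system`), states who is allowed to write each class, and then performs a live `setfattr -n` / `getfattr -n --only-values` / `setfattr -x` round trip on a scratch file when the attr tools are installed. The dump is constructed for this example (the `system.posix_acl_access` value is a base64 placeholder, not a real ACL encoding), and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the article): extended attribute namespaces and a
# live setfattr/getfattr round trip.

# Dump constructed in the format of `getfattr -d -m - -e text FILE`; the
# attribute names and values are made up for this example (the base64 value
# is a placeholder, not a real ACL encoding).
SAMPLE_DUMP='# file: var/samba_share/share1/windows10-user01.txt
user.origin="imported from windows10"
user.mime_type="text/plain"
security.selinux="unconfined_u:object_r:samba_share_t:s0"
system.posix_acl_access=0sUExBQ0VIT0xERVI=
trusted.backup_id="2024-01-19"'

# xattr_class NAME: the namespace an attribute belongs to (attr(5), xattr(7))
xattr_class() {
    case $1 in
        user.*)     echo user ;;
        trusted.*)  echo trusted ;;
        security.*) echo security ;;
        system.*)   echo system ;;
        *)          echo unknown ;;
    esac
}

# who_may_set CLASS: who can write attributes of that class (rule of thumb)
who_may_set() {
    case $1 in
        user)     echo "any process with write permission on the file; needs the user_xattr mount option on ext4" ;;
        trusted)  echo "processes with CAP_SYS_ADMIN only" ;;
        security) echo "controlled by the active security module (SELinux labels, security.capability)" ;;
        system)   echo "kernel-managed; POSIX ACLs are stored in system.posix_acl_access/default" ;;
        *)        echo "not a standard namespace" ;;
    esac
}

# names_in_class DUMP CLASS: attribute names from a getfattr dump in one class
names_in_class() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in '#'*|'') continue ;; esac
        name=${line%%=*}
        if [ "$(xattr_class "$name")" = "$2" ]; then printf '%s\n' "$name"; fi
    done
}
count_in_class() { names_in_class "$1" "$2" | wc -l | tr -d ' '; }

# value_of DUMP NAME: the value as printed (quoted text, or 0s... for base64)
value_of() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in "$2="*) printf '%s\n' "${line#*=}"; break ;; esac
    done
}

# xattr_roundtrip: set, read back and remove a user.* attribute on a scratch
# file; prints ok, fail, or skipped (attr tools or filesystem support missing)
xattr_roundtrip() {
    command -v setfattr >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d) || return 1
    f=$dir/f; : > "$f"
    if ! setfattr -n user.origin -v imported "$f" 2>/dev/null; then
        rm -rf "$dir"; echo skipped; return 0
    fi
    got=$(getfattr -n user.origin --only-values "$f" 2>/dev/null || true)
    setfattr -x user.origin "$f" 2>/dev/null || true
    left=$(getfattr -d "$f" 2>/dev/null | grep -c '^user\.' || true)
    rm -rf "$dir"
    if [ "$got" = imported ] && [ "$left" = 0 ]; then echo ok; else echo fail; fi
}

# Report every attribute in the dump with its class, then try the live round trip
printf '%s\n' "$SAMPLE_DUMP" | while IFS= read -r line; do
    case $line in '#'*|'') continue ;; esac
    name=${line%%=*}; cls=$(xattr_class "$name")
    printf '%-24s %-9s %s\n' "$name" "$cls" "$(who_may_set "$cls")"
done
echo "live round trip: $(xattr_roundtrip)"
```

Two practical points follow from the classes. First, a plain `getfattr -d` only matches `^user\.` by default, so SELinux labels, file capabilities and the ACL blobs in `system.*` stay hidden unless you pass `-m -`; a file can carry security-relevant attributes while `getfattr -d` prints nothing. Second, `user.*` attributes are writable by anyone who can write the file, so they are metadata, not a trust signal, and tools such as `cp` drop them unless told to preserve them (`cp --preserve=xattr`, `rsync -X`).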
