ACL: Setting Access Controls and Permissions to Files and Folders in Linux PDF

Summary

This document discusses Access Control Lists (ACLs) in Linux, emphasizing how to set permissions for files and folders. It covers installation procedures and provides examples using commands (e.g., setfacl, getfacl), with illustrations included through figures. The overall focus in on technical data security details within Linux.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Data Security ACL: Setting Access Controls and Pe...

Certified Cybersecurity Technician Exam 212-82 Data Security ACL: Setting Access Controls and Permissions to Files and Folders in Linux QO Q In Linux, ACLs are used to implement access control by setting access permissions for specific files and folders % setfacl command: To assign alice read access to alice@alice-Virtual-Machlne:~ alice@alice-Virtu al-Machlne:~ M[ == -- aQ demo.txt file demo.txt file t~$ ls t=$ s -1 root root 7 Feb ¢ Q root@alice-Virtual-Machine: /home/alice /home/alice M = - 0 root root 85 Feb ¢4 2 alice alice 4096 Feb root@alice-virtual-Machine: /hone/alices root@alice-virtual-Hachine: setfacl -m uialice:r | 2 allce allce 4096 Feb S /home falice/demo, txt /homefalice/demo. txt 2 alice alice 4096 Feb root@alice-virtual-Machine: /hone/altces root@alice-virtual-Hachine: /hone/alices ii allce allce 8980 Feb -x 2 alice alice 4096 Feb - )X 2 all 2 2 s 4096 Fe.. SZiatiosfaticesiorcires e allce R 4096 A5 Feb — p— % command:ToTo displays getfacl command: " the file v name, owner, alice alice "R“‘ -’{t“‘ :23:‘ 4096 ;lg Feb the group, and the access control list (ACL) 22 alice alice alice alice 4096 4 ri-b e =% Q root@alice-Virtual-Machine: /home/alice [ = - D(= Check permissions Check permissions using using Is lS command command | ““* = —— M root@alice-Virtual-Machine: /home/allces getfacl root@alice-Virtual-Machine:/home/allce# getfacl demo.txt demo.txt Access Accens Aeadonly Aead-only - % flle:e: demo.txt # owner: root othy # group: root Access Aead-anly - User::rw- user::irw- t wecute Leecute Al ow executing fle file a525 pros program Check permissions using GUI root@alice-Virtual-Machine: /home/alices Copyright © by EC-Councll. All Rights Reserved. ReproductionIs Strictly Prohibited ACL: Setting Access Controls and Permissions to Files and Folders in Linux In Linux, a user can use commands such as chmod, chown, chgrp, etc. to set the permissions on files or folders. ACL provides detailed access control features. It can precisely configure permissions on files or folders. Steps to Configure ACLs to Set File and Folder Permissions = Step 1: Install ACL Package Install the acl package to use ACLs. You can use the below statement to install acl package: # yum install acl = Step 2: Configure ACL Support on a File System The file system consisting of the files or directories should be supported. Use the following statement to mount a local ext3 file system with ACL support: # mount -t ext3 -o acl [device-name] [mount-point] For example, # mount -t ext3 -o acl /dev/mapper/VolGroup00-LogVol00 /data If /etc/fstab contains a partition, include the acl options: # vi /etc/fstab LABEL=/data /data ext3 acl 0 0 Module 15 Page 1769 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Data Security Step 3: ACL Rules ACL rules define how a specific user or group can access the file or directory. There are two types of ACL rules: o Access ACLs: It specifies user and group access permissions for a specific file or directory o Default ACLs: It is applied only to a directory. It specifies the access permissions that a directory inherits from its parent directory. Commands for Setting up Access ACL Permission for Files To set or modify one or more ACL rules on any file or directory, use setfacl command as follows: # setfacl -m [rules] [files] where the rules are: o0 u:name:permissions: It configures access ACL for a specific user [r, w, and x for read, write, and execute, respectively] O g:name: permissions: It configures access ACL for a specific group o m:permissions: It configures the effective rights mask. It is a combination of permissions for user / group. o o:permissions: It configures access ACL for everyone For example, To set read and write permission in the ACL of file test for a guest user, use the following statement: # setfacl -m u:userl:rwx test To remove all access ACL rules of the file test for a guest user, use the following statement: # setfacl -x u:guest test To remove all ACL rules of the file test for a guest user, use the following statement: # setfacl -b u:guest test Command for Setting the Default ACLs By adding d: before the access rule and defining a directory name in place of a file name, you can configure the default ACL. # setfacl -m d:o:rx /[directory] For example, To set default ACL for test directory, use the following statement: # setfacl -m d:o:rx /Testdir Module 15 Page 1770 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Data Security Q root@alice-Virtual-Machine: /home/alice root@alice-virtual-Machine: root@alice-Virtual-Machine: /home/alice# setfacl -m u:alice:r /home/alice/demo. txt root@alice-Virtual-Machine: /home/alice# I Figure 15.5: setfacl command Command to Display ACLs Rules on Files To display ACL on any file or directory, you can use the getfacl command, as shown below. #getfacl [file/directory] For example, #getfacl #igetfacl test will display the ACL for the test file Q root@alice-Virtual-Machine: /home/alice /home/alice [~ = - o @& root@alice-virtual-Machine: /home/alice# getfacl demo.txt # file: demo.txt # owner: root # group: root user::rw- user:alice:r-- group::r-- mask::r-- other::r-- root@alice-Virtual-Machine: /home/alice# root@alice-Vvirtual-Machine: Figure 15.6: getfacl command Q alice@alice-Virtual-Machine: ~ alice@alice-virtual-Machine:~$ alice@alice-Virtual-Machine:~$ 1s -1 total 52 “fW-F=--r-- “TW-r--r-- root root 7 Feb demo. txt NNNNENNNRS RS WWwwwwwwuuwdbsdbd WWwwwwwwuuwdbhbd “FW-r--r-- “FW-F=--r-- root root 85 Feb demo.txt.gpg demo. txt.gpg NNNNENNNRRS drwxr-xr-x alice alice 4096 Feb drwxr-xr-x alice alice 4096 Feb drwxr-xr-x alice alice 4096 Feb -fW-F=--r-- -FW-F=--r-- alice alice 8980 Feb examples.desktop drwxr-xr-x alice alice 4096 Feb drwxr-xr-x alice alice 4096 Feb drwxr-xr-x alice alice 4096 Feb drwxr-xr-x alice alice 4096 Feb drwxr-xr-x 2 alice alice 4096 Feb alice@alice-Virtual-Machine:~$ l Figure 15.7: Checking permissions using Is command Module 15 Page 1771 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Data Security examples.desktop Properties X Basic Permissions Open With Owner: Access: Read and write v Group: alice v Access: Read-only v Others Access: Read-only v Execute: Allow executing file as program Security context: unknown Figure 15.8: Checking permissions using GUI Module 15 Page 1772 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Data Security Encrypting “Data at Rest” % QW 0 ('7 D( R) ENCRYPT20! 'ENCRYPT. Encryption of data in Encryption of data Encryption of data Encryption of data removable media stored in files/folders | = | stored in files/folders stored in databases devices.. Encryption of data in. Encryption of data Encryption of data S p Encryption of data removable media stored in files/folders stored in files/folders devi stored in databases devices evices Figure 15.9: “Data at rest” encryption = Disk encryption: Encryption of data stored in a physical or logical disk. Full disk encryption is the encryption of all data in a disk except the master boot record (MBR). The data is automatically converted into a form which cannot be easily deciphered by an unauthorized user. In full disk encryption, the data is encrypted while being written on the disk, and decrypted when the user reads the data from the disk. The benefits of full disk encryption are o ltisasimple encryption method. o The encryption method is clear and coherent to users, applications, and databases. Module 15 Page 1773 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Data Security o Itis ahardware-based encryption with high performance. File-level encryption: Encryption of data stored in files/folders. In this type of encryption, the encryption occurs at a filesystem level, and in combination with a cryptographic algorithm, the encrypted data will be extremely secure. File-level encryption regulates the access of unauthorized users to files or folders on networks or shared computers. The advantages of file-level encryption are as follows: o Each file is encrypted with a discrete encryption key. o Access control is enforced using public key cryptography. o Both structured and unstructured data are supported. Removable media encryption: Removable media encryption prevents removable media devices such USB flash drives, portable hard disks, digital cameras, smartphones, tablets, etc. from unauthorized access. Database encryption: Encryption of a specific subset of data or entire data stored in a database. The advantages of database encryption are as follows: o Itsafeguards the data in a database. o It protects against a wide range of threats, including malicious insiders. Module 15 Page 1774 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser