Ethical Penetration Cybersecurity

Testbed for Educational Purposes

CENG685 –
Information
Security
Lab 03 – Discretionary Access
Control (DAC) & Access
Control Lists (ACLs)
Implementation in Linux
1. Objectives
In this lab, we will study the Discretionary Access Control (DAC) Mechanism supported in
Linux. In this tutorial, we will use Ubuntu VM.

2. Introduction to DAC in Linux

Linux is a multiuser system that uses permissions and ownerships for security. Resources in
Linux look like a file, where each file has an owner (UID who created the file). There are 3
types of users on a Linux system (also called Subjects) which are Owner (user), Group and
Other (World). In the figure below, A is the user (owner), B: Group, C: Other (world). Also,
X, Y and Z are the resources (files, directories, etc.).

When DAC model is used, the ACL (Access Control list) data structure is adopted. We can see
that the ACL contains ACEs (Access Control Entries), where each entry is associated with a
resource. Linux divides the permissions into read, write and execute denoted by r, w and x.

Ps: the capability lists will be covered in another lab experiment.

DAC allows users to have a certain amount of control over their resources. Resource owner
(or any authorized users such as root/users in the sudo group) can define access
permissions for specific users or groups of users.

This ACL can be generated automatically when a user grants access to another subject or can
be created by an administrator. The ACL acts as a security policy.

Gaining access in the DAC model works like this:

▪ User 1 creates a file and becomes its owner or obtains access rights to an existing file.
▪ User 2 requests access to this file.
▪ User 1 grants access at his own discretion. However, user 1 can’t grant access rights that
exceed his own. For example, if user 1 can only read a document, they cannot allow user 2
to edit it.
▪ If there is no contradiction between the ACL and the decision made by user 1, access is
granted.

We will see examples in next sections.

1
DAC allows for a lot of flexibility, freedom and decreases the load on system administrators as
users can manage access on their own. On the other hand, it doesn’t provide a high level of
security for several reasons:

▪ If user 1 shares access rights with user 2, there is no guarantee that user 2 needs this access
to work or will not steal or corrupt data or grant access to a malicious user.
▪ It is impossible to enforce the principles of least privilege (PoLP), and separation of
duties (SoD). Least privilege enforcement ensures the non-human tool has the required
access needed and nothing more, which reduces the cyberattack surface and stops the
spread of malicious codes. We will see later how MAC can ensure the PoLP.

DAC cannot be used by organizations that work with extremely sensitive data (medical,
financial, military, etc.) → MAC is used by such organizations.

3. Where does Linux store the permissions for a resource?

A file system relies on data structures about the files, as opposed to the contents of that file.
Each file is associated with an inode (index node), which is identified by an integer. Inodes
store information about files and directories (folders), such as file ownership, access mode
(read, write, execute permissions), and file type.

What's in an inode? Metadata contained in an inode are:

• Size: Usually in bytes

• File type: Directory, regular file, symbolic link, etc.
• Permissions: Describes user/group/other access to the file
• Link count: Keeps of the number of hard links to the file
• Timestamp: Contains the time last modified and time last accessed.
• Address of Data Blocks: Pointers to the disk block that stores the file's actual contents

4. DAC Implementation in Linux

To understand how Linux implements the DAC model, we need to know the following:

• Original ACL implementation had a compact fixed size representation (9 bits)

• Few other bits were also added such as sticky bit, setuid bit, setgid bit.

4.1 Authorization Levels:

We distinguish between two levels which are crucial in Linux:

• Ownership
• Permissions

Ownership: three types which are User (Owner), Group, Other.

a) User (Owner): By default, the logged user who creates the file becomes its owner. Later,
we will see how to create new users using either useradd or adduser commands.

2
b) Group: Any permissions group that your account belongs to. A group can contain multiple
users. All users in the group have the same file permissions. So, you can add many users to
a group, and assign group permission in such a way only group members can read or modify
them. Later, we will see how to manage groups (primary and secondary), and add users to
groups.

c) Other: Any account that is not yours and that does not belong to a permissions group that
your account belongs to. Thus, it means everybody else who does not own the file and does
not belong to the user group.

Permissions: three basic types of permissions which can be assigned to each of these three
classes of accounts (owner, group, other). These three types of permissions mean slightly
different things for files than for directories.

a) File permissions: For files, these permissions grant these rights:

▪ Read: allows the affected user to read the contents of the file
▪ Write: allows the affected user to modify or delete the file
▪ Execute: allows the affected user to run the file as a process, if possible (in such
case, the file should be a script)
▪ Setuid bit: Will be covered in section 5.
▪ Setgid bit: Will be covered in section 5.

b) Directory permissions: For directories, the permission bits have different meanings than on
regular files:

▪ Read: allows the affected user to list the files within the directory
▪ Write: allows the affected user to create, rename, or delete files within the directory,
and modify the directory's attributes
▪ Execute: allows the affected user to enter the directory, and access files and
directories inside
▪ sticky bit: Will be covered in section 5.

Other
Permissions in Linux/Unix

3
Viewing File Permissions: The ls command is used to list files and the contents of directories.
The -l parameter displays permissions. For example, to see the permissions of a file named foo
in the directory /usr/bin/bar, you would execute:

ls -l /usr/bin/bar/foo

And the command would return something like this:

-rwxr-xr-- 1 jsmith guest 3072 Feb 11 09:25 /usr/bin/bar/foo

In the example, jsmith is the account that owns foo, and guest is the name of the group that
owns /usr/bin/bar/foo. The -rwxr-xr-- at the left indicates the permissions. The first
character, the -, indicates that /usr/bin/bar/foo is a file, not a directory. The rwx shows the
permissions for the user (owner) class of accounts - in this case, jsmith. The r indicates read
permission; the w, write permission; and the x, execute permission. The next three characters,
r-x, show permissions for the group class of accounts, which is guest in this example. Finally,
the last three characters, r--, display permissions for the other class (any account that is not
jsmith and is not in the guest group)

Viewing Directory Contents: If you want to see the contents of a directory, you also use ls.
Suppose that /usr/bin/bar is a directory. Then the command:

ls -l /usr/bin/bar

may return something like this:

drwxr-x--x 5 jsmith guest 4096 Jan 23 2008 foodir

-rw-r----- 1 jsmith guest 48128 Sep 14 2004 WhatToDo.doc
-rw-rw-r-- 1 jsmith guest 464 Jul 6 2005 WinCA.txt

This shows us the contents of the directory bar. The d at the left of the entry for foodir indicates
that foodir is a directory.

Viewing Directory Permissions: If you want to see the permissions of the /usr/bin/bar
directory itself, not its contents, then you need to use the -d command-line argument for ls. So,
you'd execute this command:

ls -ld /usr/bin/bar

and you'd see something like this:

dr-xrwxr-x 3 jsmith guest 4096 Jan 23 2008 /usr/bin/bar

The Current Working Directory: The current working directory is the directory that, by
default, a Linux command will use when it is executed. For example, if you do not specify a
file or directory when you run the ls command, then ls will assume that you want to see the
contents of your current working directory. So, ls will return a list of the files and directories
in your current working directory.

To see the absolute path of your current working directory, use the pwd command which stands
for ‘print working directory’.

4
Linux provides a shorthand for your current working directory. A single period (.) indicates the
current working directory. Two periods (..) indicate the directory immediately above your
current working directory.

Hidden Files and Directories: In Linux, if a file or directory name begins with a period (.) then
by default, ls will not display the file or directory in a directory listing. To see all the files in a
directory, including hidden files, use the -a command-line argument. The command:

ls -a

will show all files and directories in a directory, including hidden files. The command:

ls -al

will display all files and directories, and also show their permissions.

Home Directories: Each Linux account is associated with a home directory. When you login
to your Linux account, by default, your current working directory will be your home directory.
Linux provides a short-hand symbol for your home directory, the tilde character, ~. So, to see
a list of files in your home directory, you can execute:

ls ~

4.2 Changing file/directory permissions with 'chmod' command

Say you do not want your colleague to see your personal images. This can be achieved by
changing file permissions. We can use the 'chmod' command which stands for 'change mode'.
Using the command, we can set permissions (read, write, execute) on a file/directory for the
owner, group and the world. Syntax: chmod permissions filename

There are 2 ways to use the command:

1) Absolute mode
2) Symbolic mode

Absolute (Numeric) Mode: Let's see the example.

In the above-given terminal window, we have changed the permissions of the file sample to
'764'.

5
'764' absolute code says the following:

• Owner can read, write and execute

• Usergroup can read and write
• Other can only read

Symbolic Mode: In the Absolute mode, the categories of people's access:

▪ a all users
▪ u the owner user
▪ g the owner group
▪ o others (neither u, nor g)

The format for permissions is: chmod {a,u,g,o} {+,-,=} {r,w,x} files.
The plus ("+") sign indicates add permission. The minus ("-") sign indicates remove
permission. The equal ("=") sign indicates gives permission. Permission examples:

• chmod g+rw files give the group read and write permission
• chmod u+rwx files give the owner all permissions
• chmod og+rw files give the others and the group read and write permission
• chmod a+r files are readable by all
• chmod a-r files cancels the ability for all to read the file
• chmod a-rwx cancels all access for all  chmod a= cancels all access for all
• chmod a=rwx grants all access for all  chmod a+rwx grants all access for all

In the symbolic mode, you can modify permissions of a specific owner. It makes use of
mathematical symbols to modify the file permissions. Let's look into an example:

Note that if you do chmod o= then it means remove all permissions from the “other” users.
Also, chmod u= means remove all permissions from the “owner”; chmod g= means remove all
permissions from the “group”.

6
4.3 Changing Ownership and Group

For changing the ownership of a file/directory, you can use the following command:

chown newuser filename

In case you want to change the user as well as group for a file or directory use the command

chown newuser:newgroup filename

Let's see this in action:

In case you want to change group-owner only, use the command

chgrp new_group_name filename

'chgrp' stands for change group.

Let’s look at this example:

4.4 Management of groups and users

To manage users and groups, you need a user account with sudo or root privileges. Groups let
you create categories of users with pre-set permissions. Instead of managing permissions for
each user account, you can simply add a user to a group to grant the appropriate permissions.

7
Primary Group

The primary group is set to the logged-in user. Any files the user creates are automatically
added to that group. A user can only belong to one primary group at a time. A primary group
with the same name as the user is created, and any files created by the user are included in that
group.

Secondary Groups

A user can belong to any number of secondary groups (including none). Secondary groups
are created to manage individual files and software applications. Members of the group inherit
the read, write, and execute privileges for that group.

How to Create a User Group

To create a new group, enter the following:

sudo groupadd new_group

Add an Existing User to an Existing Group

Use the adduser command to add a user to a group:

sudo adduser existing_user existing_group

Use the useradd command to add a user to a secondary group:

sudo useradd –G new_group user_name

You can also use the usermod command to add a user to a secondary group:

sudo usermod –a –G group_name user_name

The usermod command uses the –append and –group options to append the user to a particular
group. Without using –append, the user could be dropped from other groups.

Add a User to Multiple Groups at Once

Use the usermod command to specify multiple secondary groups to add to:

sudo usermod –a –G new_group1, new_group2, new_group3 user_name

8
Create a User and Add to Group

This is useful for creating a new user on the fly for a specific software application. Enter the
following:

sudo useradd –G new_group new_user

Next, assign a password to the new user:

sudo passwd new_user

Change a User’s Primary Group

All previous commands have been used to manage the secondary groups a user belongs to. In
most cases, a user’s primary group is the same as their username.

To change a user’s primary group, enter the command:

sudo usermod –g new_group user_name

The lower-case –g specifies the primary group. (Upper-case –G refers to a secondary group.)
A user can only have one primary group, so the old primary group user_name won’t be
primary anymore for this user.

To add a new user to an existing group and make this group primary, use this command:

sudo useradd -g primary_group_name new_user

Note that if you don’t specify the primary group, Linux will automatically assign a primary
group with same name of new_user, for example if you do: sudo useradd user1 then the
primary group name will also be user1.

Remove a User from a Group

sudo deluser username groupname

Delete a Group

To delete a group, use the command:

sudo groupdel new_group

Note that the gpasswd tool can also be used for managing groups. For example:

To remove a user from a group: sudo gpasswd –d user_name new_group

Check the manual of gpasswd for more details.

9
4.5 Tips

• We can read the file /etc/passwd that contains all the users defined in the system.
• We can read the file /etc/group that contains all the groups defined in the system.
• We can use the command "groups" or “id” to find all the groups you are a member of.
Note that there is a group “sudo” and my user id “ubuntu” belongs to this group, that
is why I can run sudo commands. Here you can notice that the user ubuntu has uid =
1000, his primary group id has gid = 1000, and he belongs to some other groups such
as cdrom (gid = 24), sudo (gid = 27), adm (gid = 4), etc.

• We cannot have 2 groups owning the same file.

• We do not have nested groups in Linux. One group cannot be sub-group of other.
• We can use the command newgrp to work as a member a group other than our default
group
• There are other permissions that you can set on Files and Directories such as setuid,
setgid, and sticky bits (SEE NEXT)

5. SetUID, SetGID, and Sticky Bits in Linux File Permissions

What is Setuid?

Setuid is a Linux file permission setting that allows a user to execute that file or program with
the permission of the owner of that file. This is primarily used to elevate the privileges of the
current user. If a file is “setuid” and is owned by the user “root” then a user that has the ability
to execute that program will do so as the user root instead of themselves. The most common
example of this in Linux is ‘sudo’. In this example, the user located the executable ‘sudo’ and
did a full listing of it with the ‘ls -l’ command.

ubuntu@ubuntu2004:~$ which sudo

/usr/bin/sudo

ubuntu@ubuntu2004:~$ ls -l /usr/bin/sudo
-rwsr-xr-x 1 root root 136808 Jan 31 13:37 /usr/bin/sudo

If you look at the permissions level of the ‘sudo’ executable, you can see the ‘s’ in the
permissions for the user ‘ubuntu’ where normally there would be an ‘x’. Also, notice that this
file is owned by the user ‘root’ (the super-user) and that the file is executable by the “other”
(the last ‘x’ in the permissions). This indicates that when a user “ubuntu” for example executes
this program, the operating system will execute that file not as the user ‘ubuntu’, but as the user

10
‘root'. In the matter of using the ‘sudo’ command, this allows a normal user to perform elevated
system functions without having to log in as the root user.

How Do I Set Up Setuid?

Setting the ‘setuid’ permission is as simple as setting any other permission in Linux. The file
ownership is modified using the command. An example command to set this would be as
follows.

ubuntu@ubuntu2004:~$ chmod u+s <filename>

In this example, we will create a file called ‘myfile’ using the command ‘touch’ and then we
will examine its permissions with the ‘ls -l' command.

ubuntu@ubuntu2004:~$ touch myfile

ubuntu@ubuntu2004:~$ ls -l myfile
-rw-rw-r-- 1 ubuntu ubuntu 0 Mar 2 17:59 myfile

Notice that the file does not have the execute permissions for user, group, or other. We will
add the setuid bit as seen below.

ubuntu@ubuntu2004:~$ chmod u+s myfile

ubuntu@ubuntu2004:~$ ls -l myfile
-rwSrw-r-- 1 ubuntu ubuntu 0 Mar 2 17:59 myfile

This output looks a little different from what we were expecting. The lowercase ‘s’ we were
looking for is the now a capital ‘S.’ This signifies that the setuid IS set, but the user that owns
the file does not have execute permissions. We can add that permission using the ‘chmod u+x’
command.

ubuntu@ubuntu2004:~$ chmod u+x myfile

ubuntu@ubuntu2004:~$ ls -l
total 0
-rwsrw-r-- 1 ubuntu ubuntu 0 Mar 2 17:59 myfile

What is Setgid?

Setgid, when used on files, is very similar to setuid. A process, when executed, will run as the
group that owns the file. A typical example of a file that uses this is the ‘crontab’ command.

ubuntu@ubuntu2004:~$ which crontab

/usr/bin/crontab
ubuntu@ubuntu2004:~$ ls -l /usr/bin/crontab
-rwxr-sr-x 1 root crontab 36080 Apr 5 2016 /usr/bin/crontab

How Do I Set Up Setgid?

Similar to ‘setuid,’ ‘setgid’ is inserted with the ‘chmod g+s’ command. Let's create a new file
called ‘myfile2’.

ubuntu@ubuntu2004:~$ touch myfile2

ubuntu@ubuntu2004:~$ ls -l myfile2
-rw-rw-r-- 1 ubuntu ubuntu 0 Mar 2 19:30 myfile2

11
Now we will run the 'chmod g+s' command and review the results.

ubuntu@ubuntu2004:~$ chmod g+s myfile2

ubuntu@ubuntu2004:~$ ls -l myfile2
-rw-rwSr-- 1 ubuntu ubuntu 0 Mar 2 19:30 myfile2

Again, we see the capital ‘S’ is set, but we can modify that.

ubuntu@ubuntu2004:~$ chmod g+x myfile2

ubuntu@ubuntu2004:~$ ls -l
total 0
-rwsrw-r-- 1 ubuntu ubuntu 0 Mar 2 17:59 myfile
-rw-rwsr-- 1 ubuntu ubuntu 0 Mar 2 19:30 myfile2

Setgid on Directories

Applying the setgid permission on a directory has as different behavior. A directory that has
‘setgid’ on it will cause all files that are created in that directory to be owned by the group of
the directory as opposed to the group of the owner. First, we create a directory.

ubuntu@ubuntu2004:~$ mkdir mydir

ubuntu@ubuntu2004:~$ ls -ld mydir
drwxrwxr-x 2 ubuntu ubuntu 4096 Mar 2 19:36 mydir

Then we change the group ownership of the directory by using the 'chgrp' command, and then
we can add the ‘setgid’ permission like before.

ubuntu@ubuntu2004:~$ sudo groupadd test2

ubuntu@ubuntu2004:~$ sudo chgrp test2 mydir/
ubuntu@ubuntu2004:~$ sudo chmod g+s mydir
ubuntu@ubuntu2004:~$ ls -ld mydir/
drwxrwsr-x 2 ubuntu test2 4096 Mar 2 19:36 mydir/

Let's test it out by creating a file in that directory. All other files in this tutorial were created
this way and had ‘ubuntu’ as the group. Because ‘setgid’ is set on the directory and it is owned
by group ‘test2’, this file will get ‘test2’ as its group.

ubuntu@ubuntu2004:~$ touch mydir/myfile3

ubuntu@ubuntu2004:~$ ls -l mydir/myfile3
-rw-rw-r-- 1 ubuntu test2 0 Mar 2 19:59 mydir/myfile3

What Is A Sticky Bit?

The final special permission is the ‘sticky bit’ (T, or t if the execute bit is set for others): When
this is set on a directory, the files in that directory only be deleted or renamed by their owner
(or root). A typical use of this is ‘/tmp/.’ The /tmp directory can be written to by any user, but
other users cannot delete the files of others.

ubuntu@ubuntu2004:~$ ls -ld /tmp

drwxrwxrwt 8 root root 4096 Mar 2 20:17 /tmp

Notice that /tmp can be written to by everyone but has the ‘t’ in place of the ‘x’ at the end of
the permissions list. This means it has the sticky bit.

12
How Do I Set Up A Sticky Bit?

The sticky bit is set with ‘chmod +t’ command.

ubuntu@ubuntu2004:~$ mkdir mydir2

ubuntu@ubuntu2004:~$ ls -ld mydir2
drwxrwxr-x 2 ubuntu ubuntu 4096 Mar 2 20:17 mydir2
ubuntu@ubuntu2004:~$ chmod +t mydir2
ubuntu@ubuntu2004:~$ ls -ld mydir2
drwxrwxr-t 2 ubuntu ubuntu 4096 Mar 2 20:17 mydir2

Removing Special Permissions

To remove special permissions, we can use the same chmod commands with a ‘-’ instead of a
‘+.’

ubuntu@ubuntu2004:~$ chmod u-s myfile

ubuntu@ubuntu2004:~$ chmod g-s mydir
ubuntu@ubuntu2004:~$ chmod -t mydir2
ubuntu@ubuntu2004:~$ ls -l
total 8
drwxr-xr-x 2 ubuntu test2 4096 Mar 2 19:59 mydir
drwxrwxr-x 2 ubuntu ubuntu 4096 Mar 2 20:17 mydir2
-rwxr-xr-t 1 ubuntu ubuntu 0 Mar 2 17:59 myfile

We have seen in the above examples how to change the setuid, setgid, and sticky bits using
the symbolic mode. You can also use the absolute numeric mode to set thse bits by using four
digits.

To set setuid the first digit must be 4

To set setgid the first digit must be 2
To set sticky the first digit must be 1

For example, chmod 2777 filename will set read/write/executable bits for everyone and
also enable the setgid bit since the first digit is 2. Therefore,

chmod 4755 myfile  chmod u+s myfile

chmod 2755 myfile  chmod g+s myfile
chmod 1755 mydir  chmod +t mydir

6. Default Permissions and umask

By default, when you create a file as a regular user, it’s given the default permissions. You can
use the umask (stands for user mask) command to determine the default permissions for newly
created files.

The umask is the value that is subtracted from the 666 (rw-rw-rw-) permissions when creating
new files, or from 777 (rwxrwxrwx) when creating new directories.

For example, if the default umask is 002, new files will be created with the 664 (rw-rw-r–)
permissions, and new directories with the 775 (rwxrwxr-x) permissions.

13
Check this example:

So, to display the current value of umask, run the umask command without any options:

Ignore the first zero for now. The last three numbers represent the default umask value.

To temporarily change your umask value, run the umask VALUE command. This changes the
umask value only for the current shell:

In the picture above you can see that we have changed the umask value to 044.

umask = 044 means that the permissions for the newly created files will be rw- -w- -w- or 622
(because 044 subtracted from 666 gives 622). The permissions for the newly created directories
will be rwx -wx -wx or 733 (because 044 subtracted from 777 gives 733).

To change the default umask value permanently for a specific user, you need to modify the
.bashrc file in the user’s home directory.

For example, to change the default umask for user bob, just add the following line at the end
of the /home/bob/.bashrc file:

Reopen the shell. The default umask value is now 044:

Note that it is also possible to change the default umask value permanently for all users by
overriding the system umask.

14
7. Extended ACLs

We have dealt with creating users, groups and setting permissions. Now, consider this scenario:

Assume you are working for a company and the manager asked you to create a file and write
your comments in it so that he is the only one who can read and write in it? Here many possible
solutions may come to your mind:

a) You can add the manager to your group so that he can read/write the file, but this is not
practical since the manager must be added to all the groups where he has employees in
case, he wants to do the same with the other employees.
b) Also, if you grant permission to group and add the manager to this group, other
members of same group would be able to see the file (but we only want the manager!)
c) You can decide to grant him r/w permission using the “others” option, but this will
allow anyone else to read/write the file.

So, using the tools that we have in hand so far, we cannot find a practical solution for this
question. Fortunately, Linux answers such question using the extended ACLs. Let’s see an
example (using commands: facl, setacl).

In this figure, we create a group “users”, then we created user1 and made users as his primary
group. We then created a password for user1, and switched to user1 account.

In the same terminal, user1 creates a file doc1 under /tmp, and wrote a message to the manager.

We also created user “manager” and added a primary a primary group for him called
“managers”, then we changed the file permissions to 640.

15
Now open a new terminal and switch to manager account. Notice that manager can list the /tmp
folder but cannot read doc1 since there are no permissions for “other”.

In the next figure, using facl, we check the file ACL of doc1. Then using setacl we gave an
extended reading permission for user manager.

16
Now the manager can read the file doc1, but cannot write or modify to it.

Manager belongs to managers, so what if we grant write permission to group “managers”:

setfacl -m group:managers:w /tmp/doc1

We notice that user manager will not have the write permission (a negative permission takes
precedence).

To allow the manager to edit (write) the file, we need to do

setfacl -m user:manager:w /tmp/doc1

17