Advanced User and Group Management in Unix-like Systems

The intricacies of user and group management extend beyond mere account provisioning, delving into the realms of access control lists (ACLs), role-based access control (RBAC), and discretionary access control (DAC) mechanisms, which collectively contribute to the establishment of robust and granular security postures. Furthermore, the adoption of best practices in user and group management fosters a culture of accountability, transparency, and compliance, aligning with industry standards and regulatory frameworks governing data protection and system integrity.

Access Control Lists (ACLs) provide a more granular level of permissions than traditional UNIX permissions. In this guide, I’ll walk you through how to use ACLs for user and group management on a Linux system.

Overview of ACLs

Traditional UNIX permissions use a simple permission model based on three levels: owner, group, and others (often referred to as ugo). ACLs extend this model by allowing you to specify permissions for multiple users and groups at the same time.

Here is a breakdown of the basic ACL permissions:

• r: read
• w: write
• x: execute
• a: append only
• d: delete
• D: delete child
• t: execute only (directories)
• R: read permissions for directories
• W: write permissions for directories
• X: execute permissions for directories

Prerequisites

Before you start, make sure your filesystem is mounted with ACL support. You can check this by examining the output of the mount command:

mount | grep acl

If ACL support is enabled, you should see acl in the mount options.

Setting Up ACLs

1. Setting ACLs on a File

Using setfacl

The setfacl command is used to set ACLs on files and directories.

Syntax:

setfacl -m u:<user>:<permissions> <filename>
setfacl -m g:<group>:<permissions> <filename>

Example:

Let’s say you want to give read and write permissions to a user named john and read-only permissions to a group named developers for a file named example.txt.

setfacl -m u:john:rw- example.txt
setfacl -m g:developers:r-- example.txt

Explanation:

• setfacl -m: Modify ACLs
• u:john:rw-: Grant read and write permissions to the user john
• g:developers:r--: Grant read-only permissions to the group developers

Using getfacl

You can use the getfacl command to view the ACLs set on a file.

getfacl example.txt

2. Setting Default ACLs on a Directory

Default ACLs are applied to newly created files and directories within the specified directory.

Using setfacl

Syntax:

setfacl -d -m u:<user>:<permissions> <directory>
setfacl -d -m g:<group>:<permissions> <directory>

Example:

Let’s say you want to set default read and write permissions for the user john and read-only permissions for the group developers on a directory named mydir.

setfacl -d -m u:john:rw- mydir
setfacl -d -m g:developers:r-- mydir

Explanation:

• setfacl -d: Set default ACLs
• u:john:rw-: Grant read and write permissions to the user john
• g:developers:r--: Grant read-only permissions to the group developers

3. Removing ACLs

You can remove ACLs using the setfacl command with the -x option.

Syntax:

setfacl -x u:<user> <filename/directory>
setfacl -x g:<group> <filename/directory>

Example:

Remove ACL for user john on example.txt:

setfacl -x u:john example.txt

Example: Using ACLs for User and Group Management

Let’s say you have a directory named shared and you want to manage access for multiple users and groups.

# Create a directory
mkdir shared

# Set default ACLs
setfacl -d -m u:alice:rw- shared
setfacl -d -m u:bob:r-- shared
setfacl -d -m g:developers:r-x shared

# Verify ACLs
getfacl shared

Explanation:

• setfacl -d: Set default ACLs
• u:alice:rw-: Grant read and write permissions to the user alice
• u:bob:r--: Grant read-only permissions to the user bob
• g:developers:r-x: Grant read and execute permissions to the group developers

Summary

• setfacl: Used to set or modify ACLs on files and directories.
• getfacl: Used to view ACLs set on files and directories.
• -m: Modify ACLs
• -d: Set default ACLs
• -x: Remove ACLs

ACLs provide a flexible and powerful way to manage access control on Linux systems by allowing you to set permissions for multiple users and groups simultaneously.

Overview of RBAC

Using the /etc/sudoers.d directory is a recommended practice for managing sudo configurations, especially when dealing with complex or multiple configurations. This approach allows you to create separate files for different roles or users, making it easier to manage and audit sudo permissions.

Below are examples demonstrating how to manage RBAC for multiple users and roles using /etc/sudoers.d with sudo.

Role-Based Access Control (RBAC) with /etc/sudoers.d

1. Define Commands for Roles:

• Create a file for each role in /etc/sudoers.d and define the commands that each role can execute using Cmnd_Alias.

  sudo visudo -f /etc/sudoers.d/editor
  

  Add the following lines to the editor file to define the commands that the editor role can execute:

  Cmnd_Alias EDITOR_CMDS = /bin/cat, /bin/vi, /bin/nano, /bin/echo
  # Add another line in the file for john to be able to use the sudo
  john ALL=(ALL) EDITOR_CMDS
  

  sudo visudo -f /etc/sudoers.d/admin
  

  Add the following lines to the admin file to define the commands that the admin role can execute:

  Cmnd_Alias ADMIN_CMDS = /bin/systemctl restart httpd.service, /bin/systemctl reload httpd.service
  # Add another line in the file for jane to be able to use the sudo
  jane ALL=(ALL) ADMIN_CMDS
  # Or add the following line in the file to assign the admin role to the group admin_group
  %admin_group ALL=(ALL) ADMIN_CMDS
  

  Also, we can directly assign the role to the group and then add the users to that group.

  # /etc/sudoers.d/<role_name>
  
  # Allow user to execute any command
  %<group_name> ALL=(ALL:ALL) ALL
  

  # /etc/sudoers.d/<role_name>
  
  # Allow user to execute only specific commands
  %<group_name> ALL=/usr/bin/less /var/log/syslog, /usr/bin/cat /etc/passwd
  

  Then create the group and add some users to that group.

  sudo usermod -aG <group_name> <user_name>
  

Explanation:

• Cmnd_Alias: Defines a group of commands that can be executed by the roles. Here, we have defined two command aliases: EDITOR_CMDS for the ‘editor’ role and ADMIN_CMDS for the ‘admin’ role.
• user/group ALL=(ALL): Specifies that the user or members of the group can execute the commands defined in the Cmnd_Alias.
• EDITOR_CMDS and ADMIN_CMDS: The command aliases defined in the previous step.
• %<group_name> ALL=(ALL:ALL) ALL: This line allows all members of the group to execute any command with sudo.
• %<group_name> ALL=/usr/bin/less /var/log/syslog, /usr/bin/cat /etc/passwd: This line allows all members of the group to execute only the less /var/log/syslog and cat /etc/passwd commands with sudo.

2. Set Permissions:

• Ensure that the files in /etc/sudoers.d have the correct permissions and ownership.

  sudo chmod 440 /etc/sudoers.d/*
  sudo chown root:root /etc/sudoers.d/*
  

Explanation:

• chmod 440: Sets the permissions to 440, which means read and write for the owner and read-only for the group and others.
• chown root:root: Changes the ownership of the files to root:root for security reasons.

3. Test the Configuration:

• Verify the configurations by logging in as each user and attempting to execute the allowed commands.

  sudo -u john cat /etc/passwd   # for john
  sudo -u jane vi /etc/hostname   # for jane
  sudo -g admin_group systemctl status apache2   # for admin_group
  

Explanation:

• sudo -u: Executes the command as the specified user.
• sudo -g: Executes the command as a member of the specified group.

Summary:

1. Define Commands for Roles:

   • Create files for each role in /etc/sudoers.d and define the commands each role can execute using Cmnd_Alias.

2. Assign Roles to Users and Groups:

   • Create files for each user and group in /etc/sudoers.d and assign the corresponding roles to them.

3. Set Permissions for /etc/sudoers.d Files:

   • Ensure that the files in /etc/sudoers.d have the correct permissions and ownership to maintain security.

4. Test the Configuration:

   • Verify the configurations by logging in as each user and attempting to execute the allowed commands.

Important Notes:

• Always use visudo to edit sudo configurations to ensure that the syntax is correct and avoid locking yourself out of the system due to incorrect sudo configurations.
• Make sure to test the configuration thoroughly to ensure that the RBAC setup is working as expected.

By following this guide, you can implement role-based access control (RBAC) for user and group management effectively using /etc/sudoers.d on Linux.

Overview of DAC

Discretionary Access Control (DAC) is a type of access control that restricts access to objects based on the identity of the subject and the group to which the subject belongs. In Linux, DAC is implemented using file permissions and ownership.

Here’s a breakdown of DAC components:

1. File Permissions:

   • Read (r): Allows reading of the file.
   • Write (w): Allows writing to the file.
   • Execute (x): Allows executing the file or accessing directories.

2. Ownership:

   • Owner: The user who owns the file.
   • Group: The group associated with the file.
   • Others: Any user that is not the owner or in the group.

File Permissions

File permissions in Linux can be viewed and modified using the ls command with the -l option and the chmod and chown commands.

View File Permissions

To view file permissions, use:

ls -l filename

For example:

ls -l myfile.txt

This will display something like:

-rw-r--r-- 1 user group 0 Apr 16 12:00 myfile.txt

Here:

• rw-: Owner has read and write permissions.
• r--: Group has read-only permissions.
• r--: Others have read-only permissions.

Change File Permissions

To change file permissions, you use the chmod command followed by a three-digit number or symbolic notation.

Numeric Notation:

• 4: Read
• 2: Write
• 1: Execute

To set the permissions to rw-r--r--:

chmod 644 myfile.txt

Symbolic Notation:

• u: User/Owner
• g: Group
• o: Others
• a: All

For example, to add execute permissions to the owner:

chmod u+x myfile.txt

Ownership

Ownership of a file can be changed using the chown command.

Change Owner

To change the owner of a file:

sudo chown newowner myfile.txt

Change Group

To change the group of a file:

sudo chown :newgroup myfile.txt

User and Group Management

To manage users and groups on a Linux system, you can use the following commands:

Users

Add a User:

sudo adduser username

Delete a User:

sudo deluser username

Groups

Add a Group:

sudo addgroup groupname

Delete a Group:

sudo delgroup groupname

Add User to Group

To add a user to a group:

sudo usermod -aG groupname username

Example

Let’s go through an example to put these concepts together.

1. Create a file:

echo "Hello, World!" > myfile.txt

1. View file permissions:

ls -l myfile.txt

You’ll see something like:

-rw-r--r-- 1 user group 13 Apr 16 12:00 myfile.txt

1. Change file permissions to rwxr-xr--:

chmod 754 myfile.txt

1. Change file owner to newuser and group to newgroup:

sudo chown newuser:newgroup myfile.txt

1. Create a new group:

sudo addgroup newgroup

1. Add newuser to newgroup:

sudo usermod -aG newgroup newuser

Now, newuser has rwx permissions, newgroup has r-x, and others have r-- on myfile.txt.

This example shows the basics of how to use DAC for user and group management in Linux. Remember, managing permissions and ownership effectively is crucial for maintaining the security and integrity of your system.

Summary

By using DAC, we have implemented a simple access control system for managing file permissions on a Linux system. This approach allows for a granular way of managing access control by setting permissions for the owner, group, and others, making it easier to manage and audit access control.