Advanced User and Group Management in Unix-like Systems
The intricacies of user and group management extend beyond mere account provisioning, delving into the realms of access control lists (ACLs), role-based access control (RBAC), and discretionary access control (DAC) mechanisms, which collectively contribute to the establishment of robust and granular security postures. Furthermore, the adoption of best practices in user and group management fosters a culture of accountability, transparency, and compliance, aligning with industry standards and regulatory frameworks governing data protection and system integrity.
Access Control Lists (ACLs) provide a more granular level of permissions than traditional UNIX permissions. In this guide, I’ll walk you through how to use ACLs for user and group management on a Linux system.
Overview of ACLs
Traditional UNIX permissions use a simple permission model based on three levels: owner, group, and others (often referred to as ugo). ACLs extend this model by allowing you to specify permissions for multiple users and groups at the same time.
Here is a breakdown of the basic ACL permissions:
-
r: read -
w: write -
x: execute -
a: append only -
d: delete -
D: delete child -
t: execute only (directories) -
R: read permissions for directories -
W: write permissions for directories -
X: execute permissions for directories
Prerequisites
Before you start, make sure your filesystem is mounted with ACL support. You can check this by examining the output of the mount command:
1
mount | grep acl
If ACL support is enabled, you should see acl in the mount options.
Setting Up ACLs
1. Setting ACLs on a File
Using setfacl
The setfacl command is used to set ACLs on files and directories.
Syntax:
1
2
setfacl -m u:<user>:<permissions> <filename>
setfacl -m g:<group>:<permissions> <filename>
Example:
Let’s say you want to give read and write permissions to a user named john and read-only permissions to a group named developers for a file named example.txt.
1
2
setfacl -m u:john:rw- example.txt
setfacl -m g:developers:r-- example.txt
Explanation:
-
setfacl -m: Modify ACLs -
u:john:rw-: Grant read and write permissions to the userjohn -
g:developers:r--: Grant read-only permissions to the groupdevelopers
Using getfacl
You can use the getfacl command to view the ACLs set on a file.
1
getfacl example.txt
2. Setting Default ACLs on a Directory
Default ACLs are applied to newly created files and directories within the specified directory.
Using setfacl
Syntax:
1
2
setfacl -d -m u:<user>:<permissions> <directory>
setfacl -d -m g:<group>:<permissions> <directory>
Example:
Let’s say you want to set default read and write permissions for the user john and read-only permissions for the group developers on a directory named mydir.
1
2
setfacl -d -m u:john:rw- mydir
setfacl -d -m g:developers:r-- mydir
Explanation:
-
setfacl -d: Set default ACLs -
u:john:rw-: Grant read and write permissions to the userjohn -
g:developers:r--: Grant read-only permissions to the groupdevelopers
3. Removing ACLs
You can remove ACLs using the setfacl command with the -x option.
Syntax:
1
2
setfacl -x u:<user> <filename/directory>
setfacl -x g:<group> <filename/directory>
Example:
Remove ACL for user john on example.txt:
1
setfacl -x u:john example.txt
Example: Using ACLs for User and Group Management
Let’s say you have a directory named shared and you want to manage access for multiple users and groups.
1
2
3
4
5
6
7
8
9
10
# Create a directory
mkdir shared
# Set default ACLs
setfacl -d -m u:alice:rw- shared
setfacl -d -m u:bob:r-- shared
setfacl -d -m g:developers:r-x shared
# Verify ACLs
getfacl shared
Explanation:
-
setfacl -d: Set default ACLs -
u:alice:rw-: Grant read and write permissions to the useralice -
u:bob:r--: Grant read-only permissions to the userbob -
g:developers:r-x: Grant read and execute permissions to the groupdevelopers
Summary
-
setfacl: Used to set or modify ACLs on files and directories. -
getfacl: Used to view ACLs set on files and directories. -
-m: Modify ACLs -
-d: Set default ACLs -
-x: Remove ACLs
ACLs provide a flexible and powerful way to manage access control on Linux systems by allowing you to set permissions for multiple users and groups simultaneously.
Overview of RBAC
Using the /etc/sudoers.d directory is a recommended practice for managing sudo configurations, especially when dealing with complex or multiple configurations. This approach allows you to create separate files for different roles or users, making it easier to manage and audit sudo permissions.
Below are examples demonstrating how to manage RBAC for multiple users and roles using
/etc/sudoers.dwithsudo.
Role-Based Access Control (RBAC) with /etc/sudoers.d
1. Define Commands for Roles:
-
Create a file for each role in
/etc/sudoers.dand define the commands that each role can execute usingCmnd_Alias.1
sudo visudo -f /etc/sudoers.d/editor
Add the following lines to the
editorfile to define the commands that theeditorrole can execute:1 2 3
Cmnd_Alias EDITOR_CMDS = /bin/cat, /bin/vi, /bin/nano, /bin/echo # Add another line in the file for john to be able to use the sudo john ALL=(ALL) EDITOR_CMDS
1
sudo visudo -f /etc/sudoers.d/admin
Add the following lines to the
adminfile to define the commands that theadminrole can execute:1 2 3 4 5
Cmnd_Alias ADMIN_CMDS = /bin/systemctl restart httpd.service, /bin/systemctl reload httpd.service # Add another line in the file for jane to be able to use the sudo jane ALL=(ALL) ADMIN_CMDS # Or add the following line in the file to assign the admin role to the group admin_group %admin_group ALL=(ALL) ADMIN_CMDS
Also, we can directly assign the role to the group and then add the users to that group.
1 2 3 4
# /etc/sudoers.d/<role_name> # Allow user to execute any command %<group_name> ALL=(ALL:ALL) ALL
1 2 3 4
# /etc/sudoers.d/<role_name> # Allow user to execute only specific commands %<group_name> ALL=/usr/bin/less /var/log/syslog, /usr/bin/cat /etc/passwd
Then create the group and add some users to that group.
1
sudo usermod -aG <group_name> <user_name>
Explanation:
-
Cmnd_Alias: Defines a group of commands that can be executed by the roles. Here, we have defined two command aliases:EDITOR_CMDSfor the ‘editor’ role andADMIN_CMDSfor the ‘admin’ role. -
user/group ALL=(ALL): Specifies that the user or members of the group can execute the commands defined in theCmnd_Alias. -
EDITOR_CMDSandADMIN_CMDS: The command aliases defined in the previous step. -
%<group_name> ALL=(ALL:ALL) ALL: This line allows all members of the group to execute any command with sudo. -
%<group_name> ALL=/usr/bin/less /var/log/syslog, /usr/bin/cat /etc/passwd: This line allows all members of the group to execute only theless /var/log/syslogandcat /etc/passwdcommands with sudo.
2. Set Permissions:
-
Ensure that the files in
/etc/sudoers.dhave the correct permissions and ownership.1 2
sudo chmod 440 /etc/sudoers.d/* sudo chown root:root /etc/sudoers.d/*
Explanation:
-
chmod 440: Sets the permissions to440, which means read and write for the owner and read-only for the group and others. -
chown root:root: Changes the ownership of the files toroot:rootfor security reasons.
3. Test the Configuration:
-
Verify the configurations by logging in as each user and attempting to execute the allowed commands.
1 2 3
sudo -u john cat /etc/passwd # for john sudo -u jane vi /etc/hostname # for jane sudo -g admin_group systemctl status apache2 # for admin_group
Explanation:
-
sudo -u: Executes the command as the specified user. -
sudo -g: Executes the command as a member of the specified group.
Summary:
-
Define Commands for Roles:
- Create files for each role in
/etc/sudoers.dand define the commands each role can execute usingCmnd_Alias.
- Create files for each role in
-
Assign Roles to Users and Groups:
- Create files for each user and group in
/etc/sudoers.dand assign the corresponding roles to them.
- Create files for each user and group in
-
Set Permissions for
/etc/sudoers.dFiles:- Ensure that the files in
/etc/sudoers.dhave the correct permissions and ownership to maintain security.
- Ensure that the files in
-
Test the Configuration:
- Verify the configurations by logging in as each user and attempting to execute the allowed commands.
Important Notes:
- Always use
visudoto edit sudo configurations to ensure that the syntax is correct and avoid locking yourself out of the system due to incorrect sudo configurations. - Make sure to test the configuration thoroughly to ensure that the RBAC setup is working as expected.
By following this guide, you can implement role-based access control (RBAC) for user and group management effectively using /etc/sudoers.d on Linux.
Overview of DAC
Discretionary Access Control (DAC) is a type of access control that restricts access to objects based on the identity of the subject and the group to which the subject belongs. In Linux, DAC is implemented using file permissions and ownership.
Here’s a breakdown of DAC components:
-
File Permissions:
- Read (
r): Allows reading of the file. - Write (
w): Allows writing to the file. - Execute (
x): Allows executing the file or accessing directories.
- Read (
-
Ownership:
- Owner: The user who owns the file.
- Group: The group associated with the file.
- Others: Any user that is not the owner or in the group.
File Permissions
File permissions in Linux can be viewed and modified using the ls command with the -l option and the chmod and chown commands.
View File Permissions
To view file permissions, use:
1
ls -l filename
For example:
1
ls -l myfile.txt
This will display something like:
1
-rw-r--r-- 1 user group 0 Apr 16 12:00 myfile.txt
Here:
-
rw-: Owner has read and write permissions. -
r--: Group has read-only permissions. -
r--: Others have read-only permissions.
Change File Permissions
To change file permissions, you use the chmod command followed by a three-digit number or symbolic notation.
Numeric Notation:
-
4: Read -
2: Write -
1: Execute
To set the permissions to rw-r--r--:
1
chmod 644 myfile.txt
Symbolic Notation:
-
u: User/Owner -
g: Group -
o: Others -
a: All
For example, to add execute permissions to the owner:
1
chmod u+x myfile.txt
Ownership
Ownership of a file can be changed using the chown command.
Change Owner
To change the owner of a file:
1
sudo chown newowner myfile.txt
Change Group
To change the group of a file:
1
sudo chown :newgroup myfile.txt
User and Group Management
To manage users and groups on a Linux system, you can use the following commands:
Users
Add a User:
1
sudo adduser username
Delete a User:
1
sudo deluser username
Groups
Add a Group:
1
sudo addgroup groupname
Delete a Group:
1
sudo delgroup groupname
Add User to Group
To add a user to a group:
1
sudo usermod -aG groupname username
Example
Let’s go through an example to put these concepts together.
- Create a file:
1
echo "Hello, World!" > myfile.txt
- View file permissions:
1
ls -l myfile.txt
You’ll see something like:
1
-rw-r--r-- 1 user group 13 Apr 16 12:00 myfile.txt
- Change file permissions to
rwxr-xr--:
1
chmod 754 myfile.txt
- Change file owner to
newuserand group tonewgroup:
1
sudo chown newuser:newgroup myfile.txt
- Create a new group:
1
sudo addgroup newgroup
- Add
newusertonewgroup:
1
sudo usermod -aG newgroup newuser
Now, newuser has rwx permissions, newgroup has r-x, and others have r-- on myfile.txt.
This example shows the basics of how to use DAC for user and group management in Linux. Remember, managing permissions and ownership effectively is crucial for maintaining the security and integrity of your system.
Summary
By using DAC, we have implemented a simple access control system for managing file permissions on a Linux system. This approach allows for a granular way of managing access control by setting permissions for the owner, group, and others, making it easier to manage and audit access control.