Summary: an ACL (access control list) system is software that gives your computer finer-grained access control.
Grsecurity is one of the more typical and mature Linux ACL systems. This document is based on the grsecurity project's official documentation; it came out of my recent study of Linux ACL systems, and I translated it along the way. LIDS, grsecurity and their documentation are rather complex and are discussed in many places, so errors are inevitable.

1. What is an ACL system?

An ACL (access control list) system is software that gives your computer finer-grained access control.

2. Why do I need an ACL system?

The role of an access control system is to restrict the access of all users, root included, to files, capabilities, resources and sockets. This is a mandatory access control (MAC) model. As concern for system security has grown, many access control systems have appeared for Linux. Most of these Linux ACL systems are implemented as kernel patches; grsecurity is one of the more typical and mature ones. With grsecurity, a system administrator can grant each process the smallest set of permissions possible, so that an attacker who gains root privileges still cannot control the entire system.

3. Features of grsecurity

grsecurity supports the following features:
- process-based access control;
- process-based resource limits;
- IP access control;
- protection against brute-force attacks by limiting the process;
- a fully intelligent learning mode;
- human-readable configuration files;
- an intelligent user-space management tool;
- an include directive for pulling in additional ACL configuration, whose argument can be a directory or a file;
- an O(1) lookup algorithm;
- an administrator mode;
- inheritance of capabilities and ACLs.

Installing grsecurity

1. Downloading the grsecurity kernel patch and the management tool gradm

From the official site, http://www.grsecurity.net, you can obtain the latest grsecurity kernel patch and the source code of the management tool gradm. This article uses Red Hat 7.3 and the latest kernel, Linux 2.4.19, as an example.

2. Installing the grsecurity kernel patch

Once the download finishes, we begin the installation. Enter the directory containing the kernel source and apply the grsecurity patch to it:

    [nixe0n@nixe0n nixe0n]$ cd linux-2.4.19
    [nixe0n@nixe0n linux-2.4.19]$ patch -p1 < <grsecurity patch file>

Then open the grsecurity support options in the configuration menu (the options are described in more detail later) and recompile the kernel:

    [nixe0n@nixe0n linux-2.4.19]$ make menuconfig
    [root@nixe0n linux-2.4.19]# make dep && make bzImage && make modules && make modules_install
    [root@nixe0n linux-2.4.19]# cp arch/i386/boot/bzImage /boot/GRSecKernel

Finally, use your favourite editor to add GRSecKernel to the boot menu in /boot/grub/menu.lst.

3. Installing the grsecurity management tool gradm

The grsecurity management tool is called gradm. Download the latest version of gradm, then compile and install it with the following commands:

    tar -zxf gradm-<version>.tar.gz
    cd gradm
    make
    make install

When make install runs, you must define a password for administering the grsecurity ACL system. For the security of the system, make this password long enough, and do not use the same password as the root account.

Configuring grsecurity

1. Structure of grsecurity ACLs

grsecurity ACL rules are made up of subjects (processes) and objects. The subject is the process being executed; the objects are files, resources, capabilities and IP access controls. The system's access control list file is /etc/grsec/acl; without this file, starting the grsecurity system gives an error. A grsecurity ACL rule has the following structure (the angle-bracketed items are placeholders):

    <subject path> <subject mode> {
        <object path> <object mode>
        [+|-]<capability>
        connect {<ip>/<netmask>:<low port>-<high port>}
        bind {<ip>/<netmask>:<low port>-<high port>}
    }

2. Some conventions for grsecurity ACL rules

The grsecurity access control rules come with a number of conventions that need attention. It is important to keep them in mind in order to use grsecurity accurately to harden the system.
These conventions include:
- All paths must be absolute.
- To deny access to a file, simply leave out the mode parameter.
- The include keyword pulls in rules already defined elsewhere, for example: include <file>.
- grsecurity access control rules support comments in the same way that most UNIX system configuration files, shell scripts and the like do: a line beginning with # is a comment.
- Subjects and objects need not be files; they can also be valid directories.
- Subject modes are h, p, v, k, l and o (detailed below).
- Object modes are r, w, x, a, h, i and o (detailed below).
- Capabilities have only one mode, i.
- Whatever the configuration, at least one default ACL is required: the one for /. If it is missing, gradm tells you so when you start the grsecurity ACL system.
- Every subject's ACL rule should contain a / object.
- CAP_ALL is not a real capability; it is only a convenience that stands for all capabilities. For example, to remove every capability except CAP_SETUID, you can use -CAP_ALL and +CAP_SETUID.
- Traditional UNIX permissions apply only to files on the file system; the grsecurity ACL system also covers capabilities, resources and sockets.

3. Modes and their meanings

3.1. Subject (process) modes

In the grsecurity ACL system a subject can have the following modes:
h: the process is hidden and can only be seen by a process with mode v;
v: the process can view hidden processes;
p: the process is protected and can only be killed by a process with mode k;
k: the process can kill protected (p) processes;
l: learning mode is enabled for this process;
o: ACL inheritance is overridden (disabled) for this rule.

3.2. Object modes

An object in a grsecurity access control rule can have the following modes:
r: the object can be opened for reading;
w: the object can be opened for writing or appending;
x: the object can be executed;
a: the object can be opened for appending only;
h: the object is hidden;
i: this mode is only for executable binaries. When the object is executed, it inherits the access control list of the subject, the executing process;
o: inheritance is overridden for this object.

4. Inheritance

The grsecurity ACL system has a feature called inheritance, which closely resembles inheritance in C++. It works in two ways: one in the configuration file, the other in the kernel's handling of ACLs at run time. Apart from rules whose subject has mode o, all ACL rules can use inheritance. The configuration file follows a few simple rules to control inheritance: for an object in the current rule, if a parent ACL rule also controls access to that object, grsecurity compares the two and restricts the current rule so that it allows no more than the parent rule allows, unless the object in the current rule is given mode o. If the current ACL rule says nothing about an object, grsecurity automatically applies the parent rule's restriction on that object.

4.1. Inheritance example

To make this easier to understand, here are a few examples of inheritance:

    / {
        / rwx
        /etc rx
        /usr/bin rx
        /tmp rw
    }
    /usr/bin/mailman {
        /tmp rwxo
    }

Once inheritance has been applied to these two rules, they become:

    / {
        / rwx
        /etc rx
        /usr/bin rx
        /tmp rw
    }
    /usr/bin/mailman {
        / rwx
        /etc rx
        /usr/bin rx
        /tmp rwx
    }

Both the /usr/bin/mailman rule and the / rule contain an entry for the /tmp object. In the /usr/bin/mailman rule, /tmp has mode o, so the restriction that the / rule places on /tmp is ignored. The inheritance algorithm does not only compute inheritance from the immediate parent rule (for example /bin and /bin/su); it follows the path of the current rule and computes inheritance from every ancestor rule. For example, when the rule for the subject /usr/X11R6/bin/XFree86 is used, grsecurity automatically computes the access control from the rules for /usr/X11R6/bin, /usr/X11R6, /usr and /. Many executables share some common access control settings; grsecurity introduced inheritance so that these need to be set only once instead of being duplicated.
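To make the inheritance rules above concrete, here is a small model of them in Python. It is an added example written for this page, not gradm's or the grsecurity kernel's own code, and it implements the rules as the text states them: walk every ancestor of the subject path, start from the nearest ancestor that has a rule (itself already inherited), narrow the current rule's object permissions so they do not exceed the parent's unless the object carries mode o, and inherit nothing at all when the subject itself has mode o. The sample ACL text is constructed: the / and /usr/bin/mailman rules are the page's own example, while the subjects /usr/bin/example and /usr/bin/isolated are hypothetical, added to show the other two cases. Capability lines are skipped by the parser rather than modelled, and connect/bind blocks are not supported.

```python
"""Model of grsecurity ACL inheritance as described above (added example, not gradm code)."""
import re

# Constructed sample in /etc/grsec/acl syntax. The / and /usr/bin/mailman rules
# are the page's own example; /usr/bin/example and /usr/bin/isolated are
# hypothetical subjects added to exercise the other inheritance cases.
SAMPLE_ACL = """
/ {
    / rwx
    /etc rx
    /usr/bin rx
    /tmp rw
}

/usr/bin/mailman {
    /tmp rwxo          # object mode o: ignore the parent's /tmp restriction
}

/usr/bin/example {
    /tmp rwx           # no o: narrowed to the parent's rw
    /etc/shadow        # no mode at all: access denied
    -CAP_ALL           # capabilities are skipped by this example's parser
}

/usr/bin/isolated o {
    /tmp rw            # subject mode o: inherit nothing from /
}
"""

# "<subject path> [subject modes] { ... }"; bodies may not contain nested braces,
# so connect/bind blocks are not supported by this small parser.
BLOCK_RE = re.compile(r"([^\s{]+)\s*([hpvklo]*)\s*\{([^}]*)\}")


def parse_acl(text):
    """Return {subject_path: {"modes": set, "objects": {object_path: set(modes)}}}."""
    # Strip '#' comments first so commented-out text cannot be mistaken for rules.
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    acls = {}
    for subject, smodes, body in BLOCK_RE.findall(text):
        objects = {}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0][0] in "+-":   # blank line or capability entry
                continue
            # A missing mode means the object may not be accessed at all.
            objects[parts[0]] = set(parts[1]) if len(parts) > 1 else set()
        acls[subject] = {"modes": set(smodes), "objects": objects}
    return acls


def ancestors(path):
    """All ancestor subject paths of `path`, from / down to its parent directory:
    /usr/X11R6/bin/XFree86 -> /, /usr, /usr/X11R6, /usr/X11R6/bin."""
    if path == "/":
        return []
    parts = path.strip("/").split("/")
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def effective_objects(acls, subject):
    """Object rules in force for `subject` after inheritance is applied."""
    own = acls[subject]
    if "o" in own["modes"]:                       # subject mode o: no inheritance
        return {p: m - {"o"} for p, m in own["objects"].items()}
    # Start from the nearest ancestor that has a rule (recursively inherited itself).
    defined = [a for a in ancestors(subject) if a in acls]
    result = effective_objects(acls, defined[-1]) if defined else {}
    for path, modes in own["objects"].items():
        if "o" in modes or path not in result:
            result[path] = modes - {"o"}         # override, or object new at this level
        else:
            result[path] = modes & result[path]  # may not exceed the parent's grant
    return result


def render(acls, subject):
    """The expanded form of a subject's rule, like the page's 'become' listing."""
    eff = effective_objects(acls, subject)
    body = "\n".join(f"    {p} {''.join(sorted(m))}".rstrip() for p, m in sorted(eff.items()))
    return f"{subject} {{\n{body}\n}}"


if __name__ == "__main__":
    acls = parse_acl(SAMPLE_ACL)
    for subject in acls:
        print(render(acls, subject))
```

Running it prints each subject's expanded rule; /usr/bin/mailman comes out exactly as in the listing above, /usr/bin/example ends up with /tmp rw and an empty mode on /etc/shadow, and /usr/bin/isolated contains only its own /tmp entry. This is the check worth doing before loading a rule set: the permissions a subject actually gets are the product of every ancestor rule, not just the block you wrote.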
In some special rules you can use the subject mode o to stop the whole rule from inheriting the parent's access control rules; you can also use the object mode o to cancel inheritance for a single object only. The kernel handles inheritance slightly differently: when an object with mode i is executed, the kernel includes a copy of the subject's ACL. In this way a specific process can be allowed to spawn a process with special permissions. For example:

    / {
        / rwx
        /tmp rw
    }
    /usr/bin/mozilla {
        /usr/bin/mozilla-bin rxi
        /tmp rwxo
    }

In this example, suppose /usr/bin/mozilla is a script (which it really is) that executes the real mozilla program, /usr/bin/mozilla-bin. When /usr/bin/mo