Linux 101 : Short overview of different Linux security schemes for filesystems - DAC, MAC, RBAC, ... -
Discretionary Access Control:
Discretionary Access Control - DAC - is the basic access control system that handles Linux filesystem security for files, devices, ...
DAC bases its security on using the permissions of the user or the group that owns the file or the directory to give or deny access.
The root user manages all this.
Within DAC, users, for example, have control over the filesystem objects they create or the ones they have permission over.
They can share these objects, give other users access to them, ...
Below is a diagram explaining the DAC permissions. We get a similar output using the "ls -l filename" command:
- r : read.
- w : write.
- x : execute.
- - : no permission.
Access Control Lists:
Access Control Lists - ACLs - dictate which users or groups can access which files or directories.
In the ACL system, we have two elements:
- Subjects : represent users and groups.
- Objects : represent files and directories
Using the DAC permissions, files and directories can only have one user and one group that owns them.
Access Control Lists - ACLs - address this limitation.
ACLs add a more granular control for accessing files and directories without modifying their DAC regular permissions.
ACLs allow us to add permissions for other users and groups on top of the regular permissions that we have mentioned before - DAC -.
We can use the "getfacl" and "setfacl" commands to list or set the ACLs for a file.
Below is an example of ACLs applied to the file "file-1":
We can see that the user "Albert", who is not the owner of the file, has "read" rights on the file through ACLs.
This could be achieved through the below command:
The second group "group-1" - that we added using ACLs - will have in it users who have "write" and "execute" rights over the file.
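How the kernel combines the DAC bits with ACL entries when deciding access can be modelled with the short sketch below. It is an added example, not part of the original article, and follows the check order documented in acl(5); the owner "owner-1", the owning group "owners", the base mode bits and the mask are constructed assumptions, and the root bypass is not modelled.

```python
# Added example: a model of the POSIX ACL access check order from acl(5).
from dataclasses import dataclass, field

def bits(perm):
    """Turn a permission string such as 'r-x' into the set {'r', 'x'}."""
    return set(perm) - {"-"}

@dataclass
class FileAcl:
    owner: str
    group: str
    owner_perm: str                       # regular DAC bits for the owner
    group_perm: str                       # regular DAC bits for the owning group
    other_perm: str                       # regular DAC bits for everyone else
    named_users: dict = field(default_factory=dict)   # extra ACL user entries
    named_groups: dict = field(default_factory=dict)  # extra ACL group entries
    mask: str = "rwx"                     # upper bound for every non-owner entry

def allowed(acl, user, groups, wanted):
    """Return True if `user`, a member of `groups`, gets all `wanted` bits."""
    want = bits(wanted)
    if user == acl.owner:                 # 1. owner entry, the mask does not apply
        return want <= bits(acl.owner_perm)
    if user in acl.named_users:           # 2. named user entry decides, nothing after it is read
        return want <= bits(acl.named_users[user]) & bits(acl.mask)
    # 3. owning group and named groups: one single matching entry must grant everything
    matching = [acl.group_perm] if acl.group in groups else []
    matching += [p for g, p in acl.named_groups.items() if g in groups]
    if matching:
        return any(want <= bits(p) & bits(acl.mask) for p in matching)
    return want <= bits(acl.other_perm)   # 4. fall back to the "other" bits

# Constructed sample matching the article: "Albert" reads via an ACL entry,
# members of "group-1" get write and execute. Owner and base bits are assumed.
FILE_1 = FileAcl(owner="owner-1", group="owners",
                 owner_perm="rw-", group_perm="r--", other_perm="---",
                 named_users={"Albert": "r--"},
                 named_groups={"group-1": "-wx"})

if __name__ == "__main__":
    for who, grps, want in [("Albert", {"staff"}, "r"),
                            ("Albert", {"group-1"}, "w"),
                            ("bob", {"group-1"}, "wx"),
                            ("eve", set(), "r")]:
        print(who, sorted(grps), want, allowed(FILE_1, who, grps, want))
```

Note the second case: once a named user entry matches "Albert", his membership in "group-1" is never consulted, so an ACL entry can end up narrowing a user's access as well as widening it.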
Mandatory Access Control:
MAC uses additional labels to categorize different objects in the filesystem.
Subjects - users and groups - must have a clearance for a category to access the object belonging to that category.
MAC is used by Security-Enhanced Linux - SELinux -, which is a Linux security system for handling permissions and access control policies for different resources in a system.
SELinux uses MAC rules as one of its security components in the form of policies that users can't change, whether they are the owners of a file or have root access to the system.
A file and its level of access is not tied to its owner.
Role-Based Access Control:
Role-Based Access Control - RBAC - is another way of dealing with access rights. It is based on roles instead of permissions - as is the case for DAC -.
Roles have access to specific resources in a system. For example, if "role-1" has access to "resources-1", then for a user "Albert" to have access to "resources-1", the administrator needs to assign "role-1" to "Albert".
Roles could be based on different criteria - departments, user-access level, ... -
In RBAC, subjects - users and groups - must "have" a role to be able to access any object or resource in the system.
Multi-Level Security:
In the Multi-Level Security scheme - MLS - subjects are processes and the objects are files, sockets, devices, ...
MLS uses sensitivity levels - or security levels - that dictate how crucial a resource is in a system.
Subjects - processes - and objects - files, devices, ... - in an MLS system have a security label that dictates their "clearance" or security level.
The MLS security level has two parameters:
- sensitivity : for example, ultra confidential.
- category : for example, internal documents.
SELinux works with the MAC, RBAC, and MLS security models.