Extended File Attributes


TechRepublic: A ZDNet Tech Community

Learn to use extended file attributes in Linux to boost security

Date: December 15th, 2009
Author: Vincent Danen

Category: General

Tags: Attribute, File, ACL, Linux, UNIX, Open Source, Operating Systems, Security, Software, Vincent Danen


ACLs and extended attributes for files are simple and easy to use in Linux, and can go a long way in securing files. Vincent Danen goes over some of the basic file protection enhancements provided by the Linux kernel.

With all the talk of enhanced filesystem security and security frameworks, some of the basic file protection enhancements provided by the Linux kernel have been forgotten. While there is certainly a distinct place for security applications like SELinux, GrSecurity and others, there are simple means for securing files as well. ACLs and extended attributes for files are simple and easy to use, and can go a long way in securing files.

The first tools to use are chattr, which changes the attribute flags on a file, and lsattr, which lists those flags. (These flags live in the inode and are distinct from the named extended attributes that setfattr and getfattr manage, covered below.) There are a number of attributes you can add to or remove from files, including a, which makes a file append-only (it can only be opened for appending, so existing content cannot be overwritten or truncated), and i, which makes a file immutable (it cannot be modified, deleted, or renamed, nor can any link be created to it). The kernel enforces both flags against every process, root included: even root has to clear the flag before touching the file, and only a process holding the CAP_LINUX_IMMUTABLE capability can set or clear it. That is what makes the flags useful against careless scripts and automated tampering. There are other attributes that deal with compression, undeletion, secure deletion, and journaling as well; note, however, that the undeletion (u) and secure deletion (s) flags are not honoured by the mainline ext2/ext3/ext4 implementations, so do not rely on them.

Because setting and clearing these flags requires CAP_LINUX_IMMUTABLE, in practice only root can change them, and no mount option alters that. The named extended attributes used by setfattr and getfattr are a different mechanism: if you want ordinary users to be able to set and remove attributes in the user namespace, the filesystem must be mounted with the user_xattr mount option (and ACLs, covered below, need the acl option), for example in /etc/fstab:

UUID=661ab9f1-c381-4962-bcfc-0b5e2aab1ce9 /home ext4 defaults,user_xattr,acl 1 2

On modern kernels ext4 enables both user_xattr and acl by default, so the explicit options matter mainly for older kernels such as the ones this article was written against; listing them anyway does no harm and documents the intent.
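The flags are only a protection if someone checks that they are still in place. As an added example (not code from the original article), here is a small Python auditor that reads lsattr(1) output and compares the immutable and append-only flags against a baseline you maintain. It reports drift in both directions: a protected file that has lost its flag, and a file that has unexpectedly become immutable, a technique intruders use to keep their own persistence files from being cleaned up. The sample lsattr output and the baseline paths are constructed for the example; live_flags() feeds real lsattr -d output through the same parser.

```python
"""Audit inode attribute flags from lsattr(1) output.

Added example, not code from the original article. It parses lsattr
output and compares the immutable (i) and append-only (a) flags against
a baseline of files an administrator chose to protect. The sample output
and the baseline paths below are constructed for the example.
"""
import subprocess
from dataclasses import dataclass

IMMUTABLE = "i"    # chattr +i: no modify, delete, rename or link
APPEND_ONLY = "a"  # chattr +a: may only be opened for appending


@dataclass(frozen=True)
class InodeFlags:
    path: str
    flags: frozenset  # single-letter flags as lsattr prints them, e.g. {"i", "e"}

    @property
    def immutable(self):
        return IMMUTABLE in self.flags

    @property
    def append_only(self):
        return APPEND_ONLY in self.flags


def parse_lsattr(text):
    """Parse lines of the form '----i---------e------- /path' into InodeFlags.

    The flag field never contains spaces, so splitting on the first space
    keeps paths that contain spaces intact."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("lsattr:"):
            continue  # blank line, or an error line if stderr was merged in
        flagstr, _, path = line.partition(" ")
        entries.append(InodeFlags(path, frozenset(c for c in flagstr if c != "-")))
    return entries


def audit(entries, expected_immutable, expected_append_only):
    """Compare flags against the baseline.

    Reports both directions of drift: a baseline file that has lost its
    protection, and a file that is protected although the baseline does
    not list it (intruders set +i on their own persistence files so that
    cleanup scripts fail)."""
    by_path = {e.path: e for e in entries}
    findings = {"missing_immutable": [], "missing_append_only": [],
                "unexpected_immutable": [], "unexpected_append_only": []}
    for p in sorted(expected_immutable):
        if p not in by_path or not by_path[p].immutable:
            findings["missing_immutable"].append(p)
    for p in sorted(expected_append_only):
        if p not in by_path or not by_path[p].append_only:
            findings["missing_append_only"].append(p)
    for e in entries:
        if e.immutable and e.path not in expected_immutable:
            findings["unexpected_immutable"].append(e.path)
        if e.append_only and e.path not in expected_append_only:
            findings["unexpected_append_only"].append(e.path)
    return findings


def live_flags(paths):
    """Read the real flags with lsattr -d (reading needs no privilege)."""
    out = subprocess.run(["lsattr", "-d", *paths], capture_output=True, text=True)
    return parse_lsattr(out.stdout)


# Constructed sample in lsattr's output format: flag field, space, path.
SAMPLE_LSATTR = """\
----i---------e------- /etc/passwd
--------------e------- /etc/shadow
-----a--------e------- /var/log/secure
----i---------e------- /var/spool/cron/root
"""

# Assumed baseline for the example: the files an admin decided to protect.
BASELINE_IMMUTABLE = {"/etc/passwd", "/etc/shadow"}
BASELINE_APPEND_ONLY = {"/var/log/secure"}


def sample_findings():
    return audit(parse_lsattr(SAMPLE_LSATTR), BASELINE_IMMUTABLE, BASELINE_APPEND_ONLY)


if __name__ == "__main__":
    for kind, paths in sample_findings().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run as a script it reports that /etc/shadow has lost its immutable flag and that /var/spool/cron/root is immutable without being on the baseline. Reading flags with lsattr needs no privilege, so the check can run from an unprivileged monitoring account; only changing them needs CAP_LINUX_IMMUTABLE.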

The other tools that can set and list attributes are the setfattr and getfattr programs. These are useful with programs like Beagle that store certain metadata with files, but they can be useful outside of these applications as well. They don't have much to do with security (an attribute in the user namespace can be written by anyone who has write permission on the file, so it is not a place to store anything you need to trust), but they are useful nonetheless:

$ setfattr -n user.comment -v "this is a comment" testfile
$ getfattr testfile
# file: testfile
user.comment

$ getfattr -n user.comment testfile
# file: testfile
user.comment="this is a comment"

Finally, to set ACLs (Access Control Lists) on files, use the setfacl and getfacl tools. In order to use these commands, and ACLs in general, the filesystem must be mounted with the acl mount option.

Learn to use extended file attributes in Linux to boost security | . . . http://blogs.techrepublic.com.com/opensource/?p=
of 3 12/16/2009 09:46

Traditionally, files have three distinct access controls: read, write, and execute, and they are for three distinct groups: user, group, and other (or world). If you wanted to have two or three people have write access to a file, you would have to create a group that all those people were members of, give the file appropriate group ownership, and make it writable by the group. With ACLs, you can bypass the need for creating groups in this fashion. For instance, if you create a file that is owned joe:joe with 0644 permissions (read/write to joe, read-only to everyone else), only Joe can edit it. If you want Angela to have access to write to this file, but no one else, ACLs can help:

$ setfacl -m u:angela:rw testfile
$ getfacl testfile
# file: testfile
# owner: joe
# group: joe
user::rw-
user:angela:rw-
group::r--
mask::rw-
other::r--

$ ls -l testfile
-rw-rw-r--+ 1 joe joe 6 2009-11-11 14:28 testfile

The above modifies the ACLs on the file testfile and adds an ACL entry for the user angela that gives her read/write (rw) permissions. Using getfacl, it is obvious that angela has rw permissions, as does joe. When using ls, you can also see that the file has an ACL associated with it due to the + in the permissions string.

Two details of that output are worth understanding. The mask::rw- entry is the upper bound on what named users and the group can get; setfacl raised it to rw- so that angela's entry takes effect. And ls shows the mask, not the group::r-- entry, in the group position, which is why the file now appears as -rw-rw-r--+ even though members of group joe still only have read access. The flip side is that a later chmod g-w testfile would lower the mask rather than the group entry and silently cut angela back to read-only; getfacl marks such an entry with #effective:r--, so check its output rather than trusting ls after any chmod on a file carrying an ACL.

Now this file can be edited by joe and angela, and no one else (apart from root), despite it being owned by the user and group joe.
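To make the mask behaviour concrete, here is an added Python example (not from the article) that parses getfacl output and computes effective permissions the way the kernel does: the mask is applied to named users, the owning group and named groups, but not to the file owner or to other. The two sample outputs are constructed: the first is the testfile output above, the second is the same file after chmod g-w, which lowers the mask rather than the group entry. live_writers() runs the same check against a real file using getfacl --absolute-names.

```python
"""Compute effective POSIX ACL permissions from getfacl(1) output.

Added example, not code from the original article. It parses getfacl
output and applies the ACL mask as acl(5) describes, so you can see who
can actually write a file. Both sample outputs below are constructed:
the first matches the article's testfile example, the second is the same
file after 'chmod g-w' has lowered the mask.
"""
import subprocess


def parse_getfacl(text):
    """Return (owner, group, entries); entries is a list of
    (tag, qualifier, perms) tuples such as ('user', 'angela', 'rw-')."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # '# file:' and other header comments
        else:
            # getfacl appends '\t#effective:r--' when the mask cuts an entry
            # down; drop that annotation and recompute the effect ourselves.
            entry = line.split("#", 1)[0].strip()
            tag, qualifier, perms = entry.split(":")
            entries.append((tag, qualifier, perms))
    return owner, group, entries


def effective_permissions(owner, group, entries):
    """Map each principal to the set of permission letters it really has.

    The mask bounds named users, the owning group and named groups; it does
    NOT apply to the owner (user::) or to other:: (acl(5))."""
    mask = None
    for tag, qualifier, perms in entries:
        if tag == "mask":
            mask = set(perms) - {"-"}
    result = {}
    for tag, qualifier, perms in entries:
        bits = set(perms) - {"-"}
        if tag == "user" and qualifier == "":
            result[f"owner:{owner}"] = bits
        elif tag == "other":
            result["other"] = bits
        elif tag == "mask":
            continue
        else:
            if mask is not None:
                bits &= mask
            if tag == "group" and qualifier == "":
                name = f"group:{group}"
            else:
                name = f"{tag}:{qualifier}"
            result[name] = bits
    return result


def writers(text):
    """Principals that can actually open the file for writing."""
    owner, group, entries = parse_getfacl(text)
    eff = effective_permissions(owner, group, entries)
    return sorted(p for p, bits in eff.items() if "w" in bits)


def live_writers(path):
    """Same check against a real file (needs getfacl from the acl package)."""
    out = subprocess.run(["getfacl", "--absolute-names", path],
                         capture_output=True, text=True, check=True)
    return writers(out.stdout)


# Constructed sample 1: the article's testfile right after 'setfacl -m u:angela:rw'.
AFTER_SETFACL = """\
# file: testfile
# owner: joe
# group: joe
user::rw-
user:angela:rw-
group::r--
mask::rw-
other::r--
"""

# Constructed sample 2: the same file after 'chmod g-w testfile'. chmod changes
# the mask, not the group entry, so angela silently drops to read-only.
AFTER_CHMOD = """\
# file: testfile
# owner: joe
# group: joe
user::rw-
user:angela:rw-\t\t#effective:r--
group::r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    print("after setfacl:", writers(AFTER_SETFACL))   # ['owner:joe', 'user:angela']
    print("after chmod g-w:", writers(AFTER_CHMOD))   # ['owner:joe']
```

The second sample is the case to remember: nothing in the user:angela:rw- entry changed, yet her effective access did, because the mask did. Running writers() (or live_writers() on a real path) after any chmod on an ACL-bearing file is a cheap way to confirm the access you intended is the access that exists.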

This is, of course, a brief introduction to ACLs and extended attributes. The man pages for getfacl, setfacl, chattr, lsattr, getfattr, and setfattr all explain the various options, ACLs, and attributes. All of these options should work on any filesystem in recent kernels, provided they are mounted with the appropriate acl and user_xattr options.


Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years.
