Linux trustees (ACL) project
Project in brief
The main goal is to create advanced permission management system for linux.
In fact, UNIX permission system is not suitable for solution of very common tasks.
E.g., let a system administrator
wants to create a directory that available for some groups in write mode,
for another groups - in read only. The files in the directory and subdirectories
should inherits the parent's behavior, unless other is stated explicitly.
Using standard UNIX (and linux) security model it is generally speaking
impossible to implement the situation when different groups have read/write
and read/only permissions. This issue can be resolved by ext2-fs ACL project,
but the problem is that nobody wants to copy mask or ACLs from parent directory
to subdirectories either by hands or using special scripts.
The solution proposed is mainly inspired by Novell Netware approach and
Java security API.
Special objects (called trustees) can be bounded to every
file or directory. Trustee object means that access to file
or directory or directory with subdirectories is granted (or denied) to
certain user or group (or all except user or group).
How the permissions are calculated
The following rights are used in trustee objects:
- Deny if the access is explicitly denied
- Grant if the access is explicitly granted
- Deny by default
||Write files and directories
||Browse (like UNIX execute for directories)
||Use UNIX permissions
||Clear the permissions (instead of set them)
||Deny access (instead of grant)
|!|| The trustee object applies to all except user or group|
|O||One level. The trustee object applies to the surectory and files in in, not to subdirectories|
The trustees objects are stored in the kernel memory (I hope that even
if somebody will have thousands of trustees, it will be OK) that allows
very quick lookup.
The permission to access a file (or directory) is calculated using
the following algorithm:
Note, that string names (not inode numbers) are stored in trustees object,
so the trustee system is work despite of the mount points, filesystem types
Dereference file name (all symbolic links are replaced
by physical path).
- Set initial deny mask to  (empty mask) and allow mask
to [U] (use unix rights by default).
- Starting from root directory check all the parents of file and
file itself and find trustee
objects applicable, and set (or clear,
if C in the trustee mask) the rights in trustee mask in the permission mask applicable.
- After the masks for file
name is calculated:
If user is the superuser, grant the access.
If at least one of the access modes requested is denied, deny the access.
If U flag is set in allow mask, and U flag is not set in deny mask, and the normal
Linux permission code allows the access, grant access
If all the access flags requested set in allow mask, grant the access
User level program and configuration file
A user level program settrustee reads permissions database /etc/trustee.conf and loads it to the kernel. It should be scheduled for execution at system startup and after every /etc/trustee.conf modification (with -d option).
The format of /etc/trustee.conf is follows:
Each line is either a comment (line from #) or a set of trustee
objects for a file or a directory. In the later case the line has the following format:
<File or directory name>:<trustee object info>:.....:<trustee
The starting / in file names is mandatory, double / are
prohibited, trailing slashes are not recommended. <Trustee object info> is
<User or group information>:<Rights mask>
<User or group information> is either a
- * - means everybody
- User name
- + followed by a group name
# Allows access for a very trusted user to all filesystem
# Denies access to secret directory for most of the users,
#clear access granted before
#(rights of very_trusted_user calculated using UNIX permissions),
# if the very_trusted_user is a member of +most_of_users_group,
# access is denied.
# Deny access to all except trusted group
This code was carefully tested by the author and in a production usage more than 2 months. At least a hundred downloaded this code. The author recieved some positive feedback. No bugs were found at least a couple of months. So, the code is considered as stable.
The patch provided can be applied to any 2.2.X or 2.3.X kernel. cd /usr/src
patch -p0 <trustees.XX.patch
make xconfig or menuconfig or config
Answer Yes to CONFIG_TRUSTEES question (in FileSystems section)
make dep; make install; make modules; make modules_install
Create file /etc/trustee.conf
Put settrustee in a startup script.
Reboot the system
Contacting the author
Please report bugs and succesfull testing to email@example.com.
Personal message from the author:
Hi everybody. My name is Vyacheslav Zavadsky. I live in Minsk, Belarus (former USSR). I am looking for contracts for off-shore software development. I can do well C/C++/Java/Perl server-side programming, internet programming, high tech programming (I mean complex data structures, algorithms, mathematics etc) and scientific programming. My resume aka internet programmer can be found here.
- A nice user-level and administration program
- Non i386 ports testing and debugging
- Currently samba forks in order to check rigths to a file. I implemented a syscall
access_uid(char * name, int mode, uid_t uid, gid_t gid). I would like somebody to make samba use this syscall
and benchmark it.
User contributed software
- A SYSV init script by Manfred Kissel. In order to use these script on Red Hat Linux and other distribution that use /etc/rc.d/init.d directory download file aclfs and put it to /etc/rc.d/init.d. Create file /etc/trustee.conf. Activate the cript by chkconfig aclsfs on . Reboot the system.