CSCI 530 Lab
Authorization
Overview
This lab features the Linux permissions system, a filesystem authorization mechanism. It governs access to files, and to anything else represented in the filesystem as if it were a file: directories, devices, symbolic links, kernel variables, etc. Students will exercise and record results of the filesystem permissions system to grasp that the authorization decision is a function of two variables, not one. For a user who wants to access a file, permission depends on which file. For a file that a user might access, permission depends on which user. Knowing only one of those variables tells nothing about permission to do anything.
1. create user accounts and groups; create files, set group ownership and permissions strings
Boot Fedora 7 Linux in VMware (or another Linux environment, per your instructor). Log in as user root using the password "password". There are 3 users, 3 groups, and 3 files to set up.
Create the user accounts:
useradd bill
Observe the result: tail /etc/passwd
Assign a password to each account. When prompted in each case, supply "password" as the password. Ignore the on-screen complaints; you are root and can override them.
passwd bill
Observe the result: tail /etc/shadow
Are these passwords all the same?
Create the groups:
groupadd executives
Observe the result: tail /etc/group
Put users into groups:
usermod -G executives bill
Observe the result: tail /etc/group
Create files:
cd /tmp
Observe the result: ls -l
Set files' group ownerships:
chgrp employees workschedule
Observe the result: ls -l
Set files' permissions settings:
chmod 644 workschedule
Observe the result: ls -l
2. test authorization to read for each user against each file
2a. baseline
Now that you're set up, determine for each of the three users, against each of the three files, who can read what. (cat-ting a file is a test of its readability.) Identify each of the nine outcomes (file is readable, yes or no) by observing the files' permissions and group affiliations, and the users' group memberships. Write your predictions in the pre-established grid in the supplied answer file authorizationlab.doc, as a "yes" or "no" in each cell. Then test all 9 cases empirically. Do so by logging in successively as each user, and testing each of the 3 files as that user to see whether you were right. For best understanding, don't make the empirical attempt until you have written down your predicted results; then check those predictions against the empirical test.
2b. modified (by access control lists)
You will make one change to the access control list attached to "strategies" and two changes to the one attached to "salaries." The change to "strategies" will affect a user, joe. One of the changes to "salaries" will affect a user, joe, while the other will affect a group, executives. Check these two files' initial access control lists:
getfacl salaries strategies
Then make the changes:
setfacl --modify u:joe:rw- salaries strategies
setfacl --modify g:executives:rw- salaries
and note the files' changed access control lists:
getfacl salaries strategies
Repeat the above 9-square test of who can read what and produce a new written 9-square grid of the results. Write your predictions into the second grid before actually testing them to see whether you were right. For any square that exhibits a change, make sure you understand how the above commands are responsible for it.
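The 9-square decision of steps 2a and 2b can be modelled directly. The following is an added example, not part of the lab sheet: it evaluates a read request the way the kernel does (owner entry, then named user entries, then owning and named group entries, then other, with the ACL mask limiting the named and group entries), and applies the three setfacl changes above. The group memberships and modes of the three files are a constructed assumption, since the lab sheet leaves them for you to set; the lab's real grid may differ.

```python
# Added model of the authorization decision this lab exercises: mode bits plus
# POSIX ACL entries, checked in the order acl(5) specifies. The setup at the
# bottom is a constructed assumption for illustration, not the lab's answer key.
from dataclasses import dataclass, field
def perms(s):                        # "rw-" -> {"r", "w"}
    return {c for c in s if c != "-"}

@dataclass
class File:                          # fields mirror getfacl's output lines
    owner: str
    group: str
    user_obj: str                    # user::  (mode bits 6-8)
    group_obj: str                   # group:: (mode bits 3-5)
    other: str                       # other:: (mode bits 0-2)
    named_users: dict = field(default_factory=dict)   # user:NAME:perms
    named_groups: dict = field(default_factory=dict)  # group:NAME:perms
    mask: str = None                 # mask::, present once an extended ACL exists

def setfacl_modify(f, kind, name, p):
    """Like `setfacl --modify u:NAME:p` or `g:NAME:p`: add the entry, recompute mask."""
    (f.named_users if kind == "u" else f.named_groups)[name] = p
    named = list(f.named_users.values()) + list(f.named_groups.values())
    union = perms(f.group_obj).union(*map(perms, named))
    f.mask = "".join(c if c in union else "-" for c in "rwx")

def allowed(user, groups, f, perm):
    mask = perms(f.mask) if f.mask else {"r", "w", "x"}
    if user == f.owner:                                  # owner class decides alone
        return perm in perms(f.user_obj)
    if user in f.named_users:                            # named user, limited by mask
        return perm in perms(f.named_users[user]) & mask
    entries = [f.group_obj] if f.group in groups else [] # group class: any match
    entries += [p for g, p in f.named_groups.items() if g in groups]
    if entries:                                          # a matching group entry that
        return any(perm in perms(p) & mask for p in entries)  # lacks it blocks "other"
    return perm in perms(f.other)

def read_grid(users, files):         # the lab's 9-square grid: (user, file) -> readable?
    return {(u, n): allowed(u, g, f, "r") for u, g in users.items() for n, f in files.items()}

# Constructed setup (assumed group memberships and modes; not from the lab sheet).
USERS = {"bill": {"executives"}, "mary": {"humanresources"}, "joe": {"employees"}}
FILES = {"workschedule": File("root", "employees", "rw-", "r--", "r--"),       # chmod 644
         "salaries":     File("root", "humanresources", "rw-", "r--", "---"),  # chmod 640
         "strategies":   File("root", "executives", "rw-", "---", "---")}      # chmod 600
BEFORE = read_grid(USERS, FILES)                     # baseline (step 2a)
setfacl_modify(FILES["salaries"], "u", "joe", "rw-") # the three ACL changes of step 2b
setfacl_modify(FILES["strategies"], "u", "joe", "rw-")
setfacl_modify(FILES["salaries"], "g", "executives", "rw-")
AFTER = read_grid(USERS, FILES)
```

Compare BEFORE and AFTER square by square: the only cells that flip are the ones the named user entry for joe and the named group entry for executives reach, and the mask (which setfacl recomputes) is what decides whether those entries are effective.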
3. clean up
When you have finished, please erase your tracks:
rm workschedule
rm salaries
rm strategies
userdel -r bill
userdel -r mary
userdel -r joe
groupdel executives
groupdel humanresources
groupdel employees
The assignment:
Prepare your answers in the supplied Microsoft Word doc file named authorizationlab.doc.
1. Above you wrote predictions in the grids for both the baseline "before" case and the modified "after" case following creation of an ACL. Then you tested them. Maybe all your predictions were right, maybe not. Change the predictions, as needed, to reflect the actual empirical outcomes you saw. "Yes" or "no" should appear in each cell. In each, under "yes" or "no," write the very brief reason for that outcome. Do this for both of the grids appearing in the authorizationlab.doc answer file.
2. When you assigned identical passwords to bill, mary, and joe, different content appeared for each user in the /etc/shadow file where passwords are stored. Why?