Access Control

[20pts] Part 1: Shell Commands and Unix Protection Bits

Submit the series of Unix commands to create a directory hierarchy, files, the commands to set and reveal the protection bits, and results. Create and use a safe working directory such that nothing will be lost even if you make a mistake. Consider /tmp.

Conduct all activities from a terminal of a lab machine (locally or through SSH to ssh.cs.usna.edu). Do NOT use a VM or WSL.

Requirements:

Every step must be carried out with a single shell command.

Use one of the following shell commands:

cat, chgrp, chmod, groups, mkdir, rm, touch, umask, whoami

Use the man page or Google if you want to know how to use the above commands.

Step  Instruction                                                 File
------------------------------------------------------------------------------------
Create directory tmp 
Change the current directory to tmp

1     Create the directory hierarchy:                               ./a/b/c/d
2     Create a file:                                                ./a/foo.txt
3     Create a file:                                                ./a/b/foo.txt
4     Create a file:                                                ./a/b/c/foo.txt
5     Create a file:                                                ./a/b/c/d/foo.txt

6     Change the group to "mail" on:                                ./a/foo.txt

7     Give all access to all accounts (owner, group, others):       ./a/foo.txt
8     Give no access to owner, all access to group and others:      ./a/b/foo.txt
9     Give read and write to the owner and group 
       & Give no access to others:                                  ./a/b/c/foo.txt
10    Display the umask  


11    Display who the owner is (i.e., display your account) 

12    Display the groups you belong too   

13    Show the file contents on the terminal:                       ./a/foo.txt
14    Show the file contents on the terminal:                       ./a/b/foo.txt

15    Deny all access to the owner and group (no change to others)  ./a/b/c/d/
16    Issue the following command to display permissions: 
        find ./a -name "*.txt" -exec ls -alF {} \;





17    Give yourself permission (don't use numbers):                 ./a/b/c/d/
18    Issue the following command to display permissions: 
        find ./a -name "*.txt" -exec ls -alF {} \;



19   Forcibly remove the directory hierarchy recursively.            ./a

Sample run (shell commands deleted):

choi@ward-rweb-09:~$ mkdir -p tmp
choi@ward-rweb-09:~$ cd tmp 

choi@ward-rweb-09:~/tmp$ 
choi@ward-rweb-09:~/tmp$ 
choi@ward-rweb-09:~/tmp$ 
choi@ward-rweb-09:~/tmp$ 
choi@ward-rweb-09:~/tmp$ 

choi@ward-rweb-09:~/tmp$ 
?: changing group of 'a/foo.txt': Operation not permitted
choi@ward-rweb-09:~/tmp$ 
choi@ward-rweb-09:~/tmp$ 
choi@ward-rweb-09:~/tmp$ 

choi@ward-rweb-09:~/tmp$ 
0066

choi@ward-rweb-09:~/tmp$ 
choi
choi@ward-rweb-09:~/tmp$ 
scs
choi@ward-rweb-09:~/tmp$ 
choi@ward-rweb-09:~/tmp$ 
?: a/b/foo.txt: Permission denied
choi@ward-rweb-09:~/tmp$ 

choi@ward-rweb-09:~/tmp$ 
choi@ward-rweb-09:~/tmp$ 
-rwxrwxrwx 1 choi scs 0 Feb 23 07:33 ./a/foo.txt*
----rwxrwx 1 choi scs 0 Feb 23 07:35 ./a/b/foo.txt*
-rw-rw---- 1 choi scs 0 Feb 23 07:33 ./a/b/c/foo.txt
find: ‘./a/b/c/d’: Permission denied
choi@ward-rweb-09:~/tmp$ 
choi@ward-rweb-09:~/tmp$ 
-rwxrwxrwx 1 choi scs 0 Feb 23 07:33 ./a/foo.txt*
----rwxrwx 1 choi scs 0 Feb 23 07:35 ./a/b/foo.txt*
-rw-rw---- 1 choi scs 0 Feb 23 07:33 ./a/b/c/foo.txt
-rw------- 1 choi scs 0 Feb 23 07:33 ./a/b/c/d/foo.txt
choi@ward-rweb-09:~/tmp$

Deliverables

Give the following in the lab report.

Give the series of commands and output like the sample run above (of course, with the commands in your report). You don't need to give a screenshot; a text version of an actual sample run will be good enough. Please put the exeuction log inside a box so that it can be clearly visible.
For step 10, explain the results of umask execution. In particular, what does 0066 mean (refer to the wikipage)?
For step 14, why do you see "Permission denied" even if you You are the owner of the file?

[25pts] Part 2: Linux File ACLs

Our Linux system provides an additional and more granular access control mechanism based on Access Control Lists (ACLs). The commands, nfs4_getfacl and nfs4_setfactl are the principle means of retrieving and setting a file’s ACL.

You can use the man page to see how these commands work. You can also Google about these commands.

~$ man nfs4_setfacl
NFS4_SETFACL(1)                               NFSv4 Access Control Lists                              NFS4_SETFACL(1)

NAME
       nfs4_setfacl, nfs4_editfacl - manipulate NFSv4 file/directory access control lists

SYNOPSIS
       nfs4_setfacl [OPTIONS] COMMAND file...
       nfs4_editfacl [OPTIONS] file...

DESCRIPTION
       nfs4_setfacl  manipulates  the NFSv4 Access Control List (ACL) of one or more files (or directories), provided
       they are on a mounted NFSv4 filesystem which supports ACLs.

... (omitted) ...

Your Task

Follow the instructions below. Figure out the correct commands on the way, and add screenshots in the lab report to show that you successfully completed this task.

Display the ACL for directory public_html. Once you figure out the correct command, you will see something similar to the following:

# file: public_html
A::OWNER@:rwaDxtTcCy
A::33:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:33:rwaDxtcy
A:fdi:35002:rwaDxtcy
A:fdi:GROUP@:rxtcy
A:fdi:EVERYONE@:tcy

In the above, numbers 33 and 35002 refer to user accounts, and you can use command getent passwd <number> to tell the account name:

choi@ward-rweb-09:~$ getent passwd 33
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
choi@ward-rweb-09:~$ getent passwd 35002
choi:x:35002:10120:Choi, Seung Geol CIV USNA Annapolis:/home/scs/choi:/bin/bash

In your lab report, explain the details about the above results, in particular:

type: A
flags: fdi
permission letters: r w a D x t T c C y

Create a file index.html under the directory public_html. Contents can be anything as long as it is a legitimate html file about you.
In your report, show that your homepage is correctly accessed by a Web Browser. Use the following URL:
```
https://midn.cs.usna.edu/~mxxxxxx
```

Change the permission of public_html and index.html using chmod so that others have no access to these files. In particular, you have to see "---" for others as follows:

choi@ward-rweb-09:~$ ls -alF | grep public_html
drwxr-x---   9 choi   scs   4096 Feb 15 13:16 public_html/
choi@ward-rweb-09:~$ ls -alF public_html | grep index.html
-rwxr-x---  1 choi scs   5003 Aug  1  2023 index.html*

Ensure that a web browser won't be able to access your homepage.
Grant a read-and-execute permission for these files to account www-mids@academy.usna.edu (i.e., the web-server account).
Once you figure out the correct nfs4_setfacl command, the ACL for the index.html should look something similar to the following:
```
# file: index.html
A::OWNER@:rwaxtTcCy
A::33:rxtcy
A::99:rxtcy
A::35002:tcy
A::GROUP@:tcy
A::EVERYONE@:tcy
```
Note that file index.html still blocks access from others (except www-mids).
```
choi@ward-rweb-09:~/public_html$ls -alF index.html
-rwxr-x--- 1 choi scs 5003 Aug  1  2023 index.html*
```
Check that a web browser can now access your homepage.

[10pts] Part 3: PowerShell Basics

Read the following pages.

About Variables.
- Read up to "Using variables in commands and expressions" (inclusive).
About Environment Variables.
- Read Description.
- Read "Using and changing environment variables".
New object.
- Read Description.
- Try Example 2.
Get-Acl.
- Read Syntax.
- Read Description.
- Try examples 1-3.
Set-Acl.
- Read everything.
- Check: FileSystemAccessRule. Read and understand "Parameters": identity, fileSystemRights, and type.
How to write a PowerShell script file.
- Read "How to create and run scripts".

Deliverables:

In your lab report, affirm that you read and understood the articles.

[15pts] Part 4: Using Get-Acl and Set-Acl Commands in Windows

Use your labtop to complete Parts 4 and 5.

In Unix, everything is a file. However, as you probably know from the previous part, for Windows, recognize that everything revolves around an "object". For instance, you will get an ACL object associated with a file.

An ACL object is a list of Access Control Entry (ACE) objects. Each ACE then determines if access is granted or denied.

Obtaining an ACL

Try the following in a PowerShell.

PS C:\Users\choi> Get-Acl $env:TEMP | Format-List
...(omitted)...
PS C:\Users\choi> Get-Acl $env:TEMP
...(omitted)...
PS C:\Users\choi> $acl = Get-Acl $env:TEMP
PS C:\Users\choi> echo $acl
...(omitted)...

The above sample run does the following:

Use Get-Acl and pipe the result to a pretty-printing cmdlet Format-List.
Additionally, set a variable, $acl to the ACL object:

Creating an ACE Object

Create a rule (i.e., an ACE object) that could be inserted into an ACL object:

PS C:\Users\choi> whoami
academy\choi
PS C:\Users\choi> $me = whoami
PS C:\Users\choi> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, "ListDirectory", "Deny")
PS C:\Users\choi> echo $rule
...(omitted)...

The above sample run creates an ACE object with the following parameters:

identity: academy\choi (Of course, you will have a different identity).
fileSystemRights: ListDirectory
type: Deny

Adding an ACE to an ACL

You can add an ACE to an ACL as follows:

PS C:\Users\choi> mkdir randomdir
PS C:\Users\choi> $myFolder = "randomdir"
PS C:\Users\choi> $acl = Get-Acl $myFolder
PS C:\Users\choi> $acl.AddAccessRule($rule)
PS C:\Users\choi> echo $acl | Format-List
...(omitted)...

Set an ACL to a file or folder

When all rules have been added, you can the ACL with some directory or file:

PS C:\Users\choi> Set-Acl $myFolder $acl
PS C:\Users\choi> Get-Acl randomdir | Format-List
...(omitted)...

Deliverables:

Run all the above commands and show the results (in a readable screen capture) in your lab report.
Try to access the directory randomdir using the Windows File Explorer. Give the screen capture of what happens.

[20pts] Part 5: Using Get-Acl and Set-Acl Commands in Windows

Allowing Powershell to run scripts

First, we need to allow PowerShell to execute scripts. To do so, open a PowerShell (run it as Administrator) and execute run this command:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

After that type Y and press enter.

Your Task

Create a Poweshell script file p05.ps1 that works as follows. See below for how to test your script.

1. Create a variable $folder and assign it to 'a\b\c'
2. Create a variable $acl and assign it to the result of Get-Acl for $folder.
3. Create a variable $me. Assign it to the result of whoami
4. Create a variable $rule that denies $me listing the contents of $folder$.
5. Add $rule to $acl.
6. Create a variable $rule2 that denies $me executing files in $folder.
7. Add $rule2 to $acl.
8. Apply $acl to $folder.

Testing your script

Now, open a normal Powershell. Execute the following commands and activities.

cd \temp
whoami
mkdir a\b\c\d
echo “Hello world” >> a\b\c\foo.txt            
.\p05.ps1
Get-Acl a\b\c | Format-List

ls a\b\c
type a\b\c\foo.txt

1. Change to the directory  c:\temp
2. Figure out what your UID is
3. Make four directories a\b\c\d under c:\temp
4. Create a file 
5. Run the script (You will create this script; see below)
6. Print the ACL. You should see that you're denied.
7. Use Windows File Explorer to confirm (See the image below)
8. List the contents of a\b\c. You should be denied. 
9. Type (cat) the contents of foo.txt. You will see the contents.

The output of command 6 should look like the following (i.e., listing and executing should be denied for $me):

Path   : Microsoft.PowerShell.Core\FileSystem::C:\temp\a\b\c
Owner  : ACADEMY\choi
Group  : ACADEMY\Domain Users
Access : ACADEMY\choi Deny  ReadData, ExecuteFile

 ...(omitted)..

You can check the permissions using Windows File Explorer:

Deliverables

The code of p05.ps1 in the lab report (within a box).
Show the results of the 9 activites in the above so that the instructor can verify the correctness of your script.
A screenshot showing the permissions with Windows File Explorer.

[10pts] Lab Report and Submission

Write a lab report by using the provided template (check the lab ground rules). The writing quality of the lab report matters.

~/bin/submit -c=IT430 -p=lab08 lab08_report.docx