Discretionary access control
Discretionary access controls (DAC) are the security aspects that are under the control of the file or directory owner.
UNIX permissions
Under DAC, the owner of a resource can share it in three ways:
- Directly grant access to other users
- Grant access to a copy to other users
- Provide a program that allows access to the original resource (for example, a SUID program)
Permission bits let a file owner grant or deny access to the data in a file to individual users and groups, following the need-to-know principle. Access is decided from the effective user ID of the accessing process and the groups to which that user belongs. Every file system object carries permissions describing access for three classes: the owner, the owning group, and everyone else (the world).
The owner of a file can also grant access privileges to other users by changing the owner or group of the file with the chown and chgrp commands. Note that giving a file away with chown also gives away control of its permission bits.
umask
When a file is created, the creating program requests a set of permission bits (by convention read and write for everyone, 666, for a regular file, and all bits, 777, for a directory). The umask, which is set during the login process, then removes bits from that request: every bit that is on in the umask is cleared from the new file. The default umask applies to every file created by the user's shell and every command run from the user's shell, because child processes inherit it.
- You can change the umask value in your .profile, .login, or .cshrc file. The change affects any file that is created during your login session.
- You can set the umask levels for individual processes with the umask command.
After running the umask command, all new files that are created will be affected by the new umask value until one of the following two events occurs:
- You run the umask command again
- You exit the shell in which the umask command was issued
You should allow the login session to inherit the kernel's default umask value of 022 by not specifying a umask in your profiles. Umask values less restrictive than 022 (such as 002 or 000) should be used only with great caution, because every file the user creates then becomes writable by the whole group or by every user on the system.
If additional permissions are needed for certain files, set them with judicious use of the chmod command after the files have been created, rather than loosening the umask for everything.
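The following is an added example, not code from the AIX documentation. It shows how the umask removes bits from the mode a process requests when creating a file (666 for a file opened by the shell, 777 for mkdir), and that a umask set in a subshell does not leak back into the parent shell. It assumes GNU stat (Linux) to read the resulting mode; on AIX read the mode with ls -ld (or istat) instead.

```shell
#!/bin/sh
# Added example (not from the AIX documentation). Assumes GNU stat (Linux);
# on AIX use "ls -ld" or istat to read the mode of the created object.

# Predict the resulting mode: requested & ~umask, both given in octal.
# Prints the result in octal, e.g. predicted_mode 666 022 -> 644.
predicted_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))        # $1 requested mode, $2 umask
}

# Observe the mode a new file ("file") or directory ("dir") actually gets
# when created under umask $1. The umask is applied inside a subshell so the
# caller's own umask is not touched.
created_mode() {
    mask=$1; kind=$2
    t=$(mktemp -d) || return 1
    (
        umask "$mask"
        if [ "$kind" = dir ]; then
            mkdir "$t/obj"                 # mkdir requests 777
        else
            : > "$t/obj"                   # a shell redirection requests 666
        fi
    )
    stat -c '%a' "$t/obj"
    rm -rf "$t"
}

# A umask issued in a subshell (or any child process) ends with that
# process; the parent keeps its previous value.
umask_unchanged_after_subshell() {
    before=$(umask)
    ( umask 077; : )                       # scope of this umask ends here
    after=$(umask)
    if [ "$before" = "$after" ]; then echo unchanged; else echo changed; fi
}

# Compare prediction and observation for the default 022 and a private 077.
for m in 022 077; do
    echo "umask $m: file predicted $(predicted_mode 666 $m) got $(created_mode $m file)," \
         "dir predicted $(predicted_mode 777 $m) got $(created_mode $m dir)"
done
umask_unchanged_after_subshell
```

The loop at the end prints 644/755 for umask 022 and 600/700 for umask 077, which is why the text recommends 022 as the floor: anything looser than that makes new files group- or world-writable by default.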
Access Control Lists
In addition to the standard UNIX permission bits and umask value, AIX also supports access control lists (ACLs).
UNIX permission bits only control access for the file owner, one group, and everyone else on the system. With an ACL, a file owner can specify access rights for additional specific users and groups beyond what those three classes can express. Like permission bits, ACLs are attached to individual file system objects, such as a file or a directory.
setuid and setgid permission bits
The setuid and setgid permission bits (set user ID and set group ID) allow a program file to run with the user ID or group ID of the file owner rather than the user ID or group ID of the person who is running the program. This is accomplished by setting the setuid or setgid bit on the program file. It permits the development of protected subsystems, where users can access and run certain files without having to own them.
If the setgid bit is set on a parent directory when an object is created, the new object will have the same group as the parent directory, rather than the group of the object's creator. However, objects created in a directory with the setuid bit set are owned by the object's creator, not the directory owner. The setuid/setgid bits of the parent directory are inherited by subdirectories when subdirectories are created.
The setuid and setgid permission bits represent a potential security risk. A program that is set to run as root has essentially unlimited access to the system, so any flaw in that program, or in code it loads or executes, can hand the caller the same access. Keep the set of such programs small and audit it regularly. On Trusted AIX systems, however, the use of privileges and other access controls significantly reduces this security risk.
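The following is an added example, not code from the AIX documentation. It demonstrates the two directory and program behaviours described above: a file created in a setgid directory takes the directory's group and a new subdirectory inherits the setgid bit, and a short audit that lists every setuid or setgid program file under a given path, which is the list a reviewer wants when assessing the risk just mentioned. It assumes GNU stat and find (Linux); on AIX read modes with ls -ld (or istat) instead. The sample directory tree it builds is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the AIX documentation). Assumes GNU stat and find
# (Linux); on AIX use "ls -ld" or istat to inspect modes.

# Create a setgid directory, then check that (1) a new file inside it takes
# the directory's group rather than the creator's, and (2) a new subdirectory
# inherits the setgid bit. Prints "ok" when both hold, "mismatch" otherwise.
setgid_inherit_demo() {
    top=$(mktemp -d) || return 1
    chmod g+s "$top"                       # like: chmod g+s /project/shared
    : > "$top/file"
    mkdir "$top/sub"
    dir_gid=$(stat -c '%g' "$top")
    file_gid=$(stat -c '%g' "$top/file")
    sub_bits=$(stat -c '%a' "$top/sub")    # e.g. 2755; 02000 is the setgid bit
    rm -rf "$top"
    if [ "$dir_gid" = "$file_gid" ] && [ $(( 0$sub_bits & 02000 )) -ne 0 ]; then
        echo ok
    else
        echo mismatch
    fi
}

# List setuid or setgid regular files under $1: "mode owner path" per line.
# Run against / (as root) to inventory the programs that run with borrowed
# privileges; anything owned by root in that list deserves scrutiny.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %n' {} \;
}

# Self-check on a constructed tree: one setuid file, one setgid file, one
# plain file. Prints the number of hits (expected 2).
count_suid_sgid_in_sample() {
    t=$(mktemp -d) || return 1
    : > "$t/su";    chmod 4755 "$t/su"     # setuid (bit 04000)
    : > "$t/sg";    chmod 2755 "$t/sg"     # setgid (bit 02000)
    : > "$t/plain"; chmod 755  "$t/plain"  # neither
    n=$(find_suid_sgid "$t" | wc -l | tr -d ' ')
    rm -rf "$t"
    echo "$n"
}

echo "setgid directory inheritance: $(setgid_inherit_demo)"
echo "setuid/setgid files in sample tree: $(count_suid_sgid_in_sample)"
```

On a real system the audit is typically run as find / -type f \( -perm -4000 -o -perm -2000 \) -user root and the output compared against a known-good baseline; a new entry is either an intended install or something to investigate.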