How to Disable Programs From Using Executable Stacks
Become superuser or assume an equivalent role.
Edit the /etc/system file and add the following line:
set noexec_user_stack=1
Reboot the system.
# init 6
How to Disable Executable Stack Message Logging
Become superuser or assume an equivalent role.
Edit the /etc/system file and add the following line:
set noexec_user_stack_log=0
Reboot the system.
# init 6
Using Access Control Lists (ACLs)
Traditional UNIX file protection provides read, write, and execute permissions for the three user classes: file owner, file group, and other. An ACL provides better file security by enabling you to define file permissions for the file owner, file group, other, specific users and groups, and default permissions for each of those categories.
For example, if you wanted everyone in a group to be able to read a file, you would simply give group read permissions on that file. Now, assume you wanted only one person in the group to be able to write to that file. Standard UNIX doesn't provide that level of file security. However, this dilemma is perfect for ACLs.
ACL entries are the way to define an ACL on a file, and they are set through the setfacl command. ACL entries consist of the following fields separated by colons:
entry-type:[uid|gid]:perms |
entry-type | Is the type of ACL entry on which to set file permissions. For example, entry-type can be user (the owner of a file) or mask (the ACL mask). For a listing of ACL entries, see Table 15-8 and Table 15-9. |
uid | Is the user name or user ID (UID). |
gid | Is the group name or group ID (GID). |
perms | Represents the permissions that are set on entry-type. perms can be indicated by the symbolic characters rwx or a number (the same permissions numbers that are used with the chmod command). |
The following example shows an ACL entry that sets read and write permissions for the user nathan.
user:nathan:rw- |
Caution - UFS file system attributes such as ACLs are supported in UFS file systems only. Thus, if you restore or copy files with ACL entries into the /tmp directory, which is usually mounted as a TMPFS file system, the ACL entries will be lost. Use the /var/tmp directory for temporary storage of UFS files.
ACL Entries for Files
The following table lists the valid ACL entries that you might use when setting file ACLs. The first three ACL entries provide the basic UNIX file protection.
Table 15-8 ACL Entries for Files
ACL Entry | Description |
---|---|
u[ser]::perms | File owner permissions. |
g[roup]::perms | File group permissions. |
o[ther]:perms | Permissions for users other than the file owner or members of the file group. |
m[ask]:perms | The ACL mask. The mask entry indicates the maximum permissions that are allowed for users (other than the owner) and for groups. The mask is a quick way to change permissions on all the users and groups. For example, the mask:r-- mask entry indicates that users and groups cannot have more than read permissions, even though they might have write and execute permissions. |
u[ser]:uid:perms | Permissions for a specific user. For uid, you can specify either a user name or a numeric UID. |
g[roup]:gid:perms | Permissions for a specific group. For gid, you can specify either a group name or a numeric GID. |
ACL Entries for Directories
In addition to the ACL entries that are described in Table 15-8, you can set default ACL entries on a directory. Files or directories created in a directory that has default ACL entries will have the same ACL entries as the default ACL entries. Table 15-9 lists the default ACL entries for directories.
When you set default ACL entries for specific users and groups on a directory for the first time, you must also set default ACL entries for the file owner, file group, others, and the ACL mask. These entries are required and are the first four default ACL entries in the following table.
Table 15-9 Default ACL Entries for Directories
Default ACL Entry | Description |
---|---|
d[efault]:u[ser]::perms | Default file owner permissions. |
d[efault]:g[roup]::perms | Default file group permissions. |
d[efault]:o[ther]:perms | Default permissions for users other than the file owner or members of the file group. |
d[efault]:m[ask]:perms | Default ACL mask. |
d[efault]:u[ser]:uid:perms | Default permissions for a specific user. For uid, you can specify either a user name or a numeric UID. |
d[efault]:g[roup]:gid:perms | Default permissions for a specific group. For gid, you can specify either a group name or a numeric GID. |
How to Set an ACL on a File
Set an ACL on a file by using the setfacl command.
$ setfacl -s user::perms,group::perms,other:perms,mask:perms,acl-entry-list filename ...
-s
Sets an ACL on the file. If a file already has an ACL, it is replaced. This option requires at least the file owner, file group, and other entries.
user::perms
Specifies the file owner permissions.
group::perms
Specifies the file group permissions.
other:perms
Specifies the permissions for users other than the file owner or members of the file group.
mask:perms
Specifies the permissions for the ACL mask. The mask indicates the maximum permissions that are allowed for users (other than the owner) and for groups.
acl-entry-list
Specifies the list of one or more ACL entries to set for specific users and groups on the file or directory. You can also set default ACL entries on a directory. Table 15-8 and Table 15-9 show the valid ACL entries.
filename ...
Specifies one or more files or directories on which to set the ACL, separated by a space.
Caution - If an ACL already exists on the file, the -s option will replace the entire ACL with the new ACL.
For more information, see setfacl(1).
Verify that an ACL was set on the file or verify which ACL entries were set on the file.
$ getfacl filename
For more information, see "How to Check If a File Has an ACL".
Examples--Setting an ACL on a File
In the following example, the file owner permissions are set to read and write, file group permissions are set to read only, and other permissions are set to none on the ch1.doc file. In addition, the user george is given read and write permissions on the file, and the ACL mask permissions are set to read and write, which means that no user or group can have execute permissions.
$ setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:george:rw- ch1.doc $ ls -l total 124 -rw-r-----+ 1 nathan sysadmin 34816 Nov 11 14:16 ch1.doc -rw-r--r-- 1 nathan sysadmin 20167 Nov 11 14:16 ch2.doc -rw-r--r-- 1 nathan sysadmin 8192 Nov 11 14:16 notes $ getfacl ch1.doc # file: ch1.doc # owner: nathan # group: sysadmin user::rw- user:george:rw- #effective:rw- group::r-- #effective:r-- mask:rw- other:--- |
In the following example, the file owner permissions are set to read, write, and execute, file group permissions are set to read only, other permissions are set to none, and the ACL mask permissions are set to read on the ch2.doc file. In addition, the user george is given read and write permissions. However, due to the ACL mask, the permissions for george are read only.
$ setfacl -s u::7,g::4,o:0,m:4,u:george:7 ch2.doc $ getfacl ch2.doc # file: ch2.doc # owner: nathan # group: sysadmin user::rwx user:george:rwx #effective:r-- group::r-- #effective:r-- mask:r-- other:--- |