ACL, ACE … Permission… How to handle security? Nowadays, security concerns are increasing in all industry companies and research institutes. We need to control who is accessing the information and when it is accessible. Windows provides a built-in way for accessing information and checking user privileges to know who should be able to access a document/folder or not. Knowing how to manage permission when you are a CERN user is even more important because most of documents you use are stored on DFS folders that are directly dependant on the Windows Access Control system This article will first introduce ACL and related notions. We will then present the way Windows handles security on files/folders and the way to manage them. Then a section will introduce the notion of rights inheritance before evoking the notion of Owner and its function. Finally a few “typical test cases” will be presented. SID, Permission, ACE, ACL: barbarous words To fully understand the permissions concept, some words need clarification. . . . . . 1 ACE SID, Permission Acess Control Entry SID, Permission SID, Permission 1 ACL Acess control List This information can be shown by displaying the file/folder properties (right click on the file) in the Security tab. In that case “Bruno Lenski” is the SID of the user, the permissions are listed below and the couple Bruno Lenski and its permission consist in the ACE. The ACL are the set of ACE for Bruno Lenski and for Administrators SID (Security Identifier): user identity. This is basically the user login or the group name. Permission : integer that represent the access given to the associated SID (read, write, ...) ACE (Access Control Entry): couple (SID, permission). It thus represent the access that is given to a user/group ACL (Access Control List): list of ACE sat on a given file or folder The above view of permission is the condensed way windows displays the permissions on the folder. To display the full list of permissions, one would have to click on the Advanced button in the above picture and get to the screen on the right. These permissions can be modified by clicking on the Edit button. Question to think about before granting permissions? Before setting permissions on a folder, there are few points to be considered: • • • Who will have access? Is that a set of user or a single user? (SID, list of SID) How often do I expect that list of SID to change? (for instance in the case of a newcomer in the group, ...) What are the rights to be granted for each SID? To address the first and second point, on should be aware that, permission are set on file/folder level. Adding a new permission for a single user in a folder is not a trivial task as it implies modifying all ACL. Therefore it is strongly recommended to user Groups to give access to folder to avoid massive ACL modification for each new user. For example, if I want to give access to all persons in IT/IS group to a specific folder I should use the group called “Users IT-IS” to set permissions. Then any newcomer will simply be added to the group and will automatically be given permissions to the set of folders. Existing groups can be displayed via the win services web page: https://winservices.web.cern.ch/winservices/Services/GroupManager/GroupManager.aspx They can also be managed via the e-group application: http:\\e-groups.cern.ch It is also strongly recommended to give access to resource rather than denying access to it. If a user is granted access then he will be able to access a resource. If he is not granting access then he will not be able to access. Denying the access (in a Windows way) is another process that can have side effect (described below) and thus it is strongly recommended not to use that functionality. (See the examples for more in formations) List of possible permissions. There are 13 permissions in Windows whose names are understandable. These permissions are all stated in the table below all together and in parallel with UNIX permissions: Permission Types (Unix) Permission Components Read (R) Traverse Folder / Execute File List Folder / Read Data Read Attributes Read Extended Attributes Create Files / Write Data Create Folders / Append Data Write Attributes Write (W) Execute (X) Delete (D) Write Extended Attributes Delete Subfolders and Files Delete Read Permissions Change Permissions Take Ownership A few notes about this table: • • Delete Subfolders and Files can be applied as an individual permission to folders. There is actually a 14th permission component, called Synchronize. This permission is used to control synchronization of access to file or folder handles for multithreaded applications. Ownership and permission assignment Every file and folder has an owner, which is a user identified as being the one who controls it. By default, the user who creates a file or folder becomes its owner. The significance of ownership is that the owner of a file or folder always has the ability to assign permissions for that object. The owner can decide what permissions should be applied to the object, controlling others' access to the file or folder. The two special permissions that are associated with ownership and permission assignment are "Change Permissions" (P) and "Take Ownership" (O). If a user is granted the "Change Permissions" permission, the user can change the permission settings for the object even if he or she does not own it. If a user has "Take Ownership" permission, the user has the ability to take over ownership of the resource, and of course, once it is owned the user can do anything he or she wants with the permissions. Note that by default, members of the "Administrators" group can always take ownership, or change permissions on, any file or folder. This allows Administrators to fix permission problems if they occur. Thus removing/denying permissions to the Administrator is pointless as these persons can reassign all the rights to themselves if needed Not allowing administrators to access the data does not make it more secure, instead it puts your data at risk. Permission inheritance The notion of inheritance is based on the notion of folder and subfolder. The permission set on a parent folder can be propagated to all the subfolders it contains. An Administrator or user is though inheritance able to manage a hierarchical tree of permissions that matches the hierarchical tree of directories. Since each child inherits permissions from its parent, when you set up a hierarchy of three or more levels of folders, the objects deep within the structure will inherit permissions from their parent, "grandparent", "great grand-parent" and so on. In addition to this powerful dynamic inheritance feature, Windows offers several advanced inheritance control features that give the Administrator more power on how inheritance works: • • Child Protection: The main security properties dialog box for each object contains a check box labelled "Allow inheritable permissions from parent to propagate to this object". If this check box is cleared, it breaks the normal inheritance link between this child and its parent (and higher-level ancestors as well). When this is done, the child will no longer dynamically inherit permissions from higher up in the directory tree. Such a child object is said to be protected from inheritance changes. Forced Propagation: An option called "Reset permissions on all child objects and enable propagation of inheritable permissions" is provided. This works the same way as the "Replace Permissions on Subdirectories" and "Replace Permissions on Existing Files" options from the older Windows NT static permission model. When selected, NTFS will force propagation down to all child objects and remove any permission that were directly assigned to those child objects. This allows Administrators to easily "fix" permission problems in large directory structures. Inheritance is thus a powerful tool even though it brings a disadvantage: performance. Inheritance requires more processing resources to deal with changes to files and folders, and to determine which permissions take over each time access to an object is attempted... Permission resolution Here is the difficult part... How does the system interpret the list of ACL? How permissions are granted... this section might seems a bit technical but few examples afterwards will try to clarify the situation. Here is the algorithm used to check whether one has access or not: 1. 2. 3. 4. "Deny" permissions takes over "allow" permissions. Permissions applied directly to object take over permissions inherited from a parent object. Permissions inherited from near relatives take over permissions inherited from distant predecessors. So permissions inherited from the object's parent folder take precedence over permissions inherited from the object's "grandparent" folder, and so on. Permissions from different user groups that are at the same level (in terms of being directly-set or inherited, and in terms of being "deny" or "allow") are cumulative. So if a user is a member of two groups, one of which has an "allow" permission of "Read" and the other has an "allow" of "Write", the user will have both read and write permission--depending on the other rules above, of course. :^) The system combines these rules into a process that it uses to resolve various permission settings. Since directly-applied permissions take precedence over inherited ones, and "deny" permissions take precedence over "allow" permissions, it first looks for directly-set "deny" permissions, combining them all together for all groups the user is a member off. If it finds sufficient deny permission to refuse access, it is done--the access is refused. Otherwise, it looks at directly-set "allow" permissions. If it finds sufficient permission to allow access, the access is allowed. If not, it continues on; the sequence is as follows: Examples Here is a set of example to explain the system behaviour. Let’s assume I am Bruno lenski part of the IT-IS group. In this example the inheritance of rights are removed from that folder. Case 1: If I create a folder in “My document”, it has the following ACL : • • Bruno lenski has full Control Administrators has full Control In that case Bruno Lenski and administrators of the cenhome12 machine have access to the folder and its content. All other persons from IT-IS have no access. Case 2: I want my colleagues from IT-IS to access this folder with read permission. I thus have to add the “User IT-IS” Group to the list of SID and allow them to have read rights. Note that these “Read” rights for the user are composed of 3 different Windows rights : • List folder /Read Data • Read Attributes • Read Extended Attributes Restraining the right only to “List Folder/Read Attribute” would lead to have “Special permission” ticked instead of “Read”. When a user X wants to access the folder, the group member resolution is done and if he is member of IT-IS group, he is granted the right. As Bruno Lenski is member of IT-IS he gets the rights. Case 3: Let’s assume that I now want to deny access to all persons from IT-IS group on that folder. I could apply a deny permission on the read rights to the IT-IS ACL. This would lead to the following behaviour: If a user X want to access, the system successfully checks: • Is X member of IT-IS, if yes the access is denied. • If not, is X = Bruno Lenski, if yes the access is granted • If not is he in the cernhome12\Administrator Group The problem here is that Bruno Lenski is member of IT/IS group though the first rule gives an access deny. So even if the second rule grants access, the first rule applies and thus Bruno lenski is NOT granted access. Due to this behaviour, we recommend not using deny access. Instead, simply remove the Read access for the “Users IT-IS” group; it will give the same result. Case 4: Starting back from the status in case 2. Let’s assume I want people from TE-MSC to have access in read mode instead of IT-IS. Then I remove the IT-IS entry and add a TEMSC entry with read rights. Thus if a user X tries to read the repository, the system will successively check : • Is X = Bruno Lenski, if yes he has full control • If not, is X member of Users TE-MSC • If not is he in the cernhome12\Administrator Group If all tests fail then the access will not be granted. Case 5: Let’s assume now, that I am creating a folder inside that folder. This folder inherits it the parent folder rights. Thus the security Tab is showing me the permission in grey. To remove this inheritance, one should click on “Advanced” to open the detailed rights window. Then one should click on edit on that newly opened window and untick : The system will then ask if the user want to remove all permissions or copy the current permissions. Let’s assume we remove the permissions. The folder then has no SID and thus nobody has permissions on that folder. Nobody except the owner (person that created this folder) have the permission to change the permissions. Then I can add myself permission on that folder The owner can be displayed by clicking on “Advanced” on the security tab and browse “Owner” tab Note that the machine Administrator can always take ownership and thus give himself rights afterwards for maintenance reasons. I can then add access to myself as having full control on the folder. The problem I face then is that I cannot grant access to Administrators anymore (in our case CERNHOME12\Administrators) thus, the folder will have backup problems. Thus removing all permissions is not good. I should have copied the permissions instead of removing the permissions when I was prompted.
© Copyright 2024