Endpoint Administration Guide for UNIX › Protecting Files and Programs › Restricting Access to Files and Directories

Restricting Access to Files and Directories

CA ControlMinder leaves the UNIX system of permissions intact but adds a layer of enhanced access control to it.

CA ControlMinder intercepts each of the following file access operations and verifies that the user has authorization for the specific operation before returning control to UNIX. The access type is in parentheses.

• File create (create)
• File open for read (read)

  Note: If you want read privileges to control whether users can perform operations that obtain information about the file (such as ls -l), set the STAT_intercept configuration setting to 1. For more information, see the Reference Guide.

• File open for write (write)
• File execute (execute)
• File delete (delete)
• File rename (delete, rename)
• Change permission bits (chmod)
• Change owner (chown)
• Change timestamp—for example, as a result of executing the touch command (utime)
• Edit native ACL—using the acledit command—for systems that support ACLs (sec)
• Change directory (chdir)

CA ControlMinder access checking differs from the native UNIX authorization in the following ways:

• CA ControlMinder bases its authorization checks on the original user ID of the user who logged in, not on the effective user ID (euid). For example, if userA invokes the su command to surrogate to another user, userA still only has access to those files to which userA is permitted. Surrogating to another user does not automatically give the original user access to the target user's files as it does in UNIX.
• CA ControlMinder does not give the superuser (root) automatic access to every file on the system. The superuser is subject to authorization checking like all other users of the system.
• Authorization checking is based on the CA ControlMinder normal and conditional access lists, day and time restrictions, security levels, security categories, and security labels.
• If you do not specifically authorize a user to access a file, CA ControlMinder checks whether that user belongs to any group authorized to access the file.
• Each file access is audited trough the normal CA ControlMinder audit procedures.
• When deleting a file, CA ControlMinder requires the user to have DELETE access authority to the specified file, whereas UNIX requires the user to have WRITE authority for the parent directory.
• To rename a file, the user must have DELETE access authority to the source file and RENAME access authority to the target file. UNIX also requires that they user have WRITE access authority for the parent directory.
• All users are given permanent READ access (as a minimum) to the files /etc/passwd and/etc/group, regardless of the default setting of these files. This prevents the possible hanging of the system.
• The owner of a FILE object in the CA ControlMinder database always has full access to the file protected by the object.
• The chdir access type controls the chdir command specifically, and does not execute, as UNIX does.

The following are the limits of the File Protection System:

• With respect to users who are not members of the special _restricted group, CA ControlMinder protects only those files and directories that:
  • Are defined by their individual names in the database
  • Match a name pattern (for example, /etc/*) that is defined in the database

  For users that belong to the group _restricted, all system files are protected by CA ControlMinder. For files that are not defined in the database, authorization is based on the _default record of the FILE class.

• CA ControlMinder maintains a table of all file names and directory names (including patterns using wildcards) that indicate resources that need protection. The amount of memory available for this table is limited. Normally, the maximum number of files and directories you can define by individual names in the database is 4096, and the maximum number of name patterns is 512.
• Some files receive protection even if no explicit access rules exist for them. These include the CA ControlMinder database files, audit logs, and configuration files.

  Note: For more information, see the FILE class in the Reference Guide.

CA ControlMinder supports the following access types for files.

• ALL
• CHDIR
• CHMOD
• CHOWN
• CONTROL
• CREATE
• DELETE
• EXECUTE
• NONE
• READ
• RENAME
• SEC
• UPDATE
• UTIME
• WRITE

The File Protection System is useful for protecting selected sets of files that contain sensitive data. For example, you can use CA ControlMinder to protect the following files:

• /etc/passwd
• /etc/group
• /etc/hosts
• /etc/shadow

You should use CA ControlMinder to protect databases (access should be granted only to the server daemon) and all other sensitive files at your site.

Some files that always need access control are governed by rules even without you specifying them.