Determining User Access on a Linux Filesystem with „Classic Permissions“

Introduction

Looking at a Linux filesystem, checking if a certain file or directory is accessible for reading, writing or executing by certain users or groups poses interesting challenges.

Let the basic and seemingly simple question be: „Given a user X and a file Y, can it be determined whether X has access to Y, and if so, how?“ A simple answer would be: „Let X try to access Y; if that does not work, X does not have that kind of access.“ However, this may not be feasible: the users, files and directories in question may not exist yet. More generally, access by users to files and directories should be predictable; appropriate access restrictions should be put in place in advance, not after possibly sensitive information has already been exposed. Also, certain types of access, such as deleting a file or directory, cannot be simulated in a safe manner.

Moreover, a test procedure that just involves „trying to access the file“ may be incomplete: the fact that the particular way in which the test procedure attempted access did not succeed does not mean that there is no way at all by which the user in question can access the file.

This article investigates Linux filesystems that implement the semantics of „classic UNIX permissions“ in an effort to find more exhaustive methods of determining access.
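As an added illustration of what „predicting“ classic UNIX access means (this is example code, not part of the article, and the inode and user values are constructed), the following evaluates the permission bits the way the kernel does: exactly one class of bits applies, root bypasses read/write but not execute on a file without any x bit, and deletion is decided by the parent directory, including its sticky bit.

```python
import stat
from dataclasses import dataclass, field

@dataclass
class Inode:
    """Constructed stand-in for the stat(2) fields the classic check uses."""
    uid: int
    gid: int
    mode: int  # full st_mode, file-type bits included

@dataclass
class Subject:
    uid: int
    gid: int
    groups: set = field(default_factory=set)  # supplementary groups

def class_bits(subj, ino):
    """Exactly one class applies: owner if the uid matches, else group, else other.
    An owner with mode 0o044 therefore cannot read even though 'other' can."""
    if subj.uid == ino.uid:
        return (ino.mode >> 6) & 7
    if ino.gid == subj.gid or ino.gid in subj.groups:
        return (ino.mode >> 3) & 7
    return ino.mode & 7

def may(subj, ino, want):
    """want is a subset of 'rwx'; root (CAP_DAC_OVERRIDE) bypasses r/w, and x only on dirs or files with an x bit."""
    bits = class_bits(subj, ino)
    for c in want:
        if bits & {"r": 4, "w": 2, "x": 1}[c]:
            continue
        if subj.uid == 0 and (c != "x" or stat.S_ISDIR(ino.mode) or ino.mode & 0o111):
            continue
        return False
    return True

def may_unlink(subj, parent, child):
    """Deleting needs write+execute on the parent directory, never on the file itself;
    with the sticky bit set, the caller must also own the file or the directory (root excepted)."""
    if not may(subj, parent, "wx"):
        return False
    if parent.mode & stat.S_ISVTX and subj.uid != 0:
        return subj.uid in (child.uid, parent.uid)
    return True

# Constructed sample: a 0640 file owned by uid 1000 / gid 100 inside a sticky /tmp-like directory
REPORT = Inode(uid=1000, gid=100, mode=stat.S_IFREG | 0o640)
TMPDIR = Inode(uid=0, gid=0, mode=stat.S_IFDIR | 0o1777)
OWNER, GROUPMATE, STRANGER = Subject(1000, 1000), Subject(1001, 1001, {100}), Subject(1002, 1002)
```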

The Backport of Bugfix #4864 to Squid Version 4

With SSL bumping enabled, an unpatched version of Squid can crash with this error message:

!Comm::MonitorsRead assertion in HttpStateData::maybeReadVirginBody()

This bug is fixed in Squid version 5, which was a sponsored effort by the developers of Squid. An effort to get a bugfix into v4 can be followed here.

There also is an unofficial backport of the v5 patch announced by Alex Rousskov here and attached here. It apparently fixes the crash (all my reproducible test cases were resolved by this patch, and I am not aware of side effects). Some Linux distributions apply this patch to their packaged versions of Squid version 4, but unfortunately it is not included in Debian GNU/Linux 10 „buster“, which is the current stable release.

Until then, the following describes a simple way of creating a locally patched version of the squid package:

apt -y install build-essential devscripts quilt
apt-get -y build-dep squid
mkdir -p /usr/src/packages
cd /usr/src/packages
apt-get source squid
cd squid-4.6
# -k skips certificate verification for bugs.squid-cache.org; drop it if the CA is trusted on this host
curl -k https://bugs.squid-cache.org/attachment.cgi?id=3739 -o /tmp/4846.diff
# Register the patch with quilt so it is applied during the build
quilt import /tmp/4846.diff
rm /tmp/4846.diff
# Add a changelog entry carrying a local version suffix instead of an NMU version
debchange --local "~patch" --no-auto-nmu \
"Applied long term fix v4 take 2 for Squid bug 4864"
# Check debian/changelog
debuild
cd ..
ls squid*deb

This produces Debian packages of squid that can be installed with dpkg. The package version will carry the local suffix „~patch1“; change the value of debchange's --local option to control the suffix. During the above procedure, check debian/changelog where indicated to see whether the result meets your requirements.

Taking an Online Backup of a SAMBA-4 ActiveDirectory

Notes:

  • The following procedure is available starting with SAMBA version 4.9.
  • The procedure can be performed on a host that is unrelated to the domain, but one domain controller must be reachable, must be used as the nameserver at the time of the backup, and must have open ports for DNS (53/tcp and udp), SSH (22/tcp), LDAP (389/tcp), Kerberos (88/tcp and udp) and SMB (445/tcp).

1. On the machine that will be used to perform the backup, if not already present, install SAMBA.

apt -y install samba

2. Get the current smb.conf from the DC you want to query:

scp dc01.ad.example.com:/etc/samba/smb.conf ./smb.conf.dc01

3. Create a backup output directory:

mkdir samba-domain-backup

4. Ensure that /etc/resolv.conf contains the IP address of dc01 as the nameserver.

5. Perform the backup:

samba-tool domain backup online \
    --server=dc01.ad.example.com \
    --configfile=smb.conf.dc01 \
    --realm=AD.EXAMPLE.COM \
    --username=administrator@AD.EXAMPLE.COM \
    --targetdir=samba-domain-backup
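A preflight check for the prerequisites above (the resolver requirement of step 4 and the TCP ports listed in the notes), added here as example code that is not part of the original post; the address 192.0.2.10 and the sample resolv.conf are constructed, and UDP ports are not probed because a plain connect cannot verify them.

```python
import socket

# TCP services the notes above require on the DC (53/udp and 88/udp are not probed here).
DC_TCP_PORTS = {"ssh": 22, "dns": 53, "kerberos": 88, "ldap": 389, "smb": 445}

def nameservers(resolv_conf_text):
    """Nameserver addresses from resolv.conf text, in order, with comments stripped."""
    found = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def dc_is_first_nameserver(resolv_conf_text, dc_ip):
    """The resolver queries nameservers in listed order, so the DC should be the first entry,
    not merely present somewhere in the list."""
    ns = nameservers(resolv_conf_text)
    return bool(ns) and ns[0] == dc_ip

def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def unreachable_services(host, ports=DC_TCP_PORTS):
    """Names of required services whose TCP port did not accept a connection."""
    return [name for name, port in sorted(ports.items(), key=lambda kv: kv[1])
            if not tcp_port_open(host, port)]

# Constructed sample resolv.conf: the DC is listed, but only after another resolver.
SAMPLE_RESOLV_CONF = """# constructed for this example
search ad.example.com
nameserver 192.0.2.1   ; some other resolver
nameserver 192.0.2.10  # dc01
"""

if __name__ == "__main__":
    import sys
    dc_ip = "192.0.2.10"  # placeholder address for dc01.ad.example.com
    with open("/etc/resolv.conf") as fh:
        ok_dns = dc_is_first_nameserver(fh.read(), dc_ip)
    missing = unreachable_services(dc_ip)
    print("resolver points at dc01 first:", ok_dns, "| unreachable:", missing or "none")
    sys.exit(0 if ok_dns and not missing else 1)
```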

New Photo Gallery (with Old Photos)

I have dumped all photos from my old gallery into PhotoShow.

To the new gallery

Re-Enable TLS 1.0 for OpenSSL-based Clients on Debian Buster

OpenSSL as shipped with Debian 10 „Buster“ disables TLS protocol versions below 1.2. The web browsers Chromium and Firefox ship with their own embedded TLS implementation and are not affected (they will issue warnings about legacy websites), but the change can cause problems with curl, Squid and other clients that are linked against OpenSSL.

To re-enable TLS version 1.0 for OpenSSL, change /etc/ssl/openssl.cnf as follows:

[system_default_sect]
...
# MinProtocol = TLSv1.2
MinProtocol = TLSv1.0
...

It might be preferable not to change the system-wide setting. Programs linked against OpenSSL honour the environment variable OPENSSL_CONF, which can point to a dedicated config file (setuid and setgid executables ignore it):

OPENSSL_CONF=/etc/ssl/openssl.curl.cnf \
    curl https://example.com/legacy-url

AD-Precreation using ktutil, kinit and adcli

Using computer object precreation you can enable machines to join an Active Directory domain with knowledge of just one dedicated one-time password. Combined with delegation, you can offload the management of computer objects to an otherwise unprivileged AD user.

Read more … »

Hopefully the Most Annoying Cookie Banner of All.

I have once again enabled the most annoying cookie banner of all, in the hope that this way I may continue to host my website myself and am not forced to move to a hoster with a sufficient legal department.

Drawing a Yellow Rectangle on Android

As an addendum to my previous article, there is now also an Android app „YellowRectangle“ that draws a yellow rectangle and terminates on the first touch event. It runs on Android version 4.0.3 (Ice Cream Sandwich MR1) and later. It is written in Java and C++ and uses the Allegro game development library (http://liballeg.org/).

YellowRectangle running on Android 7.0 in the Genymotion emulator.

Read more … »