Security Groups and File Permissions for Log Files (Solaris and Linux)
When you run RADIUS on a Solaris or Linux server, you can specify which users are authorized to read or edit important files, such as authentication and accounting log files. For example, you can specify that system administrators who install and configure RADIUS have read/write access for system log files and that network operators who monitor RADIUS have read-only (or no) access for system log files.
Each file and directory on a Solaris or Linux server has three security groups associated with it:
• The Owner—identifies the person who created or owns the file.
• The Group—identifies the set of users who are members of the group or groups to which the file Owner belongs. Group members can exercise special privileges with respect to that file. A user can belong to more than one group.
• The Other—consists of the set of all users who do not belong to Owner or Group.
Each security group has three flags that control what privileges that group can exercise with respect to the file or directory:
• Read (r)—determines whether the file can be read. The Read flag has an octal value of 4.
• Write (w)—determines whether the security group can create, modify, or delete the file. The Write flag has an octal value of 2.
• Execute (x)—determines whether the security group can run a script or executable file. The Execute flag has an octal value of 1.
For example, a file owner might have rwx permission for a file, which indicates that the file owner has read/write/execute access to the file. Similarly, Other might have r-- permission (where - indicates no permission), which means that the user can read but not edit or execute the file.
You can add the octal values for permission flags to generate a numeric representation of the file permissions for Owner, Group, and Other:
• 1 = execute only
• 2 = write only
• 3 = write and execute (1+2)
• 4 = read only
• 5 = read and execute (4+1)
• 6 = read and write (4+2)
• 7 = read and write and execute (4+2+1)
The security permissions exercised by Owner/Group/Other are typically expressed as a string or a three-digit number. The following table provides examples of different file permissions.
Permission     Octal value   What It Means
-rwxrwxrwx     777           Read, write, and executable for Owner/Group/Other
-rw-rw-r--     664           Read and write for Owner/Group; read access for Other
-rw-rw----     660           Read and write for Owner/Group; no access for Other
-rwx------     700           Read, write, and executable for Owner only
-rw-rw-rw-     666           Read and write for Owner, Group, and all others
The UNIX chown command allows you to change the Owner or Group (or both) associated with a file or directory. The UNIX chmod command allows you to change the permissions of files and directories.
Using the User File Creation Mode Mask
The user file-creation mode mask (umask) determines the default file system mode for newly created files of the current process. Solaris and Linux hosts typically have a hierarchy of umask values: a server-level umask value, which can be overridden by a user-, shell-, or application-level umask value. The result is an ambient umask value, which determines what file permissions are used when files are created by any given process.
The umask value is a three-digit octal number. The first digit sets the mask for Owner, the second for Group, and the third for Other. The umask value identifies the permissions that are withheld when a file is created: the umask value is subtracted from the full access mode value (777) to determine the access permissions for a new file (in practice, each permission bit that is set in the umask is cleared). For example, if the umask value for a process is set to 022, the write permission for Group and Other is withheld from the full access mode value (777), resulting in a file permission of 755 (rwxr-xr-x). Similarly, if a umask value of 177 is configured for a process (explicitly or by virtue of the ambient umask), files created by the process have a file permission of 600 (rw-------). The following table summarizes the result of using different octal numbers in a umask value.
Octal Number   Access Permission Resulting From umask Value
0              rwx   Read, Write, Execute
1              rw-   Read, Write
2              r-x   Read, Execute only
3              r--   Read only
4              -wx   Write, Execute only
5              -w-   Write only
6              --x   Execute only
7              ---   No permissions
The umask value affects a file’s access permissions only when the file is created. If you change the umask value, access permissions for existing files are not affected.
You can, however, use the chown and chmod commands to change a file’s ownership and access permissions after the file has been created.
Implementing Default File Permissions in RSA RADIUS
The RADIUSMASK parameter in the sbrd.conf file specifies the application-level umask value used to establish access permissions for all files created by RSA RADIUS. For information on configuring the sbrd.conf file, see the RADIUS Reference Guide.
If you do not specify a value for the RADIUSMASK parameter, RADIUS uses the ambient umask value established by the server-, user-, or shell-level umask value to determine the access permissions for files it creates.
Some log files have explicit controls that allow you to override the umask value established by the RADIUSMASK parameter or the ambient umask value. For more information, see the following section, “Implementing Override File Permissions in RSA RADIUS.”
As previously noted, the umask value affects a file’s access permissions only when the file is created. If you change the RADIUSMASK setting, new files created by RADIUS are assigned the access permissions specified by the new setting. This includes files that roll over periodically: the existing file retains the access permissions it received when it was created, and the new file is assigned the access permissions specified by the new RADIUSMASK value.
Note: The execute permission for files created by RADIUS is always set to None for Owner, Group, and Other. Thus, a umask digit of 0 (no restrictions) is equivalent to a umask digit of 1 (read/write permission) for files created by RADIUS.
Implementing Override File Permissions in RSA RADIUS
To override file permissions established by the RSA RADIUS RADIUSMASK or the ambient umask for specific log files, you must modify the LogFilePermissions parameter in the applicable initialization (.ini) file.
The following table identifies the configuration files you must modify to configure non-default file permissions for RADIUS log files.
The syntax for the LogFilePermissions parameter is:
LogfilePermissions = owner:group mode
• Specify the owner and group settings by entering character strings or decimal integers, as used for arguments to the UNIX chown(1) command. For example, ralphw:proj, ralphw:120, or 1007:120.
• Specify the mode setting as a character string or an octal integer. When permissions are specified as a character string, they follow the format that is used by the UNIX ls(1) command; for example, rw-rw-rw-. When permissions are specified as an octal integer, they follow the format used for arguments to the UNIX chmod(1) command; for example, 666.
Note: You can specify only read/write permissions for a RADIUS file. You cannot specify execute permissions for RADIUS files.
The value of each LogFilePermissions parameter is read when the RSA RADIUS server is started or restarted.
• If you enter a valid value for a LogfilePermissions parameter, the ownership and permissions of the controlled log file are set as specified whenever the file is opened or created.
• If you do not enter a value for a LogfilePermissions parameter, the ownership and permissions of the controlled file are not changed. The controlled file is created using the ownership of the account that is executing the server and the permissions that are derived from the default RADIUSMASK value or from the ambient umask setting. If the file already exists, new information is appended without changing the existing ownership and permissions of the controlled file.
• If you enter an invalid value for a LogfilePermissions setting, the ownership of the controlled log file defaults to the effective user and group ID of the server process (normally root:other on Solaris and root:root on Linux), and the permissions for the controlled file default to 0600 (-rw-------). This ensures that the affected log file can always be opened without any escalation of file access privileges. Messages similar to the following are logged whenever an explicit file access control is misconfigured:
Invalid LogfilePermissions specified in radius.ini [Configuration]: -rwx---
Server log file permissions defaulted to 0:0 0600
Controlled Files                                        Configuration File
Server Diagnostics log (RADIUS log)                     radius.ini
Accounting Library logs and header check-point logs     account.ini
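The following Python script is an added example, not RSA RADIUS code and not part of the guide. It carries through the umask arithmetic from “Using the User File Creation Mode Mask” (including the Note that a umask digit of 0 and 1 give the same result for RADIUS files, because execute is never granted) and parses a LogFilePermissions value as the syntax above describes: owner:group as names or decimal ids, mode as an ls(1)-style string or chmod(1)-style octal integer, execute bits rejected, and the 0:0 0600 fallback on an invalid value. The function names and the wording of the diagnostic message are this example’s own assumptions; the sample values are constructed.

```python
"""Added example (not RSA RADIUS code): umask arithmetic and a parser for the
LogFilePermissions value 'owner:group mode'.  Function names and the wording
of the diagnostic message are assumptions made here; the rules themselves
(names or decimal ids for owner and group, ls(1)-style or octal mode, no
execute bits, 0:0 0600 fallback on an invalid value) follow the guide."""
import re

FULL_DIR_MODE = 0o777    # the "full access mode value" the guide subtracts the umask from
FULL_FILE_MODE = 0o666   # RADIUS never grants execute on the files it creates
DEFAULT_OWNER_GROUP = (0, 0)   # fallback ownership on an invalid value (0:0)
DEFAULT_MODE = 0o600           # fallback permissions on an invalid value


def mode_from_umask(umask: int, full: int = FULL_DIR_MODE) -> int:
    """Permission bits left after the umask is applied at file-creation time.
    "Subtracting" the umask is really clearing every bit that is set in it."""
    return full & ~umask & 0o777


def mode_to_string(mode: int) -> str:
    """Render permission bits the way ls(1) does, e.g. 0o640 -> 'rw-r-----'."""
    return "".join(
        flag if mode & (1 << (8 - i)) else "-"
        for i, flag in enumerate("rwxrwxrwx")
    )


def mode_from_string(text: str) -> int:
    """Parse an ls(1)-style string such as 'rw-rw-r--'.  A leading file-type
    character, as in '-rw-rw-r--', is tolerated."""
    bits = text[1:] if len(text) == 10 else text
    if not re.fullmatch(r"[r-][w-][x-][r-][w-][x-][r-][w-][x-]", bits):
        raise ValueError(f"not an ls-style permission string: {text!r}")
    return sum(1 << (8 - i) for i, ch in enumerate(bits) if ch != "-")


def _owner_or_group(token: str):
    """chown(1) accepts either a name or a decimal id on each side of the colon."""
    if re.fullmatch(r"\d+", token):
        return int(token)
    if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.-]*", token):
        return token
    raise ValueError(f"bad owner or group: {token!r}")


def parse_log_file_permissions(value: str):
    """Parse 'owner:group mode' into ((owner, group), mode_bits).
    Raises ValueError on anything the documented syntax does not allow."""
    parts = value.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'owner:group mode', got {value!r}")
    owner, sep, group = parts[0].partition(":")
    if not sep or not owner or not group:
        raise ValueError(f"owner:group expected, got {parts[0]!r}")
    og = (_owner_or_group(owner), _owner_or_group(group))
    mode_text = parts[1]
    if re.fullmatch(r"[0-7]{3,4}", mode_text):   # chmod(1)-style octal integer
        mode = int(mode_text, 8) & 0o777
    else:                                         # ls(1)-style string
        mode = mode_from_string(mode_text)
    if mode & 0o111:
        # Only read/write may be specified for RADIUS files.
        raise ValueError("execute permission cannot be set on RADIUS log files")
    return og, mode


def effective_permissions(value, ambient_mode: int):
    """The three outcomes listed for a LogFilePermissions parameter at startup:
      no value      -> ownership untouched (None), mode from RADIUSMASK/umask
      valid value   -> ownership and mode as specified
      invalid value -> 0:0 0600 plus a diagnostic message
    Returns (owner_group, mode, message)."""
    if value is None or not value.strip():
        return None, ambient_mode, None
    try:
        og, mode = parse_log_file_permissions(value)
        return og, mode, None
    except ValueError as exc:
        msg = (f"Invalid LogfilePermissions specified: {value.strip()!r} ({exc}); "
               f"log file permissions defaulted to 0:0 {DEFAULT_MODE:04o}")
        return DEFAULT_OWNER_GROUP, DEFAULT_MODE, msg


if __name__ == "__main__":
    # The guide's own umask examples (022 -> 755, 177 -> 600).
    for umask in (0o022, 0o177):
        mode = mode_from_umask(umask)
        print(f"umask {umask:03o}: {mode:03o} {mode_to_string(mode)}")
    # For RADIUS files a umask digit of 0 and of 1 are equivalent (no execute).
    assert mode_from_umask(0o000, FULL_FILE_MODE) == mode_from_umask(0o111, FULL_FILE_MODE)
    # Constructed LogFilePermissions values: two valid, one invalid (sets execute).
    ambient = mode_from_umask(0o022, FULL_FILE_MODE)
    for value in ("ralphw:proj 666", "1007:120 rw-rw-r--", "root:other -rwx------"):
        og, mode, msg = effective_permissions(value, ambient)
        print(f"{value!r:28} -> {og} {mode:04o} {mode_to_string(mode)}  {msg or ''}")
```

Run it directly to see the umask results and the three LogFilePermissions outcomes side by side; validating a value before applying it is the point of the exercise, since the server itself falls back to 0:0 0600 and a logged message rather than refusing to start.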