% author      Christian Urban <christian dot urban at kcl dot ac dot uk>
% date        Wed, 22 Oct 2014 23:38:02 +0100
% changeset   257 9bc912fcedb6
% parent      252 fa151c0a3cf4
% child       260 42bf66f0a903
% permissions -rw-r--r--
\documentclass{article}
\usepackage{../style}
\usepackage{../langs}

\usetikzlibrary{patterns,decorations.pathreplacing}

\begin{document}

\section*{Handout 4 (Access Control)}

Access control is essentially about deciding whether to grant
access to a resource or deny it. Sounds easy. No? Well, it
turns out that things are not as simple as they seem at first
glance. Let us first look, as a case study, at how access
control is organised in Unix-like systems (Windows systems
have similar access controls, although the details might be
quite different).


\subsubsection*{Unix-Style Access Control}

Following the Unix philosophy that everything is considered a
file, even memory, ports and so on, access control in Unix is
organised around 11 bits that specify how a file can be
accessed. These bits are sometimes called the \emph{permission
attributes} of a file. There are typically three modes of
access: \underline{\textbf{r}}ead, \underline{\textbf{w}}rite
and e\underline{\textbf{x}}ecute. Moreover, there are three
user groups to which the modes apply: the owner of the file,
the group the file is associated with, and everybody else. This
relatively fine granularity seems to cover many useful
scenarios of access control. A typical example of some files
with permission attributes is as follows:

{\small\lstinputlisting[language={}]{../slides/lst}}

\noindent The leading \pcode{d} in Lines 2 and 6 indicates that
the file is a directory, whereby in the Unix tradition the
\pcode{.} points to the directory itself. The \pcode{..}
points at the directory ``above'', the parent directory. The
second to fourth letters specify how the owner of the file can
access the file. For example, Line 3 states that \pcode{ping}
can read and write \pcode{manual.txt}, but cannot execute it.
The next three letters specify how the members of the file's
group can access the file. In Line 4, for example, all students
can read and write the file \pcode{report.txt}. Finally, the
last three letters specify how everybody else can access a
file. This should all be relatively familiar and
straightforward. No?

There are already some special rules for directories and
links. If the execute attribute of a directory is \emph{not}
set, then one cannot change into the directory and one cannot
access any file inside it. If the write attribute is
\emph{not} set, then one can change existing files (provided
they are changeable), but one cannot create new files. If the
read attribute is \emph{not} set, one cannot search inside the
directory (\pcode{ls -la} does not work), but one can access an
existing file, provided one knows its name. Links to files
never depend on the permissions of the link, but on those of
the file they point to. Otherwise one could easily change the
access rights of a file simply by linking to it.

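\noindent The permission checks described above can be written down as a small model. The following is an added example for this handout, not code from the handout or its slides; the users, groups and files in it are constructed (they are not the listing referenced in Lines 2--6), and the choice of Python is the example's own. It parses the mode column printed by \pcode{ls -l}, picks the single triple that applies to a user, lets root bypass the bits, and applies the directory rules for entering, listing and creating files.

```python
"""Unix-style permission bits as a small runnable model (added example,
not the handout's own code; all users and files below are constructed)."""
from dataclasses import dataclass

ROOT_UID = 0


@dataclass(frozen=True)
class Mode:
    is_dir: bool
    owner: str    # three characters from "rwx-", e.g. "rw-"
    group: str
    other: str
    setuid: bool
    setgid: bool


def _normalise(triple: str) -> str:
    """Map the execute slot back to 'x' or '-' ('s' and 't' imply x is set)."""
    return triple[:2] + ("x" if triple[2] in "xst" else "-")


def parse_mode(text: str) -> Mode:
    """Parse the 10-character mode column of ls -l, e.g. 'drwxr-xr-x' or '-rwsr-xr-x'."""
    if len(text) != 10:
        raise ValueError(f"expected 10 characters, got {text!r}")
    owner, group, other = text[1:4], text[4:7], text[7:10]
    return Mode(
        is_dir=text[0] == "d",
        owner=_normalise(owner), group=_normalise(group), other=_normalise(other),
        setuid=owner[2] in "sS",   # 's' replaces the owner's 'x' when setuid is set
        setgid=group[2] in "sS",   # likewise in the group triple for setgid
    )


@dataclass(frozen=True)
class File:
    name: str
    mode: Mode
    owner: str
    group: str


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    groups: frozenset


def applicable_triple(user: User, f: File) -> str:
    """Exactly one triple is consulted: owner first, then group, then everybody else."""
    if user.name == f.owner:
        return f.mode.owner
    if f.group in user.groups:
        return f.mode.group
    return f.mode.other


def may(user: User, f: File, access: str) -> bool:
    """Decide whether user may 'r', 'w' or 'x' the file f."""
    if access not in ("r", "w", "x"):
        raise ValueError(access)
    if user.uid == ROOT_UID:
        return True                          # root is not subject to the mode bits
    return access in applicable_triple(user, f)


# Directory rules from the handout: without x one cannot enter the directory or
# reach the files inside it; without r one cannot list it (ls -la fails), but a
# file whose name one knows can still be opened; without w nothing can be created.
def may_enter(user: User, d: File) -> bool:
    return d.mode.is_dir and may(user, d, "x")

def may_list(user: User, d: File) -> bool:
    return d.mode.is_dir and may(user, d, "r")

def may_create_in(user: User, d: File) -> bool:
    return may_enter(user, d) and may(user, d, "w")

def may_open_in(user: User, d: File, f: File, access: str) -> bool:
    """The file's own bits decide, but only once the directory can be traversed."""
    return may_enter(user, d) and may(user, f, access)


# Constructed sample (not the listing from the handout's slides).
USERS = {
    "ping": User("ping", 1001, frozenset({"students"})),
    "bob":  User("bob", 1002, frozenset({"students"})),
    "eve":  User("eve", 1003, frozenset()),
    "root": User("root", ROOT_UID, frozenset({"wheel"})),
}
FILES = {
    "manual.txt": File("manual.txt", parse_mode("-rw-r--r--"), "ping", "students"),
    "report.txt": File("report.txt", parse_mode("-rw-rw----"), "ping", "students"),
    "notes.txt":  File("notes.txt",  parse_mode("-r--rw----"), "ping", "students"),
    "microedit":  File("microedit",  parse_mode("-rwsr-xr-x"), "root", "wheel"),
    "docs":       File("docs",       parse_mode("drwx--x---"), "ping", "students"),
}
```

\noindent Two details of the model are worth noticing. Only one triple is ever consulted, so the owner of \pcode{notes.txt} cannot write it even though the group triple would allow it. And for the directory \pcode{docs}, whose group triple is \pcode{--x}, a student can open \pcode{report.txt} by name but cannot list the directory or create anything in it, which is exactly the behaviour the paragraph above describes.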
While the above might already sound moderately complicated,
the real complications with Unix-style file permissions
involve the setuid and setgid attributes. For example, the file
\pcode{microedit} in Line 5 has the setuid attribute set
(indicated by the \pcode{s} in place of the usual \pcode{x}).
The purpose of setuid and setgid is to solve the following
puzzle: the program \pcode{passwd} allows users to change
their passwords. Therefore \pcode{passwd} needs to have write
access to the file \pcode{/etc/passwd}. But this file cannot
be writable for every user, otherwise anyone could set anyone
else's password. So changing passwords securely cannot be
achieved with the simple Unix access rights discussed so far.
While this situation might look like an anomaly, it is in fact
a frequently occurring problem. For example, looking at the
currently active processes with \pcode{/bin/ps} requires access
to internal data structures of the operating system, which only
root should be allowed to read. In fact, none of the following
actions can be configured for single users; they all need
privileged root access:

\begin{itemize}
\item changing system databases (users, groups, routing tables
and so on)
\item opening a network port below 1024
\item interacting with peripheral hardware, such as printers,
hard disks and so on
\item overriding operating system facilities, like
process scheduling and memory management
\end{itemize}

\noindent This will typically involve quite a lot of programs
on a Unix system. I counted 90 programs with the setuid
attribute set on my bog-standard Mac OSX system (including the
program \pcode{/usr/bin/login}, for example). The problem is
that if there is a security problem with only one of them, be
it a buffer overflow for example, then malicious users can
gain root access (and for outside attackers it is much easier
to take over a system). Unfortunately, it is rather easy to
cause a security problem, since the handling of elevating and
dropping access rights in such programs rests entirely with
the programmer.

The fundamental idea behind the setuid attribute is that a
file will be able to run not with the caller's access rights,
but with the rights of the owner of the file. So
\pcode{/usr/bin/login} will always be running with root access
rights, no matter who invokes this program. The problem is
that this entails rather complicated semantics of what the
identity of a process (that runs the program) is. One would
hope there is only one such ID, but in fact Unix distinguishes
three(!):

\begin{itemize}
\item \emph{real identity}\\
This is the ID of the user who creates
the process; it can only be changed to something else by root.
\item \emph{effective identity}\\
This is the ID that is used to
grant or deny access to a resource; it can be changed to either
the real identity or the saved identity by users, and can be
changed to anything by root.
\item \emph{saved identity}\\
If the setuid bit is set in a file, then the process is started
with the real identity of the user who started the program,
and the identity of the owner of the program as effective and
saved identity. If the setuid bit is not set, then the
saved identity will be the real identity.
\end{itemize}

\noindent As an example consider again the \pcode{passwd}
program. When started by, say, the user \pcode{foo}, it has at
the beginning the identities:

\begin{itemize}
\item \emph{real identity}: \pcode{foo}\\
\emph{effective identity}: \pcode{foo}\\
\emph{saved identity}: \pcode{root}
\end{itemize}

\noindent It is then allowed to change the effective
identity to the saved identity to have

\begin{itemize}
\item \emph{real identity}: \pcode{foo}\\
\emph{effective identity}: \pcode{root}\\
\emph{saved identity}: \pcode{root}
\end{itemize}

\noindent It can now read and write the file
\pcode{/etc/passwd}. After finishing the job it is supposed to
drop the effective identity back to \pcode{foo}. This is the
responsibility of the programmers who wrote \pcode{passwd}.
Notice that the effective identity is not automatically
elevated to \pcode{root}, but the program itself must make
this change. After it has done the work, the effective
identity should go back to the real identity.


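\noindent The identity changes in the \pcode{passwd} example, together with the rules for changing the effective identity from the list above, can be simulated. The following is an added example, not part of the handout. The start state is the one given above for \pcode{passwd} started by \pcode{foo}; the file \pcode{/etc/passwd} is modelled with constructed owner and permission bits (the group triple is left out); and treating a process whose \emph{effective} identity is \pcode{root} as ``root'' for the purpose of the rules is this example's assumption. Besides the raise-and-drop sequence, it checks the failure the text warns about: a program that forgets to drop finishes with an effective identity of \pcode{root}, and, because the saved identity stays \pcode{root}, even a program that did drop may elevate again under these rules.

```python
"""Real, effective and saved identity of a process, as in the handout.

Added example, not the handout's own code.  The effective identity is
the one consulted on access.  Changing it follows the rules listed above:
an unprivileged process may switch it to its real or its saved identity;
a process running as root may switch it to anything.  Which process
counts as "root" is this example's assumption: effective identity root.
"""
from dataclasses import dataclass, replace
from typing import List

ROOT = "root"


class NotPermitted(Exception):
    """Raised when a change of identity is not allowed by the rules."""


@dataclass(frozen=True)
class Process:
    real: str
    effective: str
    saved: str


@dataclass(frozen=True)
class File:
    owner: str
    owner_bits: str   # e.g. "rw-" (the group triple is left out here)
    other_bits: str   # e.g. "r--"


# Constructed model of /etc/passwd: writable by its owner root only.
ETC_PASSWD = File(owner=ROOT, owner_bits="rw-", other_bits="r--")


def set_effective(p: Process, new: str) -> Process:
    """Change the effective identity, or raise if the rules forbid it."""
    if p.effective == ROOT or new in (p.real, p.saved):
        return replace(p, effective=new)
    raise NotPermitted(f"effective {p.effective!r} may not become {new!r}")


def may_write(p: Process, f: File) -> bool:
    """Access is decided on the effective identity alone."""
    if p.effective == ROOT:
        return True
    bits = f.owner_bits if p.effective == f.owner else f.other_bits
    return "w" in bits


def run_passwd(start: Process, drop_afterwards: bool = True) -> List[Process]:
    """The identity states a setuid passwd passes through: raise, write, drop.

    Returns every state so that the caller can inspect the final one.
    """
    states = [start]
    p = set_effective(start, start.saved)       # elevate to the saved identity
    states.append(p)
    if not may_write(p, ETC_PASSWD):
        raise NotPermitted("cannot update /etc/passwd")
    # ... the new password would be written here ...
    if drop_afterwards:
        p = set_effective(p, p.real)            # back to the caller's identity
        states.append(p)
    return states


def leaks_privilege(states: List[Process]) -> bool:
    """True if the program ended with an effective identity other than its real one."""
    final = states[-1]
    return final.effective != final.real


def can_regain_root(p: Process) -> bool:
    """Whether the rules still allow this process to become root again."""
    try:
        return set_effective(p, ROOT).effective == ROOT
    except NotPermitted:
        return False


# Start state for passwd run by foo, as given in the handout.
PASSWD_STARTED_BY_FOO = Process(real="foo", effective="foo", saved=ROOT)
```

\noindent \pcode{run_passwd} produces exactly the three states listed above: \pcode{(foo, foo, root)}, then \pcode{(foo, root, root)} while \pcode{/etc/passwd} is written, then \pcode{(foo, foo, root)} again. The two checks at the end make the handout's warning concrete: nothing in the rules forces the drop, and after the drop the saved identity still permits a return to \pcode{root}.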
Despite these complicated semantics, Unix-style access control
is of no use in a number of situations. For example, it cannot
be used to exclude some subset of people but otherwise have
files readable by everybody else (say you want to restrict
access to a file such that your office mates cannot access
it). You could try setting the group of the file to this
subset and then restrict access accordingly. But this does not
help, because users can drop membership in groups. If one
needs such fine-grained control over who can access a file,
one needs the more powerful \emph{mandatory access controls}
described next.


\subsubsection*{Secrecy and Integrity}

Often you need to keep information secret within a system or
organisation, or secret from the ``outside world''. An example
would be to keep information secret such that insiders cannot
leak it to competitors. A very good instance of such
an access control system is the secrecy levels used in the
military. There one distinguishes four secrecy levels:

\begin{itemize}
\item top secret
\item secret
\item confidential
\item unclassified
\end{itemize}

The idea is that the secrets classified as top secret are most
closely guarded and only accessible to people who have a
special clearance. The unclassified category is the lowest
level, not needing any clearance. While the idea behind these
security levels is quite straightforward, there are some
interesting implications for when you want to realise such a
system. To begin with, the access control needs to be
\emph{mandatory} as opposed to \emph{discretionary}. With
discretionary access control, the users can decide how to
restrict or grant access to resources. With mandatory access
control, the access to resources is enforced ``system-wide''
and cannot be controlled by the user. There are also some
interesting rules for reading and writing an object that
need to be enforced:

9bc912fcedb6
updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
252
diff
changeset
|
207 |
\begin{itemize}
\item {\bf Read Rule}: a principal $P$ can read an object $O$
provided $P$'s security level is at least as high as $O$'s
(``no read up'', also known as the simple security property)

\item {\bf Write Rule}: a principal $P$ can write an object $O$
provided $O$'s security level is at least as high as $P$'s
(``no write down'', also known as the $\star$-property)
\end{itemize}

\noindent The first rule says that a principal with secret
clearance can read secret documents or lower, but not
documents classified top-secret. The second rule for writing
needs to be the other way around: someone with secret
clearance can write secret or top-secret documents---no
information is leaked to a lower level. In contrast, they
cannot write confidential documents, because then secret
information could be leaked to a lower level. These rules
about enforcing secrecy with multi-level clearances are often
called the \emph{Bell-LaPadula} model, named after David Bell
and Leonard LaPadula, who formalised such systems in the 1970s.

A problem with this access control system arises when two
people want to talk to each other but have different security
clearances, say secret and confidential. In these situations,
the person with the higher clearance has to lower their
working security level and is not allowed to take any document
from the higher level with them (otherwise information could
again be leaked). In actual systems this might mean that
people need to log out and log into the system again---this
time with credentials for the lower level.

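The two rules above and the lower-level session just described, as an added example that is not part of the handout (the reference monitor, the names Alice and Bob, the two documents and the tracking of what a principal has read are all constructed for it; the handout itself gives no code):

```python
"""Added example (not code from the handout): a toy reference monitor that
enforces the Bell-LaPadula read and write rules over the four levels listed
above. Principals record the highest levels they have read, so switching
the write rule off makes the leak it prevents visible; a principal can
also start a fresh session at a lower level (log out, log in again)."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Security levels in ascending order; RANK turns them into a total order.
LEVELS = ("unclassified", "confidential", "secret", "top secret")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as high as level b."""
    return RANK[a] >= RANK[b]


@dataclass
class Principal:
    name: str
    clearance: str                  # highest level the principal is cleared for
    current: Optional[str] = None   # level of the current session
    seen: Set[str] = field(default_factory=set)  # levels of information read

    def __post_init__(self):
        self.current = self.current or self.clearance
        if not dominates(self.clearance, self.current):
            raise ValueError(f"{self.name} is not cleared for {self.current}")


@dataclass
class Obj:
    name: str
    level: str
    taint: Optional[str] = None     # highest level of information inside

    def __post_init__(self):
        self.taint = self.taint or self.level


class Monitor:
    """Mandatory policy: every access goes through here and no principal
    can change the rules (unlike discretionary, owner-set permissions)."""

    def __init__(self, enforce_write_rule: bool = True):
        self.enforce_write_rule = enforce_write_rule
        self.log = []  # (principal, operation, object, allowed) audit trail

    def read(self, p: Principal, o: Obj) -> bool:
        # Read rule, "no read up": p's session level must dominate o's level.
        ok = dominates(p.current, o.level)
        self.log.append((p.name, "read", o.name, ok))
        if ok:
            p.seen.add(o.taint)
        return ok

    def write(self, p: Principal, o: Obj) -> bool:
        # Write rule, "no write down": o's level must dominate p's session level.
        ok = dominates(o.level, p.current) or not self.enforce_write_rule
        self.log.append((p.name, "write", o.name, ok))
        if ok and p.seen:
            # Anything p has read may now be in o: record the highest level.
            o.taint = max(p.seen | {o.taint}, key=RANK.__getitem__)
        return ok


def leaked(o: Obj) -> bool:
    """An object holds leaked information if its taint exceeds its own level."""
    return RANK[o.taint] > RANK[o.level]


def new_session(p: Principal, level: str) -> Principal:
    """Log out and back in at another level: a fresh session that carries
    nothing read in the previous one (and never goes above the clearance)."""
    return Principal(p.name, p.clearance, level)


def scenario(enforce_write_rule: bool = True) -> dict:
    """Alice (secret clearance) wants to pass a note to Bob (confidential)."""
    m = Monitor(enforce_write_rule)
    alice = Principal("alice", "secret")
    bob = Principal("bob", "confidential")
    plans = Obj("plans", "secret")
    note = Obj("note", "confidential")

    r1 = m.read(alice, plans)        # allowed: secret reads secret
    r2 = m.read(bob, plans)          # denied: confidential cannot read up
    w1 = m.write(alice, note)        # denied while the write rule is on
    alice_low = new_session(alice, "confidential")  # the sanctioned route
    w2 = m.write(alice_low, note)    # allowed: confidential writes confidential
    r3 = m.read(alice_low, plans)    # denied: the lower session cannot read secret
    return {"alice_reads_plans": r1, "bob_reads_plans": r2,
            "alice_writes_note_at_secret": w1, "alice_writes_note_lowered": w2,
            "lowered_alice_reads_plans": r3, "note_leaked": leaked(note)}


if __name__ == "__main__":
    print(scenario())                           # note_leaked is False
    print(scenario(enforce_write_rule=False))   # note_leaked is True
```

Running `scenario()` with the write rule on shows the note never carries secret information; running it with the rule off lets Alice write the note from her secret session, and `leaked(note)` then reports the flow from secret to confidential that the rule exists to stop. The fresh session returned by `new_session` is what the log-out-and-log-in-again step achieves: it has an empty `seen` set, so nothing read at the higher level can follow Alice down.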
While secrecy is one property you often want to enforce,
integrity is another. This property ensures that no

\subsubsection*{Further Information}

If you want to know more about the intricacies of the
``simple'' Unix access control system, you might find the
relatively readable paper ``Setuid Demystified'' (Chen, Wagner
and Dean, USENIX Security 2002) useful.

\begin{center}\small
\url{http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf}
\end{center}

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: