\documentclass{article}
\usepackage{../style}
\usepackage{../langs}

\begin{document}

\section*{Hints for Coursework}

\begin{flushright}
\it ``I have no special talents.\\
I am only passionately curious.''\\
\small--- Albert Einstein
\end{flushright}\medskip

\noindent Many students seem to have some difficulties with this coursework.
While it can be solved with just logical
reasoning, this seems to me like learning to swim on dry land.
Why not try out what an actual UNIX system has to say?
Seems obvious, doesn't it? ;o)

\subsection*{Environment}

I know of at least three ways to set up a testing
environment without affecting my main computer, and which
should work regardless of whether you have a Windows, MacOSX
or Linux machine:

\begin{enumerate}
\item You can download Oracle's VirtualBox

\begin{center}
\url{https://www.virtualbox.org}
\end{center}

There are binaries for Windows and MacOSX (I only tried
out MacOSX). In addition, you need to download a Linux
distribution. I used a recent iso-file of an Ubuntu
distribution. All components are free.

\item If you happen to have a Raspberry Pi lying around (I
have two for playing music as well as for all sorts of
rainy-afternoon distractions), you can use that. The cheapest model of a
Raspberry Pi costs around \pounds{7}. More expensive
versions cost around \pounds{20}.
You also need an
SD memory card of at least 4GB, which can be bought for
\pounds{5} or less. Some SD cards come pre-installed
with Linux, but all can be easily loaded with Linux. The
good thing about Raspberry Pi's is that despite their
miniature size and small cost, they are full-fledged
Linux computers\ldots{}exactly what is needed for such
experiments. There are plenty of Linux distributions on the
Net that are tailored to work ``out of the box'' with
Raspberry Pi's.

\item If you have a spare memory stick lying
around, you can try out any of the live USB-versions
of Linux.

\begin{center}
\url{https://en.wikipedia.org/wiki/Live_USB}
\end{center}

The idea is to load Linux onto the USB stick, plug
it into your computer and boot up a Linux system without
having to download anything to your computer. A notable
live USB version of Linux is called Tails

\begin{center}
\url{https://tails.boum.org}
\end{center}

which comes with Tor pre-installed and is for people who
need a maximum of privacy and anonymity (whistleblowers,
dissidents). It is said that the journalists Laura
Poitras and Glenn Greenwald used it when talking to
Edward Snowden. Tails gives them anonymity even if their
main system is compromised by malicious software, for
example installed by the NSA.

However, a live USB Linux will need some support from
the computer (BIOS) where you plug in the USB stick. I
know Apple computers are a bit ``special'' with this and
would need a 3rd-party boot loader for loading operating
systems from a USB memory stick.

An alternative is to burn a CD/DVD with a live Linux
distribution. But perhaps CDs/DVDs are already obsolete
technology not available to everyone. The point is that
loading an operating system from such media is/was
much better supported by various computers.

\end{enumerate}

\noindent For my experiments below, I used option 2. In
earlier versions of this module I used option 1. I have
not tried option 3 in a while, but know that in the past I had
a dedicated bootloader on an Apple computer just for the
purpose of running operating systems from external disks. I
also for a long time had spare CDs lying around just for the
purpose that my (Linux) operating system got trashed enough so
that it had to be rebooted externally.

\subsection*{Setup}

Once you have Linux up and running, there are a few commands
you need to know in order to replicate the ownerships and
permissions from the question:

\begin{itemize}
\item \texttt{useradd} creates a new user
\item \texttt{groupadd} creates a new group
\item \texttt{adduser} adds a user to a group
\item \texttt{chmod} changes the permissions of a file
\item \texttt{chown}, \texttt{chgrp} change the ownership and
group of a file
\end{itemize}

\noindent There is also a choice to be made about what to use as
\texttt{microedit}. If you do not want to get your hands dirty and
write a test program yourself, I recommend using the
editors \texttt{vi} or \texttt{vim}, which are available on
pretty much every UNIX system. For a first try-out, this is a
helpful choice for solving the question. However, it has a
disadvantage: it will always assume you have read permissions
to a file. To use these editors, I made a copy of them
and renamed them to \texttt{microedit}. Be careful to set the
setuid bit for \texttt{microedit}.


\subsection*{Permission Basics}

The absolute basics are how the permissions are organised,
essentially in four blocks

\begin{center}
${\underbrace{\huge\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
{\underbrace{\huge\texttt{-{}-{}-}}_{\text{user}}}\,
{\underbrace{\huge\texttt{-{}-{}-}}_{\text{group}}}\,
{\underbrace{\huge\texttt{-{}-{}-}}_{\text{other}}}$
\end{center}

\noindent This seems to be the knowledge everybody has. But
difficulties already arise with the following fact, which
could easily be resolved by a little experiment: assume a file
is owned by Bob with permissions

\begin{center}
$\texttt{-{}r-{}-{}rw-{}rwx\;\;bob\;students\;\;file\_name}$
\end{center}

\noindent The UNIX access rules imply that Bob will only have
read access to this file, even if he is in the group students
and the group access permissions allow read and write.
Similarly, every member of the students group who is not Bob
will only have read-write access permissions, not
read-write-execute.

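The class-selection rule behind this fact, written out as an added C example (it is not from the handout or its \texttt{read.c}): the kernel settles on exactly one class for the caller, owner first, then group, then other, and consults only that class's bits, which is why Bob ends up with less than the members of his group. All numeric ids (bob 1001, students 2000, gid 3000 for a non-member) are constructed, and \texttt{handout\_bits} is a convenience for the \texttt{-r-{}-rw-rwx} file above.

```c
/* Added example (not the handout's code): the UNIX access decision
 * for a plain file as the kernel makes it. Exactly one class applies
 * to a caller (owner, else group, else other) and only that class's
 * bits count. Root is left out: it bypasses these bits altogether. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define PERM_R 04   /* permission bits within one class, octal */
#define PERM_W 02
#define PERM_X 01

/* Ownership and the nine permission bits of a file, e.g. 0467 for
 * -r--rw-rwx (user r--, group rw-, other rwx). */
struct file_perm {
    uid_t    owner;
    gid_t    group;
    unsigned mode;
};

/* The three bits that apply to a caller with user id `uid` who is a
 * member of the `ngroups` groups listed in `groups`. */
unsigned effective_bits(const struct file_perm *f, uid_t uid,
                        const gid_t *groups, size_t ngroups)
{
    if (uid == f->owner)                  /* owner class wins outright */
        return (f->mode >> 6) & 07;
    for (size_t i = 0; i < ngroups; i++)  /* else group class, if member */
        if (groups[i] == f->group)
            return (f->mode >> 3) & 07;
    return f->mode & 07;                  /* else other class */
}

/* True if every bit in `want` (e.g. PERM_R | PERM_W) is granted. */
bool may_access(const struct file_perm *f, uid_t uid,
                const gid_t *groups, size_t ngroups, unsigned want)
{
    return (effective_bits(f, uid, groups, ngroups) & want) == want;
}

/* The handout's example file with constructed ids: owner bob (uid
 * 1001), group students (gid 2000), mode -r--rw-rwx (0467). The
 * caller's only group is students if `in_students`, else gid 3000. */
unsigned handout_bits(uid_t uid, bool in_students)
{
    static const struct file_perm f = { 1001, 2000, 0467 };
    gid_t g = in_students ? 2000 : 3000;
    return effective_bits(&f, uid, &g, 1);
}
```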
The question asked whether Ping, Bob and Emma can read or write
the given files \underline{\smash{using}} the program
microedit. This means we will call on the command line

\begin{center}
$\texttt{>}\;\;\texttt{microedit}\;\textit{file\_name}$
\end{center}

\noindent for all files and for Bob, Ping and Emma. So if you
want to find out whether Bob, say, can read or write a file,
you need to find out the access permissions with which
\texttt{microedit} is run. This would be easy if
\texttt{microedit} did not have the setuid bit set. Then it
would be just the rights of the caller (Ping, Bob or Emma).
But your friendly lecturer arranged the question so that it
has the setuid bit.

Recall that the setuid bit gives the program the ability to
run with the permissions of the owner of the \texttt{microedit}
file, not the permissions of the caller. I wrote in the
handout

\begin{quote}\it
``The fundamental idea behind the setuid attribute is that a
file will be able to run not with the caller's access rights,
but with the rights of the owner of the file.''
\end{quote}

\noindent Something similar is written in the Wikipedia
entry for setuid

\begin{center}
\url{http://en.wikipedia.org/wiki/Setuid}
\end{center}

\noindent This implies that whether \textit{file\_name} is
readable or writable is not determined by the caller, but by
the permissions with which \texttt{microedit} runs. As you
might know already, and can also see in Figure~\ref{test}
shown later, any \textit{file\_name} given on the command line
will be handed over to \texttt{microedit} as a string. It is the
``responsibility'' of \texttt{microedit} what to do with it.


There is one caveat however: we need to find out first whether
the caller (Bob, Ping or Emma) can actually run
\texttt{microedit}---that is, whether they have execute permissions for
\texttt{microedit}. Once \texttt{microedit} runs, it will
assume the permissions of the owner of \texttt{microedit}. The
question is now whether these permissions are sufficient to
read or write the file \textit{file\_name}. The hints so far
should already be useful for answering the first three
columns.

For the other two files we have to take into account that they
are inside a directory. Special access rules apply to
directories. In the handout I wrote

\begin{quote}\it
``There are already some special rules for directories and
links. If the execute attribute of a directory is \emph{not}
set, then one cannot change into the directory and one cannot
access any file inside it. If the write attribute is
\emph{not} set, then one can change existing files (provided
they are changeable), but one cannot create new files. If the
read attribute is \emph{not} set, one cannot search inside the
directory (\texttt{ls -la} does not work) but one can access an
existing file, provided one knows its name.''
\end{quote}

\noindent With this also the last two columns can be filled
in.

% \subsection*{Advanced Permissions}

% While all hints so far should get you very close to the
% intended answers, there is one further complication arising
% from the setuid bit. The question asked:

% \begin{quote}\it
% \ldots{}whether Ping, Bob, or Emma \underline{are able} to obtain
% the right to read (R) or replace (W) its contents using
% the editor microedit.
% \end{quote}

% \noindent Note the underlined phrase. That means we need to
% ensure that there is no other way for Bob, Ping and Emma to
% obtain reading or writing permissions with \texttt{microedit}.
% Actually there is. Any file that has the setuid bit set will
% be called with the permissions of the owner, but once it has done
% the work, it can ``lower'' the permissions again to the
% caller's rights. This is a second possibility we have to check:
% whether the files become readable or writable when the
% permissions of the caller are re-instated. In the handout
% I wrote about the setuid-program \texttt{passwd}:

% \begin{quote}\it
% ``As an example consider again the \texttt{passwd}
% program. When started by, say, the user \texttt{foo}, it has at
% the beginning the identities:

% \begin{itemize}
% \item \emph{real identity}: \texttt{foo}\\
% \emph{effective identity}: \texttt{foo}\\
% \emph{saved identity}: \texttt{root}
% \end{itemize}

% \noindent It is then allowed to change the effective
% identity to the saved identity to have

% \begin{itemize}
% \item \emph{real identity}: \texttt{foo}\\
% \emph{effective identity}: \texttt{root}\\
% \emph{saved identity}: \texttt{root}
% \end{itemize}

% \noindent It can now read and write the file
% \texttt{/etc/passwd}. After finishing the job it is supposed to
% drop the effective identity back to \texttt{foo}. This is the
% responsibility of the programmers who wrote \texttt{passwd}.
% Notice that the effective identity is not automatically
% elevated to \texttt{root}, but the program itself must make
% this change. After it has done the work, the effective
% identity should go back to the real identity.
% ''
% \end{quote}

% \noindent It was hoped by your friendly lecturer that any of
% the students would have consciously considered this
% possibility, but alas nobody did\ldots{}

\subsection*{A Program in C}

I suggested above to use a copy of the editors \texttt{vi} or
\texttt{vim} for \texttt{microedit}. This works reasonably
well, except for one instance: if a file is not readable, then
these editors will not be helpful for checking whether the
file is writable. Giving out such a permission is a perfectly
``normal'' situation in many large UNIX systems. A user might
be allowed to write into central log files, but should not be
able to read them (otherwise they can find out what other
users did). To get around this problem, I brushed up my C
knowledge from school days and googled around for how to read
and write files. Typing ``read write in C'' into the
all-knowing search engine, I obtained the link

\begin{center}
\url{https://www.cs.bu.edu/teaching/c/file-io/intro/}
\end{center}

\noindent which tells you pretty much everything there is to know
about opening a file in C for reading and writing. (There are
certainly more and better sources for finding out how to read
and write files. This was just at my fingertips.) A little
bit more googling helped me display the user that
determines the access permissions. Being lazy, I did not spend
a thought on refactoring the file to be as small as possible,
and also did not go the extra mile to convert the ID of the
user into a clear name.

The resulting little C program is shown in Figure~\ref{test}.
It explicitly checks for readability and writability of files.
The \pcode{main} function is organised into two parts: the
first checks readability and writability with the permissions
according to a potential setuid bit, and the second (starting
in Line 34) when the permissions are lowered to the caller.
Note that this program has one problem as well: it only gives
a reliable answer in cases where a file is {\bf not} readable or
{\bf not} writable. In these cases it returns the error code 13
(permission denied). It sometimes claims a file is not
writable, say, but with the error code 26 (text file busy).
This is unrelated to the permissions of the file.

\begin{figure}[t]
\small\mbox{}\\[-14mm]
\lstinputlisting[language=C]{../progs/read.c}\mbox{}\\[-13mm]
\caption{A read/write test program in C. It returns errno = 13
in cases when permission is denied.\label{test}}
\end{figure}

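The same two-part probe as an added C example (it is not the \texttt{read.c} of Figure~\ref{test}): open the file for reading and for writing with the effective ids first, then again after lowering them to the caller's real ids with \texttt{setegid}/\texttt{seteuid}. Only errno 13 (EACCES) is taken as a permission verdict; errno 26 (ETXTBSY) is what \texttt{open} for writing returns on an executable that is currently running, so it is reported separately rather than read as ``not writable''. \texttt{probe\_scratch} is a self-check helper constructed for this example and not part of the original program.

```c
/* Added example, not the handout's read.c: two-part read/write probe. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Try to open `path` with `flags`; return 0 on success, else errno. */
int probe(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Only 0 and EACCES are permission verdicts; e.g. ETXTBSY (26) on a running executable is not. */
void verdict(const char *what, int rc)
{
    if (rc == 0)           printf("  %s: yes\n", what);
    else if (rc == EACCES) printf("  %s: no (errno 13, permission denied)\n", what);
    else                   printf("  %s: unknown (errno %d: %s)\n", what, rc, strerror(rc));
}

/* Self-check helper (constructed): scratch file with bits `mode`, probed with `flags`, removed. */
int probe_scratch(mode_t mode, int flags)
{
    char path[] = "/tmp/probe-XXXXXX";
    int fd = mkstemp(path), rc;
    if (fd < 0) return errno;
    close(fd);
    rc = chmod(path, mode) ? errno : probe(path, flags);
    unlink(path);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 1; }
    printf("with effective ids (euid %u):\n", (unsigned)geteuid());   /* part 1: owner's ids if setuid */
    verdict("read",  probe(argv[1], O_RDONLY));
    verdict("write", probe(argv[1], O_WRONLY));
    if (setegid(getgid()) || seteuid(getuid())) { perror("drop"); return 1; }
    printf("with caller ids (euid %u):\n", (unsigned)geteuid());      /* part 2: lowered to the caller */
    verdict("read",  probe(argv[1], O_RDONLY));
    verdict("write", probe(argv[1], O_WRONLY));
    return 0;
}
```

Build it, copy it to \texttt{microedit}, set owner and setuid bit as in the question, and run it as each user; the second half is what the commented-out ``Advanced Permissions'' part is about.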
%\subsection*{Solution}
%
%\begin{center}
%\begin{tabular}{r|c|c|c|c|c}
% & manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline
%ping & R- & R- & RW & -- & --\\\hline
%bob & R- & R- & RW & -- & --\\\hline
%emma & -- & -- & -- & -- & --\\
%\end{tabular}
%\end{center}
%
%\begin{center}
%\begin{tabular}{r|c|c|c|c|c}
% & manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline
%ping & RW & -W & RW & R- & --\\\hline
%bob & R- & R- & RW & -- & --\\\hline
%emma & -- & -- & -- & -- & --\\
%\end{tabular}
%\end{center}


\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: