coursework/so04.tex
changeset 558 86334134abe5
\documentclass{article}
\usepackage{../style}
\usepackage{../langs}

\begin{document}

\section*{Hints for Coursework}

\begin{flushright}
\it ``I have no special talents.\\
I am only passionately curious.''\\
\small--- Albert Einstein
\end{flushright}\medskip

\noindent Many students seem to have some difficulties with this coursework.
While it can be solved with just logical
reasoning, this seems to me like learning to swim on dry land.
Why not try out what an actual UNIX system has to say?
Seems obvious, doesn't it? ;o)

       
\subsection*{Environment}

I know at least three ways to set up a testing
environment without affecting my main computer, and which
should work regardless of whether you have a Windows, MacOSX
or Linux machine:

\begin{enumerate}
\item You can download Oracle's VirtualBox

\begin{center}
\url{https://www.virtualbox.org}
\end{center} 

      There are binaries for Windows and MacOSX (I only tried
      out MacOSX). In addition, you need to download a Linux
      distribution. I used a recent iso-file of an Ubuntu
      distribution. All components are free.

\item If you happen to have a Raspberry Pi lying around, you
      can use that (I have two for playing music as well as
      for all sorts of rainy-afternoon distractions). The
      cheapest model of a Raspberry Pi costs around
      \pounds{7}. More expensive versions cost around
      \pounds{20}. You also need an SD memory card of at
      least 4GB, which can be bought for \pounds{5} or less.
      Some SD cards come pre-installed with Linux, but all can
      be easily loaded with Linux. The good thing about
      Raspberry Pi's is that despite their miniature size and
      small cost, they are full-fledged Linux
      computers\ldots{}exactly what is needed for such
      experiments. There are plenty of Linux distributions on
      the Net that are tailored to work ``out of the box''
      with Raspberry Pi's. 
      
\item If you have a spare memory stick lying 
      around, you can try out any of the live USB-versions
      of Linux.
      
      \begin{center}
      \url{https://en.wikipedia.org/wiki/Live_USB}
      \end{center} 
   
      The idea is to load Linux onto the USB stick, plug it
      into your computer and boot up a Linux system without
      having to install anything on your computer. A notable
      live USB version of Linux is called Tails
      
      \begin{center}
      \url{https://tails.boum.org}
      \end{center}

      which comes with Tor pre-installed and is for people who
      need a maximum of privacy and anonymity (whistleblowers,
      dissidents). It is said that the journalists Laura
      Poitras and Glenn Greenwald used it when talking to
      Edward Snowden. Tails gives them anonymity even if their
      main system is compromised by malicious software, for
      example installed by the NSA.

      However, a live USB Linux will need some support from
      the computer (BIOS) where you plug in the USB stick. I
      know Apple computers are a bit ``special'' with this and
      would need a 3rd-party boot loader for loading operating
      systems from a USB memory stick. 
      
      An alternative is to burn a CD/DVD with a live Linux
      distribution. But perhaps CDs/DVDs are already obsolete
      technology not available to everyone. The point is that
      loading an operating system from such media is/was
      much better supported by various computers.

\end{enumerate}
       

\noindent For my experiments below, I used option 2. In
earlier versions of this module I have used option 1. I have
not tried option 3 in a while, but know that in the past I had
a dedicated bootloader on an Apple computer just for the
purpose of running operating systems from external disks. I
also for a long time had spare CDs lying around for the
occasions when my (Linux) operating system got trashed badly
enough that it had to be booted externally.

       
\subsection*{Setup}

Once you have Linux up and running, there are a few commands
you need to know in order to replicate the ownerships and
permissions from the question: 

\begin{itemize}
\item \texttt{useradd} creates a new user
\item \texttt{groupadd} creates a new group
\item \texttt{adduser} adds a user to a group (on Debian-based
systems such as Ubuntu and Raspbian in the form
\texttt{adduser} \textit{user} \textit{group}; elsewhere
\texttt{usermod -a -G} \textit{group} \textit{user} does the
same)
\item \texttt{chmod} changes the permissions of a file,
including the setuid bit (\texttt{chmod u+s})
\item \texttt{chown}, \texttt{chgrp} change the ownership and 
group of a file
\end{itemize}

\noindent All of these need root privileges (\texttt{sudo}).
One trap to be aware of: on Linux, \texttt{chown} clears the
setuid bit of an executable, so set the owner and group first
and the setuid bit afterwards, and check the result with
\texttt{ls -l} (the \texttt{x} of the owner block shows as
\texttt{s}).

There is also a choice to be made about what to use as
microedit. If you do not want to get your hands dirty and
write a test program yourself, I recommend using the
editors \texttt{vi} or \texttt{vim}, which are available on
pretty much every UNIX system. For a first try-out, this is a
helpful choice for solving the question. However, it has a
disadvantage: it will always assume you have read permission
for a file. To use one of these editors, I made a copy of it
and renamed the copy to \texttt{microedit}. Be careful to set
the setuid bit for \texttt{microedit} and to give it the
owner and group from the question. Note that a setuid copy
of a full editor is a privilege escalation waiting to happen
(\texttt{vi} will run arbitrary shell commands via
\texttt{:!}), so do this only on a throwaway system such as
the ones above.

       
\subsection*{Permission Basics}

The absolute basics are how the permissions are organised,
in essentially four blocks

\begin{center}
${\underbrace{\huge\texttt{-}}_{\text{\makebox[0mm]{directory}}}}
 {\underbrace{\huge\texttt{-{}-{}-}}_{\text{user}}}\,
 {\underbrace{\huge\texttt{-{}-{}-}}_{\text{group}}}\,
 {\underbrace{\huge\texttt{-{}-{}-}}_{\text{other}}}$
\end{center}

\noindent where the first character gives the file type
(\texttt{d} for a directory, \texttt{-} for a regular file)
and the three triples give the read, write and execute bits
for the owning user, the owning group and everybody else.
This seems to be the knowledge everybody has. But
difficulties already arise with the following fact, which a
little experiment would easily resolve: assume a file is
owned by Bob with permissions

\begin{center}
$\texttt{-{}r-{}-{}rw-{}rwx\;\;bob\;students\;\;file\_name}$
\end{center}

\noindent The UNIX access rules imply that Bob will only have
read access to this file, even if he is in the group students
and the group access permissions allow read and write. The
kernel picks exactly one of the three blocks, the first one
that applies (owner, then group, then other), and never falls
through to a later, more generous block. Similarly every
member of the students group who is not Bob will only have
read-write access, not read-write-execute. (The one exception
is root, who bypasses the read and write bits altogether.)

       
The question asked whether Ping, Bob and Emma can read or write
the given files \underline{\smash{using}} the program
microedit. This means we will call on the command line 

\begin{center}
$\texttt{>}\;\;\texttt{microedit}\;\textit{file\_name}$
\end{center}

\noindent for all files and for Bob, Ping and Emma. So if you
want to find out whether Bob, say, can read or write a file,
you need to find out the access permissions with which
\texttt{microedit} is run. This would be easy if
\texttt{microedit} did not have the setuid bit set: then it
would be just the rights of the caller (Ping, Bob or Emma).
But your friendly lecturer arranged the question so that it
has the setuid bit. 

Recall that the setuid bit gives the program the ability to 
run with the permissions of the owner of the \texttt{microedit}
file, not the permissions of the caller. I wrote in the
handout

\begin{quote}\it
``The fundamental idea behind the setuid attribute is that a
file will be able to run not with the caller's access rights,
but with the rights of the owner of the file.''
\end{quote}

\noindent Something similar is written in the Wikipedia
entry for setuid

\begin{center}
\url{http://en.wikipedia.org/wiki/Setuid}
\end{center} 
 
\noindent This implies that whether \textit{file} is
readable or writable is not determined by the caller, but by
the permissions with which \texttt{microedit} runs. As you
might know already, and can also see in Figure~\ref{test}
shown later, any \textit{file\_name} given on the command line
will be handed over to microedit as a string. It is the
``responsibility'' of \texttt{microedit} what to do with it.


There is one caveat however: we need to find out first whether
the caller (Bob, Ping or Emma) can actually run
\texttt{microedit}---that is, has execute permission for
\texttt{microedit}. The setuid bit does nothing for a user
who cannot execute the file in the first place. Once
\texttt{microedit} runs, it will assume the permissions of the
owner of \texttt{microedit}. More precisely, it runs with the
effective user ID of the owner, while its group memberships
remain those of the caller; this matters exactly when the
group block is the one that applies. The question is now
whether these permissions are sufficient to read or write the
file \textit{file\_name}. The hints so far should already be
useful for answering the first three columns.

       
For the other two files we have to take into account that they
are inside a directory. For directories, special access
rules apply. In the handout I wrote

\begin{quote}\it
``There are already some special rules for directories and
links. If the execute attribute of a directory is \emph{not}
set, then one cannot change into the directory and one cannot
access any file inside it. If the write attribute is
\emph{not} set, then one can change existing files (provided
they are changeable), but one cannot create new files. If the
read attribute is \emph{not} set, one cannot search inside the
directory (\texttt{ls -la} does not work) but one can access an
existing file, provided one knows its name.''
\end{quote}

\noindent With this also the last two columns can be filled 
in: first check that the identity \texttt{microedit} runs
with has execute permission on the directory, then apply the
ordinary file rules to the file inside it.
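The rules of the last two sections, written out as a small model in C. This is example code added to these hints, not the handout's \texttt{read.c} and not kernel source; it encodes the decision the kernel makes for a regular file and for a path through directories, given the \emph{effective} identity of the process (for a setuid \texttt{microedit}: the owner's user ID together with the caller's groups). The user IDs, group IDs, modes and the names bob, alice and carol are constructed for the example.

```c
/* Added example: a model of the UNIX discretionary access check.
 * Not the handout's read.c and not kernel code; it spells out the
 * rule the hints describe.  The identity is the *effective* one:
 * for a setuid microedit, uid is microedit's owner while the group
 * list is still the caller's.  All ids, modes and names below are
 * constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_GROUPS 8
enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };

struct ident {                  /* who is asking */
    unsigned uid;               /* effective user id */
    unsigned gids[MAX_GROUPS];  /* effective gid + supplementary groups */
    size_t ngids;
};

struct inode {                  /* what is asked about */
    unsigned mode;              /* permission bits, e.g. 0467 = -r--rw-rwx */
    unsigned uid;               /* owning user */
    unsigned gid;               /* owning group */
};

static bool in_group(const struct ident *who, unsigned gid)
{
    for (size_t i = 0; i < who->ngids; i++)
        if (who->gids[i] == gid)
            return true;
    return false;
}

/* The rwx bits (0..7) that apply to `who`.  Exactly one block is
 * consulted, the first that matches: owner, then group, then other.
 * An owner is never upgraded to wider group or other bits. */
unsigned granted_bits(const struct inode *f, const struct ident *who)
{
    if (who->uid == f->uid)
        return (f->mode >> 6) & 7;
    if (in_group(who, f->gid))
        return (f->mode >> 3) & 7;
    return f->mode & 7;
}

/* True if every bit in `want` is granted.  uid 0 (root) bypasses the
 * read/write bits and needs only some execute bit to execute. */
bool access_ok(const struct inode *f, const struct ident *who, unsigned want)
{
    if (who->uid == 0)
        return !(want & WANT_X) || (f->mode & 0111);
    return (granted_bits(f, who) & want) == want;
}

/* Path lookup: every directory on the way needs the execute (search)
 * bit; only the final file is checked against `want`.  `dirs` are the
 * directories leading to `file`, outermost first. */
bool path_access_ok(const struct inode *dirs, size_t ndirs,
                    const struct inode *file,
                    const struct ident *who, unsigned want)
{
    for (size_t i = 0; i < ndirs; i++)
        if (!access_ok(&dirs[i], who, WANT_X))
            return false;
    return access_ok(file, who, want);
}

/* Listing needs r on the directory; creating or removing a name in it
 * needs w and x on the directory, whatever the file's own bits say. */
bool can_list(const struct inode *dir, const struct ident *who)
{ return access_ok(dir, who, WANT_R); }
bool can_create_in(const struct inode *dir, const struct ident *who)
{ return access_ok(dir, who, WANT_W | WANT_X); }

/* Constructed scenario: bob=1000, alice=1001, carol=1002, students=100. */
const struct inode example_file = { 0467, 1000, 100 }; /* -r--rw-rwx bob students file_name  */
const struct inode example_src  = { 0710, 1000, 100 }; /* drwx--x--- bob students src        */
const struct inode example_code = { 0640, 1000, 100 }; /* -rw-r----- bob students src/code.c */
const struct ident bob   = { 1000, {100}, 1 };         /* owner, also in students            */
const struct ident alice = { 1001, {100}, 1 };         /* in students, not the owner         */
const struct ident carol = { 1002, {200}, 1 };         /* neither                            */
const struct ident root  = {    0, {0},   1 };

int main(void)
{
    const struct ident *who[] = { &bob, &alice, &carol };
    const char *names[] = { "bob", "alice", "carol" };
    for (int i = 0; i < 3; i++) {
        unsigned b = granted_bits(&example_file, who[i]);
        printf("%-6s file_name: %c%c%c  src/code.c readable: %s  list src: %s\n",
               names[i], b & 4 ? 'r' : '-', b & 2 ? 'w' : '-', b & 1 ? 'x' : '-',
               path_access_ok(&example_src, 1, &example_code, who[i], WANT_R) ? "yes" : "no",
               can_list(&example_src, who[i]) ? "yes" : "no");
    }
    return 0;
}
```

To use it for the coursework, set \texttt{uid} to the owner of \texttt{microedit} and \texttt{gids} to the caller's groups, which is the combination a setuid binary actually runs with; the model agrees with the experiment only if you get that detail right.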
       

% \subsection*{Advanced Permissions}

% While all hints so far should get you very close to the
% intended answers, there is one further complication arising
% from the setuid bit. The question asked:

% \begin{quote}\it 
% \ldots{}whether Ping, Bob, or Emma \underline{are able} to obtain 
% the right to read (R) or replace (W) its contents using 
% the editor microedit.
% \end{quote} 
 
% \noindent Note the underlined phrase. That means we need to
% ensure that there is no other way for Bob, Ping and Emma to
% obtain reading or writing permissions with \texttt{microedit}.
% Actually there is. Any file that has the setuid bit set will
% be called with the permissions of the owner, but once it has done
% the work, it can ``lower'' the permissions again to the
% caller's rights. This is a second possibility we have to check:
% whether the files become readable or writable when the 
% permissions of the caller are re-instated. In the handout
% I wrote about the setuid-program \texttt{passwd}:

% \begin{quote}\it 
% ``As an example consider again the \texttt{passwd}
% program. When started by, say the user \texttt{foo}, it has at
% the beginning the identities:

% \begin{itemize}
% \item \emph{real identity}: \texttt{foo}\\
% \emph{effective identity}: \texttt{foo}\\ 
% \emph{saved identity}: \texttt{root}
% \end{itemize}

% \noindent It is then allowed to change the effective
% identity to the saved identity to have

% \begin{itemize}
% \item \emph{real identity}: \texttt{foo}\\
% \emph{effective identity}: \texttt{root}\\ 
% \emph{saved identity}: \texttt{root}
% \end{itemize}

% \noindent It can now read and write the file
% \texttt{/etc/passwd}. After finishing the job it is supposed to
% drop the effective identity back to \texttt{foo}. This is the
% responsibility of the programmers who wrote \texttt{passwd}.
% Notice that the effective identity is not automatically
% elevated to \texttt{root}, but the program itself must make
% this change. After it has done the work, the effective
% identity should go back to the real identity.
% ''
% \end{quote}

% \noindent It was hoped by your friendly lecturer that any of
% the students would have consciously considered this
% possibility, but alas nobody did\ldots{} 

       
\subsection*{A Program in C}

I suggested above to use a copy of the editors \texttt{vi} or
\texttt{vim} for \texttt{microedit}. This works reasonably
well, except for one instance: if a file is not readable, then
these editors will not be helpful for checking whether the
file is writable. Giving out such a permission is a perfectly
``normal'' situation in many large UNIX systems. A user might
be allowed to write into central log files, but should not be
able to read them (otherwise they can find out what other
users did). To get around this problem, I brushed up my C
knowledge from school days and googled around for how to read
and write files. Typing ``read write in C'' into the
all-knowing search engine, I obtained the link

\begin{center}
\url{https://www.cs.bu.edu/teaching/c/file-io/intro/}
\end{center}

\noindent which tells you pretty much everything there is to
know about opening a file in C for reading and writing. (There
are certainly more and better sources for finding out how to
read and write files. This was just at my finger tips.) A
little bit more googling helped me to display the user ID that
determines the access permissions, that is the effective user
ID. Being lazy, I did not spend a thought on refactoring the
file to be as small as possible, and also did not go the extra
mile to convert the ID of the user into a clear name.

The resulting little C program is shown in Figure~\ref{test}.
It explicitly checks for readability and writability of files.
The \pcode{main} function is organised into two parts: the
first checks readability and writability with the permissions
according to a potential setuid bit, and the second (starting
in Line 34) when the permissions are lowered to the caller.
Note that this program has one problem as well: it only gives
a reliable answer in cases where a file is {\bf not} readable or
{\bf not} writable. In these cases it returns the error code 13
(permission denied). It sometimes claims a file is not
writable, say, but with the error code 26 (text file busy).
This is unrelated to the permissions of the file: the kernel
refuses to open an executable for writing while it is being
run, which is what happens when \texttt{microedit} is asked to
open itself.

\begin{figure}[t]
\small\mbox{}\\[-14mm]
\lstinputlisting[language=C]{../progs/read.c}\mbox{}\\[-13mm]
\caption{A read/write test program in C. It returns errno = 13 
in cases when permission is denied.\label{test}}
\end{figure}

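The two-part check the figure describes, as an added example written for these hints (it is not the handout's \texttt{read.c}, whose exact code is only in the listing). It serves both the setuid discussion above and this section: it opens the named file for reading and for writing with the identity a setuid bit gives it, reports the errno of any failure, then lowers itself to the real user with \texttt{seteuid(getuid())} and tries again. The default path \texttt{/etc/passwd}, the \texttt{/tmp} probe file created by \texttt{make\_probe\_file} and the function names are assumptions made for this example.

```c
/* Added example: a microedit stand-in that answers the R/W columns
 * directly.  Not the handout's read.c.  It tries to open the file
 * for reading and for writing as the effective user (the owner of a
 * setuid binary), then again after lowering itself to the real user.
 * Build it, chown it to the owner the question prescribes, then
 * chmod u+s it, and run it as each of Bob, Ping and Emma.  The
 * /etc/passwd default and the /tmp probe file are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` with `flags`; return 0 on success or the errno of the
 * failure: EACCES (13) for permission denied, ETXTBSY (26) when the
 * file is an executable that is currently running, ENOENT for a
 * wrong name.  The descriptor is closed at once: only the verdict
 * matters. */
int try_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int read_verdict(const char *path)  { return try_open(path, O_RDONLY); }
int write_verdict(const char *path) { return try_open(path, O_WRONLY); }

static void report(const char *label, const char *path)
{
    int r = read_verdict(path), w = write_verdict(path);
    printf("%-20s euid=%u  read: %s  write: %s\n", label,
           (unsigned)geteuid(), r ? strerror(r) : "ok", w ? strerror(w) : "ok");
}

/* First with the effective identity, then after seteuid(getuid()).
 * seteuid leaves the saved set-user-id untouched, so the privileged
 * identity can be taken back afterwards (this is the "second
 * possibility" a setuid program always has).  A program that wanted
 * to drop privileges for good would call setuid(getuid()) or
 * setresuid() instead.  Returns 0 on success. */
int check_both_identities(const char *path)
{
    uid_t real = getuid(), eff = geteuid();
    report("as setuid identity:", path);
    if (seteuid(real) != 0) {
        perror("seteuid(real)");
        return 1;
    }
    report("lowered to caller:", path);
    if (seteuid(eff) != 0) {
        perror("seteuid(saved)");
        return 1;
    }
    return 0;
}

/* Test helper: create an empty file under /tmp with the given mode
 * and leave its name in probe_path.  Returns 0 or an errno. */
char probe_path[64];
int make_probe_file(mode_t mode)
{
    snprintf(probe_path, sizeof probe_path, "/tmp/microedit-probe-XXXXXX");
    int fd = mkstemp(probe_path);
    if (fd < 0)
        return errno;
    close(fd);
    return chmod(probe_path, mode) == 0 ? 0 : errno;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    printf("real uid=%u  effective uid=%u  file=%s\n",
           (unsigned)getuid(), (unsigned)geteuid(), path);
    return check_both_identities(path);
}
```

Compile it with \texttt{cc}, then as root \texttt{chown} it to the prescribed owner and \texttt{chmod u+s} it, in that order. A file with mode \texttt{0200} is the case the editors cannot handle: as the owner, the program reports \texttt{read: Permission denied} but \texttt{write: ok}. Run as root, both verdicts are always \texttt{ok}, because root is not subject to the permission bits at all.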
       

%\subsection*{Solution}
%
%\begin{center}
%\begin{tabular}{r|c|c|c|c|c}
%      & manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline
%ping  & R-         & R-         & RW        & --         & --\\\hline
%bob   & R-         & R-         & RW        & --         & --\\\hline
%emma  & --         & --         & --        & --         & --\\
%\end{tabular}
%\end{center}
%
%\begin{center}
%\begin{tabular}{r|c|c|c|c|c}
%      & manual.txt & report.txt & microedit & src/code.c & src/code.h \\\hline
%ping  & RW         & -W         & RW        & R-         & --\\\hline
%bob   & R-         & R-         & RW        & --         & --\\\hline
%emma  & --         & --         & --        & --         & --\\
%\end{tabular}
%\end{center}


\end{document}

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: t
%%% End: