--- a/slides/slides03.tex Tue Oct 08 11:57:05 2013 +0100
+++ b/slides/slides03.tex Tue Oct 08 13:01:59 2013 +0100
@@ -192,6 +192,196 @@
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Process Ownership}
+
+\begin{itemize}
+\item access control in Unix is very coarse
+\end{itemize}\bigskip\bigskip\bigskip
+
+\begin{center}
+\begin{tabular}{c}
+root\\
+\hline
+
+user$_1$ user$_2$ \ldots www, mail, lp
+\end{tabular}
+\end{center}\bigskip\bigskip\bigskip
+
+
+\textcolor{gray}{\small root has UID $=$ 0}\\\pause
+\textcolor{gray}{\small you also have groups that can share access to a file}\\
+\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
+
+
+\begin{itemize}
+\item privileges are specified by file access permissions (``everything is a file'')
+\item there are 9 (plus 2) bits that specify the permissions of a file
+
+\begin{center}
+\begin{tabular}{l}
+\texttt{\$ ls - la}\\
+\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
+\end{tabular}
+\end{center}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Login Process}
+
+
+\begin{itemize}
+\item login processes run under UID $=$ 0\medskip
+\begin{center}
+\texttt{ps -axl | grep login}
+\end{center}\medskip
+
+\item after login, shells run under UID $=$ user (e.g.~501)\medskip
+\begin{center}
+\texttt{id cu}
+\end{center}\medskip\pause
+
+\item non-root users are not allowed to change the UID --- would break
+access control
+\item but needed for example for \texttt{passwd}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Setuid and Setgid}
+
+The solution is that unix file permissions are 9 + \underline{2 Bits}:
+\alert{Setuid} and \alert{Setgid} Bits
+
+\begin{itemize}
+\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file.
+\item This enables users to create processes as root (or another user).\bigskip
+
+\item Essential for changing passwords, for example.
+\end{itemize}
+
+\begin{center}
+\texttt{chmod 4755 fobar\_file}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
+
+\begin{center}
+\begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
+ \draw (4.7,1) node {Internet};
+ \draw (0.6,1.7) node {\footnotesize Slave};
+ \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
+ \draw (0.6,1.7) node {\footnotesize Slave};
+ \draw (0.6,0.6) node {\footnotesize Slave};
+ \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+ \draw (-2.9,1.7) node {\footnotesize Monitor};
+
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
+ \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
+
+ \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item pre-authorisation slave
+\item post-authorisation\bigskip
+\item 25\% codebase is privileged, 75\% is unprivileged
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Network Applications}
+
+ideally network application in Unix should be designed as follows:
+
+\begin{itemize}
+\item need two distinct processes
+\begin{itemize}
+\item one that listens to the network; has no privilege
+\item one that is privileged and listens to the latter only (but does not trust it)
+
+\end{itemize}
+
+\item to implement this you need a parent process, which forks a child process
+\item this child process drops privileges and listens to hostile data\medskip
+
+\item after authentication the parent forks again and the new child becomes the user
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws\\[-1mm] in Unix\end{tabular}}
+
+
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
+\end{itemize}
+
+\only<5->{
+\begin{textblock}{1}(3,7)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+ -- Theo de Raadt (OpenBSD, OpenSSH)
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
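Review bot: In the "Famous Security Flaws in Unix" frame the listing `-rwxr-xr-x 1 root wheel /bin/mkdir` shows no setuid bit, yet the race described under it (i-node created as root, ownership changed afterwards) only arises when mkdir runs with root's UID, so the example does not show the condition that the "Setuid and Setgid" frame sets up. If the slide refers to the historical setuid-root mkdir, which is my reading, the listing should carry the `s` in the owner-execute position, `\texttt{-rwsr-xr-x 1 root wheel /bin/mkdir}`, and the item `\texttt{mkdir foo} is owned by root` would be clearer as `\texttt{mkdir} was setuid root`. Two smaller slips in the same hunk: `\texttt{\$ ls - la}` has a stray space and should read `\texttt{\$ ls -la}`, and the TikZ picture draws `\draw (0.6,1.7) node {\footnotesize Slave};` twice. The setuid frame would also benefit from one item naming the risk it introduces, for example `\item every setuid-root program runs with root's rights and must treat all of its input as hostile`.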