\documentclass{article}\usepackage{../style}\usepackage{../langs}\usetikzlibrary{patterns,decorations.pathreplacing}\begin{document}\section*{Handout 4 (Access Control)}Access control is essentially about deciding whether to grantaccess to a resource or deny it. Sounds easy. No? Well itturns out that things are not as simple as they seem at firstglance. Let us first look, as a case-study, at how accesscontrol is organised in Unix-like systems (Windows systemshave similar access controls, although the details might bequite different).\subsubsection*{Unix-Style Access Control}Following the Unix-philosophy that everything is considered asa file, even memory, ports and so on, access control in Unixis organised around 11 Bits that specify how a file can beaccessed. These Bits are sometimes called the \emph{permissionattributes} of a file. There are typically three modes foraccess: \underline{\textbf{r}}ead, \underline{\textbf{w}}riteand e\underline{\textbf{x}}ecute. Moreover there are threeuser groups to which the modes apply: the owner of the file,the group the file is associated with and everybody else. Thisrelatively fine granularity seems to cover many usefulscenarios of access control. A typical example of some fileswith permission attributes is as follows:{\small\lstinputlisting[language={}]{../slides/lst}}\noindent The leading \pcode{d} in Lines 2 and 6 indicate thatthe file is a directory, whereby in the Unix-tradition the\pcode{.} points to the directory itself. The \pcode{..}points at the directory ``above'', or parent directory. Thesecond to fourth letter specify how the owner of the file canaccess the file. For example Line 3 states that \pcode{ping}can read and write \pcode{manual.txt}, but cannot execute it.The next three letters specify how the group members of thefile can access the file. In Line 4, for example, all studentscan read and write the file \pcode{report.txt}. Finally thelast three letters specify how everybody else can access afile. This should all be relatively familiar andstraightforward. No?There are already some special rules for directories andlinks. If the execute attribute of a directory is \emph{not}set, then one cannot change into the directory and one cannotaccess any file inside it. If the write attribute is not set,then one can change existing files (provide they arechangeable), but one cannot create new files. If the readattribute is not set, one cannot search inside the directory(\pcode{ls -la} does not work) but one can access an existingfile, provided one knows its name. Links to files never dependon the permission of the link, but the file they are pointingto.While the above might sound already moderately complicated,the real complications with Unix-style file permissionsinvolve the setuid and setgid attributes. For example the file\pcode{microedit} in Line 5 has the setuid attribute set(indicated by the \pcode{s} in place of the usual \pcode{x}).The purpose of setuid and setgid is to solve the followingpuzzle: The program \pcode{passwd} allows users to changetheir passwords. Therefore \pcode{passwd} needs to have writeaccess to the file \pcode{/etc/passwd}. But this file cannotbe writable for every user, otherwise anyone can set anyoneelse's password. So changing securely passwords cannot beachieved with the simple Unix access rights discussed so far.While this situation might look like an anomaly, it is in factan often occurring problem. For example looking at currentactive processes with \pcode{/bin/ps} requires access tointernal data structures of the operating system, which onlyroot should be allowed to. In fact any of the followingactions cannot be configured for single users, but needprivileged root access\begin{itemize}\item changing system databases (users, groups, routing tablesand so on)\item opening a network port below 1024\item interacting with peripheral hardware, such as printers, harddisk etc\item overwriting operating system facilities, likeprocess scheduling and memory management\end{itemize}\noindent This will typically involve quite a lot of programson a Unix system. I counted 90 programs with the setuidattribute set on my bog-standard Mac OSX system (including theprogram \pcode{/usr/bin/login} for example). The problem isthat if there is a security problem with only one of them, beit a buffer overflow for example, then malicious users can gain root access (and for outside attackers it is mucheasier to take over a system). Unfortunately it is rather easy to make errors since the handling of elevating and dropping access rights in such programs rests entirely with the programmer.The fundamental idea behind the setuid attribute is that afile will be able to run not with the callers access rights,but with the rights of the owner of the file. So\pcode{/usr/bin/login} will always be running with root accessrights, no matter who invokes this program. The problem isthat this entails a rather complicated semantics of what theidentity of a process (that runs the program) is. One wouldhope there is only one such ID, but in fact Unix distinguishesthree(!):\begin{itemize}\item \emph{real identity}\\ This is the ID of the user who creates the process; can only be changed to something else by root. \item \emph{effective identity}\\ This is the ID that is used to grant or deny access to a resource; can be changed to eitherthe real identity or saved identity by users, can be changed to anything by root.\item \emph{saved identity}\\If the setuid bit set in a file then the process is startedwith the real identity of the user who started the program,and the identity of the owner of the program as effective andsaved identity. If the setuid bit is not set, then thesaved identity will be the real identity. \end{itemize}\noindent As an example consider again the \pcode{passwd}program. When started by, say the user \pcode{foo}, it has atthe beginning the identities:\begin{itemize}\item \emph{real identity}: \pcode{foo}\\\emph{effective identity}: \pcode{foo}\\ \emph{saved identity}: \pcode{root}\end{itemize}\noindent It is then allowed to change the effectiveidentity to the saved identity to have\begin{itemize}\item \emph{real identity}: \pcode{foo}\\\emph{effective identity}: \pcode{root}\\ \emph{saved identity}: \pcode{root}\end{itemize}\noindent It can now read and write the file\pcode{/etc/passwd}. After finishing the job it is supposed todrop the effective identity back to \pcode{foo}. This is theresponsibility of the programmers who wrote \pcode{passwd}.Notice that the effective identity is not automaticallyelevated to \pcode{root}, but the program itself must makethis change. After it has done the work, the effectiveidentity should go back to the real identity.Despite these complicated semantics, Unix-style access controlis of no use in a number of situations. For example it cannotbe used to exclude some subset of people, but otherwise havefiles readable by everybody else (say you want to restrictaccess to a file such that your office mates cannot access a file). You could try setting the group of the file to thissubset and then restrict access accordingly. But this does nothelp, because users can drop membership in groups. \subsubsection*{Secrecy and Integrity}\subsubsection*{Further Information}If you want to know more about the intricacies of the``simple'' Unix access control system you might find therelatively readable paper about ``Setuid Demystified'' useful.\begin{center}\small\url{http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf}\end{center}\end{document}%%% Local Variables: %%% mode: latex%%% TeX-master: t%%% End: