# HG changeset patch # User Christian Urban # Date 1413670070 -3600 # Node ID 95e14b2dbc94e6380268aed9aa34f52d2328eefb # Parent 16cbb47ce0b9fc91daa6fba736fe1015e3cf2df0 updated diff -r 16cbb47ce0b9 -r 95e14b2dbc94 handouts/ho04.pdf Binary file handouts/ho04.pdf has changed diff -r 16cbb47ce0b9 -r 95e14b2dbc94 handouts/ho04.tex --- a/handouts/ho04.tex Sat Oct 18 02:17:51 2014 +0100 +++ b/handouts/ho04.tex Sat Oct 18 23:07:50 2014 +0100 
@@ -1,25 +1,99 @@ \documentclass{article} \usepackage{../style} \usepackage{../langs} + \usetikzlibrary{patterns,decorations.pathreplacing} \begin{document} -\section*{Handout 4 (Unix-Style Access Control)} +\section*{Handout 4 (Access Control)} Access control is essentially about deciding whether to grant -access to a resource or deny it. This sounds easy. Right? Well -it turns out that things are not as simple as seem at first. -Let us study as a case how access is organised in Unix-like -systems (Windows systems have generally similar access -control, although the details might be quite different). - +access to a resource or deny it. Sounds easy. No? Well it +turns out that things are not as simple as they seem at first +glance. Let us first look as a case-study at how access +control is organised in Unix-like systems (Windows systems +have similar access controls, although the details might be +quite different). + + +\subsubsection*{Unix-Style Access Control} + Following the Unix-philosophy that everything is considered as -a file, even memory or ports, access control is organised -around 11 Bits that specify how a file can be accessed. There -are three modes for access \textbf{r}ead, \textbf{w}rite and -e\textbf{x}ecute. Moreover there are .... owner, group and -everybody else. +a file, even memory, ports and so on, access control in Unix +is organised around 11 Bits that specify how a file can be +accessed. These Bits are sometimes called the \emph{permission +attributes} of a file. There are typically three modes for +access: \textbf{r}ead, \textbf{w}rite and e\textbf{x}ecute. +Moreover there are three user groups to which the modes apply: +the owner of the file, the group the file is associated with +and everybody else. 
A typical example of some files with +permission attributes is as follows: + +{\small\lstinputlisting[language={}]{../slides/lst}} + +\noindent The leading \pcode{d} in Lines 2 and 6 indicate that +the file is a directory, whereby in the Unix-tradition the +\pcode{.} points to the directory itself. The \pcode{..} +points at the directory ``above'', or parent directory. The +second to fourth letter specify how the owner of the file can +access the file. For example Line 3 states that \pcode{ping} +can read and write the \pcode{manual.txt}, but cannot execute +it. The next three letters specify how the group members of +the file can access the file. In Line 4, for example, all +students can read and write the file \pcode{report.txt}. +Finally the last three letters specify how everybody else can +access a file. This should all be relatively familiar and +straightforward. No? + +There are already some special rules for directories. If the +execute attribute of a directory is \emph{not} set, then one +cannot change into the directory and one cannot access any +file inside it. If the write attribute is not set, then one +can change existing files (provide they are changeable), but +one cannot create new files. If the read attribute is not set, +one cannot search inside the directory (\pcode{ls -la} does +not work) but one can access an existing file, provided one +knows its name. + +While the above might sound moderately complicated, the real +complications with Unix-style file permissions involve the +setuid and setgid attributes. For example the file +\pcode{microedit} in Line 5 has the setuid attribute set +(indicated by the \pcode{s} in place of the usual \pcode{x}). +The purpose of setuid and setgid is to solve the following +puzzle: The program \pcode{passwd} allows users to change +their passwords. Therefore \pcode{passwd} needs to have write +access to the file \pcode{/etc/passwd}. 
But this file cannot +be writable for every user, otherwise anyone can set anyone +else's password. So changing securely passwords cannot be +achieved with the simple Unix access rights discussed so far. +While this situation might look like an anomaly, it is in fact +an often occurring problem. For example looking at current +active processes with \pcode{/bin/ps} requires access to +internal data structures of the operating system. In fact any +of the following actions cannot be configured for single +users, but need privileged root access + +\begin{itemize} +\item changing system databases (users, groups, routing tables +and so on) +\item opening a network port below 1024 +\item interacting with peripheral hardware, such as printers, +harddisk etc +\item overwriting operating system facilities, like +process scheduling and memory management +\end{itemize} + +\noindent This will typically involve quite a lot of +programs on a Unix system. I counted 87 programs with the +setuid attribute set on my bog-standard MacOSX system +(including the program \pcode{/usr/bin/login}). +The problem is that if there is a security problem with +one of them, then malicious users (or outside attackers) +can gain root access. + +\subsubsection*{Secrecy and Integrity} diff -r 16cbb47ce0b9 -r 95e14b2dbc94 hws/hw04.pdf Binary file hws/hw04.pdf has changed diff -r 16cbb47ce0b9 -r 95e14b2dbc94 hws/hw04.tex --- a/hws/hw04.tex Sat Oct 18 02:17:51 2014 +0100 +++ b/hws/hw04.tex Sat Oct 18 23:07:50 2014 +0100 
@@ -27,10 +27,8 @@ \item What does it mean that the program \texttt{passwd} has the \texttt{setuid} bit set? Why is this necessary? - -\item In the context of which information flow should be protected, explain briefly the -differences between the {\it read rule} of the Bell-LaPadula access -policy and the Biba access policy. Do the same for the {\it write rule}. +\item With which permissions does the program \texttt{login} +normally have and why is this needed? \item A Unix directory might look as follows: @@ -70,6 +68,9 @@ \end{tabular} \end{center} +\item In the context of which information flow should be protected, explain briefly the +differences between the {\it read rule} of the Bell-LaPadula access +policy and the Biba access policy. Do the same for the {\it write rule}. \end{enumerate}
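Review bot: In the directory-rules paragraph of the ho04.tex hunk, "provide they are changeable" should read "provided they are changeable", and the rule for a cleared write bit stops at "one cannot create new files"; removing or renaming entries in that directory is blocked as well, since those operations modify the directory rather than the file, and that is the part of the rule that matters for the permission discussion. The count "11 Bits" covers the nine rwx bits plus setuid and setgid; the sticky bit is also part of the mode word, so either count it or say explicitly that it is left out. Two wording fixes in the same hunk: "Let us first look as a case-study at how" reads better as "Let us first look, as a case study, at how", and "So changing securely passwords cannot be achieved" as "So securely changing passwords cannot be achieved". The line references ("Lines 2 and 6", "Line 3 states that \pcode{ping} can read and write") depend on the listing pulled in with \lstinputlisting from ../slides/lst, which is not part of this changeset, so they cannot be checked here; worth confirming the numbering still matches that file. The hunk ends with an empty \subsubsection*{Secrecy and Integrity}; fine as a placeholder, but the PDF committed alongside (handouts/ho04.pdf) will show a dangling heading.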
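Review bot: The rewritten question in the first hw04.tex hunk, "With which permissions does the program \texttt{login} normally have and why is this needed?", is ungrammatical ("with which ... have"); suggest "Which permissions does the program \texttt{login} normally have, and why are they needed?". The question pairs with the handout's remark that /usr/bin/login is among the setuid programs, so that paragraph is the intended source for the answer and should stay in the handout.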
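Review bot: The Bell-LaPadula/Biba question moved into the second hw04.tex hunk now follows the Unix directory exercise, matching the handout's order, but the handout section it relies on (\subsubsection*{Secrecy and Integrity} at the end of the ho04.tex hunk) is still empty in this changeset, so the homework currently asks about material the handout does not yet cover. While moving it, the opening phrase "In the context of which information flow should be protected, explain briefly the differences" could be tightened to "Explain briefly, in terms of which information flow each protects, the differences".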