Operating Systems Security II
Tom Kelliher, CS 325
Oct. 17, 2011
Read 4.5.
- Introduction.
- General object access control.
- File protection mechanisms.
- SELinux.
User authentication.
- An OS ought to provide a general protection mechanism for ``objects.''
- Goals for such a mechanism:
- Check every access -- What if access has been revoked?
- Enforce least privilege -- Grant access to the minimal number of
objects necessary for completing the task.
Examples: restricted access to hs121ps; filesystem quotas; raw disk
blocks.
- Verify acceptable usage -- Confirm that the operation applied to
an object is appropriate according to the object's type.
Examples: an attempt to delete a disk drive; executing a data file.
- The difference between a ``mechanism'' and a ``policy.''
The basic questions:
- Where do the permissions reside -- with user or object?
- The basic permissions: own, transfer, read, write, and execute.
- Ease of adding a permission, removing a permission, removing all
permissions.
- Complexity of managing permissions.
- Question: Can the user ever access the permissions directly?
- Idea: Associate permissions with the user.
- Think of the directory as a user-oriented list of what objects the user can
access and how.
- Now, the permissions reside with the object.
- Associated with each object is a list of users permitted to access it and
how.
- Additionally, a default access may be specified. Implemented via a
``wildcard'' mechanism.
Big improvement.
- Capabilities are typically associated with the user.
A set of ``keys'' carried by the user.
- They might be derived from access control lists.
Think of them as a cached form of the access control list, with a defined
lifetime. For example, for this session.
This is the formalization of the notion of only allowing appropriate
actions to be applied to an object.
The standard mechanism supplied by DOS and Windows.
- The mechanism we love and hate; provided by Unix and Linux.
- Three basic permissions: read, write, and execute.
- Three classes of user: owner, group, and world.
- The group class was added to allow sharing. For example, a project team.
Issues with the group class:
- How many groups can a user belong to at one time? HP-UX allowed only
one at a time. A shell command allowed a user to change groups.
If a user can only belong to one group total, a user would need
multiple accounts if working on multiple projects.
- If a file is created, what group is assigned to it? (The user's primary
group.)
- Root has to assign groups. Users can't create them on their own.
- How well does the group class work with project groups.
(Or, why does Tom assign group accounts?)
- Idea: assign a password in order to grant a set of permissions.
- Problems:
- Loss of the password by the owner.
- Password theft. Assignment of new password and distribution to
all legitimate users.
- Revocation. See password theft!!!
- Allows a user to temporarily take on the permissions and power of another
user or group.
- Provides controlled access to objects.
- Examples of SGID executables: write (tty), lockfile (mail; semaphore
utility for sequencing access to mail spool).
- Examples of SUID executables: su, passwd.
- NSA development project to implement Mandatory Access Control (MAC).
Originally implemented in FLASK OS. Later integrated into the Linux
kernel.
Owners are denied full control over objects they create. Instead, the
system's security policy the access rights granted.
- Standard Linux uses Discretionary Access Control. Access control is at the
discretion of the owner. If root wants to leave a world-readable copy of
/etc/shadow
in /tmp
, it can.
- MAC can prevent a privileged process from writing to a file that a
non-privileged process could read.
- Some examples of the fine-grained control allowed:
- A process can be allowed to append data to a log file, but neither
truncate the file nor re-write entries.
- A process can be allowed to create and write files, but not delete
them.
- Network programs can be granted access to bind to the ports they
need, and no others.
These permissions can be on a per-process basis.
- Consider
/etc/shadow
. Ordinarily, any root process can access it.
Under SELinux, access can be greatly restricted, blocking a hacker who has
obtained root.
- Processes run within domains; certain resources are only available from
specific domains; allowable transitions between domains can be specified.
Example: xscreensaver
has access to /etc/shadow
via
chkpwd
program. Each is in its own domain, with the appropriate
transition enabled. The privileges given to daemons are often carefully
specified.
Thomas P. Kelliher
2011-10-16
Tom Kelliher