Access Control (Lecture 8 p2) Flashcards

1
Q

What is the definition of computer security?

A

RFC 4949 defines computer security as
‘measures that implement and assure security services in a computer system, particularly those that assure access control service’

2
Q

Explain access control

A

Policy: Who + What + How = Yes/No

Person = Who
Mode of access = How
Object = What

3
Q

What are the goals of Access policies?

A

Check every access

Enforce least privilege

Verify acceptable usage

Track users’ access

Appropriate granularity

Use audit logging to track accesses

4
Q

What is Discretionary Access Control (DAC)?

A

Controls access based on the identity of the requestor and on access rules (authorisations) stating what requesters are (or are not) allowed to do

Scheme in which an entity may enable another entity to access some resource

Often provided using an access matrix (one dimension consists of identified subjects that may attempt data access to the resources and the other dimension lists the objects that may be accessed)

Each entry in the matrix indicates the access rights of a particular subject for a particular object

5
Q

What is Mandatory Access Control (MAC)?

A

Controls access based on comparing security labels with security clearances

6
Q

What is Role-based Access Control (RBAC)?

A

Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles

7
Q

What is Attribute-Based Access Control (ABAC)?

A

Controls access based on the attributes of the user, the resource to be accessed, and the current environmental conditions (where it’s being accessed from)

8
Q

Explain an Access Control Directory

A

There is a directory for each user. It lists files, access rights and a file pointer. The files sit independent of the user's directory, and the file pointer and access rights say what controls you have over it (ORW - owner read write, OX - owner execute)

9
Q

Explain an Access Control Matrix

A

Shows clearly what items you have and what users there are and shows what access each user has to each file

10
Q

Explain an Access Control List

A

There is a directory with the files and an access list pointer which points to the Access Lists. Each Access List is for a particular file and contains the users and what access rights they have. The file itself is separate again

11
Q

What is a subject?

A

An entity capable of accessing objects

There are 3 classes: Owner, Group, World

12
Q

What is an object?

A

A resource to which access is controlled. An entity used to contain and/or receive information

File, database

13
Q

What are access rights?

A

They describe the way in which a subject may access an object and could include:

  • Read
  • Write
  • Execute
  • Delete
  • Create
  • Search
14
Q

What are UNIX files?

A

UNIX files are administered using inodes (index nodes)

File attributes, permissions and control information are stored in the inode.

On the disk there is an inode table, or list, that contains the inodes of all the files in the file system

When a file is opened, its inode is brought into main memory and stored in a memory-resident inode table so it can be accessed quickly

Directories are structured in a hierarchical tree and may contain files or other directories

Each directory contains file names plus pointers to associated inodes

15
Q

Explain UNIX File Access Control

A

Unique user identification number (user ID)

Member of a primary group identified by a group ID

Belongs to a specific group

12 protection bits
  • Specifies read, write, and execute permissions for the owner of the file, members of the group and all other users

From there we get a minimum access control list

16
Q

Explain ‘Set user ID’ in UNIX File Access Control

A

(SetUID) - Special type of file permission in UNIX and other operating systems. Security tool that permits users to run certain programs with escalated privileges. When an executable file’s ‘Set user ID’ permission is set, users may execute that program with a level of access that matches the user that owns that file

The user is granted temporary access

17
Q

Explain ‘Set group ID’ in UNIX File Access Control

A

System temporarily uses rights of the file owner/group in addition to the real user’s rights when making access control decisions. It enables privileged programs to access files/resources not generally accessible

18
Q

What is a Sticky bit?

A

A sticky bit is a permission that is set on a file or directory that lets only the owner of that file or directory delete or rename the file

19
Q

What is a Superuser?

A

Complete unrestricted access - exempt from usual access control restrictions and has system wide access (root access)

They can also grant and remove any permissions for other users

20
Q

Explain UNIX Access Control Lists (ACLs)

A

Modern UNIX systems support ACLs (Linux, Solaris, OpenBSD, FreeBSD)

The setfacl command assigns a list of UNIX user IDs and groups
Any number of users and groups can be associated with a file

Read, write, execute protection bits
A file does not need to have an ACL

Includes an additional protection bit that indicates whether the file has an extended ACL

When a process requests access to a file system object, two steps are performed:
1. Selects the most appropriate ACL
2. Checks if the matching entry contains sufficient permissions