privilege separation in unix (week 4) Flashcards

1
Q

what are some separation schemes

A
  • type of data (friend lists vs passwords)
  • by user (my email vs. your email)
  • by bugginess (image resizing vs everything else)
  • by exposure to direct attacks (request parsing vs everything else)

2
Q

unix

A

first OS designed to support multiple users
goals: time sharing, remote access

3
Q

threat model for unix

A

unix is a multi-user OS (ancestor of macOS, Linux, BSD)
adversary: other users!
policy: other users shouldn’t be able to access my files or interfere with my applications while they are running
UNIX doesn’t reason in terms of users but rather processes

4
Q

processes in UNIX

A

most basic UNIX tool for keeping programs/data separate

process’s user ID controls many of its privileges

a process also has a set of group IDs (GIDs) used in file permission checks

5
Q

isolation between processes

A

processes with the same UID can send signals to, wait for the exit of, get the status of, and debug (ptrace) each other

debugging, sending signals: must have same UID

waiting / getting status: must be parent of that process

6
Q

isolation between process memory

A

a process cannot directly access memory in another process

exceptions: debug mechanisms (ptrace), memory-mapped files, shared memory

7
Q

how is a process’s uid and gid set

A

superuser (UID 0) can call setuid(uid) and setgid(gid)

non-superuser processes can’t change their UID

UID is inherited across fork() and exec()

8
Q

least privilege principle

A

a component should only have access to what it needs and only for as long as it needs it

9
Q

how does unix exercise the least privilege principle during login?

A
  1. check password in /etc/shadow (needs root privilege for this)
  2. find user’s UID in /etc/passwd (doesn’t need root privilege)
  3. find user’s GID in /etc/group (doesn’t need root privilege)
  4. downgrade UID and GID to the user’s and spawn the shell (calls fork() and exec())

10
Q

how is isolation maintained whenever there’s a system call

A

there are checks in the kernel that make sure the calling process has the required permissions
every system call comes with permission checks: that you’re allowed to open that file, spawn that process, wait on it, etc.

11
Q

central questions for privilege separation in unix for files and directories:

A
  1. how does unix isolate files so that users cannot see each other’s files when they are not shared?
  2. how does it allow sharing when users do want to share?

12
Q

operations for files

A

read, write, execute, change permissions

13
Q

operations for directories

A

lookup, create, remove, rename, change permissions

14
Q

inode: index node

A

data structure that describes a file system object: file or directory

metadata:
size
owner UID and GID
times
link and block counts
permissions

points to data: a set of pointers to the file’s data blocks

15
Q

inode permissions

A

3 principals: owner, group, others

each inode has read, write, execute perms for each principal

rwx rwx r-x
first triple: permissions for owner
second triple: permissions for group
third triple: permissions for others

16
Q

octal representation

A

think of each rwx triple as three bits
111 = 7
101 = 5
100 = 4

17
Q

What if a directory has execute access but not read?

A

can access files but not list them

18
Q

what do you need to execute this:

open("/etc/passwd")

A

process must be able to look up "etc" in "/" and "passwd" in "/etc" (x permission on each directory)
must be able to open "/etc/passwd" itself (r or w permission on the file)

19
Q

why is unix RWX not very flexible?

A

cannot have two owners
cannot have permissions for specific users
cannot express complex policies easily

20
Q

how would you set up a file "hello.txt" that can only be accessed with uid="ubuntu" and gid="penn"?

A

???

21
Q

who can change file permissions

A

only its owner (UID)

22
Q

how to change file permissions?

A

chmod changes permissions
chown changes owner uid and optionally group gid
chgrp changes group (gid)

23
Q

unix takeaways

A

unix allows one to control which users can access a specific file
hard to control the set of files that a specific process can access

24
Q

setuid/setgid

A

when a process runs, it inherits the privileges of its parent

how can we run programs that raise their privilege level?
sudo, su, ping, mount, passwd, chsh

setuid/setgid binaries execute with the privileges of the file’s owner or group