privilege separation in unix (week 4) Flashcards
what are some separation schemes
- type of data (friend lists vs passwords)
- by user (my email vs. your email)
- by bugginess (image resizing vs everything else)
- by exposure to direct attacks (request parsing vs everything else)
unix
1st OS that wanted to support multiple users
goal: time sharing
remote access
time-sharing
thread model for unix
unix is a multi-user OS (ancestor to MacOS, Linux, BSD)
adversary: other users!
policy: other users shouldn’t access my files, mess with my applications when they are running
UNIX doesn’t reason in terms of users but rather processes
processes in UNIX
most basic UNIX tool for keeping programs/data separate
process’s user ID controls many of its privileges
process also has a set of groups GIDs used in file permissions
isolation between processes
processes with same UID can send signal, wait for exit, get status, debug, (ptrace) each other
debugging, sending signals: must have same UID
waiting / getting status: must be parent of that process
isolation between process memory
a process cannot directly access memory in another process
exeptions: debug mechanisms (ptrace), memory mapped files, shared memory
how is a process’s uid and gid set
superuser (UID 0) can call setuid(uid) and setgid(gid)
non-superuser processes can’t change their UID
UID inherited during fork(), exec()
least privilege principle
a component should only have access to what it needs and only for as long as it needs it
how does unix exercise the least privilege principle during login?
- check password in /etc/shadow (needs root privilege for this)
- find user’s UID in /etc/passwd (doesn’t need root privilege)
- find user’s GID in /etc/group (doesn’t need root privilege)
- downgrades UID and GID to user’s and spawns shell (calls fork() and exec())
how is isolation maintained whenever there’s a system call
there are checks in the kernel that make sure that you have the correct permissions
all system calls come with permission checks to make sure that you’re allowed to open that file or that you’re allowed to spawn that thing or wait…etc
central questions for privilege separation in unix for files and diretories:
- how does unix handle isolating files so that users cannot see each others’ files when not shared
- allow sharing when users do want to share?
operations for files
read, write, execute, change permissions
operations for directories
lookup, create, remove, rename, change permissions
inode: index node
data structure that describes a file system object: file or directory
metadata: size owner UID and GID times link and block counts permissions
points to data!: a bunch of pointers to file blocks
inode permissions
3 principals: owner, group, others
each inode has read, write, execute perms for each principal
rwx-rwx-r-x
first three are permissions for owner
second three are perms for group
third three are perms for others