privilege separation in unix (week 4) Flashcards
what are some separation schemes
- type of data (friend lists vs passwords)
- by user (my email vs. your email)
- by bugginess (image resizing vs everything else)
- by exposure to direct attacks (request parsing vs everything else)
unix
1st OS that wanted to support multiple users
goal: time sharing
remote access
time-sharing
thread model for unix
unix is a multi-user OS (ancestor to MacOS, Linux, BSD)
adversary: other users!
policy: other users shouldn’t access my files, mess with my applications when they are running
UNIX doesn’t reason in terms of users but rather processes
processes in UNIX
most basic UNIX tool for keeping programs/data separate
process’s user ID controls many of its privileges
process also has a set of groups GIDs used in file permissions
isolation between processes
processes with same UID can send signal, wait for exit, get status, debug, (ptrace) each other
debugging, sending signals: must have same UID
waiting / getting status: must be parent of that process
isolation between process memory
a process cannot directly access memory in another process
exeptions: debug mechanisms (ptrace), memory mapped files, shared memory
how is a process’s uid and gid set
superuser (UID 0) can call setuid(uid) and setgid(gid)
non-superuser processes can’t change their UID
UID inherited during fork(), exec()
least privilege principle
a component should only have access to what it needs and only for as long as it needs it
how does unix exercise the least privilege principle during login?
- check password in /etc/shadow (needs root privilege for this)
- find user’s UID in /etc/passwd (doesn’t need root privilege)
- find user’s GID in /etc/group (doesn’t need root privilege)
- downgrades UID and GID to user’s and spawns shell (calls fork() and exec())
how is isolation maintained whenever there’s a system call
there are checks in the kernel that make sure that you have the correct permissions
all system calls come with permission checks to make sure that you’re allowed to open that file or that you’re allowed to spawn that thing or wait…etc
central questions for privilege separation in unix for files and diretories:
- how does unix handle isolating files so that users cannot see each others’ files when not shared
- allow sharing when users do want to share?
operations for files
read, write, execute, change permissions
operations for directories
lookup, create, remove, rename, change permissions
inode: index node
data structure that describes a file system object: file or directory
metadata: size owner UID and GID times link and block counts permissions
points to data!: a bunch of pointers to file blocks
inode permissions
3 principals: owner, group, others
each inode has read, write, execute perms for each principal
rwx-rwx-r-x
first three are permissions for owner
second three are perms for group
third three are perms for others
octal representation
think of each three rwx as bits
111 = 7
101 = 5
100 = 4
What if a directory has execute access but not read?
can access files but not list them
what do you need to execute this:
open(“/etc/passwd”)
process must be able to look up “etc” in “/”, “passwd” in “/etc” (x permission)
must be able to open “/etc/passwd” (r or w permission)
why is unix RWX not very flexible?
cannot have two owners
cannot have permissions for specific users
cannot express complex policies easily
how would you set up a file “hello.txt” that can only be accessed in uid=”ubuntu” and gid=”penn”?
???
who can change file permissions
only its owner (UID)
how to change file permissions?
chmod changes permissions
chown changes uid and optionally group gid
chgrp change group (gid)
unix takeaways
unix allows one to control which users can access a specific file
hard to control the set of files that a specific process can access
setuid/setgid
when a process runs, it inherits privileges of parent
how can we run programs that raise their privilege level?
sudo, su, ping, mount, passwd, chsh
setuid/gid binaries execute with privileges of file’s owner or group
