Week 4 Flashcards
Say there is an apache server where it spins off processes for each new user to access a given website, and that process has access to the full database of the site along with the disk.
Is this a safe design? Why or why not.
This is problematic because if an adversary finds and exploits a bug, the attacker gets access to the entire address space of the apache process and it inherits all the permissions of that process, so ability to see databases and disks.
Instead, we design sites/systems like government, with separation of powers.
What does separation of powers mean in systems?
It means breaking up the different components of the site so that not all of them can be comprimised.
Maybe it should be the case that the login function should only have access to passwords and nothing else. This limits the kinds of resources that people can access. Maybe video segments of the site should only have access to video databases.
What is Access Control?
This is when we implement technical mechanisms to prevent one entity from accessing resources that they don’t have permission to access.
What is the goal of privilege separation?
To separate functionality from data.
You can separate types of data, you can separate data based on types of uses, you can separate programs based on which parts of a program are more likely to be buggy so that the buggy program doesn’t jeopardize the rest of the program and its data.
You can also separate based on what parts of the program are most likely to experience an attack.
What is Unix?
The predecessor of linux. The first OS to support multiple users.
The goal was time sharing. It was designed with the idea of closed communication between programs. Programs should be able to talk to each other and pass inputs to and from each other.
What is the threat model for a system where programs can talk to each other?
The adversary here is other users.
We share the machine with others, so we need to make sure their programs are not buggty or malicious and cause problems for other things.
We need to make sure that other users can’t mess with your files, so there must be integrity and confidentiality in the data. Also, no one else should be able to crash your program when it’s running.
How does Unix reason?
It reasons in terms of Processes, NOT users.
In Unix, what are the following things?
- Principal
- Subjects
- Resources
- Principal: the user which is represented by UID.
- Subjects: the processes.
- Resources: whatever is on the machine.
How does Unix separatye/isolate processes?
It checks the UID. This controls most of the privileges that a process has. Superuser 0 (or root) will bypass most of the permission checks that Unix will perform.
A process is also associated with a group or groups, and has a GID/GIDs.
When can processes in Unix talk to each other?
If they have the same UID they can signal, wait for, exit, get the status of, debug, and ptrace each other.
The child of a parent inherits the UID. It will have its own process ID though. It can change the UID if it has permission to do so.
What is one element of access that having the same a UID may not allow?
Memory access. Even if two processes have the same UID, they can’t access each other’s memory usually. This is allowed in some cases like in debugging and memory mapping, but it’s usually not possible.
How are a process’ UID and GID set?
When a process is born under the user ID 0, the superuser can lwoer its privilege using setuid(uid) and setgid(gid).
Remember that a process can have more than one GID.
Non-superuser processes cannot change their UIDs.
When you fork or exec, you inherit the userID of your parent.
What is the Least Privilege Principle?
It states that a component should only have access to what it needs and only for as long as it needs it.
Think of a login process that needs access to all usernames and passwords to validate a login. Once login is done, it should give up its privilege.
What happens at a login in Unix?
- The app is run by superuser since it needs login to be able to check our password against a file that only superuser has access to.
- Superuser opens etc/shadow file that can only be opened by superuser. It contains all passwords of users. It only shows the hashes.
- The pogram then needs to find the user’s UID in etc/passwd.
- It then needs to find the user’s GID in etc/group. This shows which groups the user belongs to.
- Once login has checked the password, it no longer needs root access for using etc/passwd and etc/group, but it needs root access to call setuid and setgid.
- Then it downgrades from root to your particular UID and GID.
- It then forks, and then exec. This spawns a shell with the with the user’s privileges, not root.
What are the 4 things you can do with Files?
- Read
- Write
- Execute
- Change permissions
What are the 5 things you can do with Directories?
- Lookup
- Create
- Remove
- Rename
- Change permissions
Who checks permissions when someone is trying to do something?
The OS.
How are permissions encoded?
In a datastructure called an inode (index node).
What information do inodes hold?
What are the principles in an inode?
- Owner
- Group
- Everyone else
What is the format for permissions on a file?
How do we interpret the permissions listed in an inode?
First three characters: represent the permissions of the owner. rwx means read, write, execute.
Second three characters: represent the permissions of the group. This one is again read, write, execute.
Last three characters: represent the permissions for anyone else. r-x means read and execute, no write access.
How do we more easily represent permissions?
Using the Octal Representation. For example, an octal representation might be 754.
How do you find the Octal Representation of a given permission sequence?
Read Permission = 4 points
Write Permission = 2 points
Execute Permission = 1 point
Maximum you can have is 7. The three digits in Octal Representation represet:
Add up the total points for each party and concatenate the numbers for octal representation.
OWNER | GROUP | EVERYONE_ELSE |
What does it mean for a directory to have execute access?
It means you can look up specific files, but you cannot list contents of the directory.
What is read access in the context of a directory?
It means you can list the contents of a directory.
What happens if we have execute access for a directory but not read?
It means we can find the file but not read it.