1. Karlstad University Operating System security Ge Zhang ge.zhang@kau.se Karlstad University

2. Outline Operating system Basic access control schemes Examples: Unix/Linux

3. Karlstad University Operating systems Process management File access Memory management Security (authentication, authorization,…) Hardware: memory, CPU, HD, etc Operating system: windows, linux, unix User Applications: my sql, apache, calc, firefox, etc

4. Karlstad University Objects and Subjects Subject –Active entity in a computer system User, process Object –Passive entity or resource in a computer system Files, network devices, printers In defining access controls, you can either specify what a subject is allowed to do or what may be done with an object

5. Karlstad University Who can define the permissions Discretionary - the owner of the resource decides who is allowed to have access Mandatory - the system-wide policy decides who is allowed to have access

6. Karlstad University Permissions Permissions for files may include read write execute append delete change permission change ownership

7. Karlstad University Access Control Matrix Subjects: Alice, Bob Objects: bill.doc, edit.exe, fun.bat Operations: read (r),,write (w),execute (e) Not suitable for direct implementation –The matrix is likely to be extremely sparse and therefore implementation is inefficient –Management of the matrix is likely to be extremely difficult if there are 10,000 of files and 100 of users (resulting in 1,000,000 of matrix entries)

8. Karlstad University Capabilities Access rights are kept with the subjects i.e., – Alice’s capability: edit.exe: execute; fun.com: execute, read Problem –It is difficult to get an overview of who has permission to access a given object –It is difficult to revoke a capability

9. Karlstad University Access Control Lists Access rights can be kept with the objects (Access Control Lists). i.e. ACL for fun.com Alice: execute, read; Bill: execute, read, write A fitting concept for O.S. But… problem?

10. Karlstad University Image such a ACL ACL for exam11.txt Alice: read, write; Bill: read, write; Charlie: read, write; Dan: read, write; Eva: read, write; Frank: read, write; …. (another 200+ students)

11. Karlstad University Intermediate Controls: Groups Groups and Negative permissions ACL for exam11.txt Student_group: read, write;

12. Karlstad University Protection rings A simple intermediate layer of hardware based access control –2 bit field in status register (0-3) –Defines 4 privilege levels (protection rings) –Each subject (process) and each object is assigned a number It is mainly for integrity protection for operating system kernel

13. Karlstad University Now we take Unix/Linux system as an example

14. Karlstad University Security schemes in Unix/Linux Account security –User authentication File system security –File access control Management issues –Audit log –Environment variables –Manage the superuser

15. Karlstad University Account security (1) User Accounts (/etc/passwd) –User name: a string up to 8 characters –User identities (UIDs) and group identities (GIDs) [Superuser (Root, UID=0)] –Unix does not distinguish between users with the same UID!!!! –Home directory –Shell root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/bin/bash jim:x:500:100:Jim Smith:/home/jim:/bin/bash

16. Karlstad University Account security (2) Shadow file (/etc/shadow) (only accessable to the users with root privilege) –User name –Password (algorithm, salt, hashed password) *: login is disabled Empty: no password is required –Last password change –Minimum: the number of days left before the user is allowed to change his/her password –Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password) root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7::: bin:*:10933:0:99999:7::: jim::10933:0:99999:7:::

17. Karlstad University Account security (3) root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7::: bin:*:10933:0:99999:7::: jim::10933:0:99999:7::: One-way function saltPassword (plaintext) Password (encrypted)

18. Karlstad University Account security (4) Groups –Users belong to one or more groups –To share files or other resource with a small number of users –Ease of user management (give privilege) Group file (/etc/group) –Group name –Password –Group ID (GID) –Group list: members student:x:24:alice, bob, raj teacher:x:12:raj, nick

19. Karlstad University File system (1) The inode: each file entry in a directory is a pointer to a data structure –mode: types of file and access rights –uid: the owner’s id –gid: the owner’s group id –atime: last access time –mtime: last modification time –itime: last inode alteration time –block count: size of file –physical location

20. Karlstad University File system (2) The type of the file: ‘-’ for regular file, ‘d’ for directory File permissions Link counter Name of the owner and the group - rw-r--r-- 1 nick staff 1617 Oct 28 11:01 test.txt drwx------ 2 nick staff 512 Oct 25 17:55 tmp/

21. Karlstad University File system (3) Owner (r, w, x), group (r, w, x), other (r, w, x) Two ways to represent –String: rwxr--r-- –Octal number: 744 System default permissions: 666 or 777 (umask): a three-digit number specifying the rights that should be withheld –System default permissions AND NOT umask For example: umask 777 (denies all)

22. Karlstad University File system (4) Permission for directories –Read: find which files are in the directory (e.g., ls) –Write: add files, remove, or rename files in the directory –Execute: enter the directory and open files in the directory (even for your own files)

23. Karlstad University File system (5) “a real pain if you try and install a permanent file in someone’s directory.” Sticky bit: restrict the right to delete a file. Only the file's owner, the directory's owner, or the root can rename or delete files. drwxrwxrwx 4 root sys 485 Nov 10 06:01 /tmp drwxrwxrwt 4 root sys 485 Nov 10 06:01 /tmp

24. Karlstad University File system (6) Unix requires higher privilege temporarily to execute some operations –e.g., change password SUID (set userID), SGID (set groupID) A user who is executing this program will get the privilege of the owner temporarily -rws--x--x 3 root root 16384 Nov 16 1996 passwd*

25. Karlstad University Processes Each process has a process ID (PID) Two pairs of UID/GID for each process –A real UID/GID –An effective UID/GID The login process processReal UIDEffective UIDReal GIDEffective GID /bin/bashnick staff /bin/passwdnickrootstaffroot /bin/lsnick staff

26. Karlstad University File system (7) To change the attributes chmod –who: u, g, o, a –Permission: r, w, x, s, t –chmod 777 file –chmod o+r file

27. Karlstad University File system (8) How to set sticky bit, SUID, SGID? Need a fourth number –4??? set user ID on execution –2??? set group ID on execution –1??? set sticky bit

28. Karlstad University File system (9) How to remove a file in a secure way? Links You removed the original link to the file, but… ncheck: list all links to a file Furthermore, the file is not really deleted! –User wipe

29. Karlstad University Changing the root of the filesystem Sandbox: access to objects outside the sandbox is prevented chroot Changes the root directory from / to when executes For example, a web server

30. Karlstad University Search path Shell: a command line interpreter For easy-to-use: user input command without specifying the full pathname Searchpath in the.profile PATH=.:$HOME/bin:/usr:/bin:/usr/bin:/usr/local:/usr/ new:/usr/hosts

31. Karlstad University Manage the superuser Superuser is the major weakness Compromise the account –Weak password –Change UID to 0 –Crash the process with root privillege Presentation –Admin should not use root as their personal account (using SU, SUDO) –Strong password protection

32. Karlstad University Questions