O.S security Ge Zhang Karlstad University. Outline Why O.S. security is important? Security schemes in Unix/Linux system Security schemes in windows system.


1 O.S security Ge Zhang Karlstad University

2 Outline
Why O.S. security is important?
Security schemes in Unix/Linux system
Security schemes in windows system

3 Why O.S. security is important?
Application security can be bypassed from a lower layer
Hardware layer is too narrow and inflexible
Application layer is too broad
Hardware: memory, CPU, HD, etc.
Operating system: Linux SUSE
Applications: MySQL, Apache, OpenOffice, Firefox, etc.

4 Security schemes in Unix/Linux
Account security
–User authentication
File system security
–File access control
Management issues
–Audit log
–Environment variables
–Manage the superuser

5 Account security (1)
User Accounts (/etc/passwd)
–User name: a string up to 8 characters
–User identities (UIDs) and group identities (GIDs) [Superuser (Root, UID=0)]
–Unix does not distinguish between users with the same UID!!!!
–Home directory
–Shell

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
jim:x:500:100:Jim Smith:/home/jim:/bin/bash

6 Account security (2)
Shadow file (/etc/shadow) (only readable to the users with root privilege)
–User name
–Password (algorithm, salt, hashed password)
    *: login is disabled
    Empty: no password is required
–Last password change
–Minimum: the number of days left before the user is allowed to change his/her password
–Maximum: the maximum number of days the password is valid (after that user is forced to change his/her password)

root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7:::
bin:*:10933:0:99999:7:::
jim::10933:0:99999:7:::

7 Account security (3)

root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7:::
bin:*:10933:0:99999:7:::
jim::10933:0:99999:7:::

[Diagram: salt + Password (plaintext) -> One-way function -> Password (encrypted)]
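
Added example (not part of the original slides): a small audit over the passwd and shadow entries shown above. It reads the algorithm and salt out of the password field and reports accounts that share UID 0, need no password, or still use the `$1$` (MD5-crypt) scheme. The `toor` account and its hash are constructed for illustration, and the function names are this example's own.

```python
# Constructed sample data: the passwd and shadow lines from the slides,
# plus one hypothetical extra account ("toor") that reuses UID 0.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
jim:x:500:100:Jim Smith:/home/jim:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
"""
SHADOW = """\
root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7:::
bin:*:10933:0:99999:7:::
jim::10933:0:99999:7:::
toor:$6$c29uc3RydWN0ZWQ$notARealHash:14523:0:99999:7:::
"""
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}


def password_state(field):
    """Classify the second field of an /etc/shadow entry."""
    if field == "":
        return "no password required"
    if field.startswith(("*", "!")):   # "!" is the usual marker for a locked account
        return "login disabled"
    parts = field.split("$")           # "$id$salt$hash" -> ["", id, salt, hash]
    if len(parts) >= 4 and parts[0] == "":
        return "%s, salt=%s" % (SCHEMES.get(parts[1], "scheme " + parts[1]), parts[2])
    return "legacy or unknown format"


def audit(passwd_text, shadow_text):
    """Return (account, finding) pairs worth an administrator's attention."""
    findings = []
    for line in passwd_text.splitlines():
        name, _, uid = line.split(":")[:3]
        if uid == "0" and name != "root":
            findings.append((name, "UID 0: indistinguishable from root"))
    for line in shadow_text.splitlines():
        name, field = line.split(":")[:2]
        state = password_state(field)
        if state == "no password required" or state.startswith("MD5"):
            findings.append((name, state))
    return findings


if __name__ == "__main__":
    for name, finding in audit(PASSWD, SHADOW):
        print(name, "->", finding)
```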

8 Account security (4)
Groups
–Users belong to one or more groups
–To share files or other resources with a small number of users
–Ease of user management (give privilege)
Group file (/etc/group)
–Group name
–Password
–Group ID (GID)
–Group list: members

student:x:24:alice,bob,raj
teacher:x:12:raj,nick

9 File system (1)
The inode: each file entry in a directory is a pointer to a data structure
–mode: types of file and access rights
–uid: who is the owner
–gid: group which owns the file
–atime: access time
–mtime: modification time
–itime: inode alteration time
–block count: size of file
–physical location

10 File system (2)
The type of the file: ‘-’ for regular file, ‘d’ for directory
File permissions
Link counter
Name of the owner and the group

-rw-r--r-- 1 nick staff 1617 Oct 28 11:01 test.txt
drwx------ 2 nick staff 512 Oct 25 17:55 tmp/

11 File system (3)
Owner (r, w, x), group (r, w, x), other (r, w, x)
Two ways to represent
–String: rwxr--r--
–Octal number: 744
Default permissions: 666 or 777
(umask): a three-digit number specifying the rights that should be withheld
–Default permissions AND NOT umask
For example: umask 777 (denies all)

12 File system (4)
Permission for directories
–Read: find which files are in the directory (e.g., ls)
–Write: add files or remove files
–Execute: enter the directory and open files inside the directory (even for your own files)

13 File system (5)
“a real pain if you try and install a permanent file in someone’s directory.”
Sticky bit: restrict the right to delete a file. Only the file's owner, the directory's owner, or the root can rename or delete files.

drwxrwxrwx 4 root sys 485 Nov 10 06:01 /tmp
drwxrwxrwt 4 root sys 485 Nov 10 06:01 /tmp

14 File system (6)
Unix requires higher privilege temporarily to execute some operations
–Change password
–Open a port (0-123)
SUID (set userID), SGID (set groupID)
A user who is executing this program will get the privilege of the owner temporarily

-rws--x--x 3 root root 16384 Nov 16 1996 passwd*

15 Processes
Each process has a process ID (PID)
Two pairs of UID/GID for each process
–A real UID/GID
–An effective UID/GID
The login process

process      Real UID  Effective UID  Real GID  Effective GID
/bin/login   root      root           system    system
/bin/login   nick      nick           staff     staff
/bin/bash    nick      nick           staff     staff
/bin/ls      nick      nick           staff     staff
/bin/passwd  nick      root           staff     root

16 File system (7)
To change the attributes
chmod
–who: u, g, o, a
–Permission: r, w, x, s, t
–chmod 777 file
–chmod o+r file
chown
chgrp

17 File system (8)
How to set? Need a fourth number
–4??? set user ID on execution
–2??? set group ID on execution
–1??? set sticky bit
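
Added example (not part of the original slides): the umask rule and the four-digit modes from the file system slides, worked through in Python. It renders modes the way `ls -l` prints them and flags set-UID/set-GID files and world-writable directories that lack the sticky bit. The entry list is constructed, `/srv/upload` is a hypothetical path, and the function names are this example's own.

```python
import stat


def created_mode(default, umask):
    """Default permissions AND NOT umask, as on the umask slide."""
    return default & ~umask & 0o777


def ls_string(mode, is_dir=False):
    """Render an octal mode (including the fourth digit) as ls -l shows it."""
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(kind | mode)


def risky(entries):
    """Flag SUID/SGID files and world-writable directories without sticky bit."""
    out = []
    for path, mode, is_dir in entries:
        if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
            out.append((path, ls_string(mode), "runs with owner/group privilege"))
        if is_dir and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            out.append((path, ls_string(mode, True), "world-writable, no sticky bit"))
    return out


# Constructed inventory: (path, octal mode, is_directory)
ENTRIES = [
    ("/usr/bin/passwd", 0o4711, False),      # 4??? set user ID on execution
    ("/tmp", 0o1777, True),                  # 1??? sticky bit set
    ("/srv/upload", 0o777, True),            # hypothetical shared directory
    ("/home/nick/test.txt", 0o644, False),
]

if __name__ == "__main__":
    print(oct(created_mode(0o666, 0o022)), ls_string(created_mode(0o666, 0o022)))
    print(oct(created_mode(0o777, 0o777)))   # umask 777 denies all
    for finding in risky(ENTRIES):
        print(*finding)
```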

18 File system (9)
How to remove a file in a secure way?
Links
You removed the original file from its directory, but…
ncheck: list all links to a file
Furthermore, the file is not really deleted!
–Use wipe
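
Added example (not part of the original slides): why removing a file from its directory is not enough when other links exist. The code creates a file in a temporary directory, adds a hard link, finds every name that points at the same inode (the job the slide assigns to ncheck), removes the original name and shows the content is still readable. File names and content are constructed, and the function names are this example's own.

```python
import os
import tempfile


def names_for(path, root):
    """Every pathname under root that refers to the same inode as path."""
    target = os.stat(path)
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            candidate = os.path.join(dirpath, name)
            st = os.lstat(candidate)
            if (st.st_dev, st.st_ino) == (target.st_dev, target.st_ino):
                found.append(candidate)
    return sorted(found)


def demo():
    """Return (links before, names found, links after removal, surviving data)."""
    with tempfile.TemporaryDirectory() as root:
        original = os.path.join(root, "report.txt")
        os.mkdir(os.path.join(root, "elsewhere"))
        alias = os.path.join(root, "elsewhere", "copy.txt")
        with open(original, "w") as f:
            f.write("constructed secret\n")
        os.link(original, alias)                 # second directory entry, same inode
        before = os.stat(original).st_nlink      # link counter from the inode
        names = [os.path.relpath(p, root) for p in names_for(original, root)]
        os.remove(original)                      # removes one name only
        after = os.stat(alias).st_nlink
        with open(alias) as f:
            survived = f.read()
        return before, names, after, survived


if __name__ == "__main__":
    print(demo())
```

The data stays reachable until the link counter drops to zero, so every name has to be found before the file can be considered removed.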

19 File system (9)
Protection of devices
Unix treats devices like files
Devices commonly found in /dev are:
–/dev/console
–/dev/mem
–/dev/kmem
Devices should be world-unreadable and world-unwritable

20 Changing the root of the filesystem
Sandbox: access to objects outside the sandbox is prevented
chroot
Changes the root directory from / to when executes
For example, a web server

21 Search path
Shell: a command line interpreter
For ease of use: the user enters a command without specifying the full pathname
Search path in the .profile

PATH=.:$HOME/bin:/usr:/bin:/usr/bin:/usr/local:/usr/new:/usr/hosts

22 Audit logs
/usr/adm/lastlog: records the last time a user has logged in
/usr/adm/utmp: records a list of users who are currently logged into a computer
/var/adm/wtmp: records every time a user logs in or logs out
/var/adm/acct: records all executed commands
Others: ps…

23 Manage the superuser
Superuser is the major weakness
Compromise the account
–Weak password
–Change UID to 0
–Crash the process with root privilege
Presentation
–Admin should not use root as their personal account (using SU, SUDO)
–Strong password protection

24 Windows security
Separation between user mode (ring 3) and kernel mode (ring 0)
User programs make API calls to invoke operating system services
Device drivers are running in kernel mode
Security subsystem
–Log-on process (winlogon): the authentication process (winlogon.exe)
–Local Security Authority (LSA): verification and auditing (lsass.exe)
–Security Account Manager (SAM): user account database

25 Domains
Domains: to facilitate single sign-on and centralized security administration
A domain is a collection of machines sharing a common user accounts database and security policy
DC: domain controller

26 User authentication: interactive logon
Secure attention sequence CTRL+ALT+DEL
Winlogon.exe
Lsass.exe: verification
Start a shell (explorer.exe)

27 Local Security settings

28 Event viewer

29 Key points (1)
The mechanism of user authentication in Unix.
Where are the user’s account and password stored?
Root account
What is salt? How to use it and why is it important?
What is the “group” in Unix? Why use it?
/etc/passwd, /etc/shadow, /etc/group
What are the real UID/GID and the effective UID/GID?
What is an inode?
The permissions to access a file or a directory
umask
Sticky bit, SUID, SGID

30 Key points (2)
chmod
How to delete a file in a secure way?
Protection of devices
Search path
Audit logs in windows and unix
Security subsystem in windows
Why users should press CTRL+ALT+DEL to get a logon window in windows?

