Access Control, Rootly Powers & Controlling Processes

Prepared by Prof. Bhushan Pawar, www.bhushanpawar.com

Unit 5: Access Control, Rootly Powers & Controlling Processes

TRADITIONAL UNIX ACCESS CONTROL

• System’s design:

– Objects (e.g., files and processes) have owners. Owners have broad (but not necessarily unrestricted) control over their objects.

– You own new objects that you create.

– The special user account called “root” can act as the owner of any object.

– Only root can perform certain sensitive administrative operations.

File system access control

• In the traditional model, every file has both an owner and a group, sometimes referred to as the “group owner.”

• The owner can set the permissions of the file.

• In particular, the owner can set them so restrictively that no one else can access it.

• Groups are traditionally defined in the /etc/group file, but these days group information is more commonly stored on an NIS or LDAP server on the network.

Continue…

• The owner of a file gets to specify what the group owners can do with it. This scheme allows files to be shared among members of the same project.

• The ownerships of a file can be determined with ls -l filename.

Process ownership

• The owner of a process can send the process signals and can also reduce the process’s scheduling priority.

– The root account

– Setuid and Setgid execution

The root account

• The root account is UNIX’s omnipotent (i.e., having unlimited power) administrative user. It’s also known as the superuser account, although the actual username is “root”.

• The characteristic of the root account is its UID of 0, and we can’t modify its UID.

• Traditional UNIX allows the superuser (that is, any process whose effective UID is 0) to perform any valid operation on any file or process.

Continue…

• Examples of restricted operations are:

– Changing the root directory of a process with chroot

– Creating device files

– Setting the system clock

– Raising resource usage limits and process priorities

– Setting the system’s hostname

– Configuring network interfaces

– Opening privileged network ports (those numbered below 1,024)

Setuid and Setgid execution

• This mechanism lets developers and administrators set up structured ways for unprivileged users to perform privileged operations.

• When the kernel runs an executable file that has its “setuid” or “setgid” permission bits set, it changes the effective UID or GID of the resulting process to the UID or GID of the file containing the program image rather than the UID and GID of the user that ran the command.
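
Because the file's owner and group decide which identity a set-ID program runs with, administrators routinely inventory such files. The following is an added example, not part of the original slides: it walks a directory tree and reports each setuid or setgid regular file with its owning UID and GID. The function names and the temporary sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def find_setid_files(root):
    """Return sorted (path, kind, uid, gid) tuples for set-ID regular files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the link itself, never its target
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            kinds = []
            if st.st_mode & stat.S_ISUID:
                kinds.append("setuid")  # process gets the file owner's UID
            if st.st_mode & stat.S_ISGID:
                kinds.append("setgid")  # process gets the file group's GID
            if kinds:
                findings.append((path, "+".join(kinds), st.st_uid, st.st_gid))
    return sorted(findings)

def make_sample_tree():
    """Constructed sample: one plain file and one setuid file in a temp directory."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    plain = os.path.join(root, "plain")
    marked = os.path.join(root, "marked")
    for p in (plain, marked):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(plain, 0o755)
    os.chmod(marked, 0o4755)  # 04000 is the setuid bit
    return root, marked

if __name__ == "__main__":
    root, _ = make_sample_tree()
    for path, kind, uid, gid in find_setid_files(root):
        print(f"{kind:13} uid={uid} gid={gid} {path}")
```

A setuid file whose reported uid is 0 runs with root's effective UID no matter who starts it, so those entries deserve the closest review.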

MODERN ACCESS CONTROL

• From a security perspective, the root account represents a potential single point of failure. If it’s compromised, the integrity of the whole system is violated. There is no limit to the damage an attacker can inflict.

• The only way to subdivide the special privileges of the root account is by writing setuid programs. Unfortunately, as the Internet’s steady stream of security updates demonstrates, it’s difficult to write truly secure software.

Continue…

• The security model isn’t strong enough for use on a network. No computer to which an unprivileged user has physical access can be trusted to accurately represent the ownerships of the processes it’s running.

• Many high-security environments enforce conventions that simply can’t be implemented with traditional UNIX security.

Role-based access control

• Role-based access control, sometimes known as RBAC, is a theoretical model formalized in 1992 by David Ferraiolo and Rick Kuhn.

• The basic idea is to add a layer of indirection to access control calculations. Instead of permissions being assigned directly to users, they are assigned to intermediate constructs known as “roles,” and roles in turn are assigned to users.

• To make an access control decision, the access control library enumerates the roles of the current user and checks to see if any of those roles have the appropriate permissions.
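
The decision procedure described above, written out as an added example that is not part of the original slides. The role names, user names and table layout are hypothetical; the permission names are borrowed from the list of restricted operations earlier in the deck.

```python
# Constructed tables for illustration; role and user names are hypothetical.
# Permissions are taken from the restricted operations listed earlier.
ROLE_PERMISSIONS = {
    "time-admin": {"set_system_clock"},
    "net-admin": {"configure_network_interfaces", "set_hostname"},
    "operator": {"raise_process_priority"},
}
USER_ROLES = {
    "alice": {"time-admin", "net-admin"},
    "bob": {"operator", "net-admin"},
}

def granting_roles(user, permission, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Enumerate the user's roles; return the ones that carry the permission."""
    return sorted(
        role
        for role in user_roles.get(user, ())       # unknown user: no roles
        if permission in role_perms.get(role, ())  # unknown role: no permissions
    )

def is_allowed(user, permission, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Access is granted only if at least one role grants it (default deny)."""
    return bool(granting_roles(user, permission, user_roles, role_perms))

def without_permission(role_perms, role, permission):
    """Return a copy of the role table with one permission removed from one role."""
    updated = {name: set(perms) for name, perms in role_perms.items()}
    updated.get(role, set()).discard(permission)
    return updated

if __name__ == "__main__":
    print(granting_roles("alice", "set_hostname"))
    trimmed = without_permission(ROLE_PERMISSIONS, "net-admin", "set_hostname")
    # One change to the role affects every user who holds it.
    print(is_allowed("alice", "set_hostname", role_perms=trimmed))
    print(is_allowed("bob", "set_hostname", role_perms=trimmed))
```

Returning the granting roles, not just a yes or no, gives an audit trail for each decision, and the last two calls show the benefit of the indirection: editing one role changes the answer for every user who holds it.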

PAM: Pluggable Authentication Modules

• PAM is an authentication technology rather than an access control technology. That is, rather than addressing the question “Does user X have permission to perform operation Y?”, it helps answer the precursor question “How do I know this is really user X?”

Continue…

• In the past, user passwords were checked against the /etc/shadow file at login time so that an appropriate UID could be set for the user’s shell or window system.

• In the modern world of networks, cryptography, and biometric identification devices, a more flexible and open system is required.

Continue…

• PAM is a wrapper for a variety of method-specific authentication libraries. Administrators specify the authentication methods they want the system to use, along with the appropriate contexts for each one. Programs that want to authenticate a user simply call the PAM system rather than implementing their own forms of authentication.

Kerberos: third-party cryptographic authentication

• Kerberos deals with authentication rather than access control. But whereas PAM is an authentication framework, Kerberos is a specific authentication method.

• They’re generally used together, PAM being the wrapper and Kerberos the actual implementation.

Continue…

• Kerberos uses a trusted third party (a server) to perform authentication for an entire network. Rather than authenticating yourself to the machine you are using

REAL-WORLD ACCESS CONTROL

• Most sites still use the traditional root account for system administration.

• Add-on tools such as sudo go a long way toward bridging the gap between simplicity and security.

Choosing a root password

• The most important characteristic of a good password is length. The root password should be at least eight characters long.

• Systems that use DES passwords with the help of MD5 or Blowfish encryption for passwords

Logging in to the root account

• We can log in directly to the root account and work on the system. However, this turns out to be a bad idea.

• The disadvantage is that the log-in-as-root scenario leaves no record of who was really doing the work.

• If several people have access to the root account, you won’t be able to tell who used it and when.

su: substitute user identity

• A way to access the root account is to use the su command.

• If invoked without arguments, su prompts for the root password and then starts up a root shell.

• Root privileges remain in effect until you terminate the shell by typing <Control-D> or the exit command.

Continue…

• The su command can also substitute identities other than root.

• If you know someone’s password, you can access that person’s account directly by executing su - username. The exact implications of login mode vary by shell, but it normally changes the number or identity of the startup files that the shell reads.

Continue…

• sudo takes as its argument a command line to be executed as root.

• sudo consults the file /etc/sudoers, which lists the people who are authorized to use sudo and the commands they are allowed to run on each host.

• sudo’s command logging can be subverted by tricks such as shell escapes from within an allowed program or by sudo sh and sudo su if you allow them.
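
A reviewer can spot the sudo sh and sudo su cases in the log itself, because the one entry that sudo does write names the shell as the command. The following is an added example, not part of the original slides: it parses sudo's syslog-style entries and returns those that start a shell or su, after which nothing further is recorded per command. The log lines, host name and user names are constructed, and the list of shell names is an assumption to adapt per site.

```python
import os
import re

# Basenames that hand the caller an interactive root shell; once it starts,
# sudo logs nothing further. This list is an assumption to adapt per site.
SHELL_LIKE = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh", "su"}

# Matches the fields sudo writes to syslog: invoking user, run-as user, command.
LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<command>.+)$"
)

# Constructed sample log lines (hypothetical host and users).
SAMPLE_LOG = """\
Mar  3 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Mar  3 10:17:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Mar  3 10:21:09 web01 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -
Mar  3 10:30:55 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root/sh
"""

def unlogged_shell_sessions(log_text):
    """Return (user, runas, command) for sudo entries whose program is a shell or su."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a sudo command entry
        # Judge only the program being run, not its arguments, so that
        # "/bin/ls /root/sh" is not mistaken for a shell.
        program = m.group("command").split()[0]
        if os.path.basename(program) in SHELL_LIKE:
            hits.append((m.group("user"), m.group("runas"), m.group("command")))
    return hits

if __name__ == "__main__":
    for user, runas, command in unlogged_shell_sessions(SAMPLE_LOG):
        print(f"{user} started an unlogged session as {runas}: {command}")
```

Shell escapes from inside an allowed program leave no such entry at all, so this check covers only the second half of the bullet above.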

PSEUDO-USERS OTHER THAN ROOT

• Root is generally the only user that has special status in the eyes of the kernel, but several other pseudo-users are defined by the system.

• You can identify these accounts by their low UIDs, usually less than 100.

• UIDs under 10 are system accounts, and UIDs between 10 and 100 are pseudo-users associated with specific pieces of software.
