Access Control, Rootly Powers &
Controlling Processes
Prepared By
Prof. Bhushan Pawar
www.bhushanpawar.com
Prof.Bhushan Pawar www.bhushanpawar.com
TRADITIONAL UNIX ACCESS CONTROL
• System’s design:
– Objects (e.g., files and processes) have owners. Owners have broad (but not necessarily unrestricted) control over their objects.
– You own new objects that you create.
– The special user account called “root” can act as the owner of any object.
– Only root can perform certain sensitive administrative operations.
File system access control
• In the traditional model, every file has both an owner and a group, sometimes referred to as the “group owner.”
• The owner can set the permissions of the file.
• In particular, the owner can set them so restrictively that no one else can access it.
• Groups are traditionally defined in the /etc/group file, but these days group information is more commonly stored on an NIS or LDAP server on the network.
Continue…
• The owner of a file gets to specify what the group owners can do with it. This scheme allows files to be shared among members of the same project.
• The ownerships of a file can be determined with ls -l filename.
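The permission check that the owner/group/other bits drive, as an added example (this is not code from the original slides). The point it shows, which the slides only hint at with “so restrictively that no one else can access it”: the kernel chooses exactly one class for the caller (owner, else group, else other) and consults only that class’s bits, so an owner whose own bits are --- is locked out even when the group bits would allow access. The users, UIDs and file in demo() are constructed for illustration; the ls -l mode field parser and the root rule follow standard Unix/Linux semantics.

```python
import stat

# Added example, not code from the original slides: the traditional Unix
# permission check on the owner/group/other bits that `ls -l` displays.
# The kernel picks exactly ONE class for the caller (owner if the UIDs
# match, otherwise group if the file's group is among the caller's
# groups, otherwise other) and consults only that class's bits.  So an
# owner whose own bits are "---" is refused even if the group bits allow.

# Positions of the 9-character field that can carry a special bit.
_SPECIAL_AT = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_symbolic_mode(text):
    """Convert the 9-character field from `ls -l` (e.g. "rw-r-----",
    "rwsr-xr-x") into the numeric permission bits (e.g. 0o640, 0o4755)."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    bits = 0
    for i, ch in enumerate(text):
        flag = 1 << (8 - i)            # 0o400 for position 0 ... 0o001 for 8
        expected = "rwx"[i % 3]
        if ch == "-":
            continue
        if ch == expected:
            bits |= flag
        elif ch in "sStT" and i in _SPECIAL_AT:
            bits |= _SPECIAL_AT[i]     # setuid, setgid or sticky
            if ch in "st":             # lower case: the x bit is set too
                bits |= flag
        else:
            raise ValueError(f"bad character {ch!r} at position {i}")
    return bits


def may_access(mode, file_uid, file_gid, uid, gids, want):
    """Return True if a process with effective UID `uid` and group set
    `gids` may do `want` ("r", "w" or "x") to a file with permission
    bits `mode` owned by file_uid:file_gid."""
    if want not in ("r", "w", "x"):
        raise ValueError("want must be 'r', 'w' or 'x'")
    if uid == 0:
        # root bypasses the bits, except that executing a regular file
        # still needs at least one x bit set (Linux behaviour).
        if want != "x" or stat.S_ISDIR(mode):
            return True
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if uid == file_uid:
        shift = 6                      # owner class
    elif file_gid in gids:
        shift = 3                      # group class
    else:
        shift = 0                      # other class
    return bool(mode & ({"r": 4, "w": 2, "x": 1}[want] << shift))


def demo():
    """Constructed scenario (not a real system): plan.txt is owned by
    alice (UID 1000) with group devs (GID 2000) and mode ---rw----, the
    classic self-lockout.  Returns who may read it."""
    mode = parse_symbolic_mode("---rw----")
    users = {                          # name: (uid, supplementary groups)
        "alice": (1000, {2000}),       # owner, also a member of devs
        "bob":   (1001, {2000}),       # member of devs only
        "carol": (1002, {3000}),       # unrelated user
        "root":  (0, set()),
    }
    return {name: may_access(mode, 1000, 2000, uid, gids, "r")
            for name, (uid, gids) in users.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:6s} read plan.txt: {'allowed' if ok else 'denied'}")
```

Running it shows alice (the owner and a devs member) denied while bob (devs only) is allowed: group membership never rescues an owner whose own class says no. The root branch encodes the one exception worth remembering when reasoning about “root can do anything”: without an x bit somewhere, even root cannot execute a file.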
Process ownership
• The owner of a process can send the process signals and can also reduce the process’s scheduling priority.
• Two mechanisms extend this basic ownership model:
– The root account
– Setuid and Setgid execution
The root account
• The root account is UNIX’s omnipotent (i.e., having unlimited power) administrative user. It’s also known as the superuser account, although the actual username is “root”.
• The defining characteristic of the root account is its UID of 0. The kernel recognizes the superuser by that UID, not by the name, so the UID cannot be changed; by the same token, any other account given UID 0 is just as powerful.
• Traditional UNIX allows the superuser (that is, any process whose effective UID is 0) to perform any valid operation on any file or process.
Continue…
• Examples of restricted operations are:
– Changing the root directory of a process with chroot
– Creating device files
– Setting the system clock
– Raising resource usage limits and process priorities
– Setting the system’s hostname
– Configuring network interfaces
– Opening privileged network ports (those numbered below 1,024)
Setuid and Setgid execution
• This mechanism lets developers and administrators set up structured ways for unprivileged users to perform privileged operations.
• When the kernel runs an executable file that has its “setuid” or “setgid” permission bit set, it changes the effective UID or GID of the resulting process to the UID or GID of the file containing the program image rather than the UID and GID of the user that ran the command.
• The bits are honored only for binary executables: Linux ignores them on interpreted scripts and on files under a filesystem mounted with nosuid.
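What setuid looks like from user space, as an added example (not code from the original slides): identity() reports the real versus effective UID that the kernel swaps when it honors the bit, and find_suid_files() is the audit a practitioner runs on a host, since every file carrying the bit is a privilege boundary. demo() builds a constructed tree in a temporary directory; the file names (passwd-like, wall-like) are placeholders, their bodies are tiny scripts, so the kernel would in fact ignore the bit on them, and nothing here needs root, because setting the bit on a file you own is permitted.

```python
import os
import stat
import tempfile

# Added example, not code from the original slides: the setuid/setgid
# bits seen from user space.  Two things a practitioner wants to do:
#  1. inside a program, detect that it is running under a borrowed
#     identity (real UID differs from effective UID) before touching
#     anything sensitive;
#  2. audit a file tree for files carrying the bits, since every one is
#     a privilege boundary that has to be reviewed.
# Nothing here needs root: setting the bits on a file you own is
# allowed; the kernel only acts on them when the file is executed.


def identity():
    """Return (real_uid, effective_uid, borrowed) for the current process.
    `borrowed` is True when the process runs setuid, i.e. the effective
    UID (used for permission checks) differs from the real UID (who
    actually ran the command)."""
    ruid, euid = os.getuid(), os.geteuid()
    return ruid, euid, ruid != euid


def find_suid_files(root):
    """Walk `root` and return a sorted list of (relative path, mode, owner
    uid, flags) for regular files with setuid ("u") and/or setgid ("g")
    set.  lstat is used so symlinks are not followed: a link to a setuid
    binary is not itself a setuid file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = ""
            if st.st_mode & stat.S_ISUID:
                flags += "u"
            if st.st_mode & stat.S_ISGID:
                flags += "g"
            if flags:
                hits.append((os.path.relpath(path, root),
                             stat.S_IMODE(st.st_mode), st.st_uid, flags))
    return sorted(hits)


def demo():
    """Build a constructed tree in a temporary directory (one ordinary
    executable, one setuid, one setgid, one symlink to the setuid file),
    scan it and return [(relative path, octal mode, flags), ...]."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name, mode in (("plain", 0o755), ("passwd-like", 0o4755),
                           ("wall-like", 0o2755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")   # placeholder body
            os.chmod(path, mode)
        os.symlink(os.path.join(bindir, "passwd-like"),
                   os.path.join(bindir, "alias"))
        return [(p, oct(m), f) for p, m, _uid, f in find_suid_files(root)]


if __name__ == "__main__":
    print("real/effective UID, setuid?", identity())
    for path, mode, flags in demo():
        print(f"{mode} {flags:2s} {path}")
```

Pointed at a real root directory instead of the temporary tree, find_suid_files() is the inventory to diff against a known-good baseline: a new setuid file is either a package update or a persistence mechanism. The scan deliberately uses lstat and skips non-regular files, so a symlink to /bin/su does not show up as a finding of its own.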
MODERN ACCESS CONTROL
• From a security perspective, the root account represents a potential single point of failure. If it’s compromised, the integrity of the whole system is violated. There is no limit to the damage an attacker can inflict.
• In the traditional model, the only way to subdivide the special privileges of the root account is by writing setuid programs. Unfortunately, as the Internet’s steady stream of security updates demonstrates, it’s difficult to write truly secure software.
Continue…
• The security model isn’t strong enough for use on a network. No computer to which an unprivileged user has physical access can be trusted to accurately represent the ownerships of the processes it’s running.
• Many high-security environments enforce conventions that simply can’t be implemented with traditional UNIX security.
Role-based access control
• Role-based access control, sometimes known as RBAC, is a theoretical model formalized in 1992 by David Ferraiolo and Rick Kuhn.
• The basic idea is to add a layer of indirection to access control calculations. Instead of permissions being assigned directly to users, they are assigned to intermediate constructs known as “roles,” and roles in turn are assigned to users.
• To make an access control decision, the access control library enumerates the roles of the current user and checks to see if any of those roles have the appropriate permissions.
PAM: Pluggable Authentication Modules
• PAM is an authentication technology rather than an access control technology, i.e., rather than addressing the question “Does user X have permission to perform operation Y?”, it helps answer the precursor question “How do I know this is really user X?”
Continue…
• In the past, user passwords were checked against the /etc/shadow file at login time so that an appropriate UID could be set for the user’s shell or window system.
• In the modern world of networks, cryptography, and biometric identification devices, a more flexible and open system is required.
Continue…
• PAM is a wrapper for a variety of method-specific authentication libraries. Administrators specify the authentication methods they want the system to use, along with the appropriate contexts for each one. Programs that want to authenticate a user simply call the PAM system rather than implementing their own forms of authentication.
Kerberos: third-party cryptographic authentication
• Kerberos deals with authentication rather than access control. But whereas PAM is an authentication framework, Kerberos is a specific authentication method.
• They’re generally used together, PAM being the wrapper and Kerberos the actual implementation.
Continue…
• Kerberos uses a trusted third party (a server) to perform authentication for an entire network. Rather than authenticating yourself to the machine you are using
REAL-WORLD ACCESS CONTROL
• Most sites still use the traditional root account for system administration.
• Add-on tools such as sudo go a long way toward bridging the gap between simplicity and security.
Choosing a root password
• The most important characteristic of a good password is length. The root password should be at least eight characters long, and longer is better.
• Passwords are stored as hashes, not encrypted. Systems that still use the traditional DES-based hash consider only the first eight characters of a password; systems that use MD5- or Blowfish-based hashes have no such limit, so extra length actually counts.
Logging in to the root account
• We can log in directly to the root account and work on the system. However, this turns out to be a bad idea.
• The disadvantage is that the log-in-as-root scenario leaves no record of who was really doing the work.
• If several people have access to the root account, you won’t be able to tell who used it and when.
su: substitute user identity
• One way to access the root account is to use the su command.
• If invoked without arguments, su prompts for the root password and then starts up a root shell.
• Root privileges remain in effect until you terminate the shell by typing <Control-D> or the exit command.
Continue…
• The su command can also substitute identities other than root.
• If you know someone’s password, you can access that person’s account directly by executing su - username. The “-” argument makes su start a login shell; the exact implications of login mode vary by shell, but it normally changes the number or identity of the startup files that the shell reads.
Continue…
• sudo takes as its argument a command line to be executed as root.
• sudo consults the file /etc/sudoers, which lists the people who are authorized to use sudo and the commands they are allowed to run on each host.
• sudo’s command logging can be subverted by tricks such as shell escapes from within an allowed program (editors and pagers such as vi or less can spawn a shell), or by sudo sh and sudo su if you allow them: the log then records only that a shell was started, not what was done inside it.
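A detector for exactly those blind spots, as an added example (not code from the original slides): it parses sudo’s syslog records and flags entries that were refused by policy, that handed out a shell directly (sudo sh, sudo su, sudo -i), or that ran a program with a well-known shell escape. The record layout (user : TTY= ; PWD= ; USER= ; COMMAND=) is the one sudo writes on Linux; the log lines in SAMPLE_LOG, the host name web1 and the user names are constructed for the demo, and the ESCAPE_PRONE list is a starting point rather than a complete catalogue.

```python
import re

# Added example, not code from the original slides: a detector run over
# sudo's syslog lines that flags the cases the slide warns about.  The
# log format is the one sudo writes on Linux (user : TTY= ; PWD= ;
# USER= ; COMMAND=); the lines below are constructed for the demo and do
# not come from any real host.

SAMPLE_LOG = """\
Mar  3 09:15:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:16:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Mar  3 09:17:12 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/hosts
Mar  3 09:18:05 web1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  3 09:19:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c cat /etc/shadow
Mar  3 09:20:00 web1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) :(?: (?P<status>[^;]+?) ;)?"
    r" TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+)"
    r" ; COMMAND=(?P<cmd>.+)$")

# Programs that ARE a shell (sudo sh, sudo su, sudo -s/-i all log as one
# of these) and programs well known to offer a shell escape (":!sh" in
# vi, "!sh" in less, and so on).  Extend the sets to taste.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}
ESCAPE_PRONE = {"vi", "vim", "less", "more", "man", "awk", "find",
                "perl", "python", "python3"}


def parse_sudo_line(line):
    """Return a dict with user/status/tty/pwd/target/cmd for a sudo log
    line, or None if the line is not a sudo command record."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = rec["status"] or "ok"   # sudo logs no status on success
    return rec


def classify(cmd):
    """'shell' for a direct shell or su, 'escape-prone' for a program
    with a known shell escape, otherwise 'ok'."""
    prog = cmd.split()[0].rsplit("/", 1)[-1]
    if prog in SHELLS:
        return "shell"
    if prog in ESCAPE_PRONE:
        return "escape-prone"
    return "ok"


def audit(lines):
    """Return (user, status, kind, command) for every sudo record that was
    refused by policy or that grants a shell sudo cannot log inside."""
    findings = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        kind = classify(rec["cmd"])
        if rec["status"] != "ok" or kind != "ok":
            findings.append((rec["user"], rec["status"], kind, rec["cmd"]))
    return findings


if __name__ == "__main__":
    for user, status, kind, cmd in audit(SAMPLE_LOG.splitlines()):
        print(f"{user:6s} {status:20s} {kind:13s} {cmd}")
```

The systemctl line is the only one that passes: the su, sh and bash records are shells whose subsequent activity never reaches the sudo log, vim is flagged because :!sh inside it is invisible to sudo, and carol’s refused attempt is kept because a denied request for a shell is itself worth a look. The fix on the policy side is to not grant shells or escape-prone programs in /etc/sudoers in the first place; the detector tells you when that rule has been broken.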
PSEUDO-USERS OTHER THAN ROOT
• Root is generally the only user that has special status in the eyes of the kernel, but several other pseudo-users are defined by the system.
• You can identify these accounts by their low UIDs, usually less than 100.
• UIDs under 10 are system accounts, and UIDs between 10 and 100 are pseudo-users associated with specific pieces of software.
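The UID conventions above turned into an audit, as an added example (not code from the original slides): parse a passwd-format account list, bucket each UID the way the slide does, and report the two things a reviewer looks for, a second account with UID 0 (which the kernel treats exactly like root) and a pseudo-user that has been given an interactive shell. The SAMPLE_PASSWD entries, including the backup and nagios accounts, are constructed for the demo. The thresholds are parameters because modern Linux distributions reserve UIDs 1 to 999 for system accounts (SYS_UID_MAX in /etc/login.defs), so on such a host you would pass pseudo_max=1000.

```python
# Added example, not code from the original slides: an audit of a
# passwd-format account list against the UID conventions above.  The
# sample is constructed, not copied from a real host.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:74:74:sshd:/run/sshd:/usr/sbin/nologin
backup:x:0:0:nightly backup:/root:/bin/bash
nagios:x:90:90:nagios:/var/lib/nagios:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Shells that refuse interactive login; anything else counts as a shell.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _passwd, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def classify_uid(uid, system_max=10, pseudo_max=100):
    """Bucket a UID the way the slide does: 0 is root, below system_max a
    system account, below pseudo_max a software pseudo-user, the rest
    ordinary users.  Modern Linux reserves 1-999 for system accounts
    (SYS_UID_MAX in /etc/login.defs); pass pseudo_max=1000 there."""
    if uid == 0:
        return "root"
    if uid < system_max:
        return "system"
    if uid < pseudo_max:
        return "pseudo-user"
    return "regular"


def audit_passwd(entries, **limits):
    """Return (finding, account name) pairs for:
       - any account other than root with UID 0 (a second superuser);
       - any system or pseudo-user account with an interactive shell."""
    findings = []
    for e in entries:
        kind = classify_uid(e["uid"], **limits)
        if kind == "root" and e["name"] != "root":
            findings.append(("extra-uid-0", e["name"]))
        elif kind in ("system", "pseudo-user") and e["shell"] not in NOLOGIN_SHELLS:
            findings.append(("pseudo-user-with-shell", e["name"]))
    return findings


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    for e in accounts:
        print(f"{e['uid']:5d} {classify_uid(e['uid']):12s} {e['name']}")
    print(audit_passwd(accounts))
```

On a live host, feed it the contents of /etc/passwd (or the output of getent passwd, which also covers NIS/LDAP accounts). The extra-uid-0 check is the important one: “backup” with UID 0 is root under another name, and nothing in the kernel distinguishes the two.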
Any Question???
• If you have any doubt, you can ask me a question on
Or
contact me on (+91)-7588318728