Scribd
Upload
61 views18 pages

Unix and Windows Access Control

The document discusses access control in Unix and Windows. In Unix, each file has an access control list that grants permissions to user IDs. Processes can change their effective user ID through the setuid bit or system calls. Windows uses security identifiers and access tokens associated with processes and security descriptors associated with objects to control access. It allows impersonation tokens so a process can temporarily adopt another's security context.

Uploaded by

Harpreet Singh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
61 views18 pages

Unix and Windows Access Control

The document discusses access control in Unix and Windows. In Unix, each file has an access control list that grants permissions to user IDs. Processes can change their effective user ID through the setuid bit or system calls. Windows uses security identifiers and access tokens associated with processes and security descriptors associated with objects to control access. It allows impersonation tokens so a process can temporarily adopt another's security context.

Uploaded by

Harpreet Singh
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 18

Module 4.

3
Unix and Windows Access Control
Summary
Unix access control File 1 File 2

User 1 read write -


Process has user id User 2 write write -
Inherit from creating process User 3 - - read
Process can change id
Restricted set of options User m Read write write
Special root id
All access allowed
File has access control list (ACL)
Grants permission to user ids
Owner, group, other
Unix file access control list
Each file has owner and group
Permissions set by owner setid
Read, write, execute - rwx rwx rwx
Owner, group, other ownr grp othr
Represented by vector of
four octal values
Only owner, root can change permissions
This privilege cannot be delegated or shared
Setid bits Discuss in a few slides
Process effective user id
(EUID)
Each process has three Ids (+ more under Linux)
Real user ID (RUID)
same as the user ID of parent (unless changed)
used to determine which user started the process
Effective user ID (EUID)
from set user ID bit on the file being executed, or sys call
determines the permissions for process
file access and port binding
Saved user ID (SUID)
So previous EUID can be restored

Real group ID, effective group ID, used similarly


Process Operations and IDs
Root
ID=0 for superuser root; can access any file
Fork and Exec
Inherit three IDs, except exec of file with setuid bit
Setuid system call
seteuid(newid) can set EUID to
Real ID or saved ID, regardless of current EUID
Any ID, if EUID=0

Details are actually more complicated


Several different calls: setuid, seteuid, setreuid
Setid bits on executable
Unix file
Three setid bits
Setuid set EUID of process to ID of file owner
Setgid set EGID of process to GID of file
Sticky
Off: if user has write permission on directory, can
rename or remove files, even if not owner
On: only file owner, directory owner, and root can
rename or remove file in the directory
Example
Owner 18
RUID 25 SetUID
; program
;
exec( );
Owner 18
-rw-r--r-- ;
file read/write ; RUID 25
i=getruid EUID 18
()
Owner 25
-rw-r--r-- read/write setuid(i); RUID 25
; EUID 25
file
;
Unix summary
Good things
Some protection from most users
Flexible enough to make things possible
Main limitation
Too tempting to use root privileges
No way to assume some root privileges
without all root privileges
Weakness in isolation,
privileges
Network-facing Daemons
Root processes with network ports open to all remote
parties, e.g., sshd, ftpd, sendmail,
Rootkits
System extension via dynamically loaded kernel
modules
Environment Variables
System variables such as LIBPATH that are shared state
across applications. An attacker can change LIBPATH to
load an attacker-provided file as a dynamic library
Weakness in isolation,
privileges
Shared Resources
Since any process can create files in /tmp directory, an
untrusted process may create files that are used by
arbitrary system processes
Time-of-Check-to-Time-of-Use (TOCTTOU)
Typically, a root process uses system call to determine if
initiating user has permission to a particular file, e.g. /tmp/X.
After access is authorized and before the file open, user may
change the file /tmp/X to a symbolic link to a target file
/etc/shadow.
Access control in Windows
Some basic functionality similar to Unix
Specify access for groups and users
Read, modify, change owner, delete

Some additional concepts


Tokens
Security attributes
Generally
More flexible than Unix
Can define new permissions
Can give some but not all administrator privileges
Identify subject using SID
Security ID (SID)
Identity (replaces UID)
SID revision number
48-bit authority value
variable number of Relative
Identifiers (RIDs), for
uniqueness
Users, groups, computers,
domains, domain
members all have SIDs
Process has set of tokens
Security context
Privileges, accounts, and groups associated with the process
or thread
Presented as set of tokens
Impersonation token
Used temporarily to adopt a different security context, usually
of another user
Security Reference Monitor
Uses tokens to identify the security context of a process or
thread
Object has security
descriptor
Security descriptor associated with an object
Specifies who can perform what actions on the object
Several fields
Header
Descriptor revision number
Control flags, attributes of the descriptor
E.g., memory layout of the descriptor
SID of the object's owner
SID of the primary group of the object
Two attached optional lists:
Discretionary Access Control List (DACL) users, groups,
System Access Control List (SACL) system logs, ..
Example access request
User:
Group1:Mark
Access token Access request: write
Administrators
Group2: Writers Action: denied
Revision
User Mark requests write permission
Number
Control flags Descriptor denies permission to group
Owner SID
Group SID Reference Monitor denies request
DACL Pointer (DACL for access, SACL for audit and logging)
Security SACL Pointer
descriptor Deny Priority:
Writers Explicit Deny
Read, Write Explicit Allow
Allow
Mark Inherited
Read, Write Deny
Impersonation Tokens (compare to setuid)
Process adopts security attributes of another
Client passes impersonation token to server
Client specifies impersonation level of server
Anonymous
Token has no information about the client
Identification
Obtain the SIDs of client and client's privileges, but server cannot impersonate the
client
Impersonation
Impersonate the client
Delegation
Lets server impersonate client on local, remote systems

You might also like