Unix/Linux permission bits (DAC) - Run ls -l in Linux - UCI Canvas
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Unix/Linux permission bits (DAC)
• Run ls -l in Linux
Owner
2/17/2021 Zhou Li 1
How to change permissions?
• Assume you’re the owner
• Change permission (g: group, o:owner)
• chmod g(o)+(-)w(rx) filename(foldername)
• Or by bits: e.g., chmod 777 filename
• Change group
• chgrp groupname filename(foldername)
• Change owner
• chown ownername filename(foldername)
https://www.pluralsight.com/blog/it-ops/linux-file-permissions
2/17/2021 Zhou Li 2
Problem: privileged programs • Password Dilemma • Permissions of /etc/shadow File: • How would normal users change their password?
Solution: Set-UID
• Allow user to run a program with the program owner’s privilege.
• Allow users to run programs with temporary elevated privileges
• No way to deviate from pre-programmed task
• Example: the passwd program
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 41284 Sep 12 2012 /usr/bin/passwd
Set-UID Concept
• Every process has two User IDs.
• Real UID (RUID): Identifies real owner of process
• Effective UID (EUID): Identifies privilege of a process
• Access control is based on EUID
• When a normal program is executed, RUID = EUID, they
both equal to the ID of the user who runs the program
• When a Set-UID is executed, RUID ≠ EUID. RUID still equal
to the user’s ID, but EUID equals to the program owner’s ID.
• If the program is owned by root, the program runs with the root
privilege.
Turn a Program into Set-UID • Change the owner of a file to root : • Before Enabling Set-UID bit: • After Enabling the Set-UID bit :
UNIX Security Limitations
• Discretionary access control
• File owner is too powerful
• Setuid root processes
• What if the applications of Setuid has flaws?
• Network-facing daemons vulnerable
• Needs to run as root or other privileged users
• What can we do?
• Reference validation mechanism that satisfies reference monitor concept
• Complete mediation, Tamperproof and Verifiable
• Protection system with mandatory access control (mandatory protection
system)
2/17/2021 Zhou Li 7
Linux Security Modules
• Reference validation mechanism for Linux
• Upstreamed in Linux 2.6
• Support modular enforcement - you choose
• SELinux, AppArmor, POSIX Capabilities, SMACK, ...
• 150+ authorization hooks
• Mediate security-sensitive operations on
• Files, dirs/links, IPC, network, semaphores, shared memory, ...
• Variety of operations per data type
• Control access to read of file data and file metadata separately
• Hooks are restrictive
2/17/2021 Zhou Li 8
LSM • Register (install) module • Load policy (open and write to special file) • Produce authorization queries at hooks 2/17/2021 Zhou Li 9
LSM 2/17/2021 Zhou Li 10
SELinux Policy Rules
• The most comprehensive LSM is SELinux
• SELinux Rules express an MAC policies and states
• Protection state – ALLOW subject-label object-label ops
• Labeling state – Assign new objects labels on creation
• Transition state – Define how a process may change label
• All are defined explicitly
• Tens of thousands of rules are necessary for a standard
Linux distribution
• User processes are ignored (other than confining them relative to the
system)
• Enforces a Least Privilege Policy
2/17/2021 Zhou Li 11SELinux (Cond.)
• SELinux Label
• user:role:type:mls_level
• SELinux Policy
• allow domains types:classes permissions;
• Domain - A label for the process or set of processes Configure file label
• Type - A label for the object (e.g. file, socket) or set of objects.
• Class - The kind of object (e.g. file, socket) being accessed.
• Permission - The operation (e.g. read, write) being performed.
12
2/17/2021 Zhou LiAndroid access control
• Each app runs in its own sandbox.
• A unique Linux UID assigned for each app when installation
• DAC is enforced: permission bits
• Permissions are granted by user at install-time/run-time
• SELinux mode adopted by Android (since 4.3)
• Permissive mode, in which permission denials are logged but
not enforced.
• Enforcing mode, in which permissions denials are both
logged and enforced.
Install-time permissions
https://source.android.com/security/selinux/concepts
2/17/2021 Zhou Li 13Outline
• How OS regulates access to resources like files and ports?
• DAC
• MAC (CPU rings, LSM, SELinux)
• How OS regulates access to memory?
• Page table, MMU, Virtual memory
• OS Virtualization
• How OS enables trusted and confidential computing?
• TCB and TEE
• They are only part of OS security features…
2/17/2021 Zhou Li 14Basic memory protection • Need to censure that a process can access only access those addresses in it address space. • We can provide this protection by using a pair of base and limit registers define the logical address space of a process 2/17/2021 Zhou Li 15
Hardware Address Protection • CPU must check every memory access generated in user mode to be sure it is between base and limit for that user • The instructions to loading the base and limit registers are privileged 2/17/2021 Zhou Li 16
Logical vs. Physical Address Space
• The concept of a logical address space that is bound to a separate
physical address space is central to proper memory management
• Logical address – generated by the CPU; also referred to as virtual address
• Physical address – address seen by the memory unit
• Logical and physical addresses are the same in compile-time and
load-time address-binding schemes; logical (virtual) and physical
addresses differ in execution-time address-binding scheme
• Logical address space is the set of all logical addresses generated
by a program
• Physical address space is the set of all physical addresses
generated by a program
2/17/2021 Zhou Li 17Memory-Management Unit (MMU)
• Hardware device that at run time maps virtual to physical address
• Base (relocation) register + logical address => physical address
Segmentation Unit Paging Unit
2/17/2021 Zhou Li 18Relocation and Limit Registers 2/17/2021 Zhou Li 19
Segmentation Hardware
• Registers (Intel CPU)
• CS: code segment
• DS: data segment
• SS: stack segment
• ES: extra segment
• FS and GS
2/17/2021 Zhou Li 20Paging
• Physical address space of a process can be noncontiguous; process
is allocated physical memory whenever the latter is available
• Avoids external fragmentation -> avoid for compacting
• Avoids problem of varying sized memory chunks
• Basic methods
• Divide physical memory into fixed-sized blocks called frames
• Size is power of 2, between 512 bytes and 16 Mbytes
• Divide logical memory into blocks of same size called pages
• Keep track of all free frames
• To run a program of size N pages, need to find N free frames and load
program
• Set up a page table to translate logical to physical addresses
• Backing store likewise split into pages
• Still have Internal fragmentation
2/17/2021 Zhou Li 21Paging: Address Translation
• A logical address is divided into:
• page number (p)
• used as an index into a page table
• page table entry contains the corresponding physical frame number
• page offset (d)
• offset within the page/frame
• combined with frame number to get the physical address
2/17/2021 Zhou Li 22Paging Hardware 2/17/2021 Zhou Li 23
Paging Example 2/17/2021 Zhou Li 24
Memory Protection
• Accomplished by protection bits with each frame
• Each page table entry has a present (aka. valid) bit
• present: the page has a valid physical frame (block of same size as
page in memory), thus can be accessed
• Each page table entry contains some protection bits
• kernel/user, read/write, execution?, kernel-execution?
• Any violations of memory protection result in a trap to the kernel
2/17/2021 Zhou Li 25Memory Protection 2/17/2021 Zhou Li 26
Memory Protection (more)
• NX bit
• Learnt in the lecture of software defenses
• segregate areas of memory for use by either storage of processor
instructions (code) or for storage of data
• Intel: XD(execute disable), AMD: EVP (enhanced virus protection),
ARM: XN (execute never)
• PXN: Privileged Execute Never (intel: SMEP)
• A Permission fault is generated if the processor is executing at
PL1(kernel) and attempts to execute an instruction fetched from the
corresponding memory region when this PXN bit is 1 (usually user
space memory)
2/17/2021 Zhou Li 27Virtualization
• Isolation between multiple OSes
• With virtualization, the OS presents each user
with just the resources that user should see
• The user has access to a virtual machine (VM),
which contains those resources
• The user cannot directly access resources that
are outside the VM (sandbox)
• A hypervisor, or VM monitor, is the software that
hosts VM
• Translates access requests between the VM and the OS
• Can support multiple OSs in VMs simultaneously
2/17/2021 Zhou Li 28You can also read
