Access Control privilege How does your code manage who has access to what? authorization permission Two OS models: Unix Windows

Upload: lisa-thompson

Post on 20-Jan-2016


Page 1: Access Control

privilege

How does your code manage who has access to what?

authorization

permission

Two OS models:

Unix

Windows

Page 2: Access Control in Unix/Linux

Every user …

has a unique UID (positive integer)

belongs to one or more groups

can ____ resources (files)

User 0 -- ______

Every file/resource …

stores permissions for owner, group & world

potential permissions are _______

other possibilities: sticky bit, setUID, setGID

Page 3: The sticky bit

One bit of file/dir permission is dedicated as the sticky bit.

Such bits are no longer used for files

Some directories have the “sticky bit” property

Example:

Any user can write to such a directory. If you create new files, you are the owner and have wr permission and the world has r permission.

Page 4: Processes in Unix

Executing a file initiates process execution.

process permissions normally derive from the owner

any created file has permissions determined by umask

To ______ permissions …

execute a process from an owner with lesser privilege

A forked process/thread inherits permissions.

To ________ permissions …

Page 5: setUID, setGID

If the setUID bit is set on an executable file, then when the file executes it assumes the permissions of the file’s owner for the duration of this file’s execution.

The rule is not to elevate privilege any more than necessary.

EUID executing file’s owner

Page 6: Access Control in Windows

When a user is authenticated, Windows produces an access token containing:

the user’s _____

a list of group SIDs – one _____ per group

A special kind of token (impersonation token) can be granted to services when they are authorized.

A copy of the access token is attached to every process and thread the user executes.

Page 7: Windows Resources

Many objects are thought of as resources:

files / directories

registry keys

shared memory

job objects (processes)

mutexes, named pipes, semaphores

printers

active directory objects

Permissions vary by resource type.

Page 8: ACLs

Discretionary Access Control List (DACL)

– every resource has one
– a DACL is a list of Access Control Entries (ACEs)

Access Control Entry (ACE) contains 1) 2) 3)

An object can have both explicit and inherited ACEs.

Algorithm for authorizing: follow the DACL for the first ACE to ALLOW or DENY matching one of the SIDs in the access token

ACEs are ordered by explicit collection before inherited and following the inheritance tree. Within each collection all DENY precede all ALLOW

Page 9: Example

[Figure: xFile inherits from xParent, which inherits from xGParent. ACEs shown in the figure: SID2 X-DENY, SID2 R-DENY, SID5 R-DENY, SID5 X-DENY, SID3 W-ALLOW, SID2 R-ALLOW, SID4 W-ALLOW, SID3 W-DENY, SID4 X-ALLOW]

Authorization requests:

Write to xFile, access token: SID3 & SID4

Write to xFile, access token: SID2 & SID4

Read from xFile, access token: SID2 & SID5

Execute from xFile, access token: SID2, SID3, SID4 & SID5
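An added example, not part of the original slides: the authorization algorithm from the ACLs slide (explicit ACEs before inherited ones, nearest ancestor first, DENY before ALLOW within each collection, first matching ACE decides). The placement of ACEs on xFile, xParent and xGParent is constructed for this example, because the slide's diagram layout is not preserved on this page; treating "no matching ACE" as a denial is the implicit-deny rule of Windows DACLs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    sid: str     # SID the entry applies to
    right: str   # "R", "W" or "X"
    allow: bool  # True = ALLOW, False = DENY

def ordered_dacl(chain):
    """chain: ACE collections, the object's explicit ACEs first, then each
    ancestor's (nearest first). Within a collection DENY precedes ALLOW."""
    dacl = []
    for collection in chain:
        # sorted() is stable and False < True, so DENY entries move to the front
        dacl += sorted(collection, key=lambda ace: ace.allow)
    return dacl

def authorize(chain, token_sids, right):
    """Return (decision, deciding ACE). The first ACE for `right` whose SID is
    in the access token decides; reaching the end means implicit deny."""
    for ace in ordered_dacl(chain):
        if ace.right == right and ace.sid in token_sids:
            return ("ALLOW" if ace.allow else "DENY", ace)
    return ("DENY", None)

# Constructed layout (assumption): which ACE sits on which object.
X_FILE = [ACE("SID3", "W", True), ACE("SID2", "X", False)]
X_PARENT = [ACE("SID2", "R", True), ACE("SID4", "W", True),
            ACE("SID2", "R", False)]
X_GPARENT = [ACE("SID5", "R", False), ACE("SID5", "X", False),
             ACE("SID3", "W", False), ACE("SID4", "X", True)]
CHAIN = [X_FILE, X_PARENT, X_GPARENT]

REQUESTS = [("W", {"SID3", "SID4"}), ("W", {"SID2", "SID4"}),
            ("R", {"SID2", "SID5"}), ("X", {"SID2", "SID3", "SID4", "SID5"})]

if __name__ == "__main__":
    for right, token in REQUESTS:
        decision, ace = authorize(CHAIN, token, right)
        print(right, sorted(token), "->", decision, "via", ace)
```

With this layout the first request is allowed by the explicit ACE on xFile even though xGParent carries a DENY for the same SID and right, which is the practical consequence of ordering explicit entries before inherited ones.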

Page 10: File Permissions in Windows

Full control – read, write, modify, execute, change attributes/permissions and/or take ownership

Modify – read, write, modify, execute and/or change attributes

Read & execute – display file content, view attributes/owner/permissions and/or execute

Read – display file content and/or view attributes/owner/permissions

Write – write file content, append to file and/or read/change file attributes

Page 11: Windows advantages and disadvantages

Windows advantages:
- finer user granularity (Administrator & operator groups)
- ACEs can specify many groups, not just one
- allows for variation in permissions by object type

Windows disadvantage:
- complexity

Page 12: Other Access Control Systems

Programming languages may or may not provide full access

network security – see CS455

Web access control?

cookies