chapter 7 unix security
play

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the - PowerPoint PPT Presentation

Dec 07, 2022 •129 likes •733 views

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix security model. See how general security principles are implemented in an actual

  1. Chapter 7: Unix Security Chapter 7: 1

  2. Objectives  Understand the security features provided by a typical operating system.  Introduce the basic Unix security model.  See how general security principles are implemented in an actual operating system. Chapter 7: 2

  3. Introduction  Some guidelines when assessing security of an operating system:  Which security features have been implemented?  How can these security features be managed?  What assurances are there that the security features will be effective?  Security not only deals with the prevention of unauthorized actions but also with their detection (e.g. audit logs) Chapter 7: 3

  4. Unix Preliminaries  Unix (like the Internet) was developed for friendly environments like research labs or universities.  Security features added whenever the necessity arose; original security mechanism were quite weak and elementary.  Several flavours of Unix; vendor versions differ in the way some security controls are managed & enforced.  Unix designed originally for small multi-user computers in a network environment; later scaled up to commercial servers and down to PCs. Chapter 7: 4

  5. Unix Design Philosophy  Security managed by skilled administrator, not by user.  Intensive use of command line tools and scripting.  Focus on:  protecting users from each other.  protecting against attacks from the network.  Discretionary access control with a granularity of owner, group, other. Chapter 7: 5

  6. Principals  Principals: user identifiers (UIDs) and group identifiers (GIDs).  A UID (GID) is a 16-32 bit number; examples: root user 0: root will always 1: bin have UID == 0 2: daemon 8: mail 9: news 261: sergio  UID values differ from system to system Chapter 7: 6

  7. User Accounts  Information about principals is stored in user accounts and home directories.  User accounts stored in the /etc/passwd file  User account format: username:password:UID:GID:name:homedir:shell  Example : dieter:RT.QsZEEsxT92:1026:53:Dieter Gollmann:/home/dieter:/bin/sh Chapter 7: 7

  8. User Account Details  username: up to eight characters long  password: stored “encrypted” (really a hash)  UID: user identifier for access control  GID: user’s primary group (the user can be at the same time memember of different groups)  name: user’s full name  homedir: user’s home directory  shell: program started after the user has successful logged in Chapter 7: 8

  9. Superuser  The superuser is a special privileged principal with UID 0 and usually the user name root.  There are few restrictions on the superuser:  The superuser can become any other user.  The superuser can change the system clock.  The superuser can shutdown the system.  All security checks are turned off for superuser, who can do almost everything. Superuser cannot write to a read-only file system, but can ● remount it as writeable. Superuser cannot decrypt passwords but can reset them. ● Chapter 7: 9

  10. Groups  Users belong to one or more groups.  /etc/group contains all groups; file entry format: groupname:password:GID:list of users  Example: infosecwww:*:209:carol,al  Every user belongs to a primary group; group ID (GID) of the primary group stored in /etc/passwd.  Collecting users in groups is a convenient basis for access control decisions.  For example, put all users allowed to access email in a group called mail or put all operators in a group operator. Chapter 7: 10

  11. Subjects  The subjects in Unix are processes; a process has a process ID (PID).  New processes generated with exec or fork.  Processes have a real UID/GID and an effective UID/GID.  Real UID/GID: inherited from the parent; typically UID/GID of the user logged in.  Effective UID/GID: inherited from the parent process or from the file being executed. Chapter 7: 11

  12. Example UID GID Process real ef f ective real ef f ective /bin/login root root system system User dieter logs on; the login process verif i es the password and changes its UID and GID: /bin/login dieter dieter staff staff The login process executes the user’s login shell: /bin/bash dieter dieter staff staff From the shell, the user executes a command, e.g. ls /bin/ls dieter dieter staff staff The User executes command su to start a new shell as root: /bin/bash dieter root staff system Chapter 7: 12

  13. Passwords  Users are identified by user name and authenticated by password.  Passwords ( were ) stored in /etc/passwd “encrypted” with the algorithm crypt(3).  crypt(3) is really a one-way function: slightly modified DES algorithm repeated 25 times with all-zero block as start value and the password as key.  Salting: password encrypted together with a 12-bit random “salt” that is stored in the clear. Chapter 7: 13

  14. Passwords  Passwords can be modified with the passwd command  When the password field for a user is empty, the user does not need a password to log in.  To disable a user account, let the password field starts with an asterisk; applying the one-way function to a password can never result in an asterisk.  /etc/passwd is world-readable as many programs require data from user accounts; makes password-guessing attacks easy.  Shadow password files: passwords are not stored in /etc/passwd but in a shadow file that can only be accessed by root. Chapter 7: 14

  15. /etc/shadow  Also used for password aging and automatic account locking; file entries have nine fields: 1)username 2)user's password ( encoded with crypt ) 3)#days since password was changed 4)#days left before user may change password 5)#days left before user is forced to change password 6)#days to “change password” warning 7)#days left before password is disabled 8)#days since the account has been disabled 9)reserved Chapter 7: 15

  16. Objects  Files, directories, memory devices, I/O devices are uniformly treated as resources.  These resources are the objects of access control.  Resources organized in a tree- structured file system.  Each file entry in a directory is a pointer to a data structure called inode. Chapter 7: 16

  17. Inode mode type of f i le and access rights uid username of the owner gid owner group atime access time mtime modif i cation time itime inode alteration time block count size of f i le physical location Fields in the inode relevant for access control Chapter 7: 17

  18. Information about Objects  Example: directory listing with ls -la drwxrwxrwx 12 dieter staff 7288 Oct 13 10:51 . drw-rw-rw- 23 root root 4096 Oct 17 11:32 .. -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 my.tex drwx------ 2 dieter staff 512 Oct 25 17:44 ads/  File type: first character ‘-’ file ‘d’ directory ‘s’ socket ‘b’ block device file ‘l’ symbolic link ‘c’ character device file  File permissions: next nine characters  Link counter: the number of links (i.e. directory entries pointing to) the file Chapter 7: 18

  19. Information about Objects -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 my.tex drwx------ 2 dieter staff 512 Oct 25 17:44 ads/  Username of the owner: usually the user that has created the file.  Group: depending on the version of Unix, a newly created file belongs to its creator’s group or to its directory’s group.  File size, modification time, filename.  Filename stored in the directory, not in inode. Chapter 7: 19

  20. File Permissions  Permission bits are grouped in three triples that define r ead , w rite , and e x ecute access for owner, group, and other.  A ‘-’ indicates that a right is not granted.  rw-r--r-- read and write access for the owner, read access for group and other.  rwx------ read, write, and execute access for the owner, no rights to group and other. . Chapter 7: 20

  21. Octal Representation  Three bit range is 0-7 => octal numbers are sufficient.  Examples:  rw-r--r-- is equivalent to 644 Owner Read/Write; Group, Any: Read  rwxrwxrwx is equivalent to 777 Owner, Group, Any: Read/Write/Exec  Conversion table for four character octal numbers: 040 read by group 020 write by group 010 execute by group 004 read by other 400 read by owner 002 write by other 200 write by owner 001 execute by other 100 execute by owner Chapter 7: 21

  22. Default Permissions  Unix utilities typically use default permissions 666 when creating a new file and permissions 777 when creating a new program.  Permissions can be further adjusted by the umask: a three-digit octal number specifying the rights that should be withheld. :  umask 777 denies all accesses  umask 000 adds no further restrictions  umask 022 grants all permissions to the owner and just read an execute for group and world  Actual default permission is derived by masking the given default permissions with the umask: compute the logical AND of the bits in the default permission and of the inverse of the bits in the umask. Chapter 7: 22

  23. Default Permissions  Example:  default permission: 666  umask: 077  Invert 077: gives 700, then AND:  Owner of the file has read and write access, all other access is denied. Chapter 7: 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter 7: Unix Security Chapter 7: 2 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix

667 views • 62 slides
Delving more deeply into UNIX Bualo Chapter 3 1 / 21 Overview 1) A Little Review 2) Unix

Delving more deeply into UNIX Bualo Chapter 3 1 / 21 Overview 1) A Little Review 2) Unix

Delving more deeply into UNIX Bualo Chapter 3 1 / 21 Overview 1) A Little Review 2) Unix Exercise and Tutorials 3) New UNIX material: Standard Out and Standard Error Creating and navigating through directories Using wildcards The Pipe

458 views • 22 slides
Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or-

Crash Course in Unix For more info check out the Unix man pages -or- http://www.cs.rpi.edu/~hollingd/unix -or- Unix in a Nutshell (an OReilly book). 1 Unix Accounts To access a Unix system you need to have an account . Unix

1.05k views • 84 slides
Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for

Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for

Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability, modular, multi-component

480 views • 35 slides
Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix:

1/19/2010 Where can UNIX be used? Real Unix computers Introduction to Unix: Introduction to Unix: tak, the Whitehead Scientific Linux server t k th Whit h d S i tifi Li most important/useful commands & Apply

259 views • 8 slides
Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1

Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1

Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1 Agenda A short history of Unix Login and user accounts access control Instances of general security principles Audit configuration

641 views • 38 slides
Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future

Todays topics Unix history Unix philosophy Unix standards Unix future Future classes Unix history The Unix family of operating systems have been in existence since around 1969. Most folks agree the system that Ken

1.13k views • 57 slides
UNIX Data Tools Bualo Chapter 7 1 / 37 Overview In Chapter 3 we learned the basic operations

UNIX Data Tools Bualo Chapter 7 1 / 37 Overview In Chapter 3 we learned the basic operations

UNIX Data Tools Bualo Chapter 7 1 / 37 Overview In Chapter 3 we learned the basic operations within the Unix shell: standard out and standard error streams of data how to redirect our data streams how to efficiently run a series of

598 views • 38 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314 Chapter 18: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314 Chapter 18: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314 Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTML + HTTP CSS data request web server backend systems Chapter 18: 3 Web 1.0 Shorthand

1.09k views • 91 slides
Why We Should Take a Second What do we learn from Look at Access Control in Unix this?

Why We Should Take a Second What do we learn from Look at Access Control in Unix this?

Introduction A model for Unix Why We Should Take a Second What do we learn from Look at Access Control in Unix this? Concluding remarks Jason Crampton Information Security Group Royal Holloway, University of London NordSec 2008

590 views • 27 slides
CS-527 Software Security OS Security Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security OS Security Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security OS Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Unix security model Table of Contents Unix

463 views • 28 slides
Computer Security 3e Security.di.unimi.it/sicurezza1314 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1314 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1314 Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives Confidentiality

1.08k views • 42 slides
Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 3:

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 3:

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives

839 views • 38 slides
Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of

Computer Security 3e Security.di.unimi.it/sicurezza1516 Chapter 3: 1 Chapter 3: Foundations of Computer Security Chapter 3: 2 Agenda Security strategies Prevention detection reaction Security objectives Confidentiality

553 views • 39 slides
Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 18: Web

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 18: Web

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTML + HTTP CSS data request web server backend systems Chapter 18: 3 Web 1.0 Shorthand for web

465 views • 29 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec SSL/TLS EAP

695 views • 48 slides
Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications Ashish Gehani Surendar

Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications Ashish Gehani Surendar

Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications Ashish Gehani Surendar Chandra SRI University of Notre Dame 1 INTRODUCTION : Heterogeneous Applications Name resolution - CoDNS Scientific citations - OverCite

441 views • 17 slides
Semidefinite Approximations of Reachable Sets for Discrete-time Polynomial Systems Victor Magron ,

Semidefinite Approximations of Reachable Sets for Discrete-time Polynomial Systems Victor Magron ,

Semidefinite Approximations of Reachable Sets for Discrete-time Polynomial Systems Victor Magron , CNRS VERIMAG Joint work with Pierre-Loc Garoche (ONERA) Didier Henrion (LAAS) Xavier Thirioux (IRIT) SMAI-MODE 23 March 2016 Victor Magron

912 views • 61 slides
MAT2345 Discrete Math The Course Propositional Logic Dr. Van Cleave Propositional

MAT2345 Discrete Math The Course Propositional Logic Dr. Van Cleave Propositional

MAT2345 Discrete Math Dr. Van Cleave Guidelines MAT2345 Discrete Math The Course Propositional Logic Dr. Van Cleave Propositional Equivalences Predicates & Quantifiers Fall 2013 Nested Quantifiers Dr. Van Cleave MAT2345

757 views • 54 slides
Fuzzy geometry via noncommutative frames: fuzzy de Sitter space Maja Buri c University of

Fuzzy geometry via noncommutative frames: fuzzy de Sitter space Maja Buri c University of

Fuzzy geometry via noncommutative frames: fuzzy de Sitter space Maja Buri c University of Belgrade ESI Vienna July 2018 Outline Introduction 1 Frame formalism 2 SO(1,4) algebra 3 Representations 4 Maja Buri c (University of

605 views • 28 slides
Security and Authorization Access to large databases is generally selective: Distinct users

Security and Authorization Access to large databases is generally selective: Distinct users

Security and Authorization Access to large databases is generally selective: Distinct users have distinct privileges. The process of defining and granting these privileges is called authorization. Authorization is generally a positive

514 views • 22 slides
Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook <keescook@google.com> (pronounced Case) Who is

474 views • 33 slides
Current Research and Open Problems in Attribute-Based Access Control Daniel Servos

Current Research and Open Problems in Attribute-Based Access Control Daniel Servos

Current Research and Open Problems in Attribute-Based Access Control Daniel Servos dservos5@uwo.ca Department of Computer Science Topics Survey/Proposal Daniel Servos TSP: ABAC February 10th 1 / 31 1. Talk Outline Outline 1 Background

1.23k views • 90 slides
Markov Decision Process Assumption: agent gets to observe the state [Drawing from Sutton and

Markov Decision Process Assumption: agent gets to observe the state [Drawing from Sutton and

Discretization Pieter Abbeel UC Berkeley EECS Markov Decision Process Assumption: agent gets to observe the state [Drawing from Sutton and Barto, Reinforcement Learning: An Introduction, 1998] Markov Decision Process (S, A, T, R, H) Given S:

381 views • 26 slides

More recommend