Fall 2014:: CSE 506:: Section 2 (PhD)
Access Control Lists in Linux & Windows
Vasudevan Nagendra & Yaohui Chen
Categorization: Access Control Mechanisms
• Discretionary Access Control (DAC): the owner of an object specifies who can access that object (files/directories).
 - Access is controlled at the discretion of the owner.
 - Access privileges are decided when the file is created.
 - Examples: Windows, Linux, Mac, Unix
• Mandatory Access Control (MAC): the system specifies which subjects (users/processes) can access which objects.
 - Based on a security label mechanism.
 - Subjects are given a clearance.
 - Objects are given a security classification.
 - Access is decided by matching the clearance of the subject against the classification of the object.
 - Example labels: secret, top secret, confidential
Access Control Lists (ACLs)
• Filesystem access control mechanisms:
 - ACLs
 - Role Based Access Control (RBAC)
 - Either can be implemented as DAC or as MAC.
• ACL: fine-grained discretionary access rights attached to files & directories.
 - Specifies which users/processes are granted access to an object.
 - Access rights are tied to objects.
• RBAC: system access is granted on the basis of authorized roles.
 - Specific roles are permitted to perform certain operations.
 - Access rights are not tied to objects.
 - Example: roles created for the various job functions in an organization.
 - Consider a multiuser system that users holding different roles are accessing.
ACLs continued
• Network access control mechanism: Netfilter
• Netfilter (network ACLs): the network traffic filtering framework for Linux.
 - A set of hooks in the kernel for handling packets.
 - Intercepts calls, events or messages passed between software components of the OS or applications.
 - Registers callbacks with the network stack; they are called for every packet.
 - Access controls / filtering rules are applied there.
Background: 9-bit permission model
• Every file system object is associated with:
 - 3 user classes (owner, group, others),
 - 3 sets of permissions,
 - 9 bits that determine the access characteristics.
 - Also called base or minimal ACLs.
• Example: ls -la file.txt
 -rwxrw-r-- 1 root cse506 2 Nov 19 05:55 file.txt
 - Owner class: read, write & execute access
 - Group class: read & write access
 - Others class: read-only access
 - File permissions are changed with chmod.
Background: other access control options
• Setuid: allows a subject to run an executable with the permissions of the file owner.
 - Used when the subject itself does not have adequate permission.
 - Examples: passwd, gpasswd, sudo, chsh, mount, ping, su, umount
• Setgid: the equivalent property for groups.
 - No matter which user starts it, the program runs under the file's group ID.
 - All files & directories created inside a setgid directory belong to the group owning that directory.
• Sticky bit: assigned to directories; prevents users from deleting each other's files.
 - Example: /tmp, where any user can store files but only the owner of a file may modify or delete it.
UMASK
• Consider the default permissions of newly created files and directories: 666 & 777 respectively.
 - To change this default behavior, use umask.
• umask defines the permission bits that are masked out when an object is created.
• Example: umask 002
 - File creation: (666 - 002 = 664) = rw- rw- r--
 - Directory creation: (777 - 002 = 775) = rwx rwx r-x
 - Strictly, the mask is applied as mode & ~umask rather than by subtraction; the two agree here but differ when a mask bit is not set in the default mode (e.g. umask 027 on a new file gives 640, not 637).
Drawbacks & limitations of the 9-bit permission model
The price of playing tricks with this permission model:
• Setuid-root
 - Allows even ordinary users to perform administrative tasks.
 - A buggy setuid application easily compromises the whole system.
 - Increases the complexity of system configuration.
• Limitations of the base/9-bit permission model:
 - No fine-grained access control for users outside the three classes.
Extended ACLs for finer-grained control
• Extended ACLs provide:
 - access control beyond simple user/group/other ownership,
 - more than the 3 base classes,
 - any number of named user & named group entries,
 - a mask entry.
Utilities/library functions:
• getfacl: check the current state of the ACL on a file/directory.
 getfacl test-dir
• setfacl: modify/add ACL entries for additional users or groups.
 setfacl -m user:student1:rwx,group:osclass:rwx test-file
• chacl: changes the ACL of a file or directory.
 chacl u::rwx,g::r-x,o::r-- test-file
Access Control Entries (ACE)
• A set of entries that defines the permissions of users or groups.
Example of an ACL in a Linux system (type | text form):
 Base class:
 owner user::rw-
 owning group group::rw-
 other other::---
 Extended class:
 named user user:vasu:rwx
 named group group:vasu_grp:rwx
 mask mask::rw-
 Default class:
 default:user::rwx
 default:group::r-x
 default:group:vasu_grp2:r-x
 default:mask::r-x
 default:other::---
More details of extended ACLs
• Default ACL:
 - defined for a directory,
 - objects created in the directory inherit it.
• Extended ACLs contain entries for additional users or groups.
 - What if the permissions granted are not contained within those of the owning group?
 - Solution: the mask entry.
• Mask entry: the maximum access rights that can be granted to users and groups.
 - The mask applies to:
 • named users,
 • named groups &
 • the owning group.
Extended Attributes (EAs)
• Typically stored in a separate data block referenced from the inode.
 - Attributes define properties of files.
Examples:
1. For ext4 in Linux:
 - the inode has a field i_file_acl (type ext4_fsblk_t),
 - i_file_acl references the filesystem block in which the EAs are stored.
2. For Solaris with the UFS file system:
 - the inode has a field i_shadow,
 - it references the file system block in which the EAs are stored,
 - files with the same ACL point to the same shadow inode,
 - an implementation-dependent optimization.
ACL implementations
• How are ACLs passed between user and kernel space?
 - FreeBSD, Solaris, IRIX & HP-UX have separate ACL system calls.
 - Linux uses extended attributes.
 - Large performance degradation on the first access to a file.
 - ACL caching is provided by some file systems.
 - Some file systems limit the number of ACEs (implementation dependent).
Reference: http://users.suse.com/~agruen/acl/linux-acls/online/
Access check algorithm
• A subject's access request to an object:
 - Step 1: select the ACL entry that most closely matches the requesting process.
 - ACL entries are looked up in the following order:
 • owner
 • named users
 • (owning or named) groups
 • others
 - Only a single entry determines the access.
 - Step 2: check whether the matching entry contains sufficient permissions.
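The ACE text form, the mask rule and the two-step check above, as an added example (not code from the slides): a Python model that parses getfacl-style entries and runs the access check. Names stand in for numeric ids, and the group step follows the acl(5) rule that when several group entries match, any one of them granting the request suffices.

```python
# Added example (not from the slides): a model of the Linux ACL access check.
# Entries use the getfacl short text form; names stand in for numeric ids.
R, W, X = 4, 2, 1

def perm_bits(text):
    return (R if 'r' in text else 0) | (W if 'w' in text else 0) | (X if 'x' in text else 0)

def parse_acl(text):
    """Parse getfacl-style lines into (tag, qualifier, bits); default entries are skipped."""
    acl = []
    for line in text.splitlines():
        line = line.split('#')[0].strip()          # drop '# file:' and '#effective' comments
        if not line or line.startswith('default:'):
            continue
        tag, qual, perms = line.split(':')
        acl.append((tag, qual, perm_bits(perms)))
    return acl

def posix_acl_check(acl, uid, gids, owner, owner_group, requested):
    """True if subject (uid, gids) gets all requested bits on an object owned by
    (owner, owner_group). Step 1 picks the entry class: owner -> named user ->
    groups -> other; step 2 tests the bits, masking named users and all groups."""
    entries = {}
    for tag, qual, bits in acl:
        entries.setdefault(tag, {})[qual] = bits
    mask = entries.get('mask', {}).get('', 7)      # no mask entry: nothing is masked
    ok = lambda bits: requested & bits == requested
    if uid == owner:                                # owner entry; mask does not apply
        return ok(entries['user'][''])
    if uid in entries.get('user', {}):              # named user entry, masked
        return ok(entries['user'][uid] & mask)
    matching = [entries['group']['']] if owner_group in gids else []
    matching += [b for g, b in entries['group'].items() if g and g in gids]
    if matching:                                    # acl(5): any matching group entry suffices
        return any(ok(b & mask) for b in matching)
    return ok(entries['other'][''])                 # other entry; mask does not apply

# Constructed sample mirroring the ACE slide (object owned by root, group cse506)
SAMPLE_ACL = parse_acl("""
user::rw-
user:vasu:rwx
group::rw-
group:vasu_grp:rwx
mask::rw-
other::---
""")
# e.g. posix_acl_check(SAMPLE_ACL, 'vasu', ['users'], 'root', 'cse506', X) -> False
# (the named-user rwx is cut down to rw- by the mask), while R | W -> True.
```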
Netfilter: network ACLs for Linux
• Packet filtering framework inside the Linux kernel.
• Provides the following main functions:
 - Packet filtering: ACCEPT / DROP / LOG & other actions
 - NAT: changing IP address/port (source & destination)
 - Mangling: changing packet contents, ToS, labeling, etc.
• Supports both stateless & stateful packet filtering:
 - stateless: keeps no track of the state of packets
 - stateful: keeps track of packets (connection tracking)
• Supports both IPv4 & IPv6
Netfilter architecture for network ACLs
• Hooks & custom functions:
 - Hooks are provided at several points of the kernel network stack.
 - Hooks are used to attach custom functions that:
 - manipulate packet headers & data,
 - take actions on the packets themselves.
• Purposes of hooks in general:
 - Debugging
 - Extending functionality
 • Intercepting keyboard/mouse events
 • Monitoring system calls to analyze system behavior
Architecture: Netfilter architecture
• PREROUTING: triggered before the routing decision.
• POSTROUTING: triggered after the routing decision.
• FORWARD: actions on forwarded packets ("ACLs").
• INPUT: actions on incoming packets (kernel path to local processes).
• OUTPUT: actions on outgoing packets (from local processes).
Figure: Netfilter architecture. Incoming packets on ethX pass PREROUTING, then the routing decision sends them either to INPUT (local processes) or to FORWARD; outgoing packets from local processes pass OUTPUT and the routing decision; both forwarded and locally generated packets pass POSTROUTING before leaving on ethY.
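The hook traversal in the figure, with a stateless filter attached to each hook, as an added example (not code from the slides, and not Netfilter's own API): addresses, rule lists and packets are constructed for the demo; on a real system the rules are installed with iptables or nftables.

```python
# Added example (not from the slides): which Netfilter hooks a packet traverses,
# and a first-match stateless filter per hook. All addresses/rules are constructed.
LOCAL_ADDRS = {'10.0.0.1'}           # addresses owned by this host (constructed)

def path_for(pkt, local_addrs=LOCAL_ADDRS):
    """Hooks in traversal order, as in the Netfilter architecture figure."""
    if pkt['src'] in local_addrs:                 # locally generated packet
        return ['OUTPUT', 'POSTROUTING']
    if pkt['dst'] in local_addrs:                 # destined to a local process
        return ['PREROUTING', 'INPUT']
    return ['PREROUTING', 'FORWARD', 'POSTROUTING']  # routed through this host

# One ordered rule list per hook: ([(match, verdict), ...], policy). The first
# matching rule wins; a hook with no matching rule falls through to its policy.
RULES = {
    'INPUT': ([({'proto': 'tcp', 'dport': 22}, 'ACCEPT'),
               ({'proto': 'tcp', 'dport': 80}, 'ACCEPT')], 'DROP'),
    'FORWARD': ([({'dst': '192.168.1.10', 'dport': 443}, 'ACCEPT')], 'DROP'),
    'OUTPUT': ([], 'ACCEPT'),
    'PREROUTING': ([], 'ACCEPT'),
    'POSTROUTING': ([], 'ACCEPT'),
}

def filter_packet(pkt, rules=RULES):
    """Run pkt through every hook on its path; return (verdict, hook, path)."""
    path = path_for(pkt)
    for hook in path:
        chain, policy = rules[hook]
        verdict = policy
        for match, target in chain:
            if all(pkt.get(k) == v for k, v in match.items()):
                verdict = target
                break
        if verdict == 'DROP':
            return 'DROP', hook, path   # dropped here; later hooks never see it
    return 'ACCEPT', path[-1], path
```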
Improving the Granularity of Access Control in Windows NT
Yaohui Chen
Access Control in Windows NT
• Access control model: Subject -> Security Reference Monitor (SRM) -> Object
Graph from http://windowsitpro.com/security/q-windows-authorization-process-what-do-terms-access-token-security-descriptor-and-imperson
Access Control in Windows NT, explained
• Process (access token: user SID Chen, group SID Black hats): "Hello mate, I want to read the password file, here's my access token."
• SRM: "Hold on, let me check..."
• The SRM runs the ACL check against the security descriptor of the password file:
 Entry 1: SID: Chen, Type: Access deny, Access mask: Read
• SRM: "NO!!! One of the access control entries in the security descriptor says you, as user Chen, should be denied read access to this file."
Access Control Entry (ACE)
Fields of an ACE:
• Type: Allow, Deny, Audit
• Inherit flag: Inherit_only, No_Propagate, Object_inherit, Directory_inherit
• Access mask: Read, Write, Execute, Create, ...
• SID: users (e.g. Chen), groups (e.g. admin)
Types of ACEs
• Access-denied: used in an ACL to deny access.
• Access-allowed: used in an ACL to allow access.
• System-audit: used in an ACL (the SACL) to log attempts to access the object.
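The password-file scenario and the ACE types above, as an added example (not code from the slides, and not the Windows API): a Python model of how the SRM walks a DACL in order. It assumes SIDs are plain strings and rights are bit flags, and leaves out owner-implied rights and generic-right mapping.

```python
# Added example (not from the slides): a model of the Windows DACL walk.
# ACEs are evaluated in list order; an applicable deny ACE that covers any
# still-needed right denies at once, allow ACEs accumulate rights until the whole
# request is satisfied, and audit ACEs never affect the decision.
READ, WRITE, EXECUTE = 1, 2, 4

def windows_dacl_check(dacl, token_sids, requested):
    """dacl: list of (ace_type, sid, access_mask) in ACL order, or None.
    Returns (granted, index_of_deciding_ace_or_None)."""
    if dacl is None:               # object has no DACL at all: everyone gets full access
        return True, None
    remaining = requested
    for i, (ace_type, sid, mask) in enumerate(dacl):
        if sid not in token_sids:  # ACE names a SID not in the token: skip it
            continue
        if ace_type == 'deny' and mask & remaining:
            return False, i        # explicit deny of an outstanding right wins
        if ace_type == 'allow':
            remaining &= ~mask     # accumulate granted rights
            if remaining == 0:
                return True, i
    return False, None             # ACEs exhausted (or empty DACL) with rights outstanding

# Constructed token and DACL mirroring the password-file slide. The canonical
# order Windows editors write (explicit denies before allows) makes the deny win;
# a non-canonical DACL with the allow first would grant the read instead.
CHEN_TOKEN = {'Chen', 'Black hats'}
PASSWORD_FILE_DACL = [('deny', 'Chen', READ), ('allow', 'Black hats', READ | WRITE)]
```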