Softpanorama


Introduction to Access Control in Operating Systems


Introduction

Access control is, at bottom, just another name for the compartmentalization of resources.

It is useful to group the general problems involved in making sure that files are not read or modified by unauthorized people under a common umbrella, access control. There are two aspects to it:

  1. Access control policy, which defines whose data is to be protected from whom.
  2. Access control mechanisms, the means by which the operating system enforces the policy. Among them the following are the most important

Classic Unix systems have at least one user, root, with the privilege to access any file on the system. For everyone else the protection domain of a process is defined by its credentials: the effective UID, the effective GID and the list of supplementary GIDs (the (uid, gid) pair of textbook descriptions is the simplified form). Given a set of credentials it is possible to enumerate every object the process can reach and the rights it has on each. Two processes with the same credentials have access to exactly the same set of objects; processes with different credentials generally have access to different sets, although those sets can overlap or even coincide.

Additionally, in Unix each process has two halves: a user part and a kernel part. When a process makes a system call it switches from the user role to the kernel role, which has access to a different (and larger) set of objects than the user part. A system call therefore implies a domain switch, from user to kernel, and the kernel part is the only place where the credential checks described above are actually performed.

At every instant each process runs in some protection domain, so there is a definite collection of objects the process can access and, for each object, a set of access rights. Processes can switch from domain to domain during execution, for example by entering the kernel or by executing a setuid program.

The Unix division of a process into user and kernel parts is a simplified descendant of the more powerful domain-switching mechanism used in MULTICS. The MULTICS design provided up to 64 domains per process (the later Honeywell 6180 hardware implemented 8 of them), not the two (kernel and user) of Unix or MVS. A MULTICS process could be considered a collection of procedures, each running in a domain called a ring. The innermost ring was the most powerful, the operating system kernel, and moving outwards from it the rings became successively less powerful. When a procedure in one ring called a procedure in a different ring a trap occurred, and on that trap the system had the option to change the protection domain of the process.

Unix permissions model

Unix introduced a simple model of file permissions in the 70's which has proven to be quite effective and easy to understand. In this model each file has three attributes, read (r), write (w) and execute (x), for each of three access categories (owner, group and world):

There is also one implicit right: the ability to delete (unlink) a file or directory. It is a property not of the object in question but of the directory that contains it: a user with write and search (x) permission on the directory can delete any entry in it, whatever the entry's own mode bits say. The one exception is the sticky bit on a directory (as on /tmp), which restricts deletion to the owner of the entry, the owner of the directory and root.

Moreover, the execute bit on a directory (the search bit) works as a partial access blocker for the files in it, and it is worth keeping the two directory bits apart. Without read permission on the directory there is no way to obtain a listing of it, but if you know a file's name you can still open the file. Without the search bit it is the other way round: read permission still lets you list the names, but you cannot reach anything inside the directory by name.

Because of the popularity of Samba, Unix later acquired ACLs modelled on the Windows ones (the ACLs of the withdrawn POSIX.1e draft, and NFSv4 ACLs), bolted on beside the original rwx model.

The result is a mess, and few organizations have adopted ACLs on Unix servers because of the complexity and the poor integration with the classic model. The existence of a second, by and large independent model not only confuses administrators, it is a real security risk: ls -l shows an ACL only as a trailing + after the mode bits, the group bits of such a file silently become the ACL mask rather than the group's rights, and a grant added with setfacl is invisible to anyone who audits permissions by reading the mode bits. Only getfacl shows who can really reach the file.

In the original Unix model each file has three rwx access classes: user (u), group (g) and other (o). A group is essentially a role, and the primary group a primary role. A user can be a member of many groups (historically at most NGROUPS_MAX, 16 on early BSD, and still only 16 in the AUTH_SYS credentials that NFS carries over the wire), but Unix groups are atomic: they cannot contain other groups. This is a serious shortcoming of the classical Unix model.

System groups and pseudo-groups

There is also the auxiliary concept of system groups, similar in spirit to privileged ports: groups with a GID below a fixed cutoff (traditionally 100; current distributions reserve everything below 1000 for system accounts) are considered system groups. Some of them exist not to give a set of users access to files but to partition the permission space between daemons and subsystems: adm, sys, daemon, lp, mail, uucp, games, ftp, nobody and so on. Users whose primary group is such a pseudo-group typically have no usable shell; /sbin/nologin (which prints a refusal message) or /bin/false is used instead, so nobody can log in as them. They can be called pseudo-users.

Another severe limitation of this model is that a file can belong to only one group. That can be partially rectified by "metagroups", groups that are simply aggregations of existing groups, but the solution requires extra effort and discipline: since /etc/group cannot express nesting, it has to be generated from a template by a macro processor or script that expands the nested groups into flat member lists. If the number of groups allowed is large (of the same order as the number of files and directories) the metagroup approach is, for file-level grants, nearly as expressive as ACLs and much simpler, at the cost of a relatively simple generation step for /etc/group. Two caveats remain: a file still has exactly one group, so every distinct set of users that needs its own grant needs its own group, and a user's supplementary group list is fixed at login, so a regenerated /etc/group takes effect only after the user logs in again (or runs newgrp).
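The generation step described above, as an added example that is not part of the original page: a small generator that takes a group template in which a member written as @name means "all members of group name", and flattens it into the member lists /etc/group can hold. The template format, the group names and the GIDs are this example's own construction; the expansion keeps a visited set so that a group reachable by two paths is expanded once and a cyclic reference terminates.

```c
/* Added example (not from the page): expand nested "metagroups" into flat
 * /etc/group member lists. Template format and sample data are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS  16
#define MAX_MEMBERS 32
#define NAME_LEN    32

struct tgroup {
    const char *name;
    int gid;
    const char *members[MAX_MEMBERS];   /* "user" or "@othergroup"; NULL-terminated */
};

/* constructed template: ops and dev are plain groups, the rest are metagroups */
static const struct tgroup tmpl[] = {
    { "ops",         200, { "alice", "bob", NULL } },
    { "dev",         201, { "carol", "bob", NULL } },
    { "engineering", 300, { "@ops", "@dev", "dave", NULL } },
    { "all",         400, { "@engineering", "@ops", "eve", NULL } }, /* @ops twice: no duplicates */
    { "loop_a",      500, { "@loop_b", NULL } },                    /* cycle: must terminate */
    { "loop_b",      501, { "@loop_a", "frank", NULL } },
    { "broken",      600, { "@nosuch", NULL } },                    /* dangling reference */
};
static const int ntmpl = sizeof tmpl / sizeof tmpl[0];

static const struct tgroup *find_group(const char *name)
{
    for (int i = 0; i < ntmpl; i++)
        if (strcmp(tmpl[i].name, name) == 0)
            return &tmpl[i];
    return NULL;
}

/* append name unless already present; false when the list is full */
static bool add_unique(char out[][NAME_LEN], int *n, const char *name)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(out[i], name) == 0)
            return true;
    if (*n >= MAX_MEMBERS || strlen(name) >= NAME_LEN)
        return false;
    strcpy(out[(*n)++], name);
    return true;
}

/* depth-first expansion; the visited set makes diamonds dedupe and cycles stop */
static bool expand_into(const struct tgroup *g, char out[][NAME_LEN], int *n,
                        const struct tgroup *visited[], int *nvisited)
{
    for (int i = 0; i < *nvisited; i++)
        if (visited[i] == g)
            return true;
    if (*nvisited >= MAX_GROUPS)
        return false;
    visited[(*nvisited)++] = g;
    for (int i = 0; g->members[i] != NULL; i++) {
        const char *m = g->members[i];
        if (m[0] == '@') {
            const struct tgroup *sub = find_group(m + 1);
            if (sub == NULL || !expand_into(sub, out, n, visited, nvisited))
                return false;           /* unknown group: refuse to generate a wrong file */
        } else if (!add_unique(out, n, m)) {
            return false;
        }
    }
    return true;
}

/* Flatten one group into out[]; returns the member count or -1 on error. */
int expand_group(const char *name, char out[][NAME_LEN])
{
    const struct tgroup *g = find_group(name);
    if (g == NULL)
        return -1;
    const struct tgroup *visited[MAX_GROUPS];
    int n = 0, nvisited = 0;
    if (!expand_into(g, out, &n, visited, &nvisited))
        return -1;
    return n;
}

/* Render "name:x:gid:m1,m2,..." as it would appear in /etc/group.
 * Returns a pointer to a static buffer (single-threaded demo), NULL on error. */
const char *render_group_line(const char *name)
{
    static char line[256];
    char members[MAX_MEMBERS][NAME_LEN];
    int n = expand_group(name, members);
    if (n < 0)
        return NULL;
    int len = snprintf(line, sizeof line, "%s:x:%d:", name, find_group(name)->gid);
    for (int i = 0; i < n && len < (int)sizeof line; i++)
        len += snprintf(line + len, sizeof line - len, "%s%s", i ? "," : "", members[i]);
    return len < (int)sizeof line ? line : NULL;
}

int main(void)
{
    for (int i = 0; i < ntmpl; i++) {
        const char *l = render_group_line(tmpl[i].name);
        printf("%s\n", l ? l : "(refused: unresolvable reference)");
    }
    return 0;
}
```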

User Private Groups (UPG)

One interesting step toward this model is the concept of User Private Groups (UPG) introduced in Red Hat. The UPG scheme makes Unix groups easier to use. It does not add to or change anything in the standard Unix way of handling groups; it is simply a new convention for classic Unix groups: whenever you create a new user, by default he or she gets a unique private group with a GID identical to the UID.

One of the limitations of the Unix model is that ordinary users do not have the right to create their own groups. In this way the model shoots itself in the foot. There are ways around this, but Unix has never introduced a standard solution to the problem. We can think of the Unix model as a coarse approximation of the ACL model.

For more information see User Private Groups

Inheritance of permissions

One of the most interesting aspects of file security in any OS is the mechanism by which security attributes are inherited by new files. A newly created file has to start out with some set of permissions, and what that default set is differs between flavors of Unix. Two things are decided at creation time: the mode bits and the group.

The mode bits are never inherited from the directory. The creating call asks for a mode (open(2) and creat(2) conventionally ask for 0666, mkdir(2) for 0777) and the kernel clears every bit that is set in the process's umask. This holds for root as well; the difference for root is only that the resulting bits do not restrict root afterwards.

The group is where the flavors differ. Under BSD semantics a new file always takes the group of the directory it is created in; under System V semantics it takes the effective group of the creating process. Most current systems, Linux included, are hybrids: System V behavior by default, BSD behavior for any directory that has the setgid bit set, and a new subdirectory inherits the setgid bit itself so the rule propagates down a shared tree. This is what makes shared project directories work with the plain group model.
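The creation rules above, as an added example that is not part of the original page. The umask and group rules are written as pure functions so they can be checked against constructed inputs, and observe_created_mode() confirms the umask rule against a real temporary file under /tmp. It assumes Linux/BSD semantics and a writable /tmp; the function names are this example's own.

```c
/* Added example (not from the page): how a new inode's mode bits and group are
 * derived at creation time. Assumes Linux/BSD semantics and a writable /tmp. */
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Mode bits are not inherited: the caller's requested mode is masked by the
 * process umask. 07777 keeps the suid/sgid/sticky bits in scope too. */
mode_t creation_mode(mode_t requested, mode_t umask_value)
{
    return requested & ~umask_value & 07777;
}

/* Group: System V gives the creator's effective gid, BSD gives the parent
 * directory's gid. Linux uses System V by default and switches to BSD
 * behaviour per directory when the directory carries the setgid bit. */
gid_t creation_gid(gid_t parent_gid, mode_t parent_mode, gid_t process_egid, bool bsd_groups)
{
    if (bsd_groups || (parent_mode & S_ISGID))
        return parent_gid;
    return process_egid;
}

/* The setgid bit itself propagates to new subdirectories (not to files), so a
 * shared tree keeps its group all the way down. */
mode_t creation_dir_mode(mode_t requested, mode_t umask_value, mode_t parent_mode)
{
    mode_t m = creation_mode(requested, umask_value);
    if (parent_mode & S_ISGID)
        m |= S_ISGID;
    return m;
}

/* Create a file with the given umask and requested mode inside a private
 * temporary directory, and return the permission bits stat(2) reports
 * (-1 on error). Shows that the kernel, not the caller, applies the umask. */
int observe_created_mode(mode_t umask_value, mode_t requested)
{
    char dir[] = "/tmp/umaskdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)            /* mkdtemp creates the directory 0700 */
        return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/f", dir);

    mode_t old = umask(umask_value);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);                           /* restore the caller's umask */

    int result = -1;
    struct stat st;
    if (fd >= 0 && fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 07777);
    if (fd >= 0) {
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("open(..., 0666) under umask 022 -> %04o\n", observe_created_mode(022, 0666));
    printf("open(..., 0666) under umask 077 -> %04o\n", observe_created_mode(077, 0666));
    printf("mkdir under a setgid parent, umask 022 -> %04o\n",
           creation_dir_mode(0777, 022, S_IFDIR | 02775));
    return 0;
}
```

Note that the umask can only remove bits; a program that wants a 0600 file regardless of the user's umask must ask for 0600 (or fchmod afterwards), and a program that asks for 0666 is relying on the umask for safety.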

Process permissions

Access rights apply not only to secondary storage but to any resource, in particular to the right to communicate with, control or request services from a process. The same basic ideas apply, but the access controls usually have different attributes. Process permissions are usually set either by access control lists or on the basis of understood protocols, such as passwords, keys or cookies (opaque tokens handed to authorized clients and presented back as proof of authorization).

Unix processes carry an owner and a group membership. These are normally inherited from the parent process, and ultimately from the user who logged in and started the process; they do not come from the program file. The exception is a setuid or setgid program, whose effective user or group is taken from the owner or group of the executable, while the real IDs stay those of the invoker. Each process has exactly the privileges afforded to it by these labels. The kernel checks them at every open(2) rather than once at login, so a process that sheds them with setuid(2) loses the corresponding access immediately, except on files it already has open.
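Because the labels are the privilege, the standard discipline for a setuid-root helper is to do its privileged work and then shed the labels for good. The following is an added example, not code from the original page: it drops supplementary groups, gid and uid in that order (once the uid is gone, the other two can no longer be changed) and then verifies that the drop is permanent by checking that root cannot be regained. It assumes Linux semantics, where setuid(2) called by root sets the real, effective and saved uid together; the function names are this example's own.

```c
/* Added example (not from the page): permanent privilege drop with
 * verification, Linux semantics assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid permanently. Returns 0 when the kernel confirms the new
 * labels and (for a non-root target) refuses to give root back, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* 1. supplementary groups: only root may call setgroups(2), and there is
     *    nothing to clear if the list is already empty */
    if (geteuid() == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0)
        return -1;
    /* 2. gid before uid: after setuid() we would no longer be allowed to */
    if (setgid(gid) != 0)
        return -1;
    /* 3. uid last; as root this sets real, effective and saved uid at once */
    if (setuid(uid) != 0)
        return -1;

    /* verify rather than trust: the kernel must now report the target labels */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* and, unless the target is root itself, regaining root must fail with EPERM.
     * If setuid(0) succeeded here the saved uid would still be 0, i.e. only a
     * temporary drop had happened. */
    if (uid != 0 && (setuid(0) == 0 || errno != EPERM))
        return -1;
    return 0;
}

/* The other pattern: a temporary drop keeps the saved uid, so the privilege
 * can be regained with seteuid(0) later (e.g. to open one protected file).
 * Use it only when a regain is really needed; it is exactly what the
 * verification above rejects. */
int drop_privileges_temporarily(uid_t uid)
{
    return seteuid(uid);
}

int main(void)
{
    printf("before: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("after:  uid=%u euid=%u (permanent)\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user the drop is a no-op that still passes verification; installed setuid root it drops to the invoking user, which is the case that matters.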

Kernel two modes operation

The basic security of multiuser operating systems lies in the ability to restrict privilege. One design criterion is to prevent malicious users from circumventing the security mechanisms. In some operating systems this was possible through accidental or deliberate memory corruption. Since software is often buggy, we should not rely on software alone to behave properly; stronger measures are needed to protect the system. This was the idea behind two-mode operation (see the operating system course notes): with the protection boundary enforced by the hardware, a bug in user-level code cannot rewrite kernel data structures. The Multics operating system generalized this idea to more than two modes, with a series of protection levels, or rings, each of which encapsulated the inner rings. A typical use of protection rings would be the following:

In Unix's two-mode operation only two rings are used: the kernel ring and the user ring (rings 0 and 3 on x86). This has made it easy to port Unix to the many architectures that support two-mode operation (PCs from the i386 onwards among them).

Role based permissions

In a dynamic, interactive situation we could generalize the notion of access so that users exercise different permissions depending on what they are doing. This increases the complexity of the model and can be done in several different ways:

If you think about it, the global, static permissions used in Unix are an anachronism. There should be a mechanism that prevents a process from accessing files in, say, /etc even if part of the process runs with root privileges. This can be done in several different ways:

Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019