Overview of UNIX System Protection

 
UNIX System Protection
 
 
Unix History
 
Developed by Dennis Ritchie and Ken Thompson at AT&T Bell Labs

Adapted some ideas from the Multics project in 1969
 
Design Features
 
Written in C – portable

Application program interface (API) – enabled programmers to write applications that are compatible with multiple platforms

A small base program called “kernel” with a standard interface to interact
 
Security
 
Security goal:
A common platform that could be shared by several users
Security problem becomes one of “protection”
 
Common mechanisms
Password storage
Protection ring
Access control lists
 
Kernel and Processes
 
A running Unix system consists of the kernel and the processes, each running a program
Protection ring boundary isolates the kernel from the processes
Each process has its own address space
The concept of “file” for representing all persistent system objects
 
Trusted Computing Base
 
The set of software and data upon which the system depends for correct enforcement of system security goals

Consists of the kernel and processes running with root (superuser) privilege
 
Unix Protection System
 
What does protection mean?
An access enforcement mechanism that authorizes requests from subjects to perform operations on objects
Requests: read, write, etc.
Subjects: users, processes, etc.
Objects: files, sockets, etc.
 
 
Unix Protection System
 
Protection state: describes the operations that system subjects can perform on system objects

UNIX protection state specification
Subjects: process identities
Process identities: user id (UID), group id (GID), and a set of supplementary groups.
Objects: files
Access: read, write, execute
Protection state is specified by an access control list (ACL) associated with each file
 
Unix File
 
Each file is associated with:
An owner UID and an owner GID
Process with the owner UID privilege can modify the protection state

“mode bits” describe the ACL of a file
{owner bits, group bits, others bits}, where each element consists of a read bit, a write bit, and an execute bit
e.g., rwxr--r--
 
Authorization Mechanism
 
If the process UID corresponds to the owner UID of the file, use the mode bits for the owner to authorize access.
Else if the process GID or supplementary groups correspond to the file’s group GID, use the mode bits for the group permissions.
Otherwise, use the permissions assigned to all others.

Examples

-rw-rw-r--    1 simon    faculty        14 Sep  8 03:59 file1
-rw-rw-r--    1 user1    faculty        14 Sep  8 04:04 file2
-rw-rw-r--    1 user2    students       14 Sep  8 04:04 file3
“simon” belongs to group “faculty”
“user1”, “user2” belong to group “students”
 
-r--------    1 simon    faculty        14 Sep  8 03:59 file1
----r-----    1 user1    students       14 Sep  8 05:01 file2
-------r--    1 user2    students       14 Sep  8 05:02 file3
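
Added example (not part of the original slides): the three-step authorization check modelled in Python and run over the second listing above, using the group memberships the slide gives. It assumes exactly one permission class is selected and only its bits are consulted, does not model root, and treats a process's GID and supplementary groups as one set; the function names are illustrative.

```python
# Added example: models the owner -> group -> others check from the slides.
from dataclasses import dataclass

# Group membership as stated on the Examples slide.
GROUPS = {"simon": {"faculty"}, "user1": {"students"}, "user2": {"students"}}

@dataclass
class FileEntry:
    mode: str    # symbolic mode from ls -l, e.g. "-r--------"
    owner: str
    group: str

def parse_ls_line(line):
    """Parse one `ls -l` line into (file name, FileEntry)."""
    fields = line.split()
    return fields[-1], FileEntry(mode=fields[0], owner=fields[2], group=fields[3])

def selected_class(user, f):
    """Pick exactly one permission class; the first match wins."""
    if user == f.owner:
        return "owner"
    if f.group in GROUPS.get(user, set()):
        return "group"
    return "others"

def authorize(user, f, op):
    """Return True if `user` may perform op ('r', 'w' or 'x') on f."""
    offset = {"owner": 1, "group": 4, "others": 7}[selected_class(user, f)]
    bits = f.mode[offset:offset + 3]          # the three bits of that class only
    return bits["rwx".index(op)] == op

# Second listing from the Examples slide, copied as-is.
LISTING = """\
-r--------    1 simon    faculty        14 Sep  8 03:59 file1
----r-----    1 user1    students       14 Sep  8 05:01 file2
-------r--    1 user2    students       14 Sep  8 05:02 file3
"""

def read_matrix():
    """Map each file to {user: may_read} for the three users on the slide."""
    files = dict(parse_ls_line(l) for l in LISTING.splitlines())
    return {n: {u: authorize(u, f, "r") for u in GROUPS} for n, f in files.items()}

if __name__ == "__main__":
    for name, row in read_matrix().items():
        print(name, row)
```

user1 cannot read file2 and user2 cannot read file3 even though each owns the file: the owner class is selected first, its bits are empty, and the group or others bits are never consulted.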
 
Protection State Modification in Unix
 
Protection state operations: enable a protection state to be modified

In Unix, the protection state can be modified by any process that has the owner ID privilege
This is called “discretionary access control”
Essentially we have to trust all user-level processes to achieve the security goal of protection
 

UNIX System Protection focuses on ensuring security and access control mechanisms within the UNIX operating system. Developed in 1969 by Dennis Ritchie and Ken Thompson at AT&T Bell Labs, UNIX features design elements like a portable API, protection rings, kernel processes, and a trusted computing base. The system enforces protection states to regulate subjects' interactions with system objects, such as files, using access control lists. UNIX provides a robust framework for securing system resources and maintaining user privacy.

  • UNIX
  • System Protection
  • Security
  • Access Control
  • Operating System

Uploaded on Sep 20, 2024

