Overview of UNIX System Protection
UNIX System Protection focuses on ensuring security and access control mechanisms within the UNIX operating system. Developed in 1969 by Dennis Ritchie and Ken Thompson at AT&T Bell Labs, UNIX features design elements like a portable API, protection rings, kernel processes, and a trusted computing base. The system enforces protection states to regulate subjects' interactions with system objects, such as files, using access control lists. UNIX provides a robust framework for securing system resources and maintaining user privacy.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Unix History Developed by Dennis Ritchie and Ken Thompson at AT&T Bell Labs Adapted some ideas from the Multics project in 1969
Design Features Written in C portable Application program interface (API) enabled programmers to write applications that are compatible with multiple platforms A small base program called kernel with a standard interface to interact
Security Security goal: A common platform that could be shared by several users Security problem becomes one of protection Common mechanisms Password storage Protection ring Access control lists
Kernel and Processes A running Unix system consists of the kernel and the processes each running a program Protection ring boundary isolates the kernel from the processes Each process has its own address space The concept of file for representing all persistent system objects
Trusted Computing Base The set of software and data upon which the system depends for correct enforcement of system security goals Consists of the kernel and processes running with root (superuser) privilege
Unix Protection System What does protection mean? An access enforcement mechanism that authorizes requests from subjects to perform operations on objects Requests: read, write, etc. Subjects: users, processes, etc. Objects: files, sockets, etc.
Unix Protection System Protection state: describes the operations that system subjects can perform on system objects UNIX protection state specification Subjects: process identities Process identities: user id (UID), group id (GID), and a set of supplementary groups. Objects: files Access: read, write, execute Protection state is specified by an access control list (ACL) associated with each file
Unix File Each file is associated with: An owner UID and an owner GID Process with the owner UID privilege can modify the protection state mode bits describe the ACL of a file {owner bits, group bits, others bits}, where each element consists of a read bit, a write bit, and an execute bit e.g., rwxr--r--
Authorization Mechanism If the process UID corresponds to the owner UID of the file, use the mode bits for the owner to authorize access. Else if the process GID or supplementary groups correspond to the file s group GID, use the mode bits for the group permissions. Otherwise, use the permissions assigned to all others.
Examples -rw-rw-r-- 1 simon faculty 14 Sep 8 03:59 file1 -rw-rw-r-- 1 user1 faculty 14 Sep 8 04:04 file2 -rw-rw-r-- 1 user2 students 14 Sep 8 04:04 file3 simon belongs to group faculty user1 , user2 belong to group students -r-------- 1 simon faculty 14 Sep 8 03:59 file1 ----r----- 1 user1 students 14 Sep 8 05:01 file2 -------r-- 1 user2 students 14 Sep 8 05:02 file3
Protection State Modification in Unix Protection state operations: enable a protection state to be modified In Unix, the protection state can be modified by any process that has the owner ID privilege This is called discretionary access control Essentially we have to trust all user-level processes to achieve the security goal of protection