CS 513 System Security -- Lecture Notes: 19

CS 513 - System Security
Lecture 19

Lecturer: Professor Fred B. Schneider
Notes by: Vicky Weissman
Lecture Date: 4/6/00

Today's Topics

Preventing Unauthorized Access
ACM Storage
Access Control Lists
Access Control in UNIX

Preventing Unauthorized Access:
A mechanism that uses an ACM to regulate access rights must:

protect the integrity of the ACM
authenticate requests
Without these provisions, a subject could change the ACM or impersonate another subject to gain unauthorized access.
ACM Storage:
To conserve space, only the non-zero elements of the matrix are stored. (The ACM is typically sparse since most subjects can only access a few objects.)
The ACM can be stored as a set of rows where each row, called a capability list (C-list), is maintained by the relevant subject. Alternatively, the ACM can be stored as a set of columns where each column, called an access control list (ACL), is maintained by the relevant object.

Access Control Lists:
Each object, o, maintains a list of the form:
((subject i, i's rights to o), (subject j, j's rights to o), ..., (subject s, s's rights to o))
The time to add, remove, or verify rights is linear with respect to the length of the list.
This time can be reduced by combining subjects with the same rights into a single group.
Example:
ACL = ((i, r_ijk), (j, r_ijk), (k, r_ijk), (m, r_mn), (n, r_mn)) becomes
ACL = ((group_ijk, r_ijk), (group_mn, r_mn)), group_ijk = (i, j, k), group_mn = (m, n)
The time could also be reduced by caching portions of the list. This approach, however, would have to insure cache consistency.
Access Control in UNIX:
UNIX uses access control lists with the following support structure:

The system maintains 2 files, /etc/password and /etc/groups.

/etc/password maintains an entry for each user. A sample entry with the required fields is given below. uid and gid refer to the user and group ids, respectively. Any salt used to encrypt the password would also be kept here.

/etc/groups maintains an entry for each group. A sample entry with the required fields is given below. If the encrypted password field contains *, then no password is required for login.

Each user stores his/her username, uid, and a list of groups to which he/she belongs. (Originally, a user could only belong to 1 group, but this has changed.)
Each process stores the username, uid, and gid of the user that started it. Processes also maintain an effective uid. Child processes inherit these values.
All requests are made by processes.
Most objects are treated as files. Each file maintains an ACL in the form of 12 protection bits which can be modified by the owner. The first 9 bits determine the read (R), write (W), and execute (X) rights for the user/owner (u), owner's group (g), and other users (o). The last 3 bits support domain changes by allowing the uid and gid to be changed from the caller and caller's group to the file owner and file owner's group. (1 of the last 3 bits was not discussed in lecture.)
A subject's access to a file may be restricted by the directories that contain the file.
Example 1:

Subject has R, W, and X rights to the file /usr/file.txt

Subject also has X (but not R or W) right to the directory /usr

Subject can only access /usr/file.txt, if the subject knows the file's name.
Example 2:

Subject has R, W, and X rights to the file /usr/file.txt

Subject also has R (but not W or X) right to the directory /usr

Subject can learn the name of usr/file.txt, but cannot access the file.

CS 513 - System Security Lecture 19

Today's Topics

Preventing Unauthorized Access:

ACM Storage:

Access Control Lists:

Access Control in UNIX:

CS 513 - System Security
Lecture 19