Transcript Document 7782320

Access Control Lists
CSCI283-172 Fall 2008
GWU
Sources:
Memon’s notes, Brooklyn Poly
Bishop’s Text, Chapter 15
Bishop’s slides, Chapter 15
Text by Pfleeger and Pfleeger, Chapter 4
Access Control Mechanisms
•
•
•
•
•
Access Control Matrix
Access Control List
Capability based access control
Lock and Key based access control.
Rings-based access control
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
2
Access Control Lists
• Instead of using ACM, Access Control List (ACL). Essentially
store each column of ACM with the object it represents.
• Definition: Let S be set of subjects and R the set of rights of a
system. An access control list l is a set of pairs
l = {(s, r): s S, r  R}
Let acl be a function that determines the access control list
associated with a particular object o.
Acl(o) = {(si, ri) : 1  i  n}
means that subject si may access o using any right in ri.
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
3
Access Control Lists: example
Columns of access control matrix
file1
file2
file3
Andy
rx
r
rwo
Betty
rwxo
r
Charlie
rx
rwo
w
ACLs:
• file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) }
• file2: { (Andy, r) (Betty, r) (Charlie, rwo) }
• file3: { (Andy, rwo) (Charlie, w) }
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
4
Abbreviated ACL’s
• Although same amount of storage, it is now
distributed.
• To further reduce storage, one can abbreviate ACL’s
as in UNIX.
• One can also assign default access to groups of
subjects as well as specific rights to individual
subjects.
– Two ways of doing this: 1) What is not prohibited is permitted
2) What is not permitted is prohibited. Latter always better!!
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
5
Default Permissions
• Normal: if not named, no rights over file
– Principle of Fail-Safe Defaults
• If many subjects, may use groups or
wildcards in ACL
– UNICOS: entries are (user, group, rights)
• If user is in group, has rights over file
• ‘*’ is wildcard for user, group
– (holly, *, r): holly can read file regardless of her group
– (*, gleep, w): anyone in group gleep can write file
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
6
Accessing Files
• User not in file’s ACL nor in any group named
in file’s ACL: deny access
• ACL entry denies user access: deny access
• Take union of rights of all ACL entries giving
user access: user has this set of rights over
file
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
7
Example - File Protection in Unix
UNIX - allow read, write, execute, delete to each of the
individual groups - owner, group, world.
Difficult for users in different groups to share files, since
each file may belong to exactly one group.
rwx rwx rwx
owner group rest
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
8
Temporary Privilege Elevation: UNIX
Unix set userid (suid) allows another user to
temporarily acquire the protection level of a file’s
owner.
– While executing the program to change their own password,
Unix users actually acquire temporary modify access to the
systems password file, but in a controlled way using suid.
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
9
Unix special users
• Special user with extra privileges –root.
– UID is 0.
– Can do (almost) anything!!
– Holy grail of hackers!
• Other special users
–
–
–
–
–
–
5/26/2016
daemon or sys – handles some network services
ftp – used for anonymous FTP access.
uucp – manages UUCP (Unix to Unix Copy) system.
guest – used for site visitors.
lp - used by printer system
Etc.
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
10
Unix Groups
• Every user belongs to one or more groups.
• The GID of primary group the user belongs to is
stored in passwd file.
• Groups useful for access control features.
• /etc/groups contains a list of all groups in the system
along with GID’s.
• Some special groups –
– wheel - group of administrators
– uucp, lp, etc. – groups corresponding to special users.
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
11
Unix file access control
• Each file entry in a directory is a pointer to a data structure
called inode.
mode
Type of file and access rights
uid
User who owns the file
gid
Group which owns the file
atime
Access time
mtime
Modification time
itime
Inode alteration
Block count
Size of file
Pointer to physical location
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
12
Unix file permission bits
• Two examples of file permissions obtained by ls –l
command
– -rw------– drwxr-xr-x
• First character indicates type of file
–
–
–
–
–
–
5/26/2016
- plain file
d directory
c character device (tty or printer)
b block device
l symbolic link
Etc.
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
13
File permission bits (contd.)
• Next nine characters taken in groups of three indicate
who can do what with the file
– R – Permission to read
– W – Permission to write
– X – Permission to execute
• The three classes of permission correspond
respectively to
– Owner
– Group
– Other
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
14
File permission bits – special cases
• File permission bits do not apply to symbolic links.
• If you have x access but no r access you can execute
the program without reading it (not on linux).
• Execute permission in a directory means you can
change to the directory. Secret Files!
• File permission bits also commonly specified in octal
notation. 0777 mean -rwxrwxrwx, 0600 means -r_x-----, etc.
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
15
Umask and default permissions
• umask (User file creation mode mask) is a four digit
octal number used to determine file permissions for
newly created files.
• It defines permission you do not want to be given (the
bit-wise complement of the permission you want a file
to have by default).
• 0666 – default mode means 0222 umask.
• 0077 umask means … 0022 means …
• Set up at log in time in environment variables.
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
16
The suid bit
• Sometimes unprivileged users must perform tasks
that are privileged.
– Change password thereby modify /etc/passwd.
• UNIX allows certain programs to change UID to their
owner when executed.
– SUID programs – change UID to owner.
– SGID programs – change GID to owners group.
• ls –l command indicates if SUID or SGID
– -rwsr-xr-x indicates SUID
– -rwxr-sr-x indicates SGID
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
17
Limitations of UNIX file permission system
• Abbreviated ACL’s in general and UNIX in particular
may not be flexible enough for many circumstances.
• Consider the following example:
– 5 users, Anne, Beth, Caroline, Della and Elizabeth.
– Anne wants Beth to read her file and nothing else.
– She wants Caroline to write
– Della to only read and write
– Elizabeth to only execute
Above not possible with Unix file permission bits!!
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
18
ACLs + Abbreviations
• Augment abbreviated lists with ACLs
– Intent is to shorten ACL
• ACLs override abbreviations
– Exact method varies
• Example: IBM AIX
– Base permissions are abbreviations, extended
permissions are ACLs with user, group
– ACL entries can add rights, but on deny, access is
denied
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
19
Augmenting abbreviated ACL’s
AIX (IBM Unix) uses extended permissions to augment base
permissions.
attributes:
base permissions:
owner (bishop): rwgroup (sys): r—
others: --extended permissions enabled
permit
-wu:nelson, g=sys
permit
rwu:levitt
deny
-wu:heberlei, g=faculty
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
20
Issues to consider while designing an ACL
based system
•
•
•
•
•
Which subject can modify an object in ACL?
Does ACL apply to privileged user (root), if any?
Does ACL support groups or wildcards?
How are contradictory permissions handled?
If default permissions allowed, do ACL’s modify it? Or
is default used only when subject not explicitly
mentioned in ACL?
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
21
ACL Modification
• Who can do this?
– Creator is given own right that allows this
– Some systems provide a grant modifier (like a
copy flag) allowing a right to be transferred, so
ownership not needed
• Transferring right to another modifies ACL
• Do ACLs apply to privileged users (root)?
– Solaris: abbreviated lists do not, but full-blown ACL entries
do
– Other vendors: varies
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
22
Groups and Wildcards
Classic form: no; in practice, usually
– AIX: base perms gave group sys read only
permit
-w-
u:heidi, g=sys
line adds write permission for heidi when in that group
– UNICOS:
• holly : gleep : r
– user holly in group gleep can read file
• holly : * : r
– user holly in any group can read file
• * : gleep : r
– any user in group gleep can read file
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
23
Conflicts
• Deny access if any entry would deny access
– AIX: if any entry denies access, regardless of
rights given so far, access is denied
• Apply first entry matching subject
– Cisco routers: run packet through access control
rules (ACL entries) in order; on a match, stop, and
forward the packet; if no matches, deny
• Note default is deny so honors principle of fail-safe
defaults
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
24
Handling Default Permissions
• Apply ACL entry, and if none use defaults
– Cisco router: apply matching access control rule, if
any; otherwise, use default rule (deny)
• Augment defaults with those in the
appropriate ACL entry
– AIX: extended permissions augment base
permissions
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
25
Revocation Question
• How do you remove subject’s rights to a file?
– Owner deletes subject’s entries from ACL, or
rights from subject’s entry in ACL
• What if ownership not involved?
– Depends on system
– System R: restore protection state to what it was
before right was given
• May mean deleting descendent rights too …
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
26
Windows NT ACLs
Different sets of rights
– Basic: read, write, execute, delete, change
permission, take ownership
– Generic: no access, read (read/execute), change
(read/write/execute/delete), full control (all),
special access (assign any of the basics)
– Directory: no access, read (read/execute files in
directory), list, add, add and read, change (create,
add, read, execute, write files; delete
subdirectories), full control, special access
5/26/2016
CS283-172/Fall08/GW/Vora
Many slides from Matt Bishop's slide set
27