Exercise 4: Access Control and Filesystem Security

Transcription

1 Exercise 4: Access Control and Filesystem Security Introduction Duration: 90 min Maximum Points: 30 Note: The solutions of theorethical assignments should be handed out before the practical part in the Lab starts! Access Control Concepts in Unix-Like Systems Users and Groups Like most other operating systems, Unix-like (e.g. Solaris [1], OpenBSD [2], GNU/Linux [3] etc.) systems are designed for multiple users and groups. A group on a Unix-like system is simply a set of users. A single user may be member of multiple groups. Read, Write and Execute Flags Files and directories in Unix-like systems can have zero to three of the following flags: Read - The user or group may read the contents of a file Write - The user or group may change the contents Execute - The user or group may execute the file Furthermore, access to files and directories is divided into three differnt levels: User (Owner) Group Everybody (others) A file or directory always belongs to one group and one user. Unlike on Windows, files cannot be owned by multiple groups or users. Flags in Detail When we sum up the amount of possible access flags above, we can see that there may be 2 3 different possibilities for the read, write and execute flags. The flags are actually translated into a bitwise representation as follows: Bit 0 Execute flag 1

2 Bit 1 Write flag Bit 2 Read flag These bits can be interpreted as a octal number. The flags for user, group and others can be concatenated into a 3-digit representation. E.g. the number 754 means that the owner has the rights to read, write and execute, the group has permission to execute and read, and everyone else may only read the file. Because the octal representation of access flags may be difficult to handle for many users, it has become common to use the letters r, w and x as representation for access rights. If more than one user has to access a file, users can be assigned to groups. That means if the two users U 0 and U 1 need to write to the file example.txt, one has to create a new group for these two users and set the group permissions for the file accordingly. Utilities The programs chmod, chgrp and chown can be used to modify access rights on most Unix-like systems. chmod changes the access flags of a file or directory, chgrp is used to change the group and chown changes the owner of a file. Examples chown user1 file.txt - Change the ownership of file.txt to the user user1. chmod 600 file.txt - Make the file file.txt read- and writeable exclusively to its owner (the digitwise binary representation of 600 is ). chmod 640 file.txt - Owner can read and write; members of the group can read the file file.txt and allow its owner to read and write (The digitwise binary representation of 640 is ). chgrp students file.txt - Change the group of file.txt to the group students. The setuid and setgid bits are special bits to change the user or group of an executable during runtime. When set, they allows other users to execute a program with the rights of its owner and or group. Access Control Lists The traditional access control model does not scale well on systems with a large amount of users. The so-called Access Control Lists (ACL) provide an extension to the traditional filesystem access model. Access control lists allow more fine-grained setups of access rights in contrast to the traditional Unix access control model. 2

3 Utilities The utilities setfacl and getfacl can be used to set and print the access control rights of a file. They have the following syntax: setfacl -m accessrights filename Modifies the permissions accessrights for a file or directory filename getfacl filename prints the permissions for a file or directory When using setfacl, the accessrights field must have a certain format which is described in the setfacl manpage 1. Enabling Access Control Lists Most of the GNU/Linux systems don t have ACL support enabled by default. You need to invoke mount with the additional argument (-o acl) to enable ACLs for a certain mountpoint. Access Control on Windows Vista In Windows environments, Active Directory (AD) [4] is used to arrange the networked entities such as accounts (users, groups), system resources (e.g. computers, servers, printers), and services (e.g. ) in a hierarchical structure. It is based on a central database which stores information and settings to control the working environment. AD provides flexible access control on the entities, which are also referred to as objects, and establishes security using rules and policies. To identify an object, Microsoft Windows allocates Security Identifiers (SIDs). SIDs allow unique identification of users and their group memberships. They are used by the access control lists (ACLs), which define the rights to the resources to be accessed. For any user action that requires a permissions check, Windows checks the SID to see if the action allowed. The SID is equivalent to the UID in UNIX. Objects for which access must be controlled are called securable objects. The security information for securable objects is contained in an associated security descriptor. Its structure is shown in Figure 1. The security descriptor can contain two types of ACLs: A discretionary access control list (DACL): specifies the access rights for a particular user or group, and a system access control list (SACL) that specifies which operations should be logged in the security audit log. The security descriptor also includes the SID for the owner and primary group of an object. If a new object is created, a security descriptor can be assigned to it. Otherwise the object gets assigned the same security desriptor as its parent object. If the security 1 man 1 setfacl 3

4 descriptor of an object contains no DACL, everyone has full access rights to the object. Figure 1: Example of an Access Request Windows uses access tokens to identify the security context of a process or thread when it interacts with a securable object or tries to perform a system task that requires elevated privileges. The security context stores information on the privileges, accounts and groups the process is associated with. Depending on the ordering of the access control entries (ACE) in the object s DACL that are compared with the user s access token, access is permitted or not. An example for granting or denying access to a file is shown in Figure 1. When a file is created within a directory having a set of access rights, these access rights are also applied (inherited) to the file. In contrast to GNU/Linux, there are more than 3 flags for access control rights. These flags are (at least) as follows: modify: read write execute full control Like Unix ACLs, these flags can be assigned to more than one user and/or group. For full list of possible access control flags and explanations see [5] Filesystems and Devices mount In contrast to Windows, filesystems in Unix-like systems are bound to a directory instead of special drive letters. This connection is called mount, the directory where a device or 4

5 partition is mounted is called mountpoint. The mount command can be used to show the current list of mounted devices and to mount or unmount partitions or whole devices. Example: The command mount /dev/hda1 /mnt/foobar mounts partition 1 of device hda to directory /mnt/foobar. Loop Devices A loop device is a virtual device that is on one hand connected to a file and on the other hand provides a device node (usually /dev/loopn) which then can be mounted like any other physical device or partition. In order to mount filesystem images 2, a loop device must be used. For using the mount command on filesystem images, you need to add a special option to the command s invocation -o loop. Example: The command mount -o loop /some/file /mnt/mountpoint mounts the filesystem image in /some/file to /mnt/mountpoint. Help on Commands Most standard distributions of Unix-like systems provide manuals for almost every command. These manuals are called manpages [6] and can be accessed with the command man. Example: The command man mount gives information about the mount command and all of its features. 2 Files that contain a filesystem structure 5

6 1 Theoretical Assignments (10 Points) 1.1 Access Control on Unix-Like Systems 1. Consider the following szenario: A company has some server with 100 users on it. All these users work in groups of two users per group. One day a manager decides to form groups with four users each. How many groups do you have in the end (assuming that the old groups are retained)? 2. (Bonus) Why is transferring the ownership right to another user not allowed for a normal user? 3. Write down the representation for the following access flag combinations in both octal form and with abbrevation letters (r,w,x): Read and Write No rights at all Read, Write and Execute 4. What is the meaning of the write-right if the object is a directory? 1.2 Access Control on Windows 1. Is there a flag that can be set in order to set some permissions for a file for every other user on the system? If not, explain what has to be done in order to allow every user on the system to access a file. 2. Explain the difference between the rights modify and write! 3. What right(s) is (are) neccessary in order to modify access control to a file or directory? 1.3 Disk Encryption 1. Block ciphers can be used in the so-called Cipher Block Chaining (CBC) mode. Explain the advantages and disadvantages of this mode. 2. Let a disk image be encrypted in CBC mode. The size of the disk fits into 100 blocks. What happens if a single bit in block 51 accidently flips? Can you recover all 99 other blocks? 3. (Bonus) Does the CBC mode have an impact on the performance of journaled filesystems? If so, why? 4. (Bonus) Why would it still be a good idea to prefer the CBC mode for filesystems? 6

7 2 Practical Assignments (20 Points) 2.1 Filesystem Images Create a file of 100 megabytes in size with the command head -c 100m /dev/zero > fsimage0. Create an ext3 filesystem in that file with the command mkfs.ext3 fsimage0. The program mkfs will warn you about creating a filesystem in a file, but you can answer that question with yes. Now mount the newly created image into the directory /mnt/fsimage0. Create the directory if neccessary. Create a file with the contents confidential information and write it to /mnt/fsimage0. Force the operating system to commit all changes to filesystems to the disk by invoking the command sync. Delete the file. Unmount the filesystem. Check if the contents of the file are still there utilizing a hex editor or any other program (for example grep). Questions 1. What was the output of the last step? Could you recover the file s contents? 2. Give a short explanation for this behavior and the output. 2.2 Device Encryption The program losetup can be used to create encrypted loop devices, meaning the data is en- or decrypted before it is written to or read from the file connected with the loop device. Losetup needs an additional parameter to function for our purpose: We need to specify the cipher with the option -e. The cipher can basically be any cipher that the Linux kernel provides. In this experiment we ll use AES with a keysize of 128 bits. Load the cryptoloop kernel module. Create a file of 100 megabytes in size with the command head -c 100m /dev/zero > fsimage1. Tell losetup to use fsimage1 as encrypted loop device with the command losetup -e aes /dev/loop4 fsimage1 Losetup will prompt for a passphrase. Remember that passphrase! 7

8 Create an ext3 filesystem in the loop device you just created. Mount the device in /mnt/cryptoimage. Create the directory if neccessary. Create again a file with the contents confidential information in /mnt/cryptoimage. Unmount /mnt/cryptoimage. See if you can read the contents of the created file as you did in the last step of exercise 1. Questions 1. What did you find after the last step? 2.3 Filesystem Forensics The tool foremost is one of many that tries to recover files from corrupted disks and can be used for forensic analysis. Foremost creates a directory named output and several subdirectories wherein it puts the recovered files. For example the directory output/png will contain files that were recognized as.png graphic files. We have placed a filesystem image from a used usbstick we bought in an internet auction into your home directory. That image is named usbstickimage. Please follow these instructions: Mount the image to /mnt/usbstick. Create the directory if neccessary. List the contents of that directory with ls -al /mnt/usbstick Unmount the image again Use foremost to analyze the image (foremost usbstickimage) Questions 1. What was (seemingly) on the usbstick after listing the files? Write down all file names (if any). 2. What else did you find after the last step? (You don t have to write down file names (if any), just give a short summary instead.) 8

9 2.4 Access Control Lists in UNIX 1. Write down the commands to Create a group named team0 Add the users user0 and user1 to that group Change the group of the file example.txt to the newly created group 2. Let G 0 be a group consisting of the users U 0 and U 1. Over time, the users U 0 and U 1 have created many files to which only they have access. One day a third user U 2 needs to have write access to a directory which is owned by the group G 0, but must not have access to other directories owned by the group (therefore adding the user to G 0 is not an option). Describe the steps neccessary to give U 2 write access to the directory without utilizing ACLs! 3. Describe the steps neccessary to give U 2 write access to the directory using ACLs: 4. Have a look at the access rights set for the program /bin/ping on your local system. What is different compared to other binaries like /bin/sleep for example? (use ls -l) 5. Who is the owner of /bin/ping? 6. Suppose there is an exploitable buffer-overflow in the ping program. What implications does this have on system security? 7. - Create a new (ext3) filesystem image as you did in the previous exercises and mount it with the additional argument for ACLs (mount -o acl...). - Add the user user2. - Create a file named example.txt in your newly created filesystem image. Use setfacl to grant write permissions to the user user2. - Create the group team0, add the users user0 and user1 to that group and change the group of the file to team0. - Run ls -l example.txt and then execute getfacl example.txt. What are the differences between the two outputs? Give a short explanation for the different behavior! 9

10 Appendix/Bibliography References [1] OpenSolaris [2] OpenBSD [3] Linux [4] Windows Active Directory technologies/directory/activedirectory/default.mspx [5] Windows Permissions Understanding-Windows-NTFS-Permissions.html [6] Linux Man Pages 10