Operating system security models
- Unix security model
- Windows security model
MEELIS ROOS 1
General Unix model
- Everything is a file under a virtual root directory: files, directories, sockets, devices, ...
- Objects are identified by name
- Several concurrent names are possible for any object (because of links)
- Discretionary access control (DAC): each object has an owner who decides the access rights for the object
Unix security model
- Access control subjects are users
- Objects belong to users
- Users delegate access to their objects to other subjects
- Users run processes to do things; processes belong to users
- Processes run by a user have the same privileges as that user
- Internally, users are identified by a numeric user ID (UID)
- There are no other ways of accessing objects
- Hardware protection: a protected operating system with a well-defined interface (system calls) to user programs
Root user
- Has UID 0
- Can bypass access controls
- Has other rights in the system (capabilities): can configure devices and the network stack, mount filesystems etc.
- Can change the ownership of the current process (login!)
- Can change file ownership
- Can arbitrarily change file groups
- Can create and remove users and groups
- Can install and modify any software
- Target for attackers: gain root privileges from a normal user account through some security vulnerability
Setuid and setgid programs
- Normal users need a gateway to privileged operations (e.g. changing your own password in the system password database)
- Normally processes run with the rights of the executing user, regardless of who owns the program file
- Setuid programs run with the effective UID of the owner of the file (often root)
- Setgid programs run with the effective GID set to the program file's group (whether or not the user belongs to that group)
- "Gateways to other user accounts": security-critical components
- Minimize the number of setuid programs
- We still need some of them
Permissions
- Fixed-structure ACL: there are always entries for the owner, one group of users and the rest of the users
- For each subject in the ACL, 3 permission bits are present: r read (4), w write (2), x execute (1)
- rwx r-x --- = 0750 (octal representation!!!)
- The ACL only protects one object: it has no influence on objects in subdirectories, each of which has its own permission bits
More permission bits
- 00001 world execute
- 00002 world write
- 00004 world read
- 00010 group execute
- 00020 group write
- 00040 group read
- 00100 owner execute
- 00200 owner write
- 00400 owner read
- 01000 "sticky" bit
- 02000 setgid
- 04000 setuid
Meaning of permission bits
- File read, write: as expected
- File execute: distinguishes runnable files from data files
- Executable file sticky bit: used to mean "keep the program text in swap after exit"; unused today
- Executable file setuid and setgid: change the effective owner/group of the process for the duration of the run
- Directory execute: access a file or directory inside it by name (search/traverse)
- Directory read: list entries (not needed for lookup by name)
- Directory write: any namespace operation (create, rename, remove!!)
- Directory sticky: restricts removal and renaming of entries to the owner of the entry (or of the directory), as in /tmp
- Directory setgid: determines the group of newly created objects (they inherit the directory's group instead of the creator's)
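The permission check the three slides above describe, written out as a pure function so it can be exercised without root or a filesystem. This is an added example, not code from the slides; it models the POSIX/Linux rules for regular files: exactly one class of bits (owner, group or other) applies to a given process, and UID 0 bypasses read and write checks but still needs at least one execute bit somewhere to execute a file. The UIDs, GIDs and modes in main() are constructed sample values.

```c
/* Added example (not from the slides): the classic Unix mode-bit check as a
 * pure function. Models the POSIX/Linux rules for regular files. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>      /* R_OK, W_OK, X_OK */

/* Returns 1 if a process with (euid, egid, supplementary groups) may perform
 * all of the operations in 'want' (a mask of R_OK|W_OK|X_OK) on an object
 * with permission bits 'mode' owned by file_uid:file_gid, else 0. */
int unix_access(mode_t mode, uid_t file_uid, gid_t file_gid,
                uid_t euid, gid_t egid, const gid_t *groups, int ngroups,
                int want)
{
    int bits;

    if (euid == 0) {
        /* root: read/write always; execute only if someone can execute */
        if ((want & X_OK) && !(mode & 0111))
            return 0;
        return 1;
    }

    /* Pick exactly one class; the owner never falls through to group/other,
     * so mode 0077 locks the owner out even though everyone else gets in. */
    if (euid == file_uid) {
        bits = (mode >> 6) & 07;
    } else {
        int in_group = (egid == file_gid);
        for (int i = 0; i < ngroups && !in_group; i++)
            in_group = (groups[i] == file_gid);
        bits = in_group ? (mode >> 3) & 07 : mode & 07;
    }
    /* R_OK=4, W_OK=2, X_OK=1 line up with the r, w, x bit values */
    return (bits & want) == want;
}

int main(void)
{
    const gid_t www[] = { 33 };     /* constructed: web server's supplementary group */
    printf("owner rwx on 0750: %d\n",
           unix_access(0750, 1000, 1000, 1000, 1000, NULL, 0, R_OK | W_OK | X_OK));
    printf("group member w on 0750: %d\n",
           unix_access(0750, 1000, 33, 1001, 100, www, 1, W_OK));
    printf("owner r on 0077: %d\n",
           unix_access(0077, 1000, 1000, 1000, 1000, NULL, 0, R_OK));
    printf("root x on 0644: %d\n",
           unix_access(0644, 1000, 1000, 0, 0, NULL, 0, X_OK));
    return 0;
}
```

The 0077 case is the one that surprises people: Unix does not take the union of the classes, it selects one and stops.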
umask
- umask: a bitmap of permissions that newly created files must not have
- Example: process does open("file.txt", O_RDWR | O_CREAT, 0666) (the mode argument only matters when the file is created, so O_CREAT is required)
- If umask=000, the file has permissions rw-rw-rw- (0666)
- If umask=027, the file has permissions rw-r----- (0640), i.e. 0666 & ~0027
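An added example (not from the slides) that shows the umask being applied at file creation. apply_umask() is the arithmetic; observed_mode_after_umask() creates a real file with open(O_CREAT) in a private scratch directory and returns the permission bits the kernel actually assigned, so the two can be compared. It assumes a writable /tmp; the directory name template and the 0666/027 values are constructed for the demonstration.

```c
/* Added example (not from the slides): umask at file creation time. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits a new file receives: requested mode with the umask bits cleared */
mode_t apply_umask(mode_t requested, mode_t mask)
{
    return requested & ~mask & 07777;
}

/* Create a file with open(O_CREAT, requested) while 'mask' is in effect and
 * return its permission bits as reported by fstat(); (mode_t)-1 on error. */
mode_t observed_mode_after_umask(mode_t requested, mode_t mask)
{
    char dir[] = "/tmp/umask-demo.XXXXXX";   /* constructed: private scratch dir */
    char path[64];
    struct stat st;
    mode_t old, result = (mode_t)-1;
    int fd;

    if (mkdtemp(dir) == NULL)
        return result;
    snprintf(path, sizeof path, "%s/file.txt", dir);

    old = umask(mask);                      /* umask is process-wide: restore it below */
    /* O_CREAT is what makes the mode argument matter; without it the third
     * argument of open() is ignored and no file is created at all. */
    fd = open(path, O_RDWR | O_CREAT | O_EXCL, requested);
    umask(old);

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = st.st_mode & 07777;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("requested 0666, umask 000 -> %04o\n",
           (unsigned)observed_mode_after_umask(0666, 0000));
    printf("requested 0666, umask 027 -> %04o\n",
           (unsigned)observed_mode_after_umask(0666, 0027));
    return 0;
}
```

Because the umask is inherited by subprocesses (see the process credentials slide), a permissive umask in a login shell or a daemon's parent silently affects every file those processes create.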
Process credentials
- Each process has a UID and a GID ("real UID, real GID")
- EUID, EGID: effective UID and GID; usually the same as the real UID and GID; setuid/setgid programs change these
- Saved UID, saved GID: for switching between the two IDs ("drop and regain root privileges in a setuid-root program")
- At user logon, a root-owned process sets the supplementary group list and all the UID and GID information for the process (changing the EUID last, since after that it is no longer root)
- All threads of a process share the same ownership information
- Credentials are inherited by subprocesses
- Other resources are also inherited by subprocesses (file descriptors, environment variables, umask, rlimits, priority etc.)
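The two privilege-dropping patterns a setuid-root program builds on the real/effective/saved UIDs, as an added example that is not from the slides. The temporary drop leaves root in the saved UID so it can be regained; the permanent drop sets the group list, the GID and then all three UIDs, and then verifies that root really is gone instead of assuming it. Run as an ordinary user every call is a no-op that still succeeds, so the control flow can be exercised without installing a setuid binary.

```c
/* Added example (not from the slides): temporary vs. permanent privilege
 * drop using real, effective and saved UIDs. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t saved_privileged_euid;

/* Temporarily become the invoking user: EUID := real UID.
 * The saved UID still holds the privileged EUID, which is what permits
 * switching back later. */
int drop_privileges_temporarily(void)
{
    saved_privileged_euid = geteuid();
    return seteuid(getuid());
}

/* Regain the privileged EUID kept in the saved UID */
int regain_privileges(void)
{
    return seteuid(saved_privileged_euid);
}

/* Permanently give up privileges. Order matters: the group list can only be
 * set by root, the GID must be changed while still root, and setuid() called
 * with EUID 0 sets real, effective AND saved UID, so nothing is left to
 * come back to. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)   /* only root may set the group list */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify, don't assume: if root can still be regained, the drop failed
     * (e.g. because we were called while temporarily dropped, when setuid()
     * changes only the EUID and leaves root in the saved UID). */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    printf("start: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (drop_privileges_temporarily() != 0)
        perror("seteuid");
    printf("temporarily dropped: euid=%u\n", (unsigned)geteuid());
    if (regain_privileges() != 0)
        perror("seteuid");
    printf("regained: euid=%u\n", (unsigned)geteuid());
    if (drop_privileges_permanently(getuid(), getgid()) != 0)
        perror("drop_privileges_permanently");
    printf("permanently dropped: euid=%u\n", (unsigned)geteuid());
    return 0;
}
```

The final seteuid(0) probe is the part most real programs omit; without it a program that believes it dropped root may still be carrying it in the saved UID.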
Unix and ACLs
Try to express the following with Unix permission bits:
- Owner has rw
- Group A also has rw
- Group B has r
- Others have no permissions
Or a more common example, users' public_html directories:
- Owner has rwx
- Web server user has --x
- No other users or groups have any permissions
Neither fits the owner/group/other structure, so we need more flexible ACLs (Access Control Lists).
POSIX ACLs
- Halfway-standardized ACL model for Unix systems (the POSIX.1e draft was withdrawn, but implementations follow it)
- Mostly compatible between Unixes (setfacl, getfacl)
- Example: setfacl -m user:mroos:rw-,mask:rw- file.txt
- ACL mask: an upper bound applied to all named-user, named-group and owning-group entries (the owner and "other" entries are not masked)
- Default ACLs on directories (copied into the ACLs of newly created objects)
- Only positive permissions, no denying ACL entries
- The NFS version 4 network file system uses Windows-compatible ACLs with negative (deny) entries as well, and these are also used in some file systems
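An added example (not from the slides) of the POSIX.1e access-check algorithm with the mask entry, as a pure function over an in-memory ACL. The order of checks follows the draft standard and the Linux implementation: owner entry first, then a matching named-user entry, then the owning-group and named-group entries (any one that grants all wanted bits suffices), then "other"; named-user, named-group and owning-group entries are limited by the mask, owner and other are not. The constructed ACL in demo_acl uses mask r-- rather than the slide's rw-, to make the masking visible; the UIDs/GIDs are made up.

```c
/* Added example (not from the slides): POSIX.1e ACL evaluation with a mask. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>          /* R_OK, W_OK, X_OK */

enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };

struct ace { enum tag tag; unsigned id; int perms; };   /* perms: R_OK|W_OK|X_OK */

static int in_groups(gid_t g, const gid_t *groups, int n)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == g) return 1;
    return 0;
}

/* Returns 1 if (euid, egid, groups) may do 'want' on the object owned by
 * file_uid:file_gid and protected by the n entries in acl, else 0. */
int posix_acl_access(const struct ace *acl, int n, uid_t file_uid, gid_t file_gid,
                     uid_t euid, gid_t egid, const gid_t *groups, int ngroups, int want)
{
    int mask = R_OK | W_OK | X_OK;        /* no mask entry: nothing is limited */
    int group_matched = 0;

    for (int i = 0; i < n; i++)
        if (acl[i].tag == MASK) mask = acl[i].perms;

    /* 1. owner: checked before anything else and not subject to the mask */
    for (int i = 0; i < n; i++)
        if (acl[i].tag == USER_OBJ && euid == file_uid)
            return (acl[i].perms & want) == want;
    /* 2. named user: first match decides, masked */
    for (int i = 0; i < n; i++)
        if (acl[i].tag == USER && acl[i].id == euid)
            return (acl[i].perms & mask & want) == want;
    /* 3. owning group and named groups: any matching entry that grants all wanted bits */
    for (int i = 0; i < n; i++) {
        int matches = (acl[i].tag == GROUP_OBJ &&
                       (egid == file_gid || in_groups(file_gid, groups, ngroups)))
                   || (acl[i].tag == GROUP &&
                       (egid == acl[i].id || in_groups(acl[i].id, groups, ngroups)));
        if (!matches) continue;
        group_matched = 1;
        if ((acl[i].perms & mask & want) == want) return 1;
    }
    if (group_matched) return 0;          /* a group entry matched but did not grant */
    /* 4. everyone else, not masked */
    for (int i = 0; i < n; i++)
        if (acl[i].tag == OTHER)
            return (acl[i].perms & want) == want;
    return 0;
}

/* Constructed ACL of file.txt (owner uid 1000, group gid 100) after
 * "setfacl -m user:mroos:rw-,mask:r-- file.txt", with mroos = uid 1500 */
const struct ace demo_acl[] = {
    { USER_OBJ,  0,    R_OK | W_OK },
    { USER,      1500, R_OK | W_OK },   /* getfacl shows this as "#effective:r--" */
    { GROUP_OBJ, 0,    R_OK },
    { MASK,      0,    R_OK },
    { OTHER,     0,    0 },
};
const int demo_acl_n = 5;

int main(void)
{
    printf("mroos write: %d (rw- entry masked down to r--)\n",
           posix_acl_access(demo_acl, demo_acl_n, 1000, 100, 1500, 1500, NULL, 0, W_OK));
    printf("owner write: %d (owner entry ignores the mask)\n",
           posix_acl_access(demo_acl, demo_acl_n, 1000, 100, 1000, 100, NULL, 0, W_OK));
    return 0;
}
```

The mask is also what chmod manipulates on a file with an extended ACL: chmod g-w on such a file lowers the mask, which is why a named-user entry can suddenly lose write permission after an apparently unrelated chmod.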
Windows security model
- Subjects (users, groups, computers) are identified by a SID (Security Identifier), e.g. S-1-5-21-2025429065-492874223-1748137768-500
- SAM (Security Account Manager) keeps the database of local users and is used for authentication
- On login, the user's SID and the SIDs of all of the user's groups are put into the process's access token
- The process security token contains the user and group SIDs, the SID of the logon session and the list of system-wide privileges granted to the user
- Security tokens are inherited by subprocesses
- Threads can carry a different security token (impersonation, used by local services acting on behalf of remote users)
- System privileges: rights that are not tied to any particular object (carried in the token)
Windows objects
- Each named object and some unnamed objects have a security descriptor: owner, group, ACLs
- Lots of different object types, including:
  - Files, directories
  - Processes, threads
  - Windows
  - Logon sessions
  - Named pipes, semaphores, other IPC
  - Registry keys
Windows ACLs
- A security descriptor holds two ACLs: the discretionary ACL (DACL), set by the owner/user, delegates access; the system ACL (SACL), set by the system administrator, regulates auditing
- Two kinds of securable objects: containers and objects; objects in a container inherit ACL entries from the container
- Missing (NULL) DACL means full access for everyone
- Present but empty DACL means no access
- ACLs can have negative entries ("deny"); entries are evaluated in order, and in the canonical order explicit deny entries come before allow entries, so a deny wins
- Inheritance flags ("no ACL here, look at the parent")
- Directory bypass possible: the "bypass traverse checking" privilege lets a process reach an object by path without traverse access to every directory along the way
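A model of the DACL evaluation described above, as an added example that is not from the slides and not the Windows API (AccessCheck); it is portable C so the rules can be tried out anywhere. ACEs are walked in order; an access-denied ACE whose SID is in the token and whose mask overlaps any requested right denies, access-allowed ACEs accumulate granted rights until every requested right is covered, a NULL DACL grants everything and an empty DACL grants nothing. SIDs are stand-in integers and the token contents are constructed.

```c
/* Added example (not from the slides, not the Windows API): a model of
 * Windows DACL evaluation against an access token. */
#include <stdio.h>
#include <stddef.h>

#define READ   0x1u
#define WRITE  0x2u
#define EXEC   0x4u

enum ace_type { ALLOW, DENY };
struct win_ace { enum ace_type type; int sid; unsigned mask; };
struct dacl { const struct win_ace *aces; int count; };   /* count 0 = empty DACL */

static int token_has(const int *token_sids, int n, int sid)
{
    for (int i = 0; i < n; i++)
        if (token_sids[i] == sid) return 1;
    return 0;
}

/* Returns 1 if all 'requested' rights are granted to a token holding the n
 * SIDs in token_sids, 0 otherwise. dacl == NULL models a missing DACL. */
int win_access_check(const struct dacl *dacl, const int *token_sids, int n,
                     unsigned requested)
{
    unsigned granted = 0;

    if (dacl == NULL)
        return 1;                                 /* no DACL at all: full access */
    for (int i = 0; i < dacl->count && granted != requested; i++) {
        const struct win_ace *a = &dacl->aces[i];
        if (!token_has(token_sids, n, a->sid))
            continue;                             /* ACE is for someone else */
        if (a->type == DENY) {
            if (a->mask & requested)
                return 0;                         /* any requested right denied: stop */
        } else {
            granted |= a->mask & requested;       /* allows accumulate */
        }
    }
    return granted == requested;                  /* empty DACL: granted stays 0 */
}

/* Constructed stand-in SIDs (think S-1-5-21-...-1001 etc.) */
#define SID_ALICE     1001
#define SID_USERS      513
#define SID_CONTRACT  2002

/* Canonical order: explicit denies first, then explicit allows */
const struct win_ace demo_aces[] = {
    { DENY,  SID_CONTRACT, WRITE },
    { ALLOW, SID_USERS,    READ | EXEC },
    { ALLOW, SID_ALICE,    WRITE },
};
const struct dacl demo_dacl  = { demo_aces, 3 };
const struct dacl empty_dacl = { NULL, 0 };

/* Constructed tokens: Alice is a user; the contractor is also a user */
const int alice_token[]      = { SID_ALICE, SID_USERS };
const int contractor_token[] = { SID_CONTRACT, SID_USERS };

int main(void)
{
    printf("alice read+write: %d\n",
           win_access_check(&demo_dacl, alice_token, 2, READ | WRITE));
    printf("contractor read: %d, write: %d\n",
           win_access_check(&demo_dacl, contractor_token, 2, READ),
           win_access_check(&demo_dacl, contractor_token, 2, WRITE));
    printf("NULL DACL write: %d, empty DACL read: %d\n",
           win_access_check(NULL, contractor_token, 2, WRITE),
           win_access_check(&empty_dacl, alice_token, 2, READ));
    return 0;
}
```

The contractor keeps read access through the Users group while the deny entry on write applies regardless of any later allow; swapping the order of the entries (a non-canonical DACL) is exactly the situation in which Windows can grant a right that a later deny was meant to remove.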
Windows Vista and newer: integrity levels
- First steps towards MAC (Mandatory Access Control): additional restrictions on top of the standard discretionary ACL
- Processes have a trustworthiness (integrity) level, objects have an integrity level (Low, Medium, High, System)
- Objects: files, registry keys, windows (window messages used for interaction are filtered between levels)
- Can isolate different processes of the same user from one another: a lower-integrity process cannot write to higher-integrity objects ("no write up")
- Internet Explorer protected mode (runs at Low integrity)
- The label is stored in the system ACL (as a mandatory label entry)
Group Policy
- 4 levels: local, site, domain, organizational unit (applied in this order, later levels override earlier ones)
- NOT enforced by the OS kernel
- Voluntarily used by some applications for further restrictions