Chapter 14: Protection - PowerPoint PPT Presentation

1
Chapter 14: Protection
2
Protection
  • Operating system consists of a collection of objects
    • Hardware: CPU, memory segments, disks, printers, ...
    • Software: files, semaphores, ...
  • Each object has a name and can be accessed through a
    set of operations
  • Protection problem
    • Ensure that each object is accessed correctly and
      only by those processes that are allowed to do so

3
Principles of Protection
  • Principle of Least Privilege
    • Programs, users and systems should be given just
      enough privileges to perform their tasks

4
Domain Structure
  • A process operates within a protection domain
  • Domain = set of access rights
  • Access right = <object-name, rights-set>
    • rights-set is a subset of all valid operations
      that can be performed on the object
  • Processes can be allowed to switch from one
    domain to another to access objects or perform
    needed operations

5
Domains in UNIX
  • A domain is associated with each user
  • Domain = user-id
  • The set of objects that can be accessed depends
    on the user-id
  • Switch domain = login as a different user

6
Access Matrix
  • View protection as a matrix (access matrix)
  • Rows represent domains; columns represent objects
  • Entry (i, j) defines the set of operations that
    a process executing in domain i can invoke on
    object j

7
Access Matrix: Domain Switching
  • Processes should be able to switch from one
    domain to another
  • A process can switch domains if it has a switch
    right on these domains
  • Consider domains as objects, and add them to the
    access matrix

8
Access Matrix: Dynamic Protection
  • Need to be able to change entries of the access
    matrix dynamically
  • i.e., need to add, remove, copy access rights
  • To support these operations, special access
    rights are defined
    • copy of access right R on object Oi
      • can copy (propagate) the access right R within
        the same column (denoted as R*)
    • owner of object Oi
      • can add/remove access rights to Oi (change column i)
    • control of domain Di
      • can add/remove access rights to domain Di (change row i)

9
Access Matrix with Copy Rights
10
Access Matrix With Owner Rights
11
Access Matrix with Control Rights
A process running in D2 can change (control) the
row of D4
12
Access Matrix: Policy vs. Mechanism
  • Access matrix design separates mechanism from
    policy
  • Mechanism
    • Operating system provides access matrix rules
    • It ensures that the matrix is only manipulated by
      authorized users and that rules are strictly
      enforced
  • Policy
    • User dictates policy
    • Who can access what object and in what mode

13
Implementation of Access Matrix
  • Global Table
    • The matrix is large and sparse → large overhead
  • Access Control List (ACL)
    • Each column (i.e., object) has a list of domains
      that can access it and what type of access
    • Example: an ACL of an object may look like
      <D1, Read, Write>, <D2, Read>, <D5, Read, Execute>
  • Capability List
    • Each row (i.e., domain) has a list of objects and
      what operations are allowed on them
    • Example: a capability list of a domain may look like
      <O1, Read>, <O4, Read, Write, Execute>

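The access-matrix operations of slides 7, 8 and 13 (domains as objects, the switch right, copy R*, owner, control, and the ACL and capability-list views of the same matrix) as an added example; this is not code from the slides, and the domain, object and right names in it are made up for illustration.

```python
from collections import defaultdict

class AccessMatrix:
    """matrix[domain][object] -> set of rights; a trailing '*' marks a copy right."""

    def __init__(self):
        self.m = defaultdict(lambda: defaultdict(set))

    def grant(self, dom, obj, *rights):
        self.m[dom][obj].update(rights)

    def can(self, dom, obj, right):
        # "read*" confers "read" as well as the right to propagate it
        return right in {r.rstrip("*") for r in self.m[dom][obj]}

    def switch(self, dom, target):
        # Domains are objects too: switching needs a "switch" right in the
        # target domain's column.
        if not self.can(dom, target, "switch"):
            raise PermissionError(f"{dom} may not switch to {target}")
        return target

    def copy_right(self, src, obj, dst, right):
        # Only a starred right (R*) may be copied, and only within the same
        # column (same object); the copy is handed over without the star.
        if right + "*" not in self.m[src][obj]:
            raise PermissionError(f"{src} holds no copy right for {right} on {obj}")
        self.m[dst][obj].add(right)

    def owner_change(self, dom, obj, dst, right, add=True):
        # The owner of obj may add or remove any right in obj's column.
        if not self.can(dom, obj, "owner"):
            raise PermissionError(f"{dom} does not own {obj}")
        (self.m[dst][obj].add if add else self.m[dst][obj].discard)(right)

    def control_remove(self, dom, target, obj, right):
        # "control" over a domain lets dom remove rights from that domain's row.
        if not self.can(dom, target, "control"):
            raise PermissionError(f"{dom} does not control {target}")
        self.m[target][obj].discard(right)

    def acl(self, obj):
        # Column view: the ACL of an object (only domains holding some right).
        return {d: set(row[obj]) for d, row in self.m.items() if row[obj]}

    def capability_list(self, dom):
        # Row view: the capability list of a domain.
        return {o: set(r) for o, r in self.m[dom].items() if r}
```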
14
Protection in UNIX
  • ACLs can be long and time-consuming to search
  • To condense ACLs and accelerate access, UNIX
    defines three classes
    • Owner: creator of the file
    • Group: users sharing the file; they need similar
      access (work group)
    • Universe: all others
  • 9 bits are used for each file to provide this
    (coarse-grained) protection
    • rwx rwx rwx filename
  • Example
    • 111 101 001 filename
    • chmod 775 filename
  • Protection bits have a slightly different meaning
    on directories
    • r: can list files; x: can open files
    • (you could open a file even if you do not have r
      on the directory; you need to know the name
      though)

15
Protection in UNIX (contd)
  • Can we achieve the following with the standard
    9 protection bits?
    • Allow owner rwx on file1
    • Allow his group (students) r-x on file1
    • Allow specific user(s), not in the students group,
      r-- on file1
    • All others should have no access (---) on file1
  • NO. Solutions?
  • Some systems (e.g., Solaris, Linux)
    • Implement protection bits by default for all
      files, and
    • Create an ACL on demand for fine-grained access
      control
  • For the above, we create an ACL on file1 and add
    the specific users to it
  • On UNIX the command setfacl (set file access control
    list) does that
  • Check out man setfacl and man acl

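A model of the 9-bit check from slide 14 and of the "ACL on demand" extension from slide 15, added here as an example (not code from the slides). It evaluates classes in the order POSIX ACLs use (owner, named user, group, universe) and shows that no universe field can satisfy the file1 requirement without an ACL; the ACL mask entry is left out, and the user and group names are constructed.

```python
R, W, X = 4, 2, 1

class File:
    def __init__(self, owner, group, mode, acl=None):
        self.owner, self.group = owner, group
        self.mode = mode            # the 9 protection bits, e.g. 0o750
        self.acl = acl or {}        # optional named-user entries: {user: bits}

    def class_bits(self, cls):
        # cls 0 = owner, 1 = group, 2 = universe; pick that 3-bit field
        return (self.mode >> (6 - 3 * cls)) & 7

def allowed(f, user, groups, want):
    """True if `user` (a member of `groups`) holds every bit in `want`."""
    if user == f.owner:
        bits = f.class_bits(0)
    elif user in f.acl:             # a named ACL entry beats group/universe
        bits = f.acl[user]
    elif f.group in groups:
        bits = f.class_bits(1)
    else:
        bits = f.class_bits(2)
    return bits & want == want      # the first matching class decides

def perm_str(bits):
    return "".join(c if bits & b else "-" for c, b in zip("rwx", (R, W, X)))

def setfacl_commands(f, path):
    """The setfacl -m u:USER:PERMS invocations that would install f.acl."""
    return [f"setfacl -m u:{u}:{perm_str(b)} {path}" for u, b in f.acl.items()]

def standard_bits_suffice(owner, group, extra_users):
    """Can the file1 requirement be met with the 9 bits alone?  The extra
    users fall into 'universe', so every possible universe field is tried:
    it must give them r but give an arbitrary other user nothing."""
    for other in range(8):
        f = File(owner, group, 0o750 | other)
        extras_ok = all(allowed(f, u, set(), R) and not allowed(f, u, set(), W | X)
                        for u in extra_users)
        if extras_ok and not allowed(f, "anyone-else", set(), R):
            return True
    return False
```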
16
Protection in UNIX: Setuid bit
  • Recall that a domain is associated with each user
  • Sometimes, we need a user in one domain to
    execute a command that is allowed only in another
    domain
  • Example: passwd command (to change password)
    • passwd needs to write to the /etc/passwd file;
      only root can write to this file
  • UNIX solution: (temporary) domain switching
    • Each file has a setuid bit associated with it
    • When the file is executed and setuid = 1, the
      user-id is set to the owner of the file being
      executed
    • When execution completes, the user-id is reset
  • Example: the setuid bit of the passwd command is set
    (by root)
    • ls -l /usr/bin/passwd
    • -rwsr-xr-x 1 root shadow 79520 2005-09-09 13:56
      /usr/bin/passwd
    • (Use chmod 4755 filename to set the setuid bit)

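An added example (not from the slides) that parses the 10-character mode field shown by ls -l, such as -rwsr-xr-x, into the octal value chmod takes (4755), handles the S/T forms that mean "bit set but no execute permission", and models the temporary domain switch the setuid bit causes on exec. The uid values used are made up.

```python
SETUID, SETGID, STICKY = 0o4000, 0o2000, 0o1000

def parse_mode(field):
    """'-rwsr-xr-x' -> 0o4755.  's'/'t' = special bit plus execute,
    'S'/'T' = special bit without execute (a common misconfiguration)."""
    if len(field) < 10:
        raise ValueError("expected the 10-character mode field of ls -l")
    mode = 0
    for i, ch in enumerate(field[1:10]):
        bit = 1 << (8 - i)                         # r/w/x bit for this slot
        special = (SETUID, SETGID, STICKY)[i // 3] if i % 3 == 2 else 0
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT" and special:
            # s/S only in the owner and group x slots, t/T only in the other slot
            if (ch in "sS") != (i < 6):
                raise ValueError(f"{ch!r} is not valid at position {i + 1}")
            mode |= special
            if ch.islower():
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i + 1}")
    return mode

def mode_field(mode, kind="-"):
    """Inverse of parse_mode: 0o4755 -> '-rwsr-xr-x' (kind is the type char)."""
    out = []
    for i in range(9):
        bit = 1 << (8 - i)
        ch = "rwx"[i % 3] if mode & bit else "-"
        if i % 3 == 2 and mode & (SETUID, SETGID, STICKY)[i // 3]:
            letter = "s" if i < 6 else "t"
            ch = letter if mode & bit else letter.upper()
        out.append(ch)
    return kind + "".join(out)

def effective_uid(file_mode, file_owner, caller_uid):
    """uid the process runs under while executing the file: the file's
    owner if the setuid bit is set (domain switch), else the caller's."""
    return file_owner if file_mode & SETUID else caller_uid
```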
17
Summary
  • Protection: allow only authorized access to
    resources
  • Principle of Least Privilege: grant the minimum
    needed privileges to perform a task
  • Access matrix
    • Domains and objects
    • Access rights
    • Implementation: Access Control List, Capability
      List
  • Unix protection
    • Protection bits
    • Optional ACLs
    • setuid