File Systems, Permission Systems, Authentication and Directory Services

1
File Systems, Permission Systems, Authentication
and Directory Services

• AWPP June 2004

2
Overview

• This presentation discusses issues of networking
  in relation to the evolution of file systems,
  sharing of resources on networks, rights
  permissions, authentication and directory
  systems.
• The focus is around file sharing, but many of the
  elements apply to sharing of other resources.

3
Timeline

• 1971 First version of Unix released,
  multitasking, multi-user
• 1981 MS-DOS Single user, single tasking. Based
  around the use of floppy diskettes.
• 1983 MS-DOS support for hierarchical directories,
  and hard disks, FAT
• 1983 Domain Name System created
• 1983 Novell Netware (multi-user, multi-tasking
  server NOS) Bindery
• 1984 Apple Macintosh, inbuilt networking for
  printing
• 1985 3Com OpenServer licensed by IBM and
  Microsoft to become LAN Manager.
• 1986 First version of Microsoft Windows
• 1987 IBM/Microsoft OS/2 Single user,
  multi-tasking, HPFS
• 1987 Apple Share file server network, and peer to
  peer
• 1990 Windows 3.0 released (MS-DOS underlying
  Cooperative Multitasking)
• 1991 Microsoft IBM goes separate ways on OS/2.
• 1991 First version of Linux
• 1992 Windows NT (multi user, multi-tasking
  general purpose OS) NTFS
• 1993 Windows for Workgroups (Peer-To-Peer OS)
• 1995 Windows 95, FAT32, preemptive multitasking
• 1995 Netware Directory Services NDS
• 1999 Microsoft Active Directory

4

• file! system, n. A method for cataloguing files
  in a computer system. See Hierarchical file
  system
• hierarchical ! file! system, n. A file
  organisational method that stores file in a top
  to bottom organisation structure. Used with
  operating systems such as MS-DOS, OS/2, Windows,
  Unix, Linux, Macintosh and Netware.

5
FAT File System

• Used on MS-DOS FAT12 and FAT16 and Early Windows
  FAT16
• Single user, single tasking
• Uses the FAT (File Allocation Table) file system.
• Simple File attributes
• Directory entry
• Read Only
• Archive
• System
• Hidden
• 8 char file and folder names 8.3 format
• 12 bit FAT max 4096 clusters of 512 to 4k bytes
  (max 16Mb)
• 16 Bit FAT max 65,525 clusters of 2k to 32k
  each (max 2Gb)
• SHARE.EXE to allow multiple access to files

6
FAT Description

• Uses a linked list table
• Partitions include
• Directory table
• File allocation table
• Data
• Advantages
• Simple, most OSs support FAT
• Disadvantages
• Inefficient use of disk space
• Slow with big disks
• Leads to file fragmentation
• Unreliable, not journaled

7
FAT Structure
8
VFAT

• Windows 95 with Long file names
• Installable file systems based on FAT, plus
  CD-ROM
• Single user / multitasking
• FAT16 with file attributes as per MS-DOS
• 254 character filenames using quirk in directory
  table attributes, allowing multiple directories
  per file, underlying 8.3 format
• 2 Terabyte disk size with FAT32
• 28 Bit FAT, allows smaller cluster size, but has
  a large amount of disk to hold the FAT
• Seamless access to earlier FAT systems, and
  CD-ROM file systems

9
FAT32

• Windows 95sr2/ Windows 98
• Uses theoretical 32bit addressing for the File
  Allocation Table only 28 bits are actually used
  for the address.
• File Size up to 2 TeraByte
• Support for large disks
• By allowing many more clusters, means you can
  have smaller clusters which is less wasteful of
  disk space.

10
OS/2

• Single User, Multi-tasking
• Uses HPFS High Performance File System,
• File attributes
• As per MS-DOS plus
• Creation time and date
• Modification time and date
• Access time and date
• 256 character file names
• 2 Terabyte maximum disk size
• Cluster allocation replaced by 512 byte physical
  sector allocation, and an fnode tree for fast
  file searching, but also uses a file allocation
  table similar to DOS
• Basic hot fix

11
Network resources

• Stand alone servers
• Share Level sharing for workgroups
• Directory services
• Domains

12
Stand alone servers

• User name and password for user to access server
  resources.
• Synchronisation of passwords becomes an issue
  when additional servers required

13
Share Level sharing for Workgroups

• Peer to peer with resources (shares) being
  allocated a password
• Leads to proliferation of passwords
• Windows for Workgroups, Win95, Win98 (also
  Windows XP with Simple Sharing)

14
Microsoft workgroups with Share Level sharing

• How to share a folder
• Install server component of software, eg in
  Win95/98 Control Panel
• Select a folder in Explorer
• Share it, and give it a name
• Assign password for read and write access
• Tell other users the password
• This creates a SHARES.PWL file which store
  passwords for each resource shared

15
Microsoft workgroups with Share Level sharing
(cont)

• Log on as a Local User to a machine
• Enter Username and Password
• This creates a username.PWL file which stores the
  user passwords, plus optionally caches passwords
  for other network resources
• Log on as Remote User to a shared resource
• Use Network neighbourhood to Browse thru
  Workgroup, find a machine, and browse the
  shareable resources on machine
• Select shared resource
• Provide password to use shared resource
• Password for resource is cached in the
  username.PWL file

16
Issues with share level resources

• Each shared resources must be assigned a password
  and maybe more than one depending on access
  rights (read and read/write)
• Management of passwords is very cumbersome.
• Lack of security. Possession of a password
  enables access, but to remove access right from
  one person, requires notification to all other
  users of a password change.

17
File systems role in Share Level Security

• FAT and HPFS do not have file or folder
  attributes to assign rights and permissions, nor
  do they have list of users attached to the file
  structure as access control lists.
• Shared resources managed by the Shares.pwl (or
  similar) file rather than inbuilt into file
  system.
• Any Local user has full access to that resource.
• Even if machine secured from access with username
  password only, machine can be booted from floppy
  to access file system, and resources.

18
NTFS

• Windows NT, 2000, XP, 2003
• Various versions of NTFS latest being version 5.0
• Multi-user, multi-tasking
• NTFS is a Journaled File System
• i.e. maintains integrity of the hard disk in the
  event of crashes, by maintaining a log or journal
  of current activity, and in the event of a crash
  can recreate the before condition.
• File attributes and Permissions
• In addition to standard attributes Read Only,
  System, Hidden and Archive.
• Permissions
• Read
• Write
• Execute
• Delete
• Ownership
• Control

19
NTFS (continued)

• Other features of NTFS
• File quotas (ie restrictions to disk space a user
  may use)
• File compression
• Encryption
• Indexing service
• Drive spanning
• The machines user need not be given access
  rights to all the resources.
• Windows NT family uses installable file systems,
  so system can FAT, HPFS, CDROM volumes. Note that
  advanced permissions do not apply to these file
  systems
• Win XP Pro makes EFS (Encrypted File System) for
  NTFS worthwhile security.

20
NTFS Description

• NTFS uses a very different way of storing and
  retrieving files to FAT
• Everything is a file, the volume descriptor, the
  directory and metadata files, as well
• MetaData files are used to carry additional
  information about files.
• The main list is the Master File Table, which is
  a B-tree indexed file which contains basic
  information about every file and directory on a
  volume including the MFT itself. The data for
  small files is actually stored in the MFT when it
  will fit making rapid access to them.
• An MFT is created for every volume/partition
  created.
• The first 16 entries point to system metadata
  files, and this is so important that a backup of
  these entries is kept.

21
NTFS Structure
Master File Table
22
NTFS MFT Files and Folders

• The MFT records each file and folder on a volume,
  in inodes. If the information is small and can be
  stored within the MFT structure it is called
  Resident, if not it is stored in other Metadata
  files and is called non-resident
• The more important attributes are
• Header
• Standard Information (SI) Attribute
• File Name (FN) Attribute
• Data Attribute (which for small file can be the
  actual content of the file)
• Security Descriptor (SD) Attribute
• Bit Map Attribute describes where the file is
  stored
• There are many other attributes

23
NTFS - Access Control Lists

• The MFT Security Descriptor Attribute for a file
  or folder contains two tables of lists
• SACL System Access Control List, which records
  auditing information
• DACL Discretionary Access Control List which
  maintains list (of Access Control Entities) i.e.
  users SID and list of permissions for that file
  or folder
• Win NT uses static inheritance model
• When a folder is created it inherits permission
  from the parent folder, but if changes are later
  made to the parent the subfolders do not change
  unless you select to Apply the changes to
  subfolders, which can act as a sledgehammer
  overwriting individually set subfolder
  permissions
• Win 2000 uses dynamic inheritance model
• As parent folder change, permissions are
  inherited to the subfolders dynamically.
• Win 2000 offers more flexible control over
  inheritance
• ACLs can be resident in the MFT or stored as
  separate Metadata

24
NTFS Data Streams

• NTFS provides a means to have alternate streams
  of data within the one file, using the syntax
  filestream
• e.g.
• Echo Hello gt test.txtAWPP
• Echo GoodBye gtgt test.txt
• More lt test.txt
• More lttest.txtAWPP

25
File systems role in User Level Security in NTFS

• NTFS has extended attributes to support secure
  multi-user access.
• Access Control List, ACL, maintains list of User,
  Groups (or Computers) with rights allowed or
  denied to a resource.
• Cannot access Local machines data, without valid
  user account with rights to do so.

26
Local User Accounts

• Give users access to resources on a single
  machine, whether that user logs in locally or
  remotely
• These accounts reside in the Security Access
  Manager (SAM) located as a file on the machine.
• SAM maintains passwords and permissions for the
  user, and each user is given a Security
  Identified SID
• SIDs are used in Access Control Lists on files
  and folders
• Local Groups can be created to group similar user
  permissions.
• Built in accounts include Administrator and Guest
• Built in groups include Administrators, Power
  Users, User, Everyone
• Standard Permission make the bewildering array of
  choices easier to work with
• Only the Administrator or members of the
  Administrator Group can manage the full set of
  information for users and groups.
• The Guest account can represent a security
  weakness, or can be used to implement Share Level
  type security for systems not requiring high
  security

27
Issues with User Level security in workgroups or
standalone

• Each user and or group must be setup on each
  local and remote machine that user need to
  access, management is complex
• Passwords can get out of sync very easily, users
  may not be set up identically through the system.
• Verifying a users access rights across a large
  organisation is an impossibly daunting task
• System is generally very secure, which can be a
  problem if users forget passwords, especially to
  Administrator user account on Local machine. You
  forget - You regret.
• In many cases you need administrator rights to
  install software, or configure the machine

28
Workgroups or stand alone with User Level sharing

• Each machine (server or workstation peer ton peer
  server) that a user wishes to remotely log on to
  must have that user set up in the database of
  users for that machine.
• Each user is generally defined with a password.
• Users can be added as members to groups to
• Any of the pre-defined standard groups, eg User,
  Everyone, Power Users, Administrators
• or groups can created on the machine.
• You must have an Administrator account or someone
  of that equivalence.

29
Workgroups or stand alone with User Level sharing
(cont)

• How to share a Folder
• Set Permissions

30
Workgroups or stand alone with User Level sharing

• How to share a Folder
• Browse to folder
• On Share Tab on
• Properties box
• check Share Folder
• Permissions and
• security

31
Workgroups or stand alone with User Level sharing
(cont)

• How to share a Folder (cont)
• Use Security for
• Control of inherited
• rights
• Fine control of
• advanced security

32
Workgroups or stand alone with User Level sharing
(cont)

• Log on as a Local User to a machine
• Enter Username and Password
• This username must match a user already setup on
  this machine, and how has permission to log on as
  a local user
• Log on as Remote User to a shared resource
• Use Network neighbourhood to Browse thru
  Workgroup, find a machine, and browse the
  shareable resources on machine
• Select shared resource
• If username and password on local machine match
  then you are granted access, otherwise you must
  enter the login name and password.
• The username password pair must be setup on
  remote machine

33
Win XP Simple File Sharing

• Simple File Sharing allows you to access shared
  files using the Guest Account (which by default
  has no password) and comes close to the sort of
  file sharing of Win95/98/ME
• There is little or no security using this and is
  best turned off
• From with My Computer Tools Folder Options
  from View Tab click Advanced Sharing and
  Security.

34
Windows Domains

• Organises servers and computers into
  administrative and physical structures, and users
  log on to the Domain rather than the individual
  machines.
• Where networks are large enough to have several
  domains, Trust relationships can be used to
  verify the identity of a user logged on to one
  domain to another domain. Users still need to be
  created and managed in each domain, the Trust
  only authenticates the user
• A domain has one SAM (Security Account Manager)
  for the Domain, consolidating management
• The SAM is managed and stored on a machine known
  as the PDC (Primary Domain Controller), only one
  machine in a domain can act in this role, it is
  always advisable to have a Backup Domain
  Controller (BDC) which has a read only replica of
  the SAM

35
Directory Services

• Used to organise large networks by centralising
  administration.
• Generally requires formal planning, and user is
  generally unaware which server holds a resource
• Windows 2000 Active Directory, Novell Netware
  NDS, X.500, LDAP, DNS

36
Active Directory

• Uses DNS (Domain Name Services) to provide
  bridging between Windows Domain into a
  hierarchical global directory.
• Windows Domains tend to proliferate, AD
  consolidates these domains and reduces the need
  for a PDC and BDCs for each domain, making the
  network more scaleable. All domain controllers
  act as peers and multimaster replication
  distributes the SAM to other DCs. Partial
  synchronisations keep WAN traffic down
• Active Directory enables a hierarchy of Trusts
  between domains, and so can catalog large
  multi-domain networks.

37
CD and DVD File Systems

• ISO-9660 also called CDFS
• UFS Universal File System
• Includes advanced features such as
• Long and Unicode filenames
• 64 bit file sizes
• File symbolic links
• ACL Access Control Lists
• Alternate Data Streams
• UFS is constantly evolving

38
Novell Netware Up to v3.xx

• Was originally designed as stand alone servers.
• NFS Netware File System is a journaled file
  system and has many attributes and permissions
  for files and directories
• Create date, owner, last accessed, last modified,
  archived,
• Shareable, Non-shareable, Indexed, Transactional,
  Delete Inhibit
• Read, File Scan, Write, Modify, Erase, Change,
  Control
• Uses many systems to optimise multiuser
  performance
• Uses Name spaces to allow the appearance of a
  native drive to Unix, Macintosh, DOS, Long file
  names. Name spaces can be added as reqd
• Netware provides server functions and does not
  provide client workstation services
• Uses a flat database similar to Windows SAM for
  users and groups called the Bindery. Users and
  Groups are assigned as Trustees to files or
  folders with various rights and permissions,
  similarly to ACLs

39
Novell Netware 4-6

• Uses NSS (Netware Storage Services) file system
• up to 8 exabytes (8 million gigabytes)
• Dynamic sizing, pooling, off-line and near-line
  migration
• Similar file attributes and permission as NFS
• Uses NDS Netware Directory Services or eDirectory
  (based on X.500) for authentication across
  network, with support for replicas and partial
  replicas of DS database. NDS is journaled for
  integrity of large database. It has an extensible
  schema with 3rd party add-ons, and can
  communicate with other systems using XML, as well
  as ODBC, JBDC
• eDirectory supports Netware servers, Windows
  2000, Linux, Sun, IBM and HP AIX servers, as well
  as Windows, Macintosh, Linux workstations as
  integrated authentication.

40
NDS and Novell eDirectory

• Whereas Microsoft Active Directory is a Win2000
  application NDS is a service that will run and
  manage Netware, Windows NT, Win 2000, Win Tru64,
  various flavours of Unix and Linux etc
• NDS uses a concept of container objects and leaf
  objects, with simplified visibility called
  Context
• Container objects can include
• Organisation
• Country
• Organisation units
• Container objects can contain other containers or
  leaf objects
• Leaf Objects include
• Computers
• Users and groups of users
• Servers, volumes etc
• Alias allows objects to exist in various Contexts
• When managing Microsoft Networks seamlessly
  replaces the SAM Domain database

41
Linux File Systems

• Being a late operating system it not only has
  support for Unix roots file systems, but also for
  most other file systems.
• Common Linux specific File Systems include
• Ext2 (Extended File System )
• Is the usual native file system for Linux
• Uses inodes and allocation bitmaps (like NTFS)
• Ext3
• Adds journalling to Ext2
• Reiser
• Uses balanced tree indexing, is very efficient
  with large directories of small files (64k block
  size)
• Provides metadata journalling (like NTFS)
• JFS
• A journaled file system based on an IBM file
  systems from OS/2 Warp
• XFS
• Each of the above support ACLs. ACLs which were
  introduced in the Linux Kernel 2.5.46

42
Linux File Systems (cont)

• Storage Device Naming eg /dev/hda2
• The first two letter of a devicename are the
  type, eg hd IDE hard disk controller, sd for SCSI
  disk controller, fd for floppy disk,
• The next letter is the unit number eg had refers
  to the first disk drive
• The next number refer to the partition number
  starting at 1
• To access a file system under Linux it is
  necessary to mount the device and filesystem onto
  a certain directory.
• e.g. if you wished to mount an ntfs filesystem on
  the device hda2 to the directory /mtn
• mount t ntfs /dev/hda2 /mnt

43
Linux Permission Systems

• Traditionally Linux (and Unix) offer 3 sets of
  permissions for files and directories
• Read Write and Execute for the three groups
  Owner, Group and Others
• This can be very restrictive, being only one
  owner, and one group per file or directory.
• Additional control of permissions is provided
  with ACLs (like the Windows ACLs)
• Support for ACLs was first brought about for
  support for Samba (Microsoft file sharing
  support)
• Managed through the Getfacl and Setfacl programs,
  whereas traditional permissions are managed thru
  Chmod

44
Simple Linux Sharing

• For any administration of users permission etc
  you need to be logged in as the Super User named
  root
• To add a user
• useradd username
• To set a password
• passwd username
• To create a group
• groupadd groupname
• Add user to an initial login group
• usermod g groupname username
• Add user to a supplementary group
• usermod G groupname username
• Change permissions on a file or directory
• chown to change owner
• chgrp to change group
• chmod to set permissions for own, group and others

45
Linux Samba

• So that Linux can coexist with Windows users the
  Samba client and server services are used.
• The Samba client smbclient is used to access
  Windows servers
• The Samba server smb is used to create a Windows
  look-alike server.
• Samba servers user ACLs in configuration files,
  to simulate the ACLs of Windows servers

46
Linux Directory Services - NIS

• Linux machines are generally administered
  individually, with users, groups and permissions
  set on each machine
• NIS, Network Information Service, (also called
  Yellow Pages) allows machines to be placed in
  domains and centrally administered
• You can have multiple NIS server each serving
  different domains or
• You can have cooperating NIS servers with a
  master and slave servers (like Windows PDC and
  BDC)
• To use NIS client machines must have use a NIS
  client to login

47
NFS Network File Services

• NFS allows Linux / Unix Machines to mount remote
  file systems as directories in the local file
  system
• NIS is often used to help locate shared resources.

48
Macintosh File Systems

• A file on the Macintosh HFS (hierarchical file
  system) consists of two parts called forks
• The Data Fork is the contents of the file
• The Resource Fork contains information in the
  form of a database, such as the icon, the code of
  the program eg how it is executed (equivalent
  concept would be the extension in a FAT file),
  and other attributes
• In NTFS this concept is implemented as Alternate
  Data Streams, and like the ADS data and resource
  form associations are lost when transferring to
  other file systems. When transferring files
  across file systems BinHex and MacBinary systems
  are used.
• Permissions are similar to traditional Unix
  permissions ie R-ead, W-rite, e-X-ecute for
  Owner, Group and Others

49
Macintosh Sharing

• Sharing is very easy with the Macintosh. From the
  Apple Menu, Control Panel, Sharing and turn
  sharing on.
• Add users or groups Apple Menu, Users and Groups
• On the Mac drive select the folder and share it,
  and set permissions for a user or group of users.
• Apple computers are shown on the network in
  Zones, which is similar to a Windows workgroup
• The file system only allows simple Unix style
  permissions