Unit-V ACCESS CONTROL, ROOTLY POWERS AND CONTROLLING PROCESSES
ACCESS CONTROL
Access control is one of the major challenges of operating system design. The OS defines accounts for individual users and offers many possible operations: editing text files, logging in to remote computers, setting the system's hostname, installing new software, and so on. The access control system decides whether each requested action is permissible for the user who requests it.
TRADITIONAL UNIX ACCESS CONTROL
Traditional Unix never had a single, unified access control system; the rules are scattered through the kernel and the individual commands.
Filesystem access control: most devices are controlled and communicated with through the files that represent them in /dev, so filesystem permissions also govern access to hardware.
Every file has both an owner and a group owner, and the owner sets the file's permission bits. The owner, group and permissions of a file are shown by ls -l filename:
aix$ ls -l /home/garth/todo
-rw------- 1 garth staff 1258 Jun 4 18:15 /home/garth/todo
Here garth owns the file, the group owner is staff, and the mode -rw------- lets only garth read and write it.
The kernel and the filesystem track owners and groups as numbers rather than as text names: the UID, mapped to a username in /etc/passwd, and the GID, mapped to a group name in /etc/group.
TRADITIONAL UNIX ACCESS CONTROL cont..
Process ownership: the owner of a process can send it signals and can reduce (but not raise) its scheduling priority. Signals are process-level interrupt requests.
Processes carry several identities at once: a real, an effective and a saved UID (and likewise GID). The effective UID is the one consulted for file access permissions; the real UID records who actually started the process.
The root account: Unix's all-powerful administrative user, known as the superuser. Its username is "root" and its UID is 0. It is the UID of 0, not the name, that the kernel recognizes: the username could be changed, or additional UID-0 accounts created, but doing so is a bad idea because every such account is a second root. The kernel allows a process running as UID 0 to perform any valid operation on any file or process.
TRADITIONAL UNIX ACCESS CONTROL cont..
Examples of operations restricted to the superuser:
Changing the root directory of a process with chroot
Creating device files
Setting the system clock
Raising resource usage limits and process priorities
Setting the system's hostname
Configuring network interfaces
Opening privileged network ports (those numbered below 1,024)
Shutting down the system
Another example of superuser power is the ability of a root process to change its own UID and GID. This is how the login program works: it runs as root, authenticates the user, and then changes its identity to the user's UID and GID before starting the user's shell.
Setuid and setgid execution: these are Unix access-rights flags that let users run an executable with the permissions of the executable's owner or group, respectively. When the kernel runs an executable file that has its setuid or setgid permission bit set, it changes the effective UID or GID of the resulting process to the UID or GID of the file containing the program image.
Example: users must be able to change their own passwords, but passwords are stored in /etc/shadow, which only root may read or write. So passwd is a setuid-root command: it runs with root's effective UID for any user who invokes it, and must itself enforce that a user edits only their own entry.
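The two facts above, that the setuid bit lives in the file's mode and that a setuid-root file hands root's effective UID to anyone who can execute it, are what an administrator checks when auditing a system. The following is an added example, not code from the slides: it renders a mode the way ls -l does (the "s" in the owner's execute slot marks setuid) and walks a directory tree for setuid/setgid files with a given owner. The scratch directory, file names and the helper names are assumptions made for the example.

```python
import os
import stat
import tempfile


def mode_string(mode):
    """Render st_mode as ls -l does: s/S for setuid and setgid in the execute
    slots of owner and group, t/T for the sticky bit in the other slot.
    Lower case means the execute bit is also set; upper case means it is not."""
    kind = {
        stat.S_IFREG: "-", stat.S_IFDIR: "d", stat.S_IFLNK: "l", stat.S_IFCHR: "c",
        stat.S_IFBLK: "b", stat.S_IFIFO: "p", stat.S_IFSOCK: "s",
    }.get(stat.S_IFMT(mode), "?")
    out = [kind]
    for shift, special, letter in ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        executable = bool(bits & 1)
        if mode & special:
            out.append(letter if executable else letter.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def privileged_files(root, owner_uid=0):
    """List regular files under root that carry the setuid or setgid bit and are
    owned by owner_uid. With the default owner_uid=0 this is the classic audit
    of setuid-root binaries: each one runs as root for whoever can execute it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                  # lstat: never follow symlinks
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & (stat.S_ISUID | stat.S_ISGID)
                    and st.st_uid == owner_uid):
                found.append((path, mode_string(st.st_mode), st.st_uid))
    return found


def demo():
    """Build a scratch tree owned by the current user, mark one file setuid,
    and audit the tree for files the current user owns (assumed scratch names)."""
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, "todo")
        suid = os.path.join(root, "passwd-like")
        for path in (plain, suid):
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(plain, 0o600)      # -rw-------: the slide's todo file
        os.chmod(suid, 0o4755)      # u+s: owner's x slot becomes "s"
        hits = privileged_files(root, owner_uid=os.getuid())
        return [(os.path.basename(p), mode) for p, mode, _ in hits]


if __name__ == "__main__":
    for path, mode, uid in privileged_files("/usr/bin"):
        print(mode, uid, path)
```

Run as is, the final loop prints the real setuid/setgid files under /usr/bin that are owned by root, which is the list worth comparing against a known-good baseline. Note that Linux ignores the setuid bit on interpreter scripts; only native executables gain privilege this way.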
ACCESS CONTROL cont..
Traditional access control has some shortcomings:
From a security perspective, the root account represents a potential single point of failure: whoever obtains root controls everything.
The only way to subdivide the special privileges of the root account is by writing setuid programs, and every setuid program is a potential privilege-escalation bug.
The security model isn't strong enough for use on a network. No Unix machine can verify that a peer hasn't had its disk reformatted and a hacked copy of Windows or Linux installed, with UIDs of the attacker's choosing; a UID is meaningful only inside one system's own trust boundary.
Many high-security environments enforce conventions that simply can't be implemented with traditional Unix security.
Many access-control-related rules are embedded in the code of individual commands and daemons, so you cannot redefine the system's behavior without modifying the source code and recompiling.
There is minimal support for auditing. You can easily see which groups a user belongs to, but you can't necessarily determine what those group memberships permit a user to do.
MODERN ACCESS CONTROL
Role-based access control (RBAC) adds a layer of indirection to access control: permissions are assigned to intermediate constructs called roles, and roles are assigned to users. To make an access control decision, the access control library determines the roles of the current user and checks whether any of those roles has the appropriate permission.
Example: define a "senior administrator" role and give it the powers that group of people needs.
RBAC splits the supreme powers of the root account into many different fragments that can be separately assigned.
Example: Solaris uses groups (/etc/group), authorizations (/etc/security/auth_attr), profiles (/etc/security/prof_attr), and bindings among users, authorizations, and profiles (/etc/user_attr) to implement roles.
MODERN ACCESS CONTROL cont..
Authorizations have names such as solaris.admin.diskmgr, solaris.admin.patchmgr and solaris.admin.printer.
The Solaris commands to manipulate roles are roleadd, rolemod, and roledel.
MODERN ACCESS CONTROL cont..
PAM (Pluggable Authentication Modules) is an authentication technology, not an access control technology: it answers the question "How do I know this is really user X?", not "What is user X allowed to do?".
In the past, user passwords were simply checked against the /etc/shadow file. In the modern world of networks, cryptography and biometrics, a more flexible and open system is required.
PAM is a wrapper for a variety of method-specific authentication libraries. Administrators specify the authentication methods they want the system to use, along with the appropriate contexts for each one, without modifying the programs (login, sshd, su, sudo) that call PAM.
MODERN ACCESS CONTROL cont..
Kerberos (third-party cryptographic authentication): Kerberos also deals with authentication, but it is a specific authentication method rather than a framework; PAM is the wrapper and Kerberos is an actual implementation that PAM can call. You provide your credentials to the Kerberos service, and it issues you cryptographic credentials (tickets) that you can present to other services as evidence of your identity.
MODERN ACCESS CONTROL cont..
Access control lists (ACLs) are a generalization of the traditional user/group/other permission model that accommodates permissions for multiple users and groups at once. ACLs are part of the filesystem implementation, so they have to be explicitly supported by whatever filesystem you are using.
Examples: to give read and write permissions to user andrius:
# setfacl -m u:andrius:rw /project/somefile
To remove all permissions from the user with UID 500:
# setfacl -x u:500 /project/somefile
Viewing an ACL with getfacl:
$ getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
group::r-x
other::---
Here no named-user or named-group entries exist yet, so the ACL is exactly the traditional mode bits.
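What getfacl prints is the input to a fixed evaluation order in the kernel: owner entry, then a named user entry, then owning-group and named-group entries, then other, with the mask entry capping everything except the owner's and other's permissions. The following is an added example, not code from the slides, that parses getfacl output and applies that order. The sample ACL is a constructed version of the slide's mydir entries after "setfacl -m u:andrius:rw" (adding a named entry makes the filesystem add a mask entry too); the user and group names are assumptions.

```python
# Permission bits, as in a traditional mode triad and in each ACL entry.
R, W, X = 4, 2, 1

# Constructed getfacl output for the example.
SAMPLE_ACL = """\
# file: somefile
# owner: tux
# group: project3
user::rwx
user:andrius:rw-
group::r-x
mask::rwx
other::---
"""


def _bits(text):
    return (R if "r" in text else 0) | (W if "w" in text else 0) | (X if "x" in text else 0)


def parse_acl(text):
    """Parse getfacl output into the entry classes the kernel evaluates."""
    acl = {"named_users": {}, "named_groups": {}, "mask": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["owning_group"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            # "user:andrius:rw-   #effective:r--" may carry a trailing note; drop it
            tag, name, perms = line.split("#", 1)[0].strip().split(":")
            bits = _bits(perms)
            if tag == "user" and name:
                acl["named_users"][name] = bits
            elif tag == "user":
                acl["user_obj"] = bits
            elif tag == "group" and name:
                acl["named_groups"][name] = bits
            elif tag == "group":
                acl["group_obj"] = bits
            elif tag == "mask":
                acl["mask"] = bits
            elif tag == "other":
                acl["other"] = bits
    return acl


def has_access(acl, user, groups, wanted):
    """The acl(5) algorithm: the first class that matches the caller decides,
    and the mask caps every entry except the owner's and other's."""
    mask = acl["mask"] if acl["mask"] is not None else R | W | X
    granted = lambda bits: bits & wanted == wanted
    if user == acl["owner"]:
        return granted(acl["user_obj"])
    if user in acl["named_users"]:
        return granted(acl["named_users"][user] & mask)
    group_entries = [bits for g, bits in acl["named_groups"].items() if g in groups]
    if acl["owning_group"] in groups:
        group_entries.append(acl["group_obj"])
    if group_entries:                      # any one matching group entry suffices
        return any(granted(bits & mask) for bits in group_entries)
    return granted(acl["other"])


ACL = parse_acl(SAMPLE_ACL)
# The same ACL after "setfacl -m m::r", which silently caps andrius to read-only.
MASKED = parse_acl(SAMPLE_ACL.replace("mask::rwx", "mask::r--"))
```

The mask is the usual surprise: on Linux an ACL-bearing file shows the mask, not group::, in the group triad of ls -l, and a chmod of that triad rewrites the mask, which can quietly revoke the named-user permissions that setfacl appeared to grant.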
REAL-WORLD ACCESS CONTROL
Most sites still use the traditional root account for system administration.
Choosing a root password: the most important characteristic of a good password is length; eight characters is a minimum, not a target. The "shocking nonsense" approach: make up a short phrase or sentence that is both nonsensical and shocking in the culture of the user, which makes it easy for you to remember and hard for anyone else to guess.
For multiple machines: machines that are clones of one another may share a root password; servers should each have a unique password.
Change the root password at least every three months or so, and immediately whenever someone who knew it leaves or you suspect it has been exposed.
REAL-WORLD ACCESS CONTROL cont..
Logging in to the root account: you can log in directly as root and do whatever you like to the system, but this is a bad idea: it leaves no record of which operations were performed as root, or by whom.
su: substitute user identity. A better way to access root is the su command. Without arguments, su prompts for the root password and starts a root shell; root privileges remain in effect until you terminate that shell by typing <Control-D> or the exit command. su does create a log entry that states who became root and when (though not what they did). su can also substitute any other identity:
su - username
The dash makes su start a login shell, so you get the target user's environment rather than your own.
REAL-WORLD ACCESS CONTROL cont..
sudo: limited su ("superuser do"). Often you want to let someone do one task (backups, for example) without giving that person free run of the system. The solution is the program sudo. Its configuration file, /etc/sudoers (or /usr/local/etc/sudoers on some installations), lists which users may run which subset of commands, on which hosts, with the privileges of root (or of another user). Solaris's pfexec command implements a facility similar to sudo.
sudo takes as its argument a command line to be executed as root. It keeps a log of the command lines that were executed, the hosts on which they were run, the people who requested them, the directory from which they were run, and the times at which they were invoked.
Example:
$ sudo mount /dev/sda3 /mnt
To get a root shell from your user account:
$ sudo bash
Note that once a shell is running under sudo, the commands typed into it are no longer logged individually, which defeats much of sudo's purpose; sudoers files therefore commonly forbid shells, as the example below does.
REAL-WORLD ACCESS CONTROL cont..
A sample sudoers file:
# Define aliases for machines in CS & Physics departments
Host_Alias CS = tigger, anchor, piper, moet, sigi
Host_Alias PHYSICS = eprince, pprince, icarus
# Define collections of commands
Cmnd_Alias DUMP = /sbin/dump, /sbin/restore
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/bash, /bin/ksh, /bin/bsh
# Permissions
mark, ed PHYSICS = ALL
herb CS = /usr/sbin/tcpdump : PHYSICS = (operator) DUMP
lynda ALL = (ALL) ALL, !SHELLS
%wheel ALL, !PHYSICS = NOPASSWD: PRINTING
Reading the permission lines: mark and ed may run any command on the PHYSICS hosts; herb may run tcpdump on the CS hosts and the DUMP commands as user operator on the PHYSICS hosts; lynda may run anything as anyone on any host except the listed shells; members of group wheel may run the PRINTING commands without a password on every host except the PHYSICS ones.
REAL-WORLD ACCESS CONTROL cont..
To modify /etc/sudoers, use the visudo command: it locks the file against concurrent edits and checks the syntax before installing it, so a typo cannot lock everyone out of sudo.
The use of sudo has the following advantages:
Operators can do tasks without unlimited root privileges.
The real root password can be known to only one or two people.
It's faster to use sudo than to use su or to log in as root.
Privileges can be revoked without the need to change the root password.
A canonical list of all users with root privileges is maintained.
There is less chance of a root shell being left unattended.
A single file can be used to control access for an entire network.
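The sample sudoers file above is evaluated by rules that are easy to get wrong: lists are scanned in order and the last matching entry wins, a leading "!" turns a match into a denial, aliases expand to their members, and a user spec can carry several host sections separated by ":". The following is an added example, not part of the slides or of sudo itself, that parses the file above (embedded as its input) and answers "may this user run this command on this host?" under those rules. It handles only the constructs the sample uses (no command arguments, no user negation), which is an assumption of the example.

```python
import re

# The sudoers file from the slide, used here as the example's input.
SUDOERS = """\
# Define aliases for machines in CS & Physics departments
Host_Alias CS = tigger, anchor, piper, moet, sigi
Host_Alias PHYSICS = eprince, pprince, icarus
# Define collections of commands
Cmnd_Alias DUMP = /sbin/dump, /sbin/restore
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/bash, /bin/ksh, /bin/bsh
# Permissions
mark, ed PHYSICS = ALL
herb CS = /usr/sbin/tcpdump : PHYSICS = (operator) DUMP
lynda ALL = (ALL) ALL, !SHELLS
%wheel ALL, !PHYSICS = NOPASSWD: PRINTING
"""


def _items(text):
    """'a, !b ,c' -> ['a', '!b', 'c']"""
    return [t.strip() for t in text.split(",") if t.strip()]


def parse_sudoers(text):
    aliases = {"Host_Alias": {}, "Cmnd_Alias": {}}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind = line.split()[0]
        if kind in aliases:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = _items(members)
            continue
        # User spec: User_List Host_List = Cmnd_Spec [: Host_List = Cmnd_Spec ...]
        # The colon of the NOPASSWD: tag must not be taken for a section separator.
        line = re.sub(r"\b(NOPASSWD|PASSWD):", r"\1", line)
        left, right = line.split("=", 1)
        tokens = left.split()
        users = []
        while tokens:                           # a trailing comma continues the user list
            tok = tokens.pop(0)
            users.append(tok.rstrip(","))
            if not tok.endswith(","):
                break
        for section in (" ".join(tokens) + " = " + right).split(":"):
            hosts, cmdspec = section.split("=", 1)
            m = re.match(r"\s*(?:\((\w+)\))?\s*(NOPASSWD|PASSWD)?\s*(.*)", cmdspec)
            specs.append({
                "users": users,
                "hosts": _items(hosts),
                "runas": m.group(1) or "root",   # sudo's default target user
                "nopasswd": m.group(2) == "NOPASSWD",
                "cmds": _items(m.group(3)),
            })
    return aliases, specs


def _match_list(items, candidate, aliases):
    """sudoers list semantics: scan in order, the last matching item decides,
    and a leading '!' makes that match a denial. None means nothing matched."""
    decision = None
    for item in items:
        negated = item.startswith("!")
        members = aliases.get(item.lstrip("!"), [item.lstrip("!")])
        if "ALL" in members or candidate in members:
            decision = not negated
    return decision


def _match_user(items, user, groups):
    return any(i == "ALL" or i == user or (i.startswith("%") and i[1:] in groups)
               for i in items)


def may_run(user, groups, host, command, config=SUDOERS):
    """None if no rule applies; otherwise the verdict of the last applicable rule."""
    aliases, specs = parse_sudoers(config)
    result = None
    for spec in specs:
        if not _match_user(spec["users"], user, groups):
            continue
        if _match_list(spec["hosts"], host, aliases["Host_Alias"]) is not True:
            continue
        verdict = _match_list(spec["cmds"], command, aliases["Cmnd_Alias"])
        if verdict is not None:
            result = {"allowed": verdict, "runas": spec["runas"], "nopasswd": spec["nopasswd"]}
    return result
```

The lynda line is the one to study: "(ALL) ALL, !SHELLS" grants everything and then takes the shells back, which only works because the later entry wins. Real sudo also matches command arguments and has many more keywords; for a production file, "sudo -l -U user" asks sudo itself what it would allow.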
REAL-WORLD ACCESS CONTROL cont..
Drawbacks of sudo: the major drawback of sudo-based access control is that the system remains vulnerable to total compromise if the root account itself is penetrated; sudo controls the route to root, not what root can do. Also, any permitted command that can spawn a shell or write arbitrary files (editors, pagers, scripting interpreters) is in effect a grant of full root, so the command list must be chosen with care.
REAL-WORLD ACCESS CONTROL cont..
Password vaults and password escrow: a password vault is a piece of software (or a combination of software and hardware) that stores passwords.
Why a vault is needed:
Passwords are needed to log in to computers, access web pages, configure routers and firewalls, and administer remote services; there are too many to remember, so people reuse them or write them down.
Weak passwords are easily broken.
Regulations may require that access to certain data be traceable to a single person, which rules out shared logins such as root.
In some cases security requires two-factor authentication, for example a password or passphrase plus a challenge/response exchange.
REAL-WORLD ACCESS CONTROL cont..
Several password vault implementations are available. Free ones for individuals (e.g., KeePass) store passwords locally and give all-or-nothing access to the password database.
The simplest implementation of password escrow is physical: store written passwords in tamper-evident, serial-numbered bags of the type used by police to hold crime-scene evidence, so that any use of an escrowed password is detectable.
PAM Password Escrow is a Linux PAM module and a set of PostgreSQL stored procedures that capture and store encrypted passwords. It is intended to facilitate migration of credentials to a different authentication system.
PSEUDO-USERS OTHER THAN ROOT
Several other pseudo-users are defined by the system. You can identify these accounts by their low UIDs, usually less than 100.
It's customary to replace the encrypted password field of these special users in /etc/shadow with a star (or another string that can never match a password hash) so that their accounts cannot be logged in to.
Files and processes that are part of the OS but that need not be owned by root are sometimes given to such users, for example bin or daemon, so that a compromise of that software does not directly yield root.
Example: the Network File System (NFS) uses the nobody account to represent root on other systems, because a remote root should not be trusted as the local root. This convention helps avoid the security hazards associated with ownership by root.
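The conventions above (low UID, locked password field, no interactive shell) and the earlier warning about extra UID-0 accounts are all mechanically checkable. The following is an added example, not code from the slides, that audits passwd and shadow data for violations. The two files are constructed excerpts with two planted problems (toor and postgres); the threshold and shell list are assumptions of the example.

```python
# Constructed /etc/passwd and /etc/shadow excerpts for the example.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
garth:x:1001:1001:Garth:/home/garth:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$hash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
lp:*:19000:0:99999:7:::
toor:$6$saltsalt$hash:19000:0:99999:7:::
postgres:$6$saltsalt$hash:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
garth:$6$saltsalt$hash:19000:0:99999:7:::
"""

SYSTEM_UID_MAX = 99                       # "low UIDs, usually less than 100"
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            accounts[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return accounts


def parse_shadow(text):
    """name -> password field (second column)."""
    return {line.split(":")[0]: line.split(":")[1] for line in text.splitlines() if line}


def is_locked(field):
    """'*', '!', '!!' and '*LK*' can never equal a hash, so they lock the account."""
    return field.startswith(("*", "!"))


def audit(passwd_text, shadow_text):
    """Return (account, problem) pairs for pseudo-users that break the conventions,
    plus any non-root account that has UID 0."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for name, acct in parse_passwd(passwd_text).items():
        if acct["uid"] == 0 and name != "root":
            findings.append((name, "extra UID 0 account: a second root"))
        if name == "root" or acct["uid"] > SYSTEM_UID_MAX:
            continue                      # only pseudo-users below this line
        field = shadow.get(name)
        if field is None:
            findings.append((name, "no shadow entry"))
        elif field == "":
            findings.append((name, "empty password field: logs in without a password"))
        elif not is_locked(field):
            findings.append((name, "usable password on a pseudo-user"))
        if acct["shell"] not in NOLOGIN_SHELLS:
            findings.append((name, "interactive shell " + acct["shell"]))
    return findings


if __name__ == "__main__":
    for name, problem in audit(PASSWD, SHADOW):
        print(f"{name}: {problem}")
```

On a live system, run the same audit over the real files (reading /etc/shadow needs root) and treat every finding as a question to answer, not necessarily a bug: some service accounts legitimately need a shell for cron jobs or su.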
CONTROLLING PROCESSES
A process is the abstraction used by UNIX and Linux to represent a running program. It's the object through which a program's use of memory, processor time, and I/O resources can be managed and monitored. System and user processes all follow the same rules.
COMPONENTS OF A PROCESS
A process consists of an address space and a set of data structures within the kernel. The address space is a set of memory pages; it contains the code and libraries that the process is executing, the process's variables, its stacks, and various extra information needed by the kernel while the process is running.
COMPONENTS OF A PROCESS cont..
The kernel's internal data structures record various pieces of information about each process:
The process's address space map
The current status of the process (sleeping, stopped, runnable, etc.)
The execution priority of the process
Information about the resources the process has used
Information about the files and network ports the process has opened
The process's signal mask (a record of which signals are blocked)
The owner of the process
The parameters most important from the system administrator's point of view:
PID (process ID number): the kernel assigns a unique ID number to every process. Most commands and system calls that manipulate processes require you to specify a PID to identify the target of the operation.
COMPONENTS OF A PROCESS cont..
PPID (parent PID): neither UNIX nor Linux has a system call that directly starts a new process running a particular program. An existing process must clone itself to create a new process, which then replaces its own program image. The PPID attribute of a process is the PID of the parent from which it was cloned. PPID is useful when you're confronted with an unrecognized (and possibly misbehaving) process: following the chain of parents back traces it to its origin.
COMPONENTS OF A PROCESS cont..
UID and EUID (real and effective user ID): a process's UID is the user identification number of the person who created it; more precisely, it is a copy of the UID of the parent process. The EUID is the "effective" user ID, an extra UID used to determine what resources and files a process has permission to access. The two are kept separate to maintain a distinction between identity (who started this process) and permission (what it may do); they differ only while a setuid program is running. Linux also defines a nonstandard FSUID process parameter that controls the determination of filesystem permissions; it normally tracks the EUID.
COMPONENTS OF A PROCESS cont..
GID and EGID (real and effective group ID): the GID is the group identification number of a process. The EGID is related to the GID in the same way that the EUID is related to the UID. A process can be a member of many groups at once (its supplementary groups), all of which are consulted for permission checks; the GID itself matters mainly when the process creates new files, which become group-owned by it.
THE LIFE CYCLE OF A PROCESS
When the system boots, the kernel autonomously creates and installs several processes. The most notable of these is init, which is always process number 1. All processes other than the ones the kernel creates are descendants of init. init also plays another important role in process management: it adopts orphaned processes and collects the exit status of those that finish.
To create a new process, a process copies itself with the fork system call. fork creates a copy of the original process; the new process has a distinct PID and its own accounting information. fork has the unique property of returning two different values: zero to the child process and the PID of the newly created child to the parent process.
After a fork, the child process will often use one of the exec family of system calls to begin the execution of a new program.
When a process completes, it calls a routine named _exit to notify the kernel that it is ready to die. It supplies an exit code that its parent collects with wait; until the parent does so, the finished process lingers as a "zombie".
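The fork, exec, _exit and wait sequence above is what every shell does to run a command. The following is an added example, not code from the slides: it performs the sequence from Python (which exposes the same system calls), shows the two return values of fork and the child's PPID, decodes the wait status, and then lets a child exit without reaping it so the zombie state can be observed in /proc. The command run and the use of /proc/<pid>/stat (Linux-specific; the function returns None elsewhere) are assumptions of the example.

```python
import os


def run(argv):
    """Fork, exec in the child, wait in the parent: what a shell does per command.
    Returns (child_pid, child_saw_our_pid_as_ppid, exit_code); a child killed by
    a signal is reported as the negative signal number, as the shell's $? cannot."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                     # fork() returned 0: this is the child
        os.close(r)
        os.write(w, str(os.getppid()).encode())     # the child's PPID is the parent's PID
        os.close(w)
        try:
            os.execv(argv[0], argv)                  # replaces this image; never returns on success
        except OSError:
            os._exit(127)                            # exec failed: _exit(), never exit(), after fork
    os.close(w)                                      # parent: fork() returned the child's PID
    seen_ppid = int(os.read(r, 32))
    os.close(r)
    _, status = os.waitpid(pid, 0)                   # blocks until the child calls _exit()
    if os.WIFEXITED(status):
        code = os.WEXITSTATUS(status)
    else:
        code = -os.WTERMSIG(status)
    return pid, seen_ppid == os.getpid(), code


def observe_zombie():
    """Let a child exit without reaping it, then look at it from outside.
    Returns the state letter from /proc/<pid>/stat ('Z'), or None without /proc."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)
    # waitid() with WNOWAIT reports that the child has exited but leaves it unreaped.
    os.waitid(os.P_PID, pid, os.WEXITED | os.WNOWAIT)
    state = None
    try:
        with open(f"/proc/{pid}/stat") as f:
            state = f.read().rsplit(")", 1)[1].split()[0]   # field 3, after "(comm)"
    except OSError:
        pass
    os.waitpid(pid, 0)                               # reap it: PID and table slot are freed
    return state


if __name__ == "__main__":
    print(run(["/bin/sh", "-c", "exit 3"]))
    print(run(["/bin/sh", "-c", "kill -TERM $$"]))
    print(observe_zombie())
```

A parent that never calls wait leaves a zombie per exited child; ps shows them as Z and <defunct>, and they cannot be killed because they are already dead. When the parent itself exits, init adopts and reaps them, which is the other role of init mentioned above.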
SIGNALS
Signals are used to notify a process or thread of a particular event. Signals are process-level interrupt requests. They're used in a variety of ways:
They can be sent among processes as a means of communication.
They can be sent by the terminal driver to kill, interrupt, or suspend processes when keys such as <Control-C> and <Control-Z> are typed.
They can be sent by an administrator (with kill) to achieve various ends.
They can be sent by the kernel when a process commits an infraction such as division by zero.
They can be sent by the kernel to notify a process of an "interesting" condition such as the death of a child process or the availability of data on an I/O channel.
SIGNALS cont..
When a signal is received, one of two things can happen. If the receiving process has designated a handler routine for that particular signal, the handler is called. Otherwise the kernel takes some default action on behalf of the process (terminate it, terminate it with a core dump, stop it, or ignore the signal, depending on the signal).
Specifying a handler routine for a signal within a program is referred to as catching the signal.
Programs can also request that a signal be ignored or blocked. An ignored signal is simply discarded and has no effect on the process. A blocked signal is queued for delivery, but the kernel doesn't require the process to act on it until the signal has been explicitly unblocked.
SIGNALS cont..
KILL is unblockable and terminates a process at the kernel level. A process can never actually receive this signal, so it cannot catch it, ignore it, or clean up first.
INT is sent by the terminal driver when you type <Control-C>. It's a request to terminate the current operation. Simple programs should quit (if they catch the signal) or simply allow themselves to be killed, which is the default.
TERM is a request to terminate execution completely. It's expected that the receiving process will clean up its state and exit.
HUP has two common interpretations. First, it's understood as a reset request (re-read the configuration file) by many daemons. Second, HUP signals are sometimes generated by the terminal driver in an attempt to "clean up" (i.e., kill) the processes attached to a particular terminal when that terminal is closed.
SIGNALS cont..
QUIT is similar to TERM, except that it defaults to producing a core dump if not caught. (A core dump is a recording of the state of a program's working memory at a specific time, written to a file for later debugging.)
The signals USR1 and USR2 have no set meaning. They're available for programs to use in whatever way they'd like. For example, the Apache web server interprets the USR1 signal as a request to gracefully restart.
KILL: SEND SIGNALS
The kill command is most often used to terminate a process. kill can send any signal, but by default it sends TERM. kill can be used by normal users on their own processes or by root on any process. The syntax is
kill [-signal] pid
Example: kill -9 pid sends KILL, which the process cannot catch. Try a plain kill (TERM) first so that the process can clean up, and use -9 only when it does not respond.
Under Linux, killall kills processes by name:
ubuntu$ sudo killall httpd
The UNIX killall command that ships with Solaris, HP-UX, and AIX takes no arguments and simply kills all the current user's processes, so be sure which one you are typing.
The pgrep and pkill commands for Solaris, HP-UX, and Linux search for (and signal) processes by name or other attributes, for example all processes owned by user ben:
$ sudo pkill -u ben
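The vocabulary of the last three slides (catching, ignoring, blocking, and the uncatchable KILL) can be exercised directly, since Python exposes the same signal calls. The following is an added example, not code from the slides: the first function does it all within one process, and the second reproduces the administrator's escalation from kill (TERM) to kill -9 against a child that ignores TERM, exactly the situation the "use -9 only when it does not respond" advice is about. The handler behaviour and timings are assumptions of the example.

```python
import os
import signal
import time


def catch_ignore_block():
    """In this process: catch TERM, ignore USR2, block USR1 and watch it sit in the
    pending set until unblocked, and confirm that KILL cannot be caught at all.
    Returns (names of signals whose handler ran, usr1_was_pending, kill_catchable)."""
    seen = []
    handler = lambda signo, frame: seen.append(signal.Signals(signo).name)
    signal.signal(signal.SIGTERM, handler)                  # "catching" the signal
    os.kill(os.getpid(), signal.SIGTERM)                    # handler runs; process survives
    signal.signal(signal.SIGUSR2, signal.SIG_IGN)           # ignored: discarded, no effect
    os.kill(os.getpid(), signal.SIGUSR2)
    signal.signal(signal.SIGUSR1, handler)
    signal.pthread_sigmask(signal.SIG_BLOCK, {signal.SIGUSR1})
    os.kill(os.getpid(), signal.SIGUSR1)                    # queued, not delivered
    usr1_pending = signal.SIGUSR1 in signal.sigpending()
    signal.pthread_sigmask(signal.SIG_UNBLOCK, {signal.SIGUSR1})   # delivered now
    try:
        signal.signal(signal.SIGKILL, handler)
        kill_catchable = True
    except (OSError, ValueError):                           # the kernel refuses (EINVAL)
        kill_catchable = False
    for s in (signal.SIGTERM, signal.SIGUSR1, signal.SIGUSR2):
        signal.signal(s, signal.SIG_DFL)                    # restore the defaults
    return seen, usr1_pending, kill_catchable


def terminate_stubborn_child():
    """kill, then kill -9: a child that ignores TERM survives it; KILL always works.
    Returns (survived_term, died_of_kill)."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                            # the misbehaving daemon
        os.close(r)
        signal.signal(signal.SIGTERM, signal.SIG_IGN)
        os.write(w, b"ready")                               # tell the parent we are set up
        os.close(w)
        while True:
            time.sleep(60)
    os.close(w)
    os.read(r, 5)
    os.close(r)
    os.kill(pid, signal.SIGTERM)                            # polite request: ignored
    time.sleep(0.2)
    survived_term = os.waitpid(pid, os.WNOHANG) == (0, 0)   # still running
    os.kill(pid, signal.SIGKILL)                            # kill -9: never delivered, just done
    _, status = os.waitpid(pid, 0)
    died_of_kill = os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGKILL
    return survived_term, died_of_kill


if __name__ == "__main__":
    print(catch_ignore_block())
    print(terminate_stubborn_child())
```

The price of -9 is visible in the second function: the child gets no chance to run cleanup, so a real daemon killed this way may leave stale lock files, half-written state or unflushed logs behind.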
PROCESS STATES
A process is not automatically eligible to receive CPU time just because it exists. You need to be aware of the four execution states: runnable (the process can be executed and is waiting only for the CPU), sleeping (it is waiting for some resource, such as I/O), zombie (it has finished but its parent has not yet collected its exit status), and stopped (it has been suspended, for example by <Control-Z> or the STOP signal, and is not allowed to run until it receives CONT).
NICE AND RENICE: INFLUENCE SCHEDULING PRIORITY
The "niceness" of a process is a numeric hint to the kernel about how the process should be treated in relation to other processes contending for the CPU. The name comes from the idea that the value determines how nice you are going to be to other users of the system. A high nice value means a low priority for your process: you are being nice. A low or negative value means high priority: you are not very nice. The most common range is -20 to +19.
An ordinary user may only raise the nice value of their own processes (lowering their priority) and cannot lower it again; the superuser may set nice values arbitrarily. Today the scheduler does a good job of servicing all processes, so manual nicing is rarely needed.
A process's nice value can be set at the time of creation with the nice command and adjusted later with the renice command:
$ nice -n 5 ~/bin/longtask
Lowers priority (raises nice) by 5
$ sudo renice -5 8829
Sets the nice value of PID 8829 to -5
$ sudo renice 5 -u boggs
Sets the nice value of all of boggs's processes to 5
Note that nice takes a relative increment while renice takes an absolute target value, and that the syntax differs somewhat among systems (csh, for example, has a built-in nice of its own); check the manual page.
The most commonly niced process in the modern world is ntpd, the clock synchronization daemon.
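The nice and renice commands are thin wrappers over two system calls, and the asymmetry of the slide above (anyone may raise a nice value, only root may lower one) is enforced by the kernel in those calls. The following is an added example, not code from the slides, that does what nice(1) does (nice before exec, in a child so the caller is untouched) and what renice(8) does (setpriority on another PID), and reports what the kernel permitted. The increments and the use of a sleeping Python child are assumptions of the example.

```python
import os
import signal
import time


def nice_like_nice_command(increment):
    """nice(1) calls nice(2) and then execs the command. Done in a child so the
    caller's own priority is untouched. Returns (permitted, observed_delta)."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        before = os.getpriority(os.PRIO_PROCESS, 0)      # 0 = this process
        try:
            after = os.nice(increment)                    # returns the new nice value
            reply = f"ok {after - before}"
        except PermissionError:                           # lowering the value unprivileged
            reply = "eperm 0"
        os.write(w, reply.encode())
        os._exit(0)
    os.close(w)
    word, delta = os.read(r, 64).decode().split()
    os.close(r)
    os.waitpid(pid, 0)
    return word == "ok", int(delta)


def renice_like_renice_command(delta):
    """renice(8) calls setpriority(2) on another PID. Raise a sleeping child's
    nice value by delta, then try to put it back. Returns (raised_by, restored)."""
    pid = os.fork()
    if pid == 0:
        while True:                                       # a long-running task to renice
            time.sleep(60)
    try:
        start = os.getpriority(os.PRIO_PROCESS, pid)
        os.setpriority(os.PRIO_PROCESS, pid, start + delta)   # raising: always allowed
        raised_by = os.getpriority(os.PRIO_PROCESS, pid) - start
        try:
            os.setpriority(os.PRIO_PROCESS, pid, start)       # lowering again: root only
            restored = True
        except PermissionError:
            restored = False
    finally:
        os.kill(pid, signal.SIGKILL)
        os.waitpid(pid, 0)
    return raised_by, restored


if __name__ == "__main__":
    print(nice_like_nice_command(5))    # (True, 5) for any user
    print(nice_like_nice_command(-5))   # (False, 0) unprivileged, (True, -5) as root
    print(renice_like_renice_command(5))
```

Run unprivileged, the second call fails with EPERM and the renice cannot be undone; run as root both succeed. Linux additionally lets an administrator grant ordinary users a floor via the RLIMIT_NICE resource limit, which is why a deliberately configured system may not show the EPERM.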
PS: MONITOR PROCESSES
ps is the system administrator's main tool for monitoring processes. ps can show the PID, UID, priority, and control terminal of processes. It also gives information about how much memory a process is using, how much CPU time it has consumed, and its current status (running, stopped, sleeping, etc.).
Example:
redhat$ ps aux
The a option means to show all processes (not just your own), x means to show even processes that don't have a control terminal, and u selects the "user-oriented" output format. These are BSD-style options and are written without a leading dash; the System V style (ps -ef) uses a dash and different letters.
Fields in ps aux output:
Field    Contents
USER     Username of the process's owner
PID      Process ID
%CPU     Percentage of the CPU this process is using
%MEM     Percentage of real memory this process is using
VSZ      Virtual size of the process
RSS      Resident set size (number of pages in memory)
TTY      Control terminal ID
STAT     Current process status:
           R = Runnable
           D = In uninterruptible sleep
           S = Sleeping (< 20 sec)
           T = Traced or stopped
           Z = Zombie
         Additional flags:
           W = Process is swapped out
           < = Process has higher than normal priority
           N = Process has lower than normal priority
           L = Some pages are locked in core
           s = Process is a session leader
TIME     CPU time the process has consumed
COMMAND  Command name and arguments
Another useful format:
redhat$ ps lax
The l (long) format adds fields such as the parent PID (PPID), the nice value (NI) and the wait channel (WCHAN), which is what you need to trace an unfamiliar process back to its parent or to see why it is sleeping.
DYNAMIC MONITORING WITH TOP, PRSTAT, AND TOPAS
Because ps offers only a one-time snapshot of your system, it is often difficult to grasp the big picture of what's really happening. top is a free utility that runs on many systems and provides a regularly updated summary of active processes and their use of resources. On AIX, an equivalent utility is topas, and on Solaris the analogous tool is prstat. By default, the display updates every 10 seconds (Linux top uses 3 seconds). The most CPU-consumptive processes appear at the top.
THE /PROC FILESYSTEM
The Linux versions of ps and top read their process status information from the /proc directory, a pseudo-filesystem in which the kernel exposes a variety of interesting information about the system's state. The information is not limited to process information: a variety of status information and statistics generated by the kernel are represented here. Because the kernel creates the contents of /proc files on the fly (as they are read), most appear to be empty (size 0) when listed with ls -l. Each process has a numbered subdirectory, /proc/<pid>; /proc/1 is always the directory that contains information about init.
The fd subdirectory of each process directory represents its open files in the form of symbolic links, one per file descriptor number. File descriptors that are connected to pipes or network sockets don't have an associated filename, so their links point to pseudo-names such as pipe:[inode] or socket:[inode] instead.
Solaris and AIX also have a /proc filesystem, but it does not include the extra status and statistical information found on Linux.
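Since ps and top on Linux are readers of /proc, the fields of the ps table above can be recovered directly from the per-process files, which also exposes what ps does not show, such as the real, effective and saved UIDs on one line of status, and the signals a process has blocked, ignored or caught. The following is an added example serving both the ps slides and this one, not code from the slides or from procps: it parses status and stat, walks /proc to produce a minimal ps listing, and lists a process's fd links. The two sample files are constructed (a hypothetical sshd with nice value 5) so the parsers can be checked offline; the live functions need Linux and return nothing useful elsewhere.

```python
import os

# Constructed /proc/<pid>/status excerpt (only lines the parser uses).
SAMPLE_STATUS = (
    "Name:\tsshd\n"
    "State:\tS (sleeping)\n"
    "Pid:\t1044\n"
    "PPid:\t1\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "SigBlk:\t0000000000000000\n"
    "SigIgn:\t0000000000001000\n"
    "SigCgt:\t0000000000014005\n"
)
# Constructed /proc/<pid>/stat. The command name sits in parentheses and may
# contain spaces, so fields are counted from the closing parenthesis: field 3
# is the state, 4 the PPID, 18 the priority and 19 the nice value.
SAMPLE_STAT = ("1044 (sshd) S 1 1044 1044 0 -1 4194560 1055 0 0 0 1 2 0 0 25 5 1 0 "
               "2431 82165760 906 18446744073709551615")


def _signals_in(mask_hex):
    """/proc signal masks are hex; bit n-1 set means signal number n."""
    mask = int(mask_hex, 16)
    return [n for n in range(1, 65) if mask >> (n - 1) & 1]


def parse_status(text):
    """The Uid and Gid lines hold real, effective, saved and filesystem IDs in that order."""
    raw = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        raw[key] = value.strip()
    ids = ("real", "effective", "saved", "fs")
    return {
        "name": raw["Name"],
        "state": raw["State"][0],               # the ps STAT letter
        "ppid": int(raw["PPid"]),
        "uid": dict(zip(ids, map(int, raw["Uid"].split()))),
        "gid": dict(zip(ids, map(int, raw["Gid"].split()))),
        "blocked": _signals_in(raw.get("SigBlk", "0")),
        "ignored": _signals_in(raw.get("SigIgn", "0")),
        "caught": _signals_in(raw.get("SigCgt", "0")),
    }


def parse_stat(text):
    """Return (state, ppid, nice) from /proc/<pid>/stat."""
    after = text.rsplit(")", 1)[1].split()     # after[i] is field i+3
    return after[0], int(after[1]), int(after[16])


def list_processes():
    """A minimal ps: every numbered directory in /proc is a process."""
    rows = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as f:
                st = parse_status(f.read())
            with open(f"/proc/{entry}/stat") as f:
                _, _, nice = parse_stat(f.read())
            with open(f"/proc/{entry}/cmdline", "rb") as f:   # NUL-separated argv
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue                            # it exited while we were looking
        rows.append({"pid": int(entry), "ppid": st["ppid"], "uid": st["uid"]["effective"],
                     "state": st["state"], "nice": nice,
                     "cmd": cmd or f"[{st['name']}]"})   # kernel threads have no cmdline
    return sorted(rows, key=lambda r: r["pid"])


def open_files(pid):
    """One symlink per descriptor; pipes and sockets resolve to pipe:[n] / socket:[n]."""
    fds = {}
    fd_dir = f"/proc/{pid}/fd"
    for n in os.listdir(fd_dir):
        try:
            fds[int(n)] = os.readlink(os.path.join(fd_dir, n))
        except OSError:
            pass
    return fds


def self_check():
    """Cross-check /proc's view of this process against the kernel's direct answers."""
    if not os.path.isdir("/proc/self"):
        return True                             # not Linux: no per-process /proc entries
    with open("/proc/self/status") as f:
        st = parse_status(f.read())
    return (st["ppid"] == os.getppid() and st["uid"]["effective"] == os.geteuid()
            and st["state"] == "R")             # we are running while we read this


if __name__ == "__main__":
    for row in list_processes():
        print(f"{row['uid']:>6} {row['pid']:>7} {row['ppid']:>7} {row['state']} {row['nice']:>3} {row['cmd']}")
    print(open_files(os.getpid()))
```

In the sample, SigIgn 0x1000 is bit 12, i.e. signal 13 (PIPE), and SigCgt 0x14005 decodes to signals 1, 3, 15 and 17 (HUP, QUIT, TERM, CHLD), which is how you can tell from outside whether a daemon would honour a plain kill before reaching for -9.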