1 / 13

Sharing Files Richard Newman based on Smith “Elementary Information Security”

This article explores the considerations and best practices for implementing tailored file sharing policies, including isolation, privacy, and shared reading. It covers file sharing on Windows, Unix, and Mac systems, as well as access control lists (ACLs) and permissions. Learn how to optimize file sharing for different user groups and individual needs.

gaona
Download Presentation

Sharing Files Richard Newman based on Smith “Elementary Information Security”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Sharing FilesRichard Newmanbased on Smith “Elementary Information Security”

  2. File Sharing Policies Generic • Isolation • Share everything Tailored • Privacy • Shared Reading • Shared Updating

  3. Tailored File Sharing Policy Considerations Which objects are involved • By owner • By project • By type Which users are granted new rights • Individual • Group • Role • Role relative to X Default access • Deny or allow? What access rights to enforce • R, W, X, ... • Conditions?

  4. File Sharing on Windows Default: Isolation Per folder file sharing • Chose people to share with • Permission level Permission levels • Owner – full access, owns folder • Co-owner – full access, doesn't own folder • Contributor (not in Windows 7) – create files, modify own files • Reader – read files in folder

  5. User Groups Unix, “professional” Windows Implementation of group access • File has group owner attribute, and group access rights • Group named on ACL with access rights Implementation of groups • Special file – edited • System file accessed through utilities • Built-in groups • Administrators, wheel group, per-user group • Associate user ID with group upon login • Allows more precise audit

  6. Least Privilege Administrator access • Log in as admin • Log in as user with admin rights (in group) • Log in as regular user, but ability to authenticate as admin for specific programs, actiions (sudo, etc.) • Switch mode as needed (setuid) • UAC – User Account Control - “permission to continue”

  7. Posix File Permissions Three classes of entity relative to a file • User (Owner) – one uid per file • Group – one gid per file • Other (World) • Of course, there is always root.... Access permission bits – rwx • r – read file or directory listing • w – write/modify file or create/rename/delete files in directory • x – execute file or use directory in path Changing permissions • chmod • chown • chgrp

  8. Rights Ambiguity Conflicting rights bits • e.g, group allowed to write but user not allowed to write • e.g. other allowed to read but group not allowed to read • Any user attempting access belongs to “all” and zero, one, or two other categories How are conflicting rights bits treated • OpenVMS - “OR” bits of all applicable classes • Unix – use bits of most specific applicable class – explicit denial • Root • User • Group • Other

  9. Access Control Lists (ACLs) Need for ACLs • Policy with read access for group A, read/write access for group B • Can't do it in Unix rwx bits Multics • Pioneered ACLs • Subject matched to a.b.c with wildcards • a is user name, b is project name, c is compartment • rew rights Modern systems • Posix.1e • Apple Macintosh OS-X • MS Windows • NFSv4

  10. Posix.1e ACLs Classes • User – user::rwx • Group – group::rwx • World – other::rwx • Specific user – user:user-name:rwx • Specific group – group:group-name:rwx • Mask applied to specific users/groups – mask::rwx

  11. Windows/Mac ACLs Per file/directory • Owner rights • Everyone rights • Specific user rights • Selection of no access/read only/read-write Special considerations: Must have admin rights on Mac

  12. Apple OS/X ACLs Entities • Owner • Everyone • Specific individuals • Groups Access rights • No access • Read-only • Read-write • “OR” of rights apply to requester Groups • Created under “System Preferences -> User Accounts” • Requires admin access

  13. Windows ACLs Entities • Owner • Everyone • Specific individuals • Groups Access rights • “Full Control” • Modify • Read & Execute • Read • Write • Special Permissions • Allow and deny flags • Apply deny first, then check for allow

More Related