Columbia COMS W4118 - File Permissions


Outline
  File Permissions
  What Do We Protect?
  Unix File Permissions
  Classical Unix File Permissions
  Permission-Checking Algorithm
  Execute Permission
  Directory Permissions
  Example: Owner Permissions
  Example: Directory Permissions
  Deleting Files
  When Are Permissions Checked?
  Access Control Lists
  Sample ACL
  Order is Significant
  Some Other Possible Permissions
  Setting File Permissions
  Unix Initial File Permissions
  Multics Initial File Permissions
  Other Access Controls
  MAC versus DAC
  Privileged Users
  Complex Access Control
  Temporal Access Control
  Implementing Temporal Access Control
  Access Control Matrices
  Access Control Matrix
  Sample Access Control Matrix
  Access Control Matrix Operations
  Conditional ACM Changes
  Safety versus Security
  Undecidable Question
  Linux File Systems
  Virtual File System
  A Common Model
  VFS Objects
  VFS Operations
  Creating Ownership and Permissions
  Sample Operation: Lookup
  Dentry Cache
  Lookup
  Permissions
  Extended Attributes
  Special File Systems
  Implementing Special File Systems

File Permissions
■ Besides user authentication, the most visible aspect of OS security
■ Read protection — provides confidentiality
■ Write protection — provides integrity protection
■ Other permissions as well

What Do We Protect?
■ Most obvious — files
■ That can be done in non-hierarchical file systems
■ In hierarchical file systems, must protect directories, too
■ Often, other things are protected via similar mechanisms, such as shared memory segments

Unix File Permissions

Classical Unix File Permissions
■ All files have "owners"
■ All files belong to a "group"
■ Users, when logged in, have one userid and several groupids
■ 3 sets of 3 bits: read, write, execute, for user, group, other
■ (512 possible settings. Do they all make sense?)
■ Written rwxrwxrwx
■ 111 101 001 (751 octal): user has read/write/exec; group has read/exec; other has exec-only
■ Some counter-intuitive settings are very useful

Permission-Checking Algorithm
    if curr_user.uid == file.uid
        check_owner_permissions();
    else if curr_user.gid == file.gid
        check_group_permissions();
    else
        check_other_permissions();
    fi
Note the else clauses — if you own a file, "group" and "other" permissions aren't checked

Execute Permission
■ Why is it separate from "read"?
■ To permit only execution
■ Cannot copy the file
■ Readable only by the OS, for specific purposes

Directory Permissions
■ "write": create a file in the directory
■ "read": list the directory
■ "execute": trace a path through a directory

Example: Owner Permissions
    $ id
    uid=54047(smb) gid=54047(smb) groups=0(wheel),3(sys),54047(smb)
    $ ls -l notme
    ----r--r--  1 smb  wheel  29 Sep 12 01:35 notme
    $ cat notme
    cat: notme: Permission denied
I own the file but don't have read permission on it

Example: Directory Permissions
    $ ls -ld oddball
    dr--r--r--  2 smb  wheel  512 Sep 12 01:36 oddball
    $ ls oddball
    cannot_get_at
    $ ls -l oddball
    ls: cannot_get_at: Permission denied
    $ cat oddball/cannot_get_at
    cat: oddball/cannot_get_at: Permission denied
I can read the directory, but not trace a path through it to oddball/cannot_get_at

Deleting Files
■ What permissions are needed to delete files?
■ On Unix, you need write permission on the parent directory
■ You can delete files that you can't write. You can also write to files that you can neither create nor delete
■ Other systems make this choice differently

When Are Permissions Checked?
■ Most of the time, permissions are checked only at file open time
■ Changing permissions on an open file usually does not block further access
■ Better for efficiency — no need to check each time
■ But for some file systems, such as NFS, file permission changes do take effect immediately

Access Control Lists

Access Control Lists
■ 9-bit model not always flexible enough
■ Many systems (Multics, Windows XP, Solaris, some Linux) have more general Access Control Lists
■ ACLs are explicit lists of permissions for different parties
■ Wildcards are often used

Sample ACL
    smb.*      rwx
    4118-ta.*  rwx
    *.faculty  rx
    *.*        x
Users "smb" and "4118-ta" have read/write/execute permission. Anyone in group "faculty" can read or execute the file. Others can only execute it.

Order is Significant
With this ACL:
    *.faculty  rx
    smb.*      rwx
    4118-ta.*  rwx
    *.*        x
I would not have write access to the file

Some Other Possible Permissions
Append: Append to a file, but not overwrite it
Delete: Delete file from directory
Own: Own the file; can change its permissions

Setting File Permissions
■ Where do initial file permissions come from?
■ Who can change file permissions?

Unix Initial File Permissions
■ Unix uses "umask" — a set of bits to turn off when a program creates a file
■ Example: if umask is 022 and a program tries to create a file with permissions 0666 (rw for user, group, and other), the actual permissions will be 0644
■ Default system umask setting has a great effect on system file security
■ Set your own value in startup script; value inherited by child processes

Multics Initial File Permissions
■ Directories contain an "initial access control list" — values set by default for new files
■ Common setting:
    smb.faculty  rw
    *.sysdaemon  r
    *.*          -
■ If group "sysdaemon" doesn't have read permission, the file can't be backed up!

Other Access Controls

MAC versus DAC
■ Who has the right to set file permissions?
■ Discretionary Access Control — the file owner can set permissions
■ Mandatory Access Control — only the security officer can set permissions
■ Enforce site security rules
■ Note: viruses and other malware can change DAC permissions, but not MAC permissions

Privileged Users
■ Root or Administrator can override file permissions
■ This is a serious security risk — there is no protection if a privileged account has been compromised
■ There is also no protection against a rogue superuser...
■ Secure operating systems do not have the concept of superusers

Complex Access Control
■ Simple user/group/other or simple ACLs don't always suffice
■ Some situations need more complex mechanisms

Temporal Access Control
■ Permit access only at certain times
■ Model: time-locks on bank vaults

Implementing Temporal Access Control
■ Obvious way: add extra fields to ACL
■ Work-around: timer-based automatic job that changes ACLs dynamically
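Added example for the Permission-Checking Algorithm slide and the directory-traversal and deletion rules of the Directory Permissions, Example and Deleting Files slides. This is illustration code, not from the lecture: it models the else-chain (owner bits only for the owner, group bits only for a group member, other bits for everyone else), walks a path checking search permission on every directory, and applies the "write on the parent, nothing on the file" rule for unlink. The in-memory Inode/Process model and the sample tree (uid 54047 "smb", gid 0 "wheel", a 0755 home directory) are assumptions chosen to reproduce the two transcripts on the slides; unlike the slide's pseudocode, group membership is tested against all of the process's groups, as a real kernel does.

```python
# Added illustration of the classical Unix permission check, directory
# traversal and deletion rules. Example code, not from the lecture; the
# Inode/Process model and the sample tree are assumptions.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1          # the three bits of one rwx class


@dataclass
class Inode:
    uid: int
    gid: int
    mode: int              # low 9 bits: rwxrwxrwx (user, group, other)
    is_dir: bool = False
    children: dict = field(default_factory=dict)


@dataclass
class Process:
    uid: int
    gids: frozenset        # primary plus supplementary groups


def class_bits(proc, node):
    """The else-chain: the owner is judged by the owner bits only, a group
    member by the group bits only, everyone else by 'other'. Membership is
    tested against all of the process's groups (the slide's pseudocode
    compares only the primary gid)."""
    if proc.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in proc.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def permitted(proc, node, want):
    """True if every bit in `want` is present in the class that applies."""
    return class_bits(proc, node) & want == want


def lookup(proc, root, path, want):
    """Resolve `path` below `root`. Every directory walked through needs
    'x' (search); only the final component is checked for `want`."""
    node = root
    for name in [p for p in path.split("/") if p]:
        if not node.is_dir:
            raise NotADirectoryError(name)
        if not permitted(proc, node, X):
            raise PermissionError(f"cannot trace a path through to {name!r}")
        if name not in node.children:
            raise FileNotFoundError(name)
        node = node.children[name]
    if not permitted(proc, node, want):
        raise PermissionError(f"{path}: Permission denied")
    return node


def access_ok(proc, root, path, want):
    """Boolean wrapper around lookup()."""
    try:
        lookup(proc, root, path, want)
        return True
    except (PermissionError, FileNotFoundError, NotADirectoryError):
        return False


def can_unlink(proc, root, path):
    """Deletion needs write+search on the parent directory and nothing at
    all on the file itself."""
    parent, _, name = path.rpartition("/")
    try:
        d = lookup(proc, root, parent or "/", W | X)
    except PermissionError:
        return False
    return name in d.children


def build_example():
    """Constructed tree reproducing the two transcripts (assumed 0755 home)."""
    smb = Process(uid=54047, gids=frozenset({0, 3, 54047}))
    home = Inode(uid=54047, gid=54047, mode=0o755, is_dir=True)
    home.children["notme"] = Inode(uid=54047, gid=0, mode=0o044)   # ----r--r--
    oddball = Inode(uid=54047, gid=0, mode=0o444, is_dir=True)     # dr--r--r--
    oddball.children["cannot_get_at"] = Inode(uid=54047, gid=0, mode=0o644)
    home.children["oddball"] = oddball
    return smb, home


if __name__ == "__main__":
    smb, home = build_example()
    print("smb can read notme:", access_ok(smb, home, "notme", R))        # False
    print("smb can list oddball:", access_ok(smb, home, "oddball", R))    # True
    print("smb can read oddball/cannot_get_at:",
          access_ok(smb, home, "oddball/cannot_get_at", R))               # False
    print("smb can delete notme:", can_unlink(smb, home, "notme"))        # True
```

The counter-intuitive results fall straight out of the else-chain: a member of group wheel who is not the owner can read notme (group bits r--) while the owner cannot, and smb can delete notme, which he cannot read, because the home directory, not the file, is what unlink checks.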

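Added example for the Sample ACL, Order is Significant and Multics Initial File Permissions slides: a first-match evaluator for the "user.group perms" notation the slides use, showing why moving the *.faculty line to the top costs smb his write bit. This is illustration code, not from the lecture and not how Multics or any particular system stores ACLs; the text format, the parse_acl/acl_lookup/allowed names, the reading of "-" as "no permissions", and the user names used in the checks are assumptions.

```python
# Added first-match ACL evaluator for the slides' "user.group perms"
# notation. Example code, not from the lecture; format and names assumed.

def parse_acl(text):
    """Parse lines of the form 'user.group perms' into (user, group, perms)
    tuples, preserving order. '*' is a wildcard; '-' means no permissions
    (assumed reading of the Multics-style entry)."""
    entries = []
    for line in text.strip().splitlines():
        principal, perms = line.split()
        user, group = principal.split(".")
        entries.append((user, group, "" if perms == "-" else perms))
    return entries


def acl_lookup(acl, user, group):
    """Return the permission string of the FIRST entry matching
    (user, group); later entries are never consulted. No match: nothing."""
    for u, g, perms in acl:
        if u in ("*", user) and g in ("*", group):
            return perms
    return ""


def allowed(acl, user, group, want):
    """True if every letter of `want` (e.g. 'rw') is granted."""
    granted = acl_lookup(acl, user, group)
    return all(bit in granted for bit in want)


# The two ACLs from the slides (constructed inline).
SAMPLE_ACL = """
smb.* rwx
4118-ta.* rwx
*.faculty rx
*.* x
"""

REORDERED_ACL = """
*.faculty rx
smb.* rwx
4118-ta.* rwx
*.* x
"""

# The Multics initial ACL from the slides.
MULTICS_INITIAL_ACL = """
smb.faculty rw
*.sysdaemon r
*.* -
"""


if __name__ == "__main__":
    # smb is assumed to be a member of group faculty, as the slide implies.
    print("sample ACL, smb.faculty   :", acl_lookup(parse_acl(SAMPLE_ACL), "smb", "faculty"))      # rwx
    print("reordered ACL, smb.faculty:", acl_lookup(parse_acl(REORDERED_ACL), "smb", "faculty"))   # rx
    m = parse_acl(MULTICS_INITIAL_ACL)
    print("backup daemon can read new file:", allowed(m, "backup", "sysdaemon", "r"))              # True
```

With the reordered list, smb matches *.faculty before his own entry is reached, so the lookup stops at rx; the same mechanism is why a first-match ACL must be read top to bottom when auditing who can do what.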

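Added demonstration for the When Are Permissions Checked? and Unix Initial File Permissions slides, run against the live file system rather than a model: what umask does to the mode a program requests at creation, and that the permission check happens at open() time, so a chmod after the open does not revoke a descriptor that is already open. This is example code, not from the lecture; the function names and the temporary file contents are assumptions, and the "fresh open refused" result only holds when not running as root, since root overrides DAC as the Privileged Users slide says.

```python
# Added live demonstration of umask and of open-time permission checking.
# Example code, not from the lecture; names and file contents are assumed.
import os
import stat
import tempfile


def create_with_umask(requested, umask):
    """Create a file with mode `requested`, the way a program passes a mode
    to open(2)/creat(2), while `umask` is in force, and return the
    permission bits the kernel actually stored (requested & ~umask)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "newfile")
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def open_time_check():
    """Open a file for reading, then chmod it to 000. Returns
    (still_readable_via_old_descriptor, fresh_open_refused). The first is
    True on any Unix; the second is True unless the caller is root."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret")
        with open(path, "w") as f:
            f.write("payload\n")            # constructed file contents
        f = open(path)                      # permission is checked HERE
        os.chmod(path, 0)                   # ---------- : nobody may open it now
        try:
            still_readable = f.read() == "payload\n"
        finally:
            f.close()
        try:
            with open(path):
                fresh_open_refused = False
        except PermissionError:
            fresh_open_refused = True
        # No chmod back is needed for cleanup: unlinking needs write
        # permission on the directory, not on the file.
        return still_readable, fresh_open_refused


if __name__ == "__main__":
    print("umask 022, requested 0666 ->", oct(create_with_umask(0o666, 0o022)))  # 0o644
    print("umask 077, requested 0666 ->", oct(create_with_umask(0o666, 0o077)))  # 0o600
    readable, refused = open_time_check()
    print("old descriptor still readable after chmod 000:", readable)
    print("fresh open refused:", refused, "(False when run as root)")
```

The practical consequence for incident response: revoking a user's permissions on a file does not cut off a process that already holds it open; the process must be killed (or, on file systems such as NFS that re-check on each access, the change takes effect on its own).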