
Authorization
David Morgan
© David Morgan 2008-13

Review
- Authentication: proving the identity of someone
- Authorization: allowing a user to access certain resources; the technical means of access control

Access control
- administrative – organizational policy: who should access what
- technical – cyber mechanisms (our focus)
- physical – building and room access

Government authorization
- documents have "classifications"
- employees have "clearances"
    – confidential
    – secret
    – top secret
- access decision = f ( document's classification, clearance )
  i.e. z = f ( x , y )

Computer auth not so different
- Linux
    – files have permissions for particular user accounts
    – processes (the true file "users") carry a user account identity
- Windows
    – resource security policies
    – processes carry user and group affiliation
- access decision = f ( file's permissions, user )

Linux users
- system keeps a list of user accounts
- system usage demands a user identification
    – supplied at login… no login, no usage
- a user id is implicit in all session activities
    – all session activities are performed by processes
    – every process has some user id as an attribute
    – helps determine access to resources by that process
- users can be grouped

The files of record
- /etc/passwd – holds list of recognized users
- /etc/shadow – holds their passwords
- /etc/group – holds list of recognized groups, names of member users for each

/etc/passwd entries hold user information

    craig:x:507:507:Craig Smith:/home/craig:/bin/bash

fields, left to right: official name, password (placeholder), UID, GID, real name, home directory, login shell

/etc/shadow entries hold ancillary user information
    craig:$1$2YL52jhL$:11992:60:75:3:14:12417:134550548

fields, left to right: username, hashed password, various values all relating to password aging, reserved

/etc/group entries hold group information

    children:x:522:hansel,pinochio,gretel,heidi

fields, left to right: official name, password (not used), GID, member list

Adding and deleting users
- adding
    – "useradd" command
    – then set password with "passwd" command
- deleting
    – "userdel -r" command ( -r removes home directory )

Adding users in 2 steps

    [root@EMACH1 /root]# useradd charlie                      <- step 1
    [root@EMACH1 /root]# passwd charlie                       <- step 2
    Changing password for user charlie
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully
    [root@EMACH1 /root]# su charlie                           <- become charlie
    [charlie@EMACH1 /root]$ cd                                <- enter his home directory
    [charlie@EMACH1 charlie]$ pwd                             <- identify home directory
    /home/charlie
    [charlie@EMACH1 charlie]$ ls -a                           <- directory is populated
    .   .Xdefaults    .bash_profile  .kde    .screenrc
    ..  .bash_logout  .bashrc        .kderc  Desktop
    [charlie@EMACH1 charlie]$ cat /etc/passwd | grep charlie
    charlie:x:531:539::/home/charlie:/bin/bash                <- charlie's in the list alright

Now find out what happened!

Deleting users

    [root@EMACH1 /root]# userdel -r charlie
    [root@EMACH1 /root]# su charlie
    su: user charlie does not exist                           <- doesn't live here anymore
    [root@EMACH1 /root]# ls -a /home/charlie
    ls: /home/charlie: No such file or directory              <- home directory who??
    [root@EMACH1 /root]# cat /etc/passwd | grep charlie
    [root@EMACH1 /root]#                                      <- gone. really!
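The three files of record are plain colon-separated text, so the lookup the system performs at login and on every access check can be reproduced in a few lines. The following is an added example, not code from the slides: it parses the /etc/passwd, /etc/shadow and /etc/group record formats described above, resolves a user's primary group (the GID field of passwd) plus supplementary groups (member lists in group), and turns the shadow aging fields into dates. The craig and children lines are the slides' own sample entries; the remaining lines are constructed so the lookup has something to resolve. Nothing is read from the live system, so it runs as an ordinary user.

```python
"""Parse /etc/passwd, /etc/shadow and /etc/group records and resolve group membership.

Added example, not code from the slides. The craig and children lines are the
slides' sample entries; the other lines are constructed for this example.
"""
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Optional


class PasswdEntry(NamedTuple):
    name: str
    password: str  # "x" placeholder; the real hash lives in /etc/shadow
    uid: int
    gid: int       # primary group
    gecos: str     # "real name" field
    home: str
    shell: str


class ShadowEntry(NamedTuple):
    name: str
    hashed: str
    last_change: int  # days since 1970-01-01 when the password last changed
    min_days: int     # minimum days between password changes
    max_days: int     # password must be changed within this many days
    warn_days: int    # warn this many days before it must change
    inactive: int     # grace days after expiry before the account is disabled
    expire: int       # days since 1970-01-01 when the account itself expires (-1 = never)
    reserved: str


class GroupEntry(NamedTuple):
    name: str
    password: str  # not used
    gid: int
    members: List[str]


EPOCH = date(1970, 1, 1)

# Sample file contents (constructed, except the craig and children lines).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
craig:x:507:507:Craig Smith:/home/craig:/bin/bash
willie:x:508:508:Willie:/home/willie:/bin/bash
hansel:x:509:509::/home/hansel:/bin/bash
"""
SHADOW = "craig:$1$2YL52jhL$:11992:60:75:3:14:12417:134550548\n"
GROUP = """\
root:x:0:
craig:x:507:
willie:x:508:
hansel:x:509:
children:x:522:hansel,pinochio,gretel,heidi
employees:x:600:willie
salesmen:x:601:willie
"""


def _records(text: str, nfields: int) -> List[List[str]]:
    """Split colon-separated lines, rejecting malformed ones instead of guessing."""
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != nfields:
            raise ValueError(f"expected {nfields} fields, got {len(parts)}: {line!r}")
        out.append(parts)
    return out


def _days(field: str) -> int:
    return int(field) if field else -1   # empty aging field means "not set"


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    return {p[0]: PasswdEntry(p[0], p[1], int(p[2]), int(p[3]), p[4], p[5], p[6])
            for p in _records(text, 7)}


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    return {p[0]: ShadowEntry(p[0], p[1], *(_days(x) for x in p[2:8]), p[8])
            for p in _records(text, 9)}


def parse_group(text: str) -> Dict[str, GroupEntry]:
    return {p[0]: GroupEntry(p[0], p[1], int(p[2]),
                             [m.strip() for m in p[3].split(",") if m.strip()])
            for p in _records(text, 4)}


def groups_of(user: str, passwd: Dict[str, PasswdEntry],
              groups: Dict[str, GroupEntry]) -> List[str]:
    """Primary group (GID field of passwd) first, then every group whose
    member list in /etc/group names the user."""
    primary_gid = passwd[user].gid
    names = [g.name for g in groups.values() if g.gid == primary_gid]
    names += [g.name for g in groups.values()
              if user in g.members and g.name not in names]
    return names


def password_changed_on(e: ShadowEntry) -> date:
    return EPOCH + timedelta(days=e.last_change)


def password_must_change_by(e: ShadowEntry) -> date:
    return EPOCH + timedelta(days=e.last_change + e.max_days)


def account_expires_on(e: ShadowEntry) -> Optional[date]:
    return None if e.expire < 0 else EPOCH + timedelta(days=e.expire)


if __name__ == "__main__":
    pw, sh, gr = parse_passwd(PASSWD), parse_shadow(SHADOW), parse_group(GROUP)
    for u in ("willie", "hansel", "craig"):
        print(u, groups_of(u, pw, gr))
    c = sh["craig"]
    print("craig: changed", password_changed_on(c), "must change by",
          password_must_change_by(c), "account expires", account_expires_on(c))
```

The aging arithmetic is the same one `chage -l` performs: the numbers in /etc/shadow are day counts since 1970-01-01, so the slide's 11992 is 2002-11-01 and the 75-day maximum puts the forced change at 2003-01-15. Because the hash field is only readable by root, the parser never needs /etc/shadow for the group lookup; that separation is the reason the password left /etc/passwd in the first place.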
Groups
- Purpose
    – Let a set of users share files by extending common permissions to them
- Mechanism
    – Files have a group affiliation
    – Users have group memberships
    – Separate access to a file can be extended to members of its group

There are groups

Groups are defined in the file /etc/group:

    ..
    administrators:x:542:socrates,roy
    teachers:x:543:plato
    students:x:544:aristotle
    ..

Composing a group
- assign groups to users
    – use usermod

        usermod -G employees,salesmen willie

      (note: -G replaces the user's whole supplementary group list; use -aG to append to it)
- or, assign users to groups
    – use gpasswd

        gpasswd -a willie employees
        gpasswd -a willie salesmen

      same result as the usermod line above

        gpasswd -M willie,billy,milly fools

Files have (1) a user affiliation, (2) a group affiliation, (3) a permissions setting

All three are shown by the ls -l command:

    [root@EMACH1 schools]# ls -l
    total 12
    -rw-r--r--  1 root students 121 Dec  8 17:15 assignments
    -rw-rw----  1 root teachers 119 Dec  8 17:13 grades
    -rw-r-----  1 root administ  95 Dec  8 17:10 salaries

- first column: the files' permissions settings
- third column: their affiliated users
- fourth column: their affiliated groups (ls abbreviates "administrators" to "administ" here)
- last column: the files
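The listing above contains everything the kernel consults for "access decision = f ( file's permissions, user )" except the user's group memberships, which come from /etc/group. The following added example (not code from the slides) parses that listing and applies the Unix rule: exactly one of the three permission triads applies to a given user, chosen in the order owner, then group, then other. LISTING copies the slides' "schools" directory with the abbreviated group written out as "administrators", plus one constructed file, "oddity", whose owner triad is empty; GROUPS is the slides' /etc/group excerpt with willie added to teachers (also constructed) so the owner-triad-wins rule has something to show.

```python
"""Unix access decision f(file's permissions, user) evaluated over an ls -l listing.

Added example, not code from the slides. "oddity" and willie's teachers
membership are constructed; the other files and groups are the slides' own.
"""
from typing import Dict, List, NamedTuple


class FileInfo(NamedTuple):
    name: str
    mode: str   # 10-character ls -l field, e.g. "-rw-r-----"
    owner: str  # (1) user affiliation
    group: str  # (2) group affiliation


LISTING = """\
total 12
-rw-r--r-- 1 root   students       121 Dec  8 17:15 assignments
-rw-rw---- 1 root   teachers       119 Dec  8 17:13 grades
-rw-r----- 1 root   administrators  95 Dec  8 17:10 salaries
----rw-rw- 1 willie teachers        10 Dec  8 17:20 oddity
"""

GROUPS: Dict[str, List[str]] = {
    "administrators": ["socrates", "roy"],
    "teachers": ["plato", "willie"],
    "students": ["aristotle"],
}


def parse_ls_l(text: str) -> Dict[str, FileInfo]:
    """Pull (permissions, owner, group, name) out of each ls -l line."""
    files: Dict[str, FileInfo] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        parts = line.split(None, 8)  # mode links owner group size month day time name
        if len(parts) != 9 or len(parts[0]) != 10:
            raise ValueError(f"unexpected ls -l line: {line!r}")
        mode, _links, owner, group, _size, _mon, _day, _time, name = parts
        files[name] = FileInfo(name, mode, owner, group)
    return files


def groups_of(user: str) -> List[str]:
    return [g for g, members in GROUPS.items() if user in members]


def _triad_for(user: str, f: FileInfo) -> str:
    """Exactly one triad applies, chosen in this order: owner, group, other."""
    if user == f.owner:
        return f.mode[1:4]
    if f.group in groups_of(user):
        return f.mode[4:7]
    return f.mode[7:10]


def _grants(triad: str, perm: str) -> bool:
    if perm == "x":                    # "s"/"t" mean execute plus setuid/setgid/sticky
        return triad[2] in "xst"
    return triad["rw".index(perm)] == perm


def access(user: str, f: FileInfo, want: str) -> bool:
    """True if `user` gets every permission in `want` (a subset of "rwx").
    root's ability to bypass these bits is deliberately not modelled."""
    triad = _triad_for(user, f)
    return all(_grants(triad, p) for p in want)


def decision_table(files: Dict[str, FileInfo],
                   users: List[str]) -> Dict[str, Dict[str, str]]:
    """For each user and file, the effective read/write string, e.g. "r-"."""
    table: Dict[str, Dict[str, str]] = {}
    for u in users:
        table[u] = {name: "".join(p if access(u, f, p) else "-" for p in "rw")
                    for name, f in files.items()}
    return table


if __name__ == "__main__":
    files = parse_ls_l(LISTING)
    users = ["root", "socrates", "plato", "aristotle", "willie"]
    for user, row in decision_table(files, users).items():
        print(f"{user:10}", "  ".join(f"{n}:{p}" for n, p in row.items()))
```

The "oddity" row is the point worth remembering when auditing permissions: willie is in teachers, and the group triad grants rw, but because willie owns the file the owner triad is the only one consulted, so willie gets nothing while plato gets read and write. The model also leaves out root's override of these bits (CAP_DAC_OVERRIDE on Linux), which is why a root-owned file with mode 000 is still readable by root.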
Where? : inode structure of a file, found in the inode table of an ext2 filesystem

    field size   start   end   Item
    2            1       2     File type and access rights
    2            3       4     Owner identification
    4            5       8     File length in bytes
    4            9       12    Time of last file access
    4            13      16    Time that inode last changed
    4            17      20    Time that file contents last changed
    4            21      24    Time of file deletion
    2            25      26    Group identifier
    2            27      28    Hard links counter
    4            29      32    Number of data blocks of the file
    4            33      36    File flags
    4            37      40    Specific operating system information
    4            41      44    Pointer to first data block
    56           45      100   14 more pointers to data blocks
    4            101     104   File version (for NFS)
    4            105     108   File access control list
    4            109     112   Directory access control
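The table answers "where?" for the three attributes ls -l displays: the permissions (and file type) are the first two bytes of the inode, the owner is bytes 3-4, and the group is bytes 25-26. The following added example (not code from the slides) turns the table into a struct format string and decodes those fields from an inode record. There is no disk image to read, so the inode bytes are constructed with struct.pack for the "salaries" file from the listing (mode -rw-r-----, uid 0, gid 542 as in the slides' /etc/group, 95 bytes); the block number and timestamp are made up. Offsets are the table's 1-based byte ranges converted to 0-based, and ext2 stores the fields little-endian.

```python
"""Decode the first 112 bytes of an ext2 inode using the layout in the table above.

Added example, not code from the slides. The inode bytes are constructed with
struct.pack; the field order and sizes follow the table row by row.
"""
import stat
import struct
from typing import Any, Dict

# One struct code per table row: H = 2-byte field, I = 4-byte field, 15I = 15 pointers.
INODE_FMT = "<" + "".join([
    "H",    # bytes 1-2     file type and access rights (i_mode)
    "H",    # bytes 3-4     owner identification (i_uid, low 16 bits)
    "I",    # bytes 5-8     file length in bytes (i_size)
    "I",    # bytes 9-12    time of last file access (i_atime)
    "I",    # bytes 13-16   time that inode last changed (i_ctime)
    "I",    # bytes 17-20   time that file contents last changed (i_mtime)
    "I",    # bytes 21-24   time of file deletion (i_dtime)
    "H",    # bytes 25-26   group identifier (i_gid, low 16 bits)
    "H",    # bytes 27-28   hard links counter (i_links_count)
    "I",    # bytes 29-32   number of data blocks of the file (i_blocks)
    "I",    # bytes 33-36   file flags (i_flags)
    "I",    # bytes 37-40   specific operating system information (osd1)
    "15I",  # bytes 41-100  pointer to first data block + 14 more pointers (i_block)
    "I",    # bytes 101-104 file version, for NFS (i_generation)
    "I",    # bytes 105-108 file access control list (i_file_acl)
    "I",    # bytes 109-112 directory access control (i_dir_acl)
])
TABLE_BYTES = struct.calcsize(INODE_FMT)  # 112, the table's last "end" value

FIELD_NAMES = ["mode", "uid", "size", "atime", "ctime", "mtime", "dtime", "gid",
               "links", "blocks", "flags", "osd1"]


def decode_inode(buf: bytes) -> Dict[str, Any]:
    """Unpack the table's fields from the start of an inode record."""
    if len(buf) < TABLE_BYTES:
        raise ValueError(f"need {TABLE_BYTES} bytes, got {len(buf)}")
    v = struct.unpack_from(INODE_FMT, buf, 0)
    fields: Dict[str, Any] = dict(zip(FIELD_NAMES, v[:12]))
    fields["block"] = list(v[12:27])   # 15 data-block pointers
    fields["generation"], fields["file_acl"], fields["dir_acl"] = v[27:30]
    return fields


def make_sample_inode(mode: int, uid: int, gid: int, size: int,
                      first_block: int, when: int = 1228756200) -> bytes:
    """Constructed inode bytes for a file with one direct data block."""
    blocks = [first_block] + [0] * 14
    return struct.pack(INODE_FMT, mode, uid, size, when, when, when, 0, gid, 1,
                       2, 0, 0, *blocks, 0, 0, 0)


def permission_bits(fields: Dict[str, Any]) -> int:
    """The access-rights part of i_mode, as chmod would show it (e.g. 0o640)."""
    return fields["mode"] & 0o7777


def ls_style(fields: Dict[str, Any]) -> str:
    """The three things ls -l shows from the inode: permissions, owner, group."""
    return (f"{stat.filemode(fields['mode'])} uid={fields['uid']} "
            f"gid={fields['gid']} {fields['size']}")


if __name__ == "__main__":
    # "salaries": regular file, -rw-r-----, owned by root, group 542, 95 bytes.
    raw = make_sample_inode(stat.S_IFREG | 0o640, 0, 542, 95, first_block=1234)
    info = decode_inode(raw)
    print(len(raw), "bytes;", ls_style(info))
    print("permission bits: %o" % permission_bits(info))
```

Two things the table itself does not say: the record on disk is 128 bytes, not 112, and the bytes after 112 (osd2) are where Linux keeps the high 16 bits of the uid and gid, so a decoder that stops at the table will misreport owners above 65535. Also, the access decision never consults the directory entry; the name lives in the directory, but the owner, group and rights live here, which is why a hard link under another name carries identical permissions.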
SMC CS 78 - Authorization