Introduction to Access Control in Operating Systems

• Introduction
• Unix permissions model
• System groups and pseudo-groups
• User Private Groups (UPG)
• Inheritance of permissions
• Process permissions
• Kernel two modes operation
• Sudo
• Chroot
• Role based permissions
• See also

Introduction

The access control is just another name for compartmentalization of resources.

It is useful to group general problems involved in making certain that files are not read or modified by unauthorized personnel under common umbrella -- access control. There are two aspect of access control:

1. Access control policies. Access control policy defined "whose data is to be protected from whom"
2. Access control mechanisms. the manner by which the operating system enforces the access control policy. Among them the following are the most important
   • Accounts security mechanisms
     • Root Security mechanisms
   • Classic Unix permissions model
   • Unix ACLs.
   • RBAC

Classic Unix systems have at least one user with right to access (privilege) any file of the system -- root user. A protection domain is defined by its UID and GID. Provided with any (UID, GID) combination it is possible to build a complete list of all objects that can be accessed and each objects rights. Two processes with the same (uid, gid) combination, have access to exactly the same set of objects. Processes with different (uid, gid) combinations, have access to a different set of files.

Additionally, in UNIX each process has two halves: the user part and the kernel part. When a process does a system call it switches from the user role to the kernel role. The kernel role has access rights to a different set of objects from the user part. A system call therefore invokes a domain switch, from user to kernel.

At every instant in time each process runs in a protection domain. Therefore, there is some collection of objects that the process can access. In addition, each object has a set of access rights. Processes can switch from domain to domain during program execution.

The UNIX process division into user and kernel parts is a legacy of a more powerful domain switching mechanism that was used in MULTICS. In the MULTICS system the hardware supported up to 64 domains for each process, not the two (kernel and user) like in UNIX or MVS. A MULTICS process could be considered as a collection of procedures, each running in a domain, called a ring. The innermost ring was the most powerful, the operating system kernel. Radically, moving outwards from the operating system kernel the rings became successively less powerful. When a procedure in one ring called a procedure in a different ring a trap occurred. Once a trap occurred the system had the option to change the protection domain for that process.

Unix permissions model

Unix introduced a simple model of file permissions in the 70's which has proven to be quite effective and easy to understand. In this model each file has three attributes for each of three access categories (owner, group and world):

• Read
• Write
• Execute

There is also one implicit attribute: the ability to delete file/directory. It is property not a file/directory in question, but the directory in which it contained. It the user has write access to the directory he/she can delete any file in it.

Moreover the execution bit on the directory can work as partial access blocker to files in this directory. It in is not set there is no way to obtain a listing of the directory althouth if you know file name you can access file that is contains in the directory.

Due to popularity of Samba, recently there was a half-baked attempt to extend Unix "xwr" model using ACLs, that are used in Windows.

The result is a mess and very few organization have adopted this approach on Unix servers due to the complexity and bad integration with classic Unix model. Not only existence of the second, by-and-large, indeoendent model  confuse administrators, it actually represents a serious security risk.

In the original Unix model, each file has three "rwx" access categories: User (u), Group (g) and Other (o). Group is essentially a role and primary group is a primary role. Any user can be a member of any number of groups, but in Unix groups are atomic -- they cannot contain other groups. This is a serious shortcoming of the classical Unix model.

System groups and pseudo-groups

There is also auxiliary concept of system groups which is similar to the concept of privileged ports. For example, all groups with GID below 100 are usually considered to be system groups. Some system groups are designed mainly for not to providing access to files for a group of users, but for partitioning of permission space. Among them are adm, sys,  daemon, lp, mail, uucp, games, ftp. nobody, etc. Typically users which have such "pseudo-group" as primary group have no legitimate shell. Instead /bin/noshell  or /bin/false  is used; the former logs the access attempts), so nobody can login as such a user. They can be called pseudo-users.

Another severe limitation of this model is that a file can only be a member of one group. That can be partially rectified by usage of "metagroups" -- groups that are just  aggregations of existing groups, but that solution requires additional efforts and discipline (in this case /etc/group needs to be automatically generated from some template using macroprocessor). If we assume that the number of group allowed is large (approximately the same as the number of files/directories) metagroup approach is as powerful as ACL model and is much simpler. It requires relatively simple modification of the /etc/group file.

User Private Groups (UPG)

One interesting step toward this model is the concept of User Private Groups (UPG) introduced in Red Hat. UPG scheme makes UNIX groups easier to use. It does not add or change anything in the standard UNIX way of handling groups. This is simply a new convention for handling classic Unix groups groups: whenever you create a new user, by default, he or she has a unique group with GID identical to UID.

One of limitations of the Unix model is that ordinary users do not have the right to make their own groups. In this way, the model shoots itself in the foot. There are ways around this, but Unix has not introduced a standard solution to the problem. We can think of the Unix model as being a coarse approximation to the model of ACLs.

For more information see User Private Groups

Inheritance of permissions

One of the most interesting aspects of file security of a particular OS is the mechanism by which security attributes are inherited by new files. Newly created files have to start out with some kind of permissions and that this "default set" of permissions is a question that is answered differently by different flavors of Unix. One advance implemented by BSD is  usage of setgid bit in directories  to inherit permissions set for the directory for all new files created in it.

Full inheritance of permissions is possible only under root account. For user account inheritance is restricted. Permissions granted are further restricted by the current value of umask variable 

Most systems are hybrid and  support BSD behavior via setgid bit in directories.

• BSD: New files are owned by the creator of the file, default group set as primary group for the owner of of the file (from password file). Permissions are determined from the value of umask.
• SysV: New files are owned by the creator of the file, default group set either from a password file or inherited from the group of the parent directory (if setgid bit set on parent directory). Permissions are determined from the value of umask. So it contains one easily understood extension of BSD model.
• POSIX ACLs: This model is almost impossible to understand. It is badly integrated with classic Unix permissions as as such is more or the source of additional security vulnerabilities then additional security. Directories work as in classic Unix, but files with ACLs inherit the ACLs of their parent directory. The default permissions set on files are set from umask, but the effective permissions are calculated from combination of the Unix permissions, the ACL permissions and an internal ACL mask. That's very confusing. Only the owner of a file can modify the ACL. Not even root can modify another user's ACL.
• NTFS ACLs: ACLs are inherited from parent objects unless overidden. New files with no ACL are open to everyone. The exact inheritance mechanism is not well-documented. The NTFS filesystem the whole access model is based on ACLs. Each file is owned by a specific user. Each user may belong to any number of groups. Each file has an ACL in which access can be granted or denied to any named list of users and/or groups (i.e. we can either code a rule or an exception to a rule). The access rights of each group or user are taken from the set:
  • Read
  • Write
  • Execute
  • Delete
  • Change permission
  • Change ownership
  Note that some of the permissions restrict functionality (execute permission), others restrict access. The means that read permissions to a certain extent overwrite the execute permission: the execute permission protection is limited to a particular copy of a file. Any new copy created due to availability of read permissions can have execute permissions for the domain associated with the current owner. In other words protection against execution presuppose absence of read attribute.

  Windows ACLs are closer to the original Multix implementation. Windows 2000 and later provides 14 ACL attributes (In the table below, the # character means this flag is selected only when the Full Control flag is set.):

  ACL	Attribute
  Full Control	#
  Traverse Folder/Execute File	x
  List Folder/Read Data	r
  Read Attributes	r
  Read Extended Attributes	r
  Create Files/Write Data	w
  Create Folders/Append Data	w
  Write Attributes	w
  Write Extended Attributes	w
  Delete Subfolders and Files	w
  Delete	#
  Read Permissions	all
  Change Permissions	#
  Take Ownership	#

Process permissions

Access rights apply not only to secondary storage but to any resource. In particular, the right to communicate with, control or request services from a process. The same basic ideas apply, but access controls usually have different attributes. Process permissions are usually set by access control lists, or on the basis of understood protocols, such as passwords, keys, or cookies (the message in a fortune cookie).

Unix processes have an owner and a group membership. These are normally inherited from the the user who starts the process and from the group attribute of the program file respectively (though see below about setuid/setgid programs). Each process has the privileges afforded to it by these labels.

Kernel two modes operation

The basic security of multiuser operating systems lies in the ability to restrict privilege. One of our design criteria was to try to prevent malicious users from circumventing security mechanisms. In some operating systems this has been possible by accidental or deliberate memory corruption. Since software is often buggy, we should not rely on software to behave properly. Stronger measures are needed to protect the system. This was the idea behind two-mode operation (see the operating system course notes). By having system protection hard-coded in hardware, the system is more secure. The Multics operating system generalized this idea to more than two-modes. A series of protection levels or rings was used, each of which encapsulated the inner rings. A typical use of protection rings would be the following:

• Ring 0: Operating system kernel
• Ring 1: Operating system
• Ring 2: Utilities
• Ring 3: User processes

In Unix's two-mode operation, only rings 0 (kernel) and 3 (user processes) are used. This has made it easy to port Unix to a variety of architectures which support 2-mode operation (e.g PC's including and later than i386).

Role based permissions

In a dynamical, interactive situation we could generalize the notion of access to allow users to use different permissions depending on what they are doing. This increase complexity of the model and can be done in several different ways: 

• By asking a service to carry out an operation to run under user account whose abilities have the appropriate privileges for the task (e.g. oracle account, ftp, www, java accounts).  This approach is limited by severe limitations that regular Unix account have.
• By introducing umask or permissions for key files and or directories on per process basis.

If you think about it global static permission used in Unix are anachronism. There should be a mechanism that prevent process from accessing files in, say, /etc directory even if part of the process is running under the root privileges. This can be done in several different ways:

• You can separate certain parts of the tree using concept of disk partitions. This approach which is very transparent and pretty powerful is called "protective partitioning". By using mounting command restrictions you can also prohibit setting setuid/setgid attributes and even executable permissions on the files in this partition.
• You can use invented by FreeBSD concept of immutable files (which is now available in Linux too).
• You can use more complex dynamic approaches  such as Solaris RBAC, Suse Apparmor and RHEL CElinux. But here the key problem is the complexity of the approach. They dramatically increase complexity of the model often putting it beyond typical sysadmin ability to comprehend the model. Based on complexity we can define two group of such approaches:
  • Models, which a regular sysadmin can with effort still understand and use (albeit with difficulties and errors) such as  Solaris RBAC and Suse AppArmor. The latter is a rather elegant model of extending the concept of umask to per directory and per file basis. It used regular expression for determining "effective permissions" for the process. Along with Suse this scheme is used in Ubuntu since April of 2007.
  • Approaches which regular sysadmin typically can't understand and is inclined never use such as RHEL SElinux

• By setting some attribute which increases the allowed permissions for a given task. (e.g Unix setuid programs). Unix setuid programs are an example where the privileges of a program can be changed (typically increased) by the superuser. They grant a specific program the right to operate with a different user-identity and thus privileges without authentication. The setgid is a corresponding mechanism for setting a different group ownership of a process. Note that typically setuid programs acquire more privileges than is necessary (acquiring root privileges is the most common usage of setuid/setgid attributes) and because of that have been the major cause of security problems on Unix platforms.  See SUID/SGID attributes for more information.
• Use of OO language-style inheritance models (e.g. polymorphic methods in object oriented languages)

See also

• News
• Recommended Links

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019