Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access...
Transcript of Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access...
![Page 1: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/1.jpg)
Case Study: Access Control
Steven M. Bellovin October 3, 2010 1
![Page 2: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/2.jpg)
Case Studies in Access Control
• Joint software development
Steven M. Bellovin October 3, 2010 2
![Page 3: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/3.jpg)
Situations
• Small team on a single machine
• Medium-to-large team on a LAN
• Large, distributed team, spread among several organizations
Steven M. Bellovin October 3, 2010 3
![Page 4: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/4.jpg)
Roles
• Developer (i.e., can commit changes)
• Tester
• Code reviewer
Steven M. Bellovin October 3, 2010 4
![Page 5: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/5.jpg)
Permissions
• We want the technical mechanisms to reflect the organizational roles
• The real challenge: mapping the organizational structure to OSprimitives
• Why?
Steven M. Bellovin October 3, 2010 5
![Page 6: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/6.jpg)
Why Enforce Access Controls?
• Protect software from outsiders reading/stealing it
• Protect against unauthorized changes
+ That can include internal rivalries
• Know who made certain changes?
Steven M. Bellovin October 3, 2010 6
![Page 7: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/7.jpg)
Classic Unix Setup
• Assume you just have user/group/other permissions, with no ACLs.How would you set things up?
• Put all developers in a certain group
• Make files and directories group readable/writable
• Decision to turn off “other” read access is site-dependent
Steven M. Bellovin October 3, 2010 7
![Page 8: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/8.jpg)
ACL Setup
• Could add each developer individually
• Bad idea — if a developer leaves or joins the group, many ACLs mustbe updated
• Still want to use groups; vary group membership instead
• Advantage: can have multiple sets of group permissions — why?
Steven M. Bellovin October 3, 2010 8
![Page 9: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/9.jpg)
Reviewer/Tester Access
• Reviewers and testers need read access
• They do not need write access
• No good, built-in solution on classic Unix
• With ACLs, one group can have r/w permissions; another can have r
permissions
Steven M. Bellovin October 3, 2010 9
![Page 10: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/10.jpg)
Medium-Size Group
• No longer on single machine with simple file permissions
• More need for change-tracking
• More formal organizational structure
Steven M. Bellovin October 3, 2010 10
![Page 11: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/11.jpg)
Basic Structure
• Basic permission structure should be the same
• Again: use group permissions as the fundamental permission unit
• Limits of non-ACL systems become more critical
Steven M. Bellovin October 3, 2010 11
![Page 12: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/12.jpg)
Version Control Systems
• For medium-size projects, use of a version control system (i.e., CVS,Subversion, Mercurial, RCS, etc.) is mandatory
• (Why?)
• What are the permission implications of a version control system?
Steven M. Bellovin October 3, 2010 12
![Page 13: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/13.jpg)
Why use a VCS?
• Auditability — who made which change?
• When was a given change made?
• Can you roll back to a known-clean version of the codebase?
• What patches have been applied to which versions of the system?
Steven M. Bellovin October 3, 2010 13
![Page 14: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/14.jpg)
Note Well
• All of those features are important just for manageability
• Security needs are strictly greater — we have to deal with activemalfeasance as well as ordinary bugs and failures
Steven M. Bellovin October 3, 2010 14
![Page 15: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/15.jpg)
Structure of a VCS
Repository Master copy; records all changes, versions, etc.
Working copies Zero or more working copies. Developers check out aversion from the repository, make changes, and commit the changes
Steven M. Bellovin October 3, 2010 15
![Page 16: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/16.jpg)
Permission Structure
Here are the Unix client commands for RCS, CVS, Mercurial, andSubversion. What are the security implications?
$ ls -l /usr/bin/ci /usr/bin/cvs \/usr/pkg/bin/hg /usr/pkg/bin/svn
-r-xr-xr-x 1 root wheel /usr/bin/ci-r-xr-xr-x 1 root wheel /usr/bin/cvs-rwxr-xr-x 1 root wheel /usr/pkg/bin/hg-rwxr-xr-x 1 root wheel /usr/pkg/bin/svn
Steven M. Bellovin October 3, 2010 16
![Page 17: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/17.jpg)
They’re Not SetUID!
• They execute with the permissions of the invoker
• They could try to do access control, but it’s meaningless — anyoneelse could write code to do the same things
• The permission structure of the repository is what’s important
Steven M. Bellovin October 3, 2010 17
![Page 18: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/18.jpg)
The Repository
• Essential feature: developers must have write permission on thedirectories
• File permissions are irrelevant; old files can be renamed and unlinkedinstead of being overwritten
• (Potential for annoyance if new directories are created with the wrongpermission — must set umask properly)
• But — what prevents a developer with write permission on therespository from doing nasty things?
• Nothing. . .
Steven M. Bellovin October 3, 2010 18
![Page 19: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/19.jpg)
Repository Security Without Privilege
• Create a repository directory with mode 711
• Create a subdirectory with random characters in the name; make itmode 777.
• The random characters must be kept secret, to protect the actualrepository data
• To do that, the working copy directories should be mode 700
Steven M. Bellovin October 3, 2010 19
![Page 20: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/20.jpg)
Large Organization
• Use client/server model for repository access
• Most users (including developers) have no direct access to the VCSrepository
• Either build access control into VCS server or layer on top ofunderlying OS permissions
• But — must restrict what commands can be executed on repositoryby developers
Steven M. Bellovin October 3, 2010 20
![Page 21: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/21.jpg)
Complications
• If you rely on OS permissions, something has to have root
privileges, to let the repository part of the process run as that user
• If the VCS itself has a root component, is it trustable?
• If you use, say, ssh, is the command restriction mechanism trustable?
• If you rely on VCS permissions, you need to implement a reliableauthentication and ACL mechanism
• All of this is possible — but is it secure?
Steven M. Bellovin October 3, 2010 21
![Page 22: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/22.jpg)
Mailers
• Issue of interest: local mail delivery and retrieval
• Surprisingly enough, network email doesn’t add (too much) securitycomplexity
Steven M. Bellovin October 3, 2010 22
![Page 23: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/23.jpg)
Issues
• Email must be reliable
• Users must be able to send email to any other users
• The system should reliably identify the sender of each message
• All emails should be logged
• Locking is often necessary to prevent race conditions when readingand writing a mailbox
• Authentication
Steven M. Bellovin October 3, 2010 23
![Page 24: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/24.jpg)
Accepting Mail
• Must accept mail from users
• Copy it, either to protected spool directory for network delivery ordirectly to recipient’s mailbox
Steven M. Bellovin October 3, 2010 24
![Page 25: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/25.jpg)
Spool Directory
• If the mailer is setuid, it can copy the email to a protected directorywith no trouble
• If the directory is world-writable but not world-readable, you don’teven need setuid — add a random component to the filenames toprevent overwriting
• (Homework submission script does this)
• File owner is automatically set correctly, for use in generating From:
line
Steven M. Bellovin October 3, 2010 25
![Page 26: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/26.jpg)
However. . .
• Cannot securely write metadata for such directories — others couldoverwrite the metadata file
• Cannot prevent users from overwriting their own pending email
• Listing the mail queue still requires privilege
Steven M. Bellovin October 3, 2010 26
![Page 27: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/27.jpg)
Local Access or Client/Server?
• For client/server, issues are similar to VCS: authentication, rootprograms, restricting actions, etc
• For local access, must confront permission issues
• This is complicated by the many different versions of Unix over theyears
Steven M. Bellovin October 3, 2010 27
![Page 28: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/28.jpg)
Client/Server
• Standardized, (relatively) simple access protocols, POP and IMAP
• For ISP or large enterprise, neither need nor want general shell-typeaccess to mail server
• Large system mailers have their own authentication database
• Does not rely on OS permissions
• But — a mail server bug exposes the entire mail repository
• Also — how do users change their passwords?
Steven M. Bellovin October 3, 2010 28
![Page 29: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/29.jpg)
Bug Containment
• Separate programs into two sections:
– Small, simple section that does authentication and changes uid(must run as root)
– Large section that runs as that user
• Major advantage: security holes in large section don’t matter, since ithas no special privileges
• Much more on program structure later in the semester
Steven M. Bellovin October 3, 2010 29
![Page 30: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/30.jpg)
Local Mail Storage
• Where is mail stored? Central mailbox directory or user’s homedirectory?
• Note that mail delivery program must be able to (a) create, and (b)write to mailboxes
• If mailbox is in the user’s directory, mail delivery program must haveroot permissions
Steven M. Bellovin October 3, 2010 30
![Page 31: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/31.jpg)
Central Mail Directory
• We can put all mailboxes in, say, /var/mail
• What are the permissions on it?
• If it’s writable by group mail, delivery daemon can create newmailboxes
• Make mailboxes writable by group mail, and owned by the recipient?
• Permits non-root delivery — but how do new mailboxes get createdand owned by the user?
Steven M. Bellovin October 3, 2010 31
![Page 32: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/32.jpg)
Dangers of User-Writable Mailbox DirectoriesPermissionescalation
ln -s /etc/passwd /var/mail/me
Vandalism rm /var/mail/youDenial ofservice
touch /var/mail/does-not-exist-yet
Steven M. Bellovin October 3, 2010 32
![Page 33: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/33.jpg)
Defending Against These Attacks
Escalation Check mailbox permissions and ownership before writing(note: watch for race conditions)
Vandalism Set “sticky bit” on directory
DoS Remove (or change ownership of) mailboxes with wrong ownership
Note well: most of these are trickier than they seem
Steven M. Bellovin October 3, 2010 33
![Page 34: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/34.jpg)
Delivering Mail to a Program
• Most mail systems permit delivery of email to a program
• Must execute that program as the appropriate user
• (Who is the “appropriate” user? Note that on Solaris, you may(depending on system configuration) be able to give away files)
• Implies the need for root privileges by the local delivery program
Steven M. Bellovin October 3, 2010 34
![Page 35: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/35.jpg)
Privileged Programs
• What must be privileged?
• What privileges?
• Local delivery needs some privileges, frequently root
• Delivery to a program always requires root
• The mail reader?
Steven M. Bellovin October 3, 2010 35
![Page 36: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/36.jpg)
Privileged Mail Readers
• The System V mail reader was setgid to group mail
• Could delete empty mailboxes
• More importantly, could create lock files by linking in the mailboxdirectory
• But — note the danger if the mailer was buggy“You don’t give privileges to a whale” (about 21K lines of code. . . )
Steven M. Bellovin October 3, 2010 36
![Page 37: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/37.jpg)
Many More Subtleties
• Writing a mailer is hard
• I’ve barely scratched the surface of the design decisions, even thepermission-related ones
• Complicated by varying system semantics
Steven M. Bellovin October 3, 2010 37
![Page 38: Case Study: Access Control - Columbia Universitysmb/classes/f10/case-acl.pdf · Case Study: Access Control ... Case Studies in Access Control Joint software development Mail Steven](https://reader035.fdocuments.us/reader035/viewer/2022081607/5ee45940ad6a402d666d80ce/html5/thumbnails/38.jpg)
Why is it Hard?
• Mailers cross protection boundaries
• That is, they copy data from one permission context to another
• Both can be arbitrary userids
• Simply importing data to a userid is a lot easier
• In addition, a lot of functionality is needed
• Not surprisingly, mailers have a very poor security record
Steven M. Bellovin October 3, 2010 38