UNIX System Protection

Unix History

• Developed by Dennis Ritchie and Ken Thompson at AT&T Bell Labs

• Adapted some ideas from the Multics project in 1969


Design Features

• Written in C – portable

• Application program interface (API) – enabled programmers to write applications that are compatible with multiple platforms

• A small base program called the “kernel”, with a standard interface through which programs interact with it


Security

• Security goal:
  – A common platform that could be shared by several users
  – The security problem becomes one of “protection”

• Common mechanisms:
  – Password storage
  – Protection ring
  – Access control lists


Kernel and Processes

• A running Unix system consists of the kernel and the processes, each running a program
  – The protection ring boundary isolates the kernel from the processes
  – Each process has its own address space
  – The concept of a “file” represents all persistent system objects


Trusted Computing Base

• The set of software and data upon which the system depends for correct enforcement of system security goals

• Consists of the kernel and processes running with root (superuser) privilege


Unix Protection System

• What does protection mean?
  – An access enforcement mechanism that authorizes requests from subjects to perform operations on objects
  – Requests: read, write, etc.
  – Subjects: users, processes, etc.
  – Objects: files, sockets, etc.


Unix Protection System

• Protection state: describes the operations that system subjects can perform on system objects

• UNIX protection state specification
  – Subjects: process identities
    • Process identities: user id (UID), group id (GID), and a set of supplementary groups
  – Objects: files
  – Access: read, write, execute
  – Protection state is specified by an access control list (ACL) associated with each file


Unix File

• Each file is associated with:
  – An owner UID and an owner GID
    • A process with the owner UID (or root) can modify the protection state
  – “mode bits” describe the ACL of a file
    • {owner bits, group bits, others bits}, where each element consists of a read bit, a write bit, and an execute bit
    • e.g., rwxr--r--


Authorization Mechanism

• If the process UID corresponds to the owner UID of the file, use the mode bits for the owner to authorize access.

• Else if the process GID or supplementary groups correspond to the file’s group GID, use the mode bits for the group permissions.

• Otherwise, use the permissions assigned to all others.


Examples

-rw-rw-r-- 1 simon faculty  14 Sep 8 03:59 file1
-rw-rw-r-- 1 user1 faculty  14 Sep 8 04:04 file2
-rw-rw-r-- 1 user2 students 14 Sep 8 04:04 file3

“simon” belongs to group “faculty”; “user1” and “user2” belong to group “students”

-r-------- 1 simon faculty  14 Sep 8 03:59 file1
----r----- 1 user1 students 14 Sep 8 05:01 file2
-------r-- 1 user2 students 14 Sep 8 05:02 file3


Protection State Modification in Unix

• Protection state operations: enable a protection state to be modified

• In Unix, the protection state can be modified by any process that has the owner ID privilege
  – This is called “discretionary access control”
  – Essentially we have to trust all user-level processes to achieve the security goal of protection
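The three-step authorization rule (owner, then group, then others), the mode-bit layout from the Unix File slide, and the owner-only modification rule of this slide, worked through in code. This is an added example and not part of the lecture: it models processes and files in Python, with constructed data taken from the two listings and the group memberships on the Examples slide. It deliberately ignores root, supplementary-group lookup, setuid/setgid/sticky bits, directory search semantics and POSIX ACLs, none of which the slides cover.

```python
"""Model of Unix mode-bit authorization and owner-only chmod.
Added example, not code from the lecture; the data below is constructed
to mirror the Examples slide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    uid: str                          # effective user id
    gid: str                          # primary group id
    groups: frozenset = frozenset()   # supplementary groups (none on the slide)


@dataclass
class File:
    name: str
    owner: str    # owner UID
    group: str    # owner GID
    mode: str     # nine mode characters as printed by ls -l, e.g. "rw-rw-r--"


def parse_mode(mode):
    """Split "rwxr--r--" into {"owner": {r,w,x}, "group": {r}, "other": {r}}."""
    if len(mode) != 9 or any(c not in "rwx-" for c in mode):
        raise ValueError("mode must be nine characters drawn from rwx-")
    names = ("owner", "group", "other")
    return {n: frozenset(c for c in mode[3 * i:3 * i + 3] if c != "-")
            for i, n in enumerate(names)}


def permission_class(proc, f):
    """Which of the three bit triples applies. The first match wins and the
    later triples are never consulted, so an owner with "---" is denied even
    when the group or others triple would permit the access."""
    if proc.uid == f.owner:
        return "owner"
    if proc.gid == f.group or f.group in proc.groups:
        return "group"
    return "other"


def authorize(proc, f, access):
    """True if proc may perform access ('r', 'w' or 'x') on f."""
    if access not in ("r", "w", "x"):
        raise ValueError("access must be one of r, w, x")
    return access in parse_mode(f.mode)[permission_class(proc, f)]


def chmod(proc, f, new_mode):
    """Discretionary access control: only a process with the owner UID may
    change the file's ACL (root is outside this model). Any such process,
    trustworthy or compromised, can therefore weaken the protection state."""
    if proc.uid != f.owner:
        raise PermissionError(f"{proc.uid} does not own {f.name}")
    parse_mode(new_mode)          # validate before mutating
    f.mode = new_mode


def who_can(files, users, access):
    """Map file name -> sorted list of user names authorized for `access`."""
    return {f.name: sorted(u for u, p in users.items() if authorize(p, f, access))
            for f in files}


# Constructed data from the Examples slide.
USERS = {
    "simon": Process("simon", "faculty"),
    "user1": Process("user1", "students"),
    "user2": Process("user2", "students"),
}

FIRST_LISTING = [
    File("file1", "simon", "faculty", "rw-rw-r--"),
    File("file2", "user1", "faculty", "rw-rw-r--"),
    File("file3", "user2", "students", "rw-rw-r--"),
]

SECOND_LISTING = [
    File("file1", "simon", "faculty", "r--------"),
    File("file2", "user1", "students", "---r-----"),
    File("file3", "user2", "students", "------r--"),
]


def dac_weakening_demo():
    """user1 owns file2 and cannot read it, yet can chmod it world-readable;
    a non-owner's chmod attempt fails. Returns (before, after, denied)."""
    f = File("file2", "user1", "students", "---r-----")
    before = authorize(USERS["user1"], f, "r")
    try:
        chmod(USERS["user2"], f, "rw-rw-rw-")
        denied = False
    except PermissionError:
        denied = True
    chmod(USERS["user1"], f, "rw-rw-rw-")
    after = authorize(USERS["simon"], f, "r")
    return before, after, denied


if __name__ == "__main__":
    for label, files in (("first", FIRST_LISTING), ("second", SECOND_LISTING)):
        for access in "rw":
            print(label, access, who_can(files, USERS, access))
    print("DAC demo (before, after, denied):", dac_weakening_demo())
```

Running it on the second listing shows the first-match rule at work: user1 owns file2 but its owner triple is "---", so user1 is denied while user2, matching through the group "students", may read it; file3 is readable only by simon, who falls through to the others triple. The `dac_weakening_demo` function makes the point of this slide concrete: the owner process, with no read access itself, can still rewrite the ACL to grant everyone read and write, which is why every process running under a user's identity must be trusted for the protection goal to hold.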