CIS 4930/6930: Systems Security Homework 1

CIS 4930/6930: Systems Security
Homework 1
Due: Wed Sept 16, in class
Name:
Please sign the following honor pledge.
On my honor, as a student, I have neither given nor received unauthorized aid on this academic work.
Signature:
Total Score:
Problem (10 pts)
Answer the following questions regarding the Unix file system.
1. (2 pts) In a Unix-like operating system, scripting is often used to perform automated tasks. A script is
essentially a series of commands interpreted by a program, such as a shell. For example, the following
script will print “Hello world!” on the screen when interpreted by the shell program “/bin/sh”.
[simon@localhost exercises]$ ls -l hello.sh
-rwxr-xr-x 1 simon cybersec 28 Aug 21 15:37 hello.sh
[simon@localhost exercises]$ cat hello.sh
echo Hello world!
[simon@localhost exercises]$ sh hello.sh
Hello world!
If we further indicate the shell program used to interpret it in the script file, we can also execute the
script directly from the command line.
[simon@localhost exercises]$ cat hello.sh
#!/bin/sh
echo Hello world!
[simon@localhost exercises]$ ./hello.sh
Hello world!
Here the line “#!/bin/sh” tells the operating system that this is a script file and that the program to be
invoked to interpret it is “/bin/sh”. Executing this file directly is equivalent to running the
command “/bin/sh hello.sh”.
Now, if we remove the “readable” attribute from the file, and try to execute it again, it will fail, even
though the file is executable.
[simon@localhost exercises]$ ls -l hello.sh
--wx--x--x 1 simon cybersec 18 Aug 21 15:48 hello.sh
[simon@localhost exercises]$ ./hello.sh
./hello.sh: ./hello.sh: Permission denied
However, if we run a binary program, we are able to execute it without the “readable” bit set:
[simon@localhost exercises]$ ls -l getscore
--wx--x--x 1 simon cybersec 13587 Aug 21 16:00 getscore
[simon@localhost exercises]$ ./getscore
Usage: getscore name SSN
Please explain why the execution fails for hello.sh, but succeeds for getscore.
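The hello.sh experiment above, reproduced as an added shell example that is not part of the assignment. It builds the script in a scratch directory, runs it with the two permission modes shown in the transcripts, and also tries the explicit “sh hello.sh” form so the two outcomes can be compared. It assumes a Unix-like host with /bin/sh, a filesystem that honours mode bits, and a non-root user (root bypasses the ordinary read check, so it never sees “Permission denied” here).

```shell
#!/bin/sh
# Added demonstration for Problem 1 (not the course's own material).
# Assumes /bin/sh exists and the current user is not root.

# Create hello.sh with the given octal mode and run it directly via its
# "#!/bin/sh" line. Prints "ok" if it ran, "denied" if the kernel or the
# interpreter refused it.
run_script_with_mode() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho Hello world!\n' > "$d/hello.sh"
    chmod "$1" "$d/hello.sh"
    if "$d/hello.sh" >/dev/null 2>&1; then result=ok; else result=denied; fi
    rm -rf "$d"
    printf '%s\n' "$result"
}

# Same experiment, but invoking the interpreter explicitly ("sh hello.sh"),
# the command the assignment says a direct execution is equivalent to.
run_script_via_sh() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho Hello world!\n' > "$d/hello.sh"
    chmod "$1" "$d/hello.sh"
    if sh "$d/hello.sh" >/dev/null 2>&1; then result=ok; else result=denied; fi
    rm -rf "$d"
    printf '%s\n' "$result"
}

# Report which of the owner's read and execute bits a given mode grants,
# as seen by test(1), so the outcome can be read next to the ls -l listing.
describe_mode() {
    d=$(mktemp -d) || return 1
    : > "$d/f"
    chmod "$1" "$d/f"
    r=no; x=no
    [ -r "$d/f" ] && r=yes
    [ -x "$d/f" ] && x=yes
    rm -rf "$d"
    printf 'readable=%s executable=%s\n' "$r" "$x"
}

# Modes from the transcripts: -rwxr-xr-x is 755, --wx--x--x is 311.
for m in 755 311; do
    printf 'mode %s (%s): ./hello.sh -> %s, sh hello.sh -> %s\n' \
        "$m" "$(describe_mode "$m")" \
        "$(run_script_with_mode "$m")" "$(run_script_via_sh "$m")"
done
```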
2. (2 pts) In Unix, a non-root user cannot change the owner of a file, even if he/she owns the file. For
example:
[simon@localhost exercises]$ whoami
simon
[simon@localhost exercises]$ ls -l getscore
--wx--x--x 1 simon cybersec 13587 Aug 21 16:00 getscore
[simon@localhost exercises]$ chown daniel getscore
chown: changing ownership of ‘getscore’: Operation not permitted
While there are many reasons for this design choice, from a security perspective, especially that of the set-uid
mechanism, why do you think it is a bad idea to allow a user to change the ownership of a file to
another user?
3. (3 pts) In Unix, when a program is run by a debugger, the set-uid bit will not be effective and the
program will only have the invoker’s privilege. Why is this necessary? (Hint: when a program is run
under a debugger, its behavior can be changed through the debugger, e.g., by modifying the memory
content or register values.)
4. (3 pts) A Unix operating system allows a programmer to dynamically change the ruid and euid fields
through system-call APIs. Let’s define the “privilege” of a program to be the union of the sets of
resources the two uids can access in the system. The general rule of thumb for what changes are
allowed is that no change shall provide the program privileges it does not possess when it was first
invoked. For each of the following changes, please decide whether it should be allowed or not based
on this criterion. Explain your answers.
(a) Swap the two uid fields.
(b) Set one uid field to be the same as the other.
(c) Set one uid field to be another uid not the same as either of the existing values.