Traditional Unix Access Control

File system access control




User and group
Each file has an owner and a group owner
Read, write, execute
Process ownership




Real uid - accounting
Effective uid – access control
Real gid
Effective gid
1
Traditional Unix Access Control

The root acccount



Uid:0
Can perform any valid operation on any file or
process
Setuid and setgid execution

Kernel changes effective uid/gid to be the
owner/group of the file if setuid/setgid is on
2
1
Modern Access Control

Role-based access control

Similar to group



Supported on Solaris, HP, AIX etc.
Security-enhanced Linux – SeLinux



Plus the hierarchical relations between roles
MAC – mandatory access control
Administrator controls different level of access,
each user can not control
Access control lists

Permission for multiple users and groups per
file
3
Modern Access Control

Pluggable Authentication Modules (PAM)


A wrapper to enable use different
authentication modules other than password
Kerberos

A specific authentication method



Can authentication user with user credentials are
used only locally
Can authorize the services as well
Can be used with PAM
4
2
Rootly Powers

Superuser root


Has almost unrestricted access
How to become a superuser

Log in as root on terminal


Terminal access control /etc/securetty
Use /bin/su or /bin/su –

Inherits the env from current shell
Creates a log entry
BSD – only users to group 0 ( the wheel group)

Use full path – why?


5
Rootly Powers

Cautions


Only use super user when it is needed
Lock your screen when you leave your desk


Use xlock
Run a single command with su

su root –c “command”
 Example: su root –c “mount /dev/cd0 /mnt”

Change root password when



Employment status changes for SA
Suspects unauthorized access
Change root password periodically
6
3
Sudo

Facility sudo


Selective access
Allow some user to run specific commands as root
(or another user) without having to know the root
(or another user’s) password
 RUN “sudo command”
 Type in user’s own password
 Good for a configurable time, default 5
minutes
 Example:
%sudo /sbin/shutdown
7
Sudo

Configuration file /etc/sudoers


Specify which Users and do what Commands
at where as who
Basic format
Users host=commands
Users host=(who) commands


Only readable by root
Editor visudo


Lock
Syntax checking
8
4
Sudo

Let’s take a look a typical sudoers example file.
#Define aliases for machines in CS & Physics departments
Host_Alias
CS = tigger, anchor, piper, moet, sigi
Host_Alias
PHYSICS = eprince, pprince, icarus
#define collections of commands
Cmnd_Alias DUMP = /usr/sbin/dump, /usr/sbin/restore
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHELLS = /bin/sh, /bin/tcsh, /bin/csh
#Permissions
mark, ed
PHYSICS = ALL
herb
CS = /usr/local/bin/tcpdump: PHYSICS =
(operator)DUMP
lynda
ALL= (ALL) ALL, !SHELLS
%wheel
ALL, !PHYSICS = NOPASSWD: PRINTING
9
Sudo – pros and cons

Advantages







Command logging - accountabilities
Operators can do chores
Hide the real root password
Revoke the privilege without change root
password
A list is maintained
Less chance of root shell left unattended
A single file can use used to control access for
an entire network
10
5
Sudo – pros and cons

Disadvantage


Breach in security of a personal account = root
account
Logging can be subverted



sudo csh
sudo su
Select the commands for sudo with care



No shell scripts
No utility which provides shell escapes
No “ all commands except … “
11
pseudo-users

Pseudo-users can not login directly




daemon: Owner of unprivileged system
software
Bin: owner of system commands
Sys: owner of the kernel and memory images
Nobody: the generic NFS user
12
6