OSA Unit - V: Access Control, Rootly Powers and Controlling Processes

Unit V: Access Control, Rootly Powers and Controlling Processes:

Reference: UNIX and Linux System Administration Handbook. Authors: Evi Nemeth, Garth Snyder, Trent R. Hein, Ben Whaley.

Index:

Traditional UNIX access control, Modern access control, Real-world access control, Pseudo-users other than root. Components of a process, The life cycle of a process, Signals, Dynamic monitoring with top, prstat and topas, The /proc filesystem, strace, truss and tusc, Runaway processes.

Traditional UNIX access control:

Even in the earliest and simplest versions of UNIX, there was never a single-point access control system. There were, however, some general rules that shaped the system’s design: Objects (e.g., files and processes) have owners. Owners have broad (but not necessarily unrestricted) control over their objects. You own new objects that you create. The special user account called “root” can act as the owner of any object. Only root can perform certain sensitive administrative operations. Certain system calls (e.g., settimeofday) are restricted to root; the system call implementation simply checks the identity of the current user and rejects the operation if the user is not root.

Filesystem access control:

In the traditional model, every file has both an owner and a group, sometimes referred to as the “group owner.” Although the owner of a file is always a single person, many people can be group owners of the file, as long as they are all part of a single group. Groups are traditionally defined in the /etc/group file. The owner of a file gets to specify what the group owners can do with it. UIDs are mapped to usernames in the /etc/passwd file, and GIDs are mapped to group names in /etc/group.

Process ownership:

The owner of a process can send the process signals and can also reduce (degrade) the process’s scheduling priority. Processes actually have multiple identities: a real, effective, and saved UID; a real, effective, and saved GID; and, under Linux, a “filesystem UID” that is used only to determine file access permissions. Broadly speaking, the real numbers are used for accounting and the effective numbers are used for the determination of access permissions. Saved IDs have no direct effect; they allow programs to park an inactive ID for later use.

The root account:

The root account is UNIX’s omnipotent administrative user. It’s also known as the superuser account, although the actual username is “root”. The defining characteristic of the root account is its UID of 0. Traditional UNIX allows the superuser (that is, any process whose effective UID is 0) to perform any valid operation on any file or process.

The root account (continued):

Examples of restricted operations are: changing the root directory of a process with chroot; creating device files; setting the system clock; raising resource usage limits and process priorities; setting the system’s hostname; configuring network interfaces; opening privileged network ports (those numbered below 1,024); and shutting down the system.

MODERN ACCESS CONTROL:

Shortcomings of traditional access control: The root account represents a potential single point of failure. If it’s compromised, the integrity of the whole system is violated. The security model isn’t strong enough for use on a network. There is minimal support for auditing. You can easily see which groups a user belongs to, but you can’t necessarily determine what those group memberships permit a user to do.

Role-based access control:

Role-based access control, known as RBAC, is a theoretical model formalized in 1992 by David Ferraiolo and Rick Kuhn. The basic idea is to add a layer of indirection to access control calculations. Instead of permissions being assigned directly to users, they are assigned to intermediate constructs known as “roles,” and roles in turn are assigned to users. To make an access control decision, the access control library enumerates the roles of the current user and checks to see if any of those roles have the appropriate permissions. For example, you might define a “senior administrator” role that has all the permissions of an “administrator” plus the additional permissions X, Y, and Z.

SELinux: security-enhanced Linux:

The primary focus of SELinux is to enable “mandatory access control,” aka MAC, an access control system in which all permissions are assigned by administrators. Under MAC, users cannot delegate their access or set access control parameters on the objects they own. SELinux can also be used to implement a form of role-based access control, although this was not a primary objective of the system.

POSIX capabilities (Linux):

Linux systems, even those that do not make use of the SELinux extensions, are theoretically capable of subdividing the privileges of the root account according to the POSIX standard for “capabilities.” Capability specifications can also be assigned to executable programs. The programs then acquire the specified capabilities.

PAM: Pluggable Authentication Modules:

PAM is an authentication technology rather than an access control technology. That is, rather than addressing the question “Does user X have permission to perform operation Y?”, it helps answer the precursor question “How do I know this is really user X?”

Kerberos: third-party cryptographic authentication:

Like PAM, Kerberos deals with authentication rather than access control per se. But whereas PAM is an authentication framework, Kerberos is a specific authentication method. They’re generally used together, PAM being the wrapper and Kerberos the actual implementation. Kerberos uses a trusted third party (a server) to perform authentication for an entire network. Rather than authenticating yourself to the machine you are using, you provide your credentials to the Kerberos service, and it issues you cryptographic credentials that you can present to other services as evidence of your identity.

Access control lists:

Since filesystem access control is so central to UNIX and Linux, it has been extended in several ways. The most common addition has been support for access control lists (ACLs), a generalization of the traditional user/group/other permission model that accommodates permissions for multiple users and groups at once.

REAL-WORLD ACCESS CONTROL:

Choosing a root password: The most secure type of password consists of a random sequence of letters, punctuation, and digits. But this type of password is hard to remember and usually difficult to type. Logging in to the root account: You can log in directly to the root account and work, but doing so leaves no record of what operations were performed as root. su, substitute user identity: Root privileges remain in effect until you terminate the shell by typing <Control-D> or the exit command. su doesn’t record the commands executed as root, but it does create a log entry that states who became root and when.

Real-world access control (continued):

sudo: sudo consults the file /etc/sudoers, which lists the people who are authorized to use sudo and the commands they are allowed to run on each host. sudo commands can be executed without the “sudoer” having to type a password until a five-minute period (configurable) has elapsed with no further sudo activity. sudo keeps a log of the command lines that were executed, the hosts on which they were run, the people who requested them, the directory from which they were run, and the times at which they were invoked. Password vaults and password escrow: A password vault is a piece of software (or a combination of software and hardware) that stores passwords for your organization in a more secure fashion. A low-tech way to implement password escrow is to store passwords in tamper-evident, serial-numbered baggies. As long as a baggie is present and unopened, you know that no one has accessed the password inside.

PSEUDO-USERS OTHER THAN ROOT:

Root is generally the only user that has special status in the eyes of the kernel, but several other pseudo-users are defined by the system. You can identify these sham accounts by their low UIDs, usually less than 100. Most often, UIDs under 10 are system accounts, and UIDs between 10 and 100 are pseudo-users associated with specific pieces of software.

Controlling Processes:

Controlling Processes

COMPONENTS OF A PROCESS:

The kernel’s internal data structures record various pieces of information about each process. Here are some of the more important of these: the process’s address space map; the current status of the process (sleeping, stopped, runnable, etc.); the execution priority of the process; information about the resources the process has used; information about the files and network ports the process has opened; the process’s signal mask (a record of which signals are blocked); and the owner of the process.

COMPONENTS OF A PROCESS:

PID: process ID number. The kernel assigns a unique ID number to every process. Most commands and system calls that manipulate processes require you to specify a PID to identify the target of the operation. PIDs are assigned in order as processes are created. PPID: parent PID. Neither UNIX nor Linux has a system call that initiates a new process running a particular program. Instead, an existing process must clone itself to create a new process. The clone can then exchange the program it’s running for a different one. When a process is cloned, the original process is referred to as the parent, and the copy is called the child. The PPID attribute of a process is the PID of the parent from which it was cloned.

COMPONENTS OF A PROCESS:

UID and EUID: real and effective user ID. A process’s UID is the user identification number of the person who created it. Usually, only the creator (aka the “owner”) and the superuser can manipulate a process. The EUID is the “effective” user ID, an extra UID used to determine what resources and files a process has permission to access at any given moment. GID and EGID: real and effective group ID. The GID is the group identification number of a process. The EGID is related to the GID.
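How a privileged program parks and later resumes an identity using the saved UID, as an added example written for this page (not code from the handbook or these slides). It assumes Linux, where getresuid/setresuid are available as extensions; the function names are hypothetical. Run as an ordinary user all three UIDs are already equal, so every step succeeds trivially; in a setuid-root program the same calls drop and regain UID 0.

```c
#define _GNU_SOURCE               /* for getresuid/setresuid on glibc (Linux) */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the real, effective and saved UIDs. Returns 0 on success, -1 on error. */
int get_ids(uid_t *real, uid_t *eff, uid_t *saved)
{
    return getresuid(real, eff, saved) == 0 ? 0 : -1;
}

/* Park privilege: make the effective UID equal to the real UID. The saved
   UID keeps the privileged identity so that it can be resumed later. */
int drop_privs_temporarily(void)
{
    if (seteuid(getuid()) != 0) return -1;
    return geteuid() == getuid() ? 0 : -1;    /* verify, never assume */
}

/* Resume the parked identity; allowed because it is still the saved UID. */
int restore_privs(uid_t saved)
{
    if (seteuid(saved) != 0) return -1;
    return geteuid() == saved ? 0 : -1;
}

/* Give up privilege for good: set all three UIDs (and GIDs) to the real
   ones so nothing is left parked. Groups go first, the conventional order,
   because dropping the UIDs first can leave the process without the right
   to change its group identities afterwards. */
int drop_privs_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Defensive check: if we were privileged, regaining UID 0 must now fail. */
    if (uid != 0 && seteuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    uid_t r, e, s;
    if (get_ids(&r, &e, &s) != 0) return 1;
    printf("real=%u effective=%u saved=%u\n", (unsigned)r, (unsigned)e, (unsigned)s);
    if (drop_privs_temporarily() != 0 || restore_privs(s) != 0) return 1;
    return drop_privs_permanently() == 0 ? 0 : 1;
}
```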

COMPONENTS OF A PROCESS:

Niceness. A process’s scheduling priority determines how much CPU time it receives. The kernel uses a dynamic algorithm to compute priorities, allowing for the amount of CPU time that a process has recently consumed and the length of time it has been waiting to run. The kernel also pays attention to an administratively set value that’s usually called the “nice value” or “niceness,” so called because it tells how nice you are planning to be to other users of the system.

THE LIFE CYCLE OF A PROCESS:

To create a new process, a process copies itself with the fork system call. fork creates a copy of the original process; that copy is largely identical to the parent. The new process has a distinct PID and has its own accounting information. fork has the unique property of returning two different values. From the child’s point of view, it returns zero. The parent receives the PID of the newly created child.

THE LIFE CYCLE OF A PROCESS:

Signals are process-level interrupt requests. About thirty different kinds are defined, and they are used in a variety of ways: they can be sent among processes as a means of communication; by the terminal driver to kill, interrupt, or suspend processes; by an administrator (with kill) to achieve various ends; by the kernel when a process commits an infraction such as division by zero; and by the kernel to notify a process of an “interesting” condition such as the death of a child process or the availability of data on an I/O channel.

THE LIFE CYCLE OF A PROCESS:

When a signal is received, one of two things can happen. If the receiving process has designated a handler routine for that particular signal, the handler is called with information about the context in which the signal was delivered. Otherwise, the kernel takes some default action on behalf of the process. The default action varies from signal to signal. Many signals terminate the process; some also generate a core dump.

KILL: SEND SIGNALS:

As its name implies, the kill command is most often used to terminate a process. kill can send any signal, but by default it sends a TERM. kill can be used by normal users on their own processes or by root on any process. The syntax is kill [-signal] pid. Use kill -9 only if a polite request fails.

PROCESS STATES:

A process is not automatically eligible to receive CPU time just because it exists. You need to be aware of the four execution states (runnable, sleeping, zombie, and stopped) described next.

PROCESS STATES:

A runnable process is ready to execute whenever CPU time is available. It has acquired all the resources it needs and is just waiting for CPU time to process its data. As soon as the process makes a system call that cannot be immediately completed, the kernel puts it to sleep. Sleeping processes are waiting for a specific event to occur. Interactive shells and system daemons spend most of their time sleeping, waiting for terminal input or network connections. Since a sleeping process is effectively blocked until its request has been satisfied, it will get no CPU time unless it receives a signal or a response to one of its I/O requests.

PROCESS STATES:

Zombies are processes that have finished execution but have not yet had their status collected. If you see zombies hanging around, check their PPIDs with ps to find out where they’re coming from. Stopped processes are administratively forbidden to run. Processes are stopped on receipt of a STOP or TSTP signal and are restarted with CONT. Being stopped is similar to sleeping, but there’s no way for a process to get out of the stopped state other than having some other process wake it up (or kill it).

NICE AND RENICE:

The “niceness” of a process is a numeric hint to the kernel about how the process should be treated in relation to other processes contending for the CPU. A high nice value means a low priority for your process: you are going to be nice. A low or negative value means high priority: you are not very nice. The most common range is -20 to +19. Unless the user takes special action, a newly created process inherits the nice value of its parent process. A process’s nice value can be set at the time of creation with the nice command and adjusted later with the renice command. nice takes a command line as an argument, and renice takes a PID or (sometimes) a username.

DYNAMIC MONITORING WITH TOP, PRSTAT, AND TOPAS:

top is a free utility that runs on many systems and provides a regularly updated summary of active processes and their use of resources. By default, the display updates every 10 seconds. The most CPU-consumptive processes appear at the top. On AIX, an equivalent utility is topas, and on Solaris the analogous tool is prstat.

THE /PROC FILESYSTEM:

The Linux versions of ps and top read their process status information from the /proc directory, a pseudo-filesystem in which the kernel exposes a variety of interesting information about the system’s state. Despite the name /proc, the information is not limited to process information; a variety of status information and statistics generated by the kernel are represented here. Process-specific information is divided into subdirectories named by PID. For example, /proc/1 is always the directory that contains information about init.
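As an added example (not from the handbook or these slides), a small Linux-only C parser for the Name, State, Pid, PPid and Uid lines of /proc/<pid>/status, the same per-process data ps and top read, together with a constructed sample in that layout. The read_proc_status() helper, its buffer size and the struct layout are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Fields of /proc/<pid>/status that matter for process ownership. */
struct proc_status {
    char name[64];
    char state;       /* R, S, D, T or Z, as the State: line reports it */
    int pid, ppid;    /* the PPid tells you where a zombie came from */
    unsigned uid[4];  /* real, effective, saved and filesystem UID */
};

/* Parse the text of a status file. Returns 0 when Name, State, Pid, PPid
   and Uid were all found, -1 otherwise (Name is cut at the first space). */
int parse_proc_status(const char *text, struct proc_status *out)
{
    int seen = 0; const char *line = text;
    memset(out, 0, sizeof *out);
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "Name:\t%63s", out->name) == 1) seen |= 1;
        else if (sscanf(buf, "State:\t%c", &out->state) == 1) seen |= 2;
        else if (sscanf(buf, "Pid:\t%d", &out->pid) == 1) seen |= 4;
        else if (sscanf(buf, "PPid:\t%d", &out->ppid) == 1) seen |= 8;
        else if (sscanf(buf, "Uid:\t%u\t%u\t%u\t%u", &out->uid[0],
                        &out->uid[1], &out->uid[2], &out->uid[3]) == 4) seen |= 16;
        if (!nl) break;
        line = nl + 1;
    }
    return seen == 31 ? 0 : -1;
}

/* Read and parse the live status file of one process (Linux only). */
int read_proc_status(int pid, struct proc_status *out)
{
    char path[64], text[8192];
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return parse_proc_status(text, out);
}

/* Constructed sample in the layout of a real status file: a daemon that
   runs as root and is sleeping; its parent is init (PID 1). */
static const char SAMPLE_STATUS[] =
    "Name:\tsshd\nState:\tS (sleeping)\nTgid:\t812\nPid:\t812\n"
    "PPid:\t1\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n";
```

Calling read_proc_status(1, &st) on a live Linux host fills in the same fields for init, which is how a monitoring tool would check a suspect PPID.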

STRACE, TRUSS, AND TUSC:

It can sometimes be hard to figure out what a process is actually doing. Linux lets you directly observe a process with the strace command, which shows every system call the process makes and every signal it receives. A similar command for Solaris and AIX is truss. The HP-UX equivalent is tusc; however, tusc must be separately installed.

RUNAWAY PROCESSES:

Runaway processes come in two flavors: user processes that consume excessive amounts of a system resource, such as CPU time or disk space, and system processes that suddenly go berserk and exhibit wild behavior. The first type of runaway is not necessarily malfunctioning; it might simply be a resource hog. System processes are always supposed to behave reasonably.
