10.6 Protection

  • Files must be kept safe for reliability ( against accidental damage ) and for protection ( against deliberate malicious access ). The former is usually managed with backup copies. This section discusses the latter.
  • One simple protection scheme is to remove all access to a file. However this makes the file unusable, so some sort of controlled access must be arranged.

10.6.1 Types of Access

  • The following low-level operations are often controlled:
    • Read - View the contents of the file
    • Write - Change the contents of the file.
    • Execute - Load the file onto the CPU and follow the instructions contained therein.
    • Append - Add to the end of an existing file.
    • Delete - Remove a file from the system.
    • List - View the name and other attributes of files on the system.
  • Higher-level operations, such as copy, can generally be performed through combinations of the above.

10.6.2 Access Control

  • One approach is to use Access Control Lists ( ACLs ), which specify exactly what access is allowed or denied for specific users or groups.
    • The AFS uses this system for distributed access.
    • Control is very finely adjustable, but may be complicated, particularly when the specific users involved are unknown. ( AFS allows some wild cards, so for example all users on a certain remote system may be trusted, or a given username may be trusted when accessing from any remote system. )
  • UNIX uses a set of 9 access control bits, in three groups of three. These correspond to R, W, and X permissions for each of the Owner, Group, and Others. ( See "man chmod" for full details. ) The RWX bits control the following privileges for ordinary files and directories:
    • R - Files: Read ( view ) file contents. Directories: Read directory contents. Required to get a listing of the directory.
    • W - Files: Write ( change ) file contents. Directories: Change directory contents. Required to create or delete files.
    • X - Files: Execute file contents as a program. Directories: Access detailed directory information. Required to get a long listing, or to access any specific file in the directory. Note that if a user has X but not R permission on a directory, they can still access specific files, but only if they already know the name of the file they are trying to access.
  • In addition there are some special bits that can also be applied:
    • The set user ID ( SUID ) bit and/or the set group ID ( SGID ) bit applied to an executable file temporarily changes the identity of whoever runs the program to match that of the owner / group of the executable. This allows users running specific programs to have access ( while running that program ) to files which they would normally be unable to access. Setting these two bits is usually restricted to root, and must be done with caution, as it introduces a potential security hole.
    • The sticky bit on a directory modifies write permission, allowing users to only delete files for which they are the owner. This allows everyone to create files in /tmp, for example, but to only delete files which they have created, and not anyone else's.
    • The SUID, SGID, and sticky bits are indicated with an S, S, and T in the positions for execute permission for the user, group, and others, respectively. If the letter is lower case ( s, s, t ), then the corresponding execute permission is not also given. If it is upper case ( S, S, T ), then the corresponding execute permission IS given.
    • The numeric form of chmod is needed to set these advanced bits.

Figure 10.16

  • Windows adjusts file access through a simple GUI:

Figure 10.15

10.6.3 Other Protection Approaches and Issues

  • Some systems can apply passwords, either to individual files, or to specific sub-directories, or to the entire system. There is a trade-off between the number of passwords that must be maintained ( and remembered by the users ) and the amount of information that is vulnerable to a lost or forgotten password.
  • Older systems which did not originally have multi-user file access permissions ( DOS and older versions of Mac ) must now be retrofitted if they are to share files on a network.
  • Access to a file requires access to all the files along its path as well. In a cyclic directory structure, users may have different access to the same file accessed through different paths.
  • Sometimes just the knowledge of the existence of a file of a certain name is a security ( or privacy ) concern. Hence the distinction between the R and X bits on UNIX directories.
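As an added example ( not part of the original notes ), the following Python models the UNIX decision rules from 10.6.2 together with the path requirement above: exactly one rwx triple applies to a given user, every directory on the path must grant X, an X-only directory lets a user open a file whose name they already know but not list the directory, and the sticky bit restricts deletion in /tmp to the file's owner. The directory tree, uids and gids are constructed sample data.

```python
import posixpath

# Constructed sample tree: path -> (mode incl. special bits, owner uid, owner gid)
SAMPLE_TREE = {
    "/": (0o755, 0, 0),
    "/tmp": (0o1777, 0, 0),                   # world-writable, sticky bit set
    "/tmp/alice.log": (0o644, 1000, 1000),
    "/home": (0o755, 0, 0),
    "/home/alice": (0o711, 1000, 1000),       # X but not R for group/others
    "/home/alice/notes.txt": (0o644, 1000, 1000),
}
BIT = {"r": 4, "w": 2, "x": 1}

def has_perm(tree, path, uid, groups, perm):
    """Exactly one triple applies: owner if uid matches, else group, else others."""
    mode, owner, group = tree[path]
    if uid == 0:                              # root bypasses the mode bits
        return True
    if uid == owner:
        triple = (mode >> 6) & 0o7
    elif group in groups:
        triple = (mode >> 3) & 0o7
    else:
        triple = mode & 0o7
    return bool(triple & BIT[perm])

def ancestors(path):
    """Every directory on the way to path; each must grant X to reach it."""
    dirs, cur = [], posixpath.dirname(path)
    while True:
        dirs.append(cur)
        if cur == "/":
            return dirs
        cur = posixpath.dirname(cur)

def can_traverse(tree, path, uid, groups):
    return all(has_perm(tree, d, uid, groups, "x") for d in ancestors(path))

def can_access(tree, path, uid, groups, perm):
    """Read/write/execute a file, or read (list) a directory, via its full path."""
    return can_traverse(tree, path, uid, groups) and has_perm(tree, path, uid, groups, perm)

def can_delete(tree, path, uid, groups):
    """Deleting needs W (and X) on the parent; a sticky parent also needs ownership."""
    parent = posixpath.dirname(path)
    if not (can_traverse(tree, path, uid, groups) and has_perm(tree, parent, uid, groups, "w")):
        return False
    sticky = tree[parent][0] & 0o1000
    return not sticky or uid == 0 or uid in (tree[path][1], tree[parent][1])
```

With this tree, uid 1001 can open /home/alice/notes.txt but cannot list /home/alice, and can create files in /tmp but cannot delete alice.log there.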