3.0 KiB
Lecture Topic: UNIX file access control
Unix file access control
Each Unix user is assigned a UUID, a user is also a member of a primary group, and possibly a number of other groups, each identified by a group ID
When a file is created, it is designed as owned by a particular user and marked with that users id, It also belongs to a specific group, which initially is is either its creators primary group or the group of its parents directory that has SETGID permission set
Associated with each file is a set of 12 protection bits
Table of Unix permissions goes here
Superuser
One particular user ID is designated as "super user"
This user is exempt from the usual file access control constraints and has systemwide accesses.
Any program that is owned by, and SetUID to, the superuser potentially grants unrestricted access to the system. Great care must be taken when running or making programs which run as the superuser
Access Control Lists in Unix
Many modern unix and unix based OS, support access control lists, including FreeBSD, OpenBSD and Solaris, often called the "extended access control list" while the traditional Unix system is called the "minimal access control list"
Mandatory access control
In this nondiscretionary model, people are granted access based on information clearance.
A central authority regulates access rights based on different security levels
Policies are set by the administrator, the users cannot able to interact with permissions.
This model is common in military or government.
MAC puts strict controls on users and information being accessed
Role-based access control
In RBAC, permissions are based on roles that users assume, rather than identity.
This is typically a job function within an organization.
Users are often given roles either statically or dynamically according to their responsibilities.
The relationship of users to roles is many to many, as is the relationship to roles to resources or system objects
The set of users changes, and the assignment of roles can often be dynamic
The set of roles is often static, usually only adding or deleting occasionally
Each role will often have access rights to one or more given resources. The set of resources that a role can access often does not change frequently as well.
Insert RBAC table example here
RBAC reference models
- RBAC0: This is the minimum for a RBAC system
- RBAC1: This is RBAC0 with the addition of role hierarchies, which enables role inheritance
- RBAC2: This is RBAC0 which adds constraints, which restrict the way in which componants of an RBAC system can be configured (ex, only x times a day)
- RBAC3: Is RBAC0, RBAC1 and RBAC2
Attribute based access control
ABAC is a dynamic, context based policy that defines access based on policies granted by users. The system is used in identity and access management frameworks.
An ABAC model can define authorizations that express conditions on properties of both the resources and the subject
Long ass list in the slides