Access Control, Rootly Powers & Controlling Processes
Prepared By
Prof. Bhushan Pawar
www.bhushanpawar.com
TRADITIONAL UNIX ACCESS CONTROL
• The system's design:
– Objects (e.g., files and processes) have owners. Owners have broad (but not necessarily unrestricted) control over their objects.
– You own the new objects that you create.
– The special user account called "root" can act as the owner of any object.
– Only root can perform certain sensitive administrative operations.
File system access control
• In the traditional model, every file has both an owner and a group, sometimes referred to as the "group owner."
• The owner can set the permissions of the file. In particular, the owner can set them so restrictively that no one else can access it.
• Groups are traditionally defined in the /etc/group file, but these days group information is more commonly stored on an NIS or LDAP server on the network.
Continue…
• The owner of a file gets to specify what the group owners can do with it. This scheme allows files to be shared among members of the same project.
• The ownerships of a file (its owner and its group) can be determined with ls -l filename.
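How the kernel actually applies those bits, as an added example (this is not code from the slides): it selects exactly one permission class for the caller, never falling through to a more permissive one, and lets UID 0 bypass the read/write bits. The uids, gids and modes are constructed for illustration.

```python
"""Traditional UNIX file access check, as an added example (not part of the
slides): which of the three permission classes applies to a caller, and
whether the requested access is granted.  All uids/gids/modes below are
constructed for illustration."""
import stat

# Access requested, as a bitmask in the same layout as one mode digit.
R, W, X = 4, 2, 1


def mode_string(mode: int) -> str:
    """Render st_mode the way ls -l shows the permission field,
    e.g. 0o104750 -> 'rwsr-x---' (the 's' is the setuid bit)."""
    return stat.filemode(mode)[1:]  # drop the file-type character


def permission_class(file_uid: int, file_gid: int, uid: int, gids) -> str:
    """Select the single class the kernel consults: owner, group or other.

    There is no fall-through.  A file with mode 0046 (owner: nothing,
    others: rw) is unreadable by its owner even though everyone else can
    read it, because the owner is checked against the owner bits only."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:          # primary or any supplementary group
        return "group"
    return "other"


def can_access(mode: int, file_uid: int, file_gid: int,
               uid: int, gids, want: int) -> bool:
    """True if a process with credentials (uid, gids) may perform `want`
    (bitwise OR of R, W, X) on a regular file with this st_mode and owner."""
    if uid == 0:
        # The superuser bypasses the read/write bits entirely.  Execute is
        # the one exception: the kernel still wants at least one x bit set,
        # so root cannot accidentally "run" a plain data file.
        if want & X and not (mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)):
            return False
        return True
    shift = {"owner": 6, "group": 3, "other": 0}[
        permission_class(file_uid, file_gid, uid, gids)]
    granted = (mode >> shift) & 0o7
    return (granted & want) == want


if __name__ == "__main__":
    # A project file owned by alice (uid 1000), group devs (gid 2000), 0640.
    f = 0o100640                       # S_IFREG | 0640
    print(mode_string(f))                                    # rw-r-----
    print(can_access(f, 1000, 2000, 1000, {1000}, R | W))    # alice: True
    print(can_access(f, 1000, 2000, 1001, {2000}, R))        # bob in devs: True
    print(can_access(f, 1000, 2000, 1001, {2000}, W))        # bob in devs: False
    print(can_access(f, 1000, 2000, 1002, {3000}, R))        # outsider: False
    print(can_access(f, 1000, 2000, 0, {0}, R | W))          # root: True
    # The no-fall-through rule: owner has no bits, others have rw.
    print(can_access(0o100046, 1000, 2000, 1000, {1000}, R)) # alice: False
```

The last case is the one that surprises people: making a file world-readable does not make it readable by an owner whose own bits are cleared, and the same logic means a group entry can be used to deny a specific group (group bits 0, other bits rw) while everyone else reads it.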
Process ownership
• Processes have owners too. The owner of a process can send it signals and can reduce (but not raise) its scheduling priority.
• The two mechanisms that let a process act with more privilege than its owner normally has are covered next:
– The root account
– Setuid and setgid execution
The root account
• The root account is UNIX's omnipotent (all-powerful) administrative user. It's also known as the superuser account, although the actual username is "root".
• The defining characteristic of the root account is its UID of 0, not its name: any account whose UID is 0 has the same powers. UNIX does not stop you from renaming the account or from creating additional UID-0 accounts, but both are bad ideas.
• Traditional UNIX allows the superuser (that is, any process whose effective UID is 0) to perform any valid operation on any file or process.
Continue…
• Examples of operations restricted to the superuser:
– Changing the root directory of a process with chroot
– Creating device files
– Setting the system clock
– Raising resource usage limits and process priorities
– Setting the system's hostname
– Configuring network interfaces
– Opening privileged network ports (those numbered below 1,024)
Setuid and Setgid execution
• This mechanism lets developers and administrators set up structured ways for unprivileged users to perform privileged operations.
• When the kernel runs an executable file that has its "setuid" or "setgid" permission bit set, it changes the effective UID or GID of the resulting process to the UID or GID of the file containing the program image, rather than the UID or GID of the user that ran the command.
• Every setuid-root program is therefore part of the system's attack surface: a bug in it hands its caller root's privileges, so such programs should be few, small, and audited.
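Two things a reviewer wants to see about set-id execution, shown here as an added example (not code from the slides, and a model rather than the kernel's own logic): the credential change at exec time, and an audit that lists the set-id executables under a directory tree, which is where a search for privilege-escalation paths usually begins. The /usr/bin/passwd numbers and the default /usr/bin tree are illustrative assumptions.

```python
"""Set-id execution, as an added example (not from the slides): (1) a model
of the credential change the kernel makes at exec time and (2) an audit that
lists the setuid/setgid executables under a directory tree, the usual first
stop when looking for privilege-escalation paths.  Uids below are illustrative."""
import os
import stat
import sys
from typing import Iterator, Tuple


def exec_credentials(file_mode: int, file_uid: int, file_gid: int,
                     ruid: int, rgid: int) -> Tuple[int, int, int, int]:
    """Return (ruid, euid, rgid, egid) of the process after exec.

    The real ids stay those of the caller; each effective id follows the
    file's owner or group only if the matching bit is set.  Real kernels add
    conditions not modelled here (nosuid mounts, ptrace, capabilities)."""
    euid = file_uid if file_mode & stat.S_ISUID else ruid
    egid = file_gid if file_mode & stat.S_ISGID else rgid
    return ruid, euid, rgid, egid


def find_setid_executables(root: str) -> Iterator[Tuple[str, str, int, int]]:
    """Yield (path, ls-style mode, owner uid, group gid) for every regular
    file under `root` that is executable and has the setuid or setgid bit.
    lstat is used, so a symlink is never reported in place of its target."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                    # vanished or unreadable; skip
            m = st.st_mode
            if not stat.S_ISREG(m):
                continue
            if not m & (stat.S_ISUID | stat.S_ISGID):
                continue
            if not m & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue                    # set-id on a non-executable: nothing to exec
            yield path, stat.filemode(m), st.st_uid, st.st_gid


if __name__ == "__main__":
    # /usr/bin/passwd is typically mode 4755 and owned by root; alice
    # (uid 1000, gid 1000) runs it and gets euid 0 while keeping ruid 1000.
    print(exec_credentials(0o104755, 0, 0, 1000, 1000))     # (1000, 0, 1000, 1000)
    tree = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, mode, uid, gid in find_setid_executables(tree):
        print(f"{mode} {uid:5d} {gid:5d} {path}")
```

Run it against / on a fresh install and keep the list; anything that shows up later that is not from a package you installed deserves a look, and anything owned by a non-root user with the setuid bit set is a mistake waiting to be used.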
MODERN ACCESS CONTROL
• From a security perspective, the root account represents a potential single point of failure. If it's compromised, the integrity of the whole system is violated, and there is no limit to the damage an attacker can inflict.
• In the traditional model, the only way to subdivide the special privileges of the root account is by writing setuid programs. Unfortunately, as the Internet's steady stream of security updates demonstrates, it's difficult to write truly secure software. (Modern kernels add finer-grained mechanisms, such as Linux capabilities, for precisely this reason.)
Continue…
• The security model isn't strong enough for use on a network. No computer to which an unprivileged user has physical access can be trusted to accurately represent the ownerships of the processes it's running, so a server cannot safely believe the UID a client machine claims for a request.
• Many high-security environments enforce conventions that simply can't be implemented with traditional UNIX security.
Role-based access control
• Role-based access control, often abbreviated RBAC, is a theoretical model formalized in 1992 by David Ferraiolo and Rick Kuhn.
• The basic idea is to add a layer of indirection to access control calculations. Instead of permissions being assigned directly to users, they are assigned to intermediate constructs known as "roles," and roles in turn are assigned to users.
• To make an access control decision, the access control library enumerates the roles of the current user and checks to see if any of those roles have the appropriate permission.
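The decision procedure from the last bullet in code, as an added example (not from the slides). It goes one step past the text by letting roles inherit from other roles, the role hierarchy of the NIST RBAC model, so a senior role carries a junior role's permissions without duplicating them. The users, roles and permissions are a constructed policy.

```python
"""Role-based access control: users -> roles -> permissions, as an added
example (not from the slides).  Roles may inherit from other roles (the
role hierarchy of the NIST RBAC model), so "sysadmin" below automatically
holds everything "operator" and "dba" hold.  The policy is constructed."""
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]          # (operation, object)

ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "operator": {("read", "logs"), ("restart", "nginx")},
    "dba":      {("read", "logs"), ("backup", "db"), ("restore", "db")},
    "sysadmin": {("edit", "sudoers"), ("reboot", "host")},
}

# Senior role -> junior roles whose permissions it inherits.
ROLE_PARENTS: Dict[str, Set[str]] = {
    "sysadmin": {"operator", "dba"},
}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"operator"},
    "bob":   {"dba"},
    "carol": {"sysadmin"},
    "dave":  set(),                   # an account with no role: everything denied
}


def effective_roles(role_names: Set[str]) -> FrozenSet[str]:
    """Expand roles through the hierarchy (transitive closure).  The visited
    set makes an accidental cycle in ROLE_PARENTS harmless."""
    seen: Set[str] = set()
    stack = list(role_names)
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(ROLE_PARENTS.get(r, ()))
    return frozenset(seen)


def permissions_of(user: str) -> FrozenSet[Permission]:
    """All permissions a user holds through any of their (inherited) roles."""
    perms: Set[Permission] = set()
    for role in effective_roles(USER_ROLES.get(user, set())):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return frozenset(perms)


def is_allowed(user: str, operation: str, obj: str) -> bool:
    """The access decision: does any role of the user grant (operation, obj)?
    Unknown users and unknown roles fall through to deny."""
    return (operation, obj) in permissions_of(user)


def grant_role(user: str, role: str) -> None:
    """Administration happens at the role layer: a job change is one
    assignment here, not a re-audit of every object's permission list."""
    if role not in ROLE_PERMISSIONS and role not in ROLE_PARENTS:
        raise ValueError(f"unknown role {role!r}")
    USER_ROLES.setdefault(user, set()).add(role)


if __name__ == "__main__":
    for user, op, obj in [("alice", "restart", "nginx"), ("alice", "backup", "db"),
                          ("carol", "backup", "db"), ("dave", "read", "logs")]:
        print(f"{user:6} {op:8} {obj:8} -> {is_allowed(user, op, obj)}")
```

The indirection is what makes the model auditable: "who can restore the database?" is answered by listing the roles holding that permission and the users holding those roles, rather than by scanning every object.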
PAM: Pluggable Authentication Modules
• PAM is an authentication technology rather than an access control technology. That is, rather than addressing the question "Does user X have permission to perform operation Y?", it helps answer the precursor question "How do I know this is really user X?"
Continue…
• In the past, user passwords were checked against the /etc/shadow file at login time so that an appropriate UID could be set for the user's shell or window system.
• In a world of networks, cryptography, and biometric identification devices, a more flexible and open system is required.
Continue…
• PAM is a wrapper for a variety of method-specific authentication libraries. Administrators specify the authentication methods they want the system to use, along with the appropriate contexts for each one. Programs that want to authenticate a user simply call the PAM system rather than implementing their own forms of authentication.
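What "specifying the methods and their contexts" looks like in practice is a stack of modules per service, and the part that bites administrators is how the control words combine. The following is an added example (not from the slides, and not PAM's own code): it parses pam.d-style lines and applies the control-word semantics documented in pam.d(5) to a table of per-module outcomes, so the effect of ordering can be seen before touching a real /etc/pam.d file. The configuration text is constructed; the module names are real PAM modules, but their results are supplied by the caller rather than computed.

```python
"""How Linux-PAM walks a module stack, as an added example (not part of the
slides or of PAM).  It parses pam.d-style lines and applies the control-word
semantics from pam.d(5) to a table of per-module outcomes, which shows why
ordering and control words matter.  The configuration is constructed."""
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_CONFIG = """
# auth: who is this?  faillock first, so a locked-out account fails even
# with the right password; pam_deny last so that "nothing matched" is an
# explicit denial rather than a reliance on the fail-closed default
auth    required    pam_faillock.so preauth silent
auth    sufficient  pam_unix.so try_first_pass
auth    sufficient  pam_sss.so use_first_pass
auth    requisite   pam_deny.so
# account: may this account log in at all?
account required    pam_nologin.so
account required    pam_unix.so
"""

# A classic mistake: an always-succeeding module marked sufficient, first.
BROKEN_CONFIG = """
auth    sufficient  pam_permit.so
auth    required    pam_unix.so
"""

# Same two modules, other order: the required failure now sticks.
REORDERED_CONFIG = """
auth    required    pam_unix.so
auth    sufficient  pam_permit.so
"""

# Behaviour that does not depend on the user: pam_permit always succeeds,
# pam_deny always fails.  Callers merge per-user results into this.
FIXED_OUTCOMES = {"pam_permit.so": True, "pam_deny.so": False}


@dataclass(frozen=True)
class Entry:
    mtype: str      # auth | account | password | session
    control: str    # required | requisite | sufficient | optional
    module: str
    args: tuple


def parse_pam_config(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed line: {raw!r}")
        mtype, control, module, *args = fields
        if control.startswith("["):
            # Real PAM also accepts [value=action ...] and include; not modelled.
            raise NotImplementedError(f"bracket syntax not supported: {raw!r}")
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unknown control word in {raw!r}")
        entries.append(Entry(mtype, control, module, tuple(args)))
    return entries


def evaluate_stack(entries: List[Entry], mtype: str,
                   outcomes: Dict[str, bool]) -> bool:
    """True if the `mtype` stack grants access, given each module's own
    pass/fail in `outcomes` (a module not listed is treated as failing).

    required    failure is remembered but the stack keeps running, so a
                caller cannot tell which module rejected them
    requisite   failure ends the stack immediately with denial
    sufficient  success ends the stack with success unless an earlier
                required module already failed; its failure is ignored
    optional    success counts only if nothing else recorded a result
    Reaching the end with no recorded result is a denial (fail closed)."""
    impression = None                      # None, True or False
    for e in (x for x in entries if x.mtype == mtype):
        ok = outcomes.get(e.module, False)
        if e.control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False
                if e.control == "requisite":
                    return False
        elif e.control == "sufficient":
            if ok and impression is not False:
                return True
        elif e.control == "optional":
            if ok and impression is None:
                impression = True
    return impression is True


def login_allowed(config: str, outcomes: Dict[str, bool]) -> bool:
    """A login needs both the auth and the account stacks to pass."""
    entries = parse_pam_config(config)
    return (evaluate_stack(entries, "auth", outcomes)
            and evaluate_stack(entries, "account", outcomes))
```

The BROKEN_CONFIG case is the one to remember: a sufficient module that succeeds ends the stack, so anything placed after it (including the module that actually checks the password) is never consulted.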
Kerberos: third-party cryptographic authentication
• Kerberos deals with authentication rather than access control. But whereas PAM is an authentication framework, Kerberos is a specific authentication method.
• They're generally used together, PAM being the wrapper and Kerberos the actual implementation.
Continue…
• Kerberos uses a trusted third party (a server) to perform authentication for an entire network. Rather than authenticating yourself to the machine you are using
REAL-WORLD ACCESS CONTROL
• Most sites still use the traditional root account for system administration.
• Add-on tools such as sudo go a long way toward bridging the gap between simplicity and security.
Choosing a root password
• The most important characteristic of a good password is length. The root password should be at least eight characters long, and longer wherever the system's password hashing allows it.
• Passwords are stored hashed, not encrypted. On systems that still use the traditional DES-based crypt, only the first eight characters of a password are significant; systems that hash passwords with MD5 or Blowfish (or the SHA-based schemes that have since replaced them) accept and check longer passwords.
Logging in to the root account
• You can log in directly to the root account and work on the system. However, this turns out to be a bad idea.
• The disadvantage is that the log-in-as-root scenario leaves no record of who was really doing the work.
• If several people have access to the root account, you won't be able to tell who used it and when.
su: substitute user identity
• A slightly better way to access the root account is to use the su command.
• If invoked without arguments, su prompts for the root password and then starts up a root shell.
• Root privileges remain in effect until you terminate the shell by typing <Control-D> or the exit command.
Continue…
• The su command can also substitute identities other than root.
• If you know someone's password, you can access that person's account directly by executing su - username. The hyphen asks for "login mode"; its exact implications vary by shell, but it normally changes the number or identity of the startup files that the shell reads and gives you that user's environment rather than your own.
sudo: a limited su
• sudo takes as its argument a command line to be executed as root (or, with -u, as another user).
• sudo consults the file /etc/sudoers, which lists the people who are authorized to use sudo and the commands they are allowed to run on each host. Each command is logged together with the invoking user, so root activity stays attributable.
• sudo's command logging can be subverted by tricks such as shell escapes from within an allowed program, or by sudo sh and sudo su if you allow them; once a shell is running, nothing typed into it is logged.
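How sudo reads /etc/sudoers, shown as an added example (this is not sudo's own code): a cut-down evaluator for the user-specification lines that handles the usual `user host = (runas) TAG: command, ...` form with %group names, ALL, NOPASSWD and NOEXEC, shell-style wildcards, and the sudoers rule that the last matching entry wins. It deliberately includes two of the pitfalls a policy review should catch: a wildcard in arguments that admits extra arguments, and a `!` denial that sudoers(5) itself describes as easy to bypass. Aliases, netgroups, Defaults and the `""` no-arguments form are not modelled, and the policy is constructed; a real policy should be checked with `visudo -c` and `sudo -l`.

```python
"""A cut-down evaluator for the user specifications in /etc/sudoers, as an
added example (not sudo's own code).  Covers `user host = (runas) TAG: cmd`
with %group, ALL, NOPASSWD, NOEXEC, wildcards and last-match-wins.  Aliases,
netgroups, Defaults and "" (no arguments) are not modelled.  Policy is constructed."""
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

SAMPLE_SUDOERS = """
# alice may restart nginx anywhere, without a password; the arguments are
# fixed, so she cannot substitute another unit name
alice   ALL = (root) NOPASSWD: /usr/bin/systemctl restart nginx
# members of group ops may page through logs; NOEXEC blocks the "!sh"
# escape that less offers (for dynamically linked programs, which sudo
# hooks via LD_PRELOAD), because less can no longer exec anything
%ops    ALL = (root) NOEXEC: /usr/bin/less /var/log/*
# bob is a full administrator on web1 only ...
bob     web1 = (ALL) ALL
# ... except that a root shell is denied.  Last match wins, so this line
# must come after the grant.  sudoers(5) warns that such denials are easy
# to bypass (copy the shell elsewhere); they are damage limitation only.
bob     web1 = (ALL) !/bin/sh, !/bin/bash, !/usr/bin/su
"""


@dataclass(frozen=True)
class Rule:
    users: Tuple[str, ...]       # user names, %group names or ALL
    hosts: Tuple[str, ...]
    runas: Tuple[str, ...]
    tags: FrozenSet[str]         # NOPASSWD, NOEXEC, ...
    command: str                 # ALL, or "path [args]" (wildcards allowed)
    negated: bool                # written with a leading '!'


def parse_sudoers(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue                                  # not modelled
        lhs, rhs = line.split("=", 1)
        users_s, hosts_s = lhs.split(None, 1)
        users = tuple(u.strip() for u in users_s.split(","))
        hosts = tuple(h.strip() for h in hosts_s.split(","))
        rhs = rhs.strip()
        runas: Tuple[str, ...] = ("root",)            # sudo's default target user
        if rhs.startswith("("):
            close = rhs.index(")")
            runas = tuple(r.strip().split(":")[0] for r in rhs[1:close].split(","))
            rhs = rhs[close + 1:].strip()
        tags: Set[str] = set()                        # a tag covers the commands after it
        for spec in (s.strip() for s in rhs.split(",")):
            while True:
                head, _, rest = spec.partition(" ")
                if head.endswith(":") and head[:-1].isupper():
                    tags.add(head[:-1])
                    spec = rest.strip()
                else:
                    break
            rules.append(Rule(users, hosts, runas, frozenset(tags),
                              spec.lstrip("!"), spec.startswith("!")))
    return rules


def command_matches(pattern: str, command: str) -> bool:
    """ALL matches anything.  A pattern without arguments matches that
    program with any arguments.  Otherwise the whole "path args" string is
    matched with shell wildcards.  Note that '*' also matches spaces, so
    '/usr/bin/less /var/log/*' admits 'less /var/log/syslog /etc/shadow':
    the wildcard pitfall that sudoers(5) warns about."""
    if pattern == "ALL":
        return True
    if " " not in pattern:
        return fnmatch.fnmatchcase(command.split()[0], pattern)
    return fnmatch.fnmatchcase(command, pattern)


def decide(rules: List[Rule], user: str, groups: Set[str], host: str,
           runas: str, command: str) -> Optional[Tuple[bool, FrozenSet[str]]]:
    """(allowed, tags) from the last matching rule, or None when nothing
    matches, in which case sudo refuses and logs the attempt."""
    verdict = None
    for r in rules:
        if not any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
                   for u in r.users):
            continue
        if not any(h in ("ALL", host) for h in r.hosts):
            continue
        if not any(x in ("ALL", runas) for x in r.runas):
            continue
        if command_matches(r.command, command):
            verdict = (not r.negated, r.tags)
    return verdict
```

The lesson the two pitfalls teach is the same one the slide states: sudo's restrictions are only as good as the commands you allow. Prefer a fixed command with fixed arguments (alice's line) over a wildcard, and prefer never granting ALL over granting ALL and then trying to deny the shells.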
PSEUDO-USERS OTHER THAN ROOT
• Root is generally the only user that has special status in the eyes of the kernel, but several other pseudo-users are defined by the system.
• You can identify these accounts by their low UIDs, usually less than 100.
• UIDs under 10 are system accounts, and UIDs between 10 and 100 are pseudo-users associated with specific pieces of software. (Modern Linux distributions reserve a larger range, typically everything below 1000, for such accounts.)
• Pseudo-users should own only the files their software needs and should have a locked password and a non-interactive shell such as /usr/sbin/nologin, so that nobody can log in as them.
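The checks those two slides imply (a single UID-0 account with a strong password hash, and pseudo-users that cannot log in) as one audit over /etc/passwd and /etc/shadow, added here as an example for both the "Choosing a root password" and the pseudo-user points (not code from the slides). The sample lines are constructed, the hashes in them are deliberately not real, and the 999 cut-off for the pseudo-user range is the modern Linux convention rather than the 100 in the slide; pass 99 to follow the traditional layout.

```python
"""An audit over /etc/passwd and /etc/shadow, as an added example (not from
the slides): extra UID-0 accounts, low-UID accounts that can still log in,
and password fields that are empty or use the legacy DES crypt (only eight
characters significant) or MD5.  Sample lines are constructed and the hashes
in them are deliberately not real."""
from typing import Dict, List

# /etc/passwd format: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
postgres:x:112:120:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# /etc/shadow format: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$fakesalt$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
bin:*:19500:0:99999:7:::
www-data:*:19500:0:99999:7:::
backup:$6$fakesalt$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK:19500:0:99999:7:::
postgres:!:19500:0:99999:7:::
toor:FAKEdes13char:19500:0:99999:7:::
alice:$1$fakesalt$FAKEFAKEFAKEFAKEFAKEFA:19500:0:99999:7:::
"""

HASH_PREFIXES = [("$1$", "md5"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
                 ("$2y$", "bcrypt"), ("$5$", "sha256"), ("$6$", "sha512"),
                 ("$7$", "scrypt"), ("$y$", "yescrypt")]
DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
WEAK = {"empty", "des", "md5", "unknown"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def classify_hash(field: str) -> str:
    """Name the password-field format: empty, locked, des, md5, sha512, ..."""
    if field == "":
        return "empty"                  # no password needed at all
    if field[0] in "!*":
        return "locked"                 # '!' locked, '*' never set: no password login
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    if len(field) == 13 and set(field) <= DES_ALPHABET:
        return "des"                    # traditional crypt(3): 8 significant chars
    return "unknown"


def parse_passwd(text: str) -> Dict[str, dict]:
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line.strip()}


def audit(passwd_text: str, shadow_text: str, system_uid_max: int = 999) -> List[str]:
    """Findings as one-line strings; an empty list means nothing to report.
    `system_uid_max` is the top of the pseudo-user range: 99 for the
    traditional layout in the slides, 999 on most Linux systems today."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append(f"extra UID-0 account: {name}")
    for name, u in users.items():
        kind = classify_hash(hashes[name]) if name in hashes else "missing"
        pseudo = 0 < u["uid"] <= system_uid_max
        if pseudo and u["shell"] not in NOLOGIN_SHELLS and kind not in ("locked", "missing"):
            findings.append(f"pseudo-user {name} (uid {u['uid']}) can log in: "
                            f"shell {u['shell']}, password {kind}")
        if kind in WEAK:
            findings.append(f"{name}: password hash is {kind}")
    return findings


def audit_system(passwd_path="/etc/passwd", shadow_path="/etc/shadow") -> List[str]:
    """Run the same checks on the live files (reading shadow needs root)."""
    with open(passwd_path) as p, open(shadow_path) as s:
        return audit(p.read(), s.read())


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

On the sample data the audit reports the second UID-0 account (which the kernel treats exactly like root, whatever it is called), the backup pseudo-user that has a shell and a usable password, and the two accounts whose hashes are DES or MD5. A pseudo-user with a locked password and a real shell (postgres here) is fine: root can still `su - postgres`, but nobody can log in as it.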
Any Question???
• If you have any doubts, you can ask me questions at bhushan.pawar@mescoepune.org or contact me on (+91)-7588318728
