Access Control, Rootly Powers & Controlling Processes
Prepared by Prof. Bhushan Pawar
www.bhushanpawar.com
TRADITIONAL UNIX ACCESS CONTROL
• System design:
  • Objects (e.g., files and processes) have owners. Owners have broad (but not necessarily unrestricted) control over their objects.
  • You own new objects that you create.
  • The special user account called root can act as the owner of any object.
  • Only root can perform certain sensitive administrative operations.
File system access control
• In the traditional model, every file has both an owner and a group, sometimes referred to as the group owner.
• The owner can set the permissions of the file. In particular, the owner can set them so restrictively that no one else (root excepted) can access it.
• Groups are traditionally defined in the /etc/group file, but these days group information is more commonly stored on an NIS or LDAP server on the network.
Continue
• The owner of a file gets to specify what members of the file's group can do with it. This scheme allows files to be shared among members of the same project.
• The ownerships of a file can be determined with ls -l filename. The first field shows the permission bits for the owner, the group and everyone else, in that order; the third and fourth fields name the owner and the group.
Process ownership
• The owner of a process can send the process signals and can also reduce the process's scheduling priority (raise its nice value). Restoring the priority afterwards is a privileged operation that only root can perform.
• Two special cases, covered next: the root account, and setuid and setgid execution.
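As an added example (not part of the original slides), the Python script below exercises exactly the two owner rights listed above on a throwaway child process: it raises the child's nice value, tries to lower it again, and then terminates it with SIGTERM. The child is spawned with the current Python interpreter so that the script does not depend on a sleep binary; no real system's processes or configuration are involved.

```python
"""What process ownership grants an ordinary user: the owner may signal a
process and may make it less important (raise its nice value), but giving
the priority back is a root privilege.  Added example for this page; it
spawns and kills its own throwaway child.
"""
import os
import signal
import subprocess
import sys


def spawn_idle_child() -> subprocess.Popen:
    """Start a child we own that just sleeps, so there is something to
    control.  Using the Python interpreter avoids relying on /bin/sleep."""
    return subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])


def can_signal(pid: int) -> bool:
    """Signal 0 performs only the permission check: True if we may signal
    pid (we own it, or we are root), False on EPERM or if pid is gone."""
    try:
        os.kill(pid, 0)
        return True
    except (PermissionError, ProcessLookupError):
        return False


def demote_and_terminate(child: subprocess.Popen) -> dict:
    """Raise the child's nice value by 5 (always allowed to the owner), try
    to restore it (needs root / CAP_SYS_NICE under the default RLIMIT_NICE),
    then SIGTERM it and collect the outcome."""
    pid = child.pid
    could_signal = can_signal(pid)
    before = os.getpriority(os.PRIO_PROCESS, pid)
    target = min(before + 5, 19)           # 19 is the least favourable nice value
    os.setpriority(os.PRIO_PROCESS, pid, target)
    after = os.getpriority(os.PRIO_PROCESS, pid)

    try:
        os.setpriority(os.PRIO_PROCESS, pid, before)
        restored = True                    # only root (or CAP_SYS_NICE) gets here
    except PermissionError:
        restored = False                   # the unprivileged owner cannot go back

    child.send_signal(signal.SIGTERM)      # the owner may always signal its process
    child.wait(timeout=10)
    return {
        "could_signal": could_signal,
        "nice_before": before,
        "nice_after": after,
        "restored": restored,
        "returncode": child.returncode,    # -SIGTERM: killed by our signal
    }


if __name__ == "__main__":
    print(demote_and_terminate(spawn_idle_child()))
    print("can signal PID 1?", can_signal(1), "(euid =", os.geteuid(), ")")
```

Run as an ordinary user, `restored` comes back False; run as root (or with CAP_SYS_NICE on Linux) it becomes True, which is the privilege boundary the slide points at. The PID 1 check at the end shows the other side of ownership: a process you do not own refuses your signals unless you are root.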
The root account
• The root account is UNIX's omnipotent (i.e., having unlimited power) administrative user. It's also known as the superuser account, although the actual username is root.
• The defining characteristic of the root account is its UID of 0. The kernel recognises root by that UID, not by the name: any passwd entry with UID 0 is root under another name, which is why the UID must never be changed or duplicated.
• Traditional UNIX allows the superuser (that is, any process whose effective UID is 0) to perform any valid operation on any file or process.
Continue
• Examples of operations restricted to root:
  • Changing the root directory of a process with chroot
  • Creating device files
  • Setting the system clock
  • Raising resource usage limits and process priorities
  • Setting the system's hostname
  • Configuring network interfaces
  • Opening privileged network ports (those numbered below 1,024)
• On Linux each of these is now gated by a separate capability (for example CAP_NET_BIND_SERVICE for the privileged ports), so a service can be granted just the one it needs instead of full root.
Setuid and Setgid execution
• This mechanism lets developers and administrators set up structured ways for unprivileged users to perform privileged operations.
• When the kernel runs an executable file that has its setuid or setgid permission bit set, it changes the effective UID or GID of the resulting process to the UID or GID of the file containing the program image, rather than the UID or GID of the user that ran the command. The real UID still identifies the caller.
• Every setuid-root program is therefore a privilege boundary: a bug in it is a local privilege escalation for anyone allowed to run it.
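The following Python script is added here as an example rather than taken from the slides. It serves both the file-system slide and this one: it decodes the same three facts that ls -l prints (mode string, owner, group), tests whether a file is private in the sense described earlier, and walks a directory tree for the setuid/setgid programs this slide is about. The files it inspects are constructed in a temporary directory for the demonstration and removed afterwards.

```python
"""Decode ownership and permission bits (what 'ls -l' shows) and scan a
tree for setuid/setgid programs.  Added example for this page, standard
library only; the sample files are constructed in a temp directory.
"""
import grp
import os
import pwd
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple


def describe(path: str) -> Tuple[str, str, str]:
    """Return (mode string, owner, group) for path, e.g.
    ('-rwsr-xr-x', 'root', 'root') for a setuid tool."""
    st = os.lstat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:                      # UID with no passwd entry
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return stat.filemode(st.st_mode), owner, group


def is_private(path: str) -> bool:
    """True when group and others have no access at all, the 'so restrictive
    that no one else can access it' case.  Root's override is not modelled."""
    return (os.lstat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def find_setid(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, bits) for every regular file carrying a
    setuid or setgid bit.  Each of these runs with the file owner's (or
    group's) privileges instead of the caller's, so each one is part of
    the system's attack surface and worth being able to account for."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):    # skip symlinks and the like
                continue
            bits = [label for flag, label in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                    if mode & flag]
            if bits:
                hits.append((path, ",".join(bits)))
    return sorted(hits)


def demo() -> Dict[str, object]:
    """Create a private file, a group-shared file and a fake setuid
    'program' (constructed samples), report what the helpers see, clean up."""
    d = tempfile.mkdtemp(prefix="perm-demo-")
    private, shared, suid = (os.path.join(d, n) for n in ("secret.txt", "shared.txt", "fake-suid-tool"))
    for p in (private, shared, suid):
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
    os.chmod(private, 0o600)   # rw for the owner, nothing for anyone else
    os.chmod(shared, 0o664)    # owner and group may write, others may read
    os.chmod(suid, 0o4755)     # setuid + rwxr-xr-x: the 's' in the mode string
    result = {
        "private_mode": describe(private)[0],
        "private_is_private": is_private(private),
        "shared_is_private": is_private(shared),
        "suid_mode": describe(suid)[0],
        "setid_files": [(os.path.basename(p), b) for p, b in find_setid(d)],
    }
    shutil.rmtree(d)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

Pointed at / rather than the temp directory, find_setid produces the list of set-id programs a hardening review starts from; anything on it that the package manager cannot account for deserves a closer look.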
MODERN ACCESS CONTROL
• From a security perspective, the root account represents a potential single point of failure. If it's compromised, the integrity of the whole system is violated; there is no limit to the damage an attacker can inflict.
• In the traditional model the only way to subdivide the special privileges of the root account is by writing setuid programs. Unfortunately, as the Internet's steady stream of security updates demonstrates, it's difficult to write truly secure software.
Continue
• The security model isn't strong enough for use on a network. No computer to which an unprivileged user has physical access can be trusted to accurately represent the ownerships of the processes it's running.
• Many high-security environments enforce conventions that simply can't be implemented with traditional UNIX security.
Role-based access control
• Role-based access control, commonly known as RBAC, is a theoretical model formalized in 1992 by David Ferraiolo and Rick Kuhn.
• The basic idea is to add a layer of indirection to access control calculations. Instead of permissions being assigned directly to users, they are assigned to intermediate constructs known as roles, and roles in turn are assigned to users.
• To make an access control decision, the access control library enumerates the roles of the current user and checks to see if any of those roles have the appropriate permissions.
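A minimal RBAC evaluator in the shape the slide describes, written for this page (it is not the Ferraiolo-Kuhn reference model's code nor any real RBAC library): permissions attach to roles, roles attach to users, and the access check enumerates the user's roles. It goes one step beyond the slide by adding a role hierarchy, so a senior role inherits a junior one. The users, roles and operations are invented for the example.

```python
"""Role-based access control with the indirection the slide describes:
user -> roles -> permissions, plus a small role hierarchy.  Added example;
every name below is constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]   # (operation, object class), e.g. ("restart", "service")

# Permissions are attached to roles, never to users directly.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "operator":        {("read", "logs"), ("restart", "service")},
    "senior-operator": {("stop", "service")},
    "auditor":         {("read", "logs"), ("read", "audit-trail")},
    "dba":             {("read", "db"), ("write", "db"), ("backup", "db")},
}

# Role hierarchy: a senior role inherits the permissions of its juniors.
ROLE_PARENTS: Dict[str, Set[str]] = {
    "senior-operator": {"operator"},
}

# Users are attached to roles; this is the only per-user state there is.
USER_ROLES: Dict[str, Set[str]] = {
    "alice":   {"senior-operator"},
    "dave":    {"operator"},
    "bob":     {"auditor"},
    "carol":   {"dba", "auditor"},
    "mallory": set(),
}


def effective_roles(user: str) -> FrozenSet[str]:
    """Expand the user's directly assigned roles through the hierarchy."""
    pending = set(USER_ROLES.get(user, set()))
    seen: Set[str] = set()
    while pending:
        role = pending.pop()
        if role not in seen:
            seen.add(role)
            pending |= ROLE_PARENTS.get(role, set())
    return frozenset(seen)


def is_permitted(user: str, operation: str, obj: str) -> bool:
    """The decision from the slide: enumerate the user's roles and allow if
    any of them carries (operation, obj).  Unknown users, unknown roles and
    unlisted permissions all fall through to deny."""
    return any((operation, obj) in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(user))


def users_who_can(operation: str, obj: str) -> List[str]:
    """Reverse query for least-privilege reviews: who can do this?"""
    return sorted(u for u in USER_ROLES if is_permitted(u, operation, obj))


def revoke_permission(role: str, operation: str, obj: str) -> None:
    """Changing a role changes every user holding it, which is the point of
    the indirection: no per-user edits when a duty moves elsewhere."""
    ROLE_PERMISSIONS.get(role, set()).discard((operation, obj))


if __name__ == "__main__":
    print("alice may stop service:", is_permitted("alice", "stop", "service"))
    print("dave may stop service: ", is_permitted("dave", "stop", "service"))
    print("who can read logs:     ", users_who_can("read", "logs"))
```

The reverse query is the part of such a model that pays for itself: answering "who can write the database?" is a sorted() over users when permissions live on roles, and a search through every user's individual grants when they do not.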
PAM: Pluggable Authentication Modules
• PAM is an authentication technology rather than an access control technology, i.e., rather than addressing the question "Does user X have permission to perform operation Y?", it helps answer the precursor question "How do I know this is really user X?"
Continue
• In the past, user passwords were checked against the /etc/shadow file at login time so that an appropriate UID could be set for the user's shell or window system.
• In the modern world of networks, cryptography and biometric identification devices, a more flexible and open system is required.
Continue
• PAM is a wrapper for a variety of method-specific authentication libraries. Administrators specify the authentication methods they want the system to use, along with the appropriate contexts for each one. Programs that want to authenticate a user simply call the PAM system rather than implementing their own forms of authentication.
Kerberos: third-party cryptographic authentication
• Kerberos deals with authentication rather than access control. But whereas PAM is an authentication framework, Kerberos is a specific authentication method.
• They're generally used together, PAM being the wrapper and Kerberos the actual implementation.
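The wrapper-plus-method relationship described on the PAM slides and here is easiest to see in how a PAM "auth" stack combines its modules. The Python below is a simplified model written for this page, not Linux-PAM's code: pam_krb5 and pam_unix are stand-in functions backed by two constructed credential stores, and the four control flags follow the classic required / requisite / sufficient / optional semantics. The KRB_THEN_LOCAL stack is the common "try Kerberos, fall back to local accounts" arrangement.

```python
"""Simplified model of a PAM 'auth' stack: the administrator lists methods
and control flags, the application just asks 'is this really user X?'.
Added example; the modules and credential stores are stand-ins.
"""
from typing import Callable, List, Tuple

Module = Callable[[str, str], bool]        # (user, password) -> authenticated?

# Constructed stores standing in for a Kerberos KDC and /etc/shadow.
KDC_PRINCIPALS = {"alice": "kerb-pass"}
LOCAL_SHADOW = {"bob": "local-pass", "alice": "stale-local-pass"}


def pam_krb5(user: str, password: str) -> bool:
    """Stand-in for pam_krb5, which would obtain a ticket from the KDC."""
    return KDC_PRINCIPALS.get(user) == password


def pam_unix(user: str, password: str) -> bool:
    """Stand-in for pam_unix, which would check the hash in /etc/shadow."""
    return LOCAL_SHADOW.get(user) == password


def pam_deny(user: str, password: str) -> bool:
    """Stand-in for pam_deny: always fails."""
    return False


def run_auth_stack(stack: List[Tuple[str, Module]], user: str, password: str) -> bool:
    """Evaluate an 'auth' stack with the classic control flags:
       required   failure makes the final answer 'no', but the remaining
                  modules still run, so a caller cannot tell which one objected
       requisite  failure ends the stack immediately
       sufficient success ends the stack with 'yes' unless a required module
                  already failed; its own failure is ignored
       optional   counts only when nothing else has decided
    A stack that ends without any decision is a denial."""
    impression = None          # None = undecided, True = positive, False = negative
    for control, module in stack:
        ok = module(user, password)
        if control == "requisite":
            if not ok:
                return False
            impression = True if impression is None else impression
        elif control == "required":
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if ok:
                return impression is not False
        elif control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return impression is True


# Try the network method first, fall back to local accounts.
KRB_THEN_LOCAL = [("sufficient", pam_krb5), ("required", pam_unix)]
# A lockout placed first wins no matter what succeeds later.
LOCKED_OUT = [("required", pam_deny), ("sufficient", pam_krb5)]


if __name__ == "__main__":
    for user, pw in (("alice", "kerb-pass"), ("bob", "local-pass"), ("bob", "kerb-pass")):
        print(f"{user:6} {pw:12} -> {run_auth_stack(KRB_THEN_LOCAL, user, pw)}")
```

Note what the fallback stack does with alice's stale local password: it is accepted, because pam_unix is consulted whenever Kerberos says no. That is the price of "sufficient then required" and the reason local accounts on Kerberised hosts still need to be locked or kept current.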
Continue
• Kerberos uses a trusted third party (a server) to perform authentication for an entire network. Rather than authenticating yourself to the machine you are using
REAL-WORLD ACCESS CONTROL
• Most sites still use the traditional root account for system administration.
• Add-on tools such as sudo go a long way toward bridging the gap between simplicity and security.
Choosing a root password
• The most important characteristic of a good password is length. The root password should be at least eight characters long, and longer is better.
• Eight is the floor set by the traditional DES-based crypt(), which silently ignores everything after the eighth character. Systems that still store DES password hashes should be switched to MD5, Blowfish or a stronger hashing scheme so that the whole password counts.
Logging in to the root account
• We can log in directly to the root account and work on the system. However, this turns out to be a bad idea.
• The disadvantage is that the log-in-as-root scenario leaves no record of who was really doing the work.
• If several people have access to the root account, you won't be able to tell who used it and when.
su: substitute user identity
• One way to access the root account is to use the su command.
• If invoked without arguments, su prompts for the root password and then starts up a root shell.
• Root privileges remain in effect until you terminate the shell by typing <Control-D> or the exit command.
Continue
• The su command can also substitute identities other than root.
• If you know someone's password, you can access that person's account directly by executing su - username. The - puts the new shell in login mode; the exact implications of login mode vary by shell, but it normally changes the number or identity of the startup files that the shell reads.
Continue
• sudo takes as its argument a command line to be executed as root.
• sudo consults the file /etc/sudoers, which lists the people who are authorized to use sudo and the commands they are allowed to run on each host.
• sudo's command logging can be subverted by tricks such as shell escapes from within an allowed program, or by sudo sh and sudo su if you allow them. Grant specific commands rather than ALL, and keep shells, editors and pagers off the list (or use sudoedit and the NOEXEC tag) so that the log really records what was done.
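A small audit of the subversion paths just listed, added here as an example and not part of sudo: it reads sudoers-style rules and flags grants that are, or trivially become, an unlogged root shell (ALL, a shell or su directly, or an interactive program with a shell escape that lacks NOEXEC). The parser understands only plain "user host = (runas) [TAG:] cmd, cmd" lines, deliberately ignoring aliases, Defaults and continuation lines, and the sample sudoers text is constructed for the demonstration.

```python
"""Flag sudoers grants that hand out a root shell or a shell escape.
Added example for this page; minimal User_Spec parser, constructed sample.
"""
import os
from typing import List, Optional, Tuple

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}
IDENTITY_SWITCH = {"su", "sudo"}
# Interactive programs that start a shell on request (vim ':!sh', less '!sh', ...)
SHELL_ESCAPE = {"vi", "vim", "view", "nano", "emacs", "ed", "less", "more", "man"}

Rule = Tuple[str, List[str], Optional[str], List[str], List[str]]

SAMPLE_SUDOERS = """\
# constructed sample for this example, not a real /etc/sudoers
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     ALL=(root) NOPASSWD: /usr/bin/vim /etc/hosts
carol   ALL=(ALL) /bin/sh, /usr/bin/su -
dave    ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
"""


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'user host = (runas) [TAG:]... cmd, cmd' line into
    (user, hosts, runas, tags, commands); None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line or "=" not in line:
        return None
    left, right = line.split("=", 1)
    who = left.split()
    user, hosts = who[0], who[1:]
    right = right.strip()
    runas = None
    if right.startswith("("):
        close = right.index(")")
        runas = right[1:close].strip()
        right = right[close + 1:].strip()
    tags: List[str] = []
    while True:                            # leading ALLCAPS: words are tags
        head, sep, rest = right.partition(":")
        head = head.strip()
        if sep and head.isupper() and " " not in head:
            tags.append(head)
            right = rest.strip()
        else:
            break
    commands = [c.strip() for c in right.split(",") if c.strip()]
    return user, hosts, runas, tags, commands


def risky_rules(sudoers_text: str) -> List[Tuple[str, str, str]]:
    """Return (user, command, reason) for every grant that defeats the log."""
    findings = []
    for line in sudoers_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, _hosts, _runas, tags, commands = parsed
        for cmd in commands:
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted: any command, so any shell"))
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in SHELLS or prog in IDENTITY_SWITCH:
                findings.append((user, cmd, "hands out a root shell directly"))
            elif prog in SHELL_ESCAPE and "NOEXEC" not in tags:
                findings.append((user, cmd, "shell escape available; add NOEXEC: or use sudoedit"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in risky_rules(SAMPLE_SUDOERS):
        print(f"{user:8} {cmd:32} {reason}")
```

Note that dave's less grant is not reported: the NOEXEC tag stops the pager from executing a shell, which is the fix the script suggests for bob. The ALL grants for root and %wheel are listed on purpose; they may well be intended, but every one of them is a place where sudo's log stops being a record of what was done.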
PSEUDO-USERS OTHER THAN ROOT
• Root is generally the only user that has special status in the kernel, but several other pseudo-users are defined by the system.
• You can identify these accounts by their low UIDs, usually less than 100.
• By convention, UIDs under 10 are system accounts, and UIDs between 10 and 100 are pseudo-users associated with specific pieces of software. These accounts exist to own files and run daemons with limited privileges; they should have locked passwords and a non-login shell.
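The Python below, added for this page and not taken from the slides, turns the last two account slides (the root password and the pseudo-users) into a check over /etc/passwd and /etc/shadow records: a second account carrying UID 0 (root is defined by the UID, not the name), a low-UID pseudo-user that still has a login shell, an empty password field, and a hash still in the 8-character DES format. The records are invented; the crypt(3) prefixes used to recognise hash schemes are the real ones.

```python
"""Audit passwd/shadow records for extra UID-0 accounts, pseudo-users with
login shells, empty passwords and DES hashes.  Added example for this
page; the sample records are constructed.
"""
from typing import Dict, List, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:26:26:PostgreSQL:/var/lib/postgresql:/bin/bash
toor:x:0:0:backup admin:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
bin:*:19700:0:99999:7:::
sys:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
postgres:!:19700:0:99999:7:::
toor::19700:0:99999:7:::
alice:abJnggxhB/yWI:19700:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# crypt(3) hash prefixes; anything 13 characters long with no prefix is DES.
HASH_PREFIXES = {
    "$1$": "md5", "$2a$": "blowfish", "$2b$": "blowfish", "$2y$": "blowfish",
    "$5$": "sha256", "$6$": "sha512", "$7$": "scrypt", "$y$": "yescrypt",
}


def hash_scheme(field: str) -> str:
    """Classify a shadow password field: empty, locked, a named scheme,
    des (only the first 8 password characters matter) or unknown."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des" if len(field) == 13 else "unknown"


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs, in passwd order."""
    shadow: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, pw = line.split(":")[:2]
            shadow[name] = pw
    findings: List[Tuple[str, str]] = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        name, _pw, uid_s, _gid, _gecos, _home, shell = fields[:7]
        uid = int(uid_s)
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 under another name: this account is root"))
        elif uid < 100 and name != "root" and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"pseudo-user with a login shell ({shell})"))
        scheme = hash_scheme(shadow.get(name, "*"))   # no shadow entry: treat as locked
        if scheme == "empty":
            findings.append((name, "empty password field: login needs no password"))
        elif scheme == "des":
            findings.append((name, "DES hash: only the first 8 password characters count"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account:10} {finding}")
```

On a real host, feed it the contents of /etc/passwd and /etc/shadow (the latter is readable only by root, which is the point of the shadow file). The toor entry is the classic backdoor shape: a harmless-looking name, UID 0, and here no password at all.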
Any questions?
• If you have any doubts, you can ask me by e-mail at bhushan.pawar@mescoepune.org or contact me on (+91)-7588318728.

Unit 5 access control,rootly powers & controlling processes

  • 1. Access Control, Rootly Powers & Controlling Processes Prepared By Prof. Bhushan Pawar www.bhushanpawar.com Prof.Bhushan Pawar www.bhushanpawar.com 1
  • 2. TRADITIONAL UNIX ACCESS CONTROL Systems design: Objects (e.g., files and processes) have owners. Owners have broad (but not necessarily unrestricted) control over their objects. You own new objects that you create. The special user account called root can act as the owner of any object. Only root can perform certain sensitive administrative operations. 2 Prof.Bhushan Pawar www.bhushanpawar.com
  • 3. File system access control In the traditional model, every file has both an owner and a group, sometimes referred to as the Group owner. The owner can set the permissions of the file. In particular, the owner can set them so restrictively that no one else can access it. Groups are traditionally defined in the /etc/group file, but these days group information is more commonly stored on an NIS or LDAP server on the network; 3 Prof.Bhushan Pawar www.bhushanpawar.com
  • 4. Continue The owner of a file gets to specify what the group owners can do with it. This scheme allows files to be shared among members of the same project. The ownerships of a file can be determined with ls -l filename. 4 Prof.Bhushan Pawar www.bhushanpawar.com
  • 5. Process ownership The owner of a process can send the process signals and can also reduce the processs scheduling priority. The root account Setuid and Setgid execution 5 Prof.Bhushan Pawar www.bhushanpawar.com
  • 6. The root account The root account is UNIXs omnipotent (i.e having unlimited power) administrative user. Its also known as the super user account, although the actual username is root. Characteristic of the root account is its UID of 0 And we cant modify the UID of it. Traditional UNIX allows the superuser (that is, any process whose effective UID is 0) to perform any valid operation on any file or process. 6 Prof.Bhushan Pawar www.bhushanpawar.com
  • 7. Continue Examples of restricted operations are Changing the root directory of a process with chroot Creating device files Setting the system clock Raising resource usage limits and process priorities Setting the systems hostname Configuring network interfaces Opening privileged network ports (those numbered below 1,024) 7 Prof.Bhushan Pawar www.bhushanpawar.com
  • 8. Setuid and Setgid execution This mechanism lets developers and administrators set up structured ways for unprivileged users to perform privileged operations. When the kernel runs an executable file that has its setuid or setgid permission bits set, it changes the effective UID or GID of the resulting process to the UID or GID of the file containing the program image rather than the UID and GID of the user that ran the command. 8 Prof.Bhushan Pawar www.bhushanpawar.com
  • 9. MODERN ACCESS CONTROL From a security perspective, the root account represents a potential single point of failure. If its compromised, the integrity of the whole system is violated. There is no limit to the damage an attacker can inflict. The only way to subdivide the special privileges of the root account is by writing setuid programs. Unfortunately, as the Internets steady stream of security updates demonstrates, its difficult to write truly secure software. 9 Prof.Bhushan Pawar www.bhushanpawar.com
  • 10. Continue The security model isnt strong enough for use on a network. No computer to which an unprivileged user has physical access can be trusted to accurately represent the ownerships of the processes its running. Many high-security environments enforce conventions that simply cant be implemented with traditional UNIX security. 10 Prof.Bhushan Pawar www.bhushanpawar.com
  • 11. Role-based access control Role-based access control, sometimes known as RBAC, is a theoretical model formalized in 1992 by David Ferraiolo and Rick Kuhn. The basic idea is to add a layer of indirection to access control calculations. Instead of permissions being assigned directly to users, they are assigned to intermediate constructs known as roles, and roles in turn are assigned to users. To make an access control decision, the access control library enumerates the roles of the current user and checks to see if any of those roles have the appropriate permissions. Prof.Bhushan Pawar www.bhushanpawar.com 11
PAM: Pluggable Authentication Modules
PAM is an authentication technology rather than an access control technology. That is, rather than addressing the question "Does user X have permission to perform operation Y?", it helps answer the precursor question "How do I know this is really user X?"
Continue
In the past, user passwords were checked against the /etc/shadow file at login time so that an appropriate UID could be set for the user's shell or window system.
In today's world of networks, cryptography, and biometric identification devices, a more flexible and open system is required.
Continue
PAM is a wrapper for a variety of method-specific authentication libraries.
The administrator specifies the authentication methods the system should use, along with the appropriate context for each one (on Linux, in the per-service files under /etc/pam.d).
Programs that want to authenticate a user simply call the PAM system rather than implementing their own forms of authentication.
Kerberos: third-party cryptographic authentication
Kerberos deals with authentication rather than access control. But whereas PAM is an authentication framework, Kerberos is a specific authentication method.
They are generally used together, PAM being the wrapper and Kerberos the actual implementation.
Continue
Kerberos uses a trusted third party (a server) to perform authentication for an entire network.
Rather than authenticating yourself to the machine you are using
REAL-WORLD ACCESS CONTROL
Most sites still use the traditional root account for system administration.
Add-on tools such as sudo go a long way toward bridging the gap between simplicity and security.
Choosing a root password
The most important characteristic of a good password is length. The root password should be at least eight characters long; treat that as a floor, not a target.
On systems that still hash passwords with the traditional DES-based crypt, only the first eight characters are significant. Use MD5- or Blowfish-based password hashing instead, so that the extra length actually counts.
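The following is an added example, not code from the slides: it identifies which crypt(3) scheme each shadow entry uses from the "$id$" prefix of the hash and lists the accounts still hashed with DES or MD5, which is the check behind the slide's advice. The prefixes are the documented crypt(3) identifiers (no prefix and 13 characters is the traditional DES form). The shadow lines are constructed for this example and the hash strings in them are fake.

```shell
# Added example: audit password hash schemes in shadow-format data (POSIX sh).

# hash_scheme HASH -> des | md5 | bcrypt | sha256 | sha512 | yescrypt | locked | unknown
hash_scheme() {
    case $1 in
        ''|'*'|'!'*)              echo locked ;;   # no usable password at all
        '$1$'*)                   echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;   # Blowfish-based
        '$5$'*)                   echo sha256 ;;
        '$6$'*)                   echo sha512 ;;
        '$y$'*)                   echo yescrypt ;;
        *)  # traditional DES crypt has no prefix and is exactly 13 characters
            if [ ${#1} -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# weak_hashes SHADOW_TEXT -> "user scheme" for every entry still using des or
# md5; des is the one that silently ignores everything after the 8th character
weak_hashes() {
    printf '%s\n' "$1" | while IFS=: read -r user hash rest; do
        s=$(hash_scheme "$hash")
        case $s in des|md5) printf '%s %s\n' "$user" "$s" ;; esac
    done
}

# Constructed shadow data for the demonstration; none of these hashes is real
SAMPLE_SHADOW='root:$6$Q2p7tVxl$fake.sha512.hash.for.the.example..................:19500:0:99999:7:::
legacy:abJnggxhB/yWI:19500:0:99999:7:::
ops:$1$X9c1zR4k$fake.md5.hash.here.....:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
alice:$2b$12$fakebcrypthashfortheexample.....................:19500:0:99999:7:::'

# Stand-alone run: accounts whose hash scheme undercuts a long password
weak_hashes "$SAMPLE_SHADOW"
```

On a real host run it as root against /etc/shadow; an entry reported as des means the account's effective password is its first eight characters no matter how long the password is, and re-hashing it (by setting the password again after the system's default scheme has been changed) is the fix.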
Logging in to the root account
You can log in directly to the root account and work on the system. However, this turns out to be a bad idea.
The disadvantage is that the log-in-as-root scenario leaves no record of who was really doing the work. If several people have access to the root account, you will not be able to tell who used it and when.
su: substitute user identity
Another way to access the root account is the su command.
If invoked without arguments, su prompts for the root password and then starts up a root shell.
Root privileges remain in effect until you terminate the shell by typing <Control-D> or the exit command.
Continue
The su command can also substitute identities other than root. If you know someone's password, you can access that person's account directly by executing su - username.
The - flag makes su start the new shell in login mode. The exact implications of login mode vary by shell, but it normally changes the number or identity of the startup files that the shell reads.
Continue
sudo takes as its argument a command line to be executed as root.
sudo consults the file /etc/sudoers, which lists the people who are authorized to use sudo and the commands they are allowed to run on each host.
sudo's command logging can be subverted by tricks such as shell escapes from within an allowed program, or by sudo sh and sudo su if you allow them.
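The following is an added example, not code from the slides or from the sudo project: it scans sudoers text for the rules that defeat sudo's per-command logging in the way the slide describes, namely a command list of ALL, a rule that runs a shell or su, a program with a built-in shell escape (vi is the classic case), and NOPASSWD. The sudoers content is constructed for this example; the user names and paths in it are made up.

```shell
# Added example: find sudoers rules that amount to "run anything" (POSIX sh + grep).

# Constructed sudoers for the demonstration
SAMPLE_SUDOERS='# constructed sudoers, not from any real host
Defaults        logfile=/var/log/sudo.log
Cmnd_Alias      NETWORK = /sbin/ifconfig, /sbin/route
%wheel  ALL=(ALL) ALL
alice   ALL=(root) NETWORK
bob     ALL=(root) NOPASSWD: /bin/su
carol   ALL=(root) /usr/bin/vi /etc/hosts
dave    ALL=(root) /bin/systemctl restart nginx'

# user_specs SUDOERS_TEXT -> only the user specification lines: drops comments,
# blank lines, Defaults and alias definitions
user_specs() {
    printf '%s\n' "$1" | grep -Ev \
      '^[[:space:]]*#|^[[:space:]]*$|^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)'
}

# risky_sudo_rules SUDOERS_TEXT -> user specs that grant ALL commands, NOPASSWD,
# a shell, su, or an editor/pager that can spawn a shell from inside itself
risky_sudo_rules() {
    user_specs "$1" | grep -E \
      'ALL[[:space:]]*$|NOPASSWD|/(sh|bash|su|vi|vim|less|more)[[:space:],]|/(sh|bash|su|vi|vim|less|more)$'
}

# Stand-alone run: the rules an auditor would question first
risky_sudo_rules "$SAMPLE_SUDOERS"
```

In the sample, alice's and dave's rules survive the scan because they name specific non-interactive commands; the other three each hand out a root shell in one step or one keystroke, and the sudo log will only ever show the outer command. Rules that must allow an editor can be tagged NOEXEC in sudoers to block the editor from executing further programs.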
PSEUDO-USERS OTHER THAN ROOT
Root is generally the only user that has special status in the eyes of the kernel, but several other pseudo-users are defined by the system.
You can identify these accounts by their low UIDs, usually less than 100. UIDs under 10 are system accounts, and UIDs between 10 and 100 are pseudo-users associated with specific pieces of software.
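The following is an added example, not code from the slides: it sorts accounts into the UID ranges the slide gives and, because the kernel treats any process with effective UID 0 as the superuser regardless of the account name, flags every account other than root that has UID 0. The passwd lines are constructed for this example; the "toor" entry is a planted second root account, and the UIDs of the other pseudo-users are illustrative.

```shell
# Added example: classify accounts by UID and find extra UID 0 accounts (POSIX sh + awk).

# Constructed passwd data for the demonstration
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:74:74:sshd:/run/sshd:/usr/sbin/nologin
toor:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# uid_class UID -> superuser | system | pseudo-user | regular,
# following the ranges given on the slide
uid_class() {
    if   [ "$1" -eq 0 ];   then echo superuser
    elif [ "$1" -lt 10 ];  then echo system
    elif [ "$1" -lt 100 ]; then echo pseudo-user
    else                        echo regular
    fi
}

# extra_uid0 PASSWD_TEXT -> names of accounts other than root whose UID is 0;
# each one is a full superuser under a different name
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# account_report PASSWD_TEXT -> one "name uid class" line per account
account_report() {
    printf '%s\n' "$1" | while IFS=: read -r name _pw uid rest; do
        printf '%-10s %5s %s\n' "$name" "$uid" "$(uid_class "$uid")"
    done
}

# Stand-alone run
account_report "$SAMPLE_PASSWD"
echo "extra UID 0 accounts: $(extra_uid0 "$SAMPLE_PASSWD")"
```

Run extra_uid0 over the real /etc/passwd (and over whatever NIS or LDAP directory supplies accounts) as a routine check; it should print nothing.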
Any Question???
If you have any doubt, you can ask me a question at bhushan.pawar@mescoepune.org or contact me on (+91)-7588318728