case study: access control - department of computer ...smb/classes/f09/l08.pdf · structure of a...

1 / 39

Case Study: Access control

Case Studies in Access Control

Case Studies inAccess Control

Joint SoftwareDevelopment

Mailers

2 / 39

■ Joint software development

■ Mail

Joint Software Development



Situations

Roles

PermissionsWhy Enforce AccessControls?

Classic Unix Setup

ACL Setup

Reviewer/TesterAccess

Medium-Size Group

Basic StructureVersion ControlSystems

Why use a VCS?

Note Well

Structure of a VCS

Permission Structure

They’re Not SetUID!

The Repository

Large Organization

Complications

Mailers

3 / 39

Situations



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

4 / 39

■ Small team on a single machine

■ Medium-to-large team on a LAN

■ Large, distributed team, spread among severalorganizations

Roles



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

5 / 39

■ Developer (i.e., can commit changes)

■ Tester

■ Code reviewer

Permissions



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

6 / 39

■ We want the technical mechanisms to reflectthe organizational roles

■ The real challenge: mapping theorganizational structure to OS primitives

■ Why?

Why Enforce Access Controls?



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

7 / 39

■ Protect software from outsidersreading/stealing it

■ Protect against unauthorized changes

⇒ That can include internal rivalries

■ Know who made certain changes?

Classic Unix Setup



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

8 / 39

■ Assume you just have user/group/otherpermissions, with no ACLs. How would youset things up?

■ Put all developers in a certain group

■ Make files and directories groupreadable/writable

■ Decision to turn off “other” read access issite-dependent

ACL Setup



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

9 / 39

■ Could add each developer individually

■ Bad idea — if a developer leaves or joins thegroup, many ACLs must be updated

■ Still want to use groups; vary groupmembership instead

■ Advantage: can have multiple sets of grouppermissions — why?

Reviewer/Tester Access



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

10 / 39

■ Reviewers and testers need read access

■ They do not need write access

■ No good, built-in solution on classic Unix

■ With ACLs, one group can have r/w

permissions; another can have r permissions

Medium-Size Group



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

11 / 39

■ No longer on single machine with simple filepermissions

■ More need for change-tracking

■ More formal organizational structure

Basic Structure



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

12 / 39

■ Basic permission structure should be the same

■ Again: use group permissions as thefundamental permission unit

■ Limits of non-ACL systems become morecritical

Version Control Systems



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

13 / 39

■ For medium-size projects, use of a versioncontrol system (i.e., CVS, Subversion,Mercurial, RCS, etc.) is mandatory

■ (Why?)

■ What are the permission implications of aversion control system?

Why use a VCS?



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

14 / 39

■ Auditability — who made which change?

■ When was a given change made?

■ Can you roll back to a known-clean version ofthe codebase?

■ What patches have been applied to whichversions of the system?

Note Well



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

15 / 39

■ All of those features are important just formanageability

■ Security needs are strictly greater — we haveto deal with active malfeasance as well asordinary bugs and failures

Structure of a VCS



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

16 / 39

Repository Master copy; records all changes,versions, etc.

Working copies Zero or more working copies.Developers check out a version from therepository, make changes, and commit thechanges




Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

17 / 39

Here are the Unix client commands for RCS, CVS,Mercurial, and Subversion. What are the securityimplications?

$ ls -l /usr/bin/ci /usr/bin/cvs \

/usr/pkg/bin/hg /usr/pkg/bin/svn

-r-xr-xr-x 1 root wheel /usr/bin/ci

-r-xr-xr-x 1 root wheel /usr/bin/cvs

-rwxr-xr-x 1 root wheel /usr/pkg/bin/hg

-rwxr-xr-x 1 root wheel /usr/pkg/bin/svn




Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

18 / 39

■ They execute with the permissions of theinvoker

■ They could try to do access control, but it’smeaningless — anyone else could write codeto do the same things

■ The permission structure of the repository iswhat’s important

The Repository



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

19 / 39

■ Essential feature: developers must have writepermission on the directories

■ File permissions are irrelevant; old files can berenamed and unlinked instead of beingoverwritten

■ (Potential for annoyance if new directories arecreated with the wrong permission — mustset umask properly)

■ But — what prevents a developer with writepermission on the respository from doingnasty things?

■ Nothing. . .

Large Organization



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

20 / 39

■ Use client/server model for repository access

■ Most users (including developers) have nodirect access to the VCS repository

■ Either build access control into VCS server orlayer on top of underlying OS permissions

■ But — must restrict what commands can beexecuted on repository by developers

Complications



Situations

Roles


Classic Unix Setup

ACL Setup


Medium-Size Group


Why use a VCS?

Note Well

Structure of a VCS



The Repository

Large Organization

Complications

Mailers

21 / 39

■ If you rely on OS permissions, something hasto have root privileges, to let the repositorypart of the process run as that user

■ If the VCS itself has a root component, is ittrustable?

■ If you use, say, ssh, is the commandrestriction mechanism trustable?

■ If you rely on VCS permissions, you need toimplement a reliable authentication and ACLmechanism

■ All of this is possible — but is it secure?

Mailers



Mailers

Mailers

Issues

Accepting Mail

Spool Directory

However. . .Local Access orClient/Server?

Client/Server

Bug Containment

Local Mail Storage

Central MailDirectory

Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram

Privileged Programs

Privileged MailReadersMany MoreSubtleties

Why is it Hard?

22 / 39

Mailers



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

23 / 39

■ Issue of interest: local mail delivery andretrieval

■ Surprisingly enough, network email doesn’tadd (too much) security complexity

Issues



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

24 / 39

■ Email must be reliable

■ Users must be able to send email to any otherusers

■ The system should reliably identify the senderof each message

■ All emails should be logged

■ Locking is often necessary to prevent raceconditions when reading and writing a mailbox

■ Authentication

Accepting Mail



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

25 / 39

■ Must accept mail from users

■ Copy it, either to protected spool directory fornetwork delivery or directly to recipient’smailbox

Spool Directory



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

26 / 39

■ If the mailer is setuid, it can copy the email toa protected directory with no trouble

■ If the directory is world-writable but notworld-readable, you don’t even need setuid —add a random component to the filenames toprevent overwriting

■ (Homework submission script does this)

■ File owner is automatically set correctly, foruse in generating From: line

However. . .



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

27 / 39

■ Cannot securely write metadata for suchdirectories — others could overwrite themetadata file

■ Cannot prevent users from overwriting theirown pending email

■ Listing the mail queue still requires privilege

Local Access or Client/Server?



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

28 / 39

■ For client/server, issues are similar to VCS:authentication, root programs, restrictingactions, etc

■ For local access, must confront permissionissues

■ This is complicated by the many differentversions of Unix over the years

Client/Server



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

29 / 39

■ Standardized, (relatively) simple accessprotocols, POP and IMAP

■ For ISP or large enterprise, neither need norwant general shell-type access to mail server

■ Large system mailers have their ownauthentication database

■ Does not rely on OS permissions

■ But — a mail server bug exposes the entiremail repository

■ Also — how do users change their passwords?

Bug Containment



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

30 / 39

■ Separate programs into two sections:

◆ Small, simple section that doesauthentication and changes uid (must runas root)

◆ Large section that runs as that user

■ Major advantage: security holes in largesection don’t matter, since it has no specialprivileges

■ Much more on program structure later in thesemester

Local Mail Storage



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

31 / 39

■ Where is mail stored? Central mailboxdirectory or user’s home directory?

■ Note that mail delivery program must be ableto (a) create, and (b) write to mailboxes

■ If mailbox is in the user’s directory, maildelivery program must have root permissions

Central Mail Directory



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

32 / 39

■ We can put all mailboxes in, say, /var/mail

■ What are the permissions on it?

■ If it’s writable by group mail, deliverydaemon can create new mailboxes

■ Make mailboxes writable by group mail, andowned by the recipient?

■ Permits non-root delivery — but how do newmailboxes get created and owned by the user?

Dangers of User-Writable Mailbox

DirectoriesCase Studies inAccess Control


Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

33 / 39

Permissionescalation

ln -s /etc/passwd /var/mail/me

Vandalism rm /var/mail/you

Denial ofservice

touch /var/mail/does-not-exist-yet

Defending Against These Attacks



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

34 / 39

Escalation Check mailbox permissions andownership before writing (note: watch for raceconditions)

Vandalism Set “sticky bit” on directory

DoS Remove (or change ownership of) mailboxeswith wrong ownership

Note well: most of these are trickier than theyseem

Delivering Mail to a Program



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

35 / 39

■ Most mail systems permit delivery of email toa program

■ Must execute that program as the appropriateuser

■ (Who is the “appropriate” user? Note that onSolaris, you may (depending on systemconfiguration) be able to give away files)

■ Implies the need for root privileges by thelocal delivery program

Privileged Programs



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

36 / 39

■ What must be privileged?

■ What privileges?

■ Local delivery needs some privileges,frequently root

■ Delivery to a program always requires root

■ The mail reader?

Privileged Mail Readers



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

37 / 39

■ The System V mail reader was setgid togroup mail

■ Could delete empty mailboxes

■ More importantly, could create lock files bylinking in the mailbox directory

■ But — note the danger if the mailer wasbuggy“You don’t give privileges to a whale” (about21K lines of code. . . )

Many More Subtleties



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

38 / 39

■ Writing a mailer is hard

■ I’ve barely scratched the surface of the designdecisions, even the permission-related ones

■ Complicated by varying system semantics

Why is it Hard?



Mailers

Mailers

Issues

Accepting Mail

Spool Directory


Client/Server

Bug Containment

Local Mail Storage



Privileged Programs


Why is it Hard?

39 / 39

■ Mailers cross protection boundaries

■ That is, they copy data from one permissioncontext to another

■ Both can be arbitrary userids

■ Simply importing data to a userid is a loteasier

■ In addition, a lot of functionality is needed

■ Not surprisingly, mailers have a very poorsecurity record

case study: access control - department of computer ...smb/classes/f09/l08.pdf · structure of a...

Documents