case study: access control - department of computer ...smb/classes/f09/l08.pdf · structure of a...
TRANSCRIPT
Case Studies in Access Control
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
2 / 39
■ Joint software development
Joint Software Development
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
3 / 39
Situations
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
4 / 39
■ Small team on a single machine
■ Medium-to-large team on a LAN
■ Large, distributed team, spread among severalorganizations
Roles
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
5 / 39
■ Developer (i.e., can commit changes)
■ Tester
■ Code reviewer
Permissions
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
6 / 39
■ We want the technical mechanisms to reflectthe organizational roles
■ The real challenge: mapping theorganizational structure to OS primitives
■ Why?
Why Enforce Access Controls?
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
7 / 39
■ Protect software from outsidersreading/stealing it
■ Protect against unauthorized changes
⇒ That can include internal rivalries
■ Know who made certain changes?
Classic Unix Setup
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
8 / 39
■ Assume you just have user/group/otherpermissions, with no ACLs. How would youset things up?
■ Put all developers in a certain group
■ Make files and directories groupreadable/writable
■ Decision to turn off “other” read access issite-dependent
ACL Setup
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
9 / 39
■ Could add each developer individually
■ Bad idea — if a developer leaves or joins thegroup, many ACLs must be updated
■ Still want to use groups; vary groupmembership instead
■ Advantage: can have multiple sets of grouppermissions — why?
Reviewer/Tester Access
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
10 / 39
■ Reviewers and testers need read access
■ They do not need write access
■ No good, built-in solution on classic Unix
■ With ACLs, one group can have r/w
permissions; another can have r permissions
Medium-Size Group
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
11 / 39
■ No longer on single machine with simple filepermissions
■ More need for change-tracking
■ More formal organizational structure
Basic Structure
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
12 / 39
■ Basic permission structure should be the same
■ Again: use group permissions as thefundamental permission unit
■ Limits of non-ACL systems become morecritical
Version Control Systems
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
13 / 39
■ For medium-size projects, use of a versioncontrol system (i.e., CVS, Subversion,Mercurial, RCS, etc.) is mandatory
■ (Why?)
■ What are the permission implications of aversion control system?
Why use a VCS?
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
14 / 39
■ Auditability — who made which change?
■ When was a given change made?
■ Can you roll back to a known-clean version ofthe codebase?
■ What patches have been applied to whichversions of the system?
Note Well
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
15 / 39
■ All of those features are important just formanageability
■ Security needs are strictly greater — we haveto deal with active malfeasance as well asordinary bugs and failures
Structure of a VCS
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
16 / 39
Repository Master copy; records all changes,versions, etc.
Working copies Zero or more working copies.Developers check out a version from therepository, make changes, and commit thechanges
Permission Structure
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
17 / 39
Here are the Unix client commands for RCS, CVS,Mercurial, and Subversion. What are the securityimplications?
$ ls -l /usr/bin/ci /usr/bin/cvs \
/usr/pkg/bin/hg /usr/pkg/bin/svn
-r-xr-xr-x 1 root wheel /usr/bin/ci
-r-xr-xr-x 1 root wheel /usr/bin/cvs
-rwxr-xr-x 1 root wheel /usr/pkg/bin/hg
-rwxr-xr-x 1 root wheel /usr/pkg/bin/svn
They’re Not SetUID!
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
18 / 39
■ They execute with the permissions of theinvoker
■ They could try to do access control, but it’smeaningless — anyone else could write codeto do the same things
■ The permission structure of the repository iswhat’s important
The Repository
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
19 / 39
■ Essential feature: developers must have writepermission on the directories
■ File permissions are irrelevant; old files can berenamed and unlinked instead of beingoverwritten
■ (Potential for annoyance if new directories arecreated with the wrong permission — mustset umask properly)
■ But — what prevents a developer with writepermission on the respository from doingnasty things?
■ Nothing. . .
Large Organization
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
20 / 39
■ Use client/server model for repository access
■ Most users (including developers) have nodirect access to the VCS repository
■ Either build access control into VCS server orlayer on top of underlying OS permissions
■ But — must restrict what commands can beexecuted on repository by developers
Complications
Case Studies inAccess Control
Joint SoftwareDevelopment
Situations
Roles
PermissionsWhy Enforce AccessControls?
Classic Unix Setup
ACL Setup
Reviewer/TesterAccess
Medium-Size Group
Basic StructureVersion ControlSystems
Why use a VCS?
Note Well
Structure of a VCS
Permission Structure
They’re Not SetUID!
The Repository
Large Organization
Complications
Mailers
21 / 39
■ If you rely on OS permissions, something hasto have root privileges, to let the repositorypart of the process run as that user
■ If the VCS itself has a root component, is ittrustable?
■ If you use, say, ssh, is the commandrestriction mechanism trustable?
■ If you rely on VCS permissions, you need toimplement a reliable authentication and ACLmechanism
■ All of this is possible — but is it secure?
Mailers
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
22 / 39
Mailers
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
23 / 39
■ Issue of interest: local mail delivery andretrieval
■ Surprisingly enough, network email doesn’tadd (too much) security complexity
Issues
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
24 / 39
■ Email must be reliable
■ Users must be able to send email to any otherusers
■ The system should reliably identify the senderof each message
■ All emails should be logged
■ Locking is often necessary to prevent raceconditions when reading and writing a mailbox
■ Authentication
Accepting Mail
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
25 / 39
■ Must accept mail from users
■ Copy it, either to protected spool directory fornetwork delivery or directly to recipient’smailbox
Spool Directory
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
26 / 39
■ If the mailer is setuid, it can copy the email toa protected directory with no trouble
■ If the directory is world-writable but notworld-readable, you don’t even need setuid —add a random component to the filenames toprevent overwriting
■ (Homework submission script does this)
■ File owner is automatically set correctly, foruse in generating From: line
However. . .
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
27 / 39
■ Cannot securely write metadata for suchdirectories — others could overwrite themetadata file
■ Cannot prevent users from overwriting theirown pending email
■ Listing the mail queue still requires privilege
Local Access or Client/Server?
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
28 / 39
■ For client/server, issues are similar to VCS:authentication, root programs, restrictingactions, etc
■ For local access, must confront permissionissues
■ This is complicated by the many differentversions of Unix over the years
Client/Server
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
29 / 39
■ Standardized, (relatively) simple accessprotocols, POP and IMAP
■ For ISP or large enterprise, neither need norwant general shell-type access to mail server
■ Large system mailers have their ownauthentication database
■ Does not rely on OS permissions
■ But — a mail server bug exposes the entiremail repository
■ Also — how do users change their passwords?
Bug Containment
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
30 / 39
■ Separate programs into two sections:
◆ Small, simple section that doesauthentication and changes uid (must runas root)
◆ Large section that runs as that user
■ Major advantage: security holes in largesection don’t matter, since it has no specialprivileges
■ Much more on program structure later in thesemester
Local Mail Storage
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
31 / 39
■ Where is mail stored? Central mailboxdirectory or user’s home directory?
■ Note that mail delivery program must be ableto (a) create, and (b) write to mailboxes
■ If mailbox is in the user’s directory, maildelivery program must have root permissions
Central Mail Directory
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
32 / 39
■ We can put all mailboxes in, say, /var/mail
■ What are the permissions on it?
■ If it’s writable by group mail, deliverydaemon can create new mailboxes
■ Make mailboxes writable by group mail, andowned by the recipient?
■ Permits non-root delivery — but how do newmailboxes get created and owned by the user?
Dangers of User-Writable Mailbox
DirectoriesCase Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
33 / 39
Permissionescalation
ln -s /etc/passwd /var/mail/me
Vandalism rm /var/mail/you
Denial ofservice
touch /var/mail/does-not-exist-yet
Defending Against These Attacks
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
34 / 39
Escalation Check mailbox permissions andownership before writing (note: watch for raceconditions)
Vandalism Set “sticky bit” on directory
DoS Remove (or change ownership of) mailboxeswith wrong ownership
Note well: most of these are trickier than theyseem
Delivering Mail to a Program
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
35 / 39
■ Most mail systems permit delivery of email toa program
■ Must execute that program as the appropriateuser
■ (Who is the “appropriate” user? Note that onSolaris, you may (depending on systemconfiguration) be able to give away files)
■ Implies the need for root privileges by thelocal delivery program
Privileged Programs
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
36 / 39
■ What must be privileged?
■ What privileges?
■ Local delivery needs some privileges,frequently root
■ Delivery to a program always requires root
■ The mail reader?
Privileged Mail Readers
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
37 / 39
■ The System V mail reader was setgid togroup mail
■ Could delete empty mailboxes
■ More importantly, could create lock files bylinking in the mailbox directory
■ But — note the danger if the mailer wasbuggy“You don’t give privileges to a whale” (about21K lines of code. . . )
Many More Subtleties
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
38 / 39
■ Writing a mailer is hard
■ I’ve barely scratched the surface of the designdecisions, even the permission-related ones
■ Complicated by varying system semantics
Why is it Hard?
Case Studies inAccess Control
Joint SoftwareDevelopment
Mailers
Mailers
Issues
Accepting Mail
Spool Directory
However. . .Local Access orClient/Server?
Client/Server
Bug Containment
Local Mail Storage
Central MailDirectory
Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram
Privileged Programs
Privileged MailReadersMany MoreSubtleties
Why is it Hard?
39 / 39
■ Mailers cross protection boundaries
■ That is, they copy data from one permissioncontext to another
■ Both can be arbitrary userids
■ Simply importing data to a userid is a loteasier
■ In addition, a lot of functionality is needed
■ Not surprisingly, mailers have a very poorsecurity record