Lecture
The basis of security in Unix-family operating systems is the system's users. Users have certain rights, they own files, and system and application processes are launched on their behalf. Moreover, the set of functions, system calls and operations that a process can perform depends on the rights of the user who started it. All users registered in the system are recorded in the /etc/passwd file. Each user of the system has a login name. However, the system distinguishes users not by name but by their associated unique user identifier, or UID (User Identifier). Each user is also a member of one or more groups. Groups are described in the /etc/group file; each group has a unique name and a unique group identifier (GID). The /etc/passwd file records the identifier of the user's primary group. Thus the UID and GID determine what rights a user has in the system. Among all users, a special position is occupied by the user with UID = 0, the so-called superuser. This user usually has the login name root, but there can be several users with UID = 0 and different names in the system. The superuser has unlimited rights and can perform any valid operation on files and processes. In addition, some system calls and operations can only be performed by the superuser. For example, the following operations are available only to the superuser: creating device files, changing the system time, raising resource usage limits, increasing process priorities, setting the network (host) name, configuring network interfaces, and stopping or rebooting the system. The administrator should take great care when working as the superuser, since careless actions can have irreversible consequences. In many systems there is also a special privileged group with GID = 0 and the name wheel. Some operations, such as executing the su command, are available only to members of this group.
In addition to the user name and identifiers, the /etc/passwd file also contains the encrypted user password, the user's home directory and the command interpreter. The password encryption algorithm depends on the specific version of the system and is a one-way algorithm. For example, the FreeBSD system uses the MD5 algorithm. It should be noted that the password is never stored anywhere in the clear. When a user logs in, the password entered is encrypted and the two encrypted values are compared. Even the superuser cannot find out the password of any user; however, the superuser can change any user's password with the passwd utility. This utility also allows ordinary users to change their own passwords. If the password file contains a '*' character instead of the encrypted password, that user will not be able to log in. If the password field is empty, the user will be able to log in by entering an empty password. Even in encrypted form, the password file presents a security risk, since passwords can be guessed, for example using a dictionary. Therefore, in many systems, passwords were moved from the /etc/passwd file to other files. For example, in FreeBSD the passwords are in the /etc/master.passwd file, and on Solaris and Linux in /etc/shadow. Both of these files are accessible only to the superuser and are not available to other users of the system, even for reading. When a user logs in, the command interpreter specified in the /etc/passwd file is launched. This is usually one of the standard command interpreters /bin/sh (Bourne shell), /bin/csh (C shell), /bin/ksh (Korn shell) or /bin/bash (Bourne Again shell), allowing the user to enter commands and run tasks. For users who do not need an interpreter, this field can specify, for example, /sbin/nologin, /nonexistent (for pseudo-users) or /bin/date (for remote users).
In general, any program can be specified in this field; what matters is that when the program finishes, the user is automatically logged out. The /etc/shells file contains the list of programs that may be used as a command interpreter.
As already noted, users in the Unix family of operating systems can own files. Note that in Unix the file subsystem provides a unified interface for accessing data located on disk drives and on peripheral devices, i.e. all devices are accessed through special device files. In Unix-family operating systems, a file has two owners: the owner-user and the owner-group. The owner-user of a newly created file is the user who created it. The owner-group of a newly created file is defined differently in different versions of the system. In BSD versions of UNIX, the owner-group is the group that owns the directory in which the file is created. In AT&T systems, the primary group of the user who created the file becomes the owner-group.
In Unix, there are three basic file access classes:
u - access class for the owner-user;
g - access class for the owner-group;
o - access class for other users.
For each class, Unix supports three types of permissions:
r - the right to read;
w - the right to write;
x - the right to execute.
The list of permissions can be obtained using the ls -l utility. For example:
-rwxrw-r-- 1 root wheel 1077 Jun 1 18:05 /usr/home/sergey/myinfo
From the above example it can be seen that for the file /usr/home/sergey/myinfo the owner-user is root, the owner-group is wheel, and the rights are rwx for the owner-user, rw- for the owner-group and r-- for other users. The first character indicates the file type: 'd' is a directory, 'c' a character (byte-oriented) device file, 'b' a block-oriented device file, 's' a socket, 'p' a named pipe, 'l' a symbolic link.
Access rights can be changed only by the owner of the file or by the superuser, using the chmod utility. Only the superuser can change the owner-user and owner-group, using the chown and chgrp utilities.
The general chmod format is as follows:
chmod {u|g|o|a}{+|-|=}{r|w|x} file1 file2 ...
The arguments are access classes ('u' is the owner-user, 'g' is the owner-group, 'o' is the rest of the users, 'a' is all classes of users), access rights ('r' is read, 'w' is write and 'x' is execute) and the operation to be performed ('+' adds, '-' removes and '=' assigns) for the file list file1, file2, etc. For example:
chmod u+w,og+r-wx text1 text2
You can also set all nine permissions at once using the numeric form of the command. The number is determined as follows: write the access rights in binary form (0 means the corresponding right is absent, 1 that it is present) and convert each triad corresponding to an access class into a decimal digit. Thus chmod 754 * is equivalent to chmod u=rwx,g=rx,o=r * (rwx = 111b = 7; r-x = 101b = 5; r-- = 100b = 4).
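The following is an added example (not from the lecture) that implements the two chmod forms described above: a parser for the symbolic form {u|g|o|a}{+|-|=}{r|w|x} applied to a mode word, and the reverse spelling of a numeric mode as the equivalent symbolic clauses. The starting modes in the usage section are constructed for illustration.

```python
# Added example: parser for the symbolic chmod form and conversion to/from the
# numeric (octal) form. Not part of any real chmod implementation.
import re

CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}   # bit offset of each access class triad
PERM_BIT = {"r": 4, "w": 2, "x": 1}      # value of each right within a triad


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply comma-separated chmod clauses such as 'u+w,og+r-wx' to the nine
    basic permission bits of `mode` and return the resulting mode."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]+)((?:[+\-=][rwx]*)+)", clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        classes = set("ugo") if "a" in m.group(1) else set(m.group(1))
        for op, perms in re.findall(r"([+\-=])([rwx]*)", m.group(2)):
            bits = sum(PERM_BIT[p] for p in perms)
            for cls in classes:
                shift = CLASS_SHIFT[cls]
                if op == "+":                       # add the listed rights
                    mode |= bits << shift
                elif op == "-":                     # remove the listed rights
                    mode &= ~(bits << shift)
                else:                               # '=' replaces the whole triad
                    mode = (mode & ~(7 << shift)) | (bits << shift)
    return mode & 0o777


def numeric_to_symbolic(mode: int) -> str:
    """Spell out an octal mode the way the lecture does: 0o754 -> 'u=rwx,g=rx,o=r'."""
    parts = []
    for cls in "ugo":
        triad = (mode >> CLASS_SHIFT[cls]) & 7
        rights = "".join(p for p in "rwx" if triad & PERM_BIT[p])
        parts.append(f"{cls}={rights}")
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed starting mode rwxr-x--x (0o751); the lecture's example
    # clauses leave u unchanged and reduce g and o to r-- each.
    print(oct(apply_symbolic(0o751, "u+w,og+r-wx")))   # 0o744
    print(numeric_to_symbolic(0o754))                    # u=rwx,g=rx,o=r
```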
The meaning of access rights differs between file types. For regular files, the operations that can be performed follow from the names of the rights themselves. For example, to view the contents of a file with the cat command, the user must have read permission (r). Editing a file, that is, changing it, requires write permission (w). Finally, in order to run a program, you must have execute permission (x). The executable file can be either a compiled program or a shell script. In the latter case, read permission is also required, because when the script is executed the command interpreter must be able to read the commands from the file. All of this, with the exception of the right to execute, also applies to other types of files: special device files, named pipes and sockets. For symbolic links, access rights are not used at all, since access is controlled by the target file (for symbolic links, the rights are always shown as lrwxrwxrwx).
For directories, the system treats access rights somewhat differently. The right to read a directory allows you to obtain the names of the files located in it (more precisely, only the names and their inode numbers). To obtain additional information about the files in a directory (for example, the detailed listing of the ls -l command), you must have execute permission for the directory. This right is also needed to access the contents of a file (for example, to read it with the cat command) and to enter the directory, i.e. make it current with the cd command. In addition, in order to make a directory current, execute permission is required for all directories on the path to it. The rights r and x act independently: the right x on a directory does not require the right r, and vice versa. Combining these two rights can achieve interesting effects, for example "dark" directories, whose files are accessible only if the user knows their names in advance, since listing the files of such a directory is prohibited. Creating, deleting and renaming files requires the w and x rights on the directory. In this case, when deleting a file, the access rights of the file itself are not taken into account; that is, if a user has the right w on the directory, he can delete a file in it even if he has no rights on that file. This behavior of the operating system can be changed with the help of special additional flags, which are discussed below.
The UNIX operating system checks the permissions for creating, opening (for reading or writing), starting to execute, or deleting a file. The following checks are performed:
1. If the operation is requested by the superuser (with UID = 0 ), access is allowed. No additional checks are made. This allows the administrator to have unlimited access to the entire file system.
2. If the operation is requested by the file owner, then access is allowed provided that the required access right is defined for the owner-user, otherwise access is denied.
3. If the operation is requested by a user who is a member of the group that owns the file, then access is allowed provided that the required access right is defined for the owner-group, otherwise access is denied.
4. If the required access right is set for other users (other), access is allowed; otherwise access is denied.
The system carries out the checks in the specified sequence. For example, if the user does not own the file but is a member of the owner-group, then access is determined solely by the rights of the owner-group; the rights specified for other users are not checked. For example:
-rwx---r-- 2 root guest 1056 Jun 1 19:13 special.info
If the user gstuser is a member of the guest group, access to the special.info file will be denied to him, although all other users who are not in this group have read access to this file. This feature allows you to single out groups of users with restricted rights.
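The four-step check above, and the special.info example, as an added illustration (not code from the lecture): the function selects exactly one triad (superuser, owner-user, owner-group, or others) and never falls through to a later one. The numeric UIDs and GIDs are constructed assumptions; only the mode, owner root and group guest come from the example.

```python
# Added example: the Unix file access check in the lecture's order.
from dataclasses import dataclass

R, W, X = 4, 2, 1                      # permission bits within a triad


@dataclass(frozen=True)
class FileInfo:
    mode: int        # nine basic permission bits, e.g. 0o704 for -rwx---r--
    uid: int         # owner-user
    gid: int         # owner-group


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset  # primary group plus supplementary groups


def access_allowed(f: FileInfo, p: Process, want: int) -> bool:
    """Return True if process p may perform the rights in `want` (a bitwise OR
    of R, W, X) on file f. Checks run in the lecture's order and stop at the
    first class that applies; the other classes' bits are never consulted."""
    if p.uid == 0:                     # 1. superuser: no further checks
        return True
    if p.uid == f.uid:                 # 2. owner-user triad
        triad = (f.mode >> 6) & 7
    elif f.gid in p.gids:              # 3. owner-group triad
        triad = (f.mode >> 3) & 7
    else:                              # 4. other users' triad
        triad = f.mode & 7
    return (triad & want) == want


# Constructed scenario: special.info is -rwx---r-- (0o704), owned by root
# (uid 0) and group guest (assumed gid 1000). gstuser (assumed uid 1001) is a
# member of guest; the outsider (assumed uid 1002) is not.
SPECIAL_INFO = FileInfo(mode=0o704, uid=0, gid=1000)
GSTUSER = Process(uid=1001, gids=frozenset({1000}))
OUTSIDER = Process(uid=1002, gids=frozenset({1002}))

if __name__ == "__main__":
    print(access_allowed(SPECIAL_INFO, GSTUSER, R))    # False: group triad is ---
    print(access_allowed(SPECIAL_INFO, OUTSIDER, R))   # True: others have r
```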
In addition to the basic access rights considered so far, there are additional rights: the SUID, SGID and sticky bits. These bits can be set or cleared using the standard chmod utility. In symbolic mode they are denoted by the letters s and t respectively, and in numeric mode SUID corresponds to 4000, SGID to 2000 and the sticky bit to 1000. When viewing access rights, these bits are shown in place of the corresponding x bits with the lowercase letters s and t. Note that in most cases using these bits without setting the corresponding x bits makes no sense (for example, setting SUID without setting the x bit for the file owner). Therefore, in that case the bits are shown in uppercase letters S and T, which indicates that they are being used incorrectly.
Consider the purpose of the additional bits. The SUID and SGID bits cause the EUID and EGID of the process to be set equal to the UID or GID of the owner-user and owner-group of the file. The sticky bit for files is considered obsolete and is practically unused in modern systems. For directories, the SGID bit sets a mode in which the group owning the directory becomes the owner-group of files created in it. This allows some Unix systems to mimic the behavior of BSD systems, for which this inheritance rule is the default. The sticky bit on a directory sets a mode in which a user can delete files from the directory only if he has the w right on those files. This overrides the default mode, in which the w and x rights on the directory itself are enough to delete files. An example of the use of this mode is the /tmp directory, which is writable by all users, but in which it is undesirable that a user be able to delete someone else's temporary files.
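As an added example (not from the lecture), the following renders a mode word the way ls -l displays it, including the SUID, SGID and sticky bits in place of the x positions, and reports the misuse case described above, where a special bit is set without its x bit and ls shows S or T. The modes in the usage section are constructed.

```python
# Added example: ls -l style rendering of a mode word with s/S and t/T handling.
import stat

SUID, SGID, STICKY = 0o4000, 0o2000, 0o1000


def mode_string(mode: int) -> str:
    """Return the 10-character ls -l field, e.g. '-rwsr-xr-x' for 0o4755."""
    types = {stat.S_IFDIR: "d", stat.S_IFCHR: "c", stat.S_IFBLK: "b",
             stat.S_IFSOCK: "s", stat.S_IFIFO: "p", stat.S_IFLNK: "l"}
    out = types.get(stat.S_IFMT(mode), "-")
    # Each triad's x position may be replaced by s (u, g) or t (o).
    for shift, special, letter in ((6, SUID, "s"), (3, SGID, "s"), (0, STICKY, "t")):
        triad = (mode >> shift) & 7
        out += "r" if triad & 4 else "-"
        out += "w" if triad & 2 else "-"
        has_x = bool(triad & 1)
        if mode & special:
            out += letter if has_x else letter.upper()   # uppercase: x bit missing
        else:
            out += "x" if has_x else "-"
    return out


def misused_special_bits(mode: int) -> list:
    """Names of special bits set without their x bit (shown as S/T by ls)."""
    issues = []
    if (mode & SUID) and not (mode & 0o100):
        issues.append("SUID")
    if (mode & SGID) and not (mode & 0o010):
        issues.append("SGID")
    if (mode & STICKY) and not (mode & 0o001):
        issues.append("sticky")
    return issues


if __name__ == "__main__":
    # Constructed modes: a SUID program, a /tmp-style directory, and a misuse.
    print(mode_string(stat.S_IFREG | 0o4755))   # -rwsr-xr-x
    print(mode_string(stat.S_IFDIR | 0o1777))   # drwxrwxrwt
    print(mode_string(0o4644), misused_special_bits(0o4644))  # -rwSr--r-- ['SUID']
```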
In addition to the access rights discussed above, some systems use additional ones. For example, BSD systems have a special schg flag which, when set, prohibits changing and deleting a file. Also, some modern versions of Unix support access control lists (ACLs).