Podcast
Questions and Answers
What type of access control mechanism does UNIX use for managing file permissions?
What type of access control mechanism does UNIX use for managing file permissions?
What does the 'rwx' permission indicate for the user Zakir on his directories?
What does the 'rwx' permission indicate for the user Zakir on his directories?
What is the result when a user accesses an object in UNIX?
What is the result when a user accesses an object in UNIX?
What is indicated by the permission letters 'r--' for the user on test.py?
What is indicated by the permission letters 'r--' for the user on test.py?
Signup and view all the answers
Who can change file ownership in a UNIX system?
Who can change file ownership in a UNIX system?
Signup and view all the answers
What is the significance of UID 0 in UNIX systems?
What is the significance of UID 0 in UNIX systems?
Signup and view all the answers
Which operation can the owner of a file perform in UNIX regarding permissions?
Which operation can the owner of a file perform in UNIX regarding permissions?
Signup and view all the answers
Which of the following correctly describes access control in UNIX systems?
Which of the following correctly describes access control in UNIX systems?
Signup and view all the answers
How does UNIX handle file ownership?
How does UNIX handle file ownership?
Signup and view all the answers
What is the purpose of groups in UNIX systems?
What is the purpose of groups in UNIX systems?
Signup and view all the answers
What does the 'Read' permission allow a user to do with a file?
What does the 'Read' permission allow a user to do with a file?
Signup and view all the answers
What is a service account in UNIX?
What is a service account in UNIX?
Signup and view all the answers
In UNIX, how can a user check the users on their system?
In UNIX, how can a user check the users on their system?
Signup and view all the answers
Which statement about the least privilege principle is true?
Which statement about the least privilege principle is true?
Signup and view all the answers
What is a potential risk associated with the UNIX security model regarding root access?
What is a potential risk associated with the UNIX security model regarding root access?
Signup and view all the answers
Which statement accurately describes the shortcomings of Access Control Lists (ACLs) in UNIX?
Which statement accurately describes the shortcomings of Access Control Lists (ACLs) in UNIX?
Signup and view all the answers
What does a security descriptor in the Windows security model contain?
What does a security descriptor in the Windows security model contain?
Signup and view all the answers
What is one advantage of the Windows security model compared to the UNIX security model?
What is one advantage of the Windows security model compared to the UNIX security model?
Signup and view all the answers
How do groups function in UNIX systems regarding user permissions?
How do groups function in UNIX systems regarding user permissions?
Signup and view all the answers
What information is typically included in a process's access token in Windows?
What information is typically included in a process's access token in Windows?
Signup and view all the answers
Which of the following best describes the disparity in the management of objects between UNIX and Windows systems?
Which of the following best describes the disparity in the management of objects between UNIX and Windows systems?
Signup and view all the answers
What is a major limitation of UNIX's file ownership and permission system?
What is a major limitation of UNIX's file ownership and permission system?
Signup and view all the answers
Study Notes
Access Control Example 1
- Drew who is a member of cs155-tas has access to the "homework" directory, as Drew's group "cs155-tas" has rwx (read, write, execute) permissions.
Access Control Example 2
- Students can access the "lectures" directory as students likely have access to the server and the lectures directory has r-x (read, execute) permissions for the "cs155-tas" group.
Access Control Lists (ACLs)
- Every object has an ACL, which defines what operations subjects can perform.
- Each access to an object is checked against the object's ACL.
Role Based Access Control (RBAC)
- Access control matrices can become complex as the number of subjects, objects, and operations increase.
- Users should only be able to access the data and resources needed to perform authorized tasks (least privilege principle).
Security Policies
- Subjects (who?): Acting system principals (e.g., user, app, process)
- Objects (what?): Protected resources (e.g., memory, files, hardware devices).
- Operations (how?): How subjects operate on objects (e.g., read, delete).
UNIX Security Model
- Subjects: Users and processes.
- Objects: Files, directories, sockets, pipes, hardware devices, kernel objects, process data.
- Access Operations: Read, write, execute.
Users
- Every user has a unique user ID (UID).
- UID 0 is reserved for the "root" user, which has access to everything.
Example Users
- Users can be viewed through /etc/passwd file.
- Users can have various roles, such as service accounts for background processes or user accounts for specific humans.
Groups
- Groups are collections of users that share files and system resources.
- Every group has a group ID (GID) and name.
File Ownership
- All Linux resources are managed as files.
- Each file or directory has a single user owner and group owner.
Access Control
- Subjects have access to a file: user owner, group owner, and others.
- Permissions exist for each subject for read, write, and execute operations.
- Owner can change permissions and group.
Access Control - Pros and Cons
-
Pros:
- Simple model provides protection for most situations.
- Flexible enough to make simple systems possible.
-
Cons:
- ACLs are coarse-grained, making it difficult to handle complex enterprise scenarios.
- ACLs do not handle different applications within a single user account.
- Nearly all system operations require root access.
Windows Security Model
- Windows employs a complex system for granting access.
- Windows has flexible access control options.
- Objects have full ACLs, enabling fine-grained permissions.
- Users can belong to multiple nested groups.
Object Security Descriptors
- Windows's objects have a security descriptor.
- The security descriptor specifies who can perform what and audit rules.
- Security descriptors contain SIDs, DACLs, and SACLs.
Tokens
- Each process has a set of security tokens, which contain the process's security context.
- Impersonation tokens can be used to temporarily adopt a different context.
Access Request
- When a process tries to access an object, it presents its security tokens to the object's security descriptor.
- Access is granted based on the object's security descriptor and the process's security tokens, allowing or denying the access request.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Related Documents
Description
Explore the concepts of access control in computer security, including ACLs, RBAC, and the least privilege principle. This quiz will test your understanding of how users and resources interact within security policies. Prepare to assess your knowledge on directory permissions and security best practices.