Case Studies in Access Control - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0%c2%a0%c2%a0/cl…Situations...

Case Studies in Access Control

Case Studies inAccess Control

Joint SoftwareDevelopment

Mailers

1 / 38

■ Joint software development■ Mail

Joint Software Development

Situations

PermissionsWhy Enforce AccessControls?

Unix Setup

Windows ACL Setup

Reviewer/TesterAccess

Medium-Size Group

Basic StructureVersion ControlSystems

Why use a VCS?

Note Well

Structure of a VCS

Permission Structure

They’re Not SetUID!

The Repository

Large Organization

Complications

Mailers

2 / 38

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

3 / 38

■ Small team on a single machine■ Medium-to-large team on a LAN■ Large, distributed team, spread among several

organizations

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

4 / 38

■ Developer (i.e., can commit changes)■ Tester■ Code reviewer

Permissions

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

5 / 38

■ We want the technical mechanisms to reflectthe organizational roles

■ The real challenge: mapping the organizationalstructure to OS primitives

■ Why?

Why Enforce Access Controls?

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

6 / 38

■ Protect software from outsidersreading/stealing it

■ Protect against unauthorized changes■ Know who made certain changes?

Unix Setup

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

7 / 38

■ Assume you just have user/group/otherpermissions, with no ACLs. How would you setthings up?

■ Put all developers in a certain group■ Make files and directories group

readable/writable■ Decision to turn off “other” read access is

site-dependent

Windows ACL Setup

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

8 / 38

■ Could add each developer individually■ Bad idea — if a developer leaves or joins the

group, many ACLs must be updated■ Still want to use groups; vary group

membership instead■ Advantage: can have multiple sets of group

permissions — why?

Reviewer/Tester Access

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

9 / 38

■ Reviewers and testers need read access■ They do not need write access■ No good, built-in solution on classic Unix■ With ACLs, one group can have r/w

permissions; another can have r permissions

Medium-Size Group

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

10 / 38

■ No longer on single machine with simple filepermissions

■ More need for change-tracking■ More formal organizational structure

Basic Structure

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

11 / 38

■ Basic permission structure should be the same■ Again: use group permissions as the

fundamental permission unit■ Limits of non-ACL systems become more

critical

Version Control Systems

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

12 / 38

■ For medium-size projects, use of a versioncontrol system (i.e., CVS, Subversion,Mercurial, RCS, etc.) is mandatory

■ (Why?)■ What are the permission implications of a

version control system?

Why use a VCS?

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

13 / 38

■ Auditability — who made which change?■ When was a given change made?■ Can you roll back to a known-clean version of

the codebase?■ What patches have been applied to which

versions of the system?

Note Well

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

14 / 38

■ All of those features are important just formanageability

■ Security needs are strictly greater — we haveto deal with active malfeasance as well asordinary bugs and failures

Structure of a VCS

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

15 / 38

Repository Master copy; records all changes,versions, etc.

Working copies Zero or more working copies.Developers check out a version from therepository, make changes, and commit thechanges

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

16 / 38

Here are the Unix client commands for RCS, CVS,Mercurial, and Subversion. What are the securityimplications?

$ ls -l /usr/bin/ci /usr/bin/cvs \

/usr/pkg/bin/hg /usr/pkg/bin/svn

-r-xr-xr-x 1 root wheel /usr/bin/ci

-r-xr-xr-x 1 root wheel /usr/bin/cvs

-rwxr-xr-x 1 root wheel /usr/pkg/bin/hg

-rwxr-xr-x 1 root wheel /usr/pkg/bin/svn

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

17 / 38

■ They execute with the permissions of theinvoker

■ They could try to do access control, but it’smeaningless — anyone else could write code todo the same things

■ The permission structure of the repository iswhat’s important

The Repository

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

18 / 38

■ Essential feature: developers must have writepermission on the directories

■ File permissions are irrelevant; old files can berenamed and unlinked instead of beingoverwritten

■ (Potential for annoyance if new directories arecreated with the wrong permission — must setumask properly)

■ But — what prevents a developer with writepermission on the respository from doing nastythings?

■ Nothing. . .

Large Organization

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

19 / 38

■ Use client/server model for repository access■ Most users (including developers) have no

direct access to the VCS repository■ Either build access control into VCS server or

layer on top of underlying OS permissions■ But — must restrict what commands can be

executed on repository by developers

Complications

Situations

Unix Setup

Windows ACL Setup

Medium-Size Group

Why use a VCS?

Note Well

Structure of a VCS

The Repository

Large Organization

Complications

Mailers

20 / 38

■ If you rely on OS permissions, something hasto have root privileges, to let the repositorypart of the process run as that user

■ If the VCS itself has a root component, is ittrustable?

■ If you use, say, ssh, is the commandrestriction mechanism trustable?

■ If you rely on VCS permissions, you need toimplement a reliable authentication and ACLmechanism

■ All of this is possible — but is it secure?

Mailers

Issues

Accepting Mail

Spool Directory

However. . .Local Access orClient/Server?

Client/Server

Bug Containment

Local Mail Storage

Central MailDirectory

Dangers ofUser-WritableMailbox DirectoriesDefending AgainstThese AttacksDelivering Mail to aProgram

Privileged Programs

Privileged MailReadersMany MoreSubtleties

Why is it Hard?

21 / 38

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

22 / 38

■ Issue of interest: local mail delivery andretrieval

■ Surprisingly enough, network email doesn’t add(too much) security complexity

Issues

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

23 / 38

■ Email must be reliable■ Users must be able to send email to any other

users■ The system should reliably identify the sender

of each message■ All emails should be logged■ Locking is often necessary to prevent race

conditions when reading and writing a mailbox■ Authentication

Accepting Mail

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

24 / 38

■ Must accept mail from users■ Copy it, either to protected spool directory for

network delivery or directly to recipient’smailbox

Spool Directory

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

25 / 38

■ If the mailer is setuid, it can copy the email toa protected directory with no trouble

■ If the directory is world-writable but notworld-readable, you don’t even need setuid —add a random component to the filenames toprevent overwriting

■ (Homework submission script does this)■ File owner is automatically set correctly, for

use in generating From: line

However. . .

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

26 / 38

■ Cannot securely write metadata for suchdirectories — others could overwrite themetadata file

■ Cannot prevent users from overwriting theirown pending email

■ Listing the mail queue still requires privilege

Local Access or Client/Server?

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

27 / 38

■ For client/server, issues are similar to VCS:authentication, root programs, restrictingactions, etc

■ For local access, must confront permissionissues

■ This is complicated by the many differentversions of Unix over the years

Client/Server

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

28 / 38

■ Standardized, (relatively) simple accessprotocols, POP and IMAP

■ For ISP or large enterprise, neither need norwant general shell-type access to mail server

■ Large system mailers have their ownauthentication database

■ Does not rely on OS permissions■ But — a mail server bug exposes the entire

mail repository■ Also — how do users change their passwords?

Bug Containment

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

29 / 38

■ Separate programs into two sections:

◆ Small, simple section that doesauthentication and changes uid (must runas root)

◆ Large section that runs as that user

■ Major advantage: security holes in largesection don’t matter, since it has no specialprivileges

■ Much more on program structure later in thesemester

Local Mail Storage

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

30 / 38

■ Where is mail stored? Central mailboxdirectory or user’s home directory?

■ Note that mail delivery program must be ableto (a) create, and (b) write to mailboxes

■ If mailbox is in the user’s directory, maildelivery program must have root permissions

Central Mail Directory

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

31 / 38

■ We can put all mailboxes in, say, /var/mail■ What are the permissions on it?■ If it’s writable by group mail, delivery daemon

can create new mailboxes■ Make mailboxes writable by group mail, and

owned by the recipient?■ Permits non-root delivery — but how do new

mailboxes get created and owned by the user?

Dangers of User-Writable Mailbox

DirectoriesCase Studies inAccess Control

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

32 / 38

Permissionescalation

ln -s /etc/passwd /var/mail/me

Vandalism rm /var/mail/you

Denial ofservice

touch /var/mail/does-not-exist-yet

Defending Against These Attacks

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

33 / 38

Escalation Check mailbox permissions andownership before writing (note: watch for raceconditions)

Vandalism Set “sticky bit” on directoryDoS Remove (or change ownership of)

mailboxes with wrong ownership

Note well: most of these are trickier than theyseem

Delivering Mail to a Program

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

34 / 38

■ Most mail systems permit delivery of email toa program

■ Must execute that program as the appropriateuser

■ (Who is the “appropriate” user? Note that onSolaris, you may (depending on systemconfiguration) be able to give away files)

■ Implies the need for root privileges by thelocal delivery program

Privileged Programs

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

35 / 38

■ What must be privileged?■ What privileges?■ Local delivery needs some privileges, frequently

■ Delivery to a program always requires root■ The mail reader?

Privileged Mail Readers

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

36 / 38

■ The System V mail reader was setgid togroup mail

■ Could delete empty mailboxes■ More importantly, could create lock files by

linking in the mailbox directory■ But — note the danger if the mailer was buggy

“You don’t give privileges to a whale” (about21K lines of code. . . )

Many More Subtleties

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

37 / 38

■ Writing a mailer is hard

■ I’ve barely scratched the surface of the designdecisions, even the permission-related ones

■ Complicated by varying system semantics

Why is it Hard?

Mailers

Issues

Accepting Mail

Spool Directory

Client/Server

Bug Containment

Local Mail Storage

Privileged Programs

Why is it Hard?

38 / 38

■ Mailers cross protection boundaries■ That is, they copy data from one permission

context to another■ Both can be arbitrary userids■ Simply importing data to a userid is a lot easier■ In addition, a lot of functionality is needed■ Not surprisingly, mailers have a very poor

security record

Case Studies in Access Control - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0%c2%a0%c2%a0/cl…Situations...

Documents

DISTRIBUTION ONLYsmb%c2%a0%c2%a0%c2%a0%c2%a0... · 2017. 5. 29. · 3-4. mum m- ” 4..mm.mm.m . we ... In nuclearweapons that areinherently one-point safe,‘nuclearsafety is dependent

Documento1 - transparencia.saltillo.gob.mxtransparencia.saltillo.gob.mx/Articulo%2028/VIII.%c2%a0%c2%a0%c2… · del IMCS, o de quienes el Comité designe, y la decisión será inapetable,

C2 04 CATALOGO.dwg C2-04 A0 2) - Ponferrada

Toward Usable Access Control for End-users: A Case Study ...smb%c2%a0%c2%a0%c2%a0... · evaluating how Facebook users utilize the available privacy controls to implement an access

Security: The Human Elementsmb%c2%a0%c2%a0%c2%a0%c2%a0… · The Human Element “Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable

Secure System Design: Corporate Encryptionsmb%C2%A0%C2%A0%C2%A0%C2%A… · We need encryption in many different places Communication keys are different than storage keys Some keys

Practical Issues with Intrusion Detectionsmb%c2%a0%c2%a0%c2%a0%c2%a0... · 2006. 11. 14. · Extrusion Detection Simple Logging Log Files Finding Compromised Hosts 3 / 42. Locations

Employment and Computers - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0... · Alcatel “merged” with Lucent; Nokia is buying the new ... remained a monopoly—and didn’t drop in price

Biometrics; Authentication as a Systems Problemsmb%c2%a0%c2%a0%… · · 2013-09-26the problmes are likely to remain difﬁcult issues for system designers? Steven M. Bellovin

Authentication - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0%c2%a0… · password as the key (Why not encrypt the password?) + This is where the 8-character limit comes from Any decent cryptosystem

Databases and the Lawsmb%c2%a0%c2%a0%c2%a0... · or more databases Steven M. Bellovin February 11, 2010 4. Scale • Vastly more data is in machine-readable form • A lot of data

Protecting the Internet Against Large-Scale Passive Monitoringsmb%c2%a0%c2%a0%c2%a0%c2%a0… · Types of Attack Passive Attacker just listens Active Attacker transmits messages; may

คู่มือสมัครเข้ารับการศึกษาskmo.moph.go.th/sites/default/files/File_patbook/%C3%A0%C2%B8%… · คู่มือสมัครเข้ารับการศึกษา

Encryp’on, Security, and Privacysmb%c2%a0%c2%a0%c2%a0%c2%a0… · Examples l Incorrectly padding a short message to match the encryp’on algorithm’s requirements has resulted

Doing History in the Internet Agesmb%c2%a0%c2%a0%c2%a0... · the Freemasons (1829), the Templars (1867), and the Ku Klux Klan (1872) Neither of these two meanings is listed in the

STAINES AP-PLANS PHDD C2-A0 HVAC MECH

Software Complexitysmb%c2%a0%c2%a0%c2%a0%c2%a0%c2%a0/tal… · Why Technologists Oppose Golden Keys • It has nothing to do with dislike of the FBI or the NSA • Technologists can

The Crypto Warssmb%c2%a0%c2%a0%c2%a0%c2%a0...The American Black Chamber The US originally did little of this, but learned rapidly during World War I (During the Civil War, the Union

Web Server-Side Securitysmb%c2%a0%c2%a0%c2%a0%c2%a0… · Most interesting web sites use server-side scripts: CGI, ASP, PHP, server-side include, etc. Each such script is a separate

Risks of Computers: What do we Do? - cs.columbia.edusmb%c2%a0%c2%a0%c2%a0... · The Bloomberg Crash ... ther traders said they depended on Bloomberg chat so heavily that they weren’t