Access Control
Access Control
Four people
Three files
Can we assign creator and
groups to achieve the desired
access control
Linux ACLs
– In linux,
• type ls –l
– Shows user | group | others
– Too limited
– Allow my_test_user access via
– Users and groups ACL
• View current groups • Make file my_test_file.txt
– groups – gedit my_test_file.txt &
– Or, if any supplementary groups, then – Type something and save
» cat /etc/group
» NOTE: group no s, not groups • Show ACL
• List all users – getfacl my_test_file.txt
– cut –d: -f1 /etc/passwd • Add user
• List groups a user belongs to – setfacl –m u:my_test_user:rwx
– groups user my_test_file.txt
• make a user • Check
– sudo adduser my_test_user
– getfacl my_test_file.txt
• Add user to a group
– Check groups and groups id – Clean up
» cat /etc/group
» (see next slide for interpretation of values) • Remove group
– See the group id of the user we just added. Make a group – sudo groupdel <group_name>
with the next id (e.g., 1002)
» sudo groupadd -g group-ID my_test_group
• Check
– Check – cat /etc/group
» cat /etc/group – Is my_test_user in this group still?
– sudo usermod -G <group-name> username • Remove user
– Check
cat /etc/group
attributes:
base permissions
owner(bishop): rw-
group(sys): r--
others: ---
extended permissions enabled
specify rw- u:holly
permit -w- u:heidi, dev
permit rw- u:matt
deny -w- u:holly, g=faculty
Specify = override
Permit = add rights
Deny = delete rights if they exist
ACCESS CONTROL CHALLENGES
Challenges: ACL Modification
• Who can change access control?
– For files: creator is given own right that allows this
– For databases, there is grant privilege.
• A user with grant privilege can grant others privilege
• In databases, this is called “grant option”
Challenges: Privileged Users
• Do ACLs apply to privileged users (root)?
– Linux – super users can rwx and also modify ACL
– Solaris: If abbreviated lists are used, the root has full access. But the augmented
ACL allows root access to be denied.
– Other vendors: varies
• Privileged users might not have a need to know to the data stored in the
machine.
– Need-To-Know:
• DB admin’s role: Keep DB software up to date, keep DB running smoothly, …
• Does the DB admin need to have access to the DB data (e.g., health records)?
• Does the DB admin control who has access to the DB
– If so, the DB admin could provide themselves with access.
• In this way, Linux’s access control has a vulnerability
– Difficulties
• If the admin does not have access to the entire DB files, then the admin might not be
able to maintain the DB
• E.g., the admin does not have access to password file, but the DB upgrade needs to
change the password file format.
Challenges: Conflicts
• Deny access if any entry would deny access
– AIX: if any entry denies access, regardless or rights given
so far, access is denied
• Apply first entry matching subject
– Cisco routers: run packet through a list of access control
rules (ACL entries) in order; on a match, stop, and forward
the packet; if no matches, deny
• Note default is deny so honors principle of fail-safe defaults
Challenges: Handling Default Permissions
• Windows has an API for working with ACL, they are not accessed directly by an
application
– The application cannot read the DACL object, only get the results (that is, access allowed or
access is denied)
Windows: Search ACL
• Trustee (or subject)
– Token is used to identify the trustee
– Primary access token
• Belongs to the thread/process
– Impersonation token
• E.g., database process has a token, but when a user is accessing
data, the database should impersonate the user
– When a user is accessing the database, the database app is
accessing data on behalf of the user. The database app uses an
impersonation token
– Note that the database is always running, so the database app
cannot use the users token, as oppose to when a user starts an
app
• When a set of access (e.g., r+w) are requested, the
system examines each ACE in sequence until one of
• Thread A requests r+w the following events occurs:
access. Denied because ACE – An access-denied ACE explicitly denies any of the
requested access rights to one of the trustees listed in the
is checked before ACE 2
thread's access token.
• ACE 3 implements allow by
– One or more access-allowed ACEs for trustees listed in the
default, but this needed to
thread's access token explicitly grant all the requested
be explicitly configured access rights.
• If ACE 1 is last, then Andres – All ACEs have been checked and there is still at least one
would get access, because requested access right that has not been explicitly allowed,
once the access question is in which case, access is implicitly denied.
answered, iteration through
• Deny by default
the list is stopped
• Sequence of ACE is used to resolve conflicts
Object
DACL
• Access denied 1. Suppose Stephan is in group C
ACE 1
• Stephan 1. Can Stephan read the file?
• Read, write, 2. Suppose Stephan and in Group B
execute
1. Can Stephan Write to the file?
• Access allowed 3. Suppose Sam is in Group A and B
ACE 2 • Group A
• Write, execute 1. Can Sam Write to the file?
4. Suppose Sam is in Group A and B
• Access denied
ACE 3 • Group B
1. Can Sam Read to the file?
• Write 5. Suppose Sam is in Group B
1. Can Sam get Read+Write access to the file?
• Access allowed
ACE 4 • Group B
6. Suppose Mary is in Group C
• Read 1. Can Mary read the file?
7. Suppose Mary is in Group C
• Access allowed 1. Can Mary write to the file?
ACE 5 • everyone
• Read
Does changing the order have an impact?
Object
DACL
1. Suppose Stephan is in group C
1. Can Stephan read the file?
2. Suppose Stephan and in Group B
1. Can Stephan Write to the file?
• Access allowed 3. Suppose Sam is in Group A and B
ACE 2 • Sam
• Write, execute 1. Can Sam Write to the file?
4. Suppose Sam is in Group A and B
• Access denied
ACE 3 • Group B
1. Can Sam Read to the file?
• Write 5. Suppose Sam is in Group B
1. Can Sam get Read+Write access to the file?
• Access allowed
ACE 4 • Group B
6. Suppose Mary is in Group C
• Read 1. Can Mary read the file?
7. Suppose Mary is in Group C
• Access allowed 1. Can Mary write to the file?
ACE 5 • everyone
• Read
• Access denied
• Stephan
ACE 1
• Read, write,
execute
Windows NT ACLs
• Different sets of rights
– Basic: read, write, execute, delete, change permission, take ownership
– Generic:
• no access,
• read (read/execute),
• change (read/write/execute/delete),
• full control (all),
• special access (assign any combination of the basics)
– Access control for a directory:
• no access,
• read (read/execute files in directory),
• list,
• add,
• add and read,
• change (create, add, read, execute, write files; delete subdirectories),
• full control,
• special access
– Default is deny
Role-based Access Control (RBAC)
• Access depends on function, not identity
– Example:
• Allison, bookkeeper for Math Dept, has access to financial records.
• She leaves/changes jobs.
– Challenge: If ACLs are used, the ACL needs to be change for each file
• Betty hired as the new bookkeeper, so she now has access to those records
– Challenge: If ACLs are used, the ACL needs to be change for each file
– The role of “bookkeeper” dictates access, not the identity of the individual.
– Solution: Assign access based on role (i.e., job), not based on identify
• That is, assign access based on job not person’s user name
– RBAC
• Assign access to roles
– E.g., bookkeeper gets access to set of files
» Once this is set up, it never changes
• Assign people to roles
– When people change jobs, their role changes
• Access control is based on the user’s role and the access allowed by that role
– Automatically solves the problem of adjusting access control when people change jobs
Definitions
trans(r), actr(s), authr(s), canexec(s,t)
• Trans(r): the set of files someone can read in role r • Authr(s) is the set of all possible roles that subject s can
– trans(professor) = {grading sheets, class list, homework take
assignments, turned in homework} – Authr(John) = {student}
– trans(student) = {homework assignment, class videos, graded – Authr(Stephan) = {CTO, Professor}
homework}
– Authr(Olivia) = {student}
– trans(dean) = {homework assignment, class videos}
– Actr(Sam) = CEO
– Actr(Lisa) = tech lead in group B
– Actr(Ivan) = programmer in group A
Examples
trans(r) is the set of transactions allowed by someone in role r. Let’s consider the special case where
trans(r) = the set of files someone can read in role r
• Trans(r): the set of files someone can read in role r • Authr(s) is the set of all possible roles that subject s can take
– trans(professor) = {grading sheets, class list, homework assignments, – Authr(John) = {student}
turned in homework, to do list} – Authr(Stephan) = {CTO, Professor}
– trans(student) = {homework assignment, class videos, graded – Authr(Olivia) = {student}
homework}
– trans(dean) = {homework assignment, class videos}
– Authr(Sam) = {Tech lead in group A, programmer in group A)
– Authr(Lisa) = {tech lead in group B, programmer in group B)
– trans(CTO) = {plans for project A, plans for project B, hiring plans,
code, engineering salaries, project A status, project B status, to do list} – Authr(Ivan) = {programmer in group A)
– trans(programmer in group A) = {code set A, plans for project A}
– trans(programmer in group B) = {code set B, plans for project B} • Homework: Answer the following true or false and if false
– trans(tech lead in group A) = {code set A, plans for project A, project A explain why
status}
– Canexec(John, open homework assignment) = true/false ?
– trans(tech lead in group B) = {code set B, plans for project B, project B
status} – Canexec(Stephan, open plans for project A) = true/false ?
– trans(CEO) = {hiring place, engineering salaries, project A status, – Canexec(Olivia, open homework assignment) = true/false ?
project B status} •
– Canexec(Ivan, code set A) = true/false ?
– Canexec(Sam, status project A) = true/false ?
• actr(s) role subject s is in at the current time (now) – Canexec(Lisa, code set A) = true/false ?
– Actr(Stephan) = professor
– Actr(Olivia) = dean – Could Stephan allow student’s to get access to project plans A
– Actr(John) = student • Yes, entering into CTO role, copying project plans A to “to do list”,
changing role to prof. Copying to do list to homework assignments
– Actr(Sam) = CEO
– Actr(Lisa) = tech lead in group B
– Actr(Ivan) = programmer in group A
Separation of Duty / Privilege
• Recall risk-based analysis where we detected we could reduce risk by separating DB
administrator from Back-up Administrator
– How can we enforce this separation? DB admin and Back-up Admin often have similar resumes
– Can we have a technical security mechanism?
• Investment trader cannot also be an IT admin
– Société Générale
– Jérôme Kerviel join the middle offices working on compliance
– Promoted to junior trader
– Made trades for more than authorized, like 49 billion
– Access not updated
• (perhaps)
– Also, Jérôme knew the details of the compliance system and knew how to get around it
– Also, managers ignored the occasional violation
– We need a technical security mechanism