O.S security Ge Zhang Karlstad University. Outline Why O.S. security is important? Security schemes in Unix/Linux system Security schemes in windows system.

Presentation transcript:

O.S security Ge Zhang Karlstad University

Outline
– Why O.S. security is important?
– Security schemes in Unix/Linux system
– Security schemes in Windows system

Why O.S. security is important?
– Application security can be bypassed from a lower layer
– Hardware layer is too narrow and inflexible
– Application layer is too broad
Layers:
– Hardware: memory, CPU, HD, etc.
– Operating system: Linux SUSE
– Applications: MySQL, Apache, OpenOffice, Firefox, etc.

Security schemes in Unix/Linux
Account security
  – User authentication
File system security
  – File access control
Management issues
  – Audit log
  – Environment variables
  – Manage the superuser

Account security (1)
User accounts (/etc/passwd)
  – User name: a string up to 8 characters
  – User identities (UIDs) and group identities (GIDs) [superuser (root, UID=0)]
  – Unix does not distinguish between users with the same UID!!!!
  – Home directory
  – Shell
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
jim:x:500:100:Jim Smith:/home/jim:/bin/bash

Account security (2)
Shadow file (/etc/shadow) (only readable to the users with root privilege)
  – User name
  – Password (algorithm, salt, hashed password)
      *: login is disabled
      Empty: no password is required
  – Last password change
  – Minimum: the number of days left before the user is allowed to change his/her password
  – Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password)
root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7:::
bin:*:10933:0:99999:7:::
jim::10933:0:99999:7:::

Account security (3)
root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7:::
bin:*:10933:0:99999:7:::
jim::10933:0:99999:7:::
[Figure: salt and password (plaintext) go into a one-way function, which outputs the password (encrypted)]
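The two account files can be cross-checked mechanically. The following is an added example, not part of the original slides: it parses the sample /etc/passwd and /etc/shadow lines shown above and reports shared UID 0, empty passwords, disabled logins and outdated hash schemes. The "toor" account, the function names and the OUTDATED policy set are assumptions made for illustration.

```python
# Sample data: the slides' lines plus one constructed account ("toor") with UID 0.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
jim:x:500:100:Jim Smith:/home/jim:/bin/bash
toor:x:0:0:constructed:/root:/bin/bash"""
SHADOW = """root:$1$v3cNGjbW$WEvnoW8Cniswn3d:14523:0:99999:7:::
bin:*:10933:0:99999:7:::
jim::10933:0:99999:7:::"""
# crypt(3) scheme ids found between the first two '$' signs
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}
OUTDATED = {"MD5-crypt", "DES-crypt"}  # assumption: local policy rejects these

def parse_shadow_password(field):
    """Classify the password field (2nd field) of an /etc/shadow line."""
    if field == "":
        return {"state": "empty"}        # no password is required
    if field[0] in "*!":
        return {"state": "disabled"}     # '*' as on the slide; '!' marks a locked account
    if field.startswith("$") and field.count("$") >= 3:
        _, scheme, salt, digest = field.split("$", 3)
        return {"state": "hashed", "scheme": SCHEMES.get(scheme, scheme),
                "salt": salt, "hash": digest}
    return {"state": "hashed", "scheme": "DES-crypt", "salt": field[:2], "hash": field[2:]}

def audit(passwd_text, shadow_text):
    """Cross-check passwd and shadow entries; return account names per finding."""
    report = {key: [] for key in ("uid0", "empty_password", "disabled",
                                  "outdated_hash", "no_shadow_entry")}
    shadow = {}
    for line in shadow_text.splitlines():
        user, pw_field = line.split(":")[:2]
        shadow[user] = parse_shadow_password(pw_field)
    for line in passwd_text.splitlines():
        name, _placeholder, uid = line.split(":")[:3]
        entry = shadow.get(name)
        if int(uid) == 0:
            report["uid0"].append(name)  # every name listed here has root's power
        if entry is None:
            report["no_shadow_entry"].append(name)
        elif entry["state"] == "empty":
            report["empty_password"].append(name)
        elif entry["state"] == "disabled":
            report["disabled"].append(name)
        elif entry["scheme"] in OUTDATED:
            report["outdated_hash"].append(name)
    return report

if __name__ == "__main__":
    print(audit(PASSWD, SHADOW))
```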

Account security (4)
Groups
  – Users belong to one or more groups
  – To share files or other resources with a small number of users
  – Ease of user management (give privilege)
Group file (/etc/group)
  – Group name
  – Password
  – Group ID (GID)
  – Group list: members
student:x:24:alice,bob,raj
teacher:x:12:raj,nick

File system (1)
The inode: each file entry in a directory is a pointer to a data structure
  – mode: types of file and access rights
  – uid: who is the owner
  – gid: group which owns the file
  – atime: access time
  – mtime: modification time
  – itime: inode alteration time
  – block count: size of file
  – physical location

File system (2)
  – The type of the file: ‘-’ for regular file, ‘d’ for directory
  – File permissions
  – Link counter
  – Name of the owner and the group
-rw-r--r-- 1 nick staff 1617 Oct 28 11:01 test.txt
drwx nick staff 512 Oct 25 17:55 tmp/

File system (3)
Owner (r, w, x), group (r, w, x), other (r, w, x)
Two ways to represent
  – String: rwxr--r--
  – Octal number: 744
Default permissions: 666 or 777
umask: a three-digit number specifying the rights that should be withheld
  – Default permissions AND NOT umask
  – For example: umask 777 (denies all)

File system (4)
Permission for directories
  – Read: find which files are in the directory (e.g., ls)
  – Write: add files or remove files
  – Execute: enter the directory and open files inside the directory (even for your own files)

File system (5)
“a real pain if you try and install a permanent file in someone’s directory.”
Sticky bit: restricts the right to delete a file. Only the file's owner, the directory's owner, or root can rename or delete files.
drwxrwxrwx 4 root sys 485 Nov 10 06:01 /tmp
drwxrwxrwt 4 root sys 485 Nov 10 06:01 /tmp

File system (6)
Unix requires higher privilege temporarily to execute some operations
  – Change password
  – Open a port (0-123)
SUID (set userID), SGID (set groupID)
A user who is executing this program will get the privilege of the owner temporarily
-rws--x--x 3 root root Nov passwd*

Processes
Each process has a process ID (PID)
Two pairs of UID/GID for each process
  – A real UID/GID
  – An effective UID/GID
The login process:
process       Real UID  Effective UID  Real GID  Effective GID
/bin/login    root      root           system    system
/bin/login    nick      nick           staff     staff
/bin/bash     nick      nick           staff     staff
/bin/ls       nick      nick           staff     staff
/bin/passwd   nick      root           staff     root

File system (7)
To change the attributes
chmod
  – who: u, g, o, a
  – Permission: r, w, x, s, t
  – chmod 777 file
  – chmod o+r file
chown
chgrp

File system (8)
How to set? Need a fourth number
  – 4??? set user ID on execution
  – 2??? set group ID on execution
  – 1??? set sticky bit
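The octal and string notations, the umask rule (default permissions AND NOT umask) and the fourth digit for SUID, SGID and the sticky bit fit in one small converter. This is an added example, not part of the original slides; the function names are made up for illustration, and it generalizes the slides' 744 case to four-digit modes.

```python
SPECIAL = (0o4000, 0o2000, 0o1000)   # set-user-ID, set-group-ID, sticky bit


def mode_string(mode):
    """Render an octal mode the way ls prints it, including s/S and t/T."""
    out = []
    for shift, flag, char in zip((6, 3, 0), SPECIAL, "sst"):
        bits = (mode >> shift) & 0o7
        r = "r" if bits & 4 else "-"
        w = "w" if bits & 2 else "-"
        if mode & flag:
            # lower case: special bit and execute; upper case: special bit only
            x = char if bits & 1 else char.upper()
        else:
            x = "x" if bits & 1 else "-"
        out.append(r + w + x)
    return "".join(out)


def string_to_mode(text):
    """Inverse of mode_string for a 9-character permission string."""
    if len(text) != 9:
        raise ValueError("expected 9 characters, e.g. rwxr--r--")
    mode = 0
    for i, ch in enumerate(text):
        bit = 0o400 >> i
        if ch in "rwx":
            mode |= bit
        elif ch in "st":
            mode |= bit | SPECIAL[i // 3]
        elif ch in "ST":
            mode |= SPECIAL[i // 3]
        elif ch != "-":
            raise ValueError("unexpected character: " + ch)
    return mode


def apply_umask(default, umask):
    """Default permissions AND NOT umask."""
    return default & ~umask & 0o777


if __name__ == "__main__":
    for m in (0o744, 0o1777, 0o4711, apply_umask(0o666, 0o022)):
        print(format(m, "04o"), mode_string(m))
```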

File system (9)
How to remove a file in a secure way?
Links
  – You removed the original file from its directory, but…
  – ncheck: list all links to a file
Furthermore, the file is not really deleted!
  – Use wipe
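The point about links can be reproduced in a scratch directory. This is an added example, not part of the original slides: find_links is a hypothetical helper that does what the slide attributes to ncheck (list every name that points at the same inode), and demo builds a constructed file with a second hard link to show that the data stays readable after the original name is removed.

```python
import os
import tempfile


def find_links(path, search_root):
    """Return every name under search_root that refers to the same inode as path."""
    target = os.lstat(path)
    matches = []
    for dirpath, _dirs, files in os.walk(search_root):
        for name in files:
            candidate = os.path.join(dirpath, name)
            st = os.lstat(candidate)
            # Same device and same inode number means same underlying file
            if (st.st_dev, st.st_ino) == (target.st_dev, target.st_ino):
                matches.append(candidate)
    return sorted(matches)


def demo():
    """Constructed scenario: a file with a second hard link in another directory."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "other"))
        secret = os.path.join(root, "secret.txt")
        alias = os.path.join(root, "other", "alias.txt")
        with open(secret, "w") as handle:
            handle.write("top secret")
        os.link(secret, alias)                      # second name, same inode
        names = [os.path.relpath(p, root) for p in find_links(secret, root)]
        link_count = os.stat(secret).st_nlink       # the link counter shown by ls -l
        os.remove(secret)                           # removes one name only
        with open(alias) as handle:
            survived = handle.read()
        return names, link_count, survived


if __name__ == "__main__":
    print(demo())
```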

File system (9)
Protection of devices
Unix treats devices like files
Devices commonly found in /dev are:
  – /dev/console
  – /dev/mem
  – /dev/kmem
Devices should be world-unreadable and world-unwritable

Changing the root of the filesystem
Sandbox: access to objects outside the sandbox is prevented
chroot
Changes the root directory from / to when executes
For example, a web server

Search path
Shell: a command line interpreter
For ease of use: the user inputs a command without specifying the full pathname
Search path in the .profile
PATH=.:$HOME/bin:/usr:/bin:/usr/bin:/usr/local:/usr/new:/usr/hosts

Audit logs
  – /usr/adm/lastlog: records the last time a user has logged in
  – /usr/adm/utmp: records a list of users who are currently logged into a computer
  – /var/adm/wtmp: records every time a user logs in or logs out
  – /var/adm/acct: records all executed commands
  – Others: ps…

Manage the superuser
Superuser is the major weakness
Compromise the account
  – Weak password
  – Change UID to 0
  – Crash the process with root privilege
Prevention
  – Admins should not use root as their personal account (using su, sudo)
  – Strong password protection

Windows security
Separation between user mode (ring 3) and kernel mode (ring 0)
User programs make API calls to invoke operating system services
Device drivers are running in kernel mode
Security subsystem
  – Log-on process (winlogon): the authentication process (winlogon.exe)
  – Local Security Authority (LSA): verification and auditing (lsass.exe)
  – Security Account Manager (SAM): user account database

Domains
Domains: to facilitate single sign-on and centralized security administration
A domain is a collection of machines sharing a common user accounts database and security policy
DC: domain controller

User authentication: interactive logon
  – Secure attention sequence: CTRL+ALT+DEL
  – Winlogon.exe
  – Lsass.exe: verification
  – Start a shell (explorer.exe)

Local Security settings

Event viewer

Key points (1)
  – The mechanism of user authentication in Unix. Where are the user’s account and password stored?
  – Root account
  – What is salt? How to use it and why is it important?
  – What is the “group” in Unix? Why use it?
  – /etc/passwd, /etc/shadow, /etc/group
  – What are the real UID/GID and the effective UID/GID?
  – What is an inode?
  – The permissions to access a file or a directory
  – umask
  – Sticky bit, SUID, SGID

Key points (2)
  – chmod
  – How to delete a file in a secure way?
  – Protection of devices
  – Search path
  – Audit logs in Windows and Unix
  – Security subsystem in Windows
  – Why should users press CTRL+ALT+DEL to get a logon window in Windows?