 So morning everyone. It is currently Thursday January 21st. We're going to be continuing on with access control today and we'll be playing this recording on Monday night at 6pm for the whatever that session one. I don't remember exactly what we phrased it but if you're watching then thanks for both people you know try to I think it really helps to stay engaged with these remote lectures if you participate in the chat so I think that is very helpful so when I ask questions I think that you know is a good way to stay engaged and participate participating. So what we're talking about here is how do we model access control so we talked about this before so what we're going to do is we're going to introduce a little bit of mathematical notation here so we'll have a set of subjects in our system S and subjects are as we talked about things in the system that can act so these are things that can actually do things and take actions in our access control systems. So we originally if you recall on Tuesday brought up the notion of this student and professor system where students and professors could act because they could read homework files create homework files change ownership of homework files and then we have a set that represents all of the objects in our systems this is the set O that represents all of the assets or objects in our systems that can be acted upon so can something be both in S and O so can something be both a subject and an object and what's an example of that yeah so in our example students right a student can be acted upon because we had a professor that could kick them out of the class so a professor can act on a student and students can also so they're an object in that sense and they're also subjects because they can act great okay cool look at that you all remember what we talked about in the last class that's a step in the right direction and then we're going to have our set R of rights and these are you can think of rights as rights or privilege but basically what can the subject do to the object so let's stop here and we'll refresh where we were let me bring up our old notes here cool okay you won't be able to see it yet I got okay and then if I resume sharing you should be able to see so now can you see the emacs screen on the left yeah cool okay I was challenged to move from notability to emacs by one of the students some of those students in Wednesday or what was that yeah Wednesday's viewing so we have our same policy here right so students should only be able to read their own homework files we have the access control policy the access control rules that we've implemented here we have two students s1 and s2 we'll have two professors p1 and p2 so this would be our set subjects so things that can act in our system we have s1 s2 we have p1 and p2 do we have anything so do we have let's say homework one homework two these are our homework files do those belong in s the set s no and why not yeah because they can't act right so that's great so there's nothing that a homework file itself can do they're not uh altering or changing the access control in the system so we have uh homework one homework two what other objects do we have besides the homeworks students yeah so s1 and s2 awesome now we need to think about the rights so we have uh the rights that a and rights are specifically about what a subject can do on the object so not everything not every right will be in here as we'll see uh but let's say chown one right could be that they can change the ownership of that file um maybe another right could be a read is a clear right that we have um edit uh yeah edit or let's say read write oh shoot i am using this let me i want to save this notes this bar is right in the middle of where i want to be looking at that is not what i want there we go okay yeah so we have so we have create but create is actually kind of a special thing right now because we don't have we don't what is a we don't really have a way to create new objects yet so let's kind of just ignore that for now but we could think of maybe create being a not necessarily a right um but maybe some kind of actions right so that would be maybe an action that that they could take because it's not that we have a create on a specific thing oh uh oh yeah okay so we have owns and then we have some kind of so these would be essentially our actions creates uh so we can have something like creates uh change ownership right so these are actions that we can take that maybe of our system that will either succeed or fail based on the rules here so what we can do is think about and and what we're going to do is model the current access control rules of the system oh it's frozen okay let's stop sharing how about now good no not good still can't see it this is worse okay second time the charm it's still not showing maybe it's just taking a bit to load your screen or something that's weird i mean i don't think i've ever seen this zoom problem before let's do share screen if you optimize for video clip we'll do something different it worked better okay we can see stuff now yeah yeah stuff stuff is always good okay cool so basically we updated these sets so in our small little example we have our subjects we have our objects we have our rights owns read and write and oh action yeah we have another action called kick let's try just sharing all right i will try to sharing the one uh application although i kind of want you to be able to see both but that's all right for now how about there is that better no yeah i can see the text much better okay cool that is bizarre and frustrating okay so okay anyways we'll figure that out okay so now we need to be able to and we want to be able to understand so if i have a given system what are what is the current state of the system so let's say i went through some things where s1 creates a homework file and then uh so we went through this scenario right so now what we want to be able to do is we want to be able to understand about the system exactly what the exactly what everything what are all of the rights that all of the subjects has on all of the objects and so let's think about how that would look like and actually one of the nice things we'll do here is we'll create a table so we'll think about okay let's add something like so we have s1 s2 s1 s2 okay and then i will have s1 s2 yeah okay so can everybody see this table it's in purple i don't know if that's a great color i can also make the screen bigger if that's a problem okay cool so what we're going to do is we're essentially going to make a table so we'll have as our rows all of our subjects and now we want to know for every subject in the system what rights does it have for every object so let's say we went through s1 creates homework file h1 so you can think of s1 dot uh well when we're just kind of making this uh this thing that creates uh let's say homework one right so we have some action so s1 takes an action on the system creates a homework file h1 so what does that mean that s1 has what rights does s1 have over homework one owns any other rights yeah they can also read and write right so this would be a we'll think of it as a set so we have a set that is they own that file can read that file and write that file and let's say s2 creates a homework file homework two so does s1 have any rights on homework two nope does s1 have any rights on s1 can s1 act upon s1 at all no can s1 uh have any rights on s2 no right students can't act on other students oh and I see that I'm missing a row here p1 p2 okay great so s2 now so does s2 have any rights on homework file one nope so it'll be the empty set what about homework file two right so it'll have all of them again exactly does s2 have any rights on s1 nope because they're students great and I'm missing a let's call can kick okay now professor one does professor one have any access to homework one yeah possibly right we actually don't know it's not specified in our system but let's say that the professor can read uh let's say we don't want the professor to be able to write uh they can read and they can uh and because in this system the oh professors can't change who owns the file yeah so they just have okay great so we actually don't need a can own let's just say that a professor can read it that good that makes sense intuitive sense so professors can just read and uh there's no difference between the two now what permissions does or what rights does professor one have over subject one yeah can kick so they have the right to kick uh what about read or write or own yeah it's unclear or you could say no right because it's um those rights don't mean anything against a student right so just because there's a right doesn't mean it actually makes sense against the student uh so we'll go with can kick for now so in this example if you notice uh the rules are that the professors can kick a student from class but they actually can't change the homework files from what we have now okay p2 so p2 would be similar right there's no difference between the professors here now is there anything missing from this is there anything should uh let's say should there be a column here for p1 or p2 yeah they're not objects right nothing can act on a professor which means that we don't need a column for them so now the nice thing about this model and why this is a very interesting model is because if I asked you the question can student one write to homework file two how would you use this uh this matrix or this table to answer that question um just see the intersection yeah so see the intersection yeah great thanks so look up so homework uh subject one is the student one is the subject so we'd look at that row and then we'd look at the homework two column and we'd say nope homework uh student one does not have any rights to homework two so knowing with this model we can see exactly what everyone can do on this system so we can see who can have the has different rights on the system and so now as and the actions would then change the state of this matrix right so if I then said uh let's see we had so p1 can't change it in our system so we have this let's say the next action that gets taken is s1 uh changes ownership of of file h h1 to s2 right and we can do that because in our current model we have this rule that uh that students can change who owns a homework file cool so now and and you can think about this as a state transition right so we're actually this this matrix is transitioning so what is different now about this current state so what does our access control matrix now look like so the own read and write is going to go down to s2 and s1 won't won't have any yeah of what so yeah so s2 now on homework one will have owns read write now we actually haven't specified exactly what happens to s1's access does it lose it does it not so we'll say that ownership you can only have one and so let's say it it removes it right so now s1 has lost rights and now we can see that s1 doesn't have any access to any of the homework files on the system cool okay great so this is um and now I guess one thing I want you to think about is there any ambiguity here of who has what's rights to what objects yeah so there should be almost no ambiguity the ambiguity comes into as the what do these rights mean and what actions change the state but you could think about if we specified these actions properly we could specify owns and read and write and can kick in mathematical terms that could use this this matrix to think about okay if this subject has this right of an object then they can read the file or they can write to the file sorry the actions where it creates owns kicks but if I ask you any question if you have this matrix you can answer it by saying does you know subject two have the can kick write to subject one and you could you would use this matrix and say okay s2 and s1 nope doesn't have any rights here this is just at the empty set which means there's no rights and that's great so this can represent and we can do this for any system so if you think about any kind of system we can actually represent it in this way um let's go then back to our slides I'm sure sound let's try that and then we'll go with so here's just another example that you could look at it that's more abstract okay so can you see the screen now the slides yay okay great so so we can think about even modeling file permissions and this is where we get into more details of the unix file system we can we can model this in this way so here the things that can act on a unix system is actually not you as a user so I'll answer a question first and chat the somebody asked if we change states we need a new matrix to reflect that that was just kind of a way to look at the temporal transition of the matrix you don't have to necessarily create a new matrix but yes like that was just a way to visually show how things change so you don't necessarily need to create a new matrix essentially that matrix would be updated so the interesting thing about a unix system is that you may think so hopefully a lot of you have been into bandit you've ssh to bandit you've accessed that system you may think that in that system you are a subject because you are actually typing in commands actually let's let's uh look at this let's see okay can you all read this text please tell me that's good yeah okay and this the size is big enough that you can all see it cool okay let me see if my server's up yes okay as much as I like typing this in here okay so now I'm on a okay so now I'm on a linux machine so we think you know when I type in ls uh it's not important in there no okay so when I type in something like ls right it it seems as if I'm something that's that's making something on the system so let's go to slash temp I can make a directory called cse 365 I can look at the permissions on that directory I can see that the and we'll get into this in a second I can see that the atom d user has some permissions I can change those let's just look at um changing those looking at it then I can see that I've completely modified and change those directories I can create files and when I say I it seems very um intuitive that we're thinking about me the user but that's actually not what's happening under the hood if we look at what's actually happening and can I I want the tree there we go yeah so actually we can see that it's not even me so this is a I'm using htop which is uh looking at all of the processes that are running on my system so what's actually happening is there's a process with the process id of 1406 owned by the root user that is this sshd process this is the ssh daemon that looks for incoming um oh no I just did that how did I collapse how do I expand that um and maybe the plus sign yeah let's oh there we go it was the plus sign yeah thank you I must have done something weird so we can see that it's the ssh daemon and the way that processes work in in unix style systems including linux and other things every every process a process can have children so that spawned an sshd process so this is the thing that listens on port 22 or if you're specifying a band at the specific port it's listening it authenticates you and then when you log in it actually runs your shell which in my case is zsh and you can see I'm actually running htop within there so every command that I type in when I'm typing in ls when I'm typing in all those things it's actually not me that's doing it it's a another process that's doing it on my behalf so the point of all this is to say that on a unix style system the subject is actually a process it's not the user itself and that's um important to understanding the model the model here and how those things work uh so does that kind of make sense of this notion of the process is actually doing the thing not me cool okay and we'll go back cool so we'll imagine a system and we'll we'll start with a slightly simplified model so we have two different processes so we have p and q are different processes and um yeah so this is a so this is an indirect method I am asking so this is the whole point of your shell when you type in ls it figures out what program you want to execute and that process has an action your shell process has an action called execute which actually asks the operating system can you execute this binary for me it will try to do that if it can and it will have rules that uses the access control to understand if you can do it um and we'll have in our system files so here we're only we'll considering files we'll say a very simple model we only have two files f and g and there are actually a lot of different writes that you can have um including read write execute append and own files so we'll think of this as r w x a and o to kind of simplify things right so we have the read write the read and write that's fine so we have the privileges or writes of reading writing executing something uh appending something and owning something so we can then represent in this very simplified model we can represent let's say the in this simplified model a a system so we can have processes so these are subjects and I can have all the rights on them now the interesting thing that we'll see is a process especially in unix can act on another process so for instance I can try to kill another I can send a signal to another process one of those signals is the kill signal which tries to kill that process so I can actually interact with uh other processes on the system so this is why in the unix model uh the processes are also objects that's why they're they have rows so we can see in this model that p can read and write the file f and also owns the file f can only read the file g and can read write and execute and owns the process p and can write to process q now again what exactly it means when you can write to a process is dependent on the implementation of the system um similarly from this model process q can only append to file f so what's the uh difference between appending and writing appending is just adding content writing could be you can change it remove stuff and everything yeah so specifically you can't delete things if you only have append access so if you only have append access to the to a file you can only add additional information to the end of the file whereas um if you have uh write access you can completely change any of the contents of a file yeah so that's great so you know for things like let's say integrity especially if you think about how do you uh ensure the integrity of a log file you want your logging software uh to only have append access to a file and if that's enforced by your operating system then you can be sure that nobody can overwrite previous log entries unless of course they're able to compromise your operating system so yeah this is a important concept and that's why i like bringing it up here um q also can only read and own file g and p has read access to process p and full access basically to process q read write execute and other um so what is it or sorry other is own in this example so what is own maybe mean here and what does it kind of sort of mean in the uh um can p create q and delete q as such so uh let's see p doesn't have owner over q but it does have owner over f f right so in um in the kind of unix model if you own a file that means you can change the permissions on that file and you can specify you can also change permissions for other people as we'll see and you can maybe give other people additional access and you can also change ownership so you can give ownership of that file to somebody else so for instance p could give q ownership access over f and then at that point q could be able to change the ownership there we'll get into uh more details in a bit uh but for now i want us to think about this as a model so and specifically i want to want you to think about this in terms of your writing and operating system right so the operating system should enforce things like um should be able to enforce things like uh should be able to actually enforce these things so should be able to enforce that you can only read from a file if you have the the read access okay so somebody is a question in chat about how can you write without being able to read yeah so that's you let's say you can open a file for writing but that would truncate the file so that uh you can't read what's already in it so you can overwrite it but you can't and you could write new information to it but you can't actually read what's there does that make sense um could you explain to us what's truncate in your oh so truncate would be overwrite so basically the moment you try to open a file for writing if you only have write access it means that it erases all of that file that was there so you're starting at the first byte of the file and then you could write more information there so you know what your process knows what it has written but it can't read what was already in that file okay thank you and yes both p and q are subjects in this model subjects and objects yeah exactly but can we use the write access as an append access as in i cannot see what's written but i'll just add stuff to it yes so you you definitely you can it just depends on what your model actually implements um so i you have to we have to look at the details of the uh of what actually happens if you only have write access to a file what you can do but it definitely happens um so yeah it's uh but the the prop the key difference between append and write access is write access allows you to overwrite what is written whereas append access does not allow you to overwrite what's already there you can also with write access inject essentially anywhere in the file whereas append access is only at the end um so excuse me so the ownership will have like a master control over like over like written writes right yeah so exactly in the unix model the owner of the file controls can change the access control of that file so they can remove all access from the file and then can add access back to that file as long as they're still the owner but can they change like things like uh if someone writes something and the and the owner doesn't like it can they undo the changes uh no technically yes so they could do so uh that gets into more technical details about what happens and can two processes like simultaneously be accessing a file but technically yes like if you have read and write access you can be continually reading from that file and then changing whatever that content that you want so fundamentally you can oh thank you yeah so and then an owner can i i don't think they can explicitly well at least in the unix model every file has to have an owner but a you can change who owns a file so you could in this model p could set q as the owner and now they lose ownership so they can no longer change permissions but q is the one that can now change permissions okay and then yeah there's always exactly one owner per file yes and that is uh actually if we go back uh that's this first uh part here when we do ls-la so this tells me that this current directory which is cse 365 is owned by adam d but the parent directory dot dot is owned by root and we'll get into exactly what all these things mean we don't need to do that here we're just kind of going over a very simplified model so i want you to to be to think about this model now so with this as we said we know every subject and every object what rights they have on the system and from the from the idea of you are writing now the operating system that has to implement this access control what's the benefit of having everything in this matrix so somebody wrote in chat readability right or maybe uh comprehensiveness or no ambiguity right uh another thing for performance that's great is constant lookup so if everything we're using hash tables we could look up if we say okay p wants to access g let me look up in my my hash table look up p and then look up g and i can know exactly in constant time what access it has it can be easy to query like we like we said that's great um yeah so then then before we get to the next part let's think about what happens when if p creates a new file how does this matrix change yeah a column is added right so we'll add another column to this table and then what happens if i create another file same thing right more columns so every time we create a file we're adding an additional column to this and in order to be secure we have to specify what every subject has with that new file right so think about a modern you know operating system how big does this matrix have to be to capture all this information yeah very big right millions at least and let's think let's uh go back here okay so i have roughly 164 different processes running on this system how can i let's see this may tell me roughly how many files are on my system so i would need just right now the operating system would have to store a table of let's say 164 rows which is the and it's not number of users it's the number of processes at least let's think of that model right now so i have 176 let's see if this is ever going to finish i actually don't know how big this server is but uh let's okay let's let that run and let we'll go back to it so would that be then a drawback of this system yeah if we think about memory or storage right we have to fundamentally we have to store this matrix model somewhere and and if we're letting people have access to this and they can create as many subjects as they want they can spin up different processes so i could spin up a thousand processes and each of them if i have a million files that's now a thousand times a million new pieces of information that i've have to store in my operating system and so this is a great model in terms of how to think about access control and you can see at a glance exactly the state of everything on the system so you can ensure that everything is exactly how you want it unfortunately it basically becomes a it's untenable to actually implement in this way so if so we talked about you know benefits the drawbacks that we just talked about and so the real thing is and when getting to this so it's not a problem with the model per se but it's a problem of the implementation and this is kind of a really interesting case i like to bring up of you can have this beautiful theoretical model of something but now when you actually implement it you go oh wait that model doesn't actually fit reality how do i actually do i even have enough bytes in my memory to keep track of all that information and if i have let's say a massive system that you know eventually i think we'll create a server that there'll be roughly 600 user accounts for all the people in this class that's going to be a big system that we want to make sure that we need to uh need to keep ah there we go so this file has two million this system has two million files so for every process for every row i'd need two million additional cells right because there's two million columns in this table and you can see how that could quickly get out of hand so now the question becomes okay then what do we do right because you know we don't want to just give things up uh just give up on this model we still want the benefit of that hey we want all of this access control information this is important information so one of the ways so one thing we can do is we can try to maybe group things together let's say we can rather than having each process as its own row maybe we abstract them to users so a process belongs to a user group and then that way that can simplify things um we'll still need you know for every user group and when i add a user group i need to add a bunch of files i need to also we'll have to uh you know for all the users in the system every time i add a new file i'll have to add a new row which is going to add up to a lot of different things uh and so basically the way to think about this is what if we rather than and one of the key problems is here we have everything in one giant table that's trying to uh capture a ton of information here but what if we split this matrix up into uh different slices what if we actually looked at each column and just stored each column so this is the notion of if you've heard this term before it comes up a lot of an access control list so basically think about okay rather than think about this giant matrix let's think about for every file what processes what rights does every what rights do the subjects have and we can actually have a nice little um implementation benefit here we can say if you're not in the access control list what access do you have what would be the most secure option none yeah so if you're not in this list it's like a bouncer at a club or something right looks at the list be like sorry you're not on the list you don't get in right so this way we only have to store from the column those subjects that actually have a right to our file and you can think about it if a very big system where rights aren't being shared so much this actually can cut down a lot so in this case we'd have uh we'd split it up so that f so for file f we'd say that p has read write and and own and q has a append whereas g has process p has read access and process q has read and own access so what's the benefit here in comparison to the previous big matrix model yeah so it's simplified a little bit it's condensed it's also think about uh what happens when i add a new file or what happens if i add two files at the exact same time before if i had this big matrix what would happen if i added two files at the exact same time by two different users i need to make sure that i made the changes to the that giant matrix one at a time that i couldn't do them at the exact same time because otherwise they uh step over each other right i want to make sure that only one change is being made to that matrix at the same time now if each of these are stored separately let's say and where would i store these let's think now again about a little bit about implementation so then how would i implement something like this where would i store this information should i just add it to the start of the file so every file has uh information at the start of the file that says which process has access right so why can't it be part of the file itself let's say it's just literally this text p colon space r w zero new line q colon space a new line new line and then content of the file yeah so the key problem there is now anybody that can write to the file can change the permissions which is not what i want in my model who in my model should be able to change the permissions on the file owner only the owner right so if we say okay then who has to store this well fundamentally the operating system must have to store this information somewhere so eventually what happens is this becomes metadata on the file system about who can have what access so fundamentally needs to be stored somewhere where the operating system can ensure that a user another process can't just edit these attributes because if they can then that just becomes a massive problem uh so yeah so this is this gives us some clear benefits right we can uh delete we're sorry we can um when we create a new file all we do is add that new metadata right directly to the file we can do that you know simultaneously as many things as possible because that doesn't affect anything else uh are there any downsides to this approach oh metadata just means data about data so it's uh it is information about data so file metadata would say would be information about a file so in this case it would be what rights do the subjects in the system have on that specific file so what's the downside of this approach are there any should we just use this always so one thing we we'd need to um yeah so we need to worry about thread safety you know things happening simultaneously on a specific file that's definitely something you could think about you just can't get rid of that whole thing um that would be if you have two different things accessing or trying to change the metadata here let's think about the example of the students right the professor had the ability to kick a student out of the class and what would then happen if i kicked a student out of the class in our system not in general yeah they'd lose their permissions great thanks in the chat so they would actually lose their permissions but how do we actually how does somebody actually lose their permissions so think about in the matrix model what would i do in the matrix model here i need to either delete this or i need to make sure that every cell in this row p is empty right and maybe then can i delete that excellent now in this case what would i need to do in order to let's say revoke all of p's access ag great i have to go through every single file right i'd have to go through every file delete this row p to make sure that p has no access and i actually lost the ability now to have all of the access control information stored in one place right so if i wanted to know who has access to what on the system i now have to look at every single file on the system to understand what everybody has access to but if i only care about specific files like if f is a super important file all i have to do is look at this access control list of f and i can convince myself that if it's uh secure or not well maybe right so yeah the important thing is there's no perfect solution here it's all tradeoffs right but fundamentally with this model i can still represent everything i can represent in the matrix model because i've just taken the matrix and i've just cut off every column but fundamentally i can still store everything here does that make sense so does that uh if you let me know i'll pause for a little bit if you have questions on the tradeoffs between like the access control list versus the matrix model cool all right and of course so if we thought before hey let's split up this matrix model by cutting up the columns what would be the other idea to try there use the rows right exactly so if we said hey what if we did the columns what if we just did the rows so this is actually called capability lists so different from an access control list and you can think about the difference here an access control list is about an object so it says who has what access to this object whereas if you think about it from the row a row is a subject so it says what can this subject do on this system so that's a capability so basically we now store each row of the access model with the specific subject so p would have some metadata again associated with it again we'd want to by the same logic securely store that in the operating system that says okay process p has um file f has read write and own and and file g has read access and q has for file f a append access and for file g read and own access what about other files that aren't in this access on this capability list no access right same same principle as before we default to have no access being that way we can make sure that things are secure so what are some of the benefits now here yeah so deleting a user's permission is super easy all i have to do is delete this capability list right so removing subjects is incredibly easy um and i can also audit a user very easily i can say okay the subject what access do they have and i can see exactly all the access that each user has right but again now a problem is what if i want to say who has access to file f or yeah great example austin if i remove a file or let's say add a new file i have to then go and update all the capability list of everybody in my system so you can see that these have a very natural trade-off depending on if you're focused on subjects or you're focused on objects um another cool thing here that i'll briefly mention is that one of the cool things about capability lists is you actually you can rely on cryptography here a little bit so that the operating system itself doesn't have to store the capabilities it can create this capability list cryptographically sign it in such a way that whenever p wants to access a file f p asks the operating system hey i'd like to access file f and it goes great show me your capabilities it shows it it's encrypted blob the operating system can check that and verify that yes it indeed has access um one of the tricky things is this now allows delegation so f could possibly delegate um to file f to somebody else by giving them this encrypted token but that's uh kind of for later so yeah so we can't there's no perfect system but in each of these systems we can represent everything that the matrix can represent right any possible access control system and but we just do that in different ways that have different implementation trade-offs so access control lists vertically capability lists horizontally yeah then we can think of maybe another way of and this is more um we can think of a subject the access and the object so we can actually just split it up like this so we can think about a three three tuple so like a list with always three elements the subject the access and the object and so this would be kind of another way of thinking about this but it's definitely not as common as access control lists and capability lists so um yeah okay so we talked about this so this is again where we've talked about um a little bit about authentication so authentication is who are you so with an access control list we require that we know exactly who the subjects are so encryption is so that basically about integrity so that we know that that somebody hasn't modified the capability list yeah so it's about ensuring uh integrity there um whereas with capability lists so as long as somebody can present us the proper capabilities we actually don't care who they are so we actually don't require authentication which is pretty kind of an interesting thing um but of course we have these problems that we can't uh you know we don't want capabilities to be able to be forged so we don't want anybody to do that that's why we'll eventually get into encryption here um so the unique so modern linux systems use both believe it or not well use a combination of complicated things windows itself uses both so windows uses a bunch of different things uh we'll get into the exact way of how the main way that people are used to it is a linux machine will use and a unix machine will use a access control list so propagation is for a capability can a process give their capabilities to another process so that would be propagation can those capabilities propagate without the control of the system yeah excellent so yeah basically um this is kind of just another way of thinking about it so we have some directory with some files right access control lists break up the the access rights based on the file whereas uh capability lists are thinking about subjects so the user a specific user has different rights on that file of fila fila b but we already talked about that cool so um yeah so so one of the kind of interest another interesting thing here is this concept of least privilege which we've mentioned before so least privilege is the idea you should only have access to the things that you need to do your job and nothing more so because capability lists focus more on the subjects we can ensure that the access that they have is limited to just what they need to do their jobs um so for instance thinking about a logging service which i mentioned before it'd be very easy to see that a logging service that has the capability of only appending to a certain file that would be an easy way to verify that it has least privilege and that the logging process can't go haywire and do anything but again this is kind of a we're getting more very fine grain separation here because fundamentally you can represent anything in any form but as we saw they kind of have inherent uh tradeoffs and drawbacks other thing is we talked about even access review so if we have an access control list it's super easy to say for this file who has access whereas for capabilities it's easier to say what uh what does this subject have access to right we talked about that uh we talked about revocation so this was the notion of kicking somebody from class so how can i revoke all their access so if we're going to if we have an access control list if we want to say okay i want nobody to have access to this file well it's pretty easy we just delete the access control list and now nobody can have access to that file whereas capability lists are better for revoking a subject so if i want to optimize my system around kicking students out of class then capability lists are going to be better for that because i can just remove their capabilities ah okay yeah so this is kind of about the propagation aspect so what we talked about is we need some way to actually give capabilities so we need the operating system support which we need in an access control list if i want to say okay i want to change ownership of this file the operating system needs to update that needs to update that information whereas in a capability list i have to somehow figure out a way there we go so yeah um yeah so if i may need anyways i think this is fine uh we don't have to go into details on this now we get to the unix access control model so we can actually see how this works um okay so the normal thing so now we need to then put on our implementation hat so with an access control model with our access control model actually we'll go back here and let's go fun times back to our model okay so access control lists right so we have our access control lists now you're implementing this you want to store extra data for each file right so for file f you're going to store extra data how much data do you need to store how much space do you need to store the access control list yeah you need space proportional it's dynamic right it depends on how many subjects and how much subjects have access right so we don't have to store access to uh we don't have to store information for subjects that have no access but let's say your system by default has read access to all files so therefore i need to be able to expand to an infinite number of subjects now this is clearly a major limiting problem especially if you think of linux was created in unix systems were created back in the day where there wasn't unlimited space on file systems so in order to get around that they've actually have simplified this model in such a way that it reduces the amount of information that they have to store so fundamentally it actually uses only 12 bits per file and it's logically grouped into four sets of three bits so the um and this is when you type in ls-la you'll see something kind of looks like this we'll get into it a little bit um i will yeah let's i'm gonna show an example okay because i think it's much better to learn through examples okay okay so when i type in ls-la i don't actually see 12 outputs i see one two three four five six seven eight nine so i see nine bits we'll see that it actually has at least the 12 bits of information if not more uh one interesting thing so the first one is d so if it's directory or not so if i create a new file uh called testing i'll see that testing the testing file which has zero bytes so just walk through this so this first bit is uh if it's a directory or regular file and probably other information as well uh then the next three bits are important the access control bits that we talked about uh this i actually don't know what this is uh that's interesting uh the next one is the number the who is the user that owns the file the second one is who's the group that owns the file then the size and then the last date that it was changed and then the name so the important concept in unix is um permissions are organized around what permission does the owner of the file have what permissions does the group of the file have and what permissions does anyone else have on the system that is not in there so that's why you have this adam d and adam d and if you run the id command it will tell you okay your user id is user id 1000 which is the name text name adam d and your group id is 1000 which is the text name adam d and i'm a member of all of these groups on my system and this allows you to do things like only members of your group have access to a certain file uh etc so for instance well anyways we won't get into talk to docker uh so the way these permissions work is so this file testing is read write no execute read write no execute and read so this means that the user of this file can read it read on a file is very simple it literally just means read write means write just like we talked about the next bit is execute so can we execute this file so this is why if i do dot slash testing it will say permission denied so it's telling me permission denied because i don't have permissions to execute this file it's not failing because it's an empty file it's failing because i don't have the permission to execute this file the number is the so Nathan thank you put in the chat the number in the is the link count the number of places the file of directors use okay so that has to do with like hard links and stuff like that so we actually already went over this if i wanted to make this executable for me just the owner i can use chmod and there's two different types of syntax so when we do when i did like seven seven seven testing this is literally me setting so this is octal in those bits so this is octal so seven seven seven is nine all ones right in terms of binary so this means that in this example all of these bits will be one so this means that the and we'll let's look at ls slash la testing and we'll look at this so we can see that it is now readable writeable executable by the owner readable writeable executable by the group and readable writeable executable by anyone else and now if i try executing this that is shocking and it doesn't even give an error uh fascinating okay i have absolutely no idea why this actually executes even though it's literally an empty file uh let's there we go okay that's yeah that definitely shouldn't work so seven seven seven is octal again this is octal to set the bits i can also uh and i kind of have done this enough so this would be six six six would be non-executable is that right yeah so it's just readable writeable uh six six four was the original so that's uh readable writeable not executable readable writeable not executable and just readable so if i tried executing that it will of course tell me permission denied because i cannot edit it so or because i cannot execute it great you can also do something else with chmod you can say okay i want the owner so the owner i want to add plus the execute permissions now if i look at it i should see oh of course i messed that up uh um the i messed that up because oh it actually stands for other not owner i think i always messed that up so i can do that again by oh dash oh minus x so to subtract that uh what is actually owner a u is for user thank you very much okay great so i can just add change this bit by saying i want the user to be executable um and now i can execute it and now i can it'll let me execute it but of course it will fail uh do y'all want to see me being another user too let's do that okay so now i'm running basically screen to have two screens i'll be root in the other one okay of course that uh will not work so now i've changed myself to the nobody user so i am nobody um and i'm in this directory and if i execute testing it'll say permission denied so why is it saying permission denied yeah the other group doesn't have permission right so i can't execute this uh can i read the file so let's cat testing yeah so i can read the file now if i go over here back as my user and i do chmod other minus r testing i'll see that hopefully nobody can read that file so then i should see permission denied let's see can i change permissions as the nobody user so it says operations not permitted because i can't do that right cool and so so i can even remove uh let's see i i always love just typing in random commands that people suggest so what happens if i get rid of all permissions right we can see that there's no permissions here so now i even as the owner can't execute it can i cat read that file nope and right so i can't even the owner of that file can't do that but i can give myself access again so six zero zero is read right so now i can read the file of course there is a usually there's always some kind of uh so now i'm the root user so i'm the administrator of this system and the administrator the system is allowed to do anything so i can read this file uh there's actually ways that you can reduce the capabilities of root so that root can't do everything but in this case i can read so see yeah because i don't own this i can't do it but let's see uh yeah so root root can change the files they can also change the owner um yeah let's see i can change the owner so the syntax here is okay so the syntax here is um ch own nobody nobody and so now oh nobody that's strange i don't know why i can't do that root definitely should be able to uh must be something about changing ownerships or something um yeah i'd have to dig into this to figure out exactly why that's not happening the way i thought it would but now the tables have turned so even though that user created that file we can't actually do it but now nobody can and now let's put it back okay cool there's some other special bits so we said there's 12 bits we've only looked at the three bits we've looked at uh read write execute for the files owner for the user read write execute for the group and read write execute for all users so everyone else on the system but there's actually three other important bits so and again the question is how do i how does it actually know who i am right again it doesn't know that it's me it's not looking through facial recognition to look at adam d what it's doing is um what it's doing is yeah okay great bash root yeah so what it's doing is looking the operating system stores for every process on the system who's the owner who is the um what user id is that associated with so the bash where i'm running is user id nobody group nobody the adam d one is adam d and the root one is owned by root and that's what it's using to detect those things okay uh very briefly these other um file permissions are actually important so again when i want to uh let's see so the edc password file is actually a super important file on the system it has all of the user accounts so it has the user account it used to have the password go in the second field it has your user id's and uh your username any comment your home directory and your shell so if a user could edit this if you could edit this file edc password then you could update your user id to be zero which would mean you're the root user you could change the password for other people and change their password you could basically do anything but we can see that its edc password file is only uh is only readable it's owned by root group root and only root can write to this file so this please don't work uh yeah so i can't write to that file as a user but if i go do csh which is change cell oh i don't even know my password on the system uh maybe it's that nope ah there we go okay so let's say i want to change my password to bin sh i do that but then cat edc password i look at the user adam d suddenly this seems like i violated all the rules that we talked about i just changed a bin slash s i just changed this edc password file but only root can change this file right have i just severely hacked this system am i the owner of this system and i know we're at time but i'm gonna i'm gonna keep going because i want to uh finish this out real quick so how does that happen so let's look uh the command i ran was csh if you ever want to know exactly where a thing is located do which and then that command it'll it'll tell you the path to the binary so i can see lss la user bin csh and now i see something we haven't seen before i see that it's it's a regular file it's readable writeable and a lowercase s here instead of an x readable uh no writeable executable readable no writeable executable owned by root what this means this s is the set uid bit so this is one of the first bits in there and this says um that this chsh program runs as root so that's what set uid bit which means it runs with the permissions of root so when i run this again watch we can look if i do ps aux grep uh chsh we can see that the chsh program is running as root and if i run h top and let's look at the tree view i said let's look at the tree view oh thank you fun okay if i look at csh so csh is running which is a child of csh which i ran but csh was an atom d process and chh is a root process as we saw um so we can see chh is a root process so this is how the operating system allows you to do things like be able to edit a file that's only editable by root is it's a c program that is compiled that when the set uid bit is set it sets uh that user that owns that process as root and this is how as a user you're able to change important files to be able to do things like that set gid is to set the group id which is similar except instead of setting the user of the process it sets the group of whoever is the group of the process um you'll actually see that i believe in one of the uh the binary hacking homework assignments and finally the sticky bit is uh it's not really relevant anymore it comes from uh old well it is relevant in the fact that if you look so this t here in temp is the sticky bit and i believe it means that uh let's see do i have yeah okay sticky bit on a directory means that people can create files in the directory but cannot write or rename other directories uh we also didn't go over what readable writeable and executable means for directories they're a little bit more complicated but uh when we come back so this is the mechanics of how it works i want you to be thinking about uh from now until then how does this relate to the matrix model and what are the difference between the actual implementation of the unix access control model that we talked about here how does that differ from the matrix model so thanks for bearing with me i know i went over a little bit i know we had some silly zoom uh sharing problems