 You've been the only blocker. All right, folks. We'll see if you survive. So there's still more time to submit late as of the late policy. Just a little brief overview of some scores I pulled in case anybody's interested. Pretty good. I was actually kind of impressed. So like 92 people got 100%. Then you can see it kind of go down. The average was 73, which is actually about not too bad. The average. So, yeah. I don't know. Any kind of a question? Yeah. Yeah. Oh, there's... Oh, so I got 175 people submitted. So a lot of zeros that were on here. These are people who actually submitted once on the homework system. I'm not scared to count those people in the last two weeks if they submitted anything once to include them on here. So yeah, this was the grade that I pulled directly from the submission. Yeah. Louder. Highest score of all your submissions, including late submissions. Yes. Whatever your highest score is. Yeah. For sure. Yeah, the grade you got on the submission survey, these are grades. There's no partial grading. There's no automated grading. What I meant is that you could have somebody who has, let's say, a zero on here or 15. And if they do it all, finish it all today, they can get 80. So they can move their grade up. Highest grade. Highest grade. All your submissions, highest grade. Yeah. So on my best submission, I got everything except for the sub case. No, no, no. Highest grade overall. You can still play with it and submit until you get what looks to be 100. That will count as 80. So your total grade will be 19. Cool. All right. All right. What's today Tuesday? So on Thursday, we were talking about access control. So what was the method? So we talked about using an access control, a matrix, to represent access control rules. Somebody helped us out, refresh us for those that were maybe putting off the homework until, well, the last instrument of Thursday and weren't here. Help refresh us. What is access control matrix? Yeah. So you could have a chart or a table. So what was on the, what were the rows of this table? Subjects. Subjects. What are subjects? Things that can act. So things that can act in the system as rows. And then what about columns? Objects. Objects. What are objects? Things that subjects can act on. Yeah. Dude, are subjects included in objects? Always. Maybe not necessarily, right? It depends on the specific system. Cool. Okay. That's great. So, wow, you guys actually learned stuff. So we can have, represent our access control model on something like this, right, rows, columns. So then how do we tell what rights user V has on file G? What rights does user V have on file G? And how do we figure that out? It's you now because you asked. And how do you figure that out? That's the more important question. So user V, you just trace it down to the left column. Okay. So rows, we look at the row, we say V. Okay, great. Now what do we do? And then we go to the two columns down to G. And we see it's blank. Yes. Awesome. Any questions on the matrix? So what are the benefits? Why do we want, what's good about this model? Yeah, so if it's small, we can easily reason just by looking at it exactly who has access to what. There's no extraneous rules that exist outside of this system. All the access control rules are there for us. On the contrary, right? So by the same token, so that if it's small, it's easy to look at. If it's very hard, it's probably difficult to reason about what things can do. Yeah. Cool. All right. And then we talked to briefly a bit. So imagine you're going to implement this and we'll focus specifically on operating systems a little bit now, here now. So what does an operating system need to control access to? File system? Oh yeah, in what sense? So what? Memory. So in what way? Yeah. So you have your memory right? So each, let's say memory region is owned by a different process. If you don't want a process to be able to access the memory of another process until you do, maybe with some shared memory between them to make sharing stuff faster. So you couldn't want that and then you could also, by definitely, so you would not expect maybe you visit a web page in your browser. Would you expect the JavaScript that's running on that page to be able to access your Word document that you have open? No, that would be very bad, right? Yeah. So memory, what about files? What does the operating system want to control on files? Yeah, who can read, write, or execute a file, but why? Why are you here? Yeah, so maybe to prevent people from breaking their own system? That's a good one. And also, if another process depends on the content, you want to keep everything separated. Yeah, so I guess an interesting thing to think about is actually, do you care about this on your laptop right now? Do any of you have shared accounts on your laptop? Maybe they have somebody else with a different account on their laptop? Nobody? So you don't care if your apps are different? You can access or change different files on your laptop? What do you, I don't know, this is an opinion question. Do you care about keeping, so we said maybe different users being able to control who has access to what, but if you have a device where you're the only person who has access to it, and there's only one user, why would you care about this, yeah? I think like, I mean you're the only human being that has access to it at the moment, and that's a lot of access on your laptop. Right, so have you downloaded some piece of garbage software right from the internet that's doing who knows what? It has full permissions as you. It can access and touch any file that you have access to or any file on your machine if you don't have any restrictions. Yeah. Does it make sense to have the one app or like one user account plus like an administrative route account on the first one to use because no one will be able to control who has access anymore? Right, okay, so yeah, so it's actually kind of interesting, right, this idea of having different users being able to access the system simultaneously and being able to do different things on the system, right, kind of comes from the days of mainframes or other types of servers where you had multiple people logging into one system, so they were literally accessing it concurrently. What's different about how your desktop operating system works versus like your mobile phone, specifically we'll talk Android and iOS? Authentication but specifically on access control. So what about all these apps that you're downloading? Yeah. So usually you can actually get different application specific permissions for your phone? Yeah, so one way they're going to think about it, right, there's actually different layers we're talking about access control, right, there's this whole permission model on most phones giving different applications different permissions. Yeah, so you maybe don't even have admin or root access on your phone, I think at least in Android you can very easily create new Google accounts so people can log into your phones, you can share devices and then, so each app on your phone actually executes a different user. So essentially you can think at a rough level both of the devices Android and iOS or have some units underpinnings underneath and this is actually the big conceptual model and change that they did with moving this app model is rather than have every app run as your user each app has its own user account on the system so the permission model is actually a floor stack. So anyways, different ways of thinking about permissions but now I want you to put your mind into somebody who's developing an operating system you're in develop an operating system whatever one of these things how you implement an access control matrix in an operating system and I'm not talking this isn't a low level scary discussion about operating system internals but I want you to conceptualize and think okay, if I was tasked with doing this how would I do it? Okay, so you think about people who need somebody to create users or whatever but more specifically like how do you implement so this access control matrix, yeah sure use that like table that we had before every time like, let's say you have like a subject asking you to do something you just look it up at the table and it says it has permissions to account use your knowledge yeah, so okay, so we could then go back to our nice handy-dandy table it wouldn't be like memory efficient but a 2D array could work hey, you could do a 2D, a 2 dimensional array right, or a 2 dimensional hash table however you want to think about it, right so you have subjects where you can map let's say you map subjects to numbers right, and so you use a 2 dimensional array and you can map all the objects also to numbers so you keep that mapping separate you look up what is the subject look it up, access the array one dimension and access in the other dimension to see what the set of permissions are and then reject so you have to have some way of thinking every request that's going to come into the operating system right, you need some way to enforce this access control policy that's stored in this matrix and then we'll need some ways to update it too right, as we add users, add different kinds of things yeah, so yeah we need a way to have user space programs access this matrix right, and be able to interrogate it to say, have a user say well what permissions does that file have probably a better way than just attempting to do whatever you want to do and see if it fails or doesn't fail so there's a lot of talk about ignoring efficiency, why is that do you guys not care about efficiency? because every machine has a gigabyte of RAM so who cares about efficiency? well yeah, it's taking that into account in the fact that we have more processing power and stuff, but also maybe if efficient maybe, if fast forward but sometimes if you want to make it more secure so you have a bunch of redundant systems that no other person can access other stuff yeah, so you need to definitely check and verify and make sure that your implementation is secure for very good and conscious programmers we can definitely, we can know we can do it safely and we've even considered the thing we haven't talked about which I don't think you quite get to it's all operating systems but concurrent access to this matrix what happens there so you need to make sure that you're thinking about concurrency but we've thought of all of those problems the issue with the 2D array would be there's a lot of redundant elements because not every subject acts in every object so you maybe could have like a graph of all the different subjects and objects and you can point with the rights to each other cool, so maybe we can make so does everybody kind of understand like even in this diagram right we have three blank squares where there's no uprights to anything there's all kinds of efficient data structures you can get into of sparse matrices which they use in like numerical processing and all this stuff so you can make it more complicated and it's easy to demodel yeah this is a different amount of data you would need to represent like this table like N by N or N is what yeah what are you going to name like user and files technically it's definitely N by N right so be the number of users and the number of files right so what's that going to be on a system it's going to be huge would you use an operating system that used a model like this no yes it's probably going to take up a lot of memory I mean you can do some back and on below calculations and the worst thing is it's not even like a constant amount of space right it's going to be continually as more and more files get created so as you're running a program that's creating thousands or hundreds of files now you're multiplying adding more additional columns to this table and the operating system has to do this for every access right so do we want a better way hopefully so then how do we get there so you're all smart people so it seems to be that the intuition would be like okay storing this huge array in one place seems like a bad idea we can all kind of agree with that so what's the alternative or what are some alternatives and we can just spit ball different approaches it doesn't have to be exactly where we're going okay so just a second let's actually that's Potsk I want to make another point okay so this is the unit model we just get rid of information would it be good if we just said well we'll simplify this let's keep the access control model and we'll just stop the matrix and all of our subjects will be columns and the top five most frequently accessed files would I solve your efficiency problem yeah it's always the efficiency problem so we're getting rid of information right so the nice thing about this matrix model is storing all of the information about who can access what file on the system and we've talked about what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem what's the problem We can abstract users into different roles, we can abstract objects into different types of objects, but we'll still, what if we have an app that just spits out, you know, hundreds of thousands of different file type extensions, right, for every three-letter domain or whatever or what about things that don't have file types, right? Maybe you could like make it almost like a lock and key source system where it's localized to each file and each, not user, but each program or anything. Okay, so let's go with that first concept. So the idea is let's keep it localized to each file. So what would that mean that says what? Yeah, so rather than, so just sorry. So rather than necessarily storing one giant table inside the operating system that must be maintained, what if we split this matrix up into columns for each file and we store extra metadata with the file that says here is the access control list of this file, right? Here are what users have what writes on this file. We're building those permission models. That doesn't exist yet in our minds. So we have to build those, yeah. Why not split up the rows too? So how would we do that then? Well, so just like each file that needs access has like, okay, this is what you need to have an access to. Each program would then have a thing that says this is what I'd love to have access. And that's what I meant by lock and key to whatever, too, whenever a user needs a file, so key has an access. Right, okay. So I would think very carefully about duplicating this data, right? So if we have the same access rights on a file that we do in a process, what happens when the owner wants to change those permissions? Does it need to go to all the processes and update them in the file? Like there's complications there. So in general, duplicating these rules, it gets dicey, right? Because you can get into circumstances where they're not in sync of what they should be. But thinking about it in those two ways, so if we have to keep the data the same, right? We can't throw away any data necessarily. Well, the way is we can split this up. We can split it up into columns and put on each file or each object the rights that each user has. Or we can split it up into rows and have every user process or every process has the list of permissions of what it can access for what file. So what are some of the pros and cons? What if we just threw, let's say, this file F. We just throw some metadata at the top of the file that says U has R1, R2, and V has R2, R3. I think if we're comparing it, like, are you comparing it to also a raw parameter 3, like process has a system? No, just on its own. We're evaluating the merits of just a, we'll call that an access control list. So every file has an access control list. And we're adding that to the top of every file. You have to protect it because it's more localized to the user. It's like you go and change the privileges more easily than if it was embedded in the operating system. Yeah, so if it's embedded in the operating system, the operating system can protect it. So this is like maybe this naive idea of what we'll just throw it to the top of every file. Well, if the user can edit the file, if they can change their permissions, they effectively have complete access to that file. Yeah, we're maybe using additional storage space, right? So maybe we can think about that. But in some sense, we can't get rid of it in this concept of being able to store this matrix. Like that data has to be somewhere, right? But who has access to what? We store it on disk rather than memory. So we're going to go from disk to disk and then just store it. Yeah, so that's an interesting point. So disk is, I actually don't know the current term, is it 1,000? 10,000 times slower than memory? I can't remember what that says, D, that changed the number. But anyways, reading from disk is a lot slower, right? And so now you have every time a process wants to access a file, instead of having a quick look up in memory from the operating system, you now have to read maybe a different file or something, but here you can read that file. So yeah, you're going to have performance hits for sure. Cool. So these are all things we need to think about. And this is, so what does a system like, so these are Unix permissions for a file. So what does like a Unix type OS do? Yeah, it kind of has this, although on the, as we'll get into, right? On the granularity of what the subjects are, it's not individual users, it groups users into three different categories and then has permissions on those categories. But the fundamental model is adding it to the file, so there's special metadata in the file system that says these are the permissions of this file. Downsides? Any other upsides? So what about, now let's think through, a new file is created. What has to happen now? Yeah. Just slowly go through the entire hard drive and add it and all the privileges to every file that writes. A new file is created. A new object is created. Do you have to touch every file in that case? No. Just all the subjects? No. Right? You have to update the sub, well, okay, also now. But so what happens? Let's step through this. So a new file is created. Yeah, it's back. So, say that again? Yeah, okay, so if a file gets created, let's say there's some set of default permissions. What do we, where do we store that? What happens? Let's go through this. Drawing this, this never ends really well, but let's try this. So I created a new file, H. Oh, gosh. This is actually the thing. So we created a new file, H. So the access control model or in the matrix model, right? We created a new file, H, which means we need to propagate. We need to just, we change our matrix to support that. So now here we created a new file, H. What do we have to do? Assign permission. Let's say there's some default permissions. We'll say, what are our subjects here in this example? P and Q. P and Q? Okay, so we have P and Q. There'll be some default permissions or whatever. So let's say it's right, and we'll say this is read. And we'll call it own as well. So, now then what do we do? How do we store this data or this information? Yeah, we store, let's say we'll just store metadata with the file. We don't have to say, but it's in a protected place so that we know if people can't tamper with it. But we'll just say it's metadata stored with the file. Do we have to touch files F and G? No. Why? Yeah, because there's actually nothing to do with the access of H. So this is a nice thing about this model is by storing who can access what on the object itself, right? When you create a new object, you don't have to touch anything else in the system. Now we get this problem of what happens if I add a new user, we'll call it A. Yeah, so I need to go through every object in the system, every single file in the system, and add that permission there. So I have to go, okay, F. What can A do with F? Well, A has read access to F for whatever reason. And G has read access. Or A has read access to G, that's an R. And then we go over here, and A has write access. Cool. So now every time I create a new subject, what do I have to do? I have to touch every single object in the system, right? I have to create this new object on every single access control list here. I don't know, good, bad? Yeah. I was going to say, so when you create a new user, you're just giving it like permissions. I'm saying in the case that the system decides that, to say that if the user created the file, then it's like, there's some more simple cases that say you created a file, so you should give these permissions. In that case, then you can also control the permission of other users. So in general, so yeah, so here we don't really have any concept of owner or anything like that, right? So that's kind of in our concept of, okay, when file H is created, what are the permissions? Right, well it probably depends on who created that file. So I just made a queue of the owner of this file for no reason, just like, yeah, so then similarly, you can think about what happens when you add a new subject and updating all these data. Why not make every user or program that's created the user have a type and that type comes with a certain dissociated set of permissions. So then when you go to the file, instead of listing what every single user can do with it, you say this type of user can do this, this type of user can do this, this type of user can do this. That way when you add a program, you just add a type of to that program or a user that you've added, and then you don't have to go and add everything to a real file. Yeah, okay, so we can think about then, this will be hopefully better. So we can think, okay, we can have types, right? So we can have file F, we can have file G, and type, what kind of type do you want to say this? Well, I do know why, because I've been reading a lot of code. So type C and type Java, right? So then I have my subjects, S, and let's say I have Adam, who is a C programmer, and Max, who is a Java programmer. Something like this, what we're talking about, right? Yeah. Okay, so then what happens if, how do I give, let's say there's Max, there's also Bob, who is a Java programmer, and do I have names? There's also a Java programmer. But let's say I have a super secret project that I really need Max's help on. How do I give Max access to a file? So let's say I have now a file secret, and it's mostly in C, but I really need Max's help, but I actually, it's so secret, I don't want anyone else to know about it besides Max. Yeah. Add a secret group. Add in the one group, C? Yeah. But we have other C stuff that Max shouldn't be able to have access to. But like that, it can be like a program, and not a group, but a group called secret project. Yeah, you have to make a group for the secret project. Yeah. Well, see, here you can go back, I feel like here you can go back to the old implementation by adding just some sort of exception barrier. So, like, in general, we want to stop there being continually, every time you add a user, every time you add a file, you have to add a massive amount of information. So this generalizes it, but within the bottom of each file, you can add exception to that kind of thing. So, and adding just one exception here and there isn't going to break the efficiency. Yeah, so then we can do something like that, but we need, so this is kind of the point, was thinking through, if you just have a simple model with, let's say, types or something, right? Can you actually express every possible access control model that you can in a matrix model? The answer is usually no. So you need other mechanisms that handle these cases, yeah. And then you get almost as complicated as an app as a matrix. And that's why thinking about it in terms of the matrix is nice, because you have a way to think about that and kind of implement it to use these types, yes. So if you didn't want to use types, you could still use the user. A lot of reasons for the user might have that. You have some other, I guess token that represents no permissions. So then the absence of permissions would just be like a default. And so then when they try to read it or write it, they would say, okay, there's no permission to say that, get to the default permissions. Right, which would help, on the last 90 default permissions, is everybody could read my file, or something like that, right? So there's, yeah, you can definitely think through these corner cases that can help out in some of these things. The idea is thinking about this more generally, but these are important things to think about when we think about, well, why is a certain access control system like this? It's because of these performance reasons, right, of optimizing for different cases. Cool, any questions on access control lists? Yeah. So wait, so then what actually does happen if you add a new subject you have to go through? If you're just thinking classic access control lists, yes, you need to go and touch every file. That's why modern systems, you can see the access control list is usually a group, groups users together, right? There's the owner of the file, the group, and everyone else. So you don't have to update, you're either in one of those categories depending on which user you are per file. But then you can't, it's actually a real pain if anybody has administered a UNIX system. It could be a very big pain to do things like this of like, do you create a new group just for some subset of users that need to have access to something, because you don't have these fine-grained permissions of doing these kinds of things. Right, so then the flip side is, we said, okay, rather than thinking about it in terms of columns of what file can access what, now we can think of it in terms of who has rights, what subject has rights, and what do they have. So basically rather than storing now the information with the file, each process has a set where each subject has what rights it has to every object in the system. So we have process P, has the rights on file F, a green right bone, a group of breed, and process Q has A on F and R on P. So what are some of the benefits here? It's not like you have a free set of columns, so it just grows as the user just grows. Yeah, so it's kind of nice in some sense because we don't have to, and we can maybe assume that the number of users is less than the number of files, maybe significantly less. Default rule, all the subjects are included in the object set, right? So yeah, we have a nice thing there. Maybe you said something about dynamic, what are you doing with that? As opposed to static or outside, okay, there's going to be 40 users, there's going to be 40 capability lists. It's going to be like as the amount of users grow, that's going to increase the amount of capability of the list pretty quickly. Yeah, okay, so yeah, so the number of users grow rather than the number of files is how big or complicated this list gets me. Other thoughts? I'm looking at all sides. I'm looking at all sides. You should be looking at all sides. I already know this stuff. Okay. If we're assuming that there's less subjects and objects, then what happens in this situation you have because you have a very long, let's say a really long array. So what happens is you have a lot of continuous memory being used. But the other model you have is all the memories are being separated on the disk, so it's not all in one spot. Right, and if we think, there's one way to think about it in terms of disk or file, but if we think that these users are actually a process, usually you store that maybe in memory, you would think, rather than necessarily on a file, I mean, storing access control lists with the file on disk makes sense. It's literally storing it where the data is located. But here you have a process, and where does the process live? What even is a process? Right, it's like, well, actually maybe I should ask you that, what is a process? Yeah, so maybe, so if you're involved in that, right, so you have a memory, so that the memory that the process has access to, an executing program, I mean, a process can be a sleep, so it cannot actually be running, but it has some state associated with it, maybe it is running, so you have all this kind of complexity of where the heck you would put this list. Maybe if you sort in the operating system, there's the operating system, if you ever have typed in PSAUX, to list out all the processes that are running on your system, you'll see that there's a ton, so the operating system must know what's trying to run on your system, so it must have metadata there with the process, maybe you can sort it there, all these kinds of choices. There's not like an inherently nice thing of like, oh, store the access control list with the object. Are there problems with this approach? Thoughts? Have thoughts? Yeah, yeah, I was formulating it, but so I feel like with this method, since we create a lot more files than users, you have to constantly go through all the users and keep adding or appending to it. Right. Yeah, so now we go through, let's walk through maybe the same case we just walked through, so we add a new file, H, what do we have to do? Yeah, so we're going to go to each of the capability lists of every subject and add, you're right, I'm just trying to be slightly more precise. Yeah, so we have to create, we create a new file, H, we're going to go to P's access control list and H has file, I don't remember what I put, it was whatever, right, so we have to add a new thing to each of the capability lists every time a new file is accessed. Right, yeah. And just to add to this, continuous memory, if we run out of one of the files, we could copy everything over to a new spot memory that's slow. Yeah, so if we're starting this in memory, right, we have the problem of having to deal with either contiguous or linked lists or at least things to think about. Let's go a different way. What if we add a new subject, Adam, that's going to run? See one file that's out of our processes, out of the entire system that each run. So they'll have some, we said some kind of default permissions, right, so the current files I have are F, G, and H, right? Did I have to touch any of the capability lists? Should I have? Yeah, so maybe. It depends on if my subjects are also objects, right, because I may need to add those, but in this model here where we're just using files and users, actually, I would have definitely had to do that, so that's a good point. So I'd have to go here and add something about this here. Yeah, so what are, so now we've looked at this, so compare this then to capability to access control it. We didn't add P and Q, we didn't add P and Q to add. We would have had to, yeah, as well. I just simplified. So do we always assume that subjects can be objects, or is this a case by case? Case by case, so it depends on the model. So in this case, I would just be going off of this access control matrix model, which is the example that we use. We need to move those on there. We can ignore it kind of for now, but conceptually, yeah, this is an example of when a subject is an object. Sure, so you have to process these whatever, P and Q, that are owned by different users, so they should never be able to share memory, right? You should never be able to access memory from the other, but you can, a system call, you can ask for shared memory that's shared between them, so you can think of that as having shared the memory of another process, and that would be a right that you could have. Other things would be like sending signals, being able to kill another process, like normally you can't kill, like send a kill signal to another process, but I think you can set that up, so you can, or if you're in the same group, you can, there's all kinds of here. Would almost like plugins be an example of this, like one bigger program that you want to install, then that thing has to be able to act like any other program in front of it. Yeah, plugins, that's a good one. The other thing that that thing can think of is like the Google Chrome browser model where you have like rendering sub-processes, you have different things rendering and parsing HTML and doing all this stuff, so they need to communicate somehow but over a limited fashion, so that would be another way of thinking about that. IPC, so that's the other thing, like inter-process communication, like a process can talk to another process, maybe through pipes or a unit, sockets or something like that would be another example. Still comparing it to what we had before, a big difference I think is that if you want to edit different, like let's say you have a user and there's a file you want to change the versions on it, depending on the data texture you're like it's going to be really inefficient because you're all the way from the data drawing with my data, like where the file was then changed so I'm trying to change, so if I'm a user, well, inefficient if you think of it like a list like this but you can think of this as a hash table where the name of the file maps to the permissions so it's basically a constant lookup you could say, but then when you do change those permissions you need to change the capability list of every single subject in your system which could be a thing. How easy is it to let's say take away so we didn't talk about this in the previous example but now let's say I want to delete user p from my system or subject p from my system how do I do that here? well, you have to go through all the other subjects and remove p from that list here? okay, so let's say they're not in the whatever yeah, let's keep it simple so how do I do that here? you just free the memory? I just get rid of this list, right? I just delete this, done this process now has no permissions it can't do anything on the system even if it's somehow still running in the other model, in the access control list what happens if I delete user p? what happens? you have to go through every file and change every file, right? cool, so we've talked about this a little bit and then so there's just a table there so the other thing we can think about is the just the relation so we have our subjects, our objects and so we actually break apart each so rather than thinking about it in terms of sets now or we say object p has access f rewrite on we can break it apart and just have a list or a table of all of the different access so we can say subject p has write read on object f and so we go through each of them to understand that they have read write and own and read write and own on object f anyways, this can help think of it in a more granular level kind of ripping apart rather than thinking about sets, just think about it in terms of writes or another way to think about it is in terms of permissions this could be what permissions that like app A has Wi-Fi permissions so you can think of like Android has something very similar to this for every app so digging in a little bit more into the differences here between access control lists and capability lists and we touched on some of these things so we said we said that for access control lists it must be the case that we can't alter the permissions that a user can't just change the permissions of a file arbitrary right so we don't want to store those permissions let's say on the top of the file because that means if you have write permissions you can just change what about in capability lists what do I need to, do you need to talk about what I need to secure or keep secure here yeah I need to think about where does this access control where does this, sorry, this capability list lift so let's say if a process p just has memory in a fixed location that has this hash table in it and the process itself is able to update it that's probably a very bad idea right and we need to know and we need to the other thing is we need to have a really good way of authenticating well how do we know that process p is actually process p and not something else so being able to change and especially when you think about it in terms of users so that's one thing I love that so yeah okay so capabilities they need to be unforgeable right so you can't say and just create new capabilities on the fly that makes sense right the system must control that in our case the operating system what about propagation what does that mean yeah so great so a process let's go with that, if a process forms another process what happens to those capabilities do they propagate to that new process what if would we ever want to model where let's say process p gives process q right access to file f maybe we may want to do something on our behalf we want the system to be able to control that right of can a process that is subject to give permissions to another process like how does that actually happen so it's helpful then to think about that in terms of access control list versus capabilities so cool so this is actually just a graphical way of representing what we've been talking about so in some sense it's the same idea just to help clarify capabilities are per subject and access control list or per object base so one of the nice things we can get with and again so we're kind of splitting hairs here a little bit because if you believe what I said that a matrix so we're just different ways of looking at an access control matrix right so it should be theoretically possible to do whatever you want in either of these two schemes but as we saw there's actually some natural either efficiencies for instance creating a file is much easier in an access control list model versus changing versus adding a user so different ways of different things another way of thinking about is we talked about this a little bit in terms of least privilege so what's the concept of least privilege we've talked about in terms of policies and assurance I think right so I'm giving something just the bare privileges to get something done right so this means that like I'm a submission server like none of you should have root access to the submission server right if I did that you could still submit your assignment right you could also do other stuff right you could see everyone else's assignment do all this you don't need to do that so you have hopefully the least amount of privilege to submit your assignment and nothing more so in this context we can think that capability list can provide a little bit more easily and more naturally some finer grained privilege specifically when we're talking this is somebody over here brought up the dynamic like short lived tasks so you're creating a process or a subject that's going to be short lived it has a very limited set of capabilities that's much easier to do in a capability list model so other things we didn't talk about trying to audit and say who has access to what is much easier in an access control list if we're talking about objects right if I have a super important file right that was like company secrets or trade secrets and I want to say who has access to this much easier in an access control list because I have the entire access control for every subject in the system I can see who can read this file otherwise I have to get it from every single subject in my file to see who has the capability to read this file that make sense similarly the other way around asking what does employee X have access to is much easier in a capability system to answer if you have that set with the subject different ways of looking at things it's important to think about what about revocation so we talked about that touch on that a little bit like deleting a subject so revocation would be revoking somebody's access or access to something which way is better in what circumstance is the real question yeah so it depends on what I'm trying to revoke right if I'm trying to revoke a specific subject's access to a file that is much easier you can also say that's easy though revoking that access in an access control list on that file and remove that user's permission so yeah it kind of depends it's kind of similar type of thing again it depends on what you're trying to revoke if you're trying to delete access to an object that's access control lists are better there so this is basically what we talked about here yeah okay so we talked about granting access so on capability list we talked about that this can be easier of granting access to a file but let's rather than talk about so much theoretical stuff let's actually look at the UNIX access control list so we can see how it operates and it's a real system that hopefully all of you now use after assignment one or have touched or know how to touch you'll get more familiar I promise as the semester goes on okay cool so how does the model work it's not a model now how does the UNIX access control system access control list work I mean first the capability system or an access control system for access control lists sorry I missed it access control lists how do you know it's ACL I mean it uses the term ACL and it's also on the slide and you didn't know how do you convince yourself you could look at the source code wow very brave person not saying that you should it or can't oh no alright I can't make the font bigger so I'm not sure but can you see that in the back so I'm just gonna SSH to the submission server hopefully there should be nothing on there that's important okay so I can do ls-la which shows me all the permissions it should show me the permissions of the file in the current directory is there anything important on here no okay okay cool so how do I know what the access control is for a specific file yeah what is it explain it to me I think there are the help users read and write read and write there's two of them though I think it's per user like I mean per group so like once for once for users okay so I have a first one that does some stuff we'll talk about right now we can see it's D on a directory and dash for not a directory so there's some additional metadata about a directory or not there's other bits in here which we'll talk about in a second read write execute so the first three octet is the permissions to read write or execute this file by the owner so that's the owner then the next three are read write execute from the group and the third is read write execute from all everyone else or others sorry I think it's the way it goes yeah owner group is that it yeah the dash here yeah the dash simplified so the way to read this guys the dash simplifies not like there are no permissions so for let's see the stop profile I can the owner can read and write it and the group can read it and everyone else can read it but how do I how do I know what users the owner and what user yeah one more column say like you found two I think it's per group and the next one's a user I think it's per verse but I don't know how to prove it I think it's a user I mean right here we can't prove it but I'm very confident it's a user that group so you have dinner in class so again this makes sense right if you need to make an access control decision based on an access control list if your bids are all about what the owner can do the group can do and everyone else well how do you know which of them so you need to store additional data about who the user is and what the group is do you just store information about everyone else okay cool so we have slightly more complicated than this we'll go back to this because I like doing this so there's actually and you think about it we only need a bit to represent each of those information right so we have three we use a bit for each read write execute for owner one bit right bids are really good to represent what true or false yeah true or false one or zero right so read write execute owner read write execute group and read write execute everyone else so why is there four of them that seems dumb yeah so we have other three bits that do super important things that we need and we'll go over those in a second these are really important stuff so we have setuid setgroupid so this is very interesting then we have read write execute so let's go over quickly setuid groupid and let's dig in a little bit to this concept of so so okay so we have the owner and the the group of this file where is that information stored like how do I know what users are on the system epcpassword slash epc I'm going to show you all my passwords about this so we can look at this file how do I know what user I am besides looking at this bash prompt who am I right tell me the other one is id this is another good one we'll tell you the user id you are because again this is a you know it's not storing the file it's storing a user id that points to a user name and that's how it's getting it all here so I can see all the information about me I have a user id a group id and I'm a member of several different groups cool okay so actually so can I read the epcpassword file yes why because I have to read it on the last one so am I a group no I'm everyone else right so I can read this so if I cat this file will I be giving you all of my passwords okay okay this file so this is on the unixer screen it has every single user account and so the way to read this file it's not important how to read this so you can think of it as separated by columns so the first one is the name of the user the second one used to be a hash of the password this is stored elsewhere so we'll see in a bit and then you have the user id and the group id of that user is this the group name actually don't know and then the home location so the home for reach is slash root and then the last part is the shell of what shell to use so we can see me my user the mootu here right 1000 1000 that matches the user id and the group id that we saw when we ran id okay so I see like a bobo group like column 8 it says like 110 and then the 1 so does that mean like 110 is the user id and then 1 is the group so there's something else that has 1 as its user id yeah I have no idea I'm not sure what that column is you have to understand certainly what this number is I was just guessing based on what other stuff I saw um man 5 gives you the format let's see login name encrypted password user id group id and then username or comment field that's weird so you have a username that's different from your login I think it shows up for finger output okay then home directory cool so the answer is yes apparently and then to see where the group is there's EDC so you then see EDC group is a lot simpler so like though so that was you saw some of them are no group some of them were 1 was that that one we were looking at and that would be daemon group see learn something new every day okay cool so yes why is linux like a shitty mod that's supposed to have an intuitive file system where you can get all those commands you can actually say like oh see that memorize a million different commands I mean you have that historical answer you want the like why would we still use it like 30 years later um it's I classify it if you take like an HCI class they talk about like expert interfaces so like unix is very much an expert interface where it's very difficult to get started but as you master like more and more of these commands you can actually be much more efficient than people poking around with a GUI on like many different things so the interesting thing to think about is like Windows land came up with like PowerShell to do command line type stuff in a nice way and composing all these commands doing all this stuff you can do a lot with what seems to be very little but yes it has a lot of UX problems in terms of discoverability and figuring out how to poke through all these things okay cool so let's the example I like to give so we have this file here right ADC password file can I write to this file if I can write to this file what can I do I can change users I can change my I can change my user to user ID 0 which would be the same as root so the program that the operating system would think that I have root privileges which means I can do anything on the system I can change logins I can add another login right I can do a lot of things I can basically take over the entire system by editing this file so should you allow users to edit this file but there's a the last field here is what what did I say was last one what's this last part somebody just said the shell yeah so this is when you log in what shell do you use right well I don't want to use bin back I want to use something else so how do I change it do I like do bin ADC password down to very old school why can't I write this I don't have the right permissions to this so how the heck can I change my shell I'm let's say I'm not a pseudo user though I am on this but even if I'm not I should be able to change my shell that's my shell and I log in I get 7 I log in do you have any users ADC password you do not have a user local ADC password it turns out there's a nice command called change lchsh change login shell so shall we do that oh but I don't know the password of this account I run this as pseudo but look the other way pretend I do have the password there's only because I literally don't know the password to this and go to account it was created automatically by Amazon I don't know what this password but I can't run it as pseudo but that would change the login shell for root user so it's saying ah the login is the second parameter okay so I want to change it to bin sh you try typing in front of 200 people okay so now what do we expect to have changed to ADC password extension on this yeah so it should be that Ubuntu changed to bin sh how did this happen we just saw as the Ubuntu user I cannot write to that file how did that file just get changed pretend I did not type in pseudo it does not matter here at all I promise yeah I'm going to guess you asked root to change it for you yeah so in some sense I can't run it but we somehow need to ask root to change it for us so how do we do that so I can do which chsh I can do ls-la say what the heck is this change shell password why does this look different it has an s instead of an x for the user right remember there was those 3 first bits, setuid, setgroupid and a sticky bit so setuserid and that's why I closed so we also see that the shell changes so there's an s here that means it's executable and it's setuserid bit is set what this means is when this process executes rather than have that process execute as the user who executed that basically it means executed as root so let's uh we can actually verify this really quickly normally I'd use something like a terminal but whatever okay so I can run cat what's the user cat running as so I can see that cat right the program cat process cat is running as user voodoo right it makes sense I'm logged in as user voodoo in fact if we look at all the everything that's running on our system will this tell you any information tree so you can see there's a ton of stuff going on on this server we have a rabbit in queue that's storing all your jobs mysql server the patchy server actually so if you ever wonder what happens how you get onto a remote system so you have that ssh statement that's listing running as root I've logged in and once I logged in it gives me a terminal where now it knows I've logged in as the user voodoo it gives me a terminal that's running as a voodoo which then runs bash which was my default shell which then now this is what I'm literally looking at right here this is the process that's running atop this is the process um number and I have bash and cap the whole reason we're doing this is so I can see that cap is running in my other terminal with the same user as voodoo now if I did a user bin ssh now if I look I can see that that is running as root right change shell is running as root because of that setuid that is set and this is how the chsh program is able to change a file that should only be writable by root that's how it all works there's nothing magic here and so set group id works similarly to set user id just now with the with the group so it will run as whatever group you have as that happens the sticky bin is very complicated I can't remember off the top of my head I think it's ba ba ba ba setuid do you remember it's file permissions in a directory you don't know but I remember what the you had a last year I think to create files in that directory but not do other stuff also what does it mean so we just went over what all these things mean with files right it's pretty easy read write execute what about for directories what does it mean to read a directory you can list the files that are in that directory what about write to a directory I think it means you can delete files in the directory assuming you have permissions to and create new ones I think in that directory what about execute does it make sense to execute a directory yeah maybe that's the same thing as reading so the interesting thing is so execute means that you can go into a sub folder of that directory but you may not be able to list it or create files so and other things are I think the same way anything there I don't think so in a directory anyways the more thing is directories are slightly different but we can see this access control right we can see the access control list here so we know the permissions that are here the user ID the group ID we can see how the operating system is putting this all together in order to do the access control checks alright awesome