 All right, can you see the slides on Zoom? Everything good? All right, thank you. Cool, all right. Everyone, good to see you again. Oh, I guess I can, yeah, let's flip over there because I'd like to show my adjustments, my screen. There we go. Yeah, all works going pretty well, I think. I've been pretty happy with the success. I think some of you are struggling with it and that's totally fine. I think that that doesn't mean that you're dumb or stupid or whatever. I mean, everyone comes in with different backgrounds and different experience and the whole point of this assignment is so that you all learn kind of the basics and fundamentals. So that going forward, we don't have problems like, oh, I can't write to this file. Why can't I write to this file? Or, oh, I don't know how to pass arguments to this command. So that's the goal really of this assignment and you're all doing great on that. I'm super happy with the progress. A lot of people doing it. A lot of people getting those points. Let's see, I wonder, scroll. Let's see, did the top 40? Yeah, so like 40 people have already, or is that, can't read that far enough. Yeah, 80 people have already completed the assignment. So, that's a 466 thing. I need to just remove that that takes a little bit of code, but yeah, 466, if you finish the first half of the course, you get a blue belt, I think, or a yellow, no, a yellow belt. And then with, it says phone call on it. And then if you complete all assignments, like so completion means you complete every single challenge in every single category. I mean, I can actually show you. I don't know, it's Dojo. Scoreboard. Or I can at least show the challenges, maybe. Yeah, so there's all these different categories. It's probably 13 or 14 somewhere on there, is my guess. Based on, it's like, they do basically one challenge a week. So, the original program interaction was 142 challenges that they had a week to do. And then, yeah, so I think. Totally. Yeah, do you have something to share? All right, I'll leave it there. Is that free? There's what? Pone College, is that free? Yeah. You can go online, you can go do it right now. There's all the videos, slides, everything. So yeah, these are the people who have done all 472 challenges on Pone College. So they get the blue belts. And I guess at some point, if you scroll, you'll find people who, yeah, have white belts or some people with yellow belts who've done half. Yeah, right about in there. So anyways, that's their system because it's actually built into code to show that. Our stuff shows that, but anyways, we don't have to worry about that too much. Cool. Why are we talking about this? People just don't want to have class. You just want to get me off topic. And that's perfectly fair. All right, we were talking about the access control model. So we talked about the access control matrix model. So somebody refresh us, what are the rows in this matrix? What do they represent? The user? Excellent. Not quite, actually. Almost, yeah. That's very legit, you have to apply it. Close, who's you? Yeah, subjects. Yeah, remember we're in the realm of formalism here. So we're going to use the formal terms of subjects because it could be a user, it could be a process. It could be something completely unrelated. That's not related to a user. So that just helps us think about these things. So the rows are subjects, and then the columns are what? Objects. Objects, yeah, so those are, so subjects are the things that can act and do things on the system. And the objects are the things that get acted upon, right? So, and then inside each cell are the rights for that that subject has on that object. What they mean is dependent on the system. So we can't just look at this and necessarily say RWO means read, write, and own. Maybe it means read, write, and other, or read, write, and come up with your own favorite, whatever O word is. So these rights have to be defined somewhere as part of the system like we showed earlier. Cool. So, orios, that's a good one, yeah. Reading and writing orios. Okay, so, and so we talked about some of the pros and benefits, some of the benefits are, hey, it's very easy to make an access control decision. Whenever a subject is trying to do something to an object, we'd say, oh, we could just look at this table. We say, oh, P is trying to execute object F. Should we allow that? No, why not? There's no X there, right? There's no rights. The subject P does not have the execute rights to F, so we would not allow that. If P asked to read F, we would say, yes, go ahead because we have that in this matrix. Cool, so that's the easy thing. What were some of the drop-backs that we talked about? It can get very, very large, right? So this matrix can just grow and grow and grow as we add files, right? Even a user could just add a million files which adds a million rows or adds a million columns to this table. And then we'd have to figure out, what are the access rights on that new file for all the users on the system? Maybe there's 1,000 users or 10,000 users on the system, right? So storage of that can be pretty intensive. And so if you're gonna, we talked about this, I think I left you with this challenge. I don't know if you did that or if you focused on the actual challenges. I won't call you either way, but how would we implement this access control matrix? So you're writing the operating system, and like here, you have to make the decision, you have to write some function that says, here's the subject, here's the object. Do they have the permissions to change this? Yeah. Well, what I would do is, I would actually have the permission group set as part of a file header for the computer, and have people to read from that section of the file and then do a comparison to what group and subject follow under to get the permissions. Yeah. So the basic idea is rather than store that table in one huge table in the operating system memory, you're saying basically split the table out so that every object has its column as some part of, let's just say metadata. It doesn't really matter where it is, right? But some metadata that the OS can get to that's private and the user space like a normal program can't mess with. And then the operating system would say, okay, you're trying to read file F, let me look at the metadata associated with F, great. Your process P can read file F, so you're good to go, right? That's one way to do it, what would be another way? Big table is second way, what is our third way? Breaking up my user, so can you expand a little bit? Can you expand a little bit on that? That's good. Yeah, so rather than store the metadata about what subjects can do to an object, or in our case, that was the every column in our matrix, what if we stored with each subject, right? So in the case of a process, we have to know what processes are running on our system. We need to know metadata about that, like who's the user ID associated with that process? What's the group ID? What's the current working directory? Actually all these things. So that's actually how when you are moving around in the shell and you do like CD slash, what's actually happening is bash is asking the operating system, hey, change my current working directory to slash. And the operating system does that and updates its notion of where you are in the operating system. And that way anytime you do any kind of relative file operation, it knows to base that based off of your current working directory. But all that is stored in the operating system so that it can keep track of those things. And so similarly we can store for every process in the system, what are the rights they have on every object in the system, right? So yeah, these are basically the two ways of looking at it. And it really makes sense when you look at this model, right? So you look at this model, it's a big table. Okay, what if we split up the table by columns? Okay, that means we're storing the access control information for each object with the object. And if we cut it up by row, then we would store all that information with the subject about what it can access. You can also get into cool stuff with row base. So you can do things like, if you owned the file, oh, what is the O permission sample? Yeah, that's pretty good. I'm just going to do it. It doesn't stand for Oreo, it stands for owner. So if you own the file, typically that means you can change the permissions on that file of who has access to it. So one of the things you could do is maybe give P could give process Q the right to read file F or write file F. And it can actually do that in a cryptographic way that doesn't actually control the operating system. So it can verify. So there's all kinds of ways to think about this, but this is kind of the classic idea and example of this is just cut this matrix into different chunks. Cool. So access control lists are exactly what we talked about. So each column of the access control matrix is stored precisely with the object. And again, at a high level of the A permission was append only. So the A permission meant that you can add content to the file, but you can't delete content for the file. And it actually also doesn't imply reading. So if you can append to a file, that doesn't mean you can actually read the contents of that file. Now you can say, well, of course, but I know once I start appending to that file, I know the content that was written, but you don't know what was written before. And once you're done writing, you don't know what is written after. Yeah. It's like when you will echo a string into a file. You don't know what's in the file, but you still wait for it. Exactly. And there's actually, I mean, that's a good point. I can kind of, yes, that is the, in the chat. Thank you. That is the model we're using right now. I can actually show you hopefully a quick demo of this. So where am I? Let's go to a CD temp. So I'm going to temp. I can, I don't know what's in here, but I can do, I can cat to a file. So this cat, remember I've been mentioning this more to people. If you pass in dash as an argument to cat, it means, hey, read from standard in instead of a file. So if we do cat file name, it will read from a file name. If we cat dash, it will read from standard input. And then I'm using file redirection here. So the right arrow or the, what's that a greater than symbol? I actually don't, I just think of it in directional terms. I'm writing out to foo. So this will, what Bash is doing is saying, okay, let's take the standard output of cat, whatever it outputs, pipe it to a relative file called foo since we're in the slash temp directory. I'm going to write that to a file called slash temp, slash foo. So I can say, hello, class. And then hit control D to tell the, tell bash that I'm done typing an input. Again, I think I'm in some data. This is, if you're reading from the terminal where the user is, how do you know when they're done sending input? So if we were, where this comes into account in your homework, oh, it does just reverse by a row. That's fascinating. I didn't know that. Interesting. Well, that doesn't prove my point at all. Okay, sort. So sort is a command that will take all your lines and sort them. So if I did Z, B, A, it will output A, B, Z. Now, to sort things, you need to know how many things there are. So you can't start sorting until you've actually got the whole list. But I've told cat, hey, read from my standard input. So how can this program that's running on my system, does it know if I'm stopping and thinking right now or I'm done with the input? Right? And so the way you can tell it, hey, you basically tell bash, hey, tell cat that we've reached the end of file. Like I'm done typing in input there. And that's, I can do that by typing in control D. That's a special character or a special symbol that dash interprets and says, okay, we're all done. And then it sorts, it path, cat tells sort, hey, I've got all the input. I'm at the end of file. I have no more output. And so sort then can sort everything. All right, that was kind of a long way, but... So we wrote into foo. So if we do cat foo, cat foo, we should see hello class. And if I do cat, if I do that again into foo and say, do good on homework. And then I cat foo, cat foo. Oh, that'd be a great one, right. So it says, do good on homework. What happened to what I previously wrote? You overwrote it. I overwrote it because the redirection means right out to this file and actually truncate whatever was there. But if I don't want to do that, if I want to append, I can use this and say, hello, 365, cat foo. And now I've appended to that file. So that, the double greater than symbols tells bash, hey, open this file and don't truncate, start at the very end of the file and then keep writing, because that's the appended stuff. All right, cool, close up. I think we're there. All right, so we went over that. Okay, so access control lists. So just what we talked about. So you can think, so each column is stored with that object. So we have a file F, we have all of the access rights stored with that file. So for every subject in the system, we would say, okay, P has this rights, Q has these rights. And the reverse of that is what we just talked about with capability lists. So capability lists is the other name. So access control lists, you can think of as, and it makes sense, right? So an access control list is on objects, you can think of files. So it's the list of what subjects can access that file or what subjects have what rights on that file. Whereas capabilities define what types of things you can do. So a subject, it has certain capabilities on the system means that it can read some files, write to some files and execute some other files. So that's how you can kind of keep these two separate. So every row is stored with the subject. So with the process P, somewhere in the operating system, we'd say, okay, P has the capabilities on F of rewrite and own, has the capabilities of G to read, Q has the capabilities of F to append and the capabilities of G to read and also own that file. The third way, there actually is a third or fourth way is kind of storing in a giant table, the kind of three tuple. So these three relations with the subjects, the access and the object. So we kind of split out that table rather than having a set in each row. We just have a giant table where I said, does subject P have execute access on file F? You could look in this table, is there a row with PXF? If it doesn't exist, then no. If it does exist, then yes. So this is kind of the other way of looking at it. Highly, let's say less used, but I think you can find this in, it's basically how a lot of databases do kind of access control and store writes. So even like the system you're using now, there's just a database table in there that is a user's table and one of the columns is the role, basically. Now it's not precisely like that. This we'll talk about there. It doesn't say all of your users writes on everything. We'll talk about why in a bit. Yeah, so I can explain. So capability lists are, hello. So capability lists we store for every subject. So in this case, a process, every process we store what things they can access. So we store all of their rights for all of the objects in the system. So you can think of this as the row of the matrix. So we have these two different models, access control lists and capabilities. So let's talk about the differences between them. And I want you to first think about one of the things we think about is expressibility. So can you, can each of these two models, and the way to think about expressibility is, okay, I can use this matrix to express any access control policy. And so can I also represent that exact same policy using an access control list versus capability lists? So what do you think? So the way to think about it is, is there a matrix that I can represent that I can make access control decisions on that I can't represent using the way we've talked about access control lists or capability lists? Or another way to think about it, is there some kind of access control policy I can express in an access control list versus capabilities that I can't actually do in capabilities? Considering files being transferred with an access control list all the rights are stored with the object so it's transferred with it. And if the capability list rights are almost transferred when the file goes through the device, it doesn't know no one has access yet. Yeah, that's interesting. So I think it, yeah, I would definitely agree that it can be easier to transfer those rights because it's stored with the file. You don't have to iterate over all capabilities and see what everyone has. The tricky thing comes in if you have an access control, like you have to think of what is this system and does it apply to both, like does this model capture both systems? Right, because if the subjects are different on the systems then you're gonna have problems. Like if you're using user IDs for instance and user a thousand on one system is different than user a thousand on the other system and you just copied that over then you'd have a wrong access control rights. Which actually does happen. And that's like a classic problem. So yeah, I think the key there is thinking about yeah, there's definitely differences involved with copying the question though is like can you actually just take this access control list and dump it over here? If you're in an organization where you're kind of guaranteed that all the systems have the same access control model then yeah, I totally, any other thoughts part of the class where we just stared at each other? I guess everyone hopes that I won't call on them. So what do you think? You don't have to even, it's okay to be wrong. So this matrix, is this matrix the same thing as this list or these capability lists? So let's look at, yeah, so let's think about this. What is the difference between these access control lists and this matrix model? Let's start there. And their pieces of the overall, they're definitely pieces of the overall list. Is any information lost? Is there any different information here than here? No, no. No. What about capability lists and the matrix model? Still the same concept and the same information, right? All the same information. We're just talking about where's it stored, right? So you think of this giant matrix, we still have this giant matrix. It's just saying, okay, let's store the columns by the files, right? That's access control lists or let's store the rows with the subjects that's capability list. But fundamentally all that information is still there, right? You could reconstruct this whole matrix model from that information. And fundamentally, you can't create a matrix that you can't represent in either of these models because you give me any matrix, I just chop it up in the columns, boom, that's a access control list. I take that matrix, chop it up into rows and that's a capability list. So it's fundamentally the same information as being represented there. We're not compressing it, we're not like trying to do anything fancy. So every access control model, we should be able to represent in the capability list or an access control list. And I don't know if that was a good enough proof for you, but this isn't really a formal class. So it's fine enough for me. If somebody wants to formally prove it, they can definitely go ahead. Okay, so there's nothing fundamentally different here, right? There's nothing that says, oh, if I have this policy, I have to use access control lists because the capability list can't represent that, right? They can both represent exactly the same things. Yes, exactly. So the difference is actually not conceptual, right? They're not theoretical and information and can this one express different policies than the other ones? They can all three express the same policies. And so the question then becomes one of implementation, right? What's actually best and better to implement? So some of the things to think about access control list means we need to really authenticate the subject. So we need to know who the subjects are. So we need to be able to say, oh, this is process P and it's not. This is actually one of the key problems with security is if I can convince another process to do something on my behalf, right? If I can... So this was a classic kind of Windows example is I think it was like a UAC style bypass. So if a program that you just downloaded from the internet was trying to access the internet, like to connect to some command and control server or whatever, oftentimes that would pop up a warning dialogue and say warning, like this app is trying to make a network connection. And you say, oh, that's a bummer, but there's a really great app on Windows that is able to access the internet and doesn't have that warning. And that's internet explorer. So if I can just as one process, ask internet explorer to go fetch a website for me and give me the results back to the system, it seems like it's internet explorer that's doing that. And so it says, oh, great, internet explorer wants to access the web, well, of course, internet explorer is good. So actually the difficult challenge there can be how do you authenticate these subjects to make sure it's actually coming from them and not something else. Whereas the way capability lists are usually implemented is we usually, I think it's possibly a similar problem there, but the idea is that we can actually just, we can actually use crypto to prove that a process has access to something with the capability. And like I mentioned, you can have the ability for one process to basically delegate one right to another process. And then the operating system could cryptographically verify that. But of course, this is kind of the difficult things in there. Okay, this is just a different way of looking at that. And, okay. Yeah, other kinds of things to consider are the implementation things that we talked about, right? So access control lists. So the question that I always think about is, okay, we're using access control lists, right? Which means every file has a list of all of the, every process or subject on the system and what rights it has. So what happens when I create a new file? What do I have to do to that file? To make sure that the access control list is maintained properly. Yeah, to somehow figure out, okay, what access does this new file have, right? For every subject on the system, what access should they have? And so that's definitely, every time you create a file, you could do that. Now you could have obviously defaults or whatever. You could say whoever is creating this file is the owner of the file. So they'll have all rights on that file and everyone else will have no rights. And then it's up to the owner to use access control operations to change other people's access. So okay, so adding a file is actually pretty easy, right? We can just figure things out. What about adding a subject? So we add a new subject to the system. What happens? Yeah, yeah, we have to go to every single object in the system and add a row to its access control list of what access this user should have, right? So we have to go through every file on the system. Now, maybe we can say something like, okay, but the default rights they should have is no rights. In which case, maybe we can say by default, if it's not in the list, it doesn't have any rights. So we don't have to update everything. But if you have something running on your system that has access to nothing, it can't do anything, right? So it needs to have some access to some things by default. So you'd have to go through all those files that it has access to and create, add a row to each of their access control lists. Cool. So let's flip it around. So now we have capability lists. So now every subject, every process on our system has a list of all the files that it has. So what happens when we add a file now? Yeah, so we need every capability list needs to be updated with this new file. Or whoever has access to that file needs to be updated, right? So we have to go through all the subjects. What about adding or deleting a subject? The same thing. So we'd need to figure out, we don't need to go update every file, right? But we need to understand for all the files in the system, what access does this user have? So what rights does that user have? The difference is I don't have to go through every access control list on the system and update it with this new process. Instead, if I just know what I need to do, I just create that metadata, the rights of the process, and I add it to my capability list. So you can see the cases have different kinds of implementations depending on what operation you think is more likely to happen. If you're going to have frequent process creation and destruction, capability list may be more appropriate. Whereas if you have very frequent file creation, file deletion, like access control list would be a problem. And I guess to spoil it, we kind of use Vault. So modern access control systems are really complex and actually use a combination of things. Yeah, so the other thing is it can be a lot easier to do. So we talked about the principle of least privilege, which is like a single process or a single entity should have only the rights it needs to do its job and no more. So I think the example I made was the Snowden leaks, maybe, or maybe I didn't make that example, but Snowden was a contractor for the NSA and had access to a ton of information that did not involve information that was required to do his job. And so that's part of how he was able to get all that information and leak it was because he didn't have a least privilege access. So with capabilities, you may be able to create a system where a process just really has the rights to one file. So it runs, has rights to one file and then exits. You can still do the same thing in access control lists. Again, these are not fundamental differences. It just can be a little bit easier to express in capability lists. Okay, cool. So access review. So we talked about giant matrix is great because I can look at it and see, okay, I can look at a single file and understand exactly what subjects have rights to that file. I can look at any subject and see what rights they have across all files. But now we've split up that matrix. So if I'm trying to review the access of a subject, which would be better, do you think? Capability list, because I have the list. I can just leave the list, see all the files they have access to. In an access control list, I have to go through every object in the system, grab the access that that subject has and then create basically that same list out of there. Now flip that around for a file. If I have a super important file and I wanna know who can access this file, right? The access control list tells me, it says all the processes, boom, here's their rights. Whereas in a capability list to say who has access to the super important file, I need to go through every subject in the system, figure out what rights they have to that file. So this is kind of another way to kind of compare them. Yeah, the similar thing happens with revocation. If I wanna say, okay, I wanna make sure that like I gave access to, I don't know, a TA. I gave access to the TA to the midterm exam. The TA left is no longer at ASU. I need to revoke their access. It's a lot easier if it's a file, I can just change that access control list, delete their access, and then boom, they now no longer have access to that file. Whereas with a capability list, if I wanted to have that happen, or yeah, I guess the other way to think about it is if I wanted to delete everyone's access to an object except for mine, that's a lot easier with an access control list. Because otherwise I need to go through every subject and make sure that their permissions and their accesses revoke. Whereas with capabilities, if I just wanted to do it to one subject, that's easier. Let's see the question. So the cap, we can just somebody say subject S and say it has rights to file A through Z for access control that mean we have to add subject S to all files A through Z. Yeah, so exactly. It's really about kind of, you think about it as like iterating in some sense. What are you iterating over? Are you iterating over all the files or all the objects and which do you think is gonna be larger? Okay, cool. I don't think it's important that there's just an example. Because what we really want to get into is so, okay, but how does this theory interact with the real world, right? You've been using and playing with a Linux, a UNIX environment, right? The Pone.365 system. And so how does that hit the real world? So what's the UNIX access control model? So I guess the first question is, do we just do this? What's the problem in the real world? Especially put yourself in the mindset of somebody writing an operating system in the 70s, not in 2022, but you have this beautiful model that can express any kind of complex access control policy. What's the problem with an access control list? So I'm gonna store with every file this list. What's the problem there? Memory is very, very close. I have to store it, not necessarily in memory, but hard drive space. Yeah, this was like the era of, what's the famous Bill Gates quotes? Was it like 4K should be enough memory for anyone or something like that? Somebody finds it, like put it in the chat. This was like for the price of a, I don't know, 13 or 18 terabyte hard drive now. Like those are like roughly about $300, $400 now. I think for that price, you can get like a, I don't know, a megabyte hard drive. And that was like considered big. Yeah, that part's great. I mean, the complexity is another thing. But anyways, yeah, you can think like even if you use, let's say we just had read, write, execute, own, I guess we should use more, but let's just say read, write, execute, right? To represent that, we have to have three bits to represent those rights, right? Either a one or zero can read, a one or zero can write, a one or zero can execute, but then for every subject on our system, and again, this is a process, we need those three bits on every file. And if we add another process, we have to go for every file and add another three bits to it. If you have a large system that has a lot of users and a lot of subjects on the system, you're talking about like way too much space dedicated to storing this access control list and even the actual files. And so, oh, okay, cool. Thank you, Thomas. So Thomas is mentioning 440K ought to be enough for everyone. Oh, I guess that's a RAM limit. That's interesting. So it's not, okay, cool. So they said, okay, we actually are not gonna store this whole list. And this is where we'll get to a case where the Unix access control model actually can't represent everything from our matrix because we say, okay, this matrix is just impossible because it grows in every direction in an unbounded way. But we still wanna make an access control decisions, but we wanna do that in a way that saves space. So in the access control model, it uses 12 permission bits for each file. So there's 12 bits grouped into four different sets. And you can see these. So these are not, they're obviously the hard drive. I mean, the operating system stores them in metadata in the file system. But you can see this when you do, and you can see basically like these are the bits. And these, if you actually will get into it right now, if you've ever changed the file mod of the file, like chmod777, that's actually directly setting these bits on the file. So it means the 7777 would be the upper three bits are zero. The next, all those next bits are one, the 111, 111, 111. And that as we'll see means, hey, give access to everything. So the first three bits are the setUID bit, the setGroupID bit, and the city bit. We'll go over what they mean in a second. And the next three bits then applies to, so the next three bits are the read, write, and execute bits for first, so that's each three there is read, write, execute, read, write, execute, read, write, execute. And the first three, so I guess latter three three bits, this is weird to talk about, but I think you all know, oh, you can see my cursor, so. So these three bits, setUID, setGroupID, sticky bit. These three bits are for the files owner. So can the files owner read, write, or execute? The next three bits are for the files group. So can the files group read, write, or execute that file? And finally, the last one is for all. Can any other person who's not one of those three read, write, or execute the file? And that's it. So what do you need to know in order to make an access control decision in this model? Yeah. Yeah, so wait, let's take it a little bit, right? So you need these 12 bits, right? You need to be able to understand these 12 bits and then you need to understand what is the files owner? So there's actually some metadata you need about the file that's not contained in these 12 bits. You need to know who's the files owner and you need to know who's the files group. And then from the subject, you need to know who the subject is and what's the subjects group, or groups, but we'll get into that in a second. And then we can make the decision. We can look and see, okay, is this user the owner of the file? We can check, is the subject's user ID exactly equal to the owner ID of the file? If it is, then they have the owner permissions and we use the owner's three bits. Is the files group in the subjects groups? And it actually uses IDs, not names, so it's group IDs, it checks that. And then if that doesn't, and isn't the case, then it uses the last read, write, and execute. Let's like, we're gonna dive into these things. Okay, so, oh, I hear, okay. Last time I did this, I messed up my computer, so I don't want to, but I can't see what I'm typing. Yeah, it's a criminal story. Okay, so that file we just created was called foo. So LS, we can look, I'm sure you're getting familiar with this, LS, list directories contents. So it shows us information about directories and files. So we can do LS foo, or we can do LS dot, which says, hey, show us all the files in the current directory. We can do LS foo, which will just show us the file foo. And we can do LS dash A, I think, shows all information about foo. Nope, I did foo again. Yeah, I'll just keep happening. I'm okay, yes, okay. Oh, A is all, I see, I see, I see. So we can do, yeah, LS. So a typical LS does not show the directories dot and dot dot. It also, I don't know if there's any examples here, but it will also hide by default any file that begins with a dot. So that's why, if you ever heard of like a dot file, so in your home directory, you can put dot files. So files that begin with dot that are usually configurations for different things. So like I have an emacs.file and all this stuff. Yeah, so the dash A will then show me dot and dot dot. So it shows me all the files, all the files and directories in my current directory that end with a dot. And oh, LS dash A doesn't have that school. Oh, you just lied to me. Corey, I'm so disappointed. Okay, and then we can do L. So L is the long listing and that shows us a bunch of metadata about the file. And we will, ah, what's the difference between dot and dot dot? That's great. Yeah, it could be because I'm on a, this is on the Mac. So should we defend Corey's reputation? So please don't look like we have to start with the dot, Corey. Can you start with dot or on the left side? The hello, hello, I am level two. So I see the 408 dot global dot and 50.h. Almost all, do not list implied dot and dot dot. So it doesn't list the dot and the dot dot. So what the dot and the dot dot, so dot means current directory. So when I do LS dot, that means list out the current directory. I can always use a PWD to output my current working directory, so my current working directory slash home slash hacker. If I do CD dot dot, it traverses up the directory tree and I will now be in slash home. Oh, what did I do to search the man page? Yeah, this is good. So if you put hit slash, so slash, then you can type what you're looking for. So like dash A hit enter. And then if there were other ones, you can hit N to go to next. This is I think Vim key bindings or something, but this is just what I know for less or man pages or whatever. Okay. So let's go back to our home. All right, I guess we're gonna not use this system. So we can do LS slash LA shows us a ton of information. So let's do a foo. And so this is showing us a lot of information. This shows us the, so we'll see the difference. So the first bit in the output, so it doesn't directly compare with the, so you'll actually see there's, it's one, two, three. So read, write, execute for other one, two, three for the group and one, two, three for the owner. So those bids do correspond one to one with those bits that we talked about. So those are what nine bits there. We have these other three bits that will actually come out. We'll show you in a second. And D specifies directory. So this first bit, it's a D of its directory. I think there's other things for other files. If you looked at Yon's command line video, I think he talks about that at some point. Dash just means a regular file. I believe FIFOs or pipes or, I don't know, something else we'll show up there to indicate that it's a different kind of file. So, okay. So this is the first like chunk of output from LS dash L. So it shows us, what was that? I have no idea. That's interesting. I'll have to dig into that. Keystone sounds like a key sign. We can look at it later. Or if somebody Googles online and figures it out, that'd be cool. Oh yeah. P instead of D shows up for FIFO files. I think this number is the number of files in there, but I actually don't know. I mean, I don't memorize everything in here, but I do know that, so this one is the owner of the file. So this column says that some of these files are owned by the Adam Dean user. Some of these files are owned by the user root. The current directory that we're in, so slash temp is owned by root and the parent of us, so slash, so we're in slash temp, so dot dot is just slash. That is also owned by root. And then I guess for whatever reason, so I guess I know why, but all of these are also owned by the wheel group. The next column is the file size. And then I believe this is the last modification date, which you can use, you can use LAT, so dash T will sort by file name or sort by modification time. And I believe that capital T will sort the other way. And honestly, the only reason why I know this is there was a CTF challenge where you had as many code execute like shell code, or not shell code, but commands that you could execute as possible that you wanted, but you could only use, I think, five characters at a time. So what you do is use tricks of creating files of different names, and then you can use LS dash T to sort them by time and then turn them into other larger commands that you wanted to execute. Anyways, there's all kinds of insanity. We learned a lot about different types of options of things that I've never ever thought about, but anyways, okay, so, okay. So we can actually see, so I have this file foo that I created, right? We know that we had this file foo, and I have almost all the information we talked about that I need. I have the read write execute for the owner, the read write execute for the group, and the read write execute for other. And I also have the owner of the file, Adam D, and the group of the file wheel. I wonder if, yeah, cool. So dash N, so this is kind of a, it's common in a lot of things. It basically means don't show me the name of something, show me the actual number. So this actually also applies in TCP dump. When you're looking at network traffic, it'll try to translate a IP address into a DNS thing. But if you do dash N just tells me, hey, just show me the IP address because I'm only interested in the number. So that's why we can see in here the user ID for root on almost, I think it's every unique system is zero. And the wheel group, I guess on VST systems are zero. I wonder what the pseudo group is for admin or something for Linux, you could probably look at it. And my user's ID is 501. So again, the reason is it's much easier for a computer to know and remember, hey, this is your user ID, you like to remember IDs rather than just strings. So that's how we can actually see the real numbers there. So I have everything I need. Now, the one thing I don't know is about my process, right? So he said, we also need the process that you're running, what's its user ID and what's its group ID? And then we can make the access control determination. But I can use the ID command to show. I can see my user ID is 501, which is the name Adam D. But group ID is 20, which apparently is staff. My groups are staff, everyone, whatever this thing is, some app store thing, something else, the developer thing, what is this sharing? I can't see it, I don't have the screen, access SSH, access remote AP, that's fascinating. I don't know why I'm not in the wheel group, but maybe staff and wheel are similar. I, that's interesting. So, look back at Foo. So now we can predict based on all of this information that you can currently see on the screen, will I be able to read the file Foo? Yes, why? Say it louder. There's an R on the owner and what else? I should be able to read it and others can't. And why do we know that I can read this file? I'm not gonna read it, I'm the owner Adam D and my process is running as user ID Adam D. So, if I do cat Foo, it should work. And I can do CH mod, so the, and if you, so there's two syntaxes for changing the ownership of the file, I can do CH mod, I think it's owner dash W would be like apply owner and subtract, so minus write access to Foo. No, O is for other, I can't remember what owner is. A is for all. Okay, anyways, the point is there's two different syntax, you can read the man page, but when I do the actual like numeric values, I'm doing the bits exactly as they are. So six zero zero means the two highest fits, right? Six is one, one, zero. So read, write, no execute, and zero and zero are obviously zero with nothing. I can do four zero zero, which should be just only the owner can read and nobody else has any other rights, yeah. Say it again? Yes, how? Only the owner should be the owner and root. So root has full permissions over everything, root can change any file access. I'll actually show this in a second. Yeah, so now can I cat this file? Write to this file, right? Permission denied. So the operating system says, even though you own this file, you cannot write to it. I'm sorry, I won't let you write to it. I can't, also can't append to it, right? I can't, if I tried to open it up in Emacs, Emacs, what should we do with this, what's going on? Okay, yeah, that's good. First read only, this is a bug that y'all have gotten before. This is Emacs telling me, hey, I'm not gonna let you edit this file because even if you change it, you won't be able to save it. So what are we doing here? Yeah. I'm still the owner, I can still change it. Yeah, so now I can't even read the file, right? Zero zero zero, no permissions. I'm saying nobody can do anything to this file. Except if we run, so first let's use pseudo ID. Always fun to type in your password in front of everyone. Okay, so the root user, like we said, has user ID zero. I'm 99% sure that that's true across all Unix privates. Yeah, sorry. So that directly translates to those 12 bits. So those 12 bits of the first three ones, which we'll talk about in a second, sticky, no, sorry. Set UID, set group ID, sticky bit. And then the next one is read, write, execute owner, read, write, execute group, read, write, execute other. Or all. And that's what's literally, and those bits literally get set just like that. And so that's why I can do things like if I wanted to give others read access, I could do four. So four is just read access. So four is just read access. So one zero zero is four, right? Yeah, okay. Sometimes you're like, think you know a thing. Cause I'm like, anyways. So six is one, one, zero. So read, write anything that's odd means execute. So five would be read and execute with no right. And you just kind of iterate through those, all those possibilities. I cannot open this file. Why can't I? What was that? I don't have the permissions because the owner cannot read this file. I do not because I am the owner. So those rights apply to me. So it's kind of like a decision tree, right? First thing, check, is it the owner? Yes, then these bits apply to you. If that doesn't, if you're not the owner, then it checks are you, is the group ID the same? And if it is, then the group ID bits get set. And then it checks if you're everyone else, it doesn't have to check if you're anyone else. You can think of that the last, if else, pause. Yeah. No, because every process I execute runs as me. So even if I did, we can quickly pop, we can import subprocess, subprocess.wasit.run. Oh, you're all very familiar with this now. Isn't that awesome? Think about those of you that haven't done the API on it. You can just tell me exactly what to type in here. Yeah, that's great. So what I want to run is cat food, right? Oh, I need to put it in different things like this. Permission denied, right? Cannot read that file. Because, and let's run subprocess.run ID. So it's running as user ID, add MD. So it's exactly the same ID as me. And this is deliberate. So this is again, the parent-child relationship. We talked a bit about inheritance of what open file descriptors, so what open file descriptors you have. The child inherits from the parent. The child also inherits all of the ID attributes from the parent. So that's why. So when we tell, because what we talked about what subprocess is doing, just like you wrote in the C program, it's doing fork. So create a new process that has exactly the same ID permissions and then exec VE and that inherits also the ID permissions. So that's why all of this is maintained, which is very helpful because, hey, you don't really want to necessarily run as the root user or be able, users to be able to arbitrarily change themselves. So yeah, let's kind of keep going through this. I think this is probably helpful, not just, I'm gonna keep doing that. All right. Not only helpful to understand the access control concepts, but also understand more about the UNIX system that you're using a lot. So we showed, I can't cat foo. We saw I can run pseudo ID, so I should always be able to cat foo. So when I run a command as pseudo, like with the ID, that's a special command. We'll actually talk about why it's special in a second. That runs as root and will, is able to change its user ID to root and run as the root user. And that's why I can cat out that file. I think if I do chmod 0, 0, 0 cat, foo. Yeah, there we go. So I should be able to do pseudo cat foo. And even though there's no chmod permissions, there's a special check in the OS that says, if it's user ID zero, they can basically do whatever they want. Now, that's actually a huge security vulnerability because if anybody gets access to the root account on your system, your hose. So that's why there's actually other layers of security permissions. There's file attributes that you can set. So I don't know exactly how to do it on here. You have to look it up, but you can make a file immutable so that even root can't change or alter the content or delete that file. You can do all kinds of stuff to limit the root's power. Does anybody have a Mac and use something like Homebrew or stuff like that? No? All right. Anyways, the Mac is set up so that even root can't edit certain files. There's attributes that are set that make sure that the operating system ensures that they can't mess it up. Yeah. I've made some data on the user. Be very careful when you're doing a recursive delete. Yes, exactly. Especially if you forget to actually do the actual thing before you flash and you try to delete the file that you're trying to delete, you'll accidentally delete your entire line drive. Yep. That is... Yeah. Oh, you guys are hearing... Oh, sorry. I can't hear the beeps. I'll figure out how to disable that for next time. Sorry about that. The poor Zoom people. Every time I hit tab, it beeps. Okay. Okay. So we showed that. Let's see where we are with foo. Okay. Nobody can access it. Let's say zero, zero, four. I want to give everyone read access, except for me. So we saw that if I try to cap foo, that does not work. I can sudo. So sudo means run the other command as root. S-U nobody means change. I can't remember what S-U stands for, but basically this means like change might need a nobody user. And of course that didn't work because I need to get stuff by a shell. Still didn't work. All right. Less ETC. So yeah, this is all the... Was that because it has a negative user ID? What in the world? I'm used to doing this on a remote server. Oh, there's a lot of users that... What do we think? Log V? That sounds good. Root user, pa, pa, pa. CHmods, zero, zero, four. Foo, cat, foo. Sudo, S-U, nobody. We've been matched, so you're a nice mom. Okay, whew. All right, we're gonna roll. I am now a different user ID. I'm the user of nobody. If I do S-U-L-A foo, I can read the file even though the file's owner cannot read the file because of the file permissions. Woo. All right. Now, a question should be, how does the sudo command work? I can use which... You can use, if you're ever typing in a command and you don't know exactly where that command is, this searches your path to figure out what command is actually executed. So I can do L-S-S-L-A user bin sudo. And actually, I think I talked about this in assignment one, but now I actually have a lot of background knowledge here. So there's something very special about one of the bits that's set there. So this S, okay, I see. This S is set, so it's not X, but it's S. So this means a set. So this means that the execute bit is set and that's what, so the S implies X there and the set user ID bit. Yeah, so that's the higher most of those 12 bits. So the set user ID bit is very, very special and very dangerous and tells the operating system, hey, when you execute this process, don't execute it as the user who asked to execute it. Execute it as the owner of the file. So who owns this file? I don't own this file. You're a root user. I think the root user owns that file, which means when I run, I can run them. So if I did, where was sudo? Yeah, so PSAUX shows you all of the processes that are running on the system as well as extra information about them. The only thing we care about right now is this first one shows you that that process is running with user ID root. So that's because I ran the sudo program. Because of that set you ID bit, the OS ran it as not me, but the root user. And then that call the sleep command. So if we look at the sleep command, we should see, apparently lots, oh, yeah, yeah, yeah, yeah, yeah, because all of your stuff is sleeping, that's funny. We'd see this sleep command and if we dug in deeper, we'd actually see a parent-child relationship between those two processes. So that the sudo command has as a child the sleep command that are both running as root. And so this is actually a source of many vulnerabilities because now if I can find a vulnerability in this, in the sudo command, if I can find a vulnerability in here, I can execute it, that process runs as root, then I can exploit that process. There's actually a bug in a, I think it was a 12 year old bug that was found in a root, a set you ID binary on, I think it's default from going to installs up. If somebody can find it, put it in the chat, we're all composed about it later. But yeah, so that lets somebody who's not a root user on your system be able to execute as if they were the root user and then give themselves root access, change the root user's password, they can really have total control of your system. The challenge directory very similarly has, and actually this is part of the security of Pone College. I believe the only, if I did which sudo, I believe nothing on this system is set you ID as root, so nothing will run as root except for the challenge binary. So when we look at flag, those of you who just tried to catch flag, so our user ID is hacker, our group ID is hacker, we're only in one group hacker, and we can look at slash flag, a slash flag is only readable by root. And yet, every time you solve a level, it actually gives you the flag. How is it doing that? Because the challenge itself, here interaction level four has the set you ID bit. So it runs as root, exactly. So the other thing, so there's set user ID, set group ID. So set group ID is the same, but runs as the group, not the user. So you can do this for pretty complex things. And the other one is the sticky bit. And the other thing we didn't talk about is what these permission, so what does it mean to read a directory? It seems very straightforward with a file. You read, write, execute a file. What about a directory? What does it mean to execute a directory? You can see what the content is about. Yeah, so the, and that's the tricky thing with these permissions, right? Because they have the same 12 bit model for both files and directories. So they had to do things like, okay, for a directory read means you can list the contents of what's inside that directory. Write means I believe that you can create and delete files in the directory. And execute, what does it mean to execute a directory? Yeah, no, because the files have that themselves, right? So it doesn't make sense to add additional stuff on there, but yeah, it has nothing to do with execution. What it actually means is you can traverse through that directory. So you can access a sub-child directory. So let's look at a example here. So I can, and actually I'm gonna go back here. I'm gonna go to my home. I'm gonna make a directory called first, to make a directory first, second, a file, first, second, foo. I can access this, first, second foo, right? So let's look at the permissions there. First is read, write, execute, read. So nobody else. So what this means is if I do, oh, I can't, I don't actually know how to execute this as another user. Oh no. So the dash P will make all directories, which is kind of nice to not have to do them one after the other. We want to cat out to first, second, foo, first, second foo, second. Cool. So I can, so now if I run as the user, nobody, but I do sudo su, nobody, ls-la.slash-first, okay? There's the first directory and I can do, don't know if this will actually work out the way I want, but let's just try it anyways, don't we? Yeah, that makes sense. Okay, so I can list these files, right? So I can list the contents of the first directory because I have read access to it. I can also list the contents of the second directory. Now, if I go back over and I change first dot second, or first slash second, if I do a chmod, what do I want this? Seven, five, one. So now the second directory, everyone else, nobody, everyone else can't read it, can't write to it, so create files and can execute in it. So they can see what's in there. Or so they can't see what's in there. So if I go to first, I guess one other thing I should show is as the nobody user, I can't create a file inside the first directory. So even though I can list all the files, I don't have right permission, I can't create anything in there. I can then try to ls-la-first, second, and it says permission denied. I can't list the files inside that directory, but because I have the X permission, I can access files inside that directory. So this actually, yeah, anyways, on shared homework servers, this is how you can probe for files in certain places. You can guess the path that somebody else has. There's reasons why all these things exist. I think the only other thing is, I think it's in the slides, so let me, is the sticky bit? Yeah, the sticky bit, I always have to look. So sticky bit on a file basically means nothing. It used to mean sticky in the sense that the operating system should never swap this process out of memory when it's running, but that basically doesn't mean anything anymore. And, but it means on directories that people can create files in a directory, but not write or rename other files in that directory. So the main way that this is used is in the temp directory. So we want everybody to be able to write files in temp, but we don't want them to delete other people's files. So we want a writable attribute for everyone on temp, but we don't want, yeah, say it again, implicit zero for the most, the highest bits. Yeah, unless you deliberately state that this item is that high as the bit. Yeah, you can put seven, seven, right, which would do this sticky bit or the set UID set group ID, sticky bit. I mean, we can see the temp. We'll just do this real quick and then we'll call it a day. So there now through is, we can see both the set UID bit is set, that's the S here. We can see that the group set group ID bit is set because there's an S on the group execute and the T is set, which means the sticky file. So yeah, without supplying that, it's like a zero there. But thank you everyone and we'll see you on Tuesday.