Cool. All right, before we get started, I wanted to make everyone here aware of an opportunity for free money. Free money's good, right? It pays for school. No, I feel like I need a Marshall Mouse, but I'll stop. I'll just talk about what it actually is. So, ASU, if you're not aware, we're actually a nationally recognized Center of Academic Excellence in Cyber Defense Education and Cyber Defense Research, by both the National Science Foundation, the Department of Homeland Security, and I believe the National Security... what does NSA stand for? Administration? Agency? Agency. There you go, that makes more sense. Cool.

So as part of that, we have a super cool program. We just got a new grant from the National Science Foundation; I think it started about six months to a year ago, for I think four or five million dollars, to fund your studies. I will say "limited time offer", in the sense that it's not insanely limited. The idea is: the federal government, do they have security problems? Yes. Yes, they have security problems. Everybody has security problems; we're going to see more and more. All of these security concepts originated basically in military and government contexts; that's where a lot of this stuff came from. So they are very interested in getting really good people like yourselves into security, and part of the way they do that is to fund your studies.

So the basic idea is... you have to be a resident. For those of you that are not US residents or US citizens, I apologize, this will not apply, but we'll be back on in a second. Basically the idea is, for every year of your college that the government pays for, you get, I believe, full-time tuition and education-related fees. So you get your tuition paid for. You get health insurance reimbursements.
You get up to four thousand dollars per year of a professional development allowance, which, of course, allows you to go travel, do kind of cool travel stuff; a book allowance of up to two thousand dollars; and a stipend depending on what level you're at. So not only are they paying for your school, they're actually paying for you to go to school, which is a pretty cool deal. And all they ask in return is that for every year of your school that is funded, you go work for the federal government for a year. So if you get one year funded, you work for the federal government for a year. If you get two years funded, you work for the federal government for two years. I think that's the limit unless you're doing a four-plus-one program; I think they can do two undergrad and one master's. So this is at the undergraduate, master's and PhD level. So yeah, it's actually pretty sweet.

And the really cool thing to think about here is, once you've done this... so I know several students who've gone through this program; some of them have done jobs at the NSA where they can't tell me what they do, and an FBI agent comes and interviews me as part of their background check, which is always a super fun process. But the really cool thing is, so let's say... A, not only are you, like, giving back; A, they're going to pay you, right? So it's not like a free job; you're getting a job in the federal government. But if you decide that's not really for you, as soon as your time's up you can go back into industry with all this insanely awesome experience of working in the public sector. Specifically because a lot of these jobs require some kind of security clearance, which the federal government will pay for you to go through, that security clearance process.
And then once you have that, mixed with your experience, that makes you very attractive to private companies that pay a lot of money for those abilities. So, very cool program. Any questions on this? Yes? Is this available online somewhere? A super old version is, yes. I'm working on getting it up now. I can post a link to this PDF or something on Piazza, but it will be up on a new website very soon. If you're interested, please contact me; I'll be happy to connect you to who you need to be in contact with.

Yeah, I think it's very quick. I mean, if you applied... well, the deadline I think is tomorrow. No. I don't think we can retroactively cover stuff, but I believe Dr. Yao put the... This is very... yeah, so basically we can actually start Spring 2019, so that'll be next semester. For the upcoming semester we're going to start reviewing applications if you submit them by November 7th. But as soon as you start applying, people will be in contact with you, and so we can get that started. Yeah. I do not know the specifics; Steve would know, Dr. Yao would know the specifics better. I think you may still be on the subject. Well, I actually don't know. I would say my intuition would be probably work for a year, because working for six months is hard anyway, right? So that's my initial feeling, but I don't know the official rules, because selecting people and giving them money is our job; the contract you sign is not with us. I don't, I mean, I don't want you to break your contract with the government, but that's something you sign with the government, not us. So it's like I'm going to come down to your door if you quit within three months or something. Yeah.

Are there any further research or internship opportunities included? There are. There are. So it's part of this program. Let's see if I can find it. This is about applications. So part of this is that you'll participate in government internship programs.
And I believe around the January-ish timeframe there's a job fair in DC where all the people that are part of this Scholarship for Service program go, and so you get to submit your resumes to a lot of government agencies, and they can then see if you want to do that. So yeah, the idea is you work in the summer for an internship for a government organization, and they would try to help you, just like a normal company would help you find a place where you work well. Is there a list of those companies or not? It's not companies; they're all organizations. I'm sure there is one somewhere, maybe on their website or something, but yeah, it's all kinds of people. I mean, I think there are some people who are going to go to Hawaii with one of the army divisions there; we have people in Maryland doing secret stuff, all kinds of stuff. Any other questions? So I'll post this. I don't want to take up too much time, but I wanted to make you all aware of this, especially for, I think, juniors; you're at the perfect time to apply. If you're considering four plus one, even better, because you can do undergrad plus a little bit of grad school funded too. And it's pretty fun. Cool. All right, so then, on to class.

So, back to matrices. Cool. Okay, so what was the matrix model of access control? Subjects and objects. Yes, the way I've been talking about them has mostly been users; it could be a process, it could be any kind of other thing as well. And then what's inside, for a specific column and row? Yeah, the rights that those subjects have on those objects. Yeah, the rights that those subjects have on those objects. So this means that, for the system, you can say U has right r2 against G, whatever that means; it depends on the specific access control system. So we talked kind of, right.
Yeah, I think those, right now, especially at this high level... I mean, we're talking more technically, like I changed users to subjects. So we have subjects, objects and rights; that's how we talk about them. The rights, access, privileges, I think those are all... So what's the benefit of thinking about and modeling access control using a matrix like this? Yeah, super easy to determine who can do what on what objects, right? Because you can say, well, does Ken have right r1 on g? You look it up: you look up u, g, and you say no, he does not. What's the downside? Doesn't scale, right? How does it not scale? n squared. Yeah, the more stuff you have, the bigger this table gets, right, every time.

And I just mentioned that rows can be users or a process. So do you constantly have processes being created and deleted on your system? Yeah, what kinds of stuff? Some kind of background process that's checking if your computer's up to date. Every time that gets created you have to create a new row in this table, where you have to fill out all of the rights that that process has, and then when it goes away you have to delete that. And then, because every subject is also an object, you'd also be creating new columns and deleting them all the time. Yeah, every time the user types in a command, every time they, you know... So not only is it big for a static system, but we have to always remember our systems are dynamic and things are changing. So how do you solve this? Yeah? Classes, like a cavern? Okay, so use a tree. In what sense? Okay, so maybe if we order our rights in some kind of way that we can give hierarchically more or less rights, then you can have some kind of inheritance. So you make it as convoluted as any object-oriented programming project.
Yeah, generalize things. So for users, maybe instead of going by individual users, put them into various groups; that way that kind of cuts down on that. For processes, maybe kind of apply that to system processes, user processes. So we could try to group things; we could try to group users. So rather than having one row for every single user in the system, group the users. Group processes. What about the objects? So think of... so yeah, please. You could group them. Like how? How would you group them? So maybe the hierarchy kind of model, but turn the objects into some kind of a hierarchy, right? We have the set of all... I mean, I guess how do you know which is in which set? You still have to, like, put them in there, right? Yeah. So then I guess there you're kind of explicitly saying, if an object is in the set "public" then it means that any subject can read that object, so you're not actually specifically spelling out that every single user on the system can read that.

How do we actually implement this? With difficulty. Yeah, I guess that's most things, right? You do it difficultly. It's hard, and you do it carefully, and maybe you can make it work. But think about an operating system. How do you actually implement this? So let's stick with this access... this is the matrix model: big matrix, big table. Yep. No, but time to do this. Okay, let's... actually, good question. So how does the Linux and Unix access control model implement this? I mean, you can model it; you can model it based on that. Does it actually? So does every file have access options? What access options does the file have? World. World: read, write, execute by world. What are the... user or the owner, the group, and other. But does that mean you can give a specific user access, just one user access, to one file? Right, so essentially you're collapsing, right? So if you think about it, the Unix model doesn't actually implement this model. So let's talk about that.
We'll dig into that a little bit. We'll come back to some of the other questions we talked about. So in the Unix model, if we think about it, users are actually... nothing, really. Why is that? There is no spoon. There are no users. It allows you to group the users as you would processes, by rights. You definitely can. But what do... so you, as a user on a Unix or Linux system? There is a user directory associated with every user. How do you do stuff on a Unix machine? So think about, like, I know it sounds... but if you think about it, right, we talked about subjects as things that do things, that operate on objects. So when you operate on an object, how do you do that? You do what? You type in a command. What does a command do? Starts a process. That's the name of that command that carries out whatever logic you wanted to have happen.

So since we're getting there, I'm going to, of course... I turned off my VM, but, uh, there we go. I don't... I probably need to... I don't want to mess with that. I mean, I do want to, but I don't want to make it worse. "Application not responding", always the best. Okay, I think I can set up a Docker instance real quick. Okay, cool. So here I am. Everybody see this on the left screen? Is black on white better, or white on black? This is better? Okay, we'll stick with this for now.

Okay, so users on the system. How do I figure out what users are allowed to access the system? Where do I find the users on the system? There are no users, so: /etc/passwd. This is a file that contains all of the users on the system. So here we have a user root; we have user daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc... I've never actually read through all these before. nobody, _apt, systemd-network, systemd-resolved, because you definitely want those. We separate uuidd and messagebus.
So these are all the users on the system. But like we just talked about, so how do I list the current files in this directory? So I do ls. What is actually happening here? Is this some kind of magic voodoo? Yes? No, there's no magic; there's no voodoo. What's happening here when I type in ls and I hit enter? What am I even typing ls into? Yeah, some kind of shell. How do I actually figure out what shell it is? Huh? ps. So I can look at all the processes that are running, so I can see /bin/bash is PID 1; it's running as user root. So when I type in ls, what's happening here? Well, what's happening? So when I type in ls, where's that going? Where's that input going? Into the shell, specifically bash, specifically exactly this process here that's running. This is Docker, so I'm not SSHed in, but if I was SSHed in it would... the sshd, the SSH daemon, is listening on port 22. It sees somebody logging in; when they log in it checks their username and password with /etc/shadow, not easy root, and if that passes then it creates a shell for them as their user, and then it matches up the standard input to bash with the input that they type in from the network.

So I type in ls, then I hit enter. What happens? How does bash know what to execute? What happens if I type in foobar? Why doesn't that do something? How does it know when I type in ls? There's nothing called ls in my directory. There's a PATH variable, which... So, the PATH variable. And what does bash do with this PATH variable? It'll look for ls. It looks for ls in every single one of these directories, separated by a colon. So it'll look in /usr/local/sbin/ls, /usr/local/bin/ls, /usr/sbin/ls, /usr/bin/ls, /sbin/ls, /bin/ls, which it should finally find. And if you do which ls, it'll tell you which one it's going to find and execute, so it's going to tell you it's running /bin/ls. This is why, when you compile a program, how do you run it?
You just say a.out? ./a.out, because you have to give... a.out does not exist in any of these directories, and you'll notice that the current directory, ".", is not in your PATH. And you definitely do not want that to be, which we may get into later, but that's going to be a big security problem.

Okay, I type in ls. So bash has to first figure out what command I want to run, which in this case is /bin/ls. Or if we give an absolute path, we can say I want you to execute /bin/ls, which it'll do. And then what does it do? So it says, okay, I found /bin/ls. What does it do? Yeah? No, ls can't do that. Yeah, why not? So if we go forward a little bit. So, okay, so I type in ls; bash figures out what thing I want to execute, /bin/ls; something happens; and then what actually lists whatever directory information that I want? Technically yes, not quite what I'm going for. Yeah, so what lists out this directory, like where did this output come from? ls. ls, which is a program; it's an executable on disk. We can look at /bin/ls. We can see that it's an executable, and we'll get into the permissions in just a second: 133,792 bytes of ls.

And so if I do something... this is not going to work. Oh, sorry, I just want to do this because it's a bit easier. Okay, so if I run a screen terminal... ash, but that's okay. All right. So all I want to show here is, if I do something like cat. So cat, if you just run it by itself, what's it doing? Just waiting for whatever you type in on standard input to put on standard output. So you can think that you have a really nice friend. Hello. And if we go over here, we can see that if we run ps aux we can... what I wanted. Okay, we can see that there is... okay, here we go. And that was my scrolling. Okay, we can see here that it should be here, right?
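The PATH walk described above (bash trying each colon-separated directory in order until it finds the command, and "." not being in PATH), as an added example that is not from the lecture. The list of files standing in for the disk and the directory names are constructed; it also covers the case the lecture only hints at, a "." or empty entry in PATH making the current directory searched first.

```c
/* Added example, not part of the lecture: how a shell turns "ls" into
 * "/bin/ls" by walking PATH. A constructed list of paths stands in for
 * the file system so this runs offline. A "." (or empty) PATH entry means
 * "the current directory", which is why the lecture says you do not want
 * it in PATH: whatever directory you happen to be in gets searched first. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the disk: the only paths that "exist". */
static const char *const FILES[] = { "/bin/ls", "/usr/bin/chsh", "/tmp/ls" };

static bool file_exists(const char *path) {
    for (size_t i = 0; i < sizeof FILES / sizeof FILES[0]; i++)
        if (strcmp(FILES[i], path) == 0) return true;
    return false;
}

/* Resolve `cmd` the way bash does. A name containing '/' (./a.out, /bin/ls)
 * is used as given and PATH is not consulted; a bare name is tried in each
 * PATH entry in order and the first hit wins. `cwd` is needed only for a
 * relative name or a "."/empty PATH entry. Writes the path found to `out`
 * and returns true, or returns false (out = "") when nothing matches. */
bool resolve_command(const char *path, const char *cwd, const char *cmd,
                     char *out, size_t outlen) {
    if (strchr(cmd, '/')) {
        if (cmd[0] == '/') {
            snprintf(out, outlen, "%s", cmd);
        } else {
            const char *rel = strncmp(cmd, "./", 2) == 0 ? cmd + 2 : cmd;
            snprintf(out, outlen, "%s/%s", cwd, rel);
        }
        return file_exists(out);
    }
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.'))
            snprintf(out, outlen, "%s/%s", cwd, cmd);      /* current directory */
        else
            snprintf(out, outlen, "%.*s/%s", (int)len, p, cmd);
        if (file_exists(out)) return true;
        if (!sep) break;
        p = sep + 1;
    }
    out[0] = '\0';
    return false;
}

int main(void) {
    char found[256];
    const char *path  = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
    const char *risky = ".:/usr/bin:/bin";   /* constructed: "." placed first */

    if (resolve_command(path, "/tmp", "ls", found, sizeof found))
        printf("ls           -> %s\n", found);          /* /bin/ls, as `which ls` reports */
    if (!resolve_command(path, "/tmp", "a.out", found, sizeof found))
        printf("a.out        -> command not found (not in any PATH directory)\n");
    if (resolve_command(path, "/tmp", "./ls", found, sizeof found))
        printf("./ls         -> %s\n", found);          /* explicit path, PATH skipped */
    if (resolve_command(risky, "/tmp", "ls", found, sizeof found))
        printf("ls with '.'  -> %s (searched before /bin)\n", found);
    return 0;
}
```

Running `which ls` on a real system shows the same first-hit answer the function returns, which is the quick check that "." or an empty entry has not crept into PATH.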
Yeah, so process 174 is a process called cat that is running, just like there was a process bash that was running. Does anybody remember off the top of their head how to do the parent-child relationship in ps? You want the tree, right? Yeah, thanks, okay, cool. And if I make that smaller it will actually make sense, if I can rebind my keys. I have no idea. Okay, we are stuck at this zoom forever. So we can see that we started with the original /bin/bash, which then actually executed screen. So screen is running, except screen will actually constantly be running without my bash session, which is why it's not a child of bash. And then under there we see that we have a /bin/sh where I'm running cat, and the /bin/sh where I'm running ps auxf. So this is two of those different applications. Anyway, the point being that my sh, my shell, in the other window of screen is running cat. And so if I go over there and kill it and I rerun this command, I should see that it goes away. And it did; it went away. And if I kill all of this, get out of screen, screen terminates; ps au... That's handy, thank you. I'll see that all of that went away, so the only thing that's running is /bin/bash.

Okay, so we know that there is a process; when we type in ls, eventually what happens is a process runs that does what? Yeah, when you run it just by itself, it lists the current directory. What happens when you type in ls -la? Yeah, so are these special arguments to bash? No, special arguments to ls. So all bash does is actually look at whatever you type in, which is just a string, and... Have you taken 340 yet? Are taking it? Yeah, awesome. So basically you use compiler techniques to parse the string and separate it by spaces so that you can figure out what's the command, the first argument, and then what are the arguments to pass to that new program. So the entire thing... this is a process, or that is how... So this is what's happening.
So this is an important concept to remember. You are doing... what am I actually doing on this system? Nothing. I'm giving input to bash, and then a process runs to then do whatever I wanted to do. Okay, now we can step back for a second. How does bash actually start a new process? Can bash do it? Is it a special process? To where? To the kernel, the operating system, right. The operating system is what's keeping track of every process on the system, and it's the one that will execute it, and it specifically is the one that's going to do that check of: can you actually execute this? Like if I just did /bin, what should happen? Nothing. Why? It's a directory. It's a directory; not only is it a directory... well, it doesn't matter. It's an executable directory, but... yes, it is a directory. It's not executable. So this error I believe should come from the kernel, but I'm not actually 100% certain now.

And so how does the operating system know that you can execute /bin/ls? How do we parse these first... this first... for the 6, 9, 10. How do we parse these 10 things here, the first 10 characters of the output of ls -la? How do we, like, not write a parser to do it, just understand it as humans? Yeah, first is for the directory. Not quite. Cool, this is something special which we'll get to. I know the next three are what? Owner, group and other. This is read, write and execute, which means that the owner of this file can read, write and execute it. How do we know who the owner is? It tells us. It tells us where? Yeah, after here... I don't know what this is. After here is the owner, then the group, and the group is root. I know a lot of these things, but I don't know what that is. Here's the number, the size of the file, the number of bytes. The date it was probably modified, I'd say, but yeah, I'm not 100 percent certain. And this tells us what the file is. So this means that root can change /bin/ls, the group root can only read or execute it, and everyone else on the system can only read and execute it. Why do you want...
Why don't you want anyone on the system to be able to write? Yeah, so you can't change ls. I mean, you could; I'm root on this system, I guess I could change it. But fundamentally what that means is that anybody could write to, change, ls. And why is that actually a big deal? So when I'm running as... so I guess I just destroyed the concept of "me", which makes explaining slightly more complicated. But bash... yeah, please. I can't hear. Yes. Someone can put whatever code they want right there in ls. Yes, and what... so, okay, all those things are true, but to understand what, actually why that's actually a problem. So if I do ps auxf... So bash, okay, so the thing we said is, okay, so users are nothing. But how does the operating system check? So we just saw that /bin/ls... so I do, let's see, su nobody. And I think I need a shell. Okay, so now I'm running as user nobody. Right: nobody, nogroup. So should I be able to change /bin/ls? Permission denied. That's good. Were any of you worried that I was going to be able to change it? No. So I can't do it. I can execute it. But the question is why.

So what's the difference? So I'm running two different bash sessions here. What's the difference? How does the system know? Or how does... because where does this output come from? Does this come from Linux, or the operating system? Bash. There's just bash. There's just a bash prompt. So how does bash know that I am nobody, and that I logged in as nobody? So what is the output? We did ps auxf. What's the output here and here? It's a little bit nicer because you have column headings. You have user, the process ID, the percent of the CPU, the percent of memory, I don't know, something about the virtual size of something, another thing, more stuff, time, command. The important things are command, so what does this mean? So what does the user mean here?
Who initiated the bash prompt and then ran the command. Yeah, kind of. I mean, it's who initiated that bash prompt, or it's really metadata attached to a process that says what user, you can think of, owns this process. And that is what is used on all the authorization checks. So the fact that I couldn't, as nobody, edit /bin/ls... I can even try. Yeah, so I can try to write to it, and Ctrl-W, name the file, right: error, permission denied, which is good. Exit, save buffers? Absolutely not. So why is that? Because bash, well, bash ran nano, and they're all running as user nobody, and so the operating system, when it says "can this process" (remember, not the user) "can this process change this file or write to this file?", the operating system looks at the file and says, well, who are you in relation to this file? Are you the owner? Is nobody the owner of this file? Is nobody in the group of this file? No. Therefore it must be other. Can others write to this file? No.

So yes. The reference to the user, I'd say it slightly differently, but yes, I would say that each process has metadata associated with it. The important thing is where do you want to put that information? If it's in the process itself, the user could change it or modify it, so that information is kept in the kernel, which keeps track of every process, who's the user. Oh, yeah, so you think about: how do you even write, open files for reading, or write to files? When you're writing in C, fopen or open or read, that actually all calls down to system calls, because you as a programmer, do you want to worry about what sector this file is on the hard drive, or how to parse an ext4 file system to figure out how to follow symbolic links to then... No, you don't want to do any of that, unless you're writing a kernel, right?
The whole point of an operating system is that it abstracts that for you. So this means that the operating system, on your behalf, must open a file for reading or writing, and that's what will reject you and stop you from doing that. Yeah, yeah, are the first rwx for the... for the group, user, I guess? Yes. So for the owner, and you can tell it's that owner because of root. So we'll do another example here where I will change directory to /tmp. I will, uh, echo "Hello" to my file. I can look at my file that just got created. So here the owner of this is nobody and the group of this is nogroup. So the owner of this file can read and write it; everyone else can read it but can't write it or execute it, which is nice. This means that nobody can change this file. Yeah, that's why I was asking about the... pirate two groups? The other two, these groups, are they for other users, I guess? The other two, these groups. Yes. So this is... is the process that is trying to... and it gets even more complicated, but we're not going to go into it that far. This is: is the process that's trying to do something to this file the owner, the group, or anyone else, whatever the group of the file is. So here the owner is nobody and the group is nogroup. Is that a group of users? Yeah, so if you look at /etc/passwd, like we talked about, /etc/passwd is all the users on the system, and then /etc/... I think it just is group, or groups. Yeah, group. /etc/group has all the groups on the system.

Which is how you can do things like... so when we looked at the matrix model, we said, okay, is it possible for me to give read access to two users on the system and no other users? With the matrix model, yes. Yes, it's possible to do anything in the matrix model, right? You can express whatever access control rules you want; it's very easy. You give the rights to those two users you want, to that specific object, and you're done. But in Unix, does it have a nice easy way to give just two users access to a file? Sort of. Not an easy way.
How would you do it? You have to make a group with only those two users in it and then change the owner of that group, or change the group of the file to that group, and now those two users can access it and nobody else. But then what if you now have another file that you want two different users to have access to, but one of them's the same user? You'd have to keep creating multiple groups, or if you have a file you want to share with three people that's a superset of just those two people, they have to figure out how to do that, which becomes a huge pain. All right, cool. So that was a, let's say, digression, because this all comes up. So here in Unix, what we came out with is a process.

Yeah, I don't need to go back, but please. How exactly do they manage, like, adding yourself to a group? Are permissions there managed... wouldn't it just be easier, like, if anyone can add themselves to a root group, and then it would be super easy? Yes. Okay, so... let me look real quick. I can't remember which file lists all the members in the group. This lists all the groups. I don't remember, actually, off the top of my head. Okay, but it actually is. So I'll answer that question in a roundabout way. So we have this file. Would you say that this /etc/passwd file is important? Why is it important? It defines all the users on the system. So if you want a new user on the system you just add a new line to this file. Should anyone be able to add a user to a system? Yeah? Yes? I don't have systems. Do you have any? It's going to be a nightmare. No, I mean, usually on most systems you want just the administrator to be able to make new users, right? Or think about a more concrete scenario: when I give you all access to one server, do I want any of you to be able to just create new users?
No, I do not. Okay, but we look at this /etc/passwd file. One of the things in this /etc/passwd file, so the way to read this is: the name of the user; the second field used to be the actual password. So it's a little bit of a history lesson why it's called passwd: because it used to store hashed passwords of all the users on the system. As we'll see later, that's a terrible idea, so they moved that to /etc/shadow, which I can't get to. If I do ls -la you'll see that only root can read or write that, and the group shadow can read it, but I can't read it. So if I wanted to try to get to everybody's hashes, I can't do that. Okay.

So we go back to the /etc/passwd file; I'll scroll up. So we have the name of the user; a password, a hashed password, x means go look in the /etc/passwd file; we have, I believe, the user ID of the user and the group ID of the user. Oh, I'm not 100% certain. I think for most of these they're exactly the same, except apparently for sync, for some reason. So the idea is this is that user ID. So you think about, in the kernel, do you want to keep a string for every process about what user it is, or what user that process is? No; strings are dumb. You want to use numbers, right? I mean, they're not dumb; they have a lot of problems, right? So use a number, and you can always go back to this file to map the number to the name. Okay. Then you have, I think this is the group, although I'm not certain, but at the end here you have their home directory. So root's is in /home, or root's home is /root. And what is the last element here? The shell, the default shell that the user uses. Why? Do you want users to be able to change which shell... what does the shell mean? Yeah, it's like the thing that you're interacting with that's parsing all your commands and then spawning a process to do your bidding and telling you, and doing all that cool stuff like file redirection.
So redirecting things to files, all that kind of stuff happens there. Cool. So do you want to make... if you're an admin of a system, do you want to force all your users to use the same shell? It depends on the system. I mean, I guess through the military the answer is always yes: do you want to restrict things? The answer is yes. For a normal system, no. There are many different shells. You can run bash, you can run sh, you can run zsh, you can run, I don't know... Is anybody... I think fish is another one I've heard of. Does anybody run a weird one that I haven't heard of that's actually a real one? Okay, Korn, but that's not... an old one. Okay, cool, new one. It's not ksh? Yeah, it's like k or not... I think... I can't remember exactly what the name relation is there, maybe the person who wrote it or something. I think it was like csh and then they were just like, oh, we're like a ksh. Okay. Yeah, interesting.

Okay, so I'm a user, so I'm user nobody. I want to change... well, and so here you can put, if you don't want people to be able to log in, you put it to something like this, but... let's see. I do not have... so I'm going to actually get on a different system really quick. You guys aren't letting me access the internet. Okay. We'll see if this works. Live demos on real systems; I actually broke my system in one of the classes doing exactly this. Oh, slowly coming up. Okay. So I'm logged in as a user ubuntu on this system. This is actually a submission system that's running all your stuff. So if I look at passwd I can see that the ubuntu user is using /bin/bash. But man, I really... exactly what I want, but that's fine. We'll be a little bit... no, no, no. Okay. Okay. All right. Okay. So /bin/bash. So user ubuntu's shell is /bin/bash. But man, I really want to try out this super cool sh prompt, because look at how much better it is; sh is such a better shell. And so how do I change my shell?
Okay, so maybe try to edit, vim /etc/passwd. This will not work. It's open read-only. There's no way to change this file. Um, okay, that's not going to work, vim is stuck. I think it's the network. Oh, there we go. Okay, get my quit. Good. Okay, so I can't change that file. What should I do? How do I do it? chsh. I don't have a password, but I definitely am not going to show everyone here my password. Okay, so normally you type in your user's password. I'm going to run this as root just to prove a point, but you can change your own password. Okay, I promise that. So I'm going to change it to /bin/sh, and then I'm going to cat /etc/passwd, and then we will see that I changed this line in this file to /bin/sh. How was I able to do that? Did I just fundamentally break Unix's permission model? Seems like it, right? I was able to change this line in a file that I have no write access to. Who's the only person that can change this file? Yeah, okay, but let's pretend I did. So I mean I could create a password right now and then change it, but I don't want, I'd have to make a good password and make sure that you all can't log into this system as this user. It's like a whole thing. So I'm not gonna do that, but you can change your shell without running as user, without running as root. I promise you. Yeah, we need some kind of process to act as root. How did I change my shell? Okay, we look at, see, /usr/bin/chsh. What's different about this executable and other executables?
There's an s here. Instead of execute, they have an s here instead of an x. This is super, so the s stands for, super important, it stands for setuid. What this means is this is a special bit which says when you run this process, run it as the user that owns this process, not as the user running this process. Normally if we ran chsh it would run as our user, which means that it can't edit the /etc/passwd file. But if this /usr/bin/chsh is running as root, then it can obviously read that file and edit that value. So what was the original question that sent me down this rabbit hole? No, that was my question. Yeah, it was like, what's stopping you from just adding yourself to a group. Yes. Okay, so this is what's stopping you. So, um, so the idea is, in order to do things like this, to give, so you can think about, basically it's like giving very limited powers to a user. Right, like you don't get full root privileges, but you can change just your shell with this program. Or you can, let's say, get added to a group. So one thing about groups is you can have a password on the group. If you know that password you get added automatically to that group, and anyone can do that, and that's, I think it's like, I actually don't remember the command to do that, but it's one of the commands and it's definitely a setuid program. And this is how everything works, basically. So this is fun. Cool. Okay, so we think about Unix. We've dispelled the notion that there's any such thing as users on the system. It's all, it's all processes. So we have subjects as processes, we have files as objects, and we have the rights. So we have read, write, execute. We didn't talk about it, but there is an append. You can, on newer things, you can have append-only files. I think it depends on, I'm not sure if it's exactly the file system or where that happens, but. So why is own a right? What do I mean by own here?
You gotta change who owns the file. Yeah, you can, so you can, well, you, you own the file and that gives you more privileges than if you can just read, write, execute. Right, and this is simplified because we don't have the group ownership on here either and we don't have concepts of groups here. But still, from here, so we can think about these very simply: read, write, execute, append. So we can now represent, you know, any kind of access control model in a real-world Linux system in this way, so using our, our super handy-dandy expressive matrix. Not going to go into this. So we've talked a lot about the access control matrix benefits and drawbacks, so I'm not going to go into more details here. Um, talk about how do we implement an access control matrix? So like we said, Unix, Linux, the operating system is the thing that checks: can you edit this file? Can you read this file? Can you execute this program? We even saw the crazy thing, that setuid, where it will actually elevate your privileges to root just for that process that's running. I mean, so, are you gearing up for technical interviews at any point soon? Yeah, so one tip for technical interviews is, you should all, like, silence is weird. So you're just sitting there like... It's a back and forth communication between the interviewer and you. They want to see how you think. They don't, they don't just want to see can you solve this problem, they want to see can you think through solving this problem, right? Because that gives them more insight into you. So one of the things that can happen is you just, like, you hear a problem and you just, like, think for a while, and you're like, what about this? And then it doesn't work. Uh, one of the best things to do is just do the, talk through your approach. If you have no idea what to do, talk about the stupidest, simplest, dumbest approach that you could possibly do. Question. Okay, perfect. What? Yeah, yeah, so like it seems that the columns are... What's the naive way?
I mean, how would you just implement it? So as metadata. Um, that will be the column. So one way to do it, so one way to do it would be the dumb way here. I mean the not dumb, I would say the simple way, right? Simple is not bad. The simple way is you just have this matrix in the kernel. You can do two-dimensional arrays. Please pretend that you do, and then go learn very quickly and come back. You can do two-dimensional arrays. It's just a two-dimensional array, right, or a hash table. It's a hash table of hash tables, basically. So you can also do it that way, right? You can do it in all kinds of, of ways. But you just say, and for every access you just look up what this process wants to do. Does the process have the right to this object? Look it up in your table. What's some of the problems there? It's very large, just like we talked about, right, so the operating system has to have this in memory. It's also very dynamic, as we talked about, things can constantly be changing. So you have to worry about issues to do with parallelism. What happens if multiple processes try to interact with this table at once? So you probably want to serialize access to the table, and then you have all these crazy problems. So how else could you implement it? As a part of the file. So for each file, how would you do it? I mean not like super detailed blockchain, but I know to do this like a high level. Okay, though, let's go a little bit higher level than, than Linux, and let's say we don't, we want to be a little bit better than Linux in some sense, right, and just say, okay, well, what if we want it like, rather than collapsing everyone into this owner, group, or, or everyone, what if we wanted to keep track of what every user can do on the file? Yeah, so what aspect? Yeah, good. Okay. So what aspect of this table is this? So for every file, so for F, what are you going to store on F?
Yeah, so that column, right, so for every file you think about the column. And you start with, every file, the rights of every user on that file. Doesn't scale. How so? With many users. Yeah, and so what happens when you add a new user to the system? You have to go to every single file and update every file to add that metadata that this user has those rights. Does that data also transition to other systems as well? Yeah, that's a huge, I think a general-purpose problem that we'll ignore for now, of how do you, and this happens if you've ever run like an NFS file share or a Samba share, of like dealing with access control between Unix and Windows. It's like a huge thing. Yeah, is there like, if we store like that metadata with the file, isn't there like a security problem, like if you're able to edit that file? Yeah, so we definitely need to make sure that, that the metadata is not accessible. If we just said, well, the first part of every file will store 100 bytes of the size of this column that we need, well then every application, if they're reading that file, if they read those 100 bytes they can just change it and add stuff. So, well, assume that we're doing it in such a way that a process itself can't change it. What are some, what are some other thoughts on this model? It's like, it's less of a model, more kind of like an implementation. So then rather than thinking about it in terms of columns here, think about it in terms of rows. About, so for each user, store metadata about what files that user has permission to. Yeah, what's the slowest thing on a computer? Probably the user, actually, now that I say it, but what's the second slowest thing? It's actually a fun game. I'd say no, not this. It's still the user logging on. Not hard drive. Fastest thing? Yeah, CPU, or like even transistors if you want to get to that level. Put on network, the network's slow. Yeah. Yeah, like network communication. So I'd say the user, network communication. What's after that?
I say storage, disk. Yeah, this, this is super slow. I mean spinning disks are really, really slow. SSDs are by comparison very fast, but it's still very slow. So you think about a model like we talked about with the columns, where every file, so you had a new user who has read permissions to every file on the system, you now have to go and write and change something in every single file on the system, or the metadata associated with every single file on the system. You're going to kill your hard drive and probably end up killing it. So that's how, so the other way of what we talked about is, well, for each user. So then let's, let's go that direction. So let's say, okay, the operating system, rather than creating this huge table, then just thinks about, well, for a specific user, specific process, or I guess subject if we're going back to this model, you'd store the rights to all of the files for that user. So what are some of the benefits there? And every time a file is created you have to update that for all the users on the system. Yeah, every time a user is created you have to go through all the files that they have rights to. I'd say that between the two, file creation is a much more frequent event than user creation, and especially because you have lots of temp files being created all the time. Yeah. They're the only user that has access to a specific file and we have something that's just going to sit there for... Yeah, that's an interesting case. Yeah, you have this case of, what, like orphan files, right? Where you delete a user and now these files are just hanging around. Cool, good discussion. So you just invented two different models of access control. Look at this. Yes, awesome. So access control lists are exactly what they sound like, and this is exactly what we talked about, where each column of the access matrix, you store that with the object. So one of the nice things here is, what do you do about a user who has no rights to a file?
Yeah, you do default deny, and you would not store anything there. But you don't store, well, who has zero rights and bar has zero rights, right? Because then you're just wasting space. So that is a nice thing here. And so the flip side here is thinking about this, and again it's just slicing this matrix in different ways. So the capability lists are exactly what we talked about. So it's thinking about, and the way to think about this is, okay, an access control list, like on a file, there is a list of who can access that file and what rights they have. Whereas the capability list is what capabilities does a specific user have, can they, what capabilities do they have to the objects? And this is just rows. So it's very simple, exactly what we talked about. Okay, we've actually talked about some of the interesting parts here. So in order to do an access control list you need to be able to authenticate subjects. Why is that? To figure out who, who's accessing the file. Yeah, otherwise I'll just lie and say that I'm the group user, like, give me all the access to this file. Uh, capabilities. So assuming you do it correctly, so if we go back, capabilities are what we talked about where each user has a list. The kernel can actually even give you this list, and then we'll talk about some crypto things later in this course, in an unforgeable manner so that you can't change it, but they can, the kernel can verify that yes, these capabilities are legitimate and are for, are really you. So this means that you don't need to authenticate them every time. But you need to be, there's like a lot of caveats. If you can just, it's like a key, right, like a physical key. You can give a physical key to somebody else and they can copy it and give it to somebody else and copy it. You can't control that propagation. But if the operating system can control that, then you can do some cool stuff.
Okay, this is exactly what we've been talking about. Okay. They are very, so one of the nice things is, if we think about the access here, I'm thinking about, okay, with capabilities you can actually voluntarily get lower capabilities. So if you wanted to say, well, I actually (bless you), if I actually don't want to write to this file, I just want to read this file, then that's very easy to do with capabilities. You just say, well, remove these capabilities, because you're just, like, restricting yourself. Why would you want to do that? Restricting yourself, fun. If it's a crucial system process, I may not necessarily want to be able to mess with it, but I may want to see what it's doing. Yeah, exactly. So, so think about, well, we're, we haven't got there yet, but you need to be root on a Unix machine to bind to ports below, I think it's 1024. It's like, what port is web traffic on? Port 80. Which means who can bind to port 80 on a Unix system? root. Which means your web server must run as root in order to bind to that port. Do you want your web server, where anyone on earth can contact it, which has possibly remotely exploitable vulnerabilities, running as root? Oh, definitely not. That's actually that www-data user, I think, that we saw earlier. So the, um, there's a way for, well, it's actually a lot of ways, and Linux actually has a capability system so that you can say I want to run as root, but I only want the ability to open a socket, so you can't do all root capabilities. You can just do one thing, or like this, where you just want to be root to open the socket and then you want to change to a different user, essentially dropping your capabilities. So, capabilities, this is again here.
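The "be root just long enough to bind the socket, then become www-data" pattern from the paragraph above, as an added example that is not from the lecture. It is plain POSIX uid/gid dropping, not the Linux capability system the speaker also mentions, and it assumes Linux (it uses os.setresuid/os.setresgid so all three uid slots are changed, otherwise the saved uid would let the process climb back to root). Nothing here needs root to run: the demo drops to the caller's own ids when it is not root.

```python
"""Bind a low port as root, then permanently drop to an unprivileged user.

Added example, assumes Linux. Not the lecture's code or any real server's.
"""
import os
import socket

UNPRIVILEGED_UID = 65534  # "nobody" on most distributions; stands in for www-data
UNPRIVILEGED_GID = 65534


def drop_privileges(uid: int, gid: int) -> None:
    """Give up root for good. Order matters: groups, then gid, then uid.

    If we set the uid first we would no longer be allowed to change the gid,
    and the process would keep root's group memberships.
    """
    if os.geteuid() == 0:
        os.setgroups([])                 # clear supplementary groups (root only)
    os.setresgid(gid, gid, gid)          # real, effective, saved gid
    os.setresuid(uid, uid, uid)          # real, effective, saved uid


def privileges_dropped(uid: int, gid: int) -> bool:
    """Defensive self-check: all three ids changed and root cannot be regained."""
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        return False
    if uid == 0:
        return False                     # "dropping" to root is not dropping
    try:
        os.setuid(0)                     # must fail now that the saved uid is gone
    except PermissionError:
        return True
    return False


def bind_then_drop(port: int, uid: int, gid: int) -> socket.socket:
    """The web-server pattern: bind while privileged, then shed the privilege.

    The bound socket stays usable after the drop, because the permission
    check happens at bind() time, not on every accept().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))        # port < 1024 needs root at this point
    srv.listen(5)
    drop_privileges(uid, gid)
    if not privileges_dropped(uid, gid):
        srv.close()
        raise RuntimeError("privilege drop did not take effect; refusing to serve")
    return srv


def demo_drop() -> bool:
    """Run the drop and self-check; targets our own ids when not started as root."""
    if os.geteuid() == 0:
        uid, gid = UNPRIVILEGED_UID, UNPRIVILEGED_GID
    else:
        uid, gid = os.getuid(), os.getgid()
    drop_privileges(uid, gid)
    return privileges_dropped(uid, gid)


if __name__ == "__main__":
    print("dropped and locked:", demo_drop())
```

The self-check is the part worth copying: a server that only calls setuid() and never verifies that the saved uid went with it will still be able to setuid(0) later, which is exactly the outcome the drop was supposed to rule out.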
We're kind of, when we talk about the differences between access control lists and capabilities, they're very, they're two different views of the same model, right? So fundamentally they're the same, and it really comes down to kind of fine-grained things of when some things can be better. For instance, like, if we wanted to create some process to just do one thing to one file, we could give it the capabilities to only touch that file, and we know if it goes rogue and starts trying to delete all the files, it fundamentally can't, so it doesn't have those capabilities. Do you want to know, if you're administrating a system, who can do what? Why? You have this beautiful model of all the access control, right, that I've ever used in your system, right? And those things, actually, to verify that the system's in the state that it should be in, right? This is something that if you're taking this thing seriously, or you think about a company, we think about access control in terms of physical access to the building. What are some cases you would want to detect? Password changes, well, file removal. What about who has access to the building who's not an employee? Right, who has access to the building, and you want to correlate that with who's actually an employee? Are people's access getting revoked when they should? Um, you think about, like, the ISIC access system. That's another thing I think, to deal with that, they just restart everyone every semester or something, and so you have to reapply for access if you need access. So for access control lists versus capabilities, if you want to review who can do what, what's easier? Maybe capability lists, since you can just see the users, what they can do by... Exactly, you go look at every user's capabilities on the system and you'd say, okay, yes, these are, this is who can do what.
And it actually kind of depends on your, on your capability, or on what you're trying to do. If you actually want to ask, well, who can edit important files on my system, important objects on my system, then in that case that's kind of a pain, kind of a pain because you need to go through every subject to see who can do what, when with an access control list you just look at that object and you say, oh, okay, these are the, the subjects that can edit, or that can have these rights. What, revocation, what does revocation mean? Take something away. Take something away, yeah. Close, it's more, any more of the taking-away connotation, like if I revoke somebody's A from a semester ago because I found out they're cheating, right, that would be taking something away from them. And so in the context of access control, what do we mean by revocation? Yeah, remove someone's access to the system. So we just talked about with ISIC, how do I remove their access to the system? Is it just taking their, so? Has anybody moved apartments before? How do they ensure that your access to that apartment has been revoked? Do they, they do what? You give the keys back to them. I mean, if you just gave the keys back to them, are they sure that your access has been revoked? Yeah, because you can copy those keys, right, even if it says do not copy. There are ways, definitely, to make that happen, right? So that doesn't guarantee it, but what does? Changing the locks, right? That's what a good landlord would do, is after somebody moves out you change the locks. That way you don't care if they made keys, you don't care about whatever, you just, you do that. So then for access control lists or capability lists, which is better for revocation, in what? Was that access control? Access control lists, why? Well, because if I don't want user A to access this set of files, I can say, hey, user A on this set of files, there's a, just update the files there. The tricky thing always comes in as, so, well, what do you...
Like we talked about, well, if you want to, let's say, remove their access to all the files, you have to go and update every single file on the system. So it's again, all these things are kind of matters of perspective and matters of, there's no hard and fast answers of what is definitively better, most of the time. And again, it's very similar because you're storing all of the access rights on each of the objects. If you want to remove access to a specific object, it's very easy with an access control list, more difficult with capability lists. But again, you can do everything, and we did this, we'll come back to it. It'll be a good refresher. Three minutes with you. Okay, cool. We'll finish this up then. Okay, so capability lists. So access control lists are pretty easy. If we want to give somebody access to our file, how do we do that? Yeah, we add them to the file's metadata to say, okay, this user gets access to this file. The operating system would probably check, do we have the ability to add or change that access control list on that file? In Unix that would be the owner privilege, or the owner of that file, we can control that. Actually, as the owner of that file we can give ownership of that file to somebody else. How do we do it in capability lists, access to a file?
Yeah, we can update the users. Yeah, so we'd have to either, basically, I mean we may not be able to do it ourselves, but we have to tell the operating system, update the capabilities for this other user, and then have to somehow notify that user that they need to refetch their capabilities, because their set doesn't contain that file, so they wouldn't have access. So anyways, so basically, and you could do it a number of ways. One of the cool things about capability lists is you can create a system such that one user P can create their own capabilities to give out to somebody else. So P has owner rights on file F. They could actually create a capability, without invoking the operating system, to give to process Q, so that they can give it to the operating system and say, hey, look, I got this capability from Q who says I can now read this file. And then everything will work, which is pretty cool. Um, so you do things like pass this stuff around. So what does Unix implement, which of these styles? Technically both, but the normal thing we're used to thinking about is access control lists. Right, and why is that? How do you know that? Yeah, we saw that when we do ls -la, right, there's metadata on each individual file that the operating system is storing on any file. Now is it storing every single subject on the system, what they can do to that file? No. No, what is it storing? Groups, owner and group, owner, groups and other. Yeah, owner, group and other, along with who's the owner and who's the group of that file. Why, why do that?
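The two "slicings" of the access matrix that the discussion from the column/row question through to revocation and delegation arrives at, as an added example that is not from the lecture: the same subject/object/rights matrix stored as ACLs (one list per object) and as capability lists (one list per subject), with each operation returning how many records it had to touch so the cost asymmetries the speaker describes (adding a user, revoking one object, revoking one subject, auditing) are visible rather than asserted. The subject and file names are constructed for the example, and "own" is modelled simply as the right that lets a subject delegate.

```python
"""Access matrix stored two ways: per-object ACLs vs per-subject capability lists.

Added example (not the lecture's code). Each mutating call returns the number of
records it visited, to make the cost of each slicing concrete.
"""
from collections import defaultdict

RIGHTS = {"read", "write", "execute", "append", "own"}


class ACLStore:
    """Columns of the matrix: each object carries (subject -> rights). Default deny."""

    def __init__(self) -> None:
        self.acl: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))

    def grant(self, subject: str, obj: str, right: str) -> int:
        assert right in RIGHTS
        self.acl[obj][subject].add(right)
        return 1                                    # touched one object's record

    def check(self, subject: str, obj: str, right: str) -> bool:
        return right in self.acl.get(obj, {}).get(subject, set())

    def who_can(self, obj: str, right: str) -> set[str]:
        """Audit 'who can edit this important file?': one record to read."""
        return {s for s, r in self.acl.get(obj, {}).items() if right in r}

    def revoke_object(self, obj: str) -> int:
        """'Change the locks' on one object: one record."""
        self.acl.pop(obj, None)
        return 1

    def revoke_subject(self, subject: str) -> int:
        """Remove a departed user everywhere: must visit every object."""
        visited = 0
        for rights in self.acl.values():
            visited += 1
            rights.pop(subject, None)
        return visited


class CapabilityStore:
    """Rows of the matrix: each subject carries (object -> rights). Default deny."""

    def __init__(self) -> None:
        self.caps: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))

    def grant(self, subject: str, obj: str, right: str) -> int:
        assert right in RIGHTS
        self.caps[subject][obj].add(right)
        return 1                                    # touched one subject's record

    def check(self, subject: str, obj: str, right: str) -> bool:
        return right in self.caps.get(subject, {}).get(obj, set())

    def what_can(self, subject: str) -> dict[str, set[str]]:
        """Audit 'what can this user do?': one record to read."""
        return {o: set(r) for o, r in self.caps.get(subject, {}).items()}

    def delegate(self, giver: str, receiver: str, obj: str, right: str) -> bool:
        """P with 'own' on F hands Q a capability; the reference monitor is not consulted."""
        if "own" not in self.caps.get(giver, {}).get(obj, set()):
            return False
        self.caps[receiver][obj].add(right)
        return True

    def revoke_subject(self, subject: str) -> int:
        """Remove a departed user: one record."""
        self.caps.pop(subject, None)
        return 1

    def revoke_object(self, obj: str) -> int:
        """Revoke one object everywhere: must visit every subject (the key-copy problem)."""
        visited = 0
        for objs in self.caps.values():
            visited += 1
            objs.pop(obj, None)
        return visited


def build_sample(store):
    """Constructed matrix: three subjects, two objects."""
    store.grant("alice", "/etc/passwd", "read")
    store.grant("alice", "report.txt", "read")
    store.grant("alice", "report.txt", "write")
    store.grant("alice", "report.txt", "own")
    store.grant("bob", "report.txt", "read")
    store.grant("carol", "/etc/passwd", "read")
    return store
```

With the same matrix in both stores, `ACLStore.revoke_object` and `CapabilityStore.revoke_subject` are single-record operations while their mirror images scan the whole population; `delegate` is the "P mints a capability for Q" idea, and the caveat from the discussion follows directly: once such a capability is out, taking it back means the scan in `revoke_object`.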
Can you, like we just talked about, it's difficult to express everything you might want to express there. It's difficult to say things like, I just want to share this file with these three people or these four people, without creating all kinds of crazy groups. But why do that? It simplifies it from an administrative perspective. That way I don't have to go and start, just to make certain that user X has access or does not have access to this file. So maybe, maybe one idea would be user experience of the administrator, to understand and reason about things. I'd say that in general a simpler system would be easier to reason about, yeah. What else? What's blowing up there? You have a million users that you have to give access to, you have some way of representing that. So for a file that is readable by everyone you need at least one bit per user on your system, and if you're talking about huge systems with lots of users, that's a lot of file metadata. How many bits do you need with the current scheme? 10. How do you reason? At least how many? Three for each group, or three for each, let's say, access control right grouping. So a read, write, execute for owner, group and other, right, so nine bits, which is not a lot, and there's other bits in there that do other things. Um, so at the end of the day you just use 12 bits for each file. You can still express all this complicated stuff, but again, you're giving up expressivity. You cannot express everything that you can in a typical access control list. All right. Good stuff.
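The 12-bit scheme this passage ends on, together with the setuid bit that explained chsh earlier, as an added example that is not from the lecture: a decoder that renders a mode word the way `ls -l` does (including the lowercase `s` versus uppercase `S` distinction the speaker pointed at), plus the collapsed owner/group/other check, which shows the expressivity loss concretely. The check models the ordinary rule only; root's bypass and ACL extensions are out of scope. All modes below are constructed inputs.

```python
"""Decode Unix mode bits and apply the owner/group/other rule.

Added example, not the lecture's code. Uses only the stat constants.
"""
import stat

RIGHT_NAMES = {4: "read", 2: "write", 1: "execute"}


def mode_string(mode: int) -> str:
    """Render the low 12 bits as ls -l does, e.g. 0o4755 -> 'rwsr-xr-x'.

    The special bits borrow the execute column: 's'/'t' when execute is also
    set, 'S'/'T' (the odd-looking capital) when the special bit is set but
    execute is not, which is what the lecture's ls -la output shows.
    """
    out = []
    for shift, special, special_char in ((6, stat.S_ISUID, "s"),
                                         (3, stat.S_ISGID, "s"),
                                         (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        x = bool(bits & 1)
        if mode & special:
            out.append(special_char if x else special_char.upper())
        else:
            out.append("x" if x else "-")
    return "".join(out)


def is_setuid(mode: int) -> bool:
    """The bit that makes chsh run as the file's owner instead of the caller."""
    return bool(mode & stat.S_ISUID)


def rights_for(mode: int, file_uid: int, file_gid: int,
               uid: int, groups: set[int]) -> set[str]:
    """Non-root rule: pick the FIRST matching class and use only its bits.

    Owner beats group beats other, and the classes are not unioned, so an
    owner whose own triplet is '---' gets nothing even when 'other' is 'rwx'.
    That is one thing nine bits cannot express differently.
    """
    if uid == file_uid:
        shift = 6
    elif file_gid in groups:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return {name for bit, name in RIGHT_NAMES.items() if bits & bit}


def describe(mode: int) -> dict[str, object]:
    """Summarise a mode word: text form, setuid flag, and rights per class."""
    return {
        "text": mode_string(mode),
        "setuid": is_setuid(mode),
        "owner": rights_for(mode, 0, 0, 0, set()),
        "group": rights_for(mode, 1, 0, 2, {0}),
        "other": rights_for(mode, 1, 1, 2, set()),
    }


if __name__ == "__main__":
    for m in (0o4755, 0o4644, 0o755, 0o1777, 0o077):
        print(oct(m), describe(m))
```

`describe(0o4755)` is the chsh case from the demo: the owner's execute slot reads `s`, so anyone who can execute it runs it as the owner; `0o077` is the corner where the collapsed scheme bites the file's own owner.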