From ec8889d56e32ff1f7d2fd4a064e7a325763a050a Mon Sep 17 00:00:00 2001 From: Leonard Kugis Date: Sat, 7 Mar 2020 04:15:11 +0100 Subject: IntroSec Added access control chapter. --- .../introduction_to_information_security.md | 42 ++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md index d1ce4fb..947b427 100644 --- a/en_GB/Introduction to Information Security/introduction_to_information_security.md +++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md @@ -179,7 +179,8 @@ Frequency of failing to extract a feature of a sample. #### Failure-To-Acquire Rate (FTA) -Frequency of failing to acquire a biometric feature. +Frequency of failing to acquire a biometric feature. + $$ \text{FTA} = \text{FTC} + \text{FTX} \times (1 - \text{FTC}) $$ @@ -198,7 +199,8 @@ $$ #### False Positive Identification Rate (FPIR) -Probability of some sample to match at least one of the entries in the database. +Probability of some sample to match at least one of the entries in the database. + $$ \text{FPIR} = (1 - \text{FTA}) \times (1 - (1 - \text{FMR})^{n}) $$ 
@@ -212,6 +214,42 @@ $$ Using a biometric scheme with $\text{FMR} = 0.01\%$ and a database of size $\text{n} = 80000$ results in $\text{FPIR} = (1 - 0) \times (1 - (1 - 0.0001)^{80000}) = 99.97\%$. +## Access Control + +| Role | Description | +| --- | --- | +| User | The actual human. | +| Principal | The user identity on the system instructing a process to request access. | +| Subject | The active process on the system requesting access. | +| Object | The resource access requested to. | + +### User Identities + +*User Identities* in Linux are stored in `/etc/passwd`. A typical `/etc/passwd` entry looks like this: + +``` +root:69geDfelkw:0:0:root:/root:/bin/bash +:::::: +``` + +`/etc/passwd` is world readable. It contains mainly user indentity information. Password related data (expiry data, issue date, etc.) +is stored in `/etc/shadow`, and can only be written to there. It is readable only by root. + +### UIDs / GIDs of processes + +Processes have a *real* and an *effective* UID/GID pair. +The real pair is inherited from parent process. The effective pair is applied from current file being executed. +E.g. `su` changes real pair from current user to effective pair of root. + +### Security Patterns + +#### Controlled Invokation + +User might want to use a file, but design does not permit users to read that file. +In that case, there could be a program the user has execute rights on, containing checks guaranteeing safe resource access. +Those programs are called *set UID* (SUID) and *set GID* (SGID) programs. They set the *effective UID/GID pair* to the ones required +to access the file (they might have to be created) and reset them on exit. Be careful with *SUID to Root* programs! + ## Encryption ### Kerckhoffs' Principle -- cgit v1.2.1
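Review bot: In the FTA and FPIR hunks (`@@ -179,7 +179,8` and `@@ -198,7 +199,8`) the removed and the added sentence read the same, so the only visible change is a new empty `+` line before each `$$`, presumably together with trailing whitespace on the sentence. This formatting change is unrelated to the access control chapter named in the subject line. Move it to its own commit or mention it in the message. If the trailing spaces are meant as a Markdown hard line break, the added blank line already separates the sentence from the formula, so the spaces can be dropped.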
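Review bot: In the User Identities block of the `@@ -212,6 +214,42` hunk, the sample entry `root:69geDfelkw:0:0:root:/root:/bin/bash` carries a password value in its second field, while the paragraph directly after it says password data is kept in `/etc/shadow`. On a system with shadow passwords that field holds `x`, so either change the sample to `root:x:0:0:root:/root:/bin/bash` or state that it shows the layout from before shadowing. The line under it is only `::::::`, so the seven fields (name, password, UID, GID, comment, home directory, shell) are never named; write them out as a legend. In the UIDs / GIDs section, "`su` changes real pair from current user to effective pair of root" is hard to follow; say that `su` is itself a set-UID root program, which is why it starts with effective UID 0 before it switches identity. The closing warning about SUID-to-root programs gives no reason; add one sentence that any flaw in such a program is exercised with root's privileges, so it should do as little as possible while elevated. Spelling in the added lines: "indentity" should be "identity", "expiry data" should be "expiry date", and "Invokation" should be "Invocation".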