author: W. Kosior <koszko@koszko.org> 2026-03-23 18:30:00 +0100
committer: W. Kosior <koszko@koszko.org> 2026-03-23 18:30:00 +0100
commit: 08c26d33e388b07c374d133809050bda2f7b57ae (patch)
tree: 70e5881063125a12a1aea220e890ad4cc43bf304
parent: 6a943be7224fd7dce86508dce1c0868f4cbe99d4 (diff)
download: AGH-OS-security-magister.tar.gz, AGH-OS-security-magister.zip

Update lecture `03-accounts-files-and-processes'. (HEAD, magister)

lectures/03-accounts-files-and-processes.org (-rw-r--r--) | 172
1 file changed, 164 insertions, 8 deletions
diff --git a/lectures/03-accounts-files-and-processes.org b/lectures/03-accounts-files-and-processes.org
index 20cd0b6..1d63c9e 100644
--- a/lectures/03-accounts-files-and-processes.org
+++ b/lectures/03-accounts-files-and-processes.org
@@ -36,16 +36,60 @@
- +shell scripts+
- directories → group ownership auto copied
-* sticky bit
+* Sticky Bit
- inhibit non-owner file removal
- directories only
- historically used on files on some systems
+* Giving Files
+- no SUID behavior on directories?
+
+* Filesystem Quotas
+- limiting filesystem usage by users / groups
+- mount options =usrquota= / =grpquota=
+- =aquota.user= / =aquota.group= (formely without leading "a")
+- details may vary between filesystems / operating systems
+ - tmpfs quota only available since Linux 6.6 (2023)!
+
+* Filesystem Quotas, Diving in
+- *separate inodes and blocks quotas*
+ - space for inodes reserved a priori on ext filesystems
+ - can be tuned
+ - millions of small files → fs unoperational
+- hard & soft limits
+ - can be exceeded temporarily (soft)
+ - can send warnings to the user
+ - cannot be exceeded (hard)
+
+* Other Resource Quotas
+- =setrlimit()= / =getrlimit()=
+- hard / soft limits can be lowered
+- root can raise limits
+- non-root can only raise soft
+- limits on
+ - absolute cpu time
+ - file descriptor count
+ - user thread count
+ - memory used (virtual, RSS, stack)
+
+* Cgroups
+- Linux-specific
+- groups of processes (group hierarchies)
+- aplly policies to groups
+ - resource limiting
+ - accounting
+ - control
+ - kill the entire groups at once
+ - freeze the entire group at once
+- can be configured through a special fs
+ - typically mounted at =/sys/fs/cgroup/=
+- shall also be very useful to us later (containers)
+
* =setuid()=
- root only
- but… we'll cover capabilities in a minute
-* new process with a different UID — cases
+* new process with a Different UID — Cases
- login manager
- su
- SSH
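Review bot: several of the new slides in this hunk carry spelling and grammar slips: "formely" in the =aquota.user= line should be "formerly" (the same typo recurs later in the capabilities hunk), "aplly" under Cgroups should be "apply", "unoperational" should be "inoperable", and "kill the entire groups at once" should be singular to match the "freeze the entire group at once" line right below it. The new "Giving Files" slide consists of a single open question ("no SUID behavior on directories?"); either answer it on the slide (on Linux the set-user-ID bit is ignored on directories, while set-group-ID on a directory is the group-ownership inheritance already mentioned at the top of the hunk) or leave the slide out until it has content. The renamed heading "new process with a Different UID — Cases" is the only heading in this change that keeps a lowercase first word; "New Process with a Different UID — Cases" would match the Title Case applied to the other headings.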
@@ -53,7 +97,7 @@
- inetd
- ...
-* threads
+* Threads
- seen as processes by Linux kernel
- shared resources (memory, etc.)
- thread-local storage
@@ -79,11 +123,35 @@
- rootless X11
* IPC
-- semaphores, pipes, sockets, shared mem…
-- sockets → local client authentication
+- semaphores, pipes, sockets, signals, shared mem…
+ - root can send signals to all
+ - users can send signals to their own processes
+- sockets
+ - local client authentication
+ - sending file descriptor to other local process
+ - Linux-based systems
+ - socketd themselves operated through fds…
+ - sending socket fd over socket
+ - zero downtime service updates
+ - binding to privileged ports and sending sockfd
- IPC namespace — future topic
-* attributes
+* =ptrace=
+- traditional UNIX syscall
+- used by debuggers
+ - signal reception interception
+ - operations on traced process' memory
+ - syscall interception
+- used by PRoot
+- used by User Mode Linux
+
+* =ptrace= Security
+- can only trace process if either
+ - have =CAP_SYS_PTRACE=
+ - can send signal to it and process is not SUID / SGID
+- other ways of limitation (Linux Security Modules)
+
+* Attributes
- examples:
- append only (a)
- compressed (c)
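Review bot: "socketd themselves operated through fds…" under sockets is a typo for "sockets themselves operated through fds…". The "Linux-based systems" sub-bullet is ambiguous about what it scopes: passing a file descriptor over a Unix-domain socket (SCM_RIGHTS) is a general BSD-sockets feature rather than a Linux-only one, so if the point is about the "local client authentication" line above it (for example Linux's SO_PEERCRED), move the bullet there or name the mechanism. In the "=ptrace= Security" slide, "can send signal to it and process is not SUID / SGID" compresses the default Linux rule; the kernel checks that the tracer's credentials match the tracee's and that the tracee is dumpable (which a SUID/SGID exec clears), so "same credentials and tracee is dumpable" would be both shorter and closer to the actual check. Since Yama is the LSM that, on many distributions by default, restricts tracing to a process's own descendants, naming it beside "other ways of limitation (Linux Security Modules)" would give that bullet a concrete anchor.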
@@ -94,7 +162,7 @@
- no copy on write (C)
- BSD file flags — analogical
-* extended attributes
+* Extended Attributes
- arbitrary name+value pairs on files
- several uses
- file mime type
@@ -121,10 +189,98 @@
- =CAP_NET_BIND_SERVICE=
- =CAP_NET_RAW=
- =CAP_SYS_TIME=
- - more… (limit of 64)
+ - more… (limit of 64, formely 32)
- =CAP_SYS_ADMIN= ← overloaded
- use +setuid+ *setcap* binaries
+* Capabilities, Diving in
+- threads have caps
+- executables have caps
+ - ignore when mounted as nosuid
+ - ignore when ptrace in use
+ - …
+- =captget= / =capset= syscalls
+- =prctl= syscall
+
+* Capability Sets
+- Permitted
+- Inheritable
+
+Permitted → =capset()= → Inheritable — always allowed.
+/*nothing*/ → =capset()= → Inheritable — if process has =CAP_SETPCAP=.
+
+* Capabilities on =exec=
+- P — process
+- F — file
+
+P_prm' := F_prm | (P_inh & F_inh)
+P_inh' := P_inh
+
+* Capability Sets, Cont.
+- Permitted
+- Inheritable
+- Effective
+
+On a file, Effective is a bit, not a set.
+
+* Capabilities on =exec=, Cont.
+- P — process
+- F — file
+
+P_prm' := F_prm | (P_inh & F_inh)
+P_inh' := P_inh
+P_eff' := F_eff & P_prm'
+
+Effective bit useful for "dumb" binaries.
+
+* Capability Sets, Cont…
+- Permitted (processes and files)
+- Effective (processes and files)
+- Inheritable (processes and files)
+- Bounding (processes *only*)
+
+=prctl(CAP_BSET_DROP)= ← can remove from bounding set, not add
+Bounding limits *adding to* Inheritable.
+
+* Capabilities on =exec=, Cont.
+- P — process
+- F — file
+
+P_prm' := (F_prm & P_bnd) | (P_inh & F_inh)
+P_inh' := P_inh
+P_eff' := F_eff & P_prm'
+P_bnd' := P_bnd
+
+* Capability Sets, Cont…
+- Permitted (processes and files)
+- Effective (processes and files)
+- Inheritable (processes and files)
+- Bounding (processes *only*)
+- Ambient (processes *only*)
+
+=prctl(PR_CAP_AMBIENT_RAISE)= ← if cap already in Permitted & Inheritable
+
+* Capabilities on =exec=, Cont.
+- P — process
+- F — file
+
+P_amb' := F_has_caps ? 0 : P_amb
+P_prm' := (F_prm | (P_inh & F_inh) | P_amb') & P_bnd
+P_inh' := P_inh
+P_eff' := F_eff ? P_prm' : P_amb'
+P_bnd' := P_bnd
+
+Capability preservation on ordinary =exec=.
+Note that file can *have* cap sets that are empty.
+
+* Capabilities in =exec= by Root
+P_prm' := P_inh | P_bnd
+P_eff' := P_prm'
+
+Also applies at the moment of gaining root through SUID binary…
+
+… except when that binary has caps itself.
+
* Windows SIDs
- instead of UID/GID
- well-known SIDs
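Review bot: the final exec formula "P_prm' := (F_prm | (P_inh & F_inh) | P_amb') & P_bnd" contradicts the version introduced two slides earlier, "P_prm' := (F_prm & P_bnd) | (P_inh & F_inh)", and the documented Linux rule in capabilities(7), where the bounding set masks only the file permitted term: P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient). Moving the "& P_bnd" back onto F_prm keeps the slide sequence consistent with itself and with the kernel. Also in this hunk: "=prctl(CAP_BSET_DROP)=" should name the real option, =PR_CAPBSET_DROP=; "=captget=" should be =capget=; and "formely 32" should be "formerly 32". The "Capabilities in =exec= by Root" slide would read more clearly if it said why the simplified formulas hold: for a file without capabilities, root's exec notionally treats F_prm and F_inh as all-ones and the F_eff bit as set, which is exactly why the "except when that binary has caps itself" caveat follows.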