Diffstat (limited to 'lectures/03-accounts-files-and-processes.org')
| -rw-r--r-- | lectures/03-accounts-files-and-processes.org | 172 |
1 files changed, 164 insertions, 8 deletions
diff --git a/lectures/03-accounts-files-and-processes.org b/lectures/03-accounts-files-and-processes.org index 20cd0b6..1d63c9e 100644 --- a/lectures/03-accounts-files-and-processes.org +++ b/lectures/03-accounts-files-and-processes.org @@ -36,16 +36,60 @@ - +shell scripts+ - directories → group ownership auto copied -* sticky bit +* Sticky Bit - inhibit non-owner file removal - directories only - historically used on files on some systems +* Giving Files +- no SUID behavior on directories? + +* Filesystem Quotas +- limiting filesystem usage by users / groups +- mount options =usrquota= / =grpquota= +- =aquota.user= / =aquota.group= (formely without leading "a") +- details may vary between filesystems / operating systems + - tmpfs quota only available since Linux 6.6 (2023)! + +* Filesystem Quotas, Diving in +- *separate inodes and blocks quotas* + - space for inodes reserved a priori on ext filesystems + - can be tuned + - millions of small files → fs unoperational +- hard & soft limits + - can be exceeded temporarily (soft) + - can send warnings to the user + - cannot be exceeded (hard) + +* Other Resource Quotas +- =setrlimit()= / =getrlimit()= +- hard / soft limits can be lowered +- root can raise limits +- non-root can only raise soft +- limits on + - absolute cpu time + - file descriptor count + - user thread count + - memory used (virtual, RSS, stack) + +* Cgroups +- Linux-specific +- groups of processes (group hierarchies) +- aplly policies to groups + - resource limiting + - accounting + - control + - kill the entire groups at once + - freeze the entire group at once +- can be configured through a special fs + - typically mounted at =/sys/fs/cgroup/= +- shall also be very useful to us later (containers) + * =setuid()= - root only - but… we'll cover capabilities in a minute -* new process with a different UID — cases +* new process with a Different UID — Cases - login manager - su - SSH 
@@ -53,7 +97,7 @@ - inetd - ... -* threads +* Threads - seen as processes by Linux kernel - shared resources (memory, etc.) - thread-local storage @@ -79,11 +123,35 @@ - rootless X11 * IPC -- semaphores, pipes, sockets, shared mem… -- sockets → local client authentication +- semaphores, pipes, sockets, signals, shared mem… + - root can send signals to all + - users can send signals to their own processes +- sockets + - local client authentication + - sending file descriptor to other local process + - Linux-based systems + - socketd themselves operated through fds… + - sending socket fd over socket + - zero downtime service updates + - binding to privileged ports and sending sockfd - IPC namespace — future topic -* attributes +* =ptrace= +- traditional UNIX syscall +- used by debuggers + - signal reception interception + - operations on traced process' memory + - syscall interception +- used by PRoot +- used by User Mode Linux + +* =ptrace= Security +- can only trace process if either + - have =CAP_SYS_PTRACE= + - can send signal to it and process is not SUID / SGID +- other ways of limitation (Linux Security Modules) + +* Attributes - examples: - append only (a) - compressed (c) @@ -94,7 +162,7 @@ - no copy on write (C) - BSD file flags — analogical -* extended attributes +* Extended Attributes - arbitrary name+value pairs on files - several uses - file mime type 
@@ -121,10 +189,98 @@ - =CAP_NET_BIND_SERVICE= - =CAP_NET_RAW= - =CAP_SYS_TIME= - - more… (limit of 64) + - more… (limit of 64, formely 32) - =CAP_SYS_ADMIN= ← overloaded - use +setuid+ *setcap* binaries +* Capabilities, Diving in +- threads have caps +- executables have caps + - ignore when mounted as nosuid + - ignore when ptrace in use + - … +- =captget= / =capset= syscalls +- =prctl= syscall + +* Capability Sets +- Permitted +- Inheritable + +Permitted → =capset()= → Inheritable — always allowed. +/*nothing*/ → =capset()= → Inheritable — if process has =CAP_SETPCAP=. + +* Capabilities on =exec= +- P — process +- F — file + +P_prm' := F_prm | (P_inh & F_inh) +P_inh' := P_inh + +* Capability Sets, Cont. +- Permitted +- Inheritable +- Effective + +On a file, Effective is a bit, not a set. + +* Capabilities on =exec=, Cont. +- P — process +- F — file + +P_prm' := F_prm | (P_inh & F_inh) +P_inh' := P_inh +P_eff' := F_eff & P_prm' + +Effective bit useful for "dumb" binaries. + +* Capability Sets, Cont… +- Permitted (processes and files) +- Effective (processes and files) +- Inheritable (processes and files) +- Bounding (processes *only*) + +=prctl(CAP_BSET_DROP)= ← can remove from bounding set, not add +Bounding limits *adding to* Inheritable. + +* Capabilities on =exec=, Cont. +- P — process +- F — file + +P_prm' := (F_prm & P_bnd) | (P_inh & F_inh) +P_inh' := P_inh +P_eff' := F_eff & P_prm' +P_bnd' := P_bnd + +* Capability Sets, Cont… +- Permitted (processes and files) +- Effective (processes and files) +- Inheritable (processes and files) +- Bounding (processes *only*) +- Ambient (processes *only*) + +=prctl(PR_CAP_AMBIENT_RAISE)= ← if cap already in Permitted & Inheritable + +* Capabilities on =exec=, Cont. +- P — process +- F — file + +P_amb' := F_has_caps ? 0 : P_amb +P_prm' := (F_prm | (P_inh & F_inh) | P_amb') & P_bnd +P_inh' := P_inh +P_eff' := F_eff ? P_prm' : P_amb' +P_bnd' := P_bnd + +Capability preservation on ordinary =exec=. 
+Note that file can *have* cap sets that are empty. + +* Capabilities in =exec= by Root +P_prm' := P_inh | P_bnd +P_eff' := P_prm' + +Also applies at the moment of gaining root through SUID binary… + +… except when that binary has caps itself. + * Windows SIDs - instead of UID/GID - well-known SIDs |
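Review bot: in the first hunk (@@ -36,16 +36,60 @@) the new "Giving Files" slide consists only of an open question, "no SUID behavior on directories?"; settle it before it is taught. Linux ignores the set-user-ID bit on a directory, while the set-group-ID bit is honoured (that is the "group ownership auto copied" bullet just above), so the slide can state that directly. The rlimit bullet "non-root can only raise soft" is also imprecise: an unprivileged process may raise its soft limit only up to the hard limit, and may lower the hard limit irreversibly; raising a hard limit needs CAP_SYS_RESOURCE. Spelling in the same hunk: "formely" (aquota bullet) should be "formerly", "aplly" (Cgroups) should be "apply", and "fs unoperational" should be "fs inoperable".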
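Review bot: in the IPC / ptrace hunk (@@ -79,11 +123,35 @@) the "ptrace Security" condition "can send signal to it and process is not SUID / SGID" understates the kernel check. The tracer's uid and gid must match the target's real, effective and saved ids, and the target must be dumpable, so a process that has changed credentials or cleared the flag with prctl(PR_SET_DUMPABLE, 0) is protected too. The "other ways of limitation (Linux Security Modules)" bullet should name Yama and kernel.yama.ptrace_scope, since that is the restriction students actually hit on a stock distribution (scope 1 allows tracing descendants only). Under "sockets", "Linux-based systems" is too narrow: passing descriptors over AF_UNIX with SCM_RIGHTS is available on BSD-derived systems as well. Typo: "socketd themselves" should be "sockets themselves".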
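Review bot: in the capabilities hunk (@@ -121,10 +189,98 @@) the final exec rule "P_prm' := (F_prm | (P_inh & F_inh) | P_amb') & P_bnd" contradicts the version given two slides earlier, "P_prm' := (F_prm & P_bnd) | (P_inh & F_inh)", and the rule in capabilities(7): the bounding set masks only the file permitted set, so it should read "P_prm' := (F_prm & P_bnd) | (P_inh & F_inh) | P_amb'". Identifiers in this hunk need correcting as well: "=captget=" should be "=capget="; the bounding-set drop is prctl(PR_CAPBSET_DROP, cap), not CAP_BSET_DROP; and the ambient raise is prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0), PR_CAP_AMBIENT_RAISE being the sub-operation. The bullet "ignore when ptrace in use" is only true when the tracer itself lacks CAP_SYS_PTRACE; stating that avoids implying that any debugger strips file capabilities. Typo: "formely 32" should be "formerly 32".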
