
Lesson 7: Privilege Management

Objectives:

(a) Analyze programs that submit input via the command line.

(b) Describe how permissions are managed and controlled in a multi-user OS environment.

(c) Explain how users can be afforded the limited ability to execute commands with escalated privileges.

Up to this point it has only been possible to accept inputs with the use of a scanf statement in the body of a C program. A standard example would be:

#include <stdio.h>

int main()
{
    int i;
    printf("Enter an integer: ");
    scanf("%d", &i);
    return 0;
}

However, it is also possible to write a C program which accepts arguments from the command line, known as command line arguments. The utility of this will become clear in an example.

1. Command Line Arguments

In this course, we have written the function main as:

int main()

However, we know that main is a function and as such may have function arguments. The main function is more formally written as:

int main(int argc, char *argv[])

The parameter argc contains the number of arguments passed to main and the variable argv is an array of strings with each argument passed stored in one of the array elements. When you execute a C program, the operating system counts the total number of separate items entered, and places that integer in the variable argc. Each separate item you entered is placed, as a string, one-by-one, in the array of strings called argv. So if I have a C program named a.c that I compile into a.exe and type:

./a.exe one 2 3.45 who?

then the parts of the command line entry are laid out as:

argv[0] = "./a.exe"
argv[1] = "one"
argv[2] = "2"
argv[3] = "3.45"
argv[4] = "who?"

What is the value of argc? The answer is 5 because there are five separate strings on the command line. Note: If command line arguments are entered in quotes, they are stored as one command line argument. An example illustrates:

./file.exe "This is all one cmd line argument"


The value of argc = 2.

argv[0] = "./file.exe"
argv[1] = "This is all one cmd line argument"

The following C program called view_args.c accepts command line arguments and outputs the values of each element of the array argv to the screen.

#include <stdio.h>

int main(int argc, char *argv[])
{
    int i;
    printf("Arguments to this program, on the command-line:\n");
    /* argv[0] is the program name itself; the user's arguments start at argv[1] */
    for (i = 0; i < argc; i = i + 1)
        printf("argv[%d] = \"%s\"\n", i, argv[i]);
    return 0;
}

Then, when executing it, we would see the output below:

Practice Problem 9.1

For the following program invocation:

midshipman@EC310 ~$ ./a.out wait 8 mate

(a) What is the value of argc?
(b) What is the value of argv[1]?
(c) What is the data type of argv[2]?

Solution: (a) (b) (c)

Practice Problem 9.2

Pertaining to taking in command line arguments for a program, choose the best description for argc.

(a) Holds the number of command line arguments excluding the program name.
(b) Holds the total number of command line arguments available to the program.
(c) Holds the number of integer variables entered at the command line before the program begins.
(d) None of the above.

Solution:

Practice Problem 9.3

In the following sentence, circle the correct choices.

argv is a(n) array / index / stack used to store each command line parameter / index / argument in a binary / string / numeric format.

2. The exit statement

Sometimes we would like to intentionally terminate a program "gracefully" (instead of letting the program crash and burn). This can be accomplished with an exit statement. When using the exit statement, we must add the directive: #include <stdlib.h>. Consider the case where you write a program designed to take two command line arguments. If a user executed the program and did not enter a second command line argument, this might create a runtime error and cause our program to crash! We can utilize the exit statement in a case like this to terminate the program gracefully. An example snippet of a C program follows:

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc <= 2) {                 /* fewer than two arguments after the program name */
        printf("Too few arguments!\n");
        exit(1);                     /* For us, it doesn't matter what number we use */
    } else {
        /* More code... */
    }
    return 0;
}

3. Linux Access Privileges

Every file has access privileges that control who can read, write and execute the file. Every directory has similar privileges, but, for directories, read means "read the contents of the directory," write means "add or remove files from the directory" and execute means copy files from the directory.

3.1.1 Reading a File

Oftentimes we want to look at the contents of a file, with no intention whatsoever to edit the file. Or we may have the ability to read the file but not write to (or edit) it. In cases where we merely want to view the contents of a file, there is no need to open an editor such as nano. Linux provides us with the cat command. The command:

cat filename

will display the contents of the file named filename. For example, if I have a text file named stuff and I enter cat stuff I see:

[Figure: file contents shown in nano, alongside the same file contents displayed using cat]

3.1.2 Writing a file

In cases where we want to write to or edit a file, we use the nano editor. In order to write to or edit a file, the user entering the nano command from the command line must have "write" permissions.

3.1.3 Executing a file

As we know, our computer only speaks machine language, so only the .exe file types (i.e., machine language programs we execute) will have the execute privilege.

3.2 File access categories

The access privileges for a file or directory can be broken down into three categories: owner privileges, group privileges and public privileges.

3.2.1 Owner access

The owner of a file has unique access privileges that can be different from all other users if they so choose. The owner is also permitted to make changes to all other file access categories. When you create a file (such as when saving a new file with nano), you are the owner of the file. When making changes to owner permissions, the owner is symbolized by the letter u.

3.2.2 Group access

Group membership is specific, and groups may be formed to handle users which should have the same access privileges. For example, an EC310 instructor may write a program which they are the owner of and want to share the ability to execute the program with other EC310 instructors but not all users on the system (students!). If specific users are placed in a group, the group may have more tailored access privileges. When making changes to group permissions, the group is symbolized by the letter g.


3.2.3 Public access

Public access is the broadest file access category. Any user on the system which is not a member of a specific group is by default a member of the public. When making changes to public permissions, the public is symbolized by the letter o.

3.3 Viewing the access privileges

The access privileges for a file or directory can be returned by entering the ls -l command. The -l stands for long; that is, we want the long listing! A line produced by this command (one line will be produced for each file and directory) might look like this:

The important points above: (1) the file is named happy_times.exe, (2) the owner of the file is jones and (3) the access privileges are: rwxr-x--x. Let's look more closely at the nine symbols that comprise the access privileges. The symbols used are:

• r for read (which also allows the copying of the file)
• w for write
• x for execute
• - for no access

The first three symbols (i.e., the first triplet) refer to the file owner's privileges, the second triplet refers to the owner's group privileges, and the third triplet refers to the general public's privileges (everyone who has an account on your system). So, given the access privileges that we see in the example above:

• The owner (jones) can read, write to and execute the file happy_times.exe.
• The group (happymids) can read and execute the file happy_times.exe but cannot write to it.
• The general public can do nothing other than execute the file happy_times.exe.

3.4 Changing File Access

The access privileges are called the mode of the file or directory. The owner of a file can change the access privileges for a file using the change mode (chmod) command. The command's format is:

chmod [who][operator][permissions] filename

where "who" is u (owner), g (group), o (public) or a (all), the operator is + (add the permissions), - (remove the permissions) or = (assign exactly the permissions listed), and the permissions are:

r for read
w for write
x for execute
s for setuid

In addition to changing the access privileges for the owner, group, or public, we may also change them all at once using 'a' as seen above.
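To make the symbolic form of chmod concrete, here is an added example in C (my own code, not part of the lesson): it reads the nine permission symbols as ls -l prints them, applies one [who][operator][permissions] expression, and prints the result, including the s that marks setuid. The function names parse_mode, apply_chmod and chmod_string are my own, and the three changes applied by main are constructed for illustration.

```c
#define _XOPEN_SOURCE 700      /* makes S_ISUID/S_ISGID visible under strict -std modes */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
/* Mode bits in the order ls -l prints them: owner rwx, group rwx, public rwx. */
static const mode_t slot_bits[9] = { S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP,
                                     S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH };
/* Turn the nine symbols from ls -l (e.g. "rwxr-x--x") into numeric mode bits.
   An 's' in the owner or group execute slot means setuid/setgid plus execute. */
mode_t parse_mode(const char *s)
{
    mode_t m = 0;
    for (int i = 0; i < 9; i++) {
        if (s[i] == 's') m |= slot_bits[i] | (i == 2 ? S_ISUID : i == 5 ? S_ISGID : 0);
        else if (s[i] != '-') m |= slot_bits[i];
    }
    return m;
}
/* Render mode bits back into the nine-symbol form (out must hold 10 bytes). */
void format_mode(mode_t m, char out[10])
{
    for (int i = 0; i < 9; i++)
        out[i] = (m & slot_bits[i]) ? "rwxrwxrwx"[i] : '-';
    if (m & S_ISUID) out[2] = 's';   /* setuid shows in the owner's execute field */
    if (m & S_ISGID) out[5] = 's';   /* setgid shows in the group's execute field */
    out[9] = '\0';
}
/* Apply one symbolic chmod expression of the form [ugoa][+-=][rwxs] to *m.
   Returns 0 on success, -1 if the expression is malformed. */
int apply_chmod(const char *expr, mode_t *m)
{
    const mode_t everyone = S_IRWXU | S_IRWXG | S_IRWXO | S_ISUID | S_ISGID;
    mode_t who = 0, change = 0; const char *p = expr;
    for (; *p != '\0' && strchr("ugoa", *p) != NULL; p++) {
        if (*p == 'u') who |= S_IRWXU | S_ISUID;   /* 's' with u means setuid */
        if (*p == 'g') who |= S_IRWXG | S_ISGID;   /* 's' with g means setgid */
        if (*p == 'o') who |= S_IRWXO;
        if (*p == 'a') who |= everyone;
    }
    if (who == 0) who = everyone;                   /* no class named: same as 'a' */
    char op = *p++;
    if (op != '+' && op != '-' && op != '=') return -1;
    for (; *p != '\0'; p++) {
        switch (*p) {
        case 'r': change |= who & (S_IRUSR | S_IRGRP | S_IROTH); break;
        case 'w': change |= who & (S_IWUSR | S_IWGRP | S_IWOTH); break;
        case 'x': change |= who & (S_IXUSR | S_IXGRP | S_IXOTH); break;
        case 's': change |= who & (S_ISUID | S_ISGID); break;
        default:  return -1;
        }
    }
    if (op == '+')      *m |= change;
    else if (op == '-') *m &= ~change;
    else                *m = (*m & ~who) | change;  /* '=' replaces the whole class */
    return 0;
}
/* Apply one expression to an ls -l string; returns a static buffer (copy it) or NULL. */
const char *chmod_string(const char *mode, const char *expr)
{
    static char out[10];
    mode_t m = parse_mode(mode);
    if (apply_chmod(expr, &m) != 0) return NULL;
    format_mode(m, out);
    return out;
}
int main(void)
{   /* start from happy_times.exe (rwxr-x--x, section 3.3) and apply three typical changes */
    const char *steps[] = { "o-x", "o=rx", "u+s" }, *next;
    char mode[10] = "rwxr-x--x";
    for (int i = 0; i < 3 && (next = chmod_string(mode, steps[i])) != NULL; i++) {
        printf("chmod %-4s %s -> %s (octal %04o)\n", steps[i], mode, next, (unsigned)parse_mode(next));
        strcpy(mode, next);
    }
    return 0;
}
```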

Practice Problem 9.4

What are the access privileges for happytimes.exe after the command shown above is entered?

Solution:

Practice Problem 9.5

What command would remove the ability for the public to execute happytimes.exe?

Solution:

Practice Problem 9.6

What single command using the assign operator would assign the public the ability to read and execute happytimes.exe?

Solution:

4. User Accounts

How many users have accounts on our system? How can we find out? In Linux, every user is given a directory under the home directory. So, let's see who has folders under the home directory.

There is one user that is not shown on this list: the user named root. As you recall, the account named root has special privileges and full access rights over the entire system. The root account is owned by the system administrator, and has the ability to read, write and execute all files in anyone's account.

4.1 User IDs

Each user who has an account on a Linux system has a unique user ID number, which you can determine by using the id command. For example, to determine the unique ID number for joe, we enter:

id joe


If we do this for all users we determine the following IDs:

User        ID
root        0
mia         500
joe         501
instructor  998
midshipman  999

4.2 Switch User Command

There is a command that allows us to switch users... to switch from midshipman to, say, joe. This command is the su command. Let's try it!

su joe

This command failed! It's non-trivial to switch from being one user to another. Thus, the su command asks for the password of the target account (in this case, joe's password). The only time a password will not be asked for is if the su command is entered by the root user, who has the ability to move from account to account.

4.3 Sudo Command

Using sudo allows us to execute a single command as the root user. After using the sudo command, the very next command will revert you back to the privileges of your account.¹ This puts a practical constraint on the need to actually switch user to be root. Since using sudo gives you root privileges (even for only a single command), a user should be prompted for a password every time they use sudo. This makes sense: if anyone could use the sudo command, then anyone could act as the root user, one command at a time. In a Linux system, the system administrator (root) may give a few trusted assistants sudo privileges.² Let's use sudo to become the user joe! We enter:

sudo su joe

and see I'm joe!³

Practice Problem 9.7

Who, besides the file's owner, can change a file's mode?

Solution:

Practice Problem 9.8

What does the sudo command accomplish?

Solution:

¹ The meaning of the acronym sudo is unclear. In some texts it is presented as "switch user (to root and) do". In some texts it is presented as "super user do". In some texts it is presented as "substitute user (for root and) do". Of course, all texts are in agreement about what the sudo command actually does!

² In order for you to explore privilege management and get a fuller understanding of how permissions are managed, you, the user midshipman, can use the sudo command without a password. This will allow you to switch your identity (switch users) to see the system from their perspective. This is not something an ordinary user would ever be able to do in practice.

³ Although sudo only provides me the ability to execute one command as root, if the command is to switch to another user, you will remain as that user. In other words, you do not revert back to the former user after one command.


Practice Problem 9.9

Who can execute the sudo command?

Solution:

5. An extended example and a problem

The concepts behind escalating Linux file access privileges can be a little unclear without a concrete example. In all the C programs we have written thus far, any values accepted as inputs to the program have been placed on the stack frame of the function, which is in main memory. We know that main memory is volatile and will not provide long term storage. Thus, we set out to write a C program that takes command line inputs and stores them to a text file in secondary memory. The mechanics and syntax necessary to write this program are beyond the scope of this class. The program is designed to work so that any user who has the permissions to execute notetaker.exe can execute the program from the command line and their command line arguments are stored to the file /tmp/notes. The images that follow should aid our understanding of how the program functions.

Let's look at the access permissions for the source code (notetaker.c), the machine language code (notetaker.exe) and the text file that this program creates and writes to (/tmp/notes):

5.1 setuid permission

We see the executable program we wrote can be executed by anyone, but the file /tmp/notes can only be read and written to by the owner, midshipman. This sets up a conflict for us which must be addressed. We want joe to be able to execute the program notetaker.exe and his inputs to be stored in the file named /tmp/notes; essentially, we want our program to work as we have designed it. joe, as a member of the public, has the permissions to execute notetaker.exe, but he does not have the permissions to write to the file /tmp/notes. The result is that joe is able to execute the program from the command line, but his inputs are not stored. If his message was "How's it going?" joe would see the following error:

How do we fix this problem? Your first guess might be to change the access permissions of the file /tmp/notes, but we do not want joe (or any other member of the public) to be able to write to the file by using the editor nano; we want them to use the notetaker.exe program. Granting write permissions to the public for the file /tmp/notes would throw the barn doors wide open. We want joe to be able to write to the file /tmp/notes provided he only does this by using the notetaker.exe program. You may be surprised to know that this sort of permissions mismatch scenario occurs quite frequently! Linux handles this by providing a special permission called the set user ID (setuid) permission. If an executable program has the setuid flag set, then whenever the program is executed, it will behave as though it were being executed by the owner of the file. In other words, if we set the setuid flag for the file notetaker.exe, then when joe executes the program, the program will run as if the owner (midshipman) is executing it. This is good because the user named midshipman is the only one who can write to the file /tmp/notes. The owner, midshipman, can set the setuid flag for notetaker.exe. We enter:

chmod u+s notetaker.exe

And look at a listing of the file permissions:

Note the s in the execute field for the owner. That is the indicator that the setuid flag is set for notetaker.exe. Also, when you use the ls command, any executable files with the setuid flag set have their names highlighted in red. Let's go back to being joe and let's see if joe can now add notes to /tmp/notes. We enter:

sudo su joe

Even after setting the setuid flag, joe still cannot directly read the contents of the file notes (see the permissions for /tmp/notes above). With the setuid flag set, the only way joe can have an effect on the file /tmp/notes is through the use of the program notetaker.exe. After joe runs the program we switch the user back to being midshipman and look at the file.

Changing the file access permissions and setting the setuid flag worked. Now joe—or anyone—can use the program, but only midshipman can write to the file /tmp/notes directly.
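As an added illustration (my own code, not the lesson's notetaker.c, whose source is not shown), the following C program does what section 5 describes: it joins its command line arguments into one note, appends it to /tmp/notes, and prints the real and effective user IDs so the effect of chmod u+s can be seen when joe runs it. The function names format_note and append_note and the 256-character note limit are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NOTES_PATH "/tmp/notes"   /* fixed inside the program, never taken from the user */

/* Join argv[1..argc-1] with single spaces into out, always NUL-terminating.
   Returns the length written, or -1 if the note would not fit. A setuid
   program runs with its owner's privileges, so it must not let command line
   input overrun a buffer the way an unchecked strcpy would. */
int format_note(char *out, size_t cap, int argc, char *argv[])
{
    size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (int i = 1; i < argc; i++) {
        size_t len = strlen(argv[i]);
        size_t need = len + (i > 1 ? 1 : 0);        /* word plus the separating space */
        if (used + need + 1 > cap) return -1;       /* +1 keeps room for the NUL */
        if (i > 1) out[used++] = ' ';
        memcpy(out + used, argv[i], len);
        used += len;
        out[used] = '\0';
    }
    return (int)used;
}

/* Append one line to the notes file. When the setuid flag is set on the
   executable, this succeeds for joe because the kernel checks the effective
   uid (the owner, midshipman), not the real uid of whoever typed the command. */
int append_note(const char *path, const char *note)
{
    FILE *f = fopen(path, "a");
    if (f == NULL) return -1;
    int rc = (fprintf(f, "%s\n", note) < 0) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

int main(int argc, char *argv[])
{
    char note[256];
    if (argc < 2) {
        fprintf(stderr, "usage: %s words to store...\n", argv[0]);
        return 1;
    }
    /* getuid() is who ran the program; geteuid() is whose privileges it holds.
       They differ only when the setuid flag is set and someone other than the owner runs it. */
    printf("real uid %u, effective uid %u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (format_note(note, sizeof note, argc, argv) < 0) {
        fprintf(stderr, "note too long (limit %zu characters)\n", sizeof note - 1);
        return 1;
    }
    if (append_note(NOTES_PATH, note) != 0) {
        perror(NOTES_PATH);   /* reports the EACCES ("Permission denied") joe gets before u+s is set */
        return 1;
    }
    return 0;
}
```

Because a setuid program runs with the owner's privileges, the output path is fixed in the program and the arguments are length-checked rather than copied with strcpy; compile it, chmod u+s the executable as its owner, and run it as another user to watch the two IDs diverge.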


Practice Problem 9.10

The following is the output of ls -l for the shutdown command, which is a system administration program.

We can see that it is owned by the root user (administrator) and appears to be executable by everyone. That is not the case, since the program named shutdown actually calls other programs, and these other programs can only be executed by the root user. How can the root user modify the permissions to this program to allow anyone to shut down the computer? (Give the command, then an explanation of how it solves this problem.)

Solution:

Practice Problem 9.11

Consider the long listing for three files, shown below. The file note1.c is a C program that writes to the file /tmp/notes. The file note1.exe is the compiled version of note1.c.

The system has four users: midshipman, smith, jones and, of course, root.

(a) The user smith executes the file note1.exe and notices that her attempts to write to the file /tmp/notes are not successful. Explain why.

Solution:

(b) Suppose it was necessary to grant users the ability to write to the file /tmp/notes, but only when executing the program note1.exe. Your friend proposes two ways of accomplishing this:

(i) Enter the command: chmod u+w /tmp/notes

OR

(ii) Enter the command: chmod u+s note1.exe

Which option do you select and why?

Solution:

You've learned a number of new Linux commands in this chapter, and you'll see a few more in SX-9 that follows. Here is a summary of those commands and what they do:

Command    What it is used for
cat        Display a file's contents as ASCII characters
chmod      Change file permissions
chown      Change file ownership
hexdump    Display a file's contents (bytes) as hexadecimal values
id         Show user id number
ls -l      Long listing of file attributes, including permissions
su         Switch user
sudo       Execute one command as root


CH. 7 Problems

Name:_________________________

1. In your VM, navigate to the instructor directory. You should see the prompt:

Using nano, open the file unix_basics for editing:

midshipman@EC310:/home/instructor $ nano unix_basics

Add your favorite Linux command (we realize you have several—just pick one) to the top of the file, and save the file under the same name (Control-o). Were you successful? Why/Why not?

2. After typing in the command ls -l gethappy.exe you see:

(a) Who is the owner of this file?

(b) What permissions do users in the owner’s group have?

(c) You (midshipman) are neither the owner nor part of the owner’s group instructor. What command would the administrator enter to give you permission to read and execute the gethappy.exe file?

3. Continuing Problem 4 above: You (midshipman) now have permission to read and execute the gethappy.exe file.

The function of the gethappy.exe file, when executed, is to write to another file called happytimes. The file permissions are shown below.

After multiple attempts, the executable file is not operating as expected. The owner changes permissions on the executable file. You see:

(a) What permission changed? Your answer must include the name of the permission.

(b) How does the change to the file's permissions affect the execution of the program?


5. Consider the program below, where two students submit their school as a command line argument as follows:

./best_school.exe Army Navy

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    if (argc < 3)
        exit(1);
    char school1[8], school2[8];
    char *pointer1, *pointer2;
    pointer1 = school1;
    pointer2 = school2;
    strcpy(pointer1, argv[1]);
    strcpy(pointer2, argv[2]);
    printf("The best school is %s. \n", school1);
}

(a) What is the value of argc?

(b) What is the value of argv[0]?

(c) What is the value of the character stored at pointer2 + 4?

(d) What type of variable is stored in argv[2]?