Assignment 6, due Mar 2

Part of the homework for 22C:169, Spring 2007
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Always, on every assignment, please write your name legibly as it appears on your University ID and on the class list! All assignments will be due at the start of class on the day indicated (usually a Friday). Unless there is what insurance companies call "an act of God" (something outside your control), the only exceptions to this rule will be by advance arrangement.

  1. Background: Consider this access matrix, for a system where there are only the users listed:
    Alice R/W R R
    Bob R R/W R
    Carol R R/W R
    Dave R R R/W
    ~alice/aaa ~bob/bbb ~carol/ccc ~dave/ddd

    System administrators on Linux machines have access to the following commands for group administration. To create a new group account, groupadd. To create a user account, useradd. Users may find out what groups they are in with groups. The man command has partial documentation on these, but if you do, for example, man 2 chown, you will find considerably more.

    If a user is a member of multiple groups, the newgrp shell command can be used to launch a shell reading from a new group (it uses the setgrp kernel call). When users create files, the file is created with the user's current effective group ID (unless the directory has the set group ID bit set). The chmod command may be used to set the access rights for a file, and the chgrp command may be used by the file's owner to change the file's group to any group they are a member of.

    To create an empty file, a Unix user can use the command echo>newfile

    a) Give an appropriate sequence of groupadd and useradd commands to set up the above users, with appropriate group memberships, so that a Linux system could begin to enforce the above access limitations. (1 point)

    b) Give an appropriate sequence of commands for each of the above users so that, after all users have executed their commands, the result will be that all of the files mentioned above have been created with the indicated access rights. (1 point)

    c) Suppose Alice wants to write a program that opens ~bob/bbb and ~dave/ddd for read access and ~alice/aaa for write access. Write a sequence of open commands in C (or C++), plus any auxiliary commands required to do this. Note that there is no easy way to translate symbolic group names to numeric group IDs. Assume that the users have to do this the hard way, by asking the system administrator for help. (1 point)

  2. Background: Read the rationale section of the man page for the setuid kernel call on the departmental Linux server.

    Problem: Did the designers of Unix and Linux really understand security? At what point in the development of Unix did they destroy the ability to use the setuid feature of exec to solve the mutual suspicion problem, and why did they do it? (1 point)

  3. Background: Assume a capability-based variant of Unix, where directories are capability lists. Therefore, mkdir creates a new capability list, and chmod changes the access rights not on a file, but rather, on a capability for that file. We enforce the rule that chmod may not be used to add rights to a capability, but only to reduce the rights from the original set of rights -- new files, we assume, are created with all rights. The access rights are rwx, as in Unix, but there is just one triplet on each capability, instead of three triplets, as in conventional Unix. The shell command link may be used, as in Unix, to make a new link to a file, but now, this copies the capability, including the access rights. All restrictions on linking to directories are lifted. To create a link or add a file to a directory, of course, a user must have write access to that directory.

    Assume that each user has a home directory, and that each pair of users share a directory that serves as a private communications channel between that pair of users. So, Alice and Bob share a directory. Alice calls this directory bob and Bob calls this shared directory alice (think of it as being almost a bidirectional E-mail channel).

    Problem: Solve part b of problem 1 for this new system. (1 point)
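The following Python model is an added illustration of the capability-list variant described in problem 3 (not part of the assignment and not a solution key). Directories are capability lists, a new object comes with all rights, chmod may only remove rights from one capability, and link copies a capability with its rights. The home directories, the shared channel between Alice and Bob, and the rule that reading an entry out of a capability list needs r on that directory are assumptions of the example; the page only states that adding to a directory needs w.

```python
"""Toy model of a capability-list Unix: directories are capability lists,
chmod only removes rights, link copies a capability (rights included).
Added example, not part of the assignment; names are constructed."""
from typing import Dict, FrozenSet, Tuple

ALL_RIGHTS = frozenset("rwx")
Cap = Tuple[int, FrozenSet[str]]        # (object id, rights on that object)


class CapFS:
    def __init__(self):
        self.objects: Dict[int, object] = {}   # id -> bytearray (file) or dict (dir)
        self._next = 0

    def _alloc(self, obj) -> Cap:
        oid, self._next = self._next, self._next + 1
        self.objects[oid] = obj
        return (oid, ALL_RIGHTS)               # new objects carry every right

    def new_root(self) -> Cap:
        return self._alloc({})

    @staticmethod
    def _need(cap: Cap, right: str, what: str):
        if right not in cap[1]:
            raise PermissionError(f"{what}: capability lacks '{right}'")

    def _dir(self, cap: Cap) -> dict:
        d = self.objects[cap[0]]
        if not isinstance(d, dict):
            raise NotADirectoryError(cap[0])
        return d

    def mkdir(self, dcap: Cap, name: str) -> Cap:
        self._need(dcap, "w", "mkdir")         # adding an entry needs w on the dir
        cap = self._alloc({})
        self._dir(dcap)[name] = cap
        return cap

    def create(self, dcap: Cap, name: str) -> Cap:
        self._need(dcap, "w", "create")
        cap = self._alloc(bytearray())
        self._dir(dcap)[name] = cap
        return cap

    def lookup(self, dcap: Cap, name: str) -> Cap:
        self._need(dcap, "r", "lookup")        # assumption: reading an entry needs r
        return self._dir(dcap)[name]

    def chmod(self, dcap: Cap, name: str, rights: str) -> Cap:
        """Reduce the rights on one capability; adding rights is refused."""
        self._need(dcap, "w", "chmod")
        oid, old = self._dir(dcap)[name]
        new = frozenset(rights)
        if not new <= old:
            raise PermissionError(f"chmod may only remove rights; {sorted(new - old)} not held")
        self._dir(dcap)[name] = (oid, new)
        return (oid, new)

    def link(self, src_dcap: Cap, src: str, dst_dcap: Cap, dst: str) -> Cap:
        """Copy a capability, rights included, into another directory."""
        cap = self.lookup(src_dcap, src)
        self._need(dst_dcap, "w", "link")
        self._dir(dst_dcap)[dst] = cap
        return cap

    def write(self, cap: Cap, data: bytes):
        self._need(cap, "w", "write")
        self.objects[cap[0]].extend(data)

    def read(self, cap: Cap) -> bytes:
        self._need(cap, "r", "read")
        return bytes(self.objects[cap[0]])


def demo() -> dict:
    """Alice shares aaa read-only with Bob through their private channel."""
    fs = CapFS()
    root = fs.new_root()                       # administrator's directory of homes
    alice_home, bob_home = fs.mkdir(root, "alice"), fs.mkdir(root, "bob")
    channel = fs.mkdir(alice_home, "bob")      # one shared dir, two names
    fs.link(alice_home, "bob", bob_home, "alice")   # done at setup by the admin

    aaa = fs.create(alice_home, "aaa")         # Alice holds rwx on her own file
    fs.write(aaa, b"hello bob")
    fs.link(alice_home, "aaa", channel, "aaa")
    fs.chmod(channel, "aaa", "r")              # only the published copy is reduced

    bob_view = fs.lookup(fs.lookup(bob_home, "alice"), "aaa")
    out = {"bob_reads": fs.read(bob_view), "bob_rights": "".join(sorted(bob_view[1]))}
    try:
        fs.write(bob_view, b"x")
        out["bob_write"] = "allowed"
    except PermissionError:
        out["bob_write"] = "denied"
    fs.link(fs.lookup(bob_home, "alice"), "aaa", bob_home, "from_alice")
    try:                                       # copying never amplifies rights
        fs.chmod(bob_home, "from_alice", "rw")
        out["amplify"] = "allowed"
    except PermissionError:
        out["amplify"] = "denied"
    out["alice_rights"] = "".join(sorted(fs.lookup(alice_home, "aaa")[1]))
    return out
```

The point the model makes is that reducing rights on the copy placed in the shared directory leaves Alice's own capability untouched, and that any further link Bob makes carries the reduced rights with it, so the recipient cannot regain write access by relinking or chmod.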