making changes to the operating system. This feature improves the Windows implementation of fail-safe defaults by providing mandatory rather than just discretionary controls, and it also improves the implementation of complete mediation by the operating system by improving the granularity of that mediation. (Note that as this chapter goes to press, it is not clear that WIC will be in Windows Server 2008.)
Linux Security Modules and Mandatory Access Controls
In response to heightened security concerns and a Linux user base that is expanding into larger mission-critical operations, there has been an effort to provide extensible and flexible security features in Linux without having the operating system kernel source code fracture into numerous variants. The Linux Security Module was designed to provide a lightweight, general-purpose access control framework which supports kernel-space mediation of object access (Wright, Cowan, Morris, Smalley, & Kroah-Hartman, 2002).
Linux Security Modules (LSM) provide a pluggable architecture for the enforcement of security authorization by the kernel. A strict, finely-grained authorization model can be substituted by loading one LSM module, or a less restrictive, discretionary access model can be used instead by loading a different LSM module.
Security-Enhanced Linux (SELinux) provides mandatory access control (MAC) and role-based access control using LSM. MAC allows a set of permissions to be defined for subjects (users, programs and processes) and objects (files, devices). It is based on the principle of least privilege and allows an administrator to grant an application just the permissions needed to perform its task. Permissions (authorization) can be assigned not to the user but to the application (Karsten, n.d.).
Linux Authorization
By default, Linux uses a discretionary access control approach to authorization. Authorization privileges are either read, write, or execute. The objects under the control of the operating system are files and directories, and special files which provide access to device drivers (Bacic, n.d.; Ritchie, 1978). When a program attempts to access an object in Linux, a system call is made which requests that the kernel return a handle (reference) to the object. The request specifies an operation of read, write, or execute on the object. The ability to delete an object is implied by the write permission.
When an object request has been made, the kernel first checks whether or not the user has permission to use the object. If the user owner of the file matches the user of the program requesting the object, then the kernel moves to the next step, in which the privilege type for the user is evaluated. If the privilege type on the object is suitable for the operation being requested, the object handle is returned to the requesting program. If the user of the requesting program does not match the user owner of the file, then group permissions are checked. If the group identifier for the user matches that of the file, then the next step is to determine which access privilege will be used. If no suitable access privileges are found which satisfy the access being requested, then the program is not permitted to use the object.
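As an added illustration of the owner-then-group discretionary check just described, and of the LSM and MAC idea from the preceding section, the following model (example code written for this edit, not code from the chapter or from the kernel) runs the discretionary check first and then consults a pluggable hook whose policy is keyed on the program's label rather than on the user. It goes one step beyond the text by also covering the "other" permission class, which Linux tests when neither owner nor group matches; the labels, the policy dictionary and the bit layout are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

R, W, X = 4, 2, 1  # read/write/execute bits; delete is implied by W (on the directory)

@dataclass
class Inode:
    owner: int
    group: int
    mode: int              # Unix mode bits, e.g. 0o640
    label: str = "file_t"  # hypothetical MAC label, used only by the MAC hook

@dataclass
class Cred:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups
    label: str = "user_t"            # hypothetical label of the running program

def dac_check(inode: Inode, cred: Cred, want: int) -> bool:
    """Classic Unix DAC: exactly one class (owner, group, other) is tested.
    As the text describes, once the owner matches, group bits are never consulted,
    so an owner can be denied an access that the group is granted."""
    if cred.uid == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif cred.gid == inode.group or inode.group in cred.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7  # the "other" class, which the text does not cover
    return (bits & want) == want

Hook = Callable[[Inode, Cred, int], bool]

def may_access(inode: Inode, cred: Cred, want: int, hook: Optional[Hook] = None) -> bool:
    """DAC runs first; a pluggable hook (the LSM idea) can only restrict further."""
    if not dac_check(inode, cred, want):
        return False
    return hook is None or hook(inode, cred, want)

def type_enforcement(policy: dict) -> Hook:
    """Minimal MAC hook in the SELinux spirit: allowed bits are looked up by
    (subject label, object label), so the program's label, not the uid, decides."""
    def hook(inode: Inode, cred: Cred, want: int) -> bool:
        return (policy.get((cred.label, inode.label), 0) & want) == want
    return hook
```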
Assessment
Table 2 summarizes the assessment of the security features of authentication and authorization in Windows and Linux. It is clear from this table that both Windows and Linux have provided adequate solutions for a number of the principles cited by Saltzer and Schroeder.
Recent releases of Windows and Linux have both attempted to improve implementations of least privilege and fail-safe defaults, more no-