Implementing an authorization policy on I/O level in GNU/Linux Bachelor’s thesis in Computer Science and Engineering JEAN-PHILIPPE GREEN MATTIAS HOLMBERG FILIP LEVENSTAM TOBIAS TILLSTRÖM Department of Computer Science and Engineering CHALMERS UNIVERSITY OF TECHNOLOGY Göteborg, Sweden 2013 Bachelor’s thesis 2013:10 BACHELOR’S THESIS IN COMPUTER SCIENCE AND ENGINEERING Implementing an authorization policy on I/O level in GNU/Linux JEAN-PHILIPPE GREEN MATTIAS HOLMBERG FILIP LEVENSTAM TOBIAS TILLSTRÖM Department of Computer Science and Engineering CHALMERS UNIVERSITY OF TECHNOLOGY Göteborg, Sweden 2013 Implementing an authorization policy on I/O level in GNU/Linux JEAN-PHILIPPE GREEN MATTIAS HOLMBERG FILIP LEVENSTAM TOBIAS TILLSTRÖM © JEAN-PHILIPPE GREEN, MATTIAS HOLMBERG, FILIP LEVENSTAM, TOBIAS TILLSTRÖM, 2013 Bachelor’s thesis 2013:10 ISSN 1654-4676 Department of Computer Science and Engineering Chalmers University of Technology SE-412 96 Göteborg Sweden Telephone: +46 (0)31-772 1000 Cover: Illustration of the problem with saving files and its solution Chalmers Reproservice Göteborg, Sweden 2013 Implementing an authorization policy on I/O level in GNU/Linux Bachelor’s thesis in Computer Science and Engineering JEAN-PHILIPPE GREEN MATTIAS HOLMBERG FILIP LEVENSTAM TOBIAS TILLSTRÖM Department of Computer Science and Engineering Chalmers University of Technology Abstract The purpose of this project has been to implement enhanced functionality for privileged file operations when using graphical programs in the GNU/Linux operating system. Today, administrative tasks are done by acquiring privileges before the program in question is started. One goal of this thesis is to show how to make administration easier, by instead requesting authentication when an operation is to be performed. When working with a text editor such as Gedit, it is often possible to open system files and make changes to the loaded text. Saving these changes will however be impossible, due to the user not having write permission on the file. The ideas presented in this report will give the user the possibility of having this action authorized, making it possible to save. Implementations of these ideas can also enhance the security of the system by allowing less code to be run with elevated privileges. Instead of running Gedit with higher privileges, only the operation to save the changes will be done privileged. Less code running with the power to change system files means that if a vulnerability is found in some part of the system, there is less risk of an attacker using it for an intrusion. The results of this project are twofold: (1) A mechanism has been created for changing a user’s permissions on a file. This acts as a helper program for other programs to use when lacking permissions on a certain file. This helper program uses Polkit for authentication and, if the user is authorized, elevates the user’s permissions on the affected file. The program can now continue to perform the requested file operation. The user’s permissions on the files will be restored after a set amount of time. (2) The other result consists of guidelines on how to complete this task without changing any permissions on files. Instead this alternative solution can offer the same functionality in a more straightforward way. This by relaying the file operations to a custom made backend. Keywords: Authorization, Graphical User Interface, Access Control List, Polkit i ii Nomenclature ACL A list of permissions attached to a file. (Access Control List). Backend Processing that occurs behind the scenes in software and is not seen by the user. Client A program that as part of its execution sends requests to a server. Daemon A process running in the background, usually without immediate contact with the user. D-Bus A message bus for communication between processes. (Inter-process communication) Distribution An operating system kernel, such as Linux, bundled with software utilities such as a graphical environment and a package manager. GIO A library providing a virtual filesystem API. (Gnome Input/Output). GLib A general purpose library providing data structures and utility functions. (Gnome Library). Gnome A common desktop environment. (GNU Network Object Model Environment). GNU A operating system based on Unix conventions. (GNU is Not Unix). GVfs A virtual file system for the Gnome desktop. (Gnome virtual file system). I/O The communication between a computer and the outside world. (Input/Output). IPC A mechanism for a process to communicate with another process. (Inter-process communication) Kernel The main component in an operating system acting as a bridge between applications and the hardware. Mount Making a device available in the file system tree. Library A collection of functions provided for other programs to use. Linux The kernel replacing the Hurd kernel in GNU, forming the operating system GNU/Linux. Permission The permissions flags define what different users are allowed to do with files. Polkit(PolicyKit) An authorization framework for communication between unprivileged and privileged processes. POSIX A family of standards for system calls in operating systems defined by IEEE. It consists of several parts including standards for core services, thread control and real-time services. Process An instance of a program. it is possible to have several processes running one program. Protocol A family of rules used for defining the communication between different end points. Proxy The procedure of relaying an action to another process. Root An abstract user that is the owner of all system files and also has the highest level of privileges. Server A program that answers requests from client programs. Setuid A flag that when set on a program will execute it with the privileges of the owner rather than the calling user. It can also be the system call for executing processes as another user. (Set user ID upon execution). Shell script A script written for a command line interpreter of an operating system. Stream A data flow, or more precise, a sequence of information that is transmitted. Sudo A program for running a program or command as another user. Running as root is default. (Substitute user do). Unix An operating system with conventions that are used in many other operating systems, such as GNU. User A user is an agent using services on a computer. It may, but does not necessarily, represent an actual person. Virtual Memory The memory visible to a process. iii iv Contents Abstract i Nomenclature iii Contents v Figures vi Listings vi 1 Introduction 1 1.1 Purpose ................................................... 2 1.2 Requirements ................................................ 3 1.2.1 Function ................................................. 3 1.2.2 Interoperability .............................................. 3 1.2.3 Security .................................................. 3 1.2.4 Performance ............................................... 3 1.3 Limitations ................................................. 3 1.4 Method ................................................... 4 1.5 Layout of the report ............................................ 4 2 GNU/Linux basics 5 2.1 Users and groups .............................................. 5 2.2 Directories and files ............................................ 5 2.3 Unix permission model ........................................... 5 2.4 Access Control Lists ............................................ 6 2.5 Process management ............................................ 6 2.6 Memory management in Linux ...................................... 6 2.7 The user ID model and setuid ....................................... 7 2.7.1 UIDs of processes ............................................ 7 2.7.2 Security aspects of setuid programs .................................. 8 3 Project-specific libraries, concepts and tools 9 3.1 D-Bus .................................................... 9 3.2 Polkit .................................................... 9 3.3 Gnome-core ................................................. 10 3.3.1 GLib .................................................... 11 3.3.2 GObject .................................................. 11 3.3.3 GIO/GVfs ................................................ 11 4 Suggested implementation methods 13 4.1 Proxy file operations to another process with the required privileges ................. 13 4.2 Temporarily changing the ACL ...................................... 13 5 Result & Discussion 15 5.1 ACL ..................................................... 15 5.1.1 Result ................................................... 15 5.1.2 Discussion ................................................. 16 5.2 Proxy .................................................... 17 5.2.1 Result ................................................... 17 5.2.2 Discussion ................................................. 17 5.3 Discussion of our method ......................................... 18 6 Conclusions 19 v A Mail conversation with Alexander Larsson 21 B Client and Server for ACL implementation 23 References 31 Figures 1.1 Gedit in read-only mode .......................................... 1 1.2 Gedit - after implementation ....................................... 2 2.1 Two processes sharing the same physical memory ............................ 7 3.1 Flowchart of general polkit usage. .................................... 9 3.2 Overview of Gnome with focus on GIO/GVfs .............................. 10 4.1 Flowchart of the ideal proxy-implementation.