CHAPTER 4

Sharing Files

▸ About This Chapter
In this chapter, we work with the mechanisms provided by operating systems like Unix and Windows to protect files and folders. We also take a technical look at the fifth phase of the security process: monitoring the system. The chapter focuses on these topics:
■ Tailoring the security policy to grant special access to individuals or groups
■ Permission flags in Unix-like systems
■ Access control lists in Macintosh and Windows systems
■ Monitoring system events through logging

▸ 4.1 Controlled Sharing
What happens if Bob needs to share files with one or two other users but not with the rest of the suite?

Bob hired a clerk to do data entry for his new client, a big surveying company. The new clerk, Tina, has her own login on Bob's computer ("tina"). However, the isolation policy blocks Bob and Tina from sharing files, unless Bob logs in as administrator and bypasses the access restrictions. It is clear that we can create files and folders and establish access rights for them. We can share files with some people and hide them from others, simply by configuring the right permissions. In small cases we might get this correct through trial-and-error, but we might also leak data while implementing our solution. Instead, we begin with identifying our objectives, threats, risks, and requirements. We plan and implement our controls based on the requirements.

When we write the requirements and policy, we want to capture our general intent. When we write up implementation details, we get specific. In this case, the requirements talk about people and general types of information (Bob, Tina, and shared bookkeeping data). Implementation controls talk about files, folders, users, and access rights. Here are the two requirements we add to our isolation policy:
■ Bob and Tina shall be able to read and modify the surveying company's bookkeeping data.
■ No one shall have access to bookkeeping data, except Bob and Tina.

Although global restrictions like "no one shall" are sometimes hard to verify, accurate policy statements may require them.

Tailored File Security Policies
To share the project files, Bob needs to adjust his user isolation security policy. Practical problems like this often arise when using one-size-fits-all policies like "isolate everyone" or "share everything." We address such things with tailored access policies. Three examples of tailored policies are:
1. Privacy
2. Shared reading
3. Shared updating

We can describe a tailored policy in several ways. Here we take a systematic approach. We implement each tailored policy underneath a systemwide default policy of either isolation or sharing. The tailored policy specifies additional access rights. These new rights may add to or replace the default rights. For each new set of rights, the tailored policy needs to consider four things:

1. Which files or other resources are involved (e.g., files relating to "Surveyors" or perhaps "Tina's personal files")?
2. Which users are granted these new rights (e.g., users editing the books for "Surveyors")?
3. Do we Deny by Default, or do we retain the default access rights for these files?
4. Which access rights do we enforce: full access, execute, read-only, or no access?

Typically, the files in question will reside within a particular directory and be used by a particular group of people. When we describe the policy, however, we must be careful to describe what we want, rather than how we'll do it.

Bob's Sharing Dilemma

Bob needs to implement a tailored updating policy so that he can share files with Tina. But how should he do it? For each file, we can control access by the owner, administrators, and the rest of the users. If that's all we have, there's no way to grant access to two specific users while blocking access to the rest. Bob could solve this sharing dilemma if he always logs in to a system administration account. On some systems, these accounts use a specific user identity with a name like "system" or "root" that receives all system-related access rights. If Bob does this, the account will have full access to Tina's files. If he wants to create files to share with Tina, however, he must make Tina the owner of those files. Otherwise, he wouldn't be able to restrict access exclusively to Tina and himself. This solution poses a problem: Least Privilege. It may seem convenient to log in to a system routinely as "root" or some other administrative identity, but it poses a real risk to the system. If Bob unexpectedly exposes the system to a virus or malicious website while using administrative privileges, the system may quickly become compromised.

We can solve Bob's problem if we can specify additional access rights for each file and folder. There are two choices, depending on which operating system we use:
1. Keep a list of access rights for each file, called the access control list (ACL). Each entry in the ACL identifies a specific user and contains a list of access rights granted to that user. This is available on modern versions of Windows and on Apple's MacOS.
2. Keep one additional set of access rights, and associate it with a user group. Associate a group with each file, just as we associate a user, the owner, with each file. This is available on all Unix-based systems.

Windows uses a simple version of ACLs to provide basic file sharing on "home" editions of Windows. All Unix-based systems provide group-based access controls.
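The following is an added illustration, not part of the book's text: a small model of the two mechanisms just described, run against Bob's sharing dilemma. It assumes constructed accounts (Bob, Tina, and a third suite user named Carl), a constructed group id for "surveyors", and the classic Unix decision rule (root bypasses, then exactly one of the owner/group/other triplets applies).

```python
from dataclasses import dataclass

R, W = 4, 2  # permission bits used below (execute omitted for brevity)

@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int                          # primary group
    groups: frozenset = frozenset()   # supplementary groups

@dataclass(frozen=True)
class FileMeta:
    owner_uid: int
    group_gid: int
    mode: int        # permission bits, e.g. 0o770

def unix_access(user, f, want):
    """Choice 2 (Unix): root bypasses; otherwise exactly one of the
    owner/group/other triplets applies, chosen in that order."""
    if user.uid == 0:
        return True
    if user.uid == f.owner_uid:
        bits = (f.mode >> 6) & 7
    elif user.gid == f.group_gid or f.group_gid in user.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want

def acl_access(user, acl, want):
    """Choice 1 (ACL): entries name one user each; anyone unlisted is denied."""
    return any(uid == user.uid and rights & want == want for uid, rights in acl)

def who_can_modify(users, check):
    """Names of users that check(user, rights) says may both read and write."""
    return [u.name for u in users if check(u, R | W)]

# Constructed accounts: Bob owns the PC, Tina is the clerk, Carl is another suite user.
BOB, TINA, CARL = User("bob", 1001, 1001), User("tina", 1002, 1002), User("carl", 1003, 1003)
SURVEYORS = 2000   # constructed gid for the shared bookkeeping group

def in_group(u, gid=SURVEYORS):
    return User(u.name, u.uid, u.gid, u.groups | {gid})

# Attempt 1: owner/other only. Opening "other" so Tina can edit lets Carl in too.
open_to_all = FileMeta(BOB.uid, BOB.gid, 0o766)
# Attempt 2: group 'surveyors' holds Bob and Tina; mode 770 denies everyone else.
shared_books = FileMeta(BOB.uid, SURVEYORS, 0o770)
# The same tailored policy expressed as an ACL (Windows/macOS style).
books_acl = [(BOB.uid, R | W), (TINA.uid, R | W)]
```

The root bypass in `unix_access` is the Least Privilege point from Bob's dilemma: an administrative identity reaches every file regardless of the tailored policy.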

Practical Tip: Always organize your files into separate folders according to their access rights. Bob and Tina need to share the bookkeeping files for the surveying company. They put the files they need to share into a specific folder. They set up the folder's access rights to let them share the files. Neither Bob nor Tina should store files in that folder unless both of them should be sharing that file. If Bob hires another clerk to work on a different customer's books, he should set up a separate folder for that clerk.

4.1.1 Basic File Sharing on Windows

Windows provides a very simple mechanism for sharing files among users on a personal computer. The mechanism begins with an isolation policy; users have no access to other users' personal files. Building on the isolation policy, we assign additional permissions to selected users. To implement tailored sharing, we put the files in a folder and enable file sharing for that folder. File sharing recognizes three sets of access rights:
1. File Type
