Basic Access control mechanisms in Systems Security
Elements under control. Subjects and Objects of the system.
When we talk about an IT system, and about access control in particular, we will frequently use the terms subject and object: the elements to which the aforementioned control is applied.
Subjects: The subjects of the system are the users, processes, programs or threads that operate on the device's resources.
Objects: When we refer to objects, we are talking about the resources of the system, such as files, directories, services, input/output devices, TCP/UDP ports, etc.
Types of Access Control.
Based on how restrictions and access to the system are decided, we come across three main types: discretionary access control (DAC), role-based access control (RBAC) and mandatory access control (MAC).
Discretionary Access Control, DAC: Discretionary access control is a means of restricting access to objects based on the identity of the subjects that try to operate on or access them. The most representative example is the mechanism of permissions established by the owner (user/group) of the object. It is therefore the owner of the object who determines which users may access his/her objects and with which privileges. This access mechanism is present in the majority of operating systems. In this type of access control it is normal to use attributes (read, write, execute, etc.) to mark the permissions applied to the object. Likewise, there is an owner/user and a set of parties the object can be shared with (groups, other users, etc.).
- DAC permissions in a Windows file -
In the particular case of UNIX/Linux systems, the objects of the system (files, directories, etc.) carry three attributes: read (r), write (w) and execute (x). The owner assigns these permissions separately for the owner, for the group and for others (users that are not the owner and don't belong to the group).
In Linux, the ls -l command shows the basic DAC permissions. In the following example we can see a system where user1, who belongs to group1, has set read/write/execute permissions (rwx) for himself as the owner. The users that belong to the same group (grupo1) have read and write permissions (rw-), and any other user only has read permission (r--):
- Discretionary access permissions (DAC), traditional in *NIX systems -
This way, any read, write or execute action that doesn't comply with these permissions will be denied.
- usuario2 can read but not modify usuario1’s fichero1 because of the assigned permissions -
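As an added example, not taken from the article, the following Python models the UNIX DAC rule illustrated above: the nine-character mode string shown by ls -l is split into owner/group/other bits, and for a given subject exactly one class applies, chosen in the order owner, then group, then other. The names usuario1, grupo1, fichero1 and usuario2 follow the figure; the assumption that usuario2 is not a member of grupo1 is ours.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Subject:
    """A subject of the system: a user plus the groups it belongs to."""
    user: str
    groups: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class FileObject:
    """An object of the system with its DAC attributes as ls -l shows them."""
    name: str
    owner: str
    group: str
    mode: str  # nine characters, e.g. "rwxrw-r--"

def parse_mode(mode: str) -> dict:
    """Split an ls -l mode string into the r/w/x sets for owner, group, other."""
    if len(mode) != 9 or any(c not in "rwx-" for c in mode):
        raise ValueError(f"bad mode string: {mode!r}")
    classes = {}
    for name, start in (("owner", 0), ("group", 3), ("other", 6)):
        triplet = mode[start:start + 3]
        classes[name] = {op for op, c in zip("rwx", triplet) if c != "-"}
    return classes

def dac_allows(subject: Subject, obj: FileObject, op: str) -> bool:
    """Classic UNIX DAC check: only one class applies, chosen in the
    order owner, then group, then other; the remaining classes are ignored."""
    if op not in ("r", "w", "x"):
        raise ValueError(f"unknown operation: {op!r}")
    classes = parse_mode(obj.mode)
    if subject.user == obj.owner:
        applicable = classes["owner"]
    elif obj.group in subject.groups:
        applicable = classes["group"]
    else:
        applicable = classes["other"]
    return op in applicable

# Constructed sample mirroring the article's ls -l example.
FICHERO1 = FileObject("fichero1", owner="usuario1", group="grupo1", mode="rwxrw-r--")
USUARIO1 = Subject("usuario1", frozenset({"grupo1"}))
USUARIO2 = Subject("usuario2", frozenset({"grupo2"}))  # assumed: not in grupo1

if __name__ == "__main__":
    for who, op in ((USUARIO1, "x"), (USUARIO2, "r"), (USUARIO2, "w")):
        verdict = "allowed" if dac_allows(who, FICHERO1, op) else "denied"
        print(f"{who.user} {op} {FICHERO1.name}: {verdict}")
```

Because only the first matching class counts, an owner whose own class lacks a bit is denied even when the group or other class would grant it; the root user, which bypasses DAC checks entirely, is not modelled here.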
Other mechanisms exist, such as ACLs (access control lists) or special permissions like the sticky bit, setuid and setgid (Linux) (see http://en.wikipedia.org/wiki/File_system_permissions), that add more options to DAC but are beyond the introductory scope of this part.
Role-Based Access Control (RBAC)
Discretionary access controls don't provide sufficient granularity to enable a more defined and structured segmentation in a complex system with many users and functions. In this case, a role mechanism offers greater versatility. Role-based access control consists of defining roles, each attributed a set of characteristics that govern the permissions and actions it can carry out, including the control of other roles. It is, in a way, a hierarchical system of classes. It is often used in organizations with a large number of users in which work groups or departments with different functions are integrated, for example systems, development, commercial or general service departments. With this mechanism, access to objects and tasks can be efficiently segmented and organized. Notable implementations of these mechanisms are LDAP, Microsoft Windows Active Directory and FreeIPA from Fedora/Red Hat. Some UNIX systems, such as Solaris or AIX, also implement this system of privileges.
Mandatory Access Control, MAC: This access mechanism is a complement to the previous ones and adds another security layer for access and privilege control. MAC is based on "tagging" every element in the system; the tags are then subjected to the access control policies that have been configured. Therefore, in any operation by a subject on an object, the tags are verified and the established MAC policies are applied to determine whether the operation is allowed, even when it has already passed the other security controls. In contrast with discretionary access control, the user can modify permissions and tags but cannot set access controls that would violate the system's MAC policies. It is the responsibility of a privileged user to establish the central MAC policies that govern the controls to be applied depending on the established tags. Examples of these control methods are SELinux in Linux/Red Hat/CentOS/Fedora distributions and AppArmor in SuSE Linux.
- Types of access control -
In an upcoming article we will explain in detail an example of the MAC mechanism, specifically, SELinux.